From deae4e44b0cc88c382422975d8e752e13d1ecc56 Mon Sep 17 00:00:00 2001
From: Surojit Pathak
Date: Thu, 8 Oct 2015 17:44:32 +0000
Subject: [PATCH] Modify admin_api policy rule

Magnum API's magnum_service:get_all is enforced by admin_api. Modifying the rule to use context_is_admin. Also changing the to_dict() call to include change in roles.

Change-Id: I44dda27857945dfd3ad43fa28ea458ce2966388c
Closes-Bug: #1503402
---
 etc/magnum/policy.json | 2 +-
 magnum/common/context.py | 1 +
 magnum/tests/fake_policy.py | 2 +-
 magnum/tests/unit/common/test_context.py | 4 ++++
 4 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/etc/magnum/policy.json b/etc/magnum/policy.json
index f9d8371a91..e33473d071 100644
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@@ -2,7 +2,7 @@
     "context_is_admin": "role:admin",
     "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
     "default": "rule:admin_or_owner",
-    "admin_api": "is_admin:True",
+    "admin_api": "rule:context_is_admin",
     "bay:create": "rule:default",
     "bay:delete": "rule:default",
diff --git a/magnum/common/context.py b/magnum/common/context.py
index e35bb5522d..de306d9b23 100644
--- a/magnum/common/context.py
+++ b/magnum/common/context.py
@@ -65,6 +65,7 @@ class RequestContext(context.RequestContext):
                 'is_admin': self.is_admin,
                 'is_public_api': self.is_public_api,
                 'read_only': self.read_only,
+                'roles': self.roles,
                 'show_deleted': self.show_deleted,
                 'request_id': self.request_id,
                 'trust_id': self.trust_id,
diff --git a/magnum/tests/fake_policy.py b/magnum/tests/fake_policy.py
index 8cdd81ac17..10a62d292d 100644
--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@@ -18,7 +18,7 @@ policy_data = """
     "context_is_admin": "role:admin",
     "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
     "default": "rule:admin_or_owner",
-    "admin_api": "is_admin:True",
+    "admin_api": "rule:context_is_admin",
     "bay:create": "",
     "bay:delete": "",
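Review bot: After this change `admin_api` is decided by `role:admin` (through `context_is_admin`) while `admin_or_owner`, two lines above it in the same hunk, still keys on `is_admin:True`, so the file now carries two different definitions of "admin" that can disagree for a context whose `is_admin` flag and `roles` list were set independently — the new unit test builds exactly such a context by passing both. Unless that split is intended, `admin_or_owner` should be expressed in the same terms, e.g. `"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"`, so that one role check governs every admin decision. The identical `admin_api` edit is repeated in magnum/tests/fake_policy.py, and the two policy documents should be kept in step if `admin_or_owner` is revised as well.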
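Review bot: The new `'roles': self.roles` entry is the value the policy engine evaluates for the rewritten `admin_api` rule (`role:admin` via `context_is_admin`), but nothing in `to_dict` records that dependency, so a later tidy-up could drop the key and silently turn every admin-only API check into a denial; a comment on the added line such as `# consumed by policy rules like context_is_admin (role:admin)` would make the coupling explicit. `to_dict` begins above this hunk, and whether the reverse path (presumably a from_dict-style constructor, which the third test hunk round-trips through `ctx2`) copies `roles` back is not visible here — worth confirming, since the round-trip assertion only passes if it does.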
diff --git a/magnum/tests/unit/common/test_context.py b/magnum/tests/unit/common/test_context.py
index 61a9f0ed46..1e7f1ceb55 100644
--- a/magnum/tests/unit/common/test_context.py
+++ b/magnum/tests/unit/common/test_context.py
@@ -27,6 +27,7 @@ class ContextTestCase(base.TestCase):
                                              user_id='user-id1',
                                              project_name='tenant1',
                                              project_id='tenant-id1',
+                                             roles=['admin', 'service'],
                                              is_admin=True,
                                              is_public_api=True,
                                              read_only=True,
@@ -46,6 +47,8 @@ class ContextTestCase(base.TestCase):
         self.assertEqual("user-id1", ctx.user_id)
         self.assertEqual("tenant1", ctx.project_name)
         self.assertEqual("tenant-id1", ctx.project_id)
+        for role in ctx.roles:
+            self.assertTrue(role in ['admin', 'service'])
         self.assertTrue(ctx.is_admin)
         self.assertTrue(ctx.is_public_api)
         self.assertTrue(ctx.read_only)
@@ -70,6 +73,7 @@ class ContextTestCase(base.TestCase):
         self.assertEqual(ctx.is_admin, ctx2.is_admin)
         self.assertEqual(ctx.is_public_api, ctx2.is_public_api)
         self.assertEqual(ctx.read_only, ctx2.read_only)
+        self.assertEqual(ctx.roles, ctx2.roles)
         self.assertEqual(ctx.show_deleted, ctx2.show_deleted)
         self.assertEqual(ctx.request_id, ctx2.request_id)
         self.assertEqual(ctx.trust_id, ctx2.trust_id)
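Review bot: The loop added in the second hunk only checks that each role present in `ctx.roles` is one of the two expected names, so it also passes when `roles` comes back empty or with a single entry — precisely the failure modes a policy now keyed on `role:admin` needs to catch. Since the first hunk constructs the context with `roles=['admin', 'service']`, the direct `self.assertEqual(['admin', 'service'], ctx.roles)` is both stronger and consistent with the neighbouring `assertEqual` calls on `user_id` and `project_id`. If the per-role form is kept, `self.assertIn(role, ['admin', 'service'])` reports the offending value on failure where `assertTrue(role in ...)` only says `False is not true`. The enclosing test method starts above this hunk.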