From c73fb88c01b482dcd29a4f2f9661c4a0cd463344 Mon Sep 17 00:00:00 2001
From: Hieu LE <hieulq@vn.fujitsu.com>
Date: Fri, 13 Oct 2017 12:53:45 +0700
Subject: [PATCH] Implement policy in code - workflow (10)

This commit migrate all workflow policies into code [1].

Like oslo.config, with oslo.policy, we can define all of
default rules in code base and only change some rules
via policy file. Another thing that we should use yaml
format instead of json format.

[1] https://governance.openstack.org/tc/goals/queens/policy-in-code.html
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>

Change-Id: I8ab332abb5ebd4c67f8baf62c43ac3e9a10d7ee1
---
 etc/policy.json                   |  7 ---
 mistral/policies/__init__.py      |  4 +-
 mistral/policies/workflow.py      | 91 +++++++++++++++++++++++++++++++
 mistral/tests/unit/fake_policy.py |  7 ---
 4 files changed, 94 insertions(+), 15 deletions(-)
 create mode 100644 mistral/policies/workflow.py

diff --git a/etc/policy.json b/etc/policy.json
index 12c71b0fe..bc6d8020e 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -1,13 +1,6 @@
 {
     "default": "rule:admin_or_owner",
 
-    "workflows:create": "rule:admin_or_owner",
-    "workflows:delete": "rule:admin_or_owner",
-    "workflows:get": "rule:admin_or_owner",
-    "workflows:list": "rule:admin_or_owner",
-    "workflows:list:all_projects": "rule:admin_only",
-    "workflows:update": "rule:admin_or_owner",
-
     "event_triggers:create": "rule:admin_or_owner",
     "event_triggers:create:public": "rule:admin_only",
     "event_triggers:delete": "rule:admin_or_owner",
diff --git a/mistral/policies/__init__.py b/mistral/policies/__init__.py
index 4bb16931c..b8f5b2256 100644
--- a/mistral/policies/__init__.py
+++ b/mistral/policies/__init__.py
@@ -24,6 +24,7 @@ from mistral.policies import member
 from mistral.policies import service
 from mistral.policies import task
 from mistral.policies import workbook
+from mistral.policies import workflow
 
 
 def list_rules():
@@ -37,5 +38,6 @@ def list_rules():
         member.list_rules(),
         service.list_rules(),
         task.list_rules(),
-        workbook.list_rules()
+        workbook.list_rules(),
+        workflow.list_rules()
     )
diff --git a/mistral/policies/workflow.py b/mistral/policies/workflow.py
new file mode 100644
index 000000000..161e585c2
--- /dev/null
+++ b/mistral/policies/workflow.py
@@ -0,0 +1,91 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from oslo_policy import policy
+
+from mistral.policies import base
+
+WORKFLOWS = 'workflows:%s'
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name=WORKFLOWS % 'create',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Create a new workflow.',
+        operations=[
+            {
+                'path': '/v2/workflows',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=WORKFLOWS % 'delete',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Delete a workflow.',
+        operations=[
+            {
+                'path': '/v2/workflows',
+                'method': 'DELETE'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=WORKFLOWS % 'get',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Return the named workflow.',
+        operations=[
+            {
+                'path': '/v2/workflows/{workflow_id}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=WORKFLOWS % 'list',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Return a list of workflows.',
+        operations=[
+            {
+                'path': '/v2/workflows',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=WORKFLOWS % 'list:all_projects',
+        check_str=base.RULE_ADMIN_ONLY,
+        description='Return a list of workflows from all projects.',
+        operations=[
+            {
+                'path': '/v2/workflows',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=WORKFLOWS % 'update',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Update one or more workflows.',
+        operations=[
+            {
+                'path': '/v2/workflows',
+                'method': 'PUT'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules
diff --git a/mistral/tests/unit/fake_policy.py b/mistral/tests/unit/fake_policy.py
index 2f931f315..cd47453af 100644
--- a/mistral/tests/unit/fake_policy.py
+++ b/mistral/tests/unit/fake_policy.py
@@ -14,11 +14,4 @@
 
 policy_data = """{
     "default": "rule:admin_or_owner",
-
-    "workflows:create": "rule:admin_or_owner",
-    "workflows:delete": "rule:admin_or_owner",
-    "workflows:get": "rule:admin_or_owner",
-    "workflows:list": "rule:admin_or_owner",
-    "workflows:list:all_projects": "rule:admin_only",
-    "workflows:update": "rule:admin_or_owner",
 }"""