Migrate address-group API to the new secure rbac rules

This commit updates the port policies to understand scope checking and
account
for a read-only role. This is part of a broader series of changes across
OpenStack to provide a consistent RBAC experience and improve
security.

It also adds new UT to test new API policies for address-group API.

Change-Id: Ibcd6084b30d923803723caffbf61bf2a60c6a408
(cherry picked from commit fd6ee70c3d)

neutron/conf/policies/address_group.py

@@ -10,6 +10,7 @@
 #  License for the specific language governing permissions and limitations
 #  under the License.
 
+from oslo_log import versionutils
 from oslo_policy import policy
 
 from neutron.conf.policies import base
@@ -18,6 +19,9 @@ from neutron.conf.policies import base
 AG_COLLECTION_PATH = '/address-groups'
 AG_RESOURCE_PATH = '/address-groups/{id}'
 
+DEPRECATION_REASON = (
+    "The Address scope API now supports system scope and default roles.")
+
 
 rules = [
     policy.RuleDefault(
@@ -27,8 +31,9 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='get_address_group',
-        check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
-                                 'rule:shared_address_groups'),
+        check_str=base.policy_or(
+            base.SYSTEM_OR_PROJECT_READER,
+            'rule:shared_address_groups'),
         description='Get an address group',
         operations=[
             {
@@ -39,7 +44,14 @@ rules = [
                 'method': 'GET',
                 'path': AG_RESOURCE_PATH,
             },
-        ]
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=policy.DeprecatedRule(
+            name='get_address_group',
+            check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
+                                     'rule:shared_address_groups'),
+            deprecated_reason=DEPRECATION_REASON,
+            deprecated_since=versionutils.deprecated.WALLABY)
     ),
 ]
 

neutron/tests/unit/conf/policies/test_address_group.py

@@ -0,0 +1,49 @@
+# Copyright (c) 2021 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from oslo_policy import policy as base_policy
+
+from neutron import policy
+from neutron.tests.unit.conf.policies import base
+
+
+class AddressGroupAPITestCase(base.PolicyBaseTestCase):
+
+    def setUp(self):
+        super(AddressGroupAPITestCase, self).setUp()
+        self.target = {'project_id': self.project_id}
+
+    def test_system_reader_can_get_address_group(self):
+        self.assertTrue(
+            policy.enforce(self.system_reader_ctx,
+                           "get_address_group", self.target))
+
+    def test_project_reader_can_get_address_group(self):
+        self.assertTrue(
+            policy.enforce(self.project_reader_ctx,
+                           "get_address_group", self.target))
+
+    def test_system_reader_can_get_any_address_group(self):
+        target = {'project_id': 'some-other-project'}
+        self.assertTrue(
+            policy.enforce(self.system_reader_ctx,
+                           "get_address_group", target))
+
+    def test_project_reader_can_not_get_address_group_other_tenant(self):
+        target = {'project_id': 'some-other-project'}
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.project_reader_ctx, "get_address_group", target)