Merge "Use to_policy_values for policy enforcement"

neutron/context.py

@@ -91,6 +91,26 @@ class ContextBase(oslo_context.RequestContext):
         })
         return context
 
+    def to_policy_values(self):
+        values = super(ContextBase, self).to_policy_values()
+        values['tenant_id'] = self.tenant_id
+        values['is_admin'] = self.is_admin
+
+        # NOTE(jamielennox): These are almost certainly unused and non-standard
+        # but kept for backwards compatibility. Remove them in Pike
+        # (oslo.context from Ocata release already issues deprecation warnings
+        # for non-standard keys).
+        values['user'] = self.user
+        values['tenant'] = self.tenant
+        values['domain'] = self.domain
+        values['user_domain'] = self.user_domain
+        values['project_domain'] = self.project_domain
+        values['tenant_name'] = self.tenant_name
+        values['project_name'] = self.tenant_name
+        values['user_name'] = self.user_name
+
+        return values
+
     @classmethod
     def from_dict(cls, values):
         return cls(user_id=values.get('user_id', values.get('user')),

neutron/policy.py

@@ -326,7 +326,7 @@ def _prepare_check(context, action, target, pluralized):
     if target is None:
         target = {}
     match_rule = _build_match_rule(action, target, pluralized)
-    credentials = context.to_dict()
+    credentials = context.to_policy_values()
     return match_rule, target, credentials
 
 
@@ -415,7 +415,7 @@ def check_is_admin(context):
     """Verify context has admin rights according to policy settings."""
     init()
     # the target is user-self
-    credentials = context.to_dict()
+    credentials = context.to_policy_values()
     if ADMIN_CTX_POLICY not in _ENFORCER.rules:
         return False
     return _ENFORCER.enforce(ADMIN_CTX_POLICY, credentials, credentials)
@@ -425,7 +425,7 @@ def check_is_advsvc(context):
     """Verify context has advsvc rights according to policy settings."""
     init()
     # the target is user-self
-    credentials = context.to_dict()
+    credentials = context.to_policy_values()
     if ADVSVC_CTX_POLICY not in _ENFORCER.rules:
         return False
     return _ENFORCER.enforce(ADVSVC_CTX_POLICY, credentials, credentials)

neutron/tests/unit/test_context.py

@@ -142,3 +142,28 @@ class TestNeutronContext(base.BaseTestCase):
         ctx_admin = context.get_admin_context()
         self.assertEqual(req_id_before, oslo_context.get_current().request_id)
         self.assertNotEqual(req_id_before, ctx_admin.request_id)
+
+    def test_to_policy_values(self):
+        values = {
+            'user_id': 'user_id',
+            'tenant_id': 'tenant_id',
+            'is_admin': 'is_admin',
+            'tenant_name': 'tenant_name',
+            'user_name': 'user_name',
+            'domain': 'domain',
+            'user_domain': 'user_domain',
+            'project_domain': 'project_domain',
+            'user_name': 'user_name',
+        }
+        additional_values = {
+            'user': 'user_id',
+            'tenant': 'tenant_id',
+            'project_id': 'tenant_id',
+            'project_name': 'tenant_name',
+        }
+        ctx = context.Context(**values)
+        # apply dict() to get a real dictionary, needed for newer oslo.context
+        # that returns _DeprecatedPolicyValues object instead
+        policy_values = dict(ctx.to_policy_values())
+        self.assertDictSupersetOf(values, policy_values)
+        self.assertDictSupersetOf(additional_values, policy_values)