From 0012785501f4a31d39e491903f60b058c4ee6413 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Mon, 25 Nov 2019 17:44:15 +0000
Subject: [PATCH] Introduce scope_types in os-services oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level. - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html There are two type of scope: 1. 'system': policy with 'system' scope means user with 'system-scoped' token have permission to access otherwise not. This scope type can be applied to API policies which need access permission at system level. 2. 'project': policy with 'project' scope means user with 'project-scoped' token have permission to access. This scope type can be applied to API policies which need access permission at project level. Any policy need permission for both scope 'system' and 'project' can be added with both scope, for example: scope_type['system', 'project'] This commit introduce scope_type for os-services API policies. All the os-service policy are scopped as 'system' because nova services operation should not be given access to project scopped token. Also adds the test case with scope_type enabled and verify we pass and fail the policy check with expected context. Partial implement blueprint policy-defaults-refresh Change-Id: Ia6ad47e4e411c8c6f50c98807ee97f99297d97b8
---
 nova/policies/services.py | 3 ++-
 nova/tests/unit/policies/test_services.py | 12 ++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/nova/policies/services.py b/nova/policies/services.py
index fcec2483f40a..8c4f406f62a2 100644
--- a/nova/policies/services.py
+++ b/nova/policies/services.py
@@ -59,7 +59,8 @@ services_policies = [
 'method': 'DELETE',
 'path': '/os-services/{service_id}'
 }
- ]),
+ ],
+ scope_types=['system']),
 ]
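Review bot: The `scope_types=['system']` added here is only enforced when `[oslo_policy] enforce_scope` is turned on, which the new test has to do explicitly via `self.flags(enforce_scope=True, group="oslo_policy")`; until a deployer flips that option, a project-scoped legacy admin token keeps passing this rule exactly as before, and once it is flipped the same token is rejected. That operator-visible switch is not stated anywhere in the rule itself, so the policy's `description` (outside this hunk) should say that the rule is system-scoped, e.g. append `'This policy is system-scoped: with enforce_scope enabled, a system-scoped token is required.'` to it. The enclosing `services_policies` list starts before the hunk, and two of the seven old context lines are not visible in this rendering, so the rule's check string cannot be confirmed from here.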
diff --git a/nova/tests/unit/policies/test_services.py b/nova/tests/unit/policies/test_services.py
index 058c7d26a409..2619062aeb4e 100644
--- a/nova/tests/unit/policies/test_services.py
+++ b/nova/tests/unit/policies/test_services.py
@@ -97,3 +97,15 @@ class ServicesScopeTypePolicyTest(ServicesPolicyTest):
 def setUp(self):
 super(ServicesScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
+
+ # Check that system admin is able to change the service
+ self.admin_authorized_contexts = [
+ self.system_admin_context]
+ # Check that non-system or non-admin is not able to change the service
+ self.admin_unauthorized_contexts = [
+ self.legacy_admin_context, self.system_member_context,
+ self.system_reader_context, self.system_foo_context,
+ self.project_admin_context, self.project_member_context,
+ self.other_project_member_context,
+ self.project_foo_context, self.project_reader_context
+ ]
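Review bot: The two list literals added to `setUp` are closed inconsistently: the authorized list ends with `self.system_admin_context]` on the element line while the unauthorized list puts `]` on a line of its own; pick one form, the own-line `]` matching the longer list. More importantly, `admin_unauthorized_contexts` is enumerated by hand, so a context added to the shared fixture later would be neither in this list nor in the authorized one and would silently go unchecked by the scope test; if the base test class exposes the complete set of contexts, deriving the unauthorized list as that set minus `admin_authorized_contexts` closes that gap, and if it does not, a short comment noting that the list must mirror the fixture is worth adding. The assertion that `self.legacy_admin_context` is unauthorized is the important one here, since it is what demonstrates that a project-scoped admin token is rejected once `enforce_scope` is on. The `ServicesScopeTypePolicyTest` class header lies outside the hunk, and the parent `setUp` whose defaults these assignments override is not visible.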