Simplify logic in get_enforcer

The get_enforcer method is used by oslopolicy CLI scripts to generate policy files. The scripts will use configuration files to find policy files so that overrides can be generated with default values registered in code. The get_enforcer method used to parse the arguments passed in from the system and remove the `namespace` and `output-file` arguments because they wouldn't be recognized while processing configuration values. This commit simplifies the logic of get_enforcer. A related discussion was held in review: https://review.openstack.org/#/c/530828/3 Proposing this to nova since I attempted to use similar logic to fix a problem in keystone, but figured the simplified logic might be useful here, too. Change-Id: I7cd27fe8c39ddfc6ec20f4cfe4d62912d4cebaa4
2018-01-03 20:37:22 +00:00 · 2018-01-03 20:37:22 +00:00 · 6244a44278
parent f95f165b49
commit 6244a44278
2 changed files with 19 additions and 16 deletions
--- a/nova/policy.py
+++ b/nova/policy.py
@ -16,7 +16,6 @@
 """Policy Engine For Nova."""
 import copy
 import re
-import sys

 from oslo_config import cfg
 from oslo_log import log as logging
@ -208,21 +207,9 @@ def register_rules(enforcer):


 def get_enforcer():
-    # This method is for use by oslopolicy CLI scripts. Those scripts need the
-    # 'output-file' and 'namespace' options, but having those in sys.argv means
-    # loading the Nova config options will fail as those are not expected to
-    # be present. So we pass in an arg list with those stripped out.
-    conf_args = []
-    # Start at 1 because cfg.CONF expects the equivalent of sys.argv[1:]
-    i = 1
-    while i < len(sys.argv):
-        if sys.argv[i].strip('-') in ['namespace', 'output-file']:
-            i += 2
-            continue
-        conf_args.append(sys.argv[i])
-        i += 1
-
-    cfg.CONF(conf_args, project='nova')
+    # This method is used by oslopolicy CLI scripts in order to generate policy
+    # files from overrides on disk and defaults in code.
+    cfg.CONF([], project='nova')
    init()
    return _ENFORCER

--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@ -16,6 +16,7 @@
 """Test of Policy Engine For Nova."""

 import os.path
+import subprocess

 import mock
 from oslo_policy import policy as oslo_policy
@ -496,3 +497,18 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
            self.admin_or_owner_rules + self.non_admin_only_rules +
            self.allow_all_rules + special_rules)
        self.assertEqual(set([]), result)
+
+
+class GeneratePolicyFileTestCase(test.NoDBTestCase):
+
+    def test_policy_generator_from_command_line(self):
+        # This test ensures nova.policy:get_enforcer ignores unexpected
+        # arguments before handing them off to oslo.config, which will fail and
+        # prevent users from generating policy files.
+        ret_val = subprocess.Popen(
+            ['oslopolicy-policy-generator', '--namespace', 'nova'],
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE
+        )
+        ret_val.communicate()
+        self.assertEqual(0, ret_val.returncode)