From cae41d68cf182dec59666d84a8b84a54ed374ee3 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann <gmann@ghanshyammann.com>
Date: Mon, 10 Feb 2020 20:40:17 -0600
Subject: [PATCH] Add new default roles in os-console-output policies

This adds new defaults roles in os-admin-password API policies.

This policy is default to owner or system admin role.

Also add tests to simulates the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.

Partial implement blueprint policy-defaults-refresh

Change-Id: Icadf5e1a05a93ad1524b2c519f1cc56a65156d8c
---
 nova/policies/console_output.py               |  2 +-
 .../unit/policies/test_console_output.py      | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/nova/policies/console_output.py b/nova/policies/console_output.py
index 12869d3ec625..461ef83a5492 100644
--- a/nova/policies/console_output.py
+++ b/nova/policies/console_output.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-output'
 console_output_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
         description='Show console output for a server',
         operations=[
             {
diff --git a/nova/tests/unit/policies/test_console_output.py b/nova/tests/unit/policies/test_console_output.py
index 6b5019cbcbb9..1426dca1865a 100644
--- a/nova/tests/unit/policies/test_console_output.py
+++ b/nova/tests/unit/policies/test_console_output.py
@@ -82,3 +82,29 @@ class ConsoleOutputScopeTypePolicyTest(ConsoleOutputPolicyTest):
     def setUp(self):
         super(ConsoleOutputScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class ConsoleOutputNoLegacyPolicyTest(ConsoleOutputPolicyTest):
+    """Test Console Output APIs policies with system scope enabled,
+    and no more deprecated rules that allow the legacy admin API to
+    access system_admin_or_owner APIs.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(ConsoleOutputNoLegacyPolicyTest, self).setUp()
+        self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system or projct admin or owner is able to
+        # get the server console.
+        self.admin_authorized_contexts = [
+            self.system_admin_context,
+            self.project_admin_context, self.project_member_context]
+        # Check that non-system and non-admin/owner is not able to
+        # get the server console.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.project_reader_context,
+            self.project_foo_context,
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context,
+            self.other_project_member_context]