Allow purging policy files

This change introduces the new purge_config parameter to the policy
class so that any policy rules not managed by puppet manifests can be
cleared.

Co-Authored-By: Martin Schuppert <mschuppert@redhat.com>
Depends-On: https://review.opendev.org/802305
Change-Id: Ic228fce771c936d8f9837c1e5f4d4403c7b24a9e

manifests/policy.pp

@@ -36,12 +36,18 @@
 #   (Optional) Path to the keystone policy folder
 #   Defaults to $::os_service_default
 #
+# [*purge_config*]
+#   (optional) Whether to set only the specified policy rules in the policy
+#    file.
+#    Defaults to false.
+#
 class keystone::policy (
   $enforce_scope        = $::os_service_default,
   $enforce_new_defaults = $::os_service_default,
   $policies             = {},
   $policy_path          = '/etc/keystone/policy.yaml',
   $policy_dirs          = $::os_service_default,
+  $purge_config         = false,
 ) {
 
   include keystone::deps
@@ -49,14 +55,16 @@ class keystone::policy (
 
   validate_legacy(Hash, 'validate_hash', $policies)
 
-  Openstacklib::Policy::Base {
-    file_path   => $policy_path,
-    file_user   => 'root',
-    file_group  => $::keystone::params::group,
-    file_format => 'yaml',
+  $policy_parameters = {
+    policies     => $policies,
+    policy_path  => $policy_path,
+    file_user    => 'root',
+    file_group   => $::keystone::params::group,
+    file_format  => 'yaml',
+    purge_config => $purge_config,
   }
 
-  create_resources('openstacklib::policy::base', $policies)
+  create_resources('openstacklib::policy', { $policy_path => $policy_parameters })
 
   oslo::policy { 'keystone_config':
     enforce_scope        => $enforce_scope,

releasenotes/notes/policy_purge_config-bb47d21812e84e10.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds new purge_config parameter. When set to true, the policy file is
+    cleared during configuration process. This allows to remove any existing
+    rules before applying them or clean the file when all policies got removed.

spec/classes/keystone_policy_spec.rb

@@ -2,35 +2,72 @@ require 'spec_helper'
 
 describe 'keystone::policy' do
   shared_examples 'keystone::policy' do
-    let :params do
-      {
-        :enforce_scope        => false,
-        :enforce_new_defaults => false,
-        :policy_path          => '/etc/keystone/policy.yaml',
-        :policy_dirs          => '/etc/keystone/policy.d',
-        :policies             => {
-          'context_is_admin' => {
-            'key'   => 'context_is_admin',
-            'value' => 'foo:bar'
+
+    context 'setup policy with parameters' do
+      let :params do
+        {
+          :enforce_scope        => false,
+          :enforce_new_defaults => false,
+          :policy_path          => '/etc/keystone/policy.yaml',
+          :policy_dirs          => '/etc/keystone/policy.d',
+          :policies             => {
+            'context_is_admin' => {
+              'key'   => 'context_is_admin',
+              'value' => 'foo:bar'
+            }
           }
         }
-      }
+      end
+
+      it 'set up the policies' do
+        is_expected.to contain_openstacklib__policy('/etc/keystone/policy.yaml').with(
+          :policies     => {
+            'context_is_admin' => {
+              'key'   => 'context_is_admin',
+              'value' => 'foo:bar'
+            }
+          },
+          :policy_path  => '/etc/keystone/policy.yaml',
+          :file_user    => 'root',
+          :file_group   => 'keystone',
+          :file_format  => 'yaml',
+          :purge_config => false,
+        )
+        is_expected.to contain_oslo__policy('keystone_config').with(
+          :enforce_scope        => false,
+          :enforce_new_defaults => false,
+          :policy_file          => '/etc/keystone/policy.yaml',
+          :policy_dirs          => '/etc/keystone/policy.d',
+        )
+      end
     end
 
-    it 'set up the policies' do
-      is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
-        :key         => 'context_is_admin',
-        :value       => 'foo:bar',
-        :file_user   => 'root',
-        :file_group  => 'keystone',
-        :file_format => 'yaml',
-      })
-      is_expected.to contain_oslo__policy('keystone_config').with(
-        :enforce_scope        => false,
-        :enforce_new_defaults => false,
-        :policy_file          => '/etc/keystone/policy.yaml',
-        :policy_dirs          => '/etc/keystone/policy.d',
-      )
+    context 'with empty policies and purge_config enabled' do
+      let :params do
+        {
+          :enforce_scope        => false,
+          :enforce_new_defaults => false,
+          :policy_path          => '/etc/keystone/policy.yaml',
+          :policies             => {},
+          :purge_config         => true,
+        }
+      end
+
+      it 'set up the policies' do
+        is_expected.to contain_openstacklib__policy('/etc/keystone/policy.yaml').with(
+          :policies     => {},
+          :policy_path  => '/etc/keystone/policy.yaml',
+          :file_user    => 'root',
+          :file_group   => 'keystone',
+          :file_format  => 'yaml',
+          :purge_config => true,
+        )
+        is_expected.to contain_oslo__policy('keystone_config').with(
+          :enforce_scope        => false,
+          :enforce_new_defaults => false,
+          :policy_file          => '/etc/keystone/policy.yaml',
+        )
+      end
     end
   end