authorZuul <zuul@review.opendev.org>2021-06-21 19:25:09 +0000
committerGerrit Code Review <review@openstack.org>2021-06-21 19:25:09 +0000
commitde6b6dd02498475de33c9c3810d764b0ff22f975 (patch)
tree3f3a2063715547246a59f274bc1ab34f86d72cb5 /heat
parente290a0aad351fe6ada7ea2e5bf300ce5df7574a5 (diff)
parent157f358057c3e12158ee4ba354566c2ad5a9ecb5 (diff)
downloadheat-de6b6dd02498475de33c9c3810d764b0ff22f975.tar.gz
Merge "[goal] Deprecate the JSON formatted policy file"
Diffstat (limited to 'heat')
-rw-r--r--heat/api/cfn/v1/stacks.py2
-rw-r--r--heat/api/openstack/v1/actions.py2
-rw-r--r--heat/api/openstack/v1/build_info.py2
-rw-r--r--heat/api/openstack/v1/events.py2
-rw-r--r--heat/api/openstack/v1/resources.py2
-rw-r--r--heat/api/openstack/v1/services.py2
-rw-r--r--heat/api/openstack/v1/stacks.py2
-rw-r--r--heat/cmd/status.py10
-rw-r--r--heat/common/config.py5
-rw-r--r--heat/common/policy.py7
-rw-r--r--heat/tests/cmd/test_status.py16
-rw-r--r--heat/tests/common.py5
-rw-r--r--heat/tests/convergence/framework/reality.py5
-rw-r--r--heat/tests/test_common_context.py2
-rw-r--r--heat/tests/test_common_policy.py3
15 files changed, 45 insertions, 22 deletions
diff --git a/heat/api/cfn/v1/stacks.py b/heat/api/cfn/v1/stacks.py
index 245c8d57d..881c43d88 100644
--- a/heat/api/cfn/v1/stacks.py
+++ b/heat/api/cfn/v1/stacks.py
@@ -49,7 +49,7 @@ class StackController(object):
raise exception.HeatInvalidActionError()
def _enforce(self, req, action):
- """Authorize an action against the policy.json and policies in code."""
+ """Authorize an action against the policy.yaml and policies in code."""
try:
self.policy.enforce(req.context, action, is_registered_policy=True)
except heat_exception.Forbidden:
diff --git a/heat/api/openstack/v1/actions.py b/heat/api/openstack/v1/actions.py
index 3a99a445e..553c09a67 100644
--- a/heat/api/openstack/v1/actions.py
+++ b/heat/api/openstack/v1/actions.py
@@ -25,7 +25,7 @@ class ActionController(object):
Implements the API for stack actions
"""
- # Define request scope (must match what is in policy.json or policies in
+ # Define request scope (must match what is in policy.yaml or policies in
# code)
REQUEST_SCOPE = 'actions'
diff --git a/heat/api/openstack/v1/build_info.py b/heat/api/openstack/v1/build_info.py
index 2743f621b..923d38225 100644
--- a/heat/api/openstack/v1/build_info.py
+++ b/heat/api/openstack/v1/build_info.py
@@ -24,7 +24,7 @@ class BuildInfoController(object):
Returns build information for current app.
"""
- # Define request scope (must match what is in policy.json or policies in
+ # Define request scope (must match what is in policy.yaml or policies in
# code)
REQUEST_SCOPE = 'build_info'
diff --git a/heat/api/openstack/v1/events.py b/heat/api/openstack/v1/events.py
index 87aa000a8..7c0527408 100644
--- a/heat/api/openstack/v1/events.py
+++ b/heat/api/openstack/v1/events.py
@@ -83,7 +83,7 @@ class EventController(object):
Implements the API actions.
"""
- # Define request scope (must match what is in policy.json or policies in
+ # Define request scope (must match what is in policy.yaml or policies in
# code)
REQUEST_SCOPE = 'events'
diff --git a/heat/api/openstack/v1/resources.py b/heat/api/openstack/v1/resources.py
index 199f778e4..f6d7cd8cb 100644
--- a/heat/api/openstack/v1/resources.py
+++ b/heat/api/openstack/v1/resources.py
@@ -74,7 +74,7 @@ class ResourceController(object):
Implements the API actions.
"""
- # Define request scope (must match what is in policy.json or policies in
+ # Define request scope (must match what is in policy.yaml or policies in
# code)
REQUEST_SCOPE = 'resource'
diff --git a/heat/api/openstack/v1/services.py b/heat/api/openstack/v1/services.py
index c51167b7c..4c61e2aed 100644
--- a/heat/api/openstack/v1/services.py
+++ b/heat/api/openstack/v1/services.py
@@ -25,7 +25,7 @@ from heat.rpc import client as rpc_client
class ServiceController(object):
"""WSGI controller for reporting the heat engine status in Heat v1 API."""
- # Define request scope (must match what is in policy.json or policies in
+ # Define request scope (must match what is in policy.yaml or policies in
# code)
REQUEST_SCOPE = 'service'
diff --git a/heat/api/openstack/v1/stacks.py b/heat/api/openstack/v1/stacks.py
index 1da826509..80b8e90b5 100644
--- a/heat/api/openstack/v1/stacks.py
+++ b/heat/api/openstack/v1/stacks.py
@@ -183,7 +183,7 @@ class StackController(object):
Implements the API actions.
"""
- # Define request scope (must match what is in policy.json or policies in
+ # Define request scope (must match what is in policy.yaml or policies in
# code)
REQUEST_SCOPE = 'stacks'
diff --git a/heat/cmd/status.py b/heat/cmd/status.py
index 3281176f1..4bf48d017 100644
--- a/heat/cmd/status.py
+++ b/heat/cmd/status.py
@@ -15,6 +15,7 @@
import sys
from oslo_config import cfg
+from oslo_upgradecheck import common_checks
from oslo_upgradecheck import upgradecheck
from heat.common.i18n import _
@@ -28,11 +29,6 @@ class Checks(upgradecheck.UpgradeCommands):
and added to _upgrade_checks tuple.
"""
- def _check_placeholder(self):
- # This is just a placeholder for upgrade checks, it should be
- # removed when the actual checks are added
- return upgradecheck.Result(upgradecheck.Code.SUCCESS)
-
# The format of the check functions is to return an
# oslo_upgradecheck.upgradecheck.Result
# object with the appropriate
@@ -41,8 +37,8 @@ class Checks(upgradecheck.UpgradeCommands):
# in the returned Result's "details" attribute. The
# summary will be rolled up at the end of the check() method.
_upgrade_checks = (
- # In the future there should be some real checks added here
- (_('Placeholder'), _check_placeholder),
+ (_('Policy File JSON to YAML Migration'),
+ (common_checks.check_policy_json, {'conf': cfg.CONF})),
)
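Review bot: The new `_upgrade_checks` entry has no comment saying what it checks, and it uses a `(callable, kwargs)` pair while the comment block above it only describes check functions that return a Result. I would add a line above the entry such as `# Reports a policy_file that is still JSON-formatted; 'conf' is passed through to the library check.` The entry binds `cfg.CONF` when the class body is evaluated, so it relies on that global object holding the operator's configuration by the time the checks run, which is not shown in this hunk.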
diff --git a/heat/common/config.py b/heat/common/config.py
index 1c03b6f1b..e978fdb40 100644
--- a/heat/common/config.py
+++ b/heat/common/config.py
@@ -19,6 +19,7 @@ from oslo_config import cfg
from oslo_db import options as oslo_db_ops
from oslo_log import log as logging
from oslo_middleware import cors
+from oslo_policy import opts as policy_opts
from osprofiler import opts as profiler
from heat.common import exception
@@ -596,3 +597,7 @@ def set_config_defaults():
'DELETE',
'PATCH']
)
+ # TODO(gmann): Remove setting the default value of config policy_file
+ # once oslo_policy change the default value to 'policy.yaml'.
+ # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+ policy_opts.set_defaults(cfg.CONF, 'policy.yaml')
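Review bot: The `'policy.yaml'` default is now set in two places, as a literal here at the end of `set_config_defaults()` and again at import time in heat/common/policy.py through `DEFAULT_POLICY_FILE`, so the two can drift apart when the TODO is resolved. If the import graph allows it, a single call site or a shared constant would be safer. Changing the default also changes which override file is looked up when an operator never set `policy_file`. Whether an existing policy.json with custom rules is still honoured depends on oslo.policy's fallback behaviour, which is not visible in this diff, so I would record that next to the TODO, for example `# NOTE: deployments that only have policy.json should run the upgrade check and convert the file to YAML.` `set_config_defaults()` starts outside this hunk.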
diff --git a/heat/common/policy.py b/heat/common/policy.py
index 38971e001..9b72e833a 100644
--- a/heat/common/policy.py
+++ b/heat/common/policy.py
@@ -19,6 +19,7 @@
from oslo_config import cfg
from oslo_log import log as logging
+from oslo_policy import opts
from oslo_policy import policy
from oslo_utils import excutils
@@ -33,6 +34,12 @@ LOG = logging.getLogger(__name__)
DEFAULT_RULES = policy.Rules.from_dict({'default': '!'})
DEFAULT_RESOURCE_RULES = policy.Rules.from_dict({'default': '@'})
+# TODO(gmann): Remove setting the default value of config policy_file
+# once oslo_policy change the default value to 'policy.yaml'.
+# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+DEFAULT_POLICY_FILE = 'policy.yaml'
+opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+
ENFORCER = None
diff --git a/heat/tests/cmd/test_status.py b/heat/tests/cmd/test_status.py
index ede3ba63b..8f73a525d 100644
--- a/heat/tests/cmd/test_status.py
+++ b/heat/tests/cmd/test_status.py
@@ -12,6 +12,8 @@
# License for the specific language governing permissions and limitations
# under the License.
+from unittest import mock
+
from oslo_upgradecheck.upgradecheck import Code
from heat.cmd import status
@@ -24,7 +26,13 @@ class TestUpgradeChecks(common.HeatTestCase):
super(TestUpgradeChecks, self).setUp()
self.cmd = status.Checks()
- def test__check_placeholder(self):
- check_result = self.cmd._check_placeholder()
- self.assertEqual(
- Code.SUCCESS, check_result.code)
+ @mock.patch('oslo_utils.fileutils.is_json')
+ def test_checks(self, mock_util):
+ mock_util.return_value = False
+ for name, func in self.cmd._upgrade_checks:
+ if isinstance(func, tuple):
+ func_name, kwargs = func
+ result = func_name(self, **kwargs)
+ else:
+ result = func(self)
+ self.assertEqual(Code.SUCCESS, result.code)
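Review bot: `test_checks` passes the test case itself as the first argument, in both `func_name(self, **kwargs)` and `func(self)`, where a check would presumably receive the `Checks` instance in production. Using `self.cmd` keeps the test honest if a later check reads attributes from the command object: `result = func_name(self.cmd, **kwargs)` and `result = func(self.cmd)`. The test also pins only the success path, with `is_json` mocked to return False. A second case with the mock returning True would confirm that a JSON policy file is actually reported, though the exact result code comes from the library and is not shown here.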
diff --git a/heat/tests/common.py b/heat/tests/common.py
index b3c1fdc99..baafe94be 100644
--- a/heat/tests/common.py
+++ b/heat/tests/common.py
@@ -81,7 +81,7 @@ class HeatTestCase(testscenarios.WithScenarios,
testtools.TestCase, FakeLogMixin):
def setUp(self, mock_keystone=True, mock_resource_policy=True,
- quieten_logging=True):
+ quieten_logging=True, mock_find_file=True):
super(HeatTestCase, self).setUp()
self.setup_logging(quieten=quieten_logging)
self.warnings = self.useFixture(fixtures.WarningsCapture())
@@ -126,6 +126,9 @@ class HeatTestCase(testscenarios.WithScenarios,
'/etc/heat/templates',
templ_path)
+ if mock_find_file:
+ self.mock_find_file = self.patchobject(
+ cfg.ConfigOpts, 'find_file')
if mock_keystone:
self.stub_keystoneclient()
if mock_resource_policy:
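Review bot: `mock_find_file` defaults to True, so every `HeatTestCase` now runs with `cfg.ConfigOpts.find_file` replaced by a mock unless the subclass opts out, and nothing in `setUp` says why. A test that means to enforce policy from a file could end up running without that file if its author forgets the opt-out. I would document the parameter where it is used, e.g. `# Stub config-file lookup by default; tests that load real policy files must pass mock_find_file=False.` `setUp` begins in the previous hunk and continues past this one.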
diff --git a/heat/tests/convergence/framework/reality.py b/heat/tests/convergence/framework/reality.py
index dcd7a79c7..055782b38 100644
--- a/heat/tests/convergence/framework/reality.py
+++ b/heat/tests/convergence/framework/reality.py
@@ -11,6 +11,8 @@
# License for the specific language governing permissions and limitations
# under the License.
+from unittest import mock
+
from heat.common import exception
from heat.db.sqlalchemy import api as db_api
from heat.tests import utils
@@ -49,4 +51,5 @@ class RealityStore(object):
return res_data.value
-reality = RealityStore()
+with mock.patch("oslo_config.cfg.ConfigOpts.find_file"):
+ reality = RealityStore()
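Review bot: The module-level `with mock.patch(...)` around `RealityStore()` carries no comment, and patching at import time is unusual enough to deserve one. Presumably constructing the store triggers a config file lookup that would otherwise depend on a policy file being present in the test environment. A line such as `# Constructing RealityStore looks up config files; stub find_file so importing this module does not depend on a policy file (TODO confirm).` would record that. The patch is active only while the store is constructed, so any lookup performed later through `reality` is not covered.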
diff --git a/heat/tests/test_common_context.py b/heat/tests/test_common_context.py
index 01604c665..31f5bb736 100644
--- a/heat/tests/test_common_context.py
+++ b/heat/tests/test_common_context.py
@@ -391,7 +391,7 @@ class RequestContextMiddlewareTest(common.HeatTestCase):
)]
def setUp(self):
- super(RequestContextMiddlewareTest, self).setUp()
+ super(RequestContextMiddlewareTest, self).setUp(mock_find_file=False)
self.fixture = self.useFixture(config_fixture.Config())
self.fixture.conf(args=['--config-dir', policy_path])
policy_opts.set_defaults(cfg.CONF, 'check_admin.json')
diff --git a/heat/tests/test_common_policy.py b/heat/tests/test_common_policy.py
index eb2753c4a..99c23c436 100644
--- a/heat/tests/test_common_policy.py
+++ b/heat/tests/test_common_policy.py
@@ -33,7 +33,8 @@ policy_path = os.path.dirname(os.path.realpath(__file__)) + "/policy/"
class TestPolicyEnforcer(common.HeatTestCase):
def setUp(self):
- super(TestPolicyEnforcer, self).setUp(mock_resource_policy=False)
+ super(TestPolicyEnforcer, self).setUp(
+ mock_resource_policy=False, mock_find_file=False)
self.fixture = self.useFixture(config_fixture.Config())
self.fixture.conf(args=['--config-dir', policy_path])