authorLance Bragstad <lbragstad@gmail.com>2018-01-03 02:18:13 +0000
committerLogan V <logan2211@gmail.com>2018-01-16 17:49:07 +0000
commit075b8ad41b990311f1bd14644adb078bf089e3b0 (patch)
tree10f8bf974e3af295b597a96e62dc4c5946d95d09
parente851e0046fcdfd80787d8efdccdf0362fdd7b5db (diff)
downloadkeystone-075b8ad41b990311f1bd14644adb078bf089e3b0.tar.gz
Expose a get_enforcer method for oslo.policy scripts
Because we have policy in code, we should be able to use the oslo.policy CLI scripts to produce sample policy files and render complete policies based on overrides on disk. This was broken because keystone wasn't removing unexpected commandline arguments before passing them to oslo.config to parse. This prevented people from generating complete policy files like they would for horizon. This commit exposes a get_enforcer() that substitutes an empty list in place of arguments passed in through the system. This makes it so that oslo.config doesn't choke when processing configuration values. Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d Closes-Bug: 1740951 (cherry picked from commit 85c957c50387ca47b68bc412879c753e7618f86b)
-rw-r--r--keystone/common/policy.py11
-rw-r--r--keystone/tests/unit/test_policy.py16
-rw-r--r--releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml8
-rw-r--r--setup.cfg3
4 files changed, 38 insertions, 0 deletions
diff --git a/keystone/common/policy.py b/keystone/common/policy.py
index 4ec0a0f99..d5e8619e2 100644
--- a/keystone/common/policy.py
+++ b/keystone/common/policy.py
@@ -35,6 +35,17 @@ def init():
register_rules(_ENFORCER)
+def get_enforcer():
+ # Here we pass an empty list of arguments because there aren't any
+ # arguments that oslo.config or oslo.policy shouldn't already understand
+ # from the CONF object. This makes things easier here because we don't have
+ # to parse arguments passed in from the command line and remove unexpected
+ # arguments before building a Config object.
+ CONF([], project='keystone')
+ init()
+ return _ENFORCER
+
+
def enforce(credentials, action, target, do_raise=True):
"""Verify that the action is valid on the target in this context.
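Review bot: `get_enforcer()` has no docstring saying it exists only as the `oslo.policy.enforcer` entry point, and its `CONF([], project='keystone')` call re-parses the process-wide CONF object with an empty argument list. If code inside an already-configured keystone process ever called it, options given on that process's command line (a non-default `--config-file`, for instance) would presumably be dropped, and the returned enforcer could then reflect default policy rather than the deployment's overrides; this is worth confirming against oslo.config. I would add a docstring such as `"""Return the enforcer for oslo.policy CLI tools; not for use inside a running service, because it re-initialises CONF with no arguments."""`, and mention there that only configuration found in the default search locations is honoured. The `enforce()` definition that follows continues outside the hunk.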
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 485198d11..54587f399 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -15,6 +15,7 @@
import json
import os
+import subprocess
import uuid
from oslo_policy import policy as common_policy
@@ -213,3 +214,18 @@ class PolicyJsonTestCase(unit.TestCase):
doc_targets = list(read_doc_targets())
self.assertItemsEqual(policy_keys, doc_targets + policy_rule_keys)
+
+
+class GeneratePolicyFileTestCase(unit.TestCase):
+
+ def test_policy_generator_from_command_line(self):
+ # This test ensures keystone.common.policy:get_enforcer ignores
+ # unexpected arguments before handing them off to oslo.config, which
+ # will fail and prevent users from generating policy files.
+ ret_val = subprocess.Popen(
+ ['oslopolicy-policy-generator', '--namespace', 'keystone'],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE
+ )
+ ret_val.communicate()
+ self.assertEqual(ret_val.returncode, 0)
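Review bot: The new test captures stdout and stderr through `subprocess.PIPE` but discards both, so when `oslopolicy-policy-generator` exits non-zero the failure reports only a return-code mismatch with no indication of the cause. Keeping the output and passing it as the assertion message would fix that: `out, err = ret_val.communicate()` followed by `self.assertEqual(ret_val.returncode, 0, err)`. The test also asserts only the exit status, so checking that `out` is non-empty would catch a generator that succeeds while rendering no policy. The executable is resolved from PATH and the run presumably reads whatever keystone configuration exists on the host, so results can differ between environments.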
diff --git a/releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml b/releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml
new file mode 100644
index 000000000..5b7650346
--- /dev/null
+++ b/releasenotes/notes/bug-1740951-82b7e4bd608742ab.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ [`bug 1740951 <https://bugs.launchpad.net/keystone/+bug/1740951>`_]
+ A new method was added that made it so oslo.policy sample generation
+ scripts can be used with keystone. The ``oslopolicy-policy-generator``
+ script will now generate a policy file containing overrides and defaults
+ registered in code.
diff --git a/setup.cfg b/setup.cfg
index f03acd1fc..67ab508a8 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -181,6 +181,9 @@ oslo.policy.policies =
# the default defined polices.
keystone = keystone.common.policies:list_rules
+oslo.policy.enforcer =
+ keystone = keystone.common.policy:get_enforcer
+
paste.filter_factory =
healthcheck = oslo_middleware:Healthcheck.factory
cors = oslo_middleware:CORS.factory