authorZuul <zuul@review.opendev.org>2020-04-09 23:52:41 +0000
committerGerrit Code Review <review@openstack.org>2020-04-09 23:52:41 +0000
commitbbb76769fde5bfaee86539ec94ac10175de20697 (patch)
tree6c06df879a0078196dc77c60421d15d595dfc934
parente17cfc1b6d8697333030ed08ebcb6086213c9329 (diff)
parent99012db14bd0e6f87aa2b79c272c7f5951972d41 (diff)
downloadoslo-policy-bbb76769fde5bfaee86539ec94ac10175de20697.tar.gz
Merge "Add new config to enforce the new defaults"
-rw-r--r--oslo_policy/opts.py11
-rw-r--r--oslo_policy/policy.py5
-rw-r--r--oslo_policy/tests/test_policy.py33
-rw-r--r--releasenotes/notes/enforce_new_defaults-6ae17d8b8d166a2c.yaml11
4 files changed, 59 insertions, 1 deletions
diff --git a/oslo_policy/opts.py b/oslo_policy/opts.py
index e0e1dd6..16e3696 100644
--- a/oslo_policy/opts.py
+++ b/oslo_policy/opts.py
@@ -34,6 +34,17 @@ _options = [
'will be raised. If ``False``, a message will be '
'logged informing operators that policies are being '
'invoked with mismatching scope.')),
+ cfg.BoolOpt('enforce_new_defaults',
+ default=False,
+ help=_('This option controls whether or not to use old '
+ 'deprecated defaults when evaluating policies. If '
+ '``True``, the old deprecated defaults are not going '
+ 'to be evaluated which mean if any existing token '
+ 'allowed for old defaults but disallowed for new '
+ 'defaults will be disallowed. It is encouraged to '
+ 'enable this flag along with ``enforce_scope`` flag '
+ 'so that you can get benefits of new defaults and '
+ '``scope_type`` together')),
cfg.StrOpt('policy_file',
default='policy.json',
help=_('The relative or absolute path of a file that maps '
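Review bot: The help string of the new `enforce_new_defaults` BoolOpt is hard to parse ("which mean if any existing token allowed for old defaults but disallowed for new defaults will be disallowed"), and this is the text an operator reads before flipping a switch that can revoke access that the deprecated check string currently grants. It also never states what the default value `False` means in practice, namely that the old and new check strings stay OR-ed together and the more permissive union remains in force. Suggested wording: `'If ``True``, the deprecated check string is no longer OR-ed into the new default, so a request allowed only by the old default is denied. If ``False`` (the default), both the old and the new check string remain in effect. Enabling this together with ``enforce_scope`` gives the full benefit of the new defaults and ``scope_type``.'` The same sentence is repeated in the release note in this change, so it would need the same rewording there.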
diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py
index dbb9443..a1a6f85 100644
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@@ -703,7 +703,10 @@ class Enforcer(object):
# messages telling them stuff is going to change if they don't maintain
# the policy manually or add infrastructure to their deployment to
# support the new policy.
- if (deprecated_rule.check_str != default.check_str
+ # If flag enforce_new_defaults is true then do not add OrCheck
+ # the old check_str and enforce only new defaults.
+ if (not self.conf.oslo_policy.enforce_new_defaults
+ and deprecated_rule.check_str != default.check_str
and default.name not in self.file_rules):
default.check = OrCheck([_parser.parse_rule(cs) for cs in
diff --git a/oslo_policy/tests/test_policy.py b/oslo_policy/tests/test_policy.py
index 1053de7..b67504b 100644
--- a/oslo_policy/tests/test_policy.py
+++ b/oslo_policy/tests/test_policy.py
@@ -1648,6 +1648,39 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
# Verify that we didn't overwrite the new rule.
self.assertEqual('bang', self.enforcer.rules['new_rule'].match)
+ def test_enforce_new_defaults_no_old_check_string(self):
+ self.conf.set_override('enforce_new_defaults', True,
+ group='oslo_policy')
+ deprecated_rule = policy.DeprecatedRule(
+ name='foo:create_bar',
+ check_str='role:fizz'
+ )
+
+ rule_list = [policy.DocumentedRuleDefault(
+ name='foo:create_bar',
+ check_str='role:bang',
+ description='Create a bar.',
+ operations=[{'path': '/v1/bars', 'method': 'POST'}],
+ deprecated_rule=deprecated_rule,
+ deprecated_reason='"role:bang" is a better default',
+ deprecated_since='N'
+ )]
+ enforcer = policy.Enforcer(self.conf)
+ enforcer.register_defaults(rule_list)
+
+ with mock.patch('warnings.warn') as mock_warn:
+ enforcer.load_rules()
+ mock_warn.assert_not_called()
+ self.assertTrue(
+ enforcer.enforce('foo:create_bar', {}, {'roles': ['bang']})
+ )
+ self.assertFalse(
+ enforcer.enforce('foo:create_bar', {}, {'roles': ['fizz']})
+ )
+ self.assertFalse(
+ enforcer.enforce('foo:create_bar', {}, {'roles': ['baz']})
+ )
+
class DocumentedRuleDefaultTestCase(base.PolicyBaseTestCase):
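Review bot: test_enforce_new_defaults_no_old_check_string pins only the allow/deny outcome with the flag on; it does not show the contrast the flag introduces, so a regression that dropped the deprecated check string unconditionally would still pass. A sibling case in the same method, or a second test, that registers the same rule list without the override and asserts `enforcer.enforce('foo:create_bar', {}, {'roles': ['fizz']})` is still True would document exactly what `enforce_new_defaults` removes. If the implementation keeps the `default.name not in self.file_rules` exclusion, as the policy.py hunk suggests, a third case with the rule overridden in the policy file would also be worth adding, since an operator override should win regardless of the flag. The enclosing test class continues outside this hunk.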
diff --git a/releasenotes/notes/enforce_new_defaults-6ae17d8b8d166a2c.yaml b/releasenotes/notes/enforce_new_defaults-6ae17d8b8d166a2c.yaml
new file mode 100644
index 0000000..8ff851f
--- /dev/null
+++ b/releasenotes/notes/enforce_new_defaults-6ae17d8b8d166a2c.yaml
@@ -0,0 +1,11 @@
+features:
+ - |
+ A new configuration option ``enforce_new_defaults`` has been
+ added to the ``[oslo_policy]`` group to control whether or not to
+ use the old deprecated defaults. If ``True``, the old deprecated
+ defaults are not going to be evaluated which mean if any existing
+ token allowed for old defaults but disallowed for new defaults
+ will be disallowed. It is encouraged to enable this flag along
+ with ``enforce_scope`` flag so that you can get benefits of new
+ defaults and ``scope_type`` together. This way operators can switch
+ to new defaults without overwriting the rule in policy file.