From 85fca8e94c5966f829c37cc1f9175a4b5f10041a Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann <gmann@ghanshyammann.com>
Date: Thu, 2 Apr 2020 21:37:01 -0500
Subject: [PATCH] Introduce scope_types in server external events

oslo.policy introduced the scope_type feature which can
control the access level at system-level and project-level.
 - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
 - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html

Appropriate scope_type for nova case:
- https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope

This commit introduce scope_type for server external events API policies
as 'system'.

Also adds the test case with scope_type enabled and verify we
pass and fail the policy check with expected context.

Partial implement blueprint policy-defaults-refresh

Change-Id: I33771d8f203d8d49a20e572bd9d3f3d39f90e6f6
---
 nova/policies/server_external_events.py            | 11 ++++++-----
 .../unit/policies/test_server_external_events.py   | 14 ++++++++++++++
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/nova/policies/server_external_events.py b/nova/policies/server_external_events.py
index 2291c3d28c8f..83da4f9615b3 100644
--- a/nova/policies/server_external_events.py
+++ b/nova/policies/server_external_events.py
@@ -23,15 +23,16 @@ POLICY_ROOT = 'os_compute_api:os-server-external-events:%s'
 
 server_external_events_policies = [
     policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'create',
-        base.RULE_ADMIN_API,
-        "Create one or more external events",
-        [
+        name=POLICY_ROOT % 'create',
+        check_str=base.RULE_ADMIN_API,
+        description="Create one or more external events",
+        operations=[
             {
                 'method': 'POST',
                 'path': '/os-server-external-events'
             }
-        ]),
+        ],
+        scope_types=['system']),
 ]
 
 
diff --git a/nova/tests/unit/policies/test_server_external_events.py b/nova/tests/unit/policies/test_server_external_events.py
index dfd71f3ba7a1..932d521dd540 100644
--- a/nova/tests/unit/policies/test_server_external_events.py
+++ b/nova/tests/unit/policies/test_server_external_events.py
@@ -77,3 +77,17 @@ class ServerExternalEventsScopeTypePolicyTest(ServerExternalEventsPolicyTest):
     def setUp(self):
         super(ServerExternalEventsScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that admin is able to create the server external events.
+        self.admin_authorized_contexts = [
+            self.system_admin_context,
+        ]
+        # Check that non-admin is not able to create the server
+        # external events.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.project_admin_context,
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context,
+            self.other_project_member_context
+        ]