From 616b15b3dbab3b5e745b598114ade132d39f85a8 Mon Sep 17 00:00:00 2001
From: Pavlo Shchelokovskyy <shchelokovskyy@gmail.com>
Date: Wed, 1 Feb 2023 17:20:29 +0200
Subject: [PATCH] Add oslo.policy.enforcer entry point

this will allow various oslo.policy scripts like
`oslopolicy-policy-generator` to work with Gnocchi.

Fixes: #1291
---
 gnocchi/rest/app.py      |  4 +---
 gnocchi/rest/policies.py | 14 ++++++++++++++
 setup.cfg                |  3 +++
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/gnocchi/rest/app.py b/gnocchi/rest/app.py
index 39020d049..86c3747c3 100644
--- a/gnocchi/rest/app.py
+++ b/gnocchi/rest/app.py
@@ -21,7 +21,6 @@
 
 import daiquiri
 from oslo_middleware import cors
-from oslo_policy import policy
 from paste import deploy
 import pecan
 from pecan import jsonify
@@ -52,8 +51,7 @@ class GnocchiHook(pecan.hooks.PecanHook):
     def __init__(self, conf):
         self.backends = {}
         self.conf = conf
-        self.policy_enforcer = policy.Enforcer(conf)
-        self.policy_enforcer.register_defaults(policies.list_rules())
+        self.policy_enforcer = policies.init(conf)
         self.auth_helper = driver.DriverManager("gnocchi.rest.auth_helper",
                                                 conf.api.auth_mode,
                                                 invoke_on_load=True).driver
diff --git a/gnocchi/rest/policies.py b/gnocchi/rest/policies.py
index cd0cb9abf..0e06cb1a8 100644
--- a/gnocchi/rest/policies.py
+++ b/gnocchi/rest/policies.py
@@ -13,6 +13,7 @@
 #    under the License.
 
 
+from oslo_config import cfg
 from oslo_policy import policy
 
 ADMIN = "role:admin"
@@ -412,3 +413,16 @@ def list_rules():
         + resource_rules + resource_type_rules \
         + archive_policy_rules + archive_policy_rule_rules \
         + metric_rules + measure_rules
+
+
+def init(conf):
+    policy_enforcer = policy.Enforcer(conf)
+    policy_enforcer.register_defaults(list_rules())
+    return policy_enforcer
+
+
+def get_enforcer():
+    # This method is used by oslopolicy CLI scripts in order to generate policy
+    # files from overrides on disk and defaults in code.
+    cfg.CONF([], project='gnocchi')
+    return init(cfg.CONF)
diff --git a/setup.cfg b/setup.cfg
index cc24fa74a..17ee60b3c 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -160,6 +160,9 @@ oslo.config.opts.defaults =
 oslo.policy.policies =
     gnocchi = gnocchi.rest.policies:list_rules
 
+oslo.policy.enforcer =
+    gnocchi = gnocchi.rest.policies:get_enforcer
+
 [build_sphinx]
 all_files = 1
 build-dir = doc/build