From d6c01bba595f06e308e7204302b996425edf3a3c Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Sun, 6 Dec 2020 14:19:06 -0600 Subject: [PATCH] [goal] Deprecate the JSON formatted policy file As per the community goal of migrating the policy file the format from JSON to YAML[1], we need to do two things: 1. Change the default value of '[oslo_policy] policy_file'' config option from 'policy.json' to 'policy.yaml' with upgrade checks. 2. Deprecate the JSON formatted policy file on the project side via warning in doc and releasenotes. Also replace policy.json to policy.yaml ref from doc and tests. [1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Change-Id: Idaa65dac1c97324d671b9a07a2f3d51bb128e8c2 --- barbican/cmd/status.py | 10 +++------- barbican/common/config.py | 19 ++++++++++++++++++ barbican/common/policy.py | 8 ++++++++ barbican/tests/api/test_resources_policy.py | 2 +- doc/source/admin/access_control.rst | 4 ++-- doc/source/configuration/policy.rst | 8 ++++++++ ...ormatted-policy-file-b135aa7551e81066.yaml | 20 +++++++++++++++++++ requirements.txt | 2 +- setup.cfg | 2 +- 9 files changed, 63 insertions(+), 12 deletions(-) create mode 100644 releasenotes/notes/deprecate-json-formatted-policy-file-b135aa7551e81066.yaml diff --git a/barbican/cmd/status.py b/barbican/cmd/status.py index daab75589..e5f3e4d6d 100644 --- a/barbican/cmd/status.py +++ b/barbican/cmd/status.py @@ -13,6 +13,7 @@ # under the License. from oslo_config import cfg +from oslo_upgradecheck import common_checks from oslo_upgradecheck import upgradecheck from barbican.i18n import _ 
@@ -26,11 +27,6 @@ class Checks(upgradecheck.UpgradeCommands): and added to _upgrade_checks tuple. """ - def _check_placeholder(self): - # This is just a placeholder for upgrade checks, it should be - # removed when the actual checks are added - return upgradecheck.Result(upgradecheck.Code.SUCCESS) - # The format of the check functions is to return an # oslo_upgradecheck.upgradecheck.Result # object with the appropriate @@ -39,8 +35,8 @@ class Checks(upgradecheck.UpgradeCommands): # in the returned Result's "details" attribute. The # summary will be rolled up at the end of the check() method. _upgrade_checks = ( - # In the future there should be some real checks added here - (_('Placeholder'), _check_placeholder), + (_("Policy File JSON to YAML Migration"), + (common_checks.check_policy_json, {'conf': cfg.CONF})), ) diff --git a/barbican/common/config.py b/barbican/common/config.py index 766f0feb8..7abd83f15 100644 --- a/barbican/common/config.py +++ b/barbican/common/config.py @@ -23,6 +23,7 @@ import os from oslo_config import cfg from oslo_log import log from oslo_middleware import cors +from oslo_policy import opts as policy_opts from oslo_service import _options from barbican import i18n as u 
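Review bot: The new `_upgrade_checks` entry hands `cfg.CONF` to `common_checks.check_policy_json`, while the `policy.yaml` default added elsewhere in this patch is set on `CONF = config.CONF` in barbican/common/policy.py; if those are not the same config object (not visible in this hunk), the check may resolve `policy_file` differently from the running service. Because the policy file decides who may call each Key Manager API, a false SUCCESS here would leave an operator unaware that a customised JSON policy still needs migrating. The diffstat shows no test for barbican/cmd/status.py, so a unit test that points `policy_file` at a JSON-formatted file and expects `upgradecheck.Code.FAILURE` would pin the behaviour down. A short comment above the tuple, such as `# conf must be the object the policy enforcer reads policy_file from`, would also help. The `Checks` class body starts and ends outside the hunk.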
@@ -322,6 +323,24 @@ def setup_remote_pydev_debug(): raise +def set_lib_defaults(): + """Update default value for configuration options from other namespace. + + Example, oslo lib config options. This is needed for + config generator tool to pick these default value changes. + https://docs.openstack.org/oslo.config/latest/cli/ + generator.html#modifying-defaults-from-other-namespaces + """ + + set_middleware_defaults() + + # TODO(gmann): Remove setting the default value of config policy_file + # once oslo_policy change the default value to 'policy.yaml'. + # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 + DEFAULT_POLICY_FILE = 'policy.yaml' + policy_opts.set_defaults(CONF, DEFAULT_POLICY_FILE) + + def set_middleware_defaults(): """Update default configuration options for oslo.middleware.""" cors.set_defaults( diff --git a/barbican/common/policy.py b/barbican/common/policy.py index 42f7c3ed9..06bdd8d96 100644 --- a/barbican/common/policy.py +++ b/barbican/common/policy.py @@ -13,6 +13,7 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_policy import opts from oslo_policy import policy from barbican.common import config @@ -22,6 +23,13 @@ CONF = config.CONF ENFORCER = None +# TODO(gmann): Remove setting the default value of config policy_file +# once oslo_policy change the default value to 'policy.yaml'. +# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 +DEFAULT_POLICY_FILE = 'policy.yaml' +opts.set_defaults(CONF, DEFAULT_POLICY_FILE) + + def reset(): global ENFORCER if ENFORCER: diff --git a/barbican/tests/api/test_resources_policy.py b/barbican/tests/api/test_resources_policy.py index 64fa25fe7..a892aa562 100644 --- a/barbican/tests/api/test_resources_policy.py +++ b/barbican/tests/api/test_resources_policy.py 
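Review bot: `DEFAULT_POLICY_FILE` is assigned as a local inside `set_lib_defaults()` here and again at module level in the barbican/common/policy.py hunk (`@@ -22,6 +23,13 @@`), so the value that selects the access-control policy file lives in two places that can drift apart. Define it once at module level in config.py and have policy.py call `opts.set_defaults(CONF, config.DEFAULT_POLICY_FILE)`; the TODO and its URL then only need to appear once. The docstring would read more clearly as `"""Set defaults for options owned by other libraries (oslo.middleware, oslo.policy) so the config generator picks them up."""`.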
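Review bot: `opts.set_defaults(CONF, DEFAULT_POLICY_FILE)` in barbican/common/policy.py runs as an import-time side effect and changes which file the enforcer loads, but nothing in this hunk covers a deployment that has a customised `policy.json` and no explicit `[oslo_policy] policy_file` setting. Whether such a deployment keeps its custom rules or silently reverts to the in-code defaults depends on how the installed oslo.policy handles a missing `policy.yaml`. requirements.txt stays at `oslo.policy>=3.6.0` in this patch, so that floor should be confirmed to cover the case. A comment here, for example `# NOTE: an existing policy.json is only honoured if policy_file is set explicitly or oslo.policy falls back to it`, would make the operational risk visible to maintainers.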
@@ -36,7 +36,7 @@ from barbican.model import models from barbican.tests import utils -# Point to the policy.json file located in source control. +# Point to the policy.yaml file located in source control. TEST_VAR_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__), '../../../etc', 'barbican')) diff --git a/doc/source/admin/access_control.rst b/doc/source/admin/access_control.rst index e1fe38a13..8f5eae6d8 100644 --- a/doc/source/admin/access_control.rst +++ b/doc/source/admin/access_control.rst @@ -9,7 +9,7 @@ Like many other services, the Key Manager service supports the protection of its APIs by enforcing policy rules defined in a policy file. The Key Manager service stores a reference to a policy JSON file in its configuration file, :file:`/etc/barbican/barbican.conf`. Typically this file is named -``policy.json`` and it is stored in :file:`/etc/barbican/policy.json`. +``policy.yaml`` and it is stored in :file:`/etc/barbican/policy.yaml`. Each Key Manager API call has a line in the policy file that dictates which level of access applies: @@ -46,7 +46,7 @@ Default Policy The policy engine in OpenStack is very flexible and allows for customized policies that make sense for your particular cloud. The Key Manager service -comes with a sample ``policy.json`` file which can be used as the starting +comes with a sample ``policy.yaml`` file which can be used as the starting point for a customized policy. The sample policy defines 5 distinct roles: key-manager:service-admin diff --git a/doc/source/configuration/policy.rst b/doc/source/configuration/policy.rst index 6c6f80b9a..246308cb5 100644 --- a/doc/source/configuration/policy.rst +++ b/doc/source/configuration/policy.rst 
@@ -4,6 +4,14 @@ Policy configuration ==================== +.. warning:: + + JSON formatted policy file is deprecated since Barbican 12.0.0 (Wallaby). + This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing + JSON-formatted policy file to YAML in a backward-compatible way. + +.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html + Configuration ~~~~~~~~~~~~~ diff --git a/releasenotes/notes/deprecate-json-formatted-policy-file-b135aa7551e81066.yaml b/releasenotes/notes/deprecate-json-formatted-policy-file-b135aa7551e81066.yaml new file mode 100644 index 000000000..c9c530004 --- /dev/null +++ b/releasenotes/notes/deprecate-json-formatted-policy-file-b135aa7551e81066.yaml @@ -0,0 +1,20 @@ +--- +upgrade: + - | + The default value of ``[oslo_policy] policy_file`` config option has + been changed from ``policy.json`` to ``policy.yaml``. + Operators who are utilizing customized or previously generated + static policy JSON files (which are not needed by default), should + generate new policy files or convert them in YAML format. Use the + `oslopolicy-convert-json-to-yaml + `_ + tool to convert a JSON to YAML formatted policy file in + backward compatible way. +deprecations: + - | + Use of JSON policy files was deprecated by the ``oslo.policy`` library + during the Victoria development cycle. As a result, this deprecation is + being noted in the Wallaby cycle with an anticipated future removal of support + by ``oslo.policy``. As such operators will need to convert to YAML policy + files. Please see the upgrade notes for details on migration of any + custom policy files. diff --git a/requirements.txt b/requirements.txt index 3d6174dfb..61a1ed727 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -16,7 +16,7 @@ oslo.log>=4.3.0 # Apache-2.0 oslo.policy>=3.6.0 # Apache-2.0 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0 -oslo.upgradecheck>=0.1.1 # Apache-2.0 +oslo.upgradecheck>=1.3.0 # Apache-2.0 oslo.utils>=3.33.0 # Apache-2.0 oslo.versionedobjects>=1.31.2 # Apache-2.0 Paste>=2.0.2 # MIT diff --git a/setup.cfg b/setup.cfg index ad01a3f9f..c73d5a19e 100644 --- a/setup.cfg +++ b/setup.cfg @@ -82,7 +82,7 @@ oslo.config.opts = barbican.certificate.plugin = barbican.plugin.interface.certificate_manager:list_opts barbican.certificate.plugin.snakeoil = barbican.plugin.snakeoil_ca:list_opts oslo.config.opts.defaults = - barbican.common.config = barbican.common.config:set_middleware_defaults + barbican.common.config = barbican.common.config:set_lib_defaults # TBD: OpenStack stuff... # NOTE(jkoelker) To run the test suite under nose install the following