From 273e8417d4a14a4c6d7eb514bce0cb317bd13d25 Mon Sep 17 00:00:00 2001
From: Anthony Washington
Date: Thu, 23 Mar 2017 18:45:17 +0000
Subject: [PATCH] Move project endpoint to DocumentedRuleDefault

A new policy class was introduce that requires additional parameters when defining policy objects This patch switches our project endpoint policy object to the policy.DocumentedRuleDefault and fills the required policy parameters as needed.

Change-Id: Ifc43008837b82e4b99ada844daa85472481fa904
Partially-Implements: bp policy-docs
---
keystone/common/policies/project_endpoint.py | 44 +++++++++++++++-----
1 file changed, 34 insertions(+), 10 deletions(-)
diff --git a/keystone/common/policies/project_endpoint.py b/keystone/common/policies/project_endpoint.py
index be84474981..a98489f8d3 100644
--- a/keystone/common/policies/project_endpoint.py
+++ b/keystone/common/policies/project_endpoint.py
@@ -16,21 +16,45 @@ from keystone.common.policies import base project_endpoint_policies = [ - policy.RuleDefault( + policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_projects_for_endpoint', - check_str=base.RULE_ADMIN_REQUIRED), - policy.RuleDefault( + check_str=base.RULE_ADMIN_REQUIRED, + description='List projects allowed to access an endpoint.', + operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/' + 'projects'), + 'method': 'GET'}]), + policy.DocumentedRuleDefault( name=base.IDENTITY % 'add_endpoint_to_project', - check_str=base.RULE_ADMIN_REQUIRED), - policy.RuleDefault( + check_str=base.RULE_ADMIN_REQUIRED, + description='Allow project to access an endpoint.', + operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' + 'endpoints/{endpoint_id}'), + 'method': 'PUT'}]), + policy.DocumentedRuleDefault( name=base.IDENTITY % 'check_endpoint_in_project', - check_str=base.RULE_ADMIN_REQUIRED), - policy.RuleDefault( + check_str=base.RULE_ADMIN_REQUIRED, + description='Check if a project is allowed to access an endpoint.', + operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' + 'endpoints/{endpoint_id}'), + 'method': 'GET'}, + {'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' + 'endpoints/{endpoint_id}'), + 'method': 'HEAD'}]), + policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_endpoints_for_project', - check_str=base.RULE_ADMIN_REQUIRED), - policy.RuleDefault( + check_str=base.RULE_ADMIN_REQUIRED, + description='List the endpoints a project is allowed to access.', + operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' + 'endpoints'), + 'method': 'GET'}]), + policy.DocumentedRuleDefault( name=base.IDENTITY % 'remove_endpoint_from_project', - check_str=base.RULE_ADMIN_REQUIRED) + check_str=base.RULE_ADMIN_REQUIRED, + description=('Remove access to an endpoint from a project that has ' + 'previously been given explicit access.'), + operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/' + 
'endpoints/{endpoint_id}'), + 'method': 'DELETE'}]) ]
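Review bot: The description added for `add_endpoint_to_project`, 'Allow project to access an endpoint.', names an outcome rather than the API operation, unlike the other four entries, which open with the verb of the call (List, Check, Remove). These strings are presumably rendered next to `check_str` in generated policy documentation, where "Allow project ..." can be misread as a statement about who the rule authorises rather than what the call does. I would word it as `description='Grant a project access to an endpoint.',` so an operator overriding the rule sees that it guards a state-changing PUT. In the `check_endpoint_in_project` entry, a short comment such as `# GET and HEAD share this rule; overriding it changes both.` above `operations=` would make the doubled path literal read as intentional.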