Move access token to DocumentedRuleDefault

A new policy class was introduce that requires additional parameters when defining policy objects. This patch switches our access token revocation policy object to the policy.DocumentedRuleDefault and fills the required policy parameters as needed. Change-Id: I5703202cfc3e0f445b59374eeb848e1782e8d4e5 Partially-Implements: bp policy-docs
2017-03-23 18:34:11 +00:00 · 2017-03-23 18:34:11 +00:00 · 72e0ea0c10
parent 9034755743
commit 72e0ea0c10
1 changed files with 34 additions and 12 deletions
--- a/keystone/common/policies/access_token.py
+++ b/keystone/common/policies/access_token.py
@ -15,24 +15,46 @@ from oslo_policy import policy
 from keystone.common.policies import base

 access_token_policies = [
-    policy.RuleDefault(
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'authorize_request_token',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Authorize OAUTH1 request token.',
+        operations=[{'path': '/v3/OS-OAUTH1/authorize/{request_token_id}',
+                     'method': 'PUT'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_access_token',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Get OAUTH1 access token for user by access token ID.',
+        operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
+                              '{access_token_id}'),
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_access_token_role',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Get role for user OAUTH1 access token.',
+        operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
+                              '{access_token_id}/roles/{role_id}'),
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_access_tokens',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='List OAUTH1 access tokens for user.',
+        operations=[{'path': '/v3/users/{user_id}/OS-OAUTH1/access_tokens',
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_access_token_roles',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='List OAUTH1 access token roles.',
+        operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
+                              '{access_token_id}/roles'),
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_access_token',
-        check_str=base.RULE_ADMIN_REQUIRED)
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Delete OAUTH1 access token.',
+        operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
+                              '{access_token_id}'),
+                     'method': 'DELETE'}])
 ]