From 72e0ea0c10c32b3da81ecacbebff190a96e3baab Mon Sep 17 00:00:00 2001
From: Anthony Washington <anthony.washington@intel.com>
Date: Thu, 23 Mar 2017 18:34:11 +0000
Subject: [PATCH] Move access token to DocumentedRuleDefault

A new policy class was introduce that requires
additional parameters when defining policy objects.

This patch switches our access token revocation  policy object to
the policy.DocumentedRuleDefault and fills the
required policy parameters as needed.

Change-Id: I5703202cfc3e0f445b59374eeb848e1782e8d4e5
Partially-Implements: bp policy-docs
---
 keystone/common/policies/access_token.py | 46 +++++++++++++++++-------
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/keystone/common/policies/access_token.py b/keystone/common/policies/access_token.py
index 937a0c3afb..974bd62668 100644
--- a/keystone/common/policies/access_token.py
+++ b/keystone/common/policies/access_token.py
@@ -15,24 +15,46 @@ from oslo_policy import policy
 from keystone.common.policies import base
 
 access_token_policies = [
-    policy.RuleDefault(
+    policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'authorize_request_token',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Authorize OAUTH1 request token.',
+        operations=[{'path': '/v3/OS-OAUTH1/authorize/{request_token_id}',
+                     'method': 'PUT'}]),
+    policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_access_token',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Get OAUTH1 access token for user by access token ID.',
+        operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
+                              '{access_token_id}'),
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_access_token_role',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Get role for user OAUTH1 access token.',
+        operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
+                              '{access_token_id}/roles/{role_id}'),
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_access_tokens',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='List OAUTH1 access tokens for user.',
+        operations=[{'path': '/v3/users/{user_id}/OS-OAUTH1/access_tokens',
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_access_token_roles',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='List OAUTH1 access token roles.',
+        operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
+                              '{access_token_id}/roles'),
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_access_token',
-        check_str=base.RULE_ADMIN_REQUIRED)
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Delete OAUTH1 access token.',
+        operations=[{'path': ('/v3/users/{user_id}/OS-OAUTH1/access_tokens/'
+                              '{access_token_id}'),
+                     'method': 'DELETE'}])
 ]