Merge "Ensure the sample policy file won't diverge"

2013-12-05 06:04:16 +00:00 · 2013-12-05 06:04:16 +00:00 · b2b6856ada
parent c88f025b56 4a3ba4c4e7
commit b2b6856ada
2 changed files with 38 additions and 1 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -93,5 +93,24 @@
    "identity:list_roles_for_trust": "",
    "identity:check_role_for_trust": "",
    "identity:get_role_for_trust": "",
-    "identity:delete_trust": ""
+    "identity:delete_trust": "",
+
+    "identity:create_consumer": "rule:admin_required",
+    "identity:get_consumer": "rule:admin_required",
+    "identity:list_consumers": "rule:admin_required",
+    "identity:delete_consumer": "rule:admin_required",
+    "identity:update_consumer": "rule:admin_required",
+
+    "identity:authorize_request_token": "rule:admin_required",
+    "identity:list_access_token_roles": "rule:admin_required",
+    "identity:get_access_token_role": "rule:admin_required",
+    "identity:list_access_tokens": "rule:admin_required",
+    "identity:get_access_token": "rule:admin_required",
+    "identity:delete_access_token": "rule:admin_required",
+
+    "identity:list_projects_for_endpoint": "rule:admin_required",
+    "identity:add_endpoint_to_project": "rule:admin_required",
+    "identity:check_endpoint_in_project": "rule:admin_required",
+    "identity:list_endpoints_for_project": "rule:admin_required",
+    "identity:remove_endpoint_from_project": "rule:admin_required"
 }
--- a/keystone/tests/test_policy.py
+++ b/keystone/tests/test_policy.py
@ -15,10 +15,13 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+import json
 import StringIO
 import tempfile
 import urllib2

+from testtools import matchers
+
 from keystone import config
 from keystone import exception
 from keystone.openstack.common.fixture import moxstubout
@ -208,3 +211,18 @@ class DefaultPolicyTestCase(tests.TestCase):
        self._set_rules(new_default_rule)
        self.assertRaises(exception.ForbiddenAction, rules.enforce,
                          self.credentials, "example:noexist", {})
+
+
+class PolicyJsonTestCase(tests.TestCase):
+
+    def _load_entries(self, filename):
+        return set(json.load(file(filename)))
+
+    def test_json_examples_have_matching_entries(self):
+        policy_keys = self._load_entries(tests.etcdir('policy.json'))
+        cloud_policy_keys = self._load_entries(
+            tests.etcdir('policy.v3cloudsample.json'))
+
+        diffs = set(policy_keys).difference(set(cloud_policy_keys))
+
+        self.assertThat(diffs, matchers.Equals(set()))