From 4a3ba4c4e76d59fc669246e7ed025edb5426895d Mon Sep 17 00:00:00 2001
From: David Stanek
Date: Mon, 2 Dec 2013 15:59:11 +0000
Subject: [PATCH] Ensure the sample policy file won't diverge
Currently rules should appear in both policy.v3cloudsample.json and policy.json. In the future there may be a few exceptions that can be documented by making the exception explicit in the test.
Change-Id: I3e9cdf64998d667941c44dc6edb48c2f7a9d37c4
Closes-Bug: #1255564
---
 etc/policy.v3cloudsample.json | 21 ++++++++++++++++++++-
 keystone/tests/test_policy.py | 18 ++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 8c7e1daca0..6ec65de097 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -92,5 +92,24 @@
 "identity:list_roles_for_trust": "",
 "identity:check_role_for_trust": "",
 "identity:get_role_for_trust": "",
- "identity:delete_trust": ""
+ "identity:delete_trust": "",
+
+ "identity:create_consumer": "rule:admin_required",
+ "identity:get_consumer": "rule:admin_required",
+ "identity:list_consumers": "rule:admin_required",
+ "identity:delete_consumer": "rule:admin_required",
+ "identity:update_consumer": "rule:admin_required",
+
+ "identity:authorize_request_token": "rule:admin_required",
+ "identity:list_access_token_roles": "rule:admin_required",
+ "identity:get_access_token_role": "rule:admin_required",
+ "identity:list_access_tokens": "rule:admin_required",
+ "identity:get_access_token": "rule:admin_required",
+ "identity:delete_access_token": "rule:admin_required",
+
+ "identity:list_projects_for_endpoint": "rule:admin_required",
+ "identity:add_endpoint_to_project": "rule:admin_required",
+ "identity:check_endpoint_in_project": "rule:admin_required",
+ "identity:list_endpoints_for_project": "rule:admin_required",
+ "identity:remove_endpoint_from_project": "rule:admin_required"
 }
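Review bot: The sixteen added rules are all `rule:admin_required`, which may be broader than this file intends, since by its name it is the sample for v3 cloud deployments. OAuth consumers and endpoint-to-project associations are deployment-wide resources. If `admin_required` in this file is satisfied by an admin role on any project or domain (its definition is outside the hunk), a domain-level admin could create consumers or change endpoint filtering for the whole cloud. Consider binding these rules to the sample's cloud-wide admin rule, if it defines one, or state in the commit message that the looser rule is intentional, because JSON cannot carry a comment.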
diff --git a/keystone/tests/test_policy.py b/keystone/tests/test_policy.py index cb641bf5b3..cb5ae3ce8a 100644 --- a/keystone/tests/test_policy.py +++ b/keystone/tests/test_policy.py @@ -15,10 +15,13 @@ # License for the specific language governing permissions and limitations # under the License. +import json import StringIO import tempfile import urllib2 +from testtools import matchers + from keystone import config from keystone import exception from keystone.openstack.common.fixture import moxstubout @@ -208,3 +211,18 @@ class DefaultPolicyTestCase(tests.TestCase): self._set_rules(new_default_rule) self.assertRaises(exception.ForbiddenAction, rules.enforce, self.credentials, "example:noexist", {}) + + +class PolicyJsonTestCase(tests.TestCase): + + def _load_entries(self, filename): + return set(json.load(file(filename))) + + def test_json_examples_have_matching_entries(self): + policy_keys = self._load_entries(tests.etcdir('policy.json')) + cloud_policy_keys = self._load_entries( + tests.etcdir('policy.v3cloudsample.json')) + + diffs = set(policy_keys).difference(set(cloud_policy_keys)) + + self.assertThat(diffs, matchers.Equals(set()))
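Review bot: `test_json_examples_have_matching_entries` compares in one direction only: `set(policy_keys).difference(set(cloud_policy_keys))` catches a rule missing from the sample, but a stale or misspelled `identity:` key that exists only in the sample goes unnoticed. If the reverse check is omitted because the sample defines extra helper rules, say so in a comment and compare only the API keys, e.g. `extra = set(k for k in cloud_policy_keys if k.startswith('identity:')) - policy_keys`. Only key names are compared, so a rule that is `"rule:admin_required"` in one file and `""` in the other still passes; the test's docstring should state that limit. `_load_entries` also leaves the handle from `file(filename)` unclosed, and the `set(...)` wrappers are redundant because it already returns a set.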