API: Add default policy for image endpoint

This patch amend I2ef1865e21b99f3bed3a5b7c53816cfe808a2fc2 to add default policy for image endpoint and also test cases. Change-Id: Idb9c866865242b5965da8acd9750854abb4f617a
2016-10-19 17:01:39 +08:00 · 2016-10-19 17:01:39 +08:00 · 09be7521cc
commit 09be7521cc
parent ea963601a5
2 changed files with 28 additions and 0 deletions
--- a/etc/zun/policy.json
+++ b/etc/zun/policy.json
@ -19,5 +19,8 @@
    "container:execute": "rule:admin_or_user",
    "container:kill": "rule:admin_or_user",

+    "image:create": "rule:default",
+    "image:get_all": "rule:default",
+
    "magnum-service:get_all": "rule:admin_api"
 }
--- a/zun/tests/unit/api/controllers/v1/test_images.py
+++ b/zun/tests/unit/api/controllers/v1/test_images.py
@ -117,3 +117,28 @@ class TestImageController(api_base.FunctionalTest):
        self.assertEqual(1, len(actual_images))
        self.assertEqual(test_image['uuid'],
                         actual_images[0].get('uuid'))
+
+
+class TestImageEnforcement(api_base.FunctionalTest):
+
+    def _common_policy_check(self, rule, func, *arg, **kwarg):
+        self.policy.set_rules({rule: 'project_id:non_fake'})
+        response = func(*arg, **kwarg)
+        self.assertEqual(403, response.status_int)
+        self.assertEqual('application/json', response.content_type)
+        self.assertTrue(
+            "Policy doesn't allow %s to be performed." % rule,
+            response.json['errors'][0]['detail'])
+
+    def test_policy_disallow_get_all(self):
+        self._common_policy_check(
+            'image:get_all', self.get_json, '/images/',
+            expect_errors=True)
+
+    def test_policy_disallow_create(self):
+        params = ('{"repo": "foo"}')
+        self._common_policy_check(
+            'image:create', self.app.post, '/v1/images/',
+            params=params,
+            content_type='application/json',
+            expect_errors=True)