From 09be7521cc42f3908d9547f470672eaaa0138996 Mon Sep 17 00:00:00 2001
From: Eli Qiao
Date: Wed, 19 Oct 2016 17:01:39 +0800
Subject: [PATCH] API: Add default policy for image endpoint

This patch amend I2ef1865e21b99f3bed3a5b7c53816cfe808a2fc2 to add default policy for image endpoint and also test cases.

Change-Id: Idb9c866865242b5965da8acd9750854abb4f617a
---
 etc/zun/policy.json | 3 +++
 .../unit/api/controllers/v1/test_images.py | 25 +++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/etc/zun/policy.json b/etc/zun/policy.json
index 2e5b62ae9..bfc8c0595 100644
--- a/etc/zun/policy.json
+++ b/etc/zun/policy.json
@@ -19,5 +19,8 @@
 "container:execute": "rule:admin_or_user",
 "container:kill": "rule:admin_or_user",
+ "image:create": "rule:default",
+ "image:get_all": "rule:default",
+
 "magnum-service:get_all": "rule:admin_api"
 }
diff --git a/zun/tests/unit/api/controllers/v1/test_images.py b/zun/tests/unit/api/controllers/v1/test_images.py
index 647e76263..4581eb563 100644
--- a/zun/tests/unit/api/controllers/v1/test_images.py
+++ b/zun/tests/unit/api/controllers/v1/test_images.py
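Review bot: Both new entries in `etc/zun/policy.json` bind to `rule:default`, while the container actions directly above them in this hunk use `rule:admin_or_user`, and the definition of `default` is outside the hunk. If `default` is looser than `admin_or_user`, image creation ends up less protected than container operations; please confirm what it resolves to, or name the rule explicitly, e.g. `"image:create": "rule:admin_or_user",`. Only `image:create` and `image:get_all` are listed, so any other image action presumably relies on the policy engine's fallback rule and should be checked as well.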
@@ -117,3 +117,28 @@ class TestImageController(api_base.FunctionalTest):
 self.assertEqual(1, len(actual_images))
 self.assertEqual(test_image['uuid'], actual_images[0].get('uuid'))
+
+
+class TestImageEnforcement(api_base.FunctionalTest):
+
+ def _common_policy_check(self, rule, func, *arg, **kwarg):
+ self.policy.set_rules({rule: 'project_id:non_fake'})
+ response = func(*arg, **kwarg)
+ self.assertEqual(403, response.status_int)
+ self.assertEqual('application/json', response.content_type)
+ self.assertTrue(
+ "Policy doesn't allow %s to be performed." % rule,
+ response.json['errors'][0]['detail'])
+
+ def test_policy_disallow_get_all(self):
+ self._common_policy_check(
+ 'image:get_all', self.get_json, '/images/',
+ expect_errors=True)
+
+ def test_policy_disallow_create(self):
+ params = ('{"repo": "foo"}')
+ self._common_policy_check(
+ 'image:create', self.app.post, '/v1/images/',
+ params=params,
+ content_type='application/json',
+ expect_errors=True)
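Review bot: The `self.assertTrue(...)` call in `_common_policy_check` can never fail, because `assertTrue` takes the value under test first and the failure message second; the non-empty format string is always truthy and `response.json['errors'][0]['detail']` is only used as the message. The enforcement tests therefore pin the 403 status and content type but never compare the denial detail, so a wrong or missing error body would go unnoticed. Compare the two values instead, e.g. `self.assertEqual("Policy doesn't allow %s to be performed." % rule, response.json['errors'][0]['detail'])`, or use `assertIn` if the detail carries extra text.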