From e3e1a455b756c0d28f98e83096aa2b3aeb0f6269 Mon Sep 17 00:00:00 2001
From: Hongbin Lu
Date: Sat, 5 May 2018 22:12:47 +0000
Subject: [PATCH] Require admin privilege for image APIs
The image APIs are designed for pull/delete images at a compute node. Non-admin users should be disallowed to access individual compute node. This patch enforce that.
Change-Id: I23b559dae6d695903a7ea26b48a1a17c45515910
Partial-Implements: blueprint rework-image-api
---
 zun/common/policies/image.py | 6 +++---
 .../unit/api/controllers/v1/test_images.py | 20 ++++++++++++-------
 2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/zun/common/policies/image.py b/zun/common/policies/image.py
index 7d5f4b864..a2bb0f9c9 100644
--- a/zun/common/policies/image.py
+++ b/zun/common/policies/image.py
@@ -22,7 +22,7 @@ rules = [
 # https://developer.openstack.org/api-ref/application-container/
 policy.DocumentedRuleDefault(
 name=IMAGE % 'pull',
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.RULE_ADMIN_API,
 description='Pull an image.',
 operations=[
 {
@@ -36,7 +36,7 @@ rules = [
 # https://developer.openstack.org/api-ref/application-container/
 policy.DocumentedRuleDefault(
 name=IMAGE % 'get_all',
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.RULE_ADMIN_API,
 description='Print a list of available images.',
 operations=[
 {
@@ -47,7 +47,7 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name=IMAGE % 'get_one',
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.RULE_ADMIN_API,
 description='Retrieve the details of a specific image.',
 operations=[
 {
diff --git a/zun/tests/unit/api/controllers/v1/test_images.py b/zun/tests/unit/api/controllers/v1/test_images.py
index a98f0cfb2..a8bdb1087 100644
--- a/zun/tests/unit/api/controllers/v1/test_images.py
+++ b/zun/tests/unit/api/controllers/v1/test_images.py
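Review bot: Switching `check_str` to `base.RULE_ADMIN_API` here (and in the get_all and get_one hunks below) locks out every non-admin caller, yet the rule `description` strings still read as if the operations were generally available; `description='Pull an image (admin only).'` and the same suffix on the other two would keep the generated policy reference honest. The commit message also names image delete, but no delete rule is changed in these hunks; if one exists elsewhere in this file with `base.RULE_ADMIN_OR_OWNER`, it stays open to project members and belongs in this change. Tightening a default from admin-or-owner to admin-only is a backward-incompatible API change for existing deployments, so a release note is warranted. Each hunk ends inside the `operations=[` list, so the rest of every `DocumentedRuleDefault(` call is outside the hunk.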
@@ -23,8 +23,9 @@ from zun.tests.unit.db import utils
 class TestImageController(api_base.FunctionalTest):
+ @mock.patch('zun.common.policy.enforce', return_value=True)
 @patch('zun.compute.api.API.image_pull')
- def test_image_pull(self, mock_image_pull):
+ def test_image_pull(self, mock_image_pull, mock_policy_enforce):
 mock_image_pull.side_effect = lambda x, y: y
 params = ('{"repo": "hello-world"}')
@@ -53,8 +54,9 @@ class TestImageController(api_base.FunctionalTest):
 content_type='application/json')
 self.assertTrue(mock_image_pull.not_called)
+ @mock.patch('zun.common.policy.enforce', return_value=True)
 @patch('zun.compute.api.API.image_pull')
- def test_image_pull_conflict(self, mock_image_pull):
+ def test_image_pull_conflict(self, mock_image_pull, mock_policy_enforce):
 mock_image_pull.side_effect = lambda x, y: y
 params = ('{"repo": "hello-world"}')
@@ -68,9 +70,10 @@ class TestImageController(api_base.FunctionalTest):
 params=params, content_type='application/json')
 self.assertTrue(mock_image_pull.not_called)
+ @mock.patch('zun.common.policy.enforce', return_value=True)
 @patch('zun.compute.api.API.image_pull')
 def test_pull_image_set_project_id_and_user_id(
- self, mock_image_pull):
+ self, mock_image_pull, mock_policy_enforce):
 def _create_side_effect(cnxt, image):
 self.assertEqual(self.context.project_id, image.project_id)
 self.assertEqual(self.context.user_id, image.user_id)
@@ -82,8 +85,9 @@ class TestImageController(api_base.FunctionalTest):
 params=params, content_type='application/json')
+ @mock.patch('zun.common.policy.enforce', return_value=True)
 @patch('zun.compute.api.API.image_pull')
- def test_image_pull_with_tag(self, mock_image_pull):
+ def test_image_pull_with_tag(self, mock_image_pull, mock_policy_enforce):
 mock_image_pull.side_effect = lambda x, y: y
 params = ('{"repo": "hello-world:latest"}')
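Review bot: Patching `zun.common.policy.enforce` with `return_value=True` on every method, starting with `test_image_pull` in the -23 hunk, means no test in this file exercises the admin-only check the commit introduces, and the new `mock_policy_enforce` parameter is never inspected in any of them (likewise in the -53, -68, -82, -94 and -127 hunks). A single negative case that leaves `enforce` unpatched, runs with a non-admin context and asserts the pull is refused and `mock_image_pull.assert_not_called()` holds would make the policy change testable; as written, reverting the `check_str` edits would not fail anything here. Separately, the pre-existing `self.assertTrue(mock_image_pull.not_called)` visible in the -53 and -68 context cannot fail, because `not_called` is an auto-created Mock attribute that is always truthy; `mock_image_pull.assert_not_called()` is the intended assertion. The new decorator stacks mix `@mock.patch(...)` with `@patch(...)`; using one spelling would read more consistently, assuming both are imported at the top of the module, which lies outside these hunks.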
@@ -94,8 +98,9 @@ class TestImageController(api_base.FunctionalTest):
 self.assertEqual(202, response.status_int)
 self.assertTrue(mock_image_pull.called)
+ @mock.patch('zun.common.policy.enforce', return_value=True)
 @patch('zun.objects.Image.list')
- def test_get_all_images(self, mock_image_list):
+ def test_get_all_images(self, mock_image_list, mock_policy_enforce):
 test_image = utils.get_test_image()
 images = [objects.Image(self.context, **test_image)]
 mock_image_list.return_value = images
@@ -127,9 +132,10 @@ class TestImageController(api_base.FunctionalTest):
 self.assertEqual(test_image['uuid'], response.json['uuid'])
+ @mock.patch('zun.common.policy.enforce', return_value=True)
 @patch('zun.objects.Image.list')
- def test_get_all_images_with_pagination_marker(self, mock_image_list
- ):
+ def test_get_all_images_with_pagination_marker(
+ self, mock_image_list, mock_policy_enforce):
 image_list = []
 for id_ in range(4):
 test_image = utils.create_test_image(