Add upload policy for glance v2 api

Related to bug 1250918

There currently exists no check in set_data function for glance
api v2 in the policy layer. This patch adds upload_image policy.

DocImpact

Change-Id: Ibccc78f8bccff3baa5aca574cf17bd14c5403ca2

doc/source/policies.rst

@@ -50,6 +50,10 @@ The actions that may have a rule enforced on them are:
   * ``GET /v1/images/<IMAGE_ID>``
   * ``GET /v2/images/<IMAGE_ID>/file``
 
+* ``upload_image`` - Upload binary image data
+
+  * ``PUT /v2/images/<IMAGE_ID>/file``
+
 * ``add_image`` - Create an image entity
 
   * ``POST /v1/images``

etc/policy.json

@@ -4,12 +4,14 @@
 
     "add_image": "",
     "delete_image": "",
-    "download_image": "",
     "get_image": "",
     "get_images": "",
     "modify_image": "",
     "publicize_image": "",
 
+    "download_image": "",
+    "upload_image": "",
+
     "delete_image_location": "",
     "get_image_location": "",
     "set_image_location": "",

glance/api/policy.py

@@ -233,6 +233,10 @@ class ImageProxy(glance.domain.proxy.Image):
         self.policy.enforce(self.context, 'download_image', {})
         return self.image.get_data(*args, **kwargs)
 
+    def set_data(self, *args, **kwargs):
+        self.policy.enforce(self.context, 'upload_image', {})
+        return self.image.set_data(*args, **kwargs)
+
     def get_member_repo(self, **kwargs):
         member_repo = self.image.get_member_repo(**kwargs)
         return ImageMemberRepoProxy(member_repo, self.context, self.policy)

glance/tests/etc/policy.json

@@ -5,12 +5,14 @@
 
     "add_image": "",
     "delete_image": "",
-    "download_image": "",
     "get_image": "",
     "get_images": "",
     "modify_image": "",
     "publicize_image": "",
 
+    "download_image": "",
+    "upload_image": "",
+
     "delete_image_location": "",
     "get_image_location": "",
     "set_image_location": "",

glance/tests/unit/test_policy.py

@@ -268,6 +268,12 @@ class TestImagePolicy(test_utils.BaseTestCase):
         self.assertRaises(exception.Forbidden, image.get_data)
         self.policy.enforce.assert_called_once_with({}, "download_image", {})
 
+    def test_image_set_data(self):
+        self.policy.enforce.side_effect = exception.Forbidden
+        image = glance.api.policy.ImageProxy(self.image_stub, {}, self.policy)
+        self.assertRaises(exception.Forbidden, image.set_data)
+        self.policy.enforce.assert_called_once_with({}, "upload_image", {})
+
 
 class TestMemberPolicy(test_utils.BaseTestCase):
     def setUp(self):