Update default policy settings

Also, there were some issues with policy:
* 'publicize_image' instead of 'publicize_package';
* corresponding actions have different names;
* user could not upload packages by default;
* user could mark package public/unpublic;
* user could delete pablic packages.

Change-Id: I5459016a4e7401b58fcb343e40d0047a4959b7df
Closes-Bug: #1439240
Closes-Bug: #1436289

etc/murano/policy.json

@@ -3,10 +3,33 @@
     "admin_api": "is_admin:True",
     "default": "",
 
-    "update_package": "rule:admin_api",
-    "upload_package": "rule:admin_api",
-    "delete_package": "rule:admin_api",
+    "get_package": "rule:default",
+    "upload_package": "rule:default",
+    "modify_package": "rule:default",
+    "publicize_package": "rule:admin_api",
+    "manage_public_package": "rule:default",
+    "delete_package": "rule:default",
+    "download_package": "rule:default",
+
+    "get_category": "rule:default",
     "delete_category": "rule:admin_api",
-    "add_category": "rule:admin_api"
+    "add_category": "rule:admin_api",
+
+    "list_deployments": "rule:default",
+    "statuses_deployments": "rule:default",
+
+    "list_environments": "rule:default",
+    "show_environment": "rule:default",
+    "update_environment": "rule:default",
+    "create_environment": "rule:default",
+    "delete_environment": "rule:default",
+
+    "list_env_templates": "rule:default",
+    "create_env_template": "rule:default",
+    "show_env_template": "rule:default",
+    "update_env_template": "rule:default",
+    "delete_env_template": "rule:default",
+
+    "execute_action": "rule:default"
 }
 

murano/api/v1/catalog.py

@@ -132,13 +132,22 @@ class Controller(object):
                                 "value":"New description" }
             { "op": "replace", "path": "/name", "value": "New name" }
         """
-        policy.check("update_package", req.context, {'package_id': package_id})
+        policy.check("modify_package", req.context, {'package_id': package_id})
+
+        pkg_to_update = db_api.package_get(package_id, req.context)
+        if pkg_to_update.is_public:
+            policy.check("manage_public_package", req.context)
 
         _check_content_type(req, 'application/murano-packages-json-patch')
         if not isinstance(body, list):
             msg = _('Request body must be a JSON array of operation objects.')
             LOG.error(msg)
             raise exc.HTTPBadRequest(explanation=msg)
+        for change in body:
+            if 'is_public' in change['path']:
+                if change['value'] is True and not pkg_to_update.is_public:
+                    policy.check('publicize_package', req.context)
+                break
         package = db_api.package_update(package_id, body, req.context)
 
         return package.to_dict()
@@ -167,7 +176,7 @@ class Controller(object):
 
             return value
 
-        policy.check("search_packages", req.context)
+        policy.check("get_package", req.context)
 
         filters = _get_filters(req.GET.items())
         limit = _validate_limit(filters.get('limit'))
@@ -200,6 +209,9 @@ class Controller(object):
         else:
             package_meta = {}
 
+        if package_meta.get('is_public'):
+            policy.check('publicize_package', req.context)
+
         with tempfile.NamedTemporaryFile(delete=False) as tempf:
             LOG.debug("Storing package archive in a temporary file")
             content = file_obj.file.read()
@@ -226,7 +238,7 @@ class Controller(object):
                 package_meta[v] = getattr(pkg_to_upload, k)
 
         if req.params.get('is_public', '').lower() == 'true':
-            policy.check('publicize_image', req.context)
+            policy.check('publicize_package', req.context)
             package_meta['is_public'] = True
 
         try:
@@ -239,14 +251,14 @@ class Controller(object):
 
     def get_ui(self, req, package_id):
         target = {'package_id': package_id}
-        policy.check("get_package_ui", req.context, target)
+        policy.check("get_package", req.context, target)
 
         package = db_api.package_get(package_id, req.context)
         return package.ui_definition
 
     def get_logo(self, req, package_id):
         target = {'package_id': package_id}
-        policy.check("get_package_logo", req.context, target)
+        policy.check("get_package", req.context, target)
 
         package = db_api.package_get(package_id, req.context)
         return package.logo
@@ -265,6 +277,10 @@ class Controller(object):
     def delete(self, req, package_id):
         target = {'package_id': package_id}
         policy.check("delete_package", req.context, target)
+
+        package = db_api.package_get(package_id, req.context)
+        if package.is_public:
+            policy.check("manage_public_package", req.context, target)
         db_api.package_delete(package_id, req.context)
 
     def get_category(self, req, category_id):
@@ -273,12 +289,12 @@ class Controller(object):
         return category.to_dict()
 
     def show_categories(self, req):
-        policy.check("show_categories", req.context)
+        policy.check("get_category", req.context)
         categories = db_api.categories_list()
         return {'categories': [category.name for category in categories]}
 
     def list_categories(self, req):
-        policy.check("list_categories", req.context)
+        policy.check("get_category", req.context)
         categories = db_api.categories_list()
         return {'categories': [category.to_dict() for category in categories]}
 

murano/tests/unit/api/v1/test_catalog.py

@@ -94,9 +94,9 @@ class TestCatalogApi(test_base.ControllerTest, test_base.MuranoApiTestCase):
         })
 
         self.expect_policy_check('upload_package')
-        self.expect_policy_check('publicize_image')
+        self.expect_policy_check('publicize_package')
         self.expect_policy_check('upload_package')
-        self.expect_policy_check('publicize_image')
+        self.expect_policy_check('publicize_package')
 
         file_obj_str = cStringIO.StringIO("This is some dummy data")
         file_obj = mock.MagicMock(cgi.FieldStorage)