Fix Secure RBAC policies for Orders

This patch fixes policy issues for deployments that have not yet opted into the Secure RBAC defaults by making sure that the new policies are only evaluated when enforce_new_defaults = True. This prevents policy side-effects where some users with roles used in the new policy defaults are able to access APIs that they were not allowed to access with the legacy deprecated policies. This patch also deprecates the old policies using DeprecatedRule objects from olso_policy to ensure that the enforce_new_defaults option works as expected. Story: 2010235 Change-Id: I8131987a5b3fc200674b61a52eebb93717d84baa
2022-08-25 18:28:11 +02:00
parent ea4c511918
commit 0c8efcd2ac
2 changed files with 58 additions and 13 deletions
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
@@ -121,6 +121,12 @@ rules = [
    policy.RuleDefault(
        name='container_project_creator_role',
        check_str="rule:creator and rule:container_project_match"),
+    policy.RuleDefault(
+        name='order_project_match',
+        check_str='project_id:%(target.order.project_id)s'),
+    policy.RuleDefault(
+        name='order_project_member',
+        check_str='role:member and rule:order_project_match'),
 ]


--- a/barbican/common/policies/orders.py
+++ b/barbican/common/policies/orders.py
@@ -10,16 +10,47 @@
 #  License for the specific language governing permissions and limitations
 #  under the License.

+from oslo_log import versionutils
 from oslo_policy import policy

+from barbican.common.policies import base

-_MEMBER = "role:member"
-_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.order.project_id)s"
+
+deprecated_orders_get = policy.DeprecatedRule(
+    name='orders:get',
+    check_str='rule:all_but_audit',
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_orders_post = policy.DeprecatedRule(
+    name='orders:post',
+    check_str='rule:admin_or_creator',
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_orders_put = policy.DeprecatedRule(
+    name='orders:put',
+    check_str='rule:admin_or_creator',
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_order_get = policy.DeprecatedRule(
+    name='order:get',
+    check_str='rule:all_users and project_id:%(target.order.project_id)s',
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_order_delete = policy.DeprecatedRule(
+    name='order:delete',
+    check_str='rule:admin and project_id:%(target.order.project_id)s',
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+    deprecated_since=versionutils.deprecated.WALLABY
+)

 rules = [
    policy.DocumentedRuleDefault(
        name='orders:get',
-        check_str=f'rule:all_but_audit or {_MEMBER}',
+        check_str="True:%(enforce_new_defaults)s and role:member",
        scope_types=['project'],
        description='Gets list of all orders associated with a project.',
        operations=[
@@ -27,11 +58,12 @@ rules = [
                'path': '/v1/orders',
                'method': 'GET'
            }
-        ]
+        ],
+        deprecated_rule=deprecated_orders_get
    ),
    policy.DocumentedRuleDefault(
        name='orders:post',
-        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        check_str="True:%(enforce_new_defaults)s and role:member",
        scope_types=['project'],
        description='Creates an order.',
        operations=[
@@ -39,11 +71,13 @@ rules = [
                'path': '/v1/orders',
                'method': 'POST'
            }
-        ]
+        ],
+        deprecated_rule=deprecated_orders_post
+
    ),
    policy.DocumentedRuleDefault(
        name='orders:put',
-        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        check_str="True:%(enforce_new_defaults)s and role:member",
        scope_types=['project'],
        description='Unsupported method for the orders API.',
        operations=[
@@ -51,12 +85,14 @@ rules = [
                'path': '/v1/orders',
                'method': 'PUT'
            }
-        ]
+        ],
+        deprecated_rule=deprecated_orders_put
    ),
    policy.DocumentedRuleDefault(
        name='order:get',
-        check_str='rule:all_users and project_id:%(target.order.project_id)s '
-                  f'or {_PROJECT_MEMBER}',
+        check_str=(
+            "True:%(enforce_new_defaults)s and "
+            "rule:order_project_member"),
        scope_types=['project'],
        description='Retrieves an orders metadata.',
        operations=[
@@ -64,12 +100,14 @@ rules = [
                'path': '/v1/orders/{order-id}',
                'method': 'GET'
            }
-        ]
+        ],
+        deprecated_rule=deprecated_order_get
    ),
    policy.DocumentedRuleDefault(
        name='order:delete',
-        check_str='rule:admin and project_id:%(target.order.project_id)s or '
-                  f'{_PROJECT_MEMBER}',
+        check_str=(
+            "True:%(enforce_new_defaults)s and "
+            "rule:order_project_member"),
        scope_types=['project'],
        description='Deletes an order.',
        operations=[
@@ -78,6 +116,7 @@ rules = [
                'method': 'DELETE'
            }
        ],
+        deprecated_rule=deprecated_order_delete
    )
 ]