Fix secret metadata access rules

This patch fixes the legacy policy rules for accessing secret metadata
by checking that the user making the request is authenticated for the
project that owns the secret.

Story: 2009253
Task: 43455

Change-Id: Ide37d64dff10d421817bf90b8e2e58bf6ac4f592
(cherry picked from commit 7d270bacbe)
(cherry picked from commit 750a79b4f5)
(cherry picked from commit 64a4242454)
(cherry picked from commit 86d7d64110)

barbican/api/controllers/__init__.py

@@ -219,3 +219,12 @@ class ACLMixin(object):
         acl_dict.update(co_dict)
 
         return acl_dict
+
+
+class SecretACLMixin(ACLMixin):
+
+    def get_acl_tuple(self, req, **kwargs):
+        acl = self.get_acl_dict_for_user(req, self.secret.secret_acls)
+        acl['project_id'] = self.secret.project.external_id
+        acl['creator_id'] = self.secret.creator_id
+        return 'secret', acl

barbican/api/controllers/secretmeta.py

@@ -28,7 +28,7 @@ def _secret_metadata_not_found():
     pecan.abort(404, u._('Secret metadata not found.'))
 
 
-class SecretMetadataController(controllers.ACLMixin):
+class SecretMetadataController(controllers.SecretACLMixin):
     """Handles SecretMetadata requests by a given secret id."""
 
     def __init__(self, secret):
@@ -106,7 +106,7 @@ class SecretMetadataController(controllers.ACLMixin):
         return {'key': key, 'value': value}
 
 
-class SecretMetadatumController(controllers.ACLMixin):
+class SecretMetadatumController(controllers.SecretACLMixin):
 
     def __init__(self, secret):
         LOG.debug('=== Creating SecretMetadatumController ===')

barbican/api/controllers/secrets.py

@@ -71,7 +71,7 @@ def _request_has_twsk_but_no_transport_key_id():
                          'transport key id has not been provided.'))
 
 
-class SecretController(controllers.ACLMixin):
+class SecretController(controllers.SecretACLMixin):
     """Handles Secret retrieval and deletion requests."""
 
     def __init__(self, secret):
@@ -81,12 +81,6 @@ class SecretController(controllers.ACLMixin):
         self.consumer_repo = repo.get_secret_consumer_repository()
         self.transport_key_repo = repo.get_transport_key_repository()
 
-    def get_acl_tuple(self, req, **kwargs):
-        d = self.get_acl_dict_for_user(req, self.secret.secret_acls)
-        d['project_id'] = self.secret.project.external_id
-        d['creator_id'] = self.secret.creator_id
-        return 'secret', d
-
     @pecan.expose()
     def _lookup(self, sub_resource, *remainder):
         if sub_resource == 'acl':

barbican/common/policies/base.py

@@ -82,6 +82,9 @@ rules = [
         name='secret_project_creator',
         check_str="rule:creator and rule:secret_project_match and " +
                   "rule:secret_creator_user"),
+    policy.RuleDefault(
+        name='secret_project_creator_role',
+        check_str="rule:creator and rule:secret_project_match"),
     policy.RuleDefault(
         name='container_project_admin',
         check_str="rule:admin and rule:container_project_match"),

barbican/common/policies/secretmeta.py

@@ -16,7 +16,9 @@ from oslo_policy import policy
 rules = [
     policy.DocumentedRuleDefault(
         name='secret_meta:get',
-        check_str='rule:all_but_audit',
+        check_str='rule:secret_non_private_read or ' +
+                  'rule:secret_project_creator or ' +
+                  'rule:secret_project_admin or rule:secret_acl_read',
         scope_types=[],
         description='metadata/: Lists a secrets user-defined metadata. || ' +
                     'metadata/{key}: Retrieves a secrets user-added metadata.',
@@ -33,7 +35,10 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='secret_meta:post',
-        check_str='rule:admin_or_creator',
+        check_str='rule:secret_project_admin or ' +
+                  'rule:secret_project_creator or ' +
+                  '(rule:secret_project_creator_role and ' +
+                  'rule:secret_non_private_read)',
         scope_types=[],
         description='Adds a new key/value pair to the secrets user-defined ' +
                     'metadata.',
@@ -46,7 +51,10 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='secret_meta:put',
-        check_str='rule:admin_or_creator',
+        check_str='rule:secret_project_admin or ' +
+                  'rule:secret_project_creator or ' +
+                  '(rule:secret_project_creator_role and ' +
+                  'rule:secret_non_private_read)',
         scope_types=[],
         description='metadata/: Sets the user-defined metadata for a secret ' +
                     '|| metadata/{key}: Updates an existing key/value pair ' +
@@ -64,7 +72,10 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='secret_meta:delete',
-        check_str='rule:admin_or_creator',
+        check_str='rule:secret_project_admin or ' +
+                  'rule:secret_project_creator or ' +
+                  '(rule:secret_project_creator_role and ' +
+                  'rule:secret_non_private_read)',
         scope_types=[],
         description='Delete secret user-defined metadata by key.',
         operations=[