Fix secret metadata access rules
This patch fixes the legacy policy rules for accessing secret metadata by checking that the user making the request is authenticated for the project that owns the secret.

Story: 2009253
Task: 43455
Change-Id: Ide37d64dff10d421817bf90b8e2e58bf6ac4f592
(cherry picked from commit 7d270bacbe)
(cherry picked from commit 750a79b4f5)
(cherry picked from commit 64a4242454)
(cherry picked from commit 86d7d64110)
parent
54e342fa7c
commit
3270240065
|
@ -219,3 +219,12 @@ class ACLMixin(object):
|
|||
acl_dict.update(co_dict)
|
||||
|
||||
return acl_dict
|
||||
|
||||
|
||||
class SecretACLMixin(ACLMixin):
|
||||
|
||||
def get_acl_tuple(self, req, **kwargs):
|
||||
acl = self.get_acl_dict_for_user(req, self.secret.secret_acls)
|
||||
acl['project_id'] = self.secret.project.external_id
|
||||
acl['creator_id'] = self.secret.creator_id
|
||||
return 'secret', acl
|
||||
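Review bot: SecretACLMixin.get_acl_tuple dereferences `self.secret` and `self.secret.project`, neither of which the mixin defines, so the contract belongs in a class docstring, e.g. `"""ACL helper for controllers that wrap one secret; the host class must set ``self.secret`` to the secret model before policy enforcement calls get_acl_tuple."""`. The method itself has no docstring either; a one-liner saying it returns the target type `'secret'` and the per-user ACL dict from get_acl_dict_for_user extended with `project_id` and `creator_id` would let the policy rules in the same change (secret_project_match, secret_creator_user) be read against it. The body is otherwise the copy removed from SecretController in this commit with `d` renamed to `acl`, so no behavioural point to raise.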
|
|
|
@ -28,7 +28,7 @@ def _secret_metadata_not_found():
|
|||
pecan.abort(404, u._('Secret metadata not found.'))
|
||||
|
||||
|
||||
class SecretMetadataController(controllers.ACLMixin):
|
||||
class SecretMetadataController(controllers.SecretACLMixin):
|
||||
"""Handles SecretMetadata requests by a given secret id."""
|
||||
|
||||
def __init__(self, secret):
|
||||
|
@ -106,7 +106,7 @@ class SecretMetadataController(controllers.ACLMixin):
|
|||
return {'key': key, 'value': value}
|
||||
|
||||
|
||||
class SecretMetadatumController(controllers.ACLMixin):
|
||||
class SecretMetadatumController(controllers.SecretACLMixin):
|
||||
|
||||
def __init__(self, secret):
|
||||
LOG.debug('=== Creating SecretMetadatumController ===')
|
||||
|
|
|
@ -71,7 +71,7 @@ def _request_has_twsk_but_no_transport_key_id():
|
|||
'transport key id has not been provided.'))
|
||||
|
||||
|
||||
class SecretController(controllers.ACLMixin):
|
||||
class SecretController(controllers.SecretACLMixin):
|
||||
"""Handles Secret retrieval and deletion requests."""
|
||||
|
||||
def __init__(self, secret):
|
||||
|
@ -81,12 +81,6 @@ class SecretController(controllers.ACLMixin):
|
|||
self.consumer_repo = repo.get_secret_consumer_repository()
|
||||
self.transport_key_repo = repo.get_transport_key_repository()
|
||||
|
||||
def get_acl_tuple(self, req, **kwargs):
|
||||
d = self.get_acl_dict_for_user(req, self.secret.secret_acls)
|
||||
d['project_id'] = self.secret.project.external_id
|
||||
d['creator_id'] = self.secret.creator_id
|
||||
return 'secret', d
|
||||
|
||||
@pecan.expose()
|
||||
def _lookup(self, sub_resource, *remainder):
|
||||
if sub_resource == 'acl':
|
||||
|
|
|
@ -82,6 +82,9 @@ rules = [
|
|||
name='secret_project_creator',
|
||||
check_str="rule:creator and rule:secret_project_match and " +
|
||||
"rule:secret_creator_user"),
|
||||
policy.RuleDefault(
|
||||
name='secret_project_creator_role',
|
||||
check_str="rule:creator and rule:secret_project_match"),
|
||||
policy.RuleDefault(
|
||||
name='container_project_admin',
|
||||
check_str="rule:admin and rule:container_project_match"),
|
||||
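Review bot: The new `secret_project_creator_role` rule is named one suffix away from `secret_project_creator`, while the actual difference is the missing `rule:secret_creator_user` conjunct (the requester must be the secret's own creator); a reader scanning the rule names will not see that. A comment above the new RuleDefault would make it explicit: `# Like secret_project_creator, but only requires the creator role in the owning project, not that the requester created this particular secret.` The `rules` list this entry sits in starts outside the hunk.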
|
|
|
@ -16,7 +16,9 @@ from oslo_policy import policy
|
|||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secret_meta:get',
|
||||
check_str='rule:all_but_audit',
|
||||
check_str='rule:secret_non_private_read or ' +
|
||||
'rule:secret_project_creator or ' +
|
||||
'rule:secret_project_admin or rule:secret_acl_read',
|
||||
scope_types=[],
|
||||
description='metadata/: Lists a secrets user-defined metadata. || ' +
|
||||
'metadata/{key}: Retrieves a secrets user-added metadata.',
|
||||
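Review bot: The replacement `secret_meta:get` check_str is a four-alternative expression with no comment saying what it encodes, whereas the removed `rule:all_but_audit` alias was self-describing. A comment above the RuleDefault such as `# Metadata reads follow secret reads: project-scoped creator/admin, non-private read, or an explicit read ACL.` would record the intent; the claim that this is presumably the same set allowed to read the secret itself should be confirmed against the secret read rule, which is not in this change. The `rules` list containing this entry starts outside the hunk.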
|
@ -33,7 +35,10 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secret_meta:post',
|
||||
check_str='rule:admin_or_creator',
|
||||
check_str='rule:secret_project_admin or ' +
|
||||
'rule:secret_project_creator or ' +
|
||||
'(rule:secret_project_creator_role and ' +
|
||||
'rule:secret_non_private_read)',
|
||||
scope_types=[],
|
||||
description='Adds a new key/value pair to the secrets user-defined ' +
|
||||
'metadata.',
|
||||
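Review bot: The `secret_meta:post` check_str introduced here is repeated character for character for `secret_meta:put` and `secret_meta:delete` in the two following hunks, so the three write rules can drift apart silently on the next edit. Hoisting the expression into one module-level constant above `rules = [` (which lies outside this hunk) and referencing it from all three entries keeps the write policy in a single place; the description strings stay as they are.

```python
# One definition for every metadata write so the three rules cannot diverge.
_SECRET_META_WRITE = (
    'rule:secret_project_admin or '
    'rule:secret_project_creator or '
    '(rule:secret_project_creator_role and '
    'rule:secret_non_private_read)'
)

# … unchanged: rules list up to secret_meta:post …
    policy.DocumentedRuleDefault(
        name='secret_meta:post',
        check_str=_SECRET_META_WRITE,
# … unchanged: scope_types, description, operations …
```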
|
@ -46,7 +51,10 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secret_meta:put',
|
||||
check_str='rule:admin_or_creator',
|
||||
check_str='rule:secret_project_admin or ' +
|
||||
'rule:secret_project_creator or ' +
|
||||
'(rule:secret_project_creator_role and ' +
|
||||
'rule:secret_non_private_read)',
|
||||
scope_types=[],
|
||||
description='metadata/: Sets the user-defined metadata for a secret ' +
|
||||
'|| metadata/{key}: Updates an existing key/value pair ' +
|
||||
|
@ -64,7 +72,10 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secret_meta:delete',
|
||||
check_str='rule:admin_or_creator',
|
||||
check_str='rule:secret_project_admin or ' +
|
||||
'rule:secret_project_creator or ' +
|
||||
'(rule:secret_project_creator_role and ' +
|
||||
'rule:secret_non_private_read)',
|
||||
scope_types=[],
|
||||
description='Delete secret user-defined metadata by key.',
|
||||
operations=[
|
||||
|
|