
Fix secret metadata access rules

This patch fixes the legacy policy rules for accessing secret metadata
by checking that the user making the request is authenticated for the
project that owns the secret.

Story: 2009253
Task: 43456

Change-Id: Ide37d64dff10d421817bf90b8e2e58bf6ac4f592
(cherry picked from commit 7d270bacbe)
(cherry picked from commit 750a79b4f5)
(cherry picked from commit 64a4242454)
(cherry picked from commit 86d7d64110)
(cherry picked from commit 3270240065)
changes/38/816338/1
Douglas Mendizábal 8 months ago
parent
commit
3acf50a823
  1. 9
      barbican/api/controllers/__init__.py
  2. 4
      barbican/api/controllers/secretmeta.py
  3. 8
      barbican/api/controllers/secrets.py
  4. 3
      barbican/common/policies/base.py
  5. 19
      barbican/common/policies/secretmeta.py

9
barbican/api/controllers/__init__.py

@ -219,3 +219,12 @@ class ACLMixin(object):
acl_dict.update(co_dict)
return acl_dict
class SecretACLMixin(ACLMixin):
def get_acl_tuple(self, req, **kwargs):
acl = self.get_acl_dict_for_user(req, self.secret.secret_acls)
acl['project_id'] = self.secret.project.external_id
acl['creator_id'] = self.secret.creator_id
return 'secret', acl
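Review bot: `SecretACLMixin.get_acl_tuple` reads `self.secret` (its ACL list, project and creator) but the mixin never defines that attribute, so the contract that a subclass assigns `self.secret` before any request is dispatched is only implicit; a class docstring should state it, e.g. `"""ACL helpers for controllers bound to one secret; subclasses must set ``self.secret`` before requests are dispatched."""`. The `**kwargs` the method accepts is never read — presumably kept to match the `ACLMixin.get_acl_tuple` signature the other controllers call, which is worth a one-line comment so it is not removed as dead code. The three subclasses that now inherit this (secretmeta.py and secrets.py in this commit) set `self.secret` in their `__init__`, but those bodies are outside the hunks shown here.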

4
barbican/api/controllers/secretmeta.py

@ -29,7 +29,7 @@ def _secret_metadata_not_found():
'another castle.'))
class SecretMetadataController(controllers.ACLMixin):
class SecretMetadataController(controllers.SecretACLMixin):
"""Handles SecretMetadata requests by a given secret id."""
def __init__(self, secret):
@ -107,7 +107,7 @@ class SecretMetadataController(controllers.ACLMixin):
return {'key': key, 'value': value}
class SecretMetadatumController(controllers.ACLMixin):
class SecretMetadatumController(controllers.SecretACLMixin):
def __init__(self, secret):
LOG.debug('=== Creating SecretMetadatumController ===')
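Review bot: `SecretMetadatumController` still has no class docstring while its sibling `SecretMetadataController` does, and with the switch to `SecretACLMixin` both classes now depend on `self.secret` being assigned in `__init__` for the ACL check to work; add `"""Handles a single key of a secret's user-defined metadata; ``self.secret`` is required by SecretACLMixin."""` so the dependency is visible at the class. Both `__init__` bodies lie outside the hunks, so the assignment cannot be confirmed from this page.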

8
barbican/api/controllers/secrets.py

@ -71,7 +71,7 @@ def _request_has_twsk_but_no_transport_key_id():
'transport key id has not been provided.'))
class SecretController(controllers.ACLMixin):
class SecretController(controllers.SecretACLMixin):
"""Handles Secret retrieval and deletion requests."""
def __init__(self, secret):
@ -79,12 +79,6 @@ class SecretController(controllers.ACLMixin):
self.secret = secret
self.transport_key_repo = repo.get_transport_key_repository()
def get_acl_tuple(self, req, **kwargs):
d = self.get_acl_dict_for_user(req, self.secret.secret_acls)
d['project_id'] = self.secret.project.external_id
d['creator_id'] = self.secret.creator_id
return 'secret', d
@pecan.expose()
def _lookup(self, sub_resource, *remainder):
if sub_resource == 'acl':

3
barbican/common/policies/base.py

@ -82,6 +82,9 @@ rules = [
name='secret_project_creator',
check_str="rule:creator and rule:secret_project_match and " +
"rule:secret_creator_user"),
policy.RuleDefault(
name='secret_project_creator_role',
check_str="rule:creator and rule:secret_project_match"),
policy.RuleDefault(
name='container_project_admin',
check_str="rule:admin and rule:container_project_match"),
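Review bot: `secret_project_creator_role` differs from the adjacent `secret_project_creator` only by dropping `rule:secret_creator_user`, i.e. it matches any user holding the creator role in the owning project rather than the user who created the secret, and nothing on the rule says so; the near-identical names make it easy to pick the wrong one in a later policy. A comment above the `RuleDefault`, e.g. `# Any creator in the owning project, not only the user who created the secret; the secret_meta write rules pair it with secret_non_private_read so private secrets stay restricted.`, would make the intended scope explicit. The neighbouring rules use plain `RuleDefault` without descriptions, so a comment rather than a `DocumentedRuleDefault` keeps the file consistent.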

19
barbican/common/policies/secretmeta.py

@ -16,7 +16,9 @@ from oslo_policy import policy
rules = [
policy.DocumentedRuleDefault(
name='secret_meta:get',
check_str='rule:all_but_audit',
check_str='rule:secret_non_private_read or ' +
'rule:secret_project_creator or ' +
'rule:secret_project_admin or rule:secret_acl_read',
scope_types=[],
description='metadata/: Lists a secrets user-defined metadata. || ' +
'metadata/{key}: Retrieves a secrets user-added metadata.',
@ -33,7 +35,10 @@ rules = [
),
policy.DocumentedRuleDefault(
name='secret_meta:post',
check_str='rule:admin_or_creator',
check_str='rule:secret_project_admin or ' +
'rule:secret_project_creator or ' +
'(rule:secret_project_creator_role and ' +
'rule:secret_non_private_read)',
scope_types=[],
description='Adds a new key/value pair to the secrets user-defined ' +
'metadata.',
@ -46,7 +51,10 @@ rules = [
),
policy.DocumentedRuleDefault(
name='secret_meta:put',
check_str='rule:admin_or_creator',
check_str='rule:secret_project_admin or ' +
'rule:secret_project_creator or ' +
'(rule:secret_project_creator_role and ' +
'rule:secret_non_private_read)',
scope_types=[],
description='metadata/: Sets the user-defined metadata for a secret ' +
'|| metadata/{key}: Updates an existing key/value pair ' +
@ -64,7 +72,10 @@ rules = [
),
policy.DocumentedRuleDefault(
name='secret_meta:delete',
check_str='rule:admin_or_creator',
check_str='rule:secret_project_admin or ' +
'rule:secret_project_creator or ' +
'(rule:secret_project_creator_role and ' +
'rule:secret_non_private_read)',
scope_types=[],
description='Delete secret user-defined metadata by key.',
operations=[
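Review bot: The `secret_meta:post`, `secret_meta:put` and `secret_meta:delete` rules carry the same four-line `check_str` three times, so a future tightening has to be applied in three places and can drift; defining that expression once in base.py next to `secret_project_creator_role` and referencing it as `check_str='rule:<shared_rule_name>'` (name to be chosen) would keep them aligned. The diffstat lists no test changes, so the new project-match requirement is not pinned by a functional test; a check that a user with the creator role in a different project receives 403 on these endpoints would confirm the fix the commit message describes. Whether `secret_non_private_read` itself includes the project match is not visible on this page, and the `secret_meta:get` rule relies on it for the non-creator, non-admin path.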
