Fix secret metadata access rules
This patch fixes the legacy policy rules for accessing secret metadata by checking that the user making the request is authenticated for the project that owns the secret. Story: 2009253 Task: 43456 Change-Id: Ide37d64dff10d421817bf90b8e2e58bf6ac4f592 (cherry picked from commit 7d270bacbe) (cherry picked from commit 750a79b4f5) (cherry picked from commit 64a4242454) (cherry picked from commit 86d7d64110) (cherry picked from commit 3270240065)
parent
ecfef01555
commit
3acf50a823
@ -219,3 +219,12 @@ class ACLMixin(object):
acl_dict.update(co_dict)
acl_dict.update(co_dict)
return acl_dict
return acl_dict
class SecretACLMixin(ACLMixin):
def get_acl_tuple(self, req, **kwargs):
acl = self.get_acl_dict_for_user(req, self.secret.secret_acls)
acl['project_id'] = self.secret.project.external_id
acl['creator_id'] = self.secret.creator_id
return 'secret', acl
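Review bot: `SecretACLMixin.get_acl_tuple` reads `self.secret`, which the mixin itself never assigns, so the contract that the host controller sets `self.secret` before any policy-enforced handler runs is implicit; a docstring should state it, e.g. `"""Return the ('secret', acl) policy target for self.secret. Host controllers must assign self.secret in __init__."""`. A short why-comment on the two `acl[...]` assignments would also help, since populating `project_id` and `creator_id` on the target is what lets the project-match rules in the policy files apply to the metadata controllers. Whether `self.secret.project` can be unset is not visible here; if it can, the `external_id` access would raise instead of denying. The end of the class body is not visible in the hunk.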
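--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -29,7 +29,7 @@ def _secret_metadata_not_found():
                                'another castle.'))
 
 
-class SecretMetadataController(controllers.ACLMixin):
+class SecretMetadataController(controllers.SecretACLMixin):
     """Handles SecretMetadata requests by a given secret id."""
 
     def __init__(self, secret):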
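Review bot: Switching the base class to `SecretACLMixin` makes policy enforcement for this controller depend on `self.secret` being set, but `__init__(self, secret)` continues outside the hunk, so it should be confirmed that it assigns `self.secret` (the `self.secret = secret` line visible in the `SecretController` hunk is the pattern the mixin expects) before the first policy-enforced handler executes. The same check applies to the `SecretMetadatumController` and `SecretController` hunks, which make the identical base-class change. A one-line comment on the class, e.g. `# SecretACLMixin.get_acl_tuple relies on self.secret being set in __init__`, would make the dependency visible to the next maintainer.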
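--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -107,7 +107,7 @@ class SecretMetadataController(controllers.ACLMixin):
         return {'key': key, 'value': value}
 
 
-class SecretMetadatumController(controllers.ACLMixin):
+class SecretMetadatumController(controllers.SecretACLMixin):
 
     def __init__(self, secret):
         LOG.debug('=== Creating SecretMetadatumController ===')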
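--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -71,7 +71,7 @@ def _request_has_twsk_but_no_transport_key_id():
                                'transport key id has not been provided.'))
 
 
-class SecretController(controllers.ACLMixin):
+class SecretController(controllers.SecretACLMixin):
     """Handles Secret retrieval and deletion requests."""
 
     def __init__(self, secret):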
@ -79,12 +79,6 @@ class SecretController(controllers.ACLMixin):
self.secret = secret
self.secret = secret
self.transport_key_repo = repo.get_transport_key_repository()
self.transport_key_repo = repo.get_transport_key_repository()
def get_acl_tuple(self, req, **kwargs):
d = self.get_acl_dict_for_user(req, self.secret.secret_acls)
d['project_id'] = self.secret.project.external_id
d['creator_id'] = self.secret.creator_id
return 'secret', d
@pecan.expose()
@pecan.expose()
def _lookup(self, sub_resource, *remainder):
def _lookup(self, sub_resource, *remainder):
if sub_resource == 'acl':
if sub_resource == 'acl':
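--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -82,6 +82,9 @@ rules = [
         name='secret_project_creator',
         check_str="rule:creator and rule:secret_project_match and " +
                   "rule:secret_creator_user"),
+    policy.RuleDefault(
+        name='secret_project_creator_role',
+        check_str="rule:creator and rule:secret_project_match"),
     policy.RuleDefault(
         name='container_project_admin',
         check_str="rule:admin and rule:container_project_match"),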
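Review bot: The new `secret_project_creator_role` rule differs from the adjacent `secret_project_creator` only by dropping `rule:secret_creator_user`, and since these are plain `RuleDefault` entries with no description the distinction is easy to misread when a later rule references one of them. A comment above each would pin it down, e.g. `# creator role in the secret's project, regardless of who created the secret` on the new rule and `# creator role in the secret's project AND the user who created the secret` on the existing one. Both `check_str` values depend on `rule:creator` and `rule:secret_project_match`, whose definitions are outside the hunk.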
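--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -16,7 +16,9 @@ from oslo_policy import policy
 rules = [
     policy.DocumentedRuleDefault(
         name='secret_meta:get',
-        check_str='rule:all_but_audit',
+        check_str='rule:secret_non_private_read or ' +
+                  'rule:secret_project_creator or ' +
+                  'rule:secret_project_admin or rule:secret_acl_read',
         scope_types=[],
         description='metadata/: Lists a secrets user-defined metadata. || ' +
                     'metadata/{key}: Retrieves a secrets user-added metadata.',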
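--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -33,7 +35,10 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='secret_meta:post',
-        check_str='rule:admin_or_creator',
+        check_str='rule:secret_project_admin or ' +
+                  'rule:secret_project_creator or ' +
+                  '(rule:secret_project_creator_role and ' +
+                  'rule:secret_non_private_read)',
         scope_types=[],
         description='Adds a new key/value pair to the secrets user-defined ' +
                     'metadata.',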
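Review bot: The three-clause `check_str` introduced for `secret_meta:post` is repeated verbatim for `secret_meta:put` and `secret_meta:delete` in the following two hunks, so the write-side authorization for metadata now lives in three places that can drift independently. Defining it once as a named `policy.RuleDefault` alias (a constructed name such as `secret_meta_write`, placed next to `secret_project_creator_role` in the base rules) and referencing `rule:<that-name>` from all three would keep a future change to one operation from silently diverging from the others. It is also worth a one-line comment that `rule:secret_acl_read` is deliberately granted for `secret_meta:get` but not for any write operation, since a reader comparing the four rules cannot tell whether the asymmetry is intended. The definition of `rule:secret_non_private_read` is outside these hunks.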
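--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -46,7 +51,10 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='secret_meta:put',
-        check_str='rule:admin_or_creator',
+        check_str='rule:secret_project_admin or ' +
+                  'rule:secret_project_creator or ' +
+                  '(rule:secret_project_creator_role and ' +
+                  'rule:secret_non_private_read)',
         scope_types=[],
         description='metadata/: Sets the user-defined metadata for a secret ' +
                     '|| metadata/{key}: Updates an existing key/value pair ' +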
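--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -64,7 +72,10 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='secret_meta:delete',
-        check_str='rule:admin_or_creator',
+        check_str='rule:secret_project_admin or ' +
+                  'rule:secret_project_creator or ' +
+                  '(rule:secret_project_creator_role and ' +
+                  'rule:secret_non_private_read)',
         scope_types=[],
         description='Delete secret user-defined metadata by key.',
         operations=[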