Allow users with "creator" role to edit ACLs

This patch updates the default policy to allow users with the
"creator" role to edit Secret and Container ACLs.

Secrets whose ACL is set to private will only be editable by the user who owns the secret.

Change-Id: I0dc603a3e3a894fee774483a70285d47b57abdf8
Douglas Mendizábal 2022-05-18 16:29:03 -05:00
parent 09d184de7f
commit 486e60723f
2 changed files with 24 additions and 16 deletions


@ -46,8 +46,10 @@ rules = [
),
policy.DocumentedRuleDefault(
name='secret_acls:delete',
check_str='rule:secret_project_admin or rule:secret_project_creator' +
f" or ({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
check_str='rule:secret_project_admin or rule:secret_project_creator ' +
'or (rule:secret_project_creator_role and ' +
'rule:secret_non_private_read) or ' +
f"({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
scope_types=['project'],
description='Delete the ACL settings for a given secret.',
@ -60,8 +62,10 @@ rules = [
),
policy.DocumentedRuleDefault(
name='secret_acls:put_patch',
check_str='rule:secret_project_admin or rule:secret_project_creator' +
f" or ({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
check_str='rule:secret_project_admin or rule:secret_project_creator ' +
'or (rule:secret_project_creator_role and ' +
'rule:secret_non_private_read) or ' +
f"({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
scope_types=['project'],
description='Create new, replaces, or updates existing ACL for a ' +
@ -95,6 +99,8 @@ rules = [
name='container_acls:delete',
check_str='rule:container_project_admin or ' +
'rule:container_project_creator or ' +
'(rule:container_project_creator_role and' +
' rule:container_non_private_read) or ' +
f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
scope_types=['project'],
@ -111,6 +117,8 @@ rules = [
name='container_acls:put_patch',
check_str='rule:container_project_admin or ' +
'rule:container_project_creator or ' +
'(rule:container_project_creator_role and' +
' rule:container_non_private_read) or ' +
f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
scope_types=['project'],
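Review bot: The new `(rule:secret_project_creator_role and rule:secret_non_private_read)` term in `secret_acls:delete` and `secret_acls:put_patch` lets any project user holding the creator role delete or replace the ACL of any non-private secret in the project, not only secrets they created, and the rule descriptions still read as before (`description='Delete the ACL settings for a given secret.'`); the same applies to the `container_acls:delete` and `container_acls:put_patch` hunks below. Because an ACL update is the operation that can widen who may read a secret, this is a real change to the trust boundary, so a comment above each check_str such as `# creator-role users may edit ACLs only on non-private entities (rule:secret_non_private_read)` plus a release note would make the intent reviewable by operators who ship a custom policy. `rule:secret_project_creator_role` and `rule:secret_non_private_read` are referenced here but not defined in this diff — presumably they exist earlier in the file; confirm they bind the creator role to the target's project_id rather than to the creator role alone. The test changes in the second file only assert that a non-owner creator now gets 200 on non-private entities; no visible test checks that a creator-role non-owner is still denied on a private secret or container, which is the guarantee the commit message promises. Minor style: the container hunks split the separating space as `'... and' + ' rule:...'` while the secret hunks use `'... and ' + 'rule:...'`; one convention would avoid a missing-space bug on the next edit.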


@ -111,8 +111,8 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
resp = self._set_acls_with_context(
self.app, entity_type='secrets', op_type='create',
entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
expect_errors=True)
self.assertEqual(403, resp.status_int)
expect_errors=False)
self.assertEqual(200, resp.status_int)
resp = self._set_acls_with_context(
self.app, entity_type='secrets', op_type='create',
@ -379,8 +379,8 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
resp = self._set_acls_with_context(
self.app, entity_type='secrets', op_type='update',
entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
expect_errors=True)
self.assertEqual(403, resp.status_int)
expect_errors=False)
self.assertEqual(200, resp.status_int)
resp = self._set_acls_with_context(
self.app, entity_type='secrets', op_type='update',
@ -460,9 +460,9 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
resp = self._set_acls_with_context(
self.app, entity_type='secrets', op_type='delete',
entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
expect_errors=True)
expect_errors=False)
self.assertEqual(403, resp.status_int)
self.assertEqual(200, resp.status_int)
resp = self._set_acls_with_context(
self.app, entity_type='secrets', op_type='delete',
@ -567,8 +567,8 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
resp = self._set_acls_with_context(
self.app, entity_type='containers', op_type='create',
entity_id=container_id, roles=['creator'],
user='NotContainerCreator', expect_errors=True)
self.assertEqual(403, resp.status_int)
user='NotContainerCreator', expect_errors=False)
self.assertEqual(200, resp.status_int)
resp = self._set_acls_with_context(
self.app, entity_type='containers', op_type='create',
@ -871,8 +871,8 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
resp = self._set_acls_with_context(
self.app, entity_type='containers', op_type='update',
entity_id=container_id, roles=['creator'], user='NotCreator',
expect_errors=True)
self.assertEqual(403, resp.status_int)
expect_errors=False)
self.assertEqual(200, resp.status_int)
resp = self._set_acls_with_context(
self.app, entity_type='containers', op_type='update',
@ -931,9 +931,9 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
resp = self._set_acls_with_context(
self.app, entity_type='containers', op_type='delete',
entity_id=container_id, roles=['creator'], user='NotCreator',
expect_errors=True)
expect_errors=False)
self.assertEqual(403, resp.status_int)
self.assertEqual(200, resp.status_int)
resp = self._set_acls_with_context(
self.app, entity_type='containers', op_type='delete',