Merge "Allow users with "creator" role to edit ACLs"

This commit is contained in:
Zuul 2022-05-27 16:18:24 +00:00 committed by Gerrit Code Review
commit 4bb724c50e
2 changed files with 24 additions and 16 deletions


@ -46,8 +46,10 @@ rules = [
),
policy.DocumentedRuleDefault(
name='secret_acls:delete',
check_str='rule:secret_project_admin or rule:secret_project_creator' +
f" or ({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
check_str='rule:secret_project_admin or rule:secret_project_creator ' +
'or (rule:secret_project_creator_role and ' +
'rule:secret_non_private_read) or ' +
f"({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
scope_types=['project'],
description='Delete the ACL settings for a given secret.',
@ -60,8 +62,10 @@ rules = [
),
policy.DocumentedRuleDefault(
name='secret_acls:put_patch',
check_str='rule:secret_project_admin or rule:secret_project_creator' +
f" or ({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
check_str='rule:secret_project_admin or rule:secret_project_creator ' +
'or (rule:secret_project_creator_role and ' +
'rule:secret_non_private_read) or ' +
f"({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
scope_types=['project'],
description='Create new, replaces, or updates existing ACL for a ' +
@ -95,6 +99,8 @@ rules = [
name='container_acls:delete',
check_str='rule:container_project_admin or ' +
'rule:container_project_creator or ' +
'(rule:container_project_creator_role and' +
' rule:container_non_private_read) or ' +
f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
scope_types=['project'],
@ -111,6 +117,8 @@ rules = [
name='container_acls:put_patch',
check_str='rule:container_project_admin or ' +
'rule:container_project_creator or ' +
'(rule:container_project_creator_role and' +
' rule:container_non_private_read) or ' +
f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
scope_types=['project'],
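Review bot: The added clause `'or (rule:secret_project_creator_role and ' + 'rule:secret_non_private_read) or '` in the `secret_acls:delete` and `secret_acls:put_patch` check strings (and the container equivalents in the two later hunks) grants ACL replacement and deletion to any creator-role user in the project, not only the secret's creator, yet nothing in the hunks records that this widening is intended or what `rule:secret_non_private_read` bounds it to. Because put_patch "replaces, or updates existing ACL", such a user can now change who may read a non-private secret they did not create; if that is deliberate, a comment above each rule such as `# creator-role users may manage ACLs of non-private secrets, not only their own` and a matching sentence in the `description=` would make the intent auditable. The two referenced rules are presumably defined elsewhere in this module; verify they exist, since the hunks do not show them. A style nit on the container hunks: `'(rule:container_project_creator_role and' + ' rule:container_non_private_read) or '` puts the separating space at the head of the second fragment, unlike the secret rules; `'(rule:container_project_creator_role and ' + 'rule:container_non_private_read) or '` keeps the fragments consistent. The enclosing `rules = [` list begins and ends outside the hunks.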


@ -111,8 +111,8 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
resp = self._set_acls_with_context(
self.app, entity_type='secrets', op_type='create',
entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
expect_errors=True)
self.assertEqual(403, resp.status_int)
expect_errors=False)
self.assertEqual(200, resp.status_int)
resp = self._set_acls_with_context(
self.app, entity_type='secrets', op_type='create',
@ -379,8 +379,8 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
resp = self._set_acls_with_context(
self.app, entity_type='secrets', op_type='update',
entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
expect_errors=True)
self.assertEqual(403, resp.status_int)
expect_errors=False)
self.assertEqual(200, resp.status_int)
resp = self._set_acls_with_context(
self.app, entity_type='secrets', op_type='update',
@ -460,9 +460,9 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
resp = self._set_acls_with_context(
self.app, entity_type='secrets', op_type='delete',
entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
expect_errors=True)
expect_errors=False)
self.assertEqual(403, resp.status_int)
self.assertEqual(200, resp.status_int)
resp = self._set_acls_with_context(
self.app, entity_type='secrets', op_type='delete',
@ -567,8 +567,8 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
resp = self._set_acls_with_context(
self.app, entity_type='containers', op_type='create',
entity_id=container_id, roles=['creator'],
user='NotContainerCreator', expect_errors=True)
self.assertEqual(403, resp.status_int)
user='NotContainerCreator', expect_errors=False)
self.assertEqual(200, resp.status_int)
resp = self._set_acls_with_context(
self.app, entity_type='containers', op_type='create',
@ -871,8 +871,8 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
resp = self._set_acls_with_context(
self.app, entity_type='containers', op_type='update',
entity_id=container_id, roles=['creator'], user='NotCreator',
expect_errors=True)
self.assertEqual(403, resp.status_int)
expect_errors=False)
self.assertEqual(200, resp.status_int)
resp = self._set_acls_with_context(
self.app, entity_type='containers', op_type='update',
@ -931,9 +931,9 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
resp = self._set_acls_with_context(
self.app, entity_type='containers', op_type='delete',
entity_id=container_id, roles=['creator'], user='NotCreator',
expect_errors=True)
expect_errors=False)
self.assertEqual(403, resp.status_int)
self.assertEqual(200, resp.status_int)
resp = self._set_acls_with_context(
self.app, entity_type='containers', op_type='delete',