Allow users with "creator" role to edit ACLs

This patch updates the default policy to allow users with the
"creator" role to edit Secret and Container ACLs.

Secrets that have an ACL set to private will only be able to be edited
by the user who owns the secret.

Change-Id: I0dc603a3e3a894fee774483a70285d47b57abdf8

barbican/common/policies/acls.py

@@ -33,7 +33,9 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='secret_acls:delete',
-        check_str='rule:secret_project_admin or rule:secret_project_creator',
+        check_str='rule:secret_project_admin or rule:secret_project_creator ' +
+                  'or (rule:secret_project_creator_role and ' +
+                  'rule:secret_non_private_read)',
         scope_types=[],
         description='Delete the ACL settings for a given secret.',
         operations=[
@@ -45,7 +47,9 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='secret_acls:put_patch',
-        check_str='rule:secret_project_admin or rule:secret_project_creator',
+        check_str='rule:secret_project_admin or rule:secret_project_creator ' +
+                  'or (rule:secret_project_creator_role and ' +
+                  'rule:secret_non_private_read)',
         scope_types=[],
         description='Create new, replaces, or updates existing ACL for a ' +
                     'given secret.',
@@ -75,7 +79,9 @@ rules = [
     policy.DocumentedRuleDefault(
         name='container_acls:delete',
         check_str='rule:container_project_admin or ' +
-                  'rule:container_project_creator',
+                  'rule:container_project_creator or ' +
+                  '(rule:container_project_creator_role and' +
+                  ' rule:container_non_private_read)',
         scope_types=[],
         description='Delete ACL for a given container. No content is returned '
                     'in the case of successful deletion.',
@@ -89,7 +95,9 @@ rules = [
     policy.DocumentedRuleDefault(
         name='container_acls:put_patch',
         check_str='rule:container_project_admin or ' +
-                  'rule:container_project_creator',
+                  'rule:container_project_creator or ' +
+                  '(rule:container_project_creator_role and' +
+                  ' rule:container_non_private_read)',
         scope_types=[],
         description='Create new or replaces existing ACL for a given '
                     'container.',

barbican/tests/api/controllers/test_acls.py

@@ -111,8 +111,8 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
         resp = self._set_acls_with_context(
             self.app, entity_type='secrets', op_type='create',
             entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
-            expect_errors=True)
-        self.assertEqual(403, resp.status_int)
+            expect_errors=False)
+        self.assertEqual(200, resp.status_int)
 
         resp = self._set_acls_with_context(
             self.app, entity_type='secrets', op_type='create',
@@ -379,8 +379,8 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
         resp = self._set_acls_with_context(
             self.app, entity_type='secrets', op_type='update',
             entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
-            expect_errors=True)
-        self.assertEqual(403, resp.status_int)
+            expect_errors=False)
+        self.assertEqual(200, resp.status_int)
 
         resp = self._set_acls_with_context(
             self.app, entity_type='secrets', op_type='update',
@@ -460,9 +460,9 @@ class WhenTestingSecretACLsResource(utils.BarbicanAPIBaseTestCase,
         resp = self._set_acls_with_context(
             self.app, entity_type='secrets', op_type='delete',
             entity_id=secret_uuid, roles=['creator'], user='NotSecretCreator',
-            expect_errors=True)
+            expect_errors=False)
 
-        self.assertEqual(403, resp.status_int)
+        self.assertEqual(200, resp.status_int)
 
         resp = self._set_acls_with_context(
             self.app, entity_type='secrets', op_type='delete',
@@ -567,8 +567,8 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
         resp = self._set_acls_with_context(
             self.app, entity_type='containers', op_type='create',
             entity_id=container_id, roles=['creator'],
-            user='NotContainerCreator', expect_errors=True)
-        self.assertEqual(403, resp.status_int)
+            user='NotContainerCreator', expect_errors=False)
+        self.assertEqual(200, resp.status_int)
 
         resp = self._set_acls_with_context(
             self.app, entity_type='containers', op_type='create',
@@ -871,8 +871,8 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
         resp = self._set_acls_with_context(
             self.app, entity_type='containers', op_type='update',
             entity_id=container_id, roles=['creator'], user='NotCreator',
-            expect_errors=True)
-        self.assertEqual(403, resp.status_int)
+            expect_errors=False)
+        self.assertEqual(200, resp.status_int)
 
         resp = self._set_acls_with_context(
             self.app, entity_type='containers', op_type='update',
@@ -931,9 +931,9 @@ class WhenTestingContainerAclsResource(utils.BarbicanAPIBaseTestCase,
         resp = self._set_acls_with_context(
             self.app, entity_type='containers', op_type='delete',
             entity_id=container_id, roles=['creator'], user='NotCreator',
-            expect_errors=True)
+            expect_errors=False)
 
-        self.assertEqual(403, resp.status_int)
+        self.assertEqual(200, resp.status_int)
 
         resp = self._set_acls_with_context(
             self.app, entity_type='containers', op_type='delete',