Fix Story 2010258 (CVE-2022-3100)

This patch fixes a security vulnerability where the contents of a
request query string were mistakenly being used in the RBAC policy
engine.

(cherry picked from commit b6cbbf90c6)

Change-Id: I5797988e4c63c75fccf85277c52815d9bf684cff
Douglas Mendizábal
2022-08-30 14:58:00 -05:00
parent a2697df14e
commit 6e126c91c5

@@ -64,7 +64,6 @@ def _do_enforce_rbac(inst, req, action_name, ctx, **kwargs):
if target_name and target_data:
policy_dict['target'] = {target_name: target_data}
policy_dict.update(kwargs)
# Enforce access controls.
if ctx.policy_enforcer:
target = flatten(policy_dict)
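
Review bot: No regression test accompanies the change to _do_enforce_rbac in what is shown here, and the header records only a single dropped line (7 lines to 6), so nothing would catch a later change that feeds request-derived keys back into the dict passed to flatten(). Suggest adding a test that issues a request whose query string names a policy attribute and asserts that the target handed to ctx.policy_enforcer contains only the target_name/target_data entry. Since **kwargs remains in the function signature, a short comment above `target = flatten(policy_dict)` stating that caller-supplied keyword arguments must never be merged into policy_dict would also help.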