From 6e53363f52dcbc32c9b0494379623bbdc55fbba9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= Date: Thu, 25 Aug 2022 15:45:23 -0500 Subject: [PATCH] Fix Secure RBAC policies for Containers API This patch fixes the Consumers API policies to ensure that they are only evaluated when enforce_new_defaults = True Change-Id: I4e91ca55e3d4030dfdc55d78b92ec3ad3f94bd64 --- barbican/common/policies/containers.py | 125 +++++++++++++++++-------- 1 file changed, 88 insertions(+), 37 deletions(-) diff --git a/barbican/common/policies/containers.py b/barbican/common/policies/containers.py index 4bb0fdbfb..9e348a584 100644 --- a/barbican/common/policies/containers.py +++ b/barbican/common/policies/containers.py @@ -10,21 +10,63 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_log import versionutils from oslo_policy import policy +from barbican.common.policies import base -_READER = "role:reader" -_MEMBER = "role:member" -_ADMIN = "role:admin" -_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.container.project_id)s" -_PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.container.project_id)s" -_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s" -_CONTAINER_IS_NOT_PRIVATE = "True:%(target.container.read_project_access)s" + +deprecated_containers_post = policy.DeprecatedRule( + name='containers:post', + check_str='rule:admin_or_creator', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_containers_get = policy.DeprecatedRule( + name='containers:get', + check_str='rule:all_but_audit', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_container_get = policy.DeprecatedRule( + name='container:get', + check_str='rule:container_non_private_read or ' + + 'rule:container_project_creator or ' + + 'rule:container_project_admin or ' + + 'rule:container_acl_read', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_container_delete = policy.DeprecatedRule( + name='container:delete', + check_str='rule:container_project_admin or ' + + 'rule:container_project_creator', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_container_secret_post = policy.DeprecatedRule( + name='container_secret:post', + check_str='rule:container_project_admin or ' + + 'rule:container_project_creator or ' + + 'rule:container_project_creator_role and ' + + 'rule:container_non_private_read', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_container_secret_delete = policy.DeprecatedRule( + name='container_secret:delete', + check_str='rule:container_project_admin or ' + + 'rule:container_project_creator or ' + + 'rule:container_project_creator_role and ' + + 'rule:container_non_private_read', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) rules = [ policy.DocumentedRuleDefault( name='containers:post', - check_str=f"rule:admin_or_creator or {_MEMBER}", + check_str='True:%(enforce_new_defaults)s and role:member', scope_types=['project'], description='Creates a container.', operations=[ @@ -32,11 +74,12 @@ rules = [ 'path': '/v1/containers', 'method': 'POST' } - ] + ], + deprecated_rule=deprecated_containers_post ), policy.DocumentedRuleDefault( name='containers:get', - check_str=f"rule:all_but_audit or {_MEMBER}", + check_str='True:%(enforce_new_defaults)s and role:member', scope_types=['project'], description='Lists a projects containers.', operations=[ @@ -44,16 +87,18 @@ rules = [ 'path': '/v1/containers', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_containers_get ), policy.DocumentedRuleDefault( name='container:get', - check_str='rule:container_non_private_read or ' + - 'rule:container_project_creator or ' + - 'rule:container_project_admin or ' + - 'rule:container_acl_read or ' + - f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " + - f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}", + check_str=( + 'True:%(enforce_new_defaults)s and ' + '(rule:container_project_admin or ' + '(rule:container_project_member and rule:container_owner) or ' + '(rule:container_project_member and ' + ' rule:container_is_not_private) or ' + 'rule:container_acl_read)'), scope_types=['project'], description='Retrieves a single container.', operations=[ @@ -61,14 +106,17 @@ rules = [ 'path': '/v1/containers/{container-id}', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_container_get ), policy.DocumentedRuleDefault( name='container:delete', - check_str='rule:container_project_admin or ' + - 'rule:container_project_creator or ' + - f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " + - f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}", + check_str=( + 'True:%(enforce_new_defaults)s and ' + '(rule:container_project_admin or ' + '(rule:container_project_member and rule:container_owner) or ' + '(rule:container_project_member and ' + ' rule:container_is_not_private))'), scope_types=['project'], description='Deletes a container.', operations=[ @@ -76,16 +124,17 @@ rules = [ 'path': '/v1/containers/{uuid}', 'method': 'DELETE' } - ] + ], + deprecated_rule=deprecated_container_delete ), policy.DocumentedRuleDefault( name='container_secret:post', - check_str='rule:container_project_admin or ' + - 'rule:container_project_creator or ' + - 'rule:container_project_creator_role and ' + - 'rule:container_non_private_read or ' + - f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " + - f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}", + check_str=( + 'True:%(enforce_new_defaults)s and ' + '(rule:container_project_admin or ' + '(rule:container_project_member and rule:container_owner) or ' + '(rule:container_project_member and ' + ' rule:container_is_not_private))'), scope_types=['project'], description='Add a secret to an existing container.', operations=[ @@ -93,16 +142,17 @@ rules = [ 'path': '/v1/containers/{container-id}/secrets', 'method': 'POST' } - ] + ], + deprecated_rule=deprecated_container_secret_post ), policy.DocumentedRuleDefault( name='container_secret:delete', - check_str='rule:container_project_admin or ' + - 'rule:container_project_creator or ' + - 'rule:container_project_creator_role and ' + - 'rule:container_non_private_read or ' + - f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " + - f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}", + check_str=( + 'True:%(enforce_new_defaults)s and ' + '(rule:container_project_admin or ' + '(rule:container_project_member and rule:container_owner) or ' + '(rule:container_project_member and ' + ' rule:container_is_not_private))'), scope_types=['project'], description='Remove a secret from a container.', operations=[ @@ -110,7 +160,8 @@ rules = [ 'path': '/v1/containers/{container-id}/secrets/{secret-id}', 'method': 'DELETE' } - ] + ], + deprecated_rule=deprecated_container_secret_delete ), ]