Fix remaining Secure RBAC policies

This patch fixes the remaining default policies to ensure they are only
evaluated when enforce_new_defaults=True.

The 'reader' role is removed from the policy tests in this codebase
because those requests now correctly fail.

The 'reader' role was introduced into the policy tests in
060ca2ee36, and the dynamic tests that were
generated only passed because of the issue being resolved in this patch.

Now that the new default policies are not being evaluated when
enforce_new_defaults=False the requests using the 'reader' role are
correctly denied.

Story: 2010235
Task: 46036
Change-Id: Ief495c50bb120e2aa671dbcc80734ccb5a839b74
This commit is contained in:
Douglas Mendizábal 2022-08-26 09:23:07 -05:00
parent 708b00d340
commit 950420f3c9
5 changed files with 223 additions and 109 deletions


@ -19,70 +19,16 @@ LEGACY_POLICY_DEPRECATION = (
)
rules = [
policy.RuleDefault(
name='system_reader',
check_str='role:reader and system_scope:all'),
policy.RuleDefault(
name='system_admin',
check_str='role:amdin and system_scope:all'),
policy.RuleDefault(
name='admin',
check_str='role:admin'),
policy.RuleDefault(
name='observer',
check_str='role:observer'),
policy.RuleDefault(
name='creator',
check_str='role:creator'),
policy.RuleDefault(
name='audit',
check_str='role:audit'),
policy.RuleDefault(
name='service_admin',
check_str='role:key-manager:service-admin'),
policy.RuleDefault(
name='admin_or_creator',
check_str='rule:admin or rule:creator'),
policy.RuleDefault(
name='all_but_audit',
check_str='rule:admin or rule:observer or rule:creator'),
policy.RuleDefault(
name='all_users',
check_str='rule:admin or rule:observer or rule:creator or ' +
'rule:audit or rule:service_admin'),
policy.RuleDefault(
name='secret_project_match',
check_str='project_id:%(target.secret.project_id)s'),
policy.RuleDefault(
name='secret_acl_read',
check_str="'read':%(target.secret.read)s"),
policy.RuleDefault(
name='secret_private_read',
check_str="'False':%(target.secret.read_project_access)s"),
policy.RuleDefault(
name='secret_creator_user',
check_str="user_id:%(target.secret.creator_id)s"),
policy.RuleDefault(
name='container_project_match',
check_str="project_id:%(target.container.project_id)s"),
policy.RuleDefault(
name='container_acl_read',
check_str="'read':%(target.container.read)s"),
policy.RuleDefault(
name='container_private_read',
check_str="'False':%(target.container.read_project_access)s"),
policy.RuleDefault(
name='container_creator_user',
check_str="user_id:%(target.container.creator_id)s"),
policy.RuleDefault(
name='secret_non_private_read',
check_str="rule:all_users and rule:secret_project_match and not " +
"rule:secret_private_read"),
policy.RuleDefault(
name='secret_decrypt_non_private_read',
check_str="rule:all_but_audit and rule:secret_project_match and not " +
"rule:secret_private_read"),
policy.RuleDefault(
name='container_non_private_read',
check_str="rule:all_users and rule:container_project_match and not " +
"rule:container_private_read"),
policy.RuleDefault(
name='secret_project_reader',
check_str='role:reader and rule:secret_project_match'),
@ -91,7 +37,7 @@ rules = [
check_str='role:member and rule:secret_project_match'),
policy.RuleDefault(
name='secret_project_admin',
check_str='rule:admin and rule:secret_project_match'),
check_str='role:admin and rule:secret_project_match'),
policy.RuleDefault(
name='secret_owner',
check_str='user_id:%(target.secret.creator_id)s'),
@ -99,12 +45,12 @@ rules = [
name='secret_is_not_private',
check_str='True:%(target.secret.read_project_access)s'),
policy.RuleDefault(
name='secret_project_creator',
check_str="rule:creator and rule:secret_project_match and " +
"rule:secret_creator_user"),
name='secret_acl_read',
check_str="'read':%(target.secret.read)s"),
policy.RuleDefault(
name='secret_project_creator_role',
check_str="rule:creator and rule:secret_project_match"),
name='container_project_match',
check_str="project_id:%(target.container.project_id)s"),
policy.RuleDefault(
name='container_project_member',
check_str='role:member and rule:container_project_match'),
@ -118,18 +64,84 @@ rules = [
name='container_is_not_private',
check_str='True:%(target.container.read_project_access)s'),
policy.RuleDefault(
name='container_project_creator',
check_str="rule:creator and rule:container_project_match and " +
"rule:container_creator_user"),
policy.RuleDefault(
name='container_project_creator_role',
check_str="rule:creator and rule:container_project_match"),
name='container_acl_read',
check_str="'read':%(target.container.read)s"),
policy.RuleDefault(
name='order_project_match',
check_str='project_id:%(target.order.project_id)s'),
policy.RuleDefault(
name='order_project_member',
check_str='role:member and rule:order_project_match'),
# NOTE(dmendiza):
# The default rules below are only used in the deprecated legacy policy
# and should be removed when the legacy policy is eventually dropped.
policy.RuleDefault(
name='audit',
check_str='role:audit'),
policy.RuleDefault(
name='observer',
check_str='role:observer'),
policy.RuleDefault(
name='creator',
check_str='role:creator'),
policy.RuleDefault(
name='admin',
check_str='role:admin'),
policy.RuleDefault(
name='service_admin',
check_str='role:key-manager:service-admin'),
policy.RuleDefault(
name='all_users',
check_str='rule:admin or rule:observer or rule:creator or ' +
'rule:audit or rule:service_admin'),
policy.RuleDefault(
name='all_but_audit',
check_str='rule:admin or rule:observer or rule:creator'),
policy.RuleDefault(
name='admin_or_creator',
check_str='rule:admin or rule:creator'),
policy.RuleDefault(
name='secret_creator_user',
check_str="user_id:%(target.secret.creator_id)s"),
policy.RuleDefault(
name='secret_private_read',
check_str="'False':%(target.secret.read_project_access)s"),
policy.RuleDefault(
name='secret_non_private_read',
check_str="rule:all_users and rule:secret_project_match and not " +
"rule:secret_private_read"),
policy.RuleDefault(
name='secret_decrypt_non_private_read',
check_str="rule:all_but_audit and rule:secret_project_match and not " +
"rule:secret_private_read"),
policy.RuleDefault(
name='secret_project_creator',
check_str="rule:creator and rule:secret_project_match and " +
"rule:secret_creator_user"),
policy.RuleDefault(
name='secret_project_creator_role',
check_str="rule:creator and rule:secret_project_match"),
policy.RuleDefault(
name='container_private_read',
check_str="'False':%(target.container.read_project_access)s"),
policy.RuleDefault(
name='container_creator_user',
check_str="user_id:%(target.container.creator_id)s"),
policy.RuleDefault(
name='container_non_private_read',
check_str="rule:all_users and rule:container_project_match and not " +
"rule:container_private_read"),
policy.RuleDefault(
name='container_project_creator',
check_str="rule:creator and rule:container_project_match and " +
"rule:container_creator_user"),
policy.RuleDefault(
name='container_project_creator_role',
check_str="rule:creator and rule:container_project_match"),
]
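Review bot: The new `system_admin` rule near the top of this file carries a typo in its check string, `check_str='role:amdin and system_scope:all'`, and since `rule:system_admin` is exactly what the new `project_quotas:put`/`delete` and `transport_key:delete`/`transport_keys:post` defaults in this commit resolve to, no token can ever satisfy it once enforce_new_defaults is on, so those operations fail closed for everyone including genuine system admins. The line should read `check_str='role:admin and system_scope:all'`. A small unit test that builds a system-scoped admin context and asserts `rule:system_admin` passes would have caught this and is worth adding alongside the fix. Which lines are the new side is inferred from the rendered page, which has lost its +/- markers, but the `rule:system_admin` references in the other files only make sense if this definition is being added here.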


@ -10,17 +10,41 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from barbican.common.policies import base
_READER = "role:reader"
_SYSTEM_ADMIN = "role:admin and system_scope:all"
_SYSTEM_READER = "role:reader and system_scope:all"
deprecated_quotas_get = policy.DeprecatedRule(
name='quotas:get',
check_str='rule:all_users',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_project_quotas_get = policy.DeprecatedRule(
name='project_quotas:get',
check_str='rule:service_admin',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_project_quotas_put = policy.DeprecatedRule(
name='project_quotas:put',
check_str='rule:service_admin',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_project_quotas_delete = policy.DeprecatedRule(
name='project_quotas:delete',
check_str='rule:service_admin',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
rules = [
policy.DocumentedRuleDefault(
name='quotas:get',
check_str=f'rule:all_users or {_READER}',
check_str='True:%(enforce_new_defaults)s and role:reader',
scope_types=['project'],
description='List quotas for the project the user belongs to.',
operations=[
@ -28,11 +52,12 @@ rules = [
'path': '/v1/quotas',
'method': 'GET'
}
]
],
deprecated_rule=deprecated_quotas_get
),
policy.DocumentedRuleDefault(
name='project_quotas:get',
check_str=f'rule:service_admin or {_SYSTEM_READER}',
check_str='True:%(enforce_new_defaults)s and rule:system_reader',
scope_types=['system'],
description='List quotas for the specified project.',
operations=[
@ -44,11 +69,12 @@ rules = [
'path': '/v1/project-quotas/{uuid}',
'method': 'GET'
}
]
],
deprecated_rule=deprecated_project_quotas_get
),
policy.DocumentedRuleDefault(
name='project_quotas:put',
check_str=f'rule:service_admin or {_SYSTEM_ADMIN}',
check_str='True:%(enforce_new_defaults)s and rule:system_admin',
scope_types=['system'],
description='Create or update the configured project quotas for '
'the project with the specified UUID.',
@ -57,11 +83,12 @@ rules = [
'path': '/v1/project-quotas/{uuid}',
'method': 'PUT'
}
]
],
deprecated_rule=deprecated_project_quotas_put
),
policy.DocumentedRuleDefault(
name='project_quotas:delete',
check_str=f'rule:service_admin or {_SYSTEM_ADMIN}',
check_str='True:%(enforce_new_defaults)s and rule:system_admin',
scope_types=['system'],
description='Delete the project quotas configuration for the '
'project with the requested UUID.',
@ -70,7 +97,8 @@ rules = [
'path': '/v1/quotas}',
'method': 'DELETE'
}
]
],
deprecated_rule=deprecated_project_quotas_delete
),
]
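Review bot: The `operations` entry for `project_quotas:delete` lists `'path': '/v1/quotas}'`, which has a stray brace and names the wrong resource; the PUT rule directly above uses `/v1/project-quotas/{uuid}` and the delete description says it targets the project with the requested UUID, so it should read `'path': '/v1/project-quotas/{uuid}'`. That is a context line the commit does not touch, but this list feeds the generated policy documentation, and a wrong path misleads operators writing policy overrides. Separately, the `True:%(enforce_new_defaults)s and ...` prefix now on every check_str deserves a one-line module comment, e.g. `# 'True:%(enforce_new_defaults)s' is a generic check against a target key the enforcer is expected to set; it evaluates False (fail closed) unless the deployment has opted into the new defaults`, since without it the idiom reads like a mistake; how the target key is populated is not visible in this change and should be confirmed.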


@ -10,15 +10,53 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from barbican.common.policies import base
_READER = "role:reader"
deprecated_secretstores_get = policy.DeprecatedRule(
name='secretstores:get',
check_str='rule:all_users',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_secretstores_get_global = policy.DeprecatedRule(
name='secretstores:get_global_default',
check_str='rule:all_users',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_secretstores_get_preferred = policy.DeprecatedRule(
name='secretstores:get_preferred',
check_str='rule:all_users',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_secretstores_preferred_post = policy.DeprecatedRule(
name='secretstore_preferred:post',
check_str='rule:admin',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_secretstores_preferred_delete = policy.DeprecatedRule(
name='secretstore_preferred:delete',
check_str='rule:admin',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_secretstore_get = policy.DeprecatedRule(
name='secretstore:get',
check_str='rule:all_users',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
rules = [
policy.DocumentedRuleDefault(
name='secretstores:get',
check_str=f'rule:all_users or {_READER}',
check_str='True:%(enforce_new_defaults)s and role:reader',
scope_types=['project', 'system'],
description='Get list of available secret store backends.',
operations=[
@ -26,11 +64,12 @@ rules = [
'path': '/v1/secret-stores',
'method': 'GET'
}
]
],
deprecated_rule=deprecated_secretstores_get
),
policy.DocumentedRuleDefault(
name='secretstores:get_global_default',
check_str=f'rule:all_users or {_READER}',
check_str='True:%(enforce_new_defaults)s and role:reader',
scope_types=['project', 'system'],
description='Get a reference to the secret store that is used as ' +
'default secret store backend for the deployment.',
@ -39,11 +78,12 @@ rules = [
'path': '/v1/secret-stores/global-default',
'method': 'GET'
}
]
],
deprecated_rule=deprecated_secretstores_get_global
),
policy.DocumentedRuleDefault(
name='secretstores:get_preferred',
check_str=f'rule:all_users or {_READER}',
check_str='True:%(enforce_new_defaults)s and role:reader',
scope_types=['project', 'system'],
description='Get a reference to the preferred secret store if ' +
'assigned previously.',
@ -52,11 +92,12 @@ rules = [
'path': '/v1/secret-stores/preferred',
'method': 'GET'
}
]
],
deprecated_rule=deprecated_secretstores_get_preferred
),
policy.DocumentedRuleDefault(
name='secretstore_preferred:post',
check_str='rule:admin',
check_str='True:%(enforce_new_defaults)s and role:admin',
scope_types=['project'],
description='Set a secret store backend to be preferred store ' +
'backend for their project.',
@ -65,11 +106,12 @@ rules = [
'path': '/v1/secret-stores/{ss-id}/preferred',
'method': 'POST'
}
]
],
deprecated_rule=deprecated_secretstores_preferred_post
),
policy.DocumentedRuleDefault(
name='secretstore_preferred:delete',
check_str='rule:admin',
check_str='True:%(enforce_new_defaults)s and role:admin',
scope_types=['project'],
description='Remove preferred secret store backend setting for ' +
'their project.',
@ -78,11 +120,12 @@ rules = [
'path': '/v1/secret-stores/{ss-id}/preferred',
'method': 'DELETE'
}
]
],
deprecated_rule=deprecated_secretstores_preferred_delete
),
policy.DocumentedRuleDefault(
name='secretstore:get',
check_str=f'rule:all_users or {_READER}',
check_str='True:%(enforce_new_defaults)s and role:reader',
scope_types=['project', 'system'],
description='Get details of secret store by its ID.',
operations=[
@ -90,7 +133,8 @@ rules = [
'path': '/v1/secret-stores/{ss-id}',
'method': 'GET'
}
]
],
deprecated_rule=deprecated_secretstore_get
),
]
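Review bot: The literal `'True:%(enforce_new_defaults)s and role:reader'` is now spelled out four times in this file and the `role:admin` variant twice, while the `_READER` constant the old check strings built on no longer appears in any new check_str; a module constant such as `_READER = 'True:%(enforce_new_defaults)s and role:reader'` (and `_ADMIN` for the two preferred-store rules), or a shared guard prefix exported from `base`, keeps the opt-in gate in one place so a later edit cannot silently leave a single rule ungated. The same guard is repeated in the quotas and transport-key policy files, which is why `base` looks like the right home. Whether `_READER` was removed or merely left unused cannot be told from the rendered page.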


@ -10,15 +10,41 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
_READER = "role:reader"
_SYSTEM_ADMIN = "role:admin and system_scope:all"
from barbican.common.policies import base
deprecated_transport_key_get = policy.DeprecatedRule(
name='transport_key:get',
check_str='rule:all_users',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_transport_key_delete = policy.DeprecatedRule(
name='transport_key:delete',
check_str='rule:service_admin',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_transport_keys_get = policy.DeprecatedRule(
name='transport_keys:get',
check_str='rule:all_users',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_transport_keys_post = policy.DeprecatedRule(
name='transport_keys:post',
check_str='rule:service_admin',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
rules = [
policy.DocumentedRuleDefault(
name='transport_key:get',
check_str=f'rule:all_users or {_READER}',
check_str='True:%(enforce_new_defaults)s and role:reader',
scope_types=['project', 'system'],
description='Get a specific transport key.',
operations=[
@ -26,11 +52,12 @@ rules = [
'path': '/v1/transport_keys/{key-id}}',
'method': 'GET'
}
]
],
deprecated_rule=deprecated_transport_key_get
),
policy.DocumentedRuleDefault(
name='transport_key:delete',
check_str=f'{_SYSTEM_ADMIN}',
check_str='True:%(enforce_new_defaults)s and rule:system_admin',
scope_types=['system'],
description='Delete a specific transport key.',
operations=[
@ -38,11 +65,12 @@ rules = [
'path': '/v1/transport_keys/{key-id}',
'method': 'DELETE'
}
]
],
deprecated_rule=deprecated_transport_key_delete
),
policy.DocumentedRuleDefault(
name='transport_keys:get',
check_str=f'rule:all_users or {_READER}',
check_str='True:%(enforce_new_defaults)s and role:reader',
scope_types=['project', 'system'],
description='Get a list of all transport keys.',
operations=[
@ -50,11 +78,12 @@ rules = [
'path': '/v1/transport_keys',
'method': 'GET'
}
]
],
deprecated_rule=deprecated_transport_keys_get
),
policy.DocumentedRuleDefault(
name='transport_keys:post',
check_str=f'{_SYSTEM_ADMIN}',
check_str='True:%(enforce_new_defaults)s and rule:system_admin',
scope_types=['system'],
description='Create a new transport key.',
operations=[
@ -62,7 +91,8 @@ rules = [
'path': '/v1/transport_keys',
'method': 'POST'
}
]
],
deprecated_rule=deprecated_transport_keys_post
),
]
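Review bot: The `transport_key:get` operation lists `'path': '/v1/transport_keys/{key-id}}'` with a doubled closing brace, while the DELETE rule for the same resource below it uses `/v1/transport_keys/{key-id}`; the GET line should match, `'path': '/v1/transport_keys/{key-id}'`. It is a context line the commit leaves alone, but these paths are what the generated policy reference shows operators, so the typo is worth fixing while this file is being reworked. The new `rule:system_admin` checks for delete and post also depend on the `system_admin` definition in `base`, so any error there denies these operations outright under the new defaults.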


@ -1212,17 +1212,17 @@ class WhenTestingSecretStoresResource(BaseTestCase):
def test_should_pass_get_all_secret_stores(self):
self._assert_pass_rbac(
['admin', 'observer', 'audit', 'creator', 'reader'],
['admin', 'observer', 'audit', 'creator'],
self._invoke_on_get)
def test_should_pass_get_global_default(self):
self._assert_pass_rbac(
['admin', 'observer', 'audit', 'creator', 'reader'],
['admin', 'observer', 'audit', 'creator'],
self._invoke_get_global_default)
def test_should_pass_get_preferred(self):
self._assert_pass_rbac(
['admin', 'observer', 'audit', 'creator', 'reader'],
['admin', 'observer', 'audit', 'creator'],
self._invoke_get_preferred)
def _invoke_on_get(self):
@ -1274,7 +1274,7 @@ class WhenTestingSecretStoreResource(BaseTestCase):
def test_should_pass_get_a_secret_store(self):
self._assert_pass_rbac(
['admin', 'observer', 'audit', 'creator', 'reader'],
['admin', 'observer', 'audit', 'creator'],
self._invoke_on_get)
def _invoke_on_get(self):
@ -1314,7 +1314,7 @@ class WhenTestingPreferredSecretStoreResource(BaseTestCase):
def test_should_raise_set_preferred_secret_store(self):
self._assert_fail_rbac(
[None, 'creator', 'observer', 'audit', 'reader'],
[None, 'creator', 'observer', 'audit'],
self._invoke_on_post)
def _invoke_on_post(self):
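Review bot: Dropping `'reader'` from the pass lists removes the only coverage the role had, so nothing now asserts the behaviour the commit message claims, namely that reader requests are denied under the legacy defaults; each GET test here should gain an explicit negative check such as `self._assert_fail_rbac(['reader'], self._invoke_on_get)` next to the existing pass assertion (and likewise for `_invoke_get_global_default` and `_invoke_get_preferred`). Removing `'reader'` from the fail list in `test_should_raise_set_preferred_secret_store` goes the other way and looks unnecessary, since a reader should still be refused that POST; if it was removed because the helper now rejects the role earlier, that is worth a comment. A companion test class that enables the new defaults and asserts reader is then accepted would close the loop, but that may live outside this hunk.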