diff --git a/barbican/common/policies/base.py b/barbican/common/policies/base.py
index 77f451f7a..cbd3c4a33 100644
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
@@ -19,70 +19,16 @@ LEGACY_POLICY_DEPRECATION = ( ) rules = [ + policy.RuleDefault( + name='system_reader', + check_str='role:reader and system_scope:all'), policy.RuleDefault( name='system_admin', check_str='role:amdin and system_scope:all'), - policy.RuleDefault( - name='admin', - check_str='role:admin'), - policy.RuleDefault( - name='observer', - check_str='role:observer'), - policy.RuleDefault( - name='creator', - check_str='role:creator'), - policy.RuleDefault( - name='audit', - check_str='role:audit'), - policy.RuleDefault( - name='service_admin', - check_str='role:key-manager:service-admin'), - policy.RuleDefault( - name='admin_or_creator', - check_str='rule:admin or rule:creator'), - policy.RuleDefault( - name='all_but_audit', - check_str='rule:admin or rule:observer or rule:creator'), - policy.RuleDefault( - name='all_users', - check_str='rule:admin or rule:observer or rule:creator or ' + - 'rule:audit or rule:service_admin'), + policy.RuleDefault( name='secret_project_match', check_str='project_id:%(target.secret.project_id)s'), - policy.RuleDefault( - name='secret_acl_read', - check_str="'read':%(target.secret.read)s"), - policy.RuleDefault( - name='secret_private_read', - check_str="'False':%(target.secret.read_project_access)s"), - policy.RuleDefault( - name='secret_creator_user', - check_str="user_id:%(target.secret.creator_id)s"), - policy.RuleDefault( - name='container_project_match', - check_str="project_id:%(target.container.project_id)s"), - policy.RuleDefault( - name='container_acl_read', - check_str="'read':%(target.container.read)s"), - policy.RuleDefault( - name='container_private_read', - check_str="'False':%(target.container.read_project_access)s"), - policy.RuleDefault( - name='container_creator_user', - check_str="user_id:%(target.container.creator_id)s"), - policy.RuleDefault( - name='secret_non_private_read', - check_str="rule:all_users and rule:secret_project_match and not " + - "rule:secret_private_read"), - policy.RuleDefault( - 
name='secret_decrypt_non_private_read', - check_str="rule:all_but_audit and rule:secret_project_match and not " + - "rule:secret_private_read"), - policy.RuleDefault( - name='container_non_private_read', - check_str="rule:all_users and rule:container_project_match and not " + - "rule:container_private_read"), policy.RuleDefault( name='secret_project_reader', check_str='role:reader and rule:secret_project_match'), @@ -91,7 +37,7 @@ rules = [ check_str='role:member and rule:secret_project_match'), policy.RuleDefault( name='secret_project_admin', - check_str='rule:admin and rule:secret_project_match'), + check_str='role:admin and rule:secret_project_match'), policy.RuleDefault( name='secret_owner', check_str='user_id:%(target.secret.creator_id)s'), @@ -99,12 +45,12 @@ rules = [ name='secret_is_not_private', check_str='True:%(target.secret.read_project_access)s'), policy.RuleDefault( - name='secret_project_creator', - check_str="rule:creator and rule:secret_project_match and " + - "rule:secret_creator_user"), + name='secret_acl_read', + check_str="'read':%(target.secret.read)s"), + policy.RuleDefault( - name='secret_project_creator_role', - check_str="rule:creator and rule:secret_project_match"), + name='container_project_match', + check_str="project_id:%(target.container.project_id)s"), policy.RuleDefault( name='container_project_member', check_str='role:member and rule:container_project_match'), 
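Review bot: The `system_admin` rule that this commit starts depending on still reads `check_str='role:amdin and system_scope:all'` (context line near the top of the hunk); no token carries a role named `amdin`, so once new defaults are enforced, `project_quotas:put`/`project_quotas:delete` (quotas.py) and `transport_key:delete`/`transport_keys:post` (transportkeys.py), whose new defaults are `rule:system_admin`, deny every caller, and until then those operations are in practice governed only by their `rule:service_admin` deprecated fallback. The fix is `check_str='role:admin and system_scope:all'`, mirroring the `system_reader` rule added just above it. The `rules` list continues past the end of this hunk.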
@@ -118,18 +64,84 @@ rules = [ name='container_is_not_private', check_str='True:%(target.container.read_project_access)s'), policy.RuleDefault( - name='container_project_creator', - check_str="rule:creator and rule:container_project_match and " + - "rule:container_creator_user"), - policy.RuleDefault( - name='container_project_creator_role', - check_str="rule:creator and rule:container_project_match"), + name='container_acl_read', + check_str="'read':%(target.container.read)s"), + policy.RuleDefault( name='order_project_match', check_str='project_id:%(target.order.project_id)s'), policy.RuleDefault( name='order_project_member', check_str='role:member and rule:order_project_match'), + + # NOTE(dmendiza): + # The default rules below are only used in the deprecated legacy policy + # and should be removed when the legacy policy is eventually dropped. + policy.RuleDefault( + name='audit', + check_str='role:audit'), + policy.RuleDefault( + name='observer', + check_str='role:observer'), + policy.RuleDefault( + name='creator', + check_str='role:creator'), + policy.RuleDefault( + name='admin', + check_str='role:admin'), + policy.RuleDefault( + name='service_admin', + check_str='role:key-manager:service-admin'), + policy.RuleDefault( + name='all_users', + check_str='rule:admin or rule:observer or rule:creator or ' + + 'rule:audit or rule:service_admin'), + policy.RuleDefault( + name='all_but_audit', + check_str='rule:admin or rule:observer or rule:creator'), + policy.RuleDefault( + name='admin_or_creator', + check_str='rule:admin or rule:creator'), + + policy.RuleDefault( + name='secret_creator_user', + check_str="user_id:%(target.secret.creator_id)s"), + policy.RuleDefault( + name='secret_private_read', + check_str="'False':%(target.secret.read_project_access)s"), + policy.RuleDefault( + name='secret_non_private_read', + check_str="rule:all_users and rule:secret_project_match and not " + + "rule:secret_private_read"), + policy.RuleDefault( + 
name='secret_decrypt_non_private_read', + check_str="rule:all_but_audit and rule:secret_project_match and not " + + "rule:secret_private_read"), + policy.RuleDefault( + name='secret_project_creator', + check_str="rule:creator and rule:secret_project_match and " + + "rule:secret_creator_user"), + policy.RuleDefault( + name='secret_project_creator_role', + check_str="rule:creator and rule:secret_project_match"), + + policy.RuleDefault( + name='container_private_read', + check_str="'False':%(target.container.read_project_access)s"), + policy.RuleDefault( + name='container_creator_user', + check_str="user_id:%(target.container.creator_id)s"), + policy.RuleDefault( + name='container_non_private_read', + check_str="rule:all_users and rule:container_project_match and not " + + "rule:container_private_read"), + policy.RuleDefault( + name='container_project_creator', + check_str="rule:creator and rule:container_project_match and " + + "rule:container_creator_user"), + policy.RuleDefault( + name='container_project_creator_role', + check_str="rule:creator and rule:container_project_match"), ] diff --git a/barbican/common/policies/quotas.py b/barbican/common/policies/quotas.py index fea49fd23..c5427d33f 100644 --- a/barbican/common/policies/quotas.py +++ b/barbican/common/policies/quotas.py 
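Review bot: The NOTE(dmendiza) comment introduced in this hunk says the rules below should be removed when the legacy policy is dropped, but it does not say what else keeps them alive: the `DeprecatedRule` objects this same change adds in quotas.py, secretstores.py and transportkeys.py reference `rule:all_users`, `rule:service_admin` and `rule:admin`, so removing these defaults before those `deprecated_rule=` arguments go would leave dangling rule references. Suggest extending the comment: `# They are also referenced by the deprecated_rule fallbacks in quotas.py, secretstores.py and transportkeys.py; drop those together with these defaults.` Whether the secret and container policy modules, which are not in this diff, carry similar references cannot be seen here.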
@@ -10,17 +10,41 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_log import versionutils from oslo_policy import policy +from barbican.common.policies import base -_READER = "role:reader" -_SYSTEM_ADMIN = "role:admin and system_scope:all" -_SYSTEM_READER = "role:reader and system_scope:all" + +deprecated_quotas_get = policy.DeprecatedRule( + name='quotas:get', + check_str='rule:all_users', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_project_quotas_get = policy.DeprecatedRule( + name='project_quotas:get', + check_str='rule:service_admin', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_project_quotas_put = policy.DeprecatedRule( + name='project_quotas:put', + check_str='rule:service_admin', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_project_quotas_delete = policy.DeprecatedRule( + name='project_quotas:delete', + check_str='rule:service_admin', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) rules = [ policy.DocumentedRuleDefault( name='quotas:get', - check_str=f'rule:all_users or {_READER}', + check_str='True:%(enforce_new_defaults)s and role:reader', scope_types=['project'], description='List quotas for the project the user belongs to.', operations=[ @@ -28,11 +52,12 @@ rules = [ 'path': '/v1/quotas', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_quotas_get ), policy.DocumentedRuleDefault( name='project_quotas:get', - check_str=f'rule:service_admin or {_SYSTEM_READER}', + check_str='True:%(enforce_new_defaults)s and rule:system_reader', scope_types=['system'], description='List quotas for the specified project.', operations=[ 
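Review bot: The new defaults such as `check_str='True:%(enforce_new_defaults)s and role:reader'` only match if the enforcer places an `enforce_new_defaults` key into every target dict; oslo.policy's GenericCheck evaluates to False when the `%(...)s` key is missing from the target, so a code path that enforces with a bare target would never reach the intended new default and the outcome would rest entirely on the deprecated fallback (or become a denial once deprecated rules stop being honoured). Nothing in this diff shows where that key is injected, so it deserves a module-level comment above `rules`, e.g. `# 'True:%(enforce_new_defaults)s' gates the new defaults on a target key the enforcer must set; if the key is absent the new check is False and only deprecated_rule applies.` The same gate pattern is repeated in secretstores.py and transportkeys.py below.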
@@ -44,11 +69,12 @@ rules = [ 'path': '/v1/project-quotas/{uuid}', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_project_quotas_get ), policy.DocumentedRuleDefault( name='project_quotas:put', - check_str=f'rule:service_admin or {_SYSTEM_ADMIN}', + check_str='True:%(enforce_new_defaults)s and rule:system_admin', scope_types=['system'], description='Create or update the configured project quotas for ' 'the project with the specified UUID.', @@ -57,11 +83,12 @@ rules = [ 'path': '/v1/project-quotas/{uuid}', 'method': 'PUT' } - ] + ], + deprecated_rule=deprecated_project_quotas_put ), policy.DocumentedRuleDefault( name='project_quotas:delete', - check_str=f'rule:service_admin or {_SYSTEM_ADMIN}', + check_str='True:%(enforce_new_defaults)s and rule:system_admin', scope_types=['system'], description='Delete the project quotas configuration for the ' 'project with the requested UUID.', @@ -70,7 +97,8 @@ rules = [ 'path': '/v1/quotas}', 'method': 'DELETE' } - ] + ], + deprecated_rule=deprecated_project_quotas_delete ), ] diff --git a/barbican/common/policies/secretstores.py b/barbican/common/policies/secretstores.py index 38abe15ce..ff94c288c 100644 --- a/barbican/common/policies/secretstores.py +++ b/barbican/common/policies/secretstores.py 
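Review bot: The `project_quotas:delete` operation in the last hunk still documents `'path': '/v1/quotas}'`, which carries a stray `}` and, unlike the PUT entry above it, names no project UUID even though the description says the quotas are deleted for "the project with the requested UUID"; presumably it should read `'path': '/v1/project-quotas/{uuid}'` — confirm against the API. The `transport_key:get` entry in transportkeys.py has the same kind of typo, `'/v1/transport_keys/{key-id}}'`. As far as I can tell these paths only feed the generated policy documentation, so this is a documentation point rather than an enforcement one, but the commit touches both entries and leaves them wrong.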
@@ -10,15 +10,53 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_log import versionutils from oslo_policy import policy +from barbican.common.policies import base -_READER = "role:reader" + +deprecated_secretstores_get = policy.DeprecatedRule( + name='secretstores:get', + check_str='rule:all_users', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_secretstores_get_global = policy.DeprecatedRule( + name='secretstores:get_global_default', + check_str='rule:all_users', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_secretstores_get_preferred = policy.DeprecatedRule( + name='secretstores:get_preferred', + check_str='rule:all_users', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_secretstores_preferred_post = policy.DeprecatedRule( + name='secretstore_preferred:post', + check_str='rule:admin', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_secretstores_preferred_delete = policy.DeprecatedRule( + name='secretstore_preferred:delete', + check_str='rule:admin', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_secretstore_get = policy.DeprecatedRule( + name='secretstore:get', + check_str='rule:all_users', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) rules = [ policy.DocumentedRuleDefault( name='secretstores:get', - check_str=f'rule:all_users or {_READER}', + check_str='True:%(enforce_new_defaults)s and role:reader', scope_types=['project', 'system'], description='Get list of available secret store backends.', operations=[ 
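Review bot: The six `policy.DeprecatedRule(...)` blocks at the top of this hunk repeat `deprecated_reason=base.LEGACY_POLICY_DEPRECATION` and `deprecated_since=versionutils.deprecated.WALLABY` verbatim, and quotas.py and transportkeys.py repeat the same four-line pattern again; a small factory keeps each legacy check string next to its rule name and makes a later bump of `deprecated_since` a one-line change. Something like the helper below, which could live in base.py so the three modules share it, turns each block into a single call. The variable name `deprecated_secretstores_preferred_post` also diverges from the rule it wraps, `secretstore_preferred:post`; naming the variables exactly after their rules would make the `deprecated_rule=` arguments easier to audit.
```python
def _legacy_rule(name, check_str):
    """Build the DeprecatedRule for a legacy default superseded by the new RBAC defaults."""
    return policy.DeprecatedRule(
        name=name,
        check_str=check_str,
        deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
        deprecated_since=versionutils.deprecated.WALLABY,
    )


deprecated_secretstores_get = _legacy_rule('secretstores:get', 'rule:all_users')
deprecated_secretstores_get_global = _legacy_rule(
    'secretstores:get_global_default', 'rule:all_users')
# … unchanged: remaining four DeprecatedRule definitions, converted the same way …
```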
@@ -26,11 +64,12 @@ rules = [ 'path': '/v1/secret-stores', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_secretstores_get ), policy.DocumentedRuleDefault( name='secretstores:get_global_default', - check_str=f'rule:all_users or {_READER}', + check_str='True:%(enforce_new_defaults)s and role:reader', scope_types=['project', 'system'], description='Get a reference to the secret store that is used as ' + 'default secret store backend for the deployment.', @@ -39,11 +78,12 @@ rules = [ 'path': '/v1/secret-stores/global-default', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_secretstores_get_global ), policy.DocumentedRuleDefault( name='secretstores:get_preferred', - check_str=f'rule:all_users or {_READER}', + check_str='True:%(enforce_new_defaults)s and role:reader', scope_types=['project', 'system'], description='Get a reference to the preferred secret store if ' + 'assigned previously.', @@ -52,11 +92,12 @@ rules = [ 'path': '/v1/secret-stores/preferred', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_secretstores_get_preferred ), policy.DocumentedRuleDefault( name='secretstore_preferred:post', - check_str='rule:admin', + check_str='True:%(enforce_new_defaults)s and role:admin', scope_types=['project'], description='Set a secret store backend to be preferred store ' + 'backend for their project.', @@ -65,11 +106,12 @@ rules = [ 'path': '/v1/secret-stores/{ss-id}/preferred', 'method': 'POST' } - ] + ], + deprecated_rule=deprecated_secretstores_preferred_post ), policy.DocumentedRuleDefault( name='secretstore_preferred:delete', - check_str='rule:admin', + check_str='True:%(enforce_new_defaults)s and role:admin', scope_types=['project'], description='Remove preferred secret store backend setting for ' + 'their project.', 
@@ -78,11 +120,12 @@ rules = [ 'path': '/v1/secret-stores/{ss-id}/preferred', 'method': 'DELETE' } - ] + ], + deprecated_rule=deprecated_secretstores_preferred_delete ), policy.DocumentedRuleDefault( name='secretstore:get', - check_str=f'rule:all_users or {_READER}', + check_str='True:%(enforce_new_defaults)s and role:reader', scope_types=['project', 'system'], description='Get details of secret store by its ID.', operations=[ @@ -90,7 +133,8 @@ rules = [ 'path': '/v1/secret-stores/{ss-id}', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_secretstore_get ), ] diff --git a/barbican/common/policies/transportkeys.py b/barbican/common/policies/transportkeys.py index 3d9283bee..30604ce5c 100644 --- a/barbican/common/policies/transportkeys.py +++ b/barbican/common/policies/transportkeys.py 
@@ -10,15 +10,41 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_log import versionutils from oslo_policy import policy -_READER = "role:reader" -_SYSTEM_ADMIN = "role:admin and system_scope:all" +from barbican.common.policies import base + + +deprecated_transport_key_get = policy.DeprecatedRule( + name='transport_key:get', + check_str='rule:all_users', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_transport_key_delete = policy.DeprecatedRule( + name='transport_key:delete', + check_str='rule:service_admin', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_transport_keys_get = policy.DeprecatedRule( + name='transport_keys:get', + check_str='rule:all_users', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_transport_keys_post = policy.DeprecatedRule( + name='transport_keys:post', + check_str='rule:service_admin', + deprecated_reason=base.LEGACY_POLICY_DEPRECATION, + deprecated_since=versionutils.deprecated.WALLABY +) rules = [ policy.DocumentedRuleDefault( name='transport_key:get', - check_str=f'rule:all_users or {_READER}', + check_str='True:%(enforce_new_defaults)s and role:reader', scope_types=['project', 'system'], description='Get a specific transport key.', operations=[ @@ -26,11 +52,12 @@ rules = [ 'path': '/v1/transport_keys/{key-id}}', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_transport_key_get ), policy.DocumentedRuleDefault( name='transport_key:delete', - check_str=f'{_SYSTEM_ADMIN}', + check_str='True:%(enforce_new_defaults)s and rule:system_admin', scope_types=['system'], description='Delete a specific transport key.', operations=[ 
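Review bot: `deprecated_transport_key_delete` and `deprecated_transport_keys_post` declare the legacy check as `rule:service_admin`, but the lines this hunk removes show that the previous default for both operations was `_SYSTEM_ADMIN`, i.e. `role:admin and system_scope:all`; while the deprecated fallback is honoured, a `key-manager:service-admin` token without system scope can therefore delete or create transport keys, which the removed check did not allow. If the intent is to reproduce the deployment's pre-existing legacy policy rather than the check string removed here, that should be confirmed against that policy and recorded in a comment next to these two rules stating where the legacy check was taken from; otherwise the deprecated check should be `check_str='role:admin and system_scope:all'`. The second hunk in this file is where `transport_key:delete` gets its new `rule:system_admin` default.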
@@ -38,11 +65,12 @@ rules = [ 'path': '/v1/transport_keys/{key-id}', 'method': 'DELETE' } - ] + ], + deprecated_rule=deprecated_transport_key_delete ), policy.DocumentedRuleDefault( name='transport_keys:get', - check_str=f'rule:all_users or {_READER}', + check_str='True:%(enforce_new_defaults)s and role:reader', scope_types=['project', 'system'], description='Get a list of all transport keys.', operations=[ @@ -50,11 +78,12 @@ rules = [ 'path': '/v1/transport_keys', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_transport_keys_get ), policy.DocumentedRuleDefault( name='transport_keys:post', - check_str=f'{_SYSTEM_ADMIN}', + check_str='True:%(enforce_new_defaults)s and rule:system_admin', scope_types=['system'], description='Create a new transport key.', operations=[ @@ -62,7 +91,8 @@ rules = [ 'path': '/v1/transport_keys', 'method': 'POST' } - ] + ], + deprecated_rule=deprecated_transport_keys_post ), ] diff --git a/barbican/tests/api/test_resources_policy.py b/barbican/tests/api/test_resources_policy.py index 84d280fdc..37bab3be4 100644 --- a/barbican/tests/api/test_resources_policy.py +++ b/barbican/tests/api/test_resources_policy.py @@ -1212,17 +1212,17 @@ class WhenTestingSecretStoresResource(BaseTestCase): def test_should_pass_get_all_secret_stores(self): self._assert_pass_rbac( - ['admin', 'observer', 'audit', 'creator', 'reader'], + ['admin', 'observer', 'audit', 'creator'], self._invoke_on_get) def test_should_pass_get_global_default(self): self._assert_pass_rbac( - ['admin', 'observer', 'audit', 'creator', 'reader'], + ['admin', 'observer', 'audit', 'creator'], self._invoke_get_global_default) def test_should_pass_get_preferred(self): self._assert_pass_rbac( - ['admin', 'observer', 'audit', 'creator', 'reader'], + ['admin', 'observer', 'audit', 'creator'], self._invoke_get_preferred) def _invoke_on_get(self): 
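Review bot: These three tests only drop `'reader'` from the legacy pass lists, so after this change nothing asserts the new defaults at all — no case shows that `reader` passes `secretstores:get` when `enforce_new_defaults` is set in the target, nor that `secretstore_preferred:post` is rejected for a non-admin under the new check. A companion test that enforces with `enforce_new_defaults` present and expects `reader` to pass (and `observer`/`audit`/`creator` to fail) would lock in the behaviour the policy change is actually introducing. The same applies to the `@@ -1274` and `@@ -1314` hunks below, and to the quotas and transport-key policies, for which this diff shows no test changes at all. How `_assert_pass_rbac` builds its target is outside this hunk, so I cannot tell whether such a test needs a new helper.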
@@ -1274,7 +1274,7 @@ class WhenTestingSecretStoreResource(BaseTestCase): def test_should_pass_get_a_secret_store(self): self._assert_pass_rbac( - ['admin', 'observer', 'audit', 'creator', 'reader'], + ['admin', 'observer', 'audit', 'creator'], self._invoke_on_get) def _invoke_on_get(self): @@ -1314,7 +1314,7 @@ class WhenTestingPreferredSecretStoreResource(BaseTestCase): def test_should_raise_set_preferred_secret_store(self): self._assert_fail_rbac( - [None, 'creator', 'observer', 'audit', 'reader'], + [None, 'creator', 'observer', 'audit'], self._invoke_on_post) def _invoke_on_post(self):