From a8226fcf33f16078d92949af23bdf41a7593bb64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= <dmendiza@redhat.com>
Date: Fri, 15 Oct 2021 11:51:10 -0500
Subject: [PATCH] Fix policy for adding a secret to a container

This patch fixes the policies for adding and removing secrets from a
secret container.

Story: 2009297
Task: 43724
Change-Id: I821b4f5998be5b40327311039979f5e00ea9cefc
(cherry picked from commit 6c841b23afa8ed6fa4cd01ba1a6bebfb60f06ae5)
---
 barbican/common/policies/base.py       |  3 +++
 barbican/common/policies/containers.py | 10 ++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/barbican/common/policies/base.py b/barbican/common/policies/base.py
index a042a7683..6b4cb1f3d 100644
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
@@ -92,6 +92,9 @@ rules = [
         name='container_project_creator',
         check_str="rule:creator and rule:container_project_match and " +
                   "rule:container_creator_user"),
+    policy.RuleDefault(
+        name='container_project_creator_role',
+        check_str="rule:creator and rule:container_project_match"),
 ]
 
 
diff --git a/barbican/common/policies/containers.py b/barbican/common/policies/containers.py
index d3e45ad27..4bb0fdbfb 100644
--- a/barbican/common/policies/containers.py
+++ b/barbican/common/policies/containers.py
@@ -80,7 +80,10 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='container_secret:post',
-        check_str='rule:admin or ' +
+        check_str='rule:container_project_admin or ' +
+                  'rule:container_project_creator or ' +
+                  'rule:container_project_creator_role and ' +
+                  'rule:container_non_private_read or ' +
                   f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
                   f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
         scope_types=['project'],
@@ -94,7 +97,10 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='container_secret:delete',
-        check_str='rule:admin or ' +
+        check_str='rule:container_project_admin or ' +
+                  'rule:container_project_creator or ' +
+                  'rule:container_project_creator_role and ' +
+                  'rule:container_non_private_read or ' +
                   f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
                   f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
         scope_types=['project'],