From a8226fcf33f16078d92949af23bdf41a7593bb64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Fri, 15 Oct 2021 11:51:10 -0500
Subject: [PATCH] Fix policy for adding a secret to a container
This patch fixes the policies for adding and removing secrets from a secret container.
Story: 2009297
Task: 43724
Change-Id: I821b4f5998be5b40327311039979f5e00ea9cefc
(cherry picked from commit 6c841b23afa8ed6fa4cd01ba1a6bebfb60f06ae5)
---
 barbican/common/policies/base.py | 3 +++
 barbican/common/policies/containers.py | 10 ++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/barbican/common/policies/base.py b/barbican/common/policies/base.py
index a042a7683..6b4cb1f3d 100644
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
@@ -92,6 +92,9 @@ rules = [
 name='container_project_creator',
 check_str="rule:creator and rule:container_project_match and " +
 "rule:container_creator_user"),
+ policy.RuleDefault(
+ name='container_project_creator_role',
+ check_str="rule:creator and rule:container_project_match"),
 ]
diff --git a/barbican/common/policies/containers.py b/barbican/common/policies/containers.py
index d3e45ad27..4bb0fdbfb 100644
--- a/barbican/common/policies/containers.py
+++ b/barbican/common/policies/containers.py
@@ -80,7 +80,10 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='container_secret:post',
- check_str='rule:admin or ' +
+ check_str='rule:container_project_admin or ' +
+ 'rule:container_project_creator or ' +
+ 'rule:container_project_creator_role and ' +
+ 'rule:container_non_private_read or ' +
 f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
 f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
 scope_types=['project'],
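Review bot: The new `container_project_creator_role` rule carries no comment explaining how it differs from `container_project_creator` directly above it, which it duplicates except for dropping the `rule:container_creator_user` term. Since the only difference is that the requester no longer has to be the container's creator, a one-line comment above the `policy.RuleDefault(` such as `# Same as container_project_creator, but does not require the requester to be the container's creator` would make the wider grant visible to whoever next audits base.py. A name that says "role" does not convey that on its own.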
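Review bot: The new check_str mixes `or` and `and` with no parentheses, so the pairing of `rule:container_project_creator_role and rule:container_non_private_read` (third and fourth string fragments) holds only because oslo.policy's parser binds `and` tighter than `or`; making the grouping explicit as `'(rule:container_project_creator_role and ' +` and `'rule:container_non_private_read) or ' +` avoids a later edit silently widening the rule to plain creator-role access. The `container_secret:delete` hunk in this file has the identical expression and should get the same change. Note also that an oslo.policy `rule:` reference to a name that is not registered evaluates to false rather than raising, so it is worth confirming that `container_project_admin` and `container_non_private_read` are defined in base.py, since this patch only adds `container_project_creator_role` there.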
@@ -94,7 +97,10 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='container_secret:delete',
- check_str='rule:admin or ' +
+ check_str='rule:container_project_admin or ' +
+ 'rule:container_project_creator or ' +
+ 'rule:container_project_creator_role and ' +
+ 'rule:container_non_private_read or ' +
 f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
 f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
 scope_types=['project'],