Merge "Fix secret metadata access rules"

2021-10-12 18:51:41 +00:00 · 2021-10-12 18:51:41 +00:00 · aaf53f3cf4
parent 2d912de1c3 7d270bacbe
commit aaf53f3cf4
5 changed files with 31 additions and 13 deletions
--- a/barbican/api/controllers/init.py
+++ b/barbican/api/controllers/init.py
@ -237,3 +237,12 @@ class ACLMixin(object):
        acl_dict.update(co_dict)

        return acl_dict
+
+
+class SecretACLMixin(ACLMixin):
+
+    def get_acl_tuple(self, req, **kwargs):
+        acl = self.get_acl_dict_for_user(req, self.secret.secret_acls)
+        acl['project_id'] = self.secret.project.external_id
+        acl['creator_id'] = self.secret.creator_id
+        return 'secret', acl
--- a/barbican/api/controllers/secretmeta.py
+++ b/barbican/api/controllers/secretmeta.py
@ -28,7 +28,7 @@ def _secret_metadata_not_found():
    pecan.abort(404, u._('Secret metadata not found.'))


-class SecretMetadataController(controllers.ACLMixin):
+class SecretMetadataController(controllers.SecretACLMixin):
    """Handles SecretMetadata requests by a given secret id."""

    def __init__(self, secret):
@ -106,7 +106,7 @@ class SecretMetadataController(controllers.ACLMixin):
        return {'key': key, 'value': value}


-class SecretMetadatumController(controllers.ACLMixin):
+class SecretMetadatumController(controllers.SecretACLMixin):

    def __init__(self, secret):
        LOG.debug('=== Creating SecretMetadatumController ===')
--- a/barbican/api/controllers/secrets.py
+++ b/barbican/api/controllers/secrets.py
@ -71,7 +71,7 @@ def _request_has_twsk_but_no_transport_key_id():
                         'transport key id has not been provided.'))


-class SecretController(controllers.ACLMixin):
+class SecretController(controllers.SecretACLMixin):
    """Handles Secret retrieval and deletion requests."""

    def __init__(self, secret):
@ -81,12 +81,6 @@ class SecretController(controllers.ACLMixin):
        self.consumer_repo = repo.get_secret_consumer_repository()
        self.transport_key_repo = repo.get_transport_key_repository()

-    def get_acl_tuple(self, req, **kwargs):
-        d = self.get_acl_dict_for_user(req, self.secret.secret_acls)
-        d['project_id'] = self.secret.project.external_id
-        d['creator_id'] = self.secret.creator_id
-        return 'secret', d
-
    @pecan.expose()
    def _lookup(self, sub_resource, *remainder):
        if sub_resource == 'acl':
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
@ -82,6 +82,9 @@ rules = [
        name='secret_project_creator',
        check_str="rule:creator and rule:secret_project_match and " +
                  "rule:secret_creator_user"),
+    policy.RuleDefault(
+        name='secret_project_creator_role',
+        check_str="rule:creator and rule:secret_project_match"),
    policy.RuleDefault(
        name='container_project_admin',
        check_str="rule:admin and rule:container_project_match"),
--- a/barbican/common/policies/secretmeta.py
+++ b/barbican/common/policies/secretmeta.py
@ -17,7 +17,10 @@ _MEMBER = "role:member"
 rules = [
    policy.DocumentedRuleDefault(
        name='secret_meta:get',
-        check_str=f'rule:all_but_audit or {_MEMBER}',
+        check_str='rule:secret_non_private_read or ' +
+                  'rule:secret_project_creator or ' +
+                  'rule:secret_project_admin or rule:secret_acl_read or ' +
+                  f'{_MEMBER}',
        scope_types=['project'],
        description='metadata/: Lists a secrets user-defined metadata. || ' +
                    'metadata/{key}: Retrieves a secrets user-added metadata.',
@ -34,7 +37,10 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='secret_meta:post',
-        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        check_str='rule:secret_project_admin or ' +
+                  'rule:secret_project_creator or ' +
+                  '(rule:secret_project_creator_role and ' +
+                  f'rule:secret_non_private_read) or {_MEMBER}',
        scope_types=['project'],
        description='Adds a new key/value pair to the secrets user-defined ' +
                    'metadata.',
@ -47,7 +53,10 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='secret_meta:put',
-        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        check_str='rule:secret_project_admin or ' +
+                  'rule:secret_project_creator or ' +
+                  '(rule:secret_project_creator_role and ' +
+                  f'rule:secret_non_private_read) or {_MEMBER}',
        scope_types=['project'],
        description='metadata/: Sets the user-defined metadata for a secret ' +
                    '|| metadata/{key}: Updates an existing key/value pair ' +
@ -65,7 +74,10 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='secret_meta:delete',
-        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        check_str='rule:secret_project_admin or ' +
+                  'rule:secret_project_creator or ' +
+                  '(rule:secret_project_creator_role and ' +
+                  f'rule:secret_non_private_read) or {_MEMBER}',
        scope_types=['project'],
        description='Delete secret user-defined metadata by key.',
        operations=[