Fix secret metadata access rules (pt 2)

This patch fixes the secure-rbac rules to ensure that the user making
the request is authenticated for the project that owns the secret.

Story: 2009253
Task: 43453

Change-Id: I8222ea2a55cdb72f1d9affe9fb0cf542c6b7c88c
(cherry picked from commit af262dc30c)
This commit is contained in:
Douglas Mendizábal 2021-09-27 15:05:34 -05:00
parent 64a4242454
commit b30cb63d3a

View File

@ -14,13 +14,20 @@ from oslo_policy import policy
_MEMBER = "role:member"
_ADMIN = "role:admin"
_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.secret.project_id)s"
_PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.secret.project_id)s"
_SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
_SECRET_IS_NOT_PRIVATE = "True:%(target.secret.read_project_access)s"
rules = [
policy.DocumentedRuleDefault(
name='secret_meta:get',
check_str='rule:secret_non_private_read or ' +
'rule:secret_project_creator or ' +
'rule:secret_project_admin or rule:secret_acl_read or ' +
f'{_MEMBER}',
f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'],
description='metadata/: Lists a secrets user-defined metadata. || ' +
'metadata/{key}: Retrieves a secrets user-added metadata.',
@ -40,7 +47,9 @@ rules = [
check_str='rule:secret_project_admin or ' +
'rule:secret_project_creator or ' +
'(rule:secret_project_creator_role and ' +
f'rule:secret_non_private_read) or {_MEMBER}',
'rule:secret_non_private_read) or ' +
f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'],
description='Adds a new key/value pair to the secrets user-defined ' +
'metadata.',
@ -56,7 +65,9 @@ rules = [
check_str='rule:secret_project_admin or ' +
'rule:secret_project_creator or ' +
'(rule:secret_project_creator_role and ' +
f'rule:secret_non_private_read) or {_MEMBER}',
'rule:secret_non_private_read) or ' +
f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'],
description='metadata/: Sets the user-defined metadata for a secret ' +
'|| metadata/{key}: Updates an existing key/value pair ' +
@ -77,7 +88,9 @@ rules = [
check_str='rule:secret_project_admin or ' +
'rule:secret_project_creator or ' +
'(rule:secret_project_creator_role and ' +
f'rule:secret_non_private_read) or {_MEMBER}',
'rule:secret_non_private_read) or ' +
f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'],
description='Delete secret user-defined metadata by key.',
operations=[