From b30cb63d3a258ff26e3b9cdc0dab1e604fc6b6d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Mon, 27 Sep 2021 15:05:34 -0500
Subject: [PATCH] Fix secret metadata access rules (pt 2)

This patch fixes the secure-rbac rules to ensure that the user making the request is authenticated for the project that owns the secret.

Story: 2009253
Task: 43453
Change-Id: I8222ea2a55cdb72f1d9affe9fb0cf542c6b7c88c
(cherry picked from commit af262dc30c4ec7a8c6df86b67ed202f602296d46)
---
 barbican/common/policies/secretmeta.py | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/barbican/common/policies/secretmeta.py b/barbican/common/policies/secretmeta.py
index 2b629bf99..ab75b51ce 100644
--- a/barbican/common/policies/secretmeta.py
+++ b/barbican/common/policies/secretmeta.py
@@ -14,13 +14,20 @@ from oslo_policy import policy
 
 _MEMBER = "role:member"
+_ADMIN = "role:admin"
+_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.secret.project_id)s"
+_PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.secret.project_id)s"
+_SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
+_SECRET_IS_NOT_PRIVATE = "True:%(target.secret.read_project_access)s"
+
 
 rules = [
 policy.DocumentedRuleDefault(
 name='secret_meta:get',
 check_str='rule:secret_non_private_read or ' +
 'rule:secret_project_creator or ' +
 'rule:secret_project_admin or rule:secret_acl_read or ' +
- f'{_MEMBER}',
+ f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+ f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
 scope_types=['project'],
 description='metadata/: Lists a secrets user-defined metadata. || ' +
 'metadata/{key}: Retrieves a secrets user-added metadata.',
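Review bot: The new tail `(_PROJECT_MEMBER and (_SECRET_CREATOR or _SECRET_IS_NOT_PRIVATE)) or _PROJECT_ADMIN` is written out verbatim in the secret_meta:get check_str here and again in the three hunks below (-40/+47, -56/+65 and -77/+88), so the four rules can drift apart on the next edit; hoist it beside the other constants as `_PROJECT_MEMBER_OR_ADMIN = f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or {_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}"` and end each check_str with `f"{_PROJECT_MEMBER_OR_ADMIN}"`. The new constants also deserve a comment for the next reader, e.g. `# The %(target.secret.*)s keys must be present in the enforcement target; an absent key makes the generic check evaluate false.` — as far as I recall oslo.policy's generic check denies on a missing target key, so these branches fail closed, but that is worth confirming against the oslo.policy version pinned here. The legacy `rule:*` alternatives remain or'ed in ahead of the new project-scoped checks, so this patch only tightens the bare `role:member` fallback; if keeping them is for compatibility, a one-line comment saying so would stop a later reader from treating them as dead. The `rules` list opened in this hunk continues outside it.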
@@ -40,7 +47,9 @@ rules = [
 check_str='rule:secret_project_admin or ' +
 'rule:secret_project_creator or ' +
 '(rule:secret_project_creator_role and ' +
- f'rule:secret_non_private_read) or {_MEMBER}',
+ 'rule:secret_non_private_read) or ' +
+ f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+ f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
 scope_types=['project'],
 description='Adds a new key/value pair to the secrets user-defined ' +
 'metadata.',
@@ -56,7 +65,9 @@ rules = [
 check_str='rule:secret_project_admin or ' +
 'rule:secret_project_creator or ' +
 '(rule:secret_project_creator_role and ' +
- f'rule:secret_non_private_read) or {_MEMBER}',
+ 'rule:secret_non_private_read) or ' +
+ f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+ f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
 scope_types=['project'],
 description='metadata/: Sets the user-defined metadata for a secret ' +
 '|| metadata/{key}: Updates an existing key/value pair ' +
@@ -77,7 +88,9 @@ rules = [
 check_str='rule:secret_project_admin or ' +
 'rule:secret_project_creator or ' +
 '(rule:secret_project_creator_role and ' +
- f'rule:secret_non_private_read) or {_MEMBER}',
+ 'rule:secret_non_private_read) or ' +
+ f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+ f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
 scope_types=['project'],
 description='Delete secret user-defined metadata by key.',
 operations=[