openstack/barbican
Code Issues Proposed changes

Fix secret metadata access rules (pt 2)

Browse Source 
This patch fixes the secure-rbac rules to ensure that the user making
the request is authenticated for the project that owns the secret.

Story: 2009253
Task: 43453

Change-Id: I8222ea2a55cdb72f1d9affe9fb0cf542c6b7c88c
(cherry picked from commit af262dc30c)
This commit is contained in:
Douglas Mendizábal 2021-09-27 15:05:34 -05:00
parent 64a4242454
commit b30cb63d3a
1 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
barbican/common/policies/secretmeta.py
View File

@ -14,13 +14,20 @@ from oslo_policy import policy
_MEMBER = "role:member" _MEMBER = "role:member"
_ADMIN = "role:admin"
_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.secret.project_id)s"
_PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.secret.project_id)s"
_SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
_SECRET_IS_NOT_PRIVATE = "True:%(target.secret.read_project_access)s"
rules = [ rules = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='secret_meta:get', name='secret_meta:get',
check_str='rule:secret_non_private_read or ' + check_str='rule:secret_non_private_read or ' +
'rule:secret_project_creator or ' + 'rule:secret_project_creator or ' +
'rule:secret_project_admin or rule:secret_acl_read or ' + 'rule:secret_project_admin or rule:secret_acl_read or ' +
f'{_MEMBER}', f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'], scope_types=['project'],
description='metadata/: Lists a secrets user-defined metadata. || ' + description='metadata/: Lists a secrets user-defined metadata. || ' +
'metadata/{key}: Retrieves a secrets user-added metadata.', 'metadata/{key}: Retrieves a secrets user-added metadata.',
@ -40,7 +47,9 @@ rules = [
check_str='rule:secret_project_admin or ' + check_str='rule:secret_project_admin or ' +
'rule:secret_project_creator or ' + 'rule:secret_project_creator or ' +
'(rule:secret_project_creator_role and ' + '(rule:secret_project_creator_role and ' +
f'rule:secret_non_private_read) or {_MEMBER}', 'rule:secret_non_private_read) or ' +
f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'], scope_types=['project'],
description='Adds a new key/value pair to the secrets user-defined ' + description='Adds a new key/value pair to the secrets user-defined ' +
'metadata.', 'metadata.',
@ -56,7 +65,9 @@ rules = [
check_str='rule:secret_project_admin or ' + check_str='rule:secret_project_admin or ' +
'rule:secret_project_creator or ' + 'rule:secret_project_creator or ' +
'(rule:secret_project_creator_role and ' + '(rule:secret_project_creator_role and ' +
f'rule:secret_non_private_read) or {_MEMBER}', 'rule:secret_non_private_read) or ' +
f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'], scope_types=['project'],
description='metadata/: Sets the user-defined metadata for a secret ' + description='metadata/: Sets the user-defined metadata for a secret ' +
'|| metadata/{key}: Updates an existing key/value pair ' + '|| metadata/{key}: Updates an existing key/value pair ' +
@ -77,7 +88,9 @@ rules = [
check_str='rule:secret_project_admin or ' + check_str='rule:secret_project_admin or ' +
'rule:secret_project_creator or ' + 'rule:secret_project_creator or ' +
'(rule:secret_project_creator_role and ' + '(rule:secret_project_creator_role and ' +
f'rule:secret_non_private_read) or {_MEMBER}', 'rule:secret_non_private_read) or ' +
f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
scope_types=['project'], scope_types=['project'],
description='Delete secret user-defined metadata by key.', description='Delete secret user-defined metadata by key.',
operations=[ operations=[