Fix secret metadata access rules (pt 2)

This patch fixes the secure-rbac rules to ensure that the user making the request is authenticated for the project that owns the secret. Story: 2009253 Task: 43453 Change-Id: I8222ea2a55cdb72f1d9affe9fb0cf542c6b7c88c (cherry picked from commit af262dc30c)
2021-09-27 15:05:34 -05:00 · 2021-09-27 15:05:34 -05:00 · b30cb63d3a
commit b30cb63d3a
parent 64a4242454
1 changed files with 17 additions and 4 deletions
--- a/barbican/common/policies/secretmeta.py
+++ b/barbican/common/policies/secretmeta.py
@ -14,13 +14,20 @@ from oslo_policy import policy


 _MEMBER = "role:member"
+_ADMIN = "role:admin"
+_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.secret.project_id)s"
+_PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.secret.project_id)s"
+_SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
+_SECRET_IS_NOT_PRIVATE = "True:%(target.secret.read_project_access)s"
+
 rules = [
    policy.DocumentedRuleDefault(
        name='secret_meta:get',
        check_str='rule:secret_non_private_read or ' +
                  'rule:secret_project_creator or ' +
                  'rule:secret_project_admin or rule:secret_acl_read or ' +
-                  f'{_MEMBER}',
+                  f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+                  f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
        scope_types=['project'],
        description='metadata/: Lists a secrets user-defined metadata. || ' +
                    'metadata/{key}: Retrieves a secrets user-added metadata.',
@ -40,7 +47,9 @@ rules = [
        check_str='rule:secret_project_admin or ' +
                  'rule:secret_project_creator or ' +
                  '(rule:secret_project_creator_role and ' +
-                  f'rule:secret_non_private_read) or {_MEMBER}',
+                  'rule:secret_non_private_read) or ' +
+                  f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+                  f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
        scope_types=['project'],
        description='Adds a new key/value pair to the secrets user-defined ' +
                    'metadata.',
@ -56,7 +65,9 @@ rules = [
        check_str='rule:secret_project_admin or ' +
                  'rule:secret_project_creator or ' +
                  '(rule:secret_project_creator_role and ' +
-                  f'rule:secret_non_private_read) or {_MEMBER}',
+                  'rule:secret_non_private_read) or ' +
+                  f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+                  f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
        scope_types=['project'],
        description='metadata/: Sets the user-defined metadata for a secret ' +
                    '|| metadata/{key}: Updates an existing key/value pair ' +
@ -77,7 +88,9 @@ rules = [
        check_str='rule:secret_project_admin or ' +
                  'rule:secret_project_creator or ' +
                  '(rule:secret_project_creator_role and ' +
-                  f'rule:secret_non_private_read) or {_MEMBER}',
+                  'rule:secret_non_private_read) or ' +
+                  f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+                  f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
        scope_types=['project'],
        description='Delete secret user-defined metadata by key.',
        operations=[