From b6002aa3d04c0dc3bf49c05686b76f1780de358f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Thu, 25 Aug 2022 11:28:27 -0500
Subject: [PATCH] Fix Secure RBAC policies for Consumers

This patch fixes the Consumers API policies to ensure that they are only evaluated when enforce_new_defaults = True

Story: 2010235
Change-Id: I191f41372a5c0b334ff858743a9303325db40cb6
---
 barbican/common/policies/base.py | 3 +
 barbican/common/policies/consumers.py | 182 +++++++++++++++++---
 2 files changed, 123 insertions(+), 62 deletions(-)

diff --git a/barbican/common/policies/base.py b/barbican/common/policies/base.py
index 62ba30650..54b11c5d7 100644
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
@@ -19,6 +19,9 @@ LEGACY_POLICY_DEPRECATION = (
 )
 rules = [
+ policy.RuleDefault(
+ name='system_admin',
+ check_str='role:amdin and system_scope:all'),
 policy.RuleDefault(
 name='admin',
 check_str='role:admin'),
diff --git a/barbican/common/policies/consumers.py b/barbican/common/policies/consumers.py
index 3f8ce1f34..ffceabff0 100644
--- a/barbican/common/policies/consumers.py
+++ b/barbican/common/policies/consumers.py
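Review bot: The new `system_admin` rule spells the role as `amdin`, so `role:amdin and system_scope:all` can never match a real system-scoped admin token, and every consumer policy in this change that begins with `rule:system_admin` will deny that persona rather than allow it. The check fails closed, but it silently breaks the exact system-admin path the change is introducing, and nothing else in the diff would surface it. The line should read `check_str='role:admin and system_scope:all'),`. A policy unit test that evaluates one of the consumer rules with a system-scoped admin context would have caught this and is worth adding with the fix. The enclosing `rules` list continues outside the hunk.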
@@ -10,41 +10,83 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+from oslo_log import versionutils
 from oslo_policy import policy
+from barbican.common.policies import base
+
 # FIXME(hrybacki): Note that the GET rules have the same check strings.
 # The POST/DELETE rules also share the check stirngs.
 # These can probably be turned into constants in base
-
-_READER = "role:reader"
-_MEMBER = "role:member"
-_ADMIN = "role:admin"
-_SYSTEM_ADMIN = "role:admin and system_scope:all"
-
-_SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
-_SECRET_PROJECT = "project_id:%(target.secret.project_id)s"
-_SECRET_MEMBER = f"{_MEMBER} and {_SECRET_PROJECT}"
-_SECRET_ADMIN = f"{_ADMIN} and {_SECRET_PROJECT}"
-_SECRET_ACCESS = (f"{_SECRET_CREATOR} or ({_SECRET_MEMBER} and "
- f"True:%(target.secret.read_project_access)s)")
-
-_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
-_CONTAINER_PROJECT = "project_id:%(target.container.project_id)s"
-_CONTAINER_MEMBER = f"{_MEMBER} and {_CONTAINER_PROJECT}"
-_CONTAINER_ADMIN = f"{_ADMIN} and {_CONTAINER_PROJECT}"
-_CONTAINER_ACCESS = (f"{_CONTAINER_CREATOR} or ({_CONTAINER_MEMBER} and "
- f"True:%(target.container.read_project_access)s)")
+deprecated_consumer_get = policy.DeprecatedRule(
+ name='consumer:get',
+ check_str='rule:admin or rule:observer or rule:creator or ' +
+ 'rule:audit or rule:container_non_private_read or ' +
+ 'rule:container_project_creator or ' +
+ 'rule:container_project_admin or rule:container_acl_read',
+ deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_container_consumers_get = policy.DeprecatedRule(
+ name='container_consumers:get',
+ check_str='rule:container_non_private_read or ' +
+ 'rule:container_project_creator or ' +
+ 'rule:container_project_admin or rule:container_acl_read',
+ deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_container_consumers_post = policy.DeprecatedRule(
+ name='container_consumers:post',
+ check_str='rule:container_non_private_read or ' +
+ 'rule:container_project_creator or ' +
+ 'rule:container_project_admin or rule:container_acl_read ',
+ deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_container_consumers_delete = policy.DeprecatedRule(
+ name='container_consumers:delete',
+ check_str='rule:container_non_private_read or ' +
+ 'rule:container_project_creator or ' +
+ 'rule:container_project_admin or rule:container_acl_read ',
+ deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_secret_consumers_get = policy.DeprecatedRule(
+ name='secret_consumers:get',
+ check_str='rule:secret_non_private_read or ' +
+ 'rule:secret_project_creator or ' +
+ 'rule:secret_project_admin or rule:secret_acl_read',
+ deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_secret_consumers_post = policy.DeprecatedRule(
+ name='secret_consumers:post',
+ check_str='rule:secret_non_private_read or ' +
+ 'rule:secret_project_creator or ' +
+ 'rule:secret_project_admin or rule:secret_acl_read',
+ deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_secret_consumers_delete = policy.DeprecatedRule(
+ name='secret_consumers:delete',
+ check_str='rule:secret_non_private_read or ' +
+ 'rule:secret_project_creator or ' +
+ 'rule:secret_project_admin or rule:secret_acl_read',
+ deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
 rules = [
 policy.DocumentedRuleDefault(
 name='consumer:get',
- check_str='rule:admin or rule:observer or rule:creator or ' +
- 'rule:audit or rule:container_non_private_read or ' +
- 'rule:container_project_creator or ' +
- 'rule:container_project_admin or rule:container_acl_read' +
- f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
- f"{_SYSTEM_ADMIN}",
+ check_str=(
+ 'True:%(enforce_new_defaults)s and '
+ '(rule:system_admin or rule:container_project_admin or '
+ '(rule:container_project_member and rule:container_owner) or '
+ '(rule:container_project_member and '
+ ' rule:container_is_not_private) or '
+ 'rule:container_acl_read)'),
 scope_types=['project', 'system'],
 # This API is unusable. There is no way for a user to get
 # the consumer-id they would need to send a request.
@@ -52,15 +94,18 @@ rules = [
 operations=[{
 'path': '/v1/containers/{container-id}/consumers/{consumer-id}',
 'method': 'GET'
- }]
+ }],
+ deprecated_rule=deprecated_consumer_get
 ),
 policy.DocumentedRuleDefault(
 name='container_consumers:get',
- check_str='rule:container_non_private_read or ' +
- 'rule:container_project_creator or ' +
- 'rule:container_project_admin or rule:container_acl_read ' +
- f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
- f"{_SYSTEM_ADMIN}",
+ check_str=(
+ 'True:%(enforce_new_defaults)s and '
+ '(rule:system_admin or rule:container_project_admin or '
+ '(rule:container_project_member and rule:container_owner) or '
+ '(rule:container_project_member and '
+ ' rule:container_is_not_private) or '
+ 'rule:container_acl_read)'),
 scope_types=['project', 'system'],
 description='List a containers consumers.',
 operations=[
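Review bot: The rewritten `consumer:get` check string now depends on `rule:system_admin`, `rule:container_project_admin`, `rule:container_project_member`, `rule:container_owner`, `rule:container_is_not_private` and `rule:container_acl_read`, none of which is defined in this file once the `_CONTAINER_*` constants are removed, and as far as I can tell oslo.policy's RuleCheck evaluates an unregistered `rule:` name to False, so a missing or misspelled definition in base.py would silently deny every request instead of failing loudly at load time. The same seven-line string is then pasted verbatim into `container_consumers:get/post/delete` in this and the following hunks, and a parallel secret variant into `secret_consumers:get/post/delete`, which is exactly the duplication the FIXME at the top of the file describes; hoisting each variant into one module constant (constructed example: `_CONTAINER_CONSUMER_ACCESS`) keeps the rules from drifting and makes a later audit a single-line check. The `True:%(enforce_new_defaults)s` prefix also presumes the enforcer injects an `enforce_new_defaults` key into the target dict, and a target without that key likewise evaluates to False, so a comment above the first rule naming where that key is populated would help the next reader. The `rules` list continues past the end of the hunk.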
@@ -68,15 +113,18 @@ rules = [
 'path': '/v1/containers/{container-id}/consumers',
 'method': 'GET'
 }
- ]
+ ],
+ deprecated_rule=deprecated_container_consumers_get
 ),
 policy.DocumentedRuleDefault(
 name='container_consumers:post',
- check_str='rule:container_non_private_read or ' +
- 'rule:container_project_creator or ' +
- 'rule:container_project_admin or rule:container_acl_read ' +
- f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
- f"{_SYSTEM_ADMIN}",
+ check_str=(
+ 'True:%(enforce_new_defaults)s and '
+ '(rule:system_admin or rule:container_project_admin or '
+ '(rule:container_project_member and rule:container_owner) or '
+ '(rule:container_project_member and '
+ ' rule:container_is_not_private) or '
+ 'rule:container_acl_read)'),
 scope_types=['project', 'system'],
 description='Creates a consumer.',
 operations=[
@@ -84,15 +132,18 @@ rules = [
 'path': '/v1/containers/{container-id}/consumers',
 'method': 'POST'
 }
- ]
+ ],
+ deprecated_rule=deprecated_container_consumers_post
 ),
 policy.DocumentedRuleDefault(
 name='container_consumers:delete',
- check_str='rule:container_non_private_read or ' +
- 'rule:container_project_creator or ' +
- 'rule:container_project_admin or rule:container_acl_read ' +
- f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
- f"{_SYSTEM_ADMIN}",
+ check_str=(
+ 'True:%(enforce_new_defaults)s and '
+ '(rule:system_admin or rule:container_project_admin or '
+ '(rule:container_project_member and rule:container_owner) or '
+ '(rule:container_project_member and '
+ ' rule:container_is_not_private) or '
+ 'rule:container_acl_read)'),
 scope_types=['project', 'system'],
 description='Deletes a consumer.',
 operations=[
@@ -100,15 +151,17 @@ rules = [
 'path': '/v1/containers/{container-id}/consumers',
 'method': 'DELETE'
 }
- ]
+ ],
+ deprecated_rule=deprecated_container_consumers_delete
 ),
 policy.DocumentedRuleDefault(
 name='secret_consumers:get',
- check_str='rule:secret_non_private_read or ' +
- 'rule:secret_project_creator or ' +
- 'rule:secret_project_admin or rule:secret_acl_read ' +
- f" or {_SECRET_ACCESS} or {_SECRET_ADMIN} or " +
- f"{_SYSTEM_ADMIN}",
+ check_str=(
+ 'True:%(enforce_new_defaults)s and '
+ '(rule:system_admin or rule:secret_project_admin or '
+ '(rule:secret_project_member and rule:secret_owner) or '
+ '(rule:secret_project_member and rule:secret_is_not_private) or '
+ 'rule:secret_acl_read)'),
 scope_types=['project', 'system'],
 description='List consumers for a secret.',
 operations=[
@@ -116,15 +169,17 @@ rules = [
 'path': '/v1/secrets/{secret-id}/consumers',
 'method': 'GET'
 }
- ]
+ ],
+ deprecated_rule=deprecated_secret_consumers_get
 ),
 policy.DocumentedRuleDefault(
 name='secret_consumers:post',
- check_str='rule:secret_non_private_read or ' +
- 'rule:secret_project_creator or ' +
- 'rule:secret_project_admin or rule:secret_acl_read ' +
- f" or {_SECRET_ACCESS} or {_SECRET_ADMIN} or " +
- f"{_SYSTEM_ADMIN}",
+ check_str=(
+ 'True:%(enforce_new_defaults)s and '
+ '(rule:system_admin or rule:secret_project_admin or '
+ '(rule:secret_project_member and rule:secret_owner) or '
+ '(rule:secret_project_member and rule:secret_is_not_private) or '
+ 'rule:secret_acl_read)'),
 scope_types=['project', 'system'],
 description='Creates a consumer.',
 operations=[
@@ -132,15 +187,17 @@ rules = [
 'path': '/v1/secrets/{secrets-id}/consumers',
 'method': 'POST'
 }
- ]
+ ],
+ deprecated_rule=deprecated_secret_consumers_post
 ),
 policy.DocumentedRuleDefault(
 name='secret_consumers:delete',
- check_str='rule:secret_non_private_read or ' +
- 'rule:secret_project_creator or ' +
- 'rule:secret_project_admin or rule:secret_acl_read ' +
- f" or {_SECRET_ACCESS} or {_SECRET_ADMIN} or " +
- f"{_SYSTEM_ADMIN}",
+ check_str=(
+ 'True:%(enforce_new_defaults)s and '
+ '(rule:system_admin or rule:secret_project_admin or '
+ '(rule:secret_project_member and rule:secret_owner) or '
+ '(rule:secret_project_member and rule:secret_is_not_private) or '
+ 'rule:secret_acl_read)'),
 scope_types=['project', 'system'],
 description='Deletes a consumer.',
 operations=[
@@ -148,7 +205,8 @@ rules = [
 'path': '/v1/secrets/{secrets-id}/consumers',
 'method': 'DELETE'
 }
- ]
+ ],
+ deprecated_rule=deprecated_secret_consumers_delete
 ),
 ]
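Review bot: The `operations` entries for `secret_consumers:post` and `secret_consumers:delete` document the path as `/v1/secrets/{secrets-id}/consumers`, while `secret_consumers:get` two hunks above uses `/v1/secrets/{secret-id}/consumers`; these are unchanged context lines, but they feed the generated policy reference, so the stray `s` is worth correcting while these rules are being reworked: `'path': '/v1/secrets/{secret-id}/consumers',`. The `rules` list opens before this hunk and is closed by its final line.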