Fix Secure RBAC policies for Secret ACLs

This patch fixes the Secure RBAC Secret ACL policies to ensure that they
are only evaluated when enforce_new_defaults = True

Story: 2010235
Change-Id: I176091f8658fff75ba2d55aa937203c22a7f43b4

barbican/common/policies/acls.py

@@ -10,29 +10,71 @@
 #  License for the specific language governing permissions and limitations
 #  under the License.
 
+from oslo_log import versionutils
 from oslo_policy import policy
 
+from barbican.common.policies import base
+
+
 # FIXME(hrybacki): Repetitive check strings: Port to simpler checks
 #                  - secret_acls:delete, secret_acls:put_patch
 #                  - container_acls:delete container_acls:put_patch
 
-_MEMBER = 'role:member'
-_ADMIN = 'role:admin'
-_SECRET_MEMBER = f"{_MEMBER} and project_id:%(target.secret.project_id)s"
-_SECRET_ADMIN = f"{_ADMIN} and project_id:%(target.secret.project_id)s"
-_SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
-_SECRET_IS_NOT_PRIVATE = "True:%(target.secret.read_project_access)s"
-_CONTAINER_MEMBER = f"{_MEMBER} and project_id:%(target.container.project_id)s"
-_CONTAINER_ADMIN = f"{_ADMIN} and project_id:%(target.container.project_id)s"
-_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
-_CONTAINER_IS_NOT_PRIVATE = "True:%(target.container.read_project_access)s"
+deprecated_secret_acls_get = policy.DeprecatedRule(
+    name='secret_acls:get',
+    check_str='rule:all_but_audit and rule:secret_project_match',
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_secret_acls_delete = policy.DeprecatedRule(
+    name='secret_acls:delete',
+    check_str='rule:secret_project_admin or rule:secret_project_creator ' +
+              'or (rule:secret_project_creator_role and ' +
+              'rule:secret_non_private_read)',
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_secret_acls_put_patch = policy.DeprecatedRule(
+    name='secret_acls:put_patch',
+    check_str='rule:secret_project_admin or rule:secret_project_creator ' +
+              'or (rule:secret_project_creator_role and ' +
+              'rule:secret_non_private_read)',
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_container_acls_get = policy.DeprecatedRule(
+    name='container_acls:get',
+    check_str='rule:all_but_audit and rule:container_project_match',
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_container_acls_delete = policy.DeprecatedRule(
+    name='container_acls:delete',
+    check_str='rule:container_project_admin or ' +
+              'rule:container_project_creator or ' +
+              '(rule:container_project_creator_role and' +
+              ' rule:container_non_private_read)',
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_container_acls_put_patch = policy.DeprecatedRule(
+    name='container_acls:put_patch',
+    check_str='rule:container_project_admin or ' +
+              'rule:container_project_creator or ' +
+              '(rule:container_project_creator_role and' +
+              ' rule:container_non_private_read)',
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
 
 rules = [
     policy.DocumentedRuleDefault(
         name='secret_acls:get',
-        check_str='(rule:all_but_audit and rule:secret_project_match) or ' +
-                  f"({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
-                  f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
+        check_str=(
+            "True:%(enforce_new_defaults)s and "
+            "(rule:secret_project_admin or "
+            "(rule:secret_project_member and rule:secret_owner) or "
+            "(rule:secret_project_member and rule:secret_is_not_private))"),
         scope_types=['project'],
         description='Retrieve the ACL settings for a given secret.'
                     'If no ACL is defined for that secret, then Default ACL '
@@ -42,15 +84,16 @@ rules = [
                 'path': '/v1/secrets/{secret-id}/acl',
                 'method': 'GET'
             },
-        ]
+        ],
+        deprecated_rule=deprecated_secret_acls_get
     ),
     policy.DocumentedRuleDefault(
         name='secret_acls:delete',
-        check_str='rule:secret_project_admin or rule:secret_project_creator ' +
-                  'or (rule:secret_project_creator_role and ' +
-                  'rule:secret_non_private_read) or ' +
-                  f"({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
-                  f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
+        check_str=(
+            "True:%(enforce_new_defaults)s and "
+            "(rule:secret_project_admin or "
+            "(rule:secret_project_member and rule:secret_owner) or "
+            "(rule:secret_project_member and rule:secret_is_not_private))"),
         scope_types=['project'],
         description='Delete the ACL settings for a given secret.',
         operations=[
@@ -58,15 +101,16 @@ rules = [
                 'path': '/v1/secrets/{secret-id}/acl',
                 'method': 'DELETE'
             },
-        ]
+        ],
+        deprecated_rule=deprecated_secret_acls_delete
     ),
     policy.DocumentedRuleDefault(
         name='secret_acls:put_patch',
-        check_str='rule:secret_project_admin or rule:secret_project_creator ' +
-                  'or (rule:secret_project_creator_role and ' +
-                  'rule:secret_non_private_read) or ' +
-                  f"({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
-                  f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
+        check_str=(
+            "True:%(enforce_new_defaults)s and "
+            "(rule:secret_project_admin or "
+            "(rule:secret_project_member and rule:secret_owner) or "
+            "(rule:secret_project_member and rule:secret_is_not_private))"),
         scope_types=['project'],
         description='Create new, replaces, or updates existing ACL for a ' +
                     'given secret.',
@@ -79,13 +123,17 @@ rules = [
                 'path': '/v1/secrets/{secret-id}/acl',
                 'method': 'PATCH'
             },
-        ]
+        ],
+        deprecated_rule=deprecated_secret_acls_put_patch
     ),
     policy.DocumentedRuleDefault(
         name='container_acls:get',
-        check_str='(rule:all_but_audit and rule:container_project_match) or ' +
-                  f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
-                  f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
+        check_str=(
+            "True:%(enforce_new_defaults)s and "
+            "(rule:container_project_admin or "
+            "(rule:container_project_member and rule:container_owner) or "
+            "(rule:container_project_member and "
+            " rule:container_is_not_private))"),
         scope_types=['project'],
         description='Retrieve the ACL settings for a given container.',
         operations=[
@@ -93,16 +141,17 @@ rules = [
                 'path': '/v1/containers/{container-id}/acl',
                 'method': 'GET'
             }
-        ]
+        ],
+        deprecated_rule=deprecated_container_acls_get
     ),
     policy.DocumentedRuleDefault(
         name='container_acls:delete',
-        check_str='rule:container_project_admin or ' +
-                  'rule:container_project_creator or ' +
-                  '(rule:container_project_creator_role and' +
-                  ' rule:container_non_private_read) or ' +
-                  f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
-                  f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
+        check_str=(
+            "True:%(enforce_new_defaults)s and "
+            "(rule:container_project_admin or "
+            "(rule:container_project_member and rule:container_owner) or "
+            "(rule:container_project_member and "
+            " rule:container_is_not_private))"),
         scope_types=['project'],
         description='Delete ACL for a given container. No content is returned '
                     'in the case of successful deletion.',
@@ -111,16 +160,17 @@ rules = [
                 'path': '/v1/containers/{container-id}/acl',
                 'method': 'DELETE'
             }
-        ]
+        ],
+        deprecated_rule=deprecated_container_acls_delete
     ),
     policy.DocumentedRuleDefault(
         name='container_acls:put_patch',
-        check_str='rule:container_project_admin or ' +
-                  'rule:container_project_creator or ' +
-                  '(rule:container_project_creator_role and' +
-                  ' rule:container_non_private_read) or ' +
-                  f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
-                  f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
+        check_str=(
+            "True:%(enforce_new_defaults)s and "
+            "(rule:container_project_admin or "
+            "(rule:container_project_member and rule:container_owner) or "
+            "(rule:container_project_member and "
+            " rule:container_is_not_private))"),
         scope_types=['project'],
         description='Create new or replaces existing ACL for a given '
                     'container.',
@@ -133,7 +183,8 @@ rules = [
                 'path': '/v1/containers/{container-id}/acl',
                 'method': 'PATCH'
             }
-        ]
+        ],
+        deprecated_rule=deprecated_container_acls_put_patch
     ),
 ]
 

barbican/common/policies/base.py

@@ -13,6 +13,11 @@
 from oslo_policy import policy
 
 
+LEGACY_POLICY_DEPRECATION = (
+    'The default policy for the Key Manager API has been updated '
+    'to use scopes and default roles.'
+)
+
 rules = [
     policy.RuleDefault(
         name='admin',
@@ -97,9 +102,18 @@ rules = [
     policy.RuleDefault(
         name='secret_project_creator_role',
         check_str="rule:creator and rule:secret_project_match"),
+    policy.RuleDefault(
+        name='container_project_member',
+        check_str='role:member and rule:container_project_match'),
     policy.RuleDefault(
         name='container_project_admin',
-        check_str="rule:admin and rule:container_project_match"),
+        check_str='role:admin and rule:container_project_match'),
+    policy.RuleDefault(
+        name='container_owner',
+        check_str="user_id:%(target.container.creator_id)s"),
+    policy.RuleDefault(
+        name='container_is_not_private',
+        check_str='True:%(target.container.read_project_access)s'),
     policy.RuleDefault(
         name='container_project_creator',
         check_str="rule:creator and rule:container_project_match and " +

barbican/common/policies/secrets.py

@@ -13,18 +13,15 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 
+from barbican.common.policies import base
 
-_LEGACY_POLICY_DEPRECATION = (
-    'The default policy for the Key Manager API has been updated '
-    'to use scopes and default roles.'
-)
 
 deprecated_secret_decrypt = policy.DeprecatedRule(
     name='secret:decrypt',
     check_str='rule:secret_decrypt_non_private_read or ' +
               'rule:secret_project_creator or ' +
               'rule:secret_project_admin or rule:secret_acl_read',
-    deprecated_reason=_LEGACY_POLICY_DEPRECATION,
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
     deprecated_since=versionutils.deprecated.WALLABY
 )
 deprecated_secret_get = policy.DeprecatedRule(
@@ -32,13 +29,13 @@ deprecated_secret_get = policy.DeprecatedRule(
     check_str='rule:secret_non_private_read or ' +
               'rule:secret_project_creator or ' +
               'rule:secret_project_admin or rule:secret_acl_read',
-    deprecated_reason=_LEGACY_POLICY_DEPRECATION,
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
     deprecated_since=versionutils.deprecated.WALLABY
 )
 deprecated_secret_put = policy.DeprecatedRule(
     name='secret:put',
     check_str='rule:admin_or_creator and rule:secret_project_match',
-    deprecated_reason=_LEGACY_POLICY_DEPRECATION,
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
     deprecated_since=versionutils.deprecated.WALLABY
 )
 deprecated_secret_delete = policy.DeprecatedRule(
@@ -47,19 +44,19 @@ deprecated_secret_delete = policy.DeprecatedRule(
               'rule:secret_project_creator or ' +
               '(rule:secret_project_creator_role and ' +
               'not rule:secret_private_read)',
-    deprecated_reason=_LEGACY_POLICY_DEPRECATION,
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
     deprecated_since=versionutils.deprecated.WALLABY
 )
 deprecated_secrets_post = policy.DeprecatedRule(
     name='secrets:post',
     check_str='rule:admin_or_creator',
-    deprecated_reason=_LEGACY_POLICY_DEPRECATION,
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
     deprecated_since=versionutils.deprecated.WALLABY
 )
 deprecated_secrets_get = policy.DeprecatedRule(
     name='secrets:get',
     check_str='rule:all_but_audit',
-    deprecated_reason=_LEGACY_POLICY_DEPRECATION,
+    deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
     deprecated_since=versionutils.deprecated.WALLABY
 )