From 265908ec5f9ab601f2a09bd54dc488c40a9d315f Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Mon, 8 Mar 2021 15:06:26 -0500
Subject: [PATCH] Implement secure RBAC for orders API

Add new project scope specific RBAC rules for the orders API.  The old
rules still apply, but eventually will be deprecated.  The new
rules do include some changes to default policy, which are documented in
the release note.

Change-Id: I8e6963d7ab788038102c7f4570b3f2c9a342eabf
---
 barbican/common/policies/orders.py            | 21 ++++++++++---------
 ...re-rbac-order-policy-2068c64cb6830c6c.yaml | 15 +++++++++++++
 2 files changed, 26 insertions(+), 10 deletions(-)
 create mode 100644 releasenotes/notes/secure-rbac-order-policy-2068c64cb6830c6c.yaml

diff --git a/barbican/common/policies/orders.py b/barbican/common/policies/orders.py
index e034e0b9b..f0580f00a 100644
--- a/barbican/common/policies/orders.py
+++ b/barbican/common/policies/orders.py
@@ -12,12 +12,13 @@
 
 from oslo_policy import policy
 
+_MEMBER = "role:member"
 
 rules = [
     policy.DocumentedRuleDefault(
         name='orders:get',
-        check_str='rule:all_but_audit',
-        scope_types=[],
+        check_str=f'rule:all_but_audit or {_MEMBER}',
+        scope_types=['project'],
         description='Gets list of all orders associated with a project.',
         operations=[
             {
@@ -28,8 +29,8 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='orders:post',
-        check_str='rule:admin_or_creator',
-        scope_types=[],
+        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        scope_types=['project'],
         description='Creates an order.',
         operations=[
             {
@@ -40,8 +41,8 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='orders:put',
-        check_str='rule:admin_or_creator',
-        scope_types=[],
+        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        scope_types=['project'],
         description='Unsupported method for the orders API.',
         operations=[
             {
@@ -52,8 +53,8 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='order:get',
-        check_str='rule:all_users',
-        scope_types=[],
+        check_str=f'rule:all_users or {_MEMBER}',
+        scope_types=['project'],
         description='Retrieves an orders metadata.',
         operations=[
             {
@@ -64,8 +65,8 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='order:delete',
-        check_str='rule:admin',
-        scope_types=[],
+        check_str=f'rule:admin or {_MEMBER}',
+        scope_types=['project'],
         description='Deletes an order.',
         operations=[
             {
diff --git a/releasenotes/notes/secure-rbac-order-policy-2068c64cb6830c6c.yaml b/releasenotes/notes/secure-rbac-order-policy-2068c64cb6830c6c.yaml
new file mode 100644
index 000000000..0f23bc9e4
--- /dev/null
+++ b/releasenotes/notes/secure-rbac-order-policy-2068c64cb6830c6c.yaml
@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    Implement secure-rbac for orders resource.
+security:
+  - |
+    The current policy allows all users except those with the audit role to
+    list orders or retrieve an orders metadata.  The new desired policy will
+    restrict this to members.  For backwards compatibility, the old policies
+    remain in effect, but they are deprecated and will be removed in future,
+    leaving the more restrictive new policy.
+  - |
+    The new secure-rbac policy allows for secret deletion by members.  This is
+    a change from the previous policy that only allowed deletion by the
+    project admin.