Merge "Fix secret metadata access rules (pt 2)"

2021-10-12 18:57:56 +00:00 · 2021-10-12 18:57:56 +00:00 · 46f695ccad
commit 46f695ccad
parent aaf53f3cf4 af262dc30c
1 changed files with 17 additions and 4 deletions
--- a/barbican/common/policies/secretmeta.py
+++ b/barbican/common/policies/secretmeta.py
@ -14,13 +14,20 @@ from oslo_policy import policy


 _MEMBER = "role:member"
+_ADMIN = "role:admin"
+_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.secret.project_id)s"
+_PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.secret.project_id)s"
+_SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
+_SECRET_IS_NOT_PRIVATE = "True:%(target.secret.read_project_access)s"
+
 rules = [
    policy.DocumentedRuleDefault(
        name='secret_meta:get',
        check_str='rule:secret_non_private_read or ' +
                  'rule:secret_project_creator or ' +
                  'rule:secret_project_admin or rule:secret_acl_read or ' +
-                  f'{_MEMBER}',
+                  f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+                  f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
        scope_types=['project'],
        description='metadata/: Lists a secrets user-defined metadata. || ' +
                    'metadata/{key}: Retrieves a secrets user-added metadata.',
@ -40,7 +47,9 @@ rules = [
        check_str='rule:secret_project_admin or ' +
                  'rule:secret_project_creator or ' +
                  '(rule:secret_project_creator_role and ' +
-                  f'rule:secret_non_private_read) or {_MEMBER}',
+                  'rule:secret_non_private_read) or ' +
+                  f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+                  f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
        scope_types=['project'],
        description='Adds a new key/value pair to the secrets user-defined ' +
                    'metadata.',
@ -56,7 +65,9 @@ rules = [
        check_str='rule:secret_project_admin or ' +
                  'rule:secret_project_creator or ' +
                  '(rule:secret_project_creator_role and ' +
-                  f'rule:secret_non_private_read) or {_MEMBER}',
+                  'rule:secret_non_private_read) or ' +
+                  f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+                  f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
        scope_types=['project'],
        description='metadata/: Sets the user-defined metadata for a secret ' +
                    '|| metadata/{key}: Updates an existing key/value pair ' +
@ -77,7 +88,9 @@ rules = [
        check_str='rule:secret_project_admin or ' +
                  'rule:secret_project_creator or ' +
                  '(rule:secret_project_creator_role and ' +
-                  f'rule:secret_non_private_read) or {_MEMBER}',
+                  'rule:secret_non_private_read) or ' +
+                  f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+                  f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
        scope_types=['project'],
        description='Delete secret user-defined metadata by key.',
        operations=[