From 9a16e9114f7c7dbb3e22f5f71c5858c519ae07d0 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Mon, 8 Mar 2021 15:41:49 -0500
Subject: [PATCH] Implement secure RBAC for transport key API

Add new system scope specific RBAC rules for the transport key API. The new rules tighten the policy to only allow system admins to add or delete transport keys.

Change-Id: Icbe81724fb8b4f28fc4b5d24afe2618e759fcbad
---
 barbican/common/policies/transportkeys.py | 10 ++++++----
 ...cure-rbac-transportkey-policy-3e904787694f8471.yaml | 10 ++++++++++
 2 files changed, 16 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/secure-rbac-transportkey-policy-3e904787694f8471.yaml

diff --git a/barbican/common/policies/transportkeys.py b/barbican/common/policies/transportkeys.py
index 160e9a380..338560945 100644
--- a/barbican/common/policies/transportkeys.py
+++ b/barbican/common/policies/transportkeys.py
@@ -13,6 +13,8 @@
 from oslo_policy import policy
+_SYSTEM_ADMIN = "role:admin and system_scope:all"
+
 rules = [
     policy.DocumentedRuleDefault(
         name='transport_key:get',
@@ -28,8 +30,8 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='transport_key:delete',
-        check_str='rule:admin',
-        scope_types=[],
+        check_str=f'{_SYSTEM_ADMIN}',
+        scope_types=['system'],
         description='Delete a specific transport key.',
         operations=[
             {
@@ -52,8 +54,8 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='transport_keys:post',
-        check_str='rule:admin',
-        scope_types=[],
+        check_str=f'{_SYSTEM_ADMIN}',
+        scope_types=['system'],
         description='Create a new transport key.',
         operations=[
             {
diff --git a/releasenotes/notes/secure-rbac-transportkey-policy-3e904787694f8471.yaml b/releasenotes/notes/secure-rbac-transportkey-policy-3e904787694f8471.yaml
new file mode 100644
index 000000000..32a9282df
--- /dev/null
+++ b/releasenotes/notes/secure-rbac-transportkey-policy-3e904787694f8471.yaml
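Review bot: The new `check_str` for `transport_key:delete` and `transport_keys:post` (second and third hunks) replaces `rule:admin` with `_SYSTEM_ADMIN` without a `deprecated_rule`, so project-scoped admins are denied the moment the release ships and operators get no `enforce_new_defaults` transition window in which oslo.policy OR's the old and new checks. Wrapping the old check in a `policy.DeprecatedRule` and passing it as `deprecated_rule=` on each `DocumentedRuleDefault` provides that window and makes oslo.policy log the deprecation; the sketch below shows the delete rule, the post rule is analogous. While there, the f-string in `check_str=f'{_SYSTEM_ADMIN}'` is redundant and `check_str=_SYSTEM_ADMIN` is equivalent. Note that `scope_types=['system']` is only enforced when `[oslo_policy] enforce_scope` is true; with it false oslo.policy only logs a scope warning, though the `system_scope:all` term in the check_str still rejects project-scoped tokens on its own. The `rules` list that these entries belong to continues past each hunk.
```python
_SYSTEM_ADMIN = "role:admin and system_scope:all"

# Old check kept as a deprecated alternative so deployments with
# enforce_new_defaults=False keep working during the transition.
deprecated_transport_key_delete = policy.DeprecatedRule(
    name='transport_key:delete',
    check_str='rule:admin',
)

# … unchanged: transport_key:get rule …
    policy.DocumentedRuleDefault(
        name='transport_key:delete',
        check_str=_SYSTEM_ADMIN,
        scope_types=['system'],
        deprecated_rule=deprecated_transport_key_delete,
        deprecated_reason='Transport keys are managed by system admins only.',
        deprecated_since='<RELEASE>',  # placeholder: release this lands in
        # newer oslo.policy takes deprecated_reason/since on DeprecatedRule
        # instead -- check the pinned version before choosing the form
        # … unchanged: description and operations …
```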
@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Implement secure-rbac for transportkeys resource.
+security:
+  - |
+    The current policy allows users with the admin role to add or delete
+    transport keys. This interface was only ever intended to be used by
+    system admins, and so it has been restricted using the new policy
+    to the system admin only (admins with system_scope:all).