From e2c8e537308f411040893792577b0fe3369ea651 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Mon, 8 Mar 2021 09:52:26 -0500
Subject: [PATCH] Implement secure RBAC for consumers API

Add new project scope specific RBAC rules for the consumers API.  The old
rules still apply, but eventually will be deprecated.  The new
rules do include some changes to default policy, which are documented in
the release note.

Change-Id: I89ed0113238446ee96e486af0540b6b24336a29c
---
 barbican/common/policies/consumers.py         | 38 +++++++++++++++----
 ...rbac-consumer-policy-5ff67280dc2a2c09.yaml |  9 +++++
 2 files changed, 39 insertions(+), 8 deletions(-)
 create mode 100644 releasenotes/notes/secure-rbac-consumer-policy-5ff67280dc2a2c09.yaml

diff --git a/barbican/common/policies/consumers.py b/barbican/common/policies/consumers.py
index 1c5a67595..b99c7b843 100644
--- a/barbican/common/policies/consumers.py
+++ b/barbican/common/policies/consumers.py
@@ -16,14 +16,27 @@ from oslo_policy import policy
 #                  The POST/DELETE rules also share the check stirngs.
 #                  These can probably be turned into constants in base
 
+
+_READER = "role:reader"
+_MEMBER = "role:member"
+_ADMIN = "role:admin"
+_SYSTEM_ADMIN = "role:admin and system_scope:all"
+_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.container.project_id)s"
+_PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.container.project_id)s"
+_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
+_CONTAINER_IS_NOT_PRIVATE = "True:%(target.container.read_project_access)s"
+
 rules = [
     policy.DocumentedRuleDefault(
         name='consumer:get',
         check_str='rule:admin or rule:observer or rule:creator or ' +
                   'rule:audit or rule:container_non_private_read or ' +
                   'rule:container_project_creator or ' +
-                  'rule:container_project_admin or rule:container_acl_read',
-        scope_types=[],
+                  'rule:container_project_admin or rule:container_acl_read' +
+                  f" or ({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
+                  f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN} or " +
+                  f"{_SYSTEM_ADMIN}",
+        scope_types=['project', 'system'],
         description='List a specific consumer for a given container.',
         operations=[
             {
@@ -38,8 +51,11 @@ rules = [
         check_str='rule:admin or rule:observer or rule:creator or ' +
                   'rule:audit or rule:container_non_private_read or ' +
                   'rule:container_project_creator or ' +
-                  'rule:container_project_admin or rule:container_acl_read',
-        scope_types=[],
+                  'rule:container_project_admin or rule:container_acl_read' +
+                  f" or ({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
+                  f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN} or " +
+                  f"{_SYSTEM_ADMIN}",
+        scope_types=['project', 'system'],
         description='List a containers consumers.',
         operations=[
             {
@@ -52,8 +68,11 @@ rules = [
         name='consumers:post',
         check_str='rule:admin or rule:container_non_private_read or ' +
                   'rule:container_project_creator or ' +
-                  'rule:container_project_admin or rule:container_acl_read',
-        scope_types=[],
+                  'rule:container_project_admin or rule:container_acl_read' +
+                  f" or ({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
+                  f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN} or " +
+                  f"{_SYSTEM_ADMIN}",
+        scope_types=['project', 'system'],
         description='Creates a consumer.',
         operations=[
             {
@@ -66,8 +85,11 @@ rules = [
         name='consumers:delete',
         check_str='rule:admin or rule:container_non_private_read or ' +
                   'rule:container_project_creator or ' +
-                  'rule:container_project_admin or rule:container_acl_read',
-        scope_types=[],
+                  'rule:container_project_admin or rule:container_acl_read' +
+                  f" or ({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
+                  f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN} or " +
+                  f"{_SYSTEM_ADMIN}",
+        scope_types=['project', 'system'],
         description='Deletes a consumer.',
         operations=[
             {
diff --git a/releasenotes/notes/secure-rbac-consumer-policy-5ff67280dc2a2c09.yaml b/releasenotes/notes/secure-rbac-consumer-policy-5ff67280dc2a2c09.yaml
new file mode 100644
index 000000000..157bb5444
--- /dev/null
+++ b/releasenotes/notes/secure-rbac-consumer-policy-5ff67280dc2a2c09.yaml
@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Implement secure-rbac for consumers resource.
+security:
+  - |
+    The new secure-rbac policy allows consumers to be added and deleted by
+    members.  This is a change from the previous policy which only allowed the
+    secret's creator or admins or those that had a read acl on the secret.