File 0001-Fix-secret-metadata-access-rules.patch of Package openstack-barbican
From 3f65f2b2c86b3cd8a110b3abbafe788395b8f5b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= <dmendiza@redhat.com>
Date: Mon, 27 Sep 2021 14:40:07 -0500
Subject: [PATCH] Fix secret metadata access rules

This patch fixes the legacy policy rules for accessing secret metadata by checking that the user making the request is authenticated for the project that owns the secret.

Story: 2009253
Task: 43456
Change-Id: Ide37d64dff10d421817bf90b8e2e58bf6ac4f592
(cherry picked from commit 7d270bacbe29a90a10f1855abc3b50dac0f08022)
(cherry picked from commit 750a79b4f5fbb94b1a1d0f329a0c8a51566b2cae)
(cherry picked from commit 64a4242454a65df17abc10e13861463a2de71813)
(cherry picked from commit 86d7d6411075a15cdea742acfa9f6d0ca42c044c)
(cherry picked from commit 32702400655675d30ebe53b2151da77532d56bb1)
(cherry picked from commit 3acf50a823bd61090d2c102a0cfa509651a8956a)
---
 barbican/api/controllers/__init__.py   |  9 +++++++++
 barbican/api/controllers/secretmeta.py |  4 ++--
 barbican/api/controllers/secrets.py    |  8 +-------
 barbican/common/policies/base.py       |  2 ++
 barbican/common/policies/secretmeta.py | 19 +++++++++++++++----
 5 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/barbican/api/controllers/__init__.py b/barbican/api/controllers/__init__.py
index 99677c44..5243b443 100644
--- a/barbican/api/controllers/__init__.py
+++ b/barbican/api/controllers/__init__.py
@@ -226,3 +226,12 @@ class ACLMixin(object):
         acl_dict.update(co_dict)
 
         return acl_dict
+
+
+class SecretACLMixin(ACLMixin):
+
+    def get_acl_tuple(self, req, **kwargs):
+        acl = self.get_acl_dict_for_user(req, self.secret.secret_acls)
+        acl['project_id'] = self.secret.project.external_id
+        acl['creator_id'] = self.secret.creator_id
+        return 'secret', acl
diff --git a/barbican/api/controllers/secretmeta.py b/barbican/api/controllers/secretmeta.py
index f0bada25..f99f027e 100644
--- a/barbican/api/controllers/secretmeta.py
+++ b/barbican/api/controllers/secretmeta.py
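Review bot: `SecretACLMixin` carries no docstring and silently requires the host controller to have stored the secret as `self.secret` before policy enforcement runs, a contract that was implicit while this body lived in `SecretController` and is now shared by three controllers. I would add `"""Build the policy target for secret-scoped controllers; the host must set ``self.secret``."""` on the class, and a comment on the `project_id`/`creator_id` lines saying these are the target keys the `secret_project_match` and `secret_creator_user` rules presumably compare against (the rule bodies are not in this patch, so confirm against policies/base.py). The `**kwargs` parameter is unused here; if it only mirrors the `ACLMixin` signature, a short `# kept for signature compatibility with ACLMixin` comment would say so.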
@@ -29,7 +29,7 @@ def _secret_metadata_not_found():
                          'another castle.'))
 
 
-class SecretMetadataController(controllers.ACLMixin):
+class SecretMetadataController(controllers.SecretACLMixin):
     """Handles SecretMetadata requests by a given secret id."""
 
     def __init__(self, secret):
@@ -108,7 +108,7 @@ class SecretMetadataController(controllers.ACLMixin):
                                          value)}
 
 
-class SecretMetadatumController(controllers.ACLMixin):
+class SecretMetadatumController(controllers.SecretACLMixin):
 
     def __init__(self, secret):
         LOG.debug('=== Creating SecretMetadatumController ===')
diff --git a/barbican/api/controllers/secrets.py b/barbican/api/controllers/secrets.py
index 7e5c6ffe..1ccc83ec 100644
--- a/barbican/api/controllers/secrets.py
+++ b/barbican/api/controllers/secrets.py
@@ -71,7 +71,7 @@ def _request_has_twsk_but_no_transport_key_id():
                          'transport key id has not been provided.'))
 
 
-class SecretController(controllers.ACLMixin):
+class SecretController(controllers.SecretACLMixin):
     """Handles Secret retrieval and deletion requests."""
 
     def __init__(self, secret):
@@ -79,12 +79,6 @@ class SecretController(controllers.ACLMixin):
         self.secret = secret
         self.transport_key_repo = repo.get_transport_key_repository()
 
-    def get_acl_tuple(self, req, **kwargs):
-        d = self.get_acl_dict_for_user(req, self.secret.secret_acls)
-        d['project_id'] = self.secret.project.external_id
-        d['creator_id'] = self.secret.creator_id
-        return 'secret', d
-
     @pecan.expose()
     def _lookup(self, sub_resource, *remainder):
         if sub_resource == 'acl':
diff --git a/barbican/common/policies/base.py b/barbican/common/policies/base.py
index dd2316a1..52812f36 100644
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
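Review bot: Switching `SecretMetadatumController` to `SecretACLMixin` makes every policy check on this controller dereference `self.secret`, but the body of `__init__(self, secret)` that would store it lies outside the hunk, so the assignment cannot be confirmed from here; if the attribute is stored under another name, enforcement raises `AttributeError` and the request fails with a 500 rather than a clean 403. Worth verifying in the full file, and worth adding a test that requests a metadatum with a token scoped to a different project and asserts 403, since that is the exact path this patch is meant to close. The same check applies to `SecretMetadataController` in the preceding hunk, whose `__init__` body is likewise cut off.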
@@ -61,6 +61,8 @@ rules = [
     policy.RuleDefault('secret_project_creator',
                        "rule:creator and rule:secret_project_match and "
                        "rule:secret_creator_user"),
+    policy.RuleDefault('secret_project_creator_role',
+                       "rule:creator and rule:secret_project_match"),
     policy.RuleDefault('container_project_admin',
                        "rule:admin and rule:container_project_match"),
     policy.RuleDefault('container_project_creator',
diff --git a/barbican/common/policies/secretmeta.py b/barbican/common/policies/secretmeta.py
index f78c721e..da93dcef 100644
--- a/barbican/common/policies/secretmeta.py
+++ b/barbican/common/policies/secretmeta.py
@@ -15,13 +15,24 @@ from oslo_policy import policy
 
 rules = [
     policy.RuleDefault('secret_meta:get',
-                       'rule:all_but_audit'),
+                       'rule:secret_non_private_read or ' +
+                       'rule:secret_project_creator or ' +
+                       'rule:secret_project_admin or rule:secret_acl_read'),
     policy.RuleDefault('secret_meta:post',
-                       'rule:admin_or_creator'),
+                       'rule:secret_project_admin or ' +
+                       'rule:secret_project_creator or ' +
+                       '(rule:secret_project_creator_role and ' +
+                       'rule:secret_non_private_read)'),
     policy.RuleDefault('secret_meta:put',
-                       'rule:admin_or_creator'),
+                       'rule:secret_project_admin or ' +
+                       'rule:secret_project_creator or ' +
+                       '(rule:secret_project_creator_role and ' +
+                       'rule:secret_non_private_read)'),
     policy.RuleDefault('secret_meta:delete',
-                       'rule:admin_or_creator'),
+                       'rule:secret_project_admin or ' +
+                       'rule:secret_project_creator or ' +
+                       '(rule:secret_project_creator_role and ' +
+                       'rule:secret_non_private_read)'),
 ]
 
 
-- 
2.25.1
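Review bot: `secret_project_creator_role` differs from the neighbouring `secret_project_creator` only by dropping `rule:secret_creator_user`, and the near-identical names will be confused by the next person editing this list. A comment on the new entry, `# creator role in the owning project, regardless of which user created the secret`, would make the distinction explicit and explain why it is paired with `secret_non_private_read` elsewhere. The `rules` list begins and ends outside this hunk.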
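Review bot: These hardened defaults only take effect where no deployed policy file overrides `secret_meta:*`; an operator-maintained policy.yaml still carrying the old `rule:all_but_audit` / `rule:admin_or_creator` values keeps the cross-project metadata access this patch closes, and nothing in the patch warns about that. I would put a comment above the four entries, such as `# Scoped to the secret's owning project (Story 2009253); an operator override of secret_meta:* re-opens cross-project access`, and make sure the release note asks operators to audit their overrides. As a style point, the `+` between adjacent string literals is redundant — Python concatenates them implicitly, which is the form the existing `secret_project_creator` rule in base.py uses.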