File 0001-Fix-policy-for-adding-a-secret-to-a-container.patch of Package openstack-barbican-doc

From 2c6726e3e79d22cd0304647e072493b9d7e84830 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= <dmendiza@redhat.com>
Date: Fri, 15 Oct 2021 11:51:10 -0500
Subject: [PATCH] Fix policy for adding a secret to a container

This patch fixes the policies for adding and removing secrets from a
secret container.

Story: 2009297
Task: 43727
Change-Id: I821b4f5998be5b40327311039979f5e00ea9cefc
(cherry picked from commit 6c841b23afa8ed6fa4cd01ba1a6bebfb60f06ae5)
(cherry picked from commit a8226fcf33f16078d92949af23bdf41a7593bb64)
(cherry picked from commit 7cf500a98239e861f877539827f3be57c920b95c)
(cherry picked from commit 54e342fa7cf15cb77b2bc4b330c5b8fa41678881)
(cherry picked from commit ecfef01555b299e3b58392208d1630ed84ca6717)
---
 barbican/common/policies/base.py       |  2 ++
 barbican/common/policies/containers.py | 10 ++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/barbican/common/policies/base.py b/barbican/common/policies/base.py
index 52812f36..ad4fa8a8 100644
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
@@ -68,6 +68,8 @@ rules = [
     policy.RuleDefault('container_project_creator',
                        "rule:creator and rule:container_project_match and "
                        "rule:container_creator_user"),
+    policy.RuleDefault("container_project_creator_role",
+                       "rule:creator and rule:container_project_match"),
 ]
 
 
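Review bot: The new `container_project_creator_role` rule is `container_project_creator` (directly above it) minus the `rule:container_creator_user` term, so it matches any user holding the creator role in the container's project rather than only the user who created the container; that widening is the whole point of the rule but nothing in the file says so. A one-line comment above the new RuleDefault would record it, e.g. `# Like container_project_creator, but for any creator in the project, not only the creating user`. The `rules` list holding it begins outside the hunk.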
diff --git a/barbican/common/policies/containers.py b/barbican/common/policies/containers.py
index 643f1411..d0090c72 100644
--- a/barbican/common/policies/containers.py
+++ b/barbican/common/policies/containers.py
@@ -27,9 +27,15 @@ rules = [
                        'rule:container_project_admin or '
                        'rule:container_project_creator'),
     policy.RuleDefault('container_secret:post',
-                       'rule:admin'),
+                       'rule:container_project_admin or ' +
+                       'rule:container_project_creator or ' +
+                       'rule:container_project_creator_role and ' +
+                       'rule:container_non_private_read'),
     policy.RuleDefault('container_secret:delete',
-                       'rule:admin'),
+                       'rule:container_project_admin or ' +
+                       'rule:container_project_creator or ' +
+                       'rule:container_project_creator_role and ' +
+                       'rule:container_non_private_read'),
 ]
 
 
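Review bot: The new `container_secret:post` and `container_secret:delete` strings depend on oslo.policy's operator precedence (`and` binding tighter than `or`) for the last two terms to form one clause; parenthesising them makes the intended grant explicit and protects it from later edits, e.g. `'rule:container_project_admin or rule:container_project_creator or ' '(rule:container_project_creator_role and rule:container_non_private_read)'` for both rules. The `+` between adjacent literals is redundant, since the file already relies on implicit concatenation in the `container_secret:get` rule just above. `rule:container_non_private_read` is not defined in either hunk of this patch, so it presumably already exists in base.py; worth confirming, as the rule is only referenced here. These rules evaluate the container's ownership only; whether the caller may use the secret named in the request is not expressed in the policy string and must be enforced in the controller — confirm that it is. The enclosing `rules` list starts outside the hunk.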
-- 
2.25.1
