MB-61292: Fix read and write permissions for secrets

timofey-barmin · timofey-barmin · commit 9774a42ef91b · 2024-09-27T01:28:51.000Z
Mistakenly only write permissions were checked. Even when write access was not needed. Change-Id: Idde53637c8bb7428f309303844d6eca4559d2430 Reviewed-on: https://review.couchbase.org/c/ns_server/+/216784 Tested-by: Timofey Barmin <timofey.barmin@couchbase.com> Reviewed-by: Navdeep S Boparai <navdeep.boparai@couchbase.com> Well-Formed: Build Bot <build@couchbase.com>
diff --git a/apps/ns_server/src/menelaus_web_secrets.erl b/apps/ns_server/src/menelaus_web_secrets.erl
@@ -390,27 +390,48 @@ validate_datetime_in_the_future(Name, State) ->
           end
       end, Name, State).
 
-is_usage_allowed({bucket_encryption, "*"}, Req) ->
+is_usage_allowed({bucket_encryption, "*"}, write, Req) ->
+    %% Those who can create a bucket should be able to create a secret to
+    %% encrypt that bucket
     menelaus_auth:has_permission({[buckets], create}, Req) orelse
     menelaus_auth:has_permission({[admin, security], write}, Req);
-is_usage_allowed({bucket_encryption, B}, Req) ->
+is_usage_allowed({bucket_encryption, "*"}, read, Req) ->
+    %% Those who can view bucket list should be able to view the secrets
+    %% that can encrypt buckets
+    menelaus_auth:has_permission({[{bucket, any}, settings], read}, Req) orelse
+    menelaus_auth:has_permission({[admin, security], read}, Req);
+
+is_usage_allowed({bucket_encryption, B}, write, Req) ->
+    %% Those who can modify bucket settings should be able to create a secret
+    %% that encrypts that specific bucket
     menelaus_auth:has_permission({[{bucket, B}, settings], write}, Req) orelse
     menelaus_auth:has_permission({[admin, security], write}, Req);
-is_usage_allowed(secrets_encryption, Req) ->
+is_usage_allowed({bucket_encryption, B}, read, Req) ->
+    %% Those who can read bucket settings should be able to see secrets that
+    %% can encrypt that specific bucket
+    menelaus_auth:has_permission({[{bucket, B}, settings], read}, Req) orelse
+    menelaus_auth:has_permission({[admin, security], read}, Req);
+
+is_usage_allowed(secrets_encryption, write, Req) ->
+    menelaus_auth:has_permission({[admin, security], write}, Req);
+is_usage_allowed(secrets_encryption, read, Req) ->
+    menelaus_auth:has_permission({[admin, security], read}, Req);
+
+is_usage_allowed(config_encryption, write, Req) ->
     menelaus_auth:has_permission({[admin, security], write}, Req);
-is_usage_allowed(config_encryption, Req) ->
-    menelaus_auth:has_permission({[admin, security], write}, Req).
+is_usage_allowed(config_encryption, read, Req) ->
+    menelaus_auth:has_permission({[admin, security], read}, Req).
 
 read_filter_secrets_by_permission(Secrets, Req) ->
     lists:filter(
       fun (#{usage := List}) when List /= [] ->
-          lists:any(is_usage_allowed(_, Req), List)
+          lists:any(is_usage_allowed(_, read, Req), List)
       end, Secrets).
 
 write_filter_secrets_by_permission(Secrets, Req) ->
     lists:filter(
       fun (#{usage := List}) when List /= [] ->
-          lists:all(is_usage_allowed(_, Req), List)
+          lists:all(is_usage_allowed(_, write, Req), List)
       end, Secrets).
 
 parse_id(Str) when is_list(Str) ->
