Barbican should not do rbac on version api call

Closes-Bug: #1290445

Change-Id: Idcd52600542b017f54c25a75ec0ab37348eb109d
This commit is contained in:
Arvind Tiwari 2014-03-10 13:26:45 -06:00
parent caefb74bfd
commit 617addcbc7
7 changed files with 36 additions and 9 deletions

View File

@ -52,7 +52,6 @@ def create_main_app(global_config, **local_conf):
queue.init(CONF)
# Resources
versions = res.VersionResource()
secrets = res.SecretsResource(crypto_mgr)
secret = res.SecretResource(crypto_mgr)
orders = res.OrdersResource()
@ -70,7 +69,6 @@ def create_main_app(global_config, **local_conf):
if newrelic_loaded:
wsgi_app = newrelic.agent.WSGIApplicationWrapper(wsgi_app)
api.add_route('/', versions)
api.add_route('/v1/{keystone_id}/secrets', secrets)
api.add_route('/v1/{keystone_id}/secrets/{secret_id}', secret)
api.add_route('/v1/{keystone_id}/orders', orders)
@ -95,3 +93,13 @@ def create_admin_app(global_config, **local_conf):
api.add_route('/', versions)
return wsgi_app
def create_version_app(global_config, **local_conf):
config.parse_args()
versions = res.VersionResource()
wsgi_app = api = falcon.API()
api.add_route('/', versions)
return wsgi_app

View File

@ -152,8 +152,13 @@ class WhenTestingVersionResource(BaseTestCase):
self._invoke_on_get()
self.setUp() # Need to re-setup
def test_should_fail_get_version(self):
self._assert_fail_rbac([None, 'bunkrolehere'], self._invoke_on_get)
def test_should_pass_get_version_with_bad_roles(self):
self.req = self._generate_req(roles=[None, 'bunkrolehere'])
self._invoke_on_get()
def test_should_pass_get_version_with_no_roles(self):
self.req = self._generate_req()
self._invoke_on_get()
def test_should_pass_get_version_multiple_roles(self):
self.req = self._generate_req(roles=['admin', 'observer', 'creator',

View File

@ -111,7 +111,7 @@ function configure_barbican {
## Set up keystone
# Turn on the middleware
iniset $BARBICAN_PASTE_CONF 'pipeline:main' pipeline 'keystone_authtoken context apiapp'
iniset $BARBICAN_PASTE_CONF 'pipeline:barbican_api' pipeline 'keystone_authtoken context apiapp'
# Set the keystone parameters
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_protocol $KEYSTONE_AUTH_PROTOCOL

View File

@ -1,7 +1,17 @@
[composite:main]
use = egg:Paste#urlmap
/: barbican_version
/v1: barbican_api
# Use this pipeline for Barbican API - versions no authentication
[pipeline:barbican_version]
pipeline = unauthenticated-context versionapp
# Use this pipeline for Barbican API - DEFAULT no authentication
[pipeline:main]
[pipeline:barbican_api]
pipeline = unauthenticated-context apiapp
####pipeline = simple apiapp
#pipeline = keystone_authtoken context apiapp
#Use this pipeline to activate a repoze.profile middleware and HTTP port,
# to provide profiling information for the REST API processing.
@ -15,6 +25,9 @@ pipeline = keystone_authtoken context apiapp
[app:apiapp]
paste.app_factory = barbican.api.app:create_main_app
[app:versionapp]
paste.app_factory = barbican.api.app:create_version_app
[filter:simple]
paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory
@ -36,7 +49,7 @@ admin_user = barbican
admin_password = orange
auth_version = v2.0
#delay failing perhaps to log the unauthorized request in barbican ..
#delay_auth_decision = true
#delay_auth_decision = true
[filter:profile]
use = egg:repoze.profile

View File

@ -1,5 +1,5 @@
{
"version:get": "rule:all_users",
"version:get": "@",
"secret:decrypt": "rule:all_but_audit",
"secret:get": "rule:all_users",
"secret:put": "rule:admin_or_creator",

View File

@ -15,7 +15,7 @@
# How many seconds to wait for the API to be responding before giving up
API_RESPONDING_TIMEOUT=20
if ! timeout ${API_RESPONDING_TIMEOUT} sh -c "while ! curl -s http://127.0.0.1:9311/ 2>/dev/null | grep -q 'Authentication required' ; do sleep 1; done"; then
if ! timeout ${API_RESPONDING_TIMEOUT} sh -c "while ! curl -s http://127.0.0.1:9311/ 2>/dev/null | grep -q 'v1' ; do sleep 1; done"; then
echo "The Barbican (non-admin) API failed to respond within ${API_RESPONDING_TIMEOUT} seconds"
exit 1
fi

View File

@ -8,6 +8,7 @@ kombu>=2.4.8
netaddr>=0.7.6
oslo.config>=1.2.0
PasteDeploy>=1.5.0
Paste
pbr>=0.5.21,<1.0
pycrypto>=2.6
pysqlite