Barbican should not do rbac on version api call
Closes-Bug: #1290445 Change-Id: Idcd52600542b017f54c25a75ec0ab37348eb109d
parent
caefb74bfd
commit
617addcbc7
@ -52,7 +52,6 @@ def create_main_app(global_config, **local_conf):
|
||||
queue.init(CONF)
|
||||
|
||||
# Resources
|
||||
versions = res.VersionResource()
|
||||
secrets = res.SecretsResource(crypto_mgr)
|
||||
secret = res.SecretResource(crypto_mgr)
|
||||
orders = res.OrdersResource()
|
||||
@ -70,7 +69,6 @@ def create_main_app(global_config, **local_conf):
|
||||
if newrelic_loaded:
|
||||
wsgi_app = newrelic.agent.WSGIApplicationWrapper(wsgi_app)
|
||||
|
||||
api.add_route('/', versions)
|
||||
api.add_route('/v1/{keystone_id}/secrets', secrets)
|
||||
api.add_route('/v1/{keystone_id}/secrets/{secret_id}', secret)
|
||||
api.add_route('/v1/{keystone_id}/orders', orders)
|
||||
@ -95,3 +93,13 @@ def create_admin_app(global_config, **local_conf):
|
||||
api.add_route('/', versions)
|
||||
|
||||
return wsgi_app
|
||||
|
||||
|
||||
def create_version_app(global_config, **local_conf):
|
||||
config.parse_args()
|
||||
|
||||
versions = res.VersionResource()
|
||||
wsgi_app = api = falcon.API()
|
||||
api.add_route('/', versions)
|
||||
|
||||
return wsgi_app
|
||||
|
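Review bot: `create_version_app` has no docstring or comment saying that it is the one app factory meant to be served without a token, which is the reason it exists in this commit. I would add a docstring along the lines of `"""Build the WSGI app for the version endpoint; it is mounted without auth middleware, so route only resources that are safe to serve to anonymous callers."""`. Without that, a later `api.add_route(...)` added to this function would presumably be reachable through the `barbican_version` pipeline with no authentication. The bodies of `create_main_app` and `create_admin_app` start outside these hunks, so whether they also call `config.parse_args()` cannot be checked from here.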
@ -152,8 +152,13 @@ class WhenTestingVersionResource(BaseTestCase):
|
||||
self._invoke_on_get()
|
||||
self.setUp() # Need to re-setup
|
||||
|
||||
def test_should_fail_get_version(self):
|
||||
self._assert_fail_rbac([None, 'bunkrolehere'], self._invoke_on_get)
|
||||
def test_should_pass_get_version_with_bad_roles(self):
|
||||
self.req = self._generate_req(roles=[None, 'bunkrolehere'])
|
||||
self._invoke_on_get()
|
||||
|
||||
def test_should_pass_get_version_with_no_roles(self):
|
||||
self.req = self._generate_req()
|
||||
self._invoke_on_get()
|
||||
|
||||
def test_should_pass_get_version_multiple_roles(self):
|
||||
self.req = self._generate_req(roles=['admin', 'observer', 'creator',
|
||||
|
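Review bot: The tests `test_should_pass_get_version_with_bad_roles` and `test_should_pass_get_version_with_no_roles` end at `self._invoke_on_get()` with no assertion, so they pass as long as the call does not raise. Since they now pin the behaviour that anonymous and unknown-role callers are allowed, each should assert on the response the resource produced: the status, and ideally that the body carries nothing beyond version data. The hunk ends inside `test_should_pass_get_version_multiple_roles`, so the rest of that test is not visible here.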
@ -111,7 +111,7 @@ function configure_barbican {
|
||||
## Set up keystone
|
||||
|
||||
# Turn on the middleware
|
||||
iniset $BARBICAN_PASTE_CONF 'pipeline:main' pipeline 'keystone_authtoken context apiapp'
|
||||
iniset $BARBICAN_PASTE_CONF 'pipeline:barbican_api' pipeline 'keystone_authtoken context apiapp'
|
||||
|
||||
# Set the keystone parameters
|
||||
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_protocol $KEYSTONE_AUTH_PROTOCOL
|
||||
|
@ -1,7 +1,17 @@
|
||||
[composite:main]
|
||||
use = egg:Paste#urlmap
|
||||
/: barbican_version
|
||||
/v1: barbican_api
|
||||
|
||||
# Use this pipeline for Barbican API - versions no authentication
|
||||
[pipeline:barbican_version]
|
||||
pipeline = unauthenticated-context versionapp
|
||||
|
||||
# Use this pipeline for Barbican API - DEFAULT no authentication
|
||||
[pipeline:main]
|
||||
[pipeline:barbican_api]
|
||||
pipeline = unauthenticated-context apiapp
|
||||
####pipeline = simple apiapp
|
||||
#pipeline = keystone_authtoken context apiapp
|
||||
|
||||
#Use this pipeline to activate a repoze.profile middleware and HTTP port,
|
||||
# to provide profiling information for the REST API processing.
|
||||
@ -15,6 +25,9 @@ pipeline = keystone_authtoken context apiapp
|
||||
[app:apiapp]
|
||||
paste.app_factory = barbican.api.app:create_main_app
|
||||
|
||||
[app:versionapp]
|
||||
paste.app_factory = barbican.api.app:create_version_app
|
||||
|
||||
[filter:simple]
|
||||
paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory
|
||||
|
||||
@ -36,7 +49,7 @@ admin_user = barbican
|
||||
admin_password = orange
|
||||
auth_version = v2.0
|
||||
#delay failing perhaps to log the unauthorized request in barbican ..
|
||||
#delay_auth_decision = true
|
||||
#delay_auth_decision = true
|
||||
|
||||
[filter:profile]
|
||||
use = egg:repoze.profile
|
||||
|
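Review bot: With `/v1: barbican_api` in `[composite:main]`, Paste's urlmap moves the matched `/v1` prefix from PATH_INFO to SCRIPT_NAME before calling the mounted app, while the routes left in `create_main_app` still start with `/v1/` (for example `api.add_route('/v1/{keystone_id}/secrets', secrets)`). If the router matches on the remaining path only, those routes would stop matching after this change, so it is worth confirming with a request to a secrets URL through the composite; the smoke check in this commit only fetches `/`. If they do break, the fix is to drop the `/v1` prefix from the routes registered in `create_main_app`.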
@ -1,5 +1,5 @@
|
||||
{
|
||||
"version:get": "rule:all_users",
|
||||
"version:get": "@",
|
||||
"secret:decrypt": "rule:all_but_audit",
|
||||
"secret:get": "rule:all_users",
|
||||
"secret:put": "rule:admin_or_creator",
|
||||
|
@ -15,7 +15,7 @@
|
||||
# How many seconds to wait for the API to be responding before giving up
|
||||
API_RESPONDING_TIMEOUT=20
|
||||
|
||||
if ! timeout ${API_RESPONDING_TIMEOUT} sh -c "while ! curl -s http://127.0.0.1:9311/ 2>/dev/null | grep -q 'Authentication required' ; do sleep 1; done"; then
|
||||
if ! timeout ${API_RESPONDING_TIMEOUT} sh -c "while ! curl -s http://127.0.0.1:9311/ 2>/dev/null | grep -q 'v1' ; do sleep 1; done"; then
|
||||
echo "The Barbican (non-admin) API failed to respond within ${API_RESPONDING_TIMEOUT} seconds"
|
||||
exit 1
|
||||
fi
|
||||
|
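Review bot: The readiness loop accepts any response body containing the substring `v1`, because `curl -s` does not fail on HTTP error statuses and `grep -q 'v1'` is not tied to the version document. Using `curl -sf http://127.0.0.1:9311/` would make an error response count as not ready. Note also that, with the old `Authentication required` match gone, nothing in this script checks that the `/v1` paths still reject unauthenticated requests when the keystone pipeline is enabled.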
@ -8,6 +8,7 @@ kombu>=2.4.8
|
||||
netaddr>=0.7.6
|
||||
oslo.config>=1.2.0
|
||||
PasteDeploy>=1.5.0
|
||||
Paste
|
||||
pbr>=0.5.21,<1.0
|
||||
pycrypto>=2.6
|
||||
pysqlite
|
||||
|
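Review bot: `Paste` is listed with no version bound, unlike `PasteDeploy>=1.5.0` on the line before it, and it appears to be the line this hunk adds (the `egg:Paste#urlmap` composite needs it). Since urlmap now dispatches every request, including those to the unauthenticated version app, I would give it a lower bound matching the release this was tested against, written as `Paste>=<tested version>`.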