From 617addcbc70a36973eddce6b6bfad88e1df2ec8b Mon Sep 17 00:00:00 2001 From: Arvind Tiwari Date: Mon, 10 Mar 2014 13:26:45 -0600 Subject: [PATCH] Barbican should not do rbac on version api call Closes-Bug: #1290445 Change-Id: Idcd52600542b017f54c25a75ec0ab37348eb109d --- barbican/api/app.py | 12 ++++++++++-- barbican/tests/api/test_resources_policy.py | 9 +++++++-- contrib/devstack/lib/barbican | 2 +- etc/barbican/barbican-api-paste.ini | 17 +++++++++++++++-- etc/barbican/policy.json | 2 +- functionaltests/run_tests.sh | 2 +- requirements.txt | 1 + 7 files changed, 36 insertions(+), 9 deletions(-) diff --git a/barbican/api/app.py b/barbican/api/app.py index cfe47a9ef..91d8ad68e 100644 --- a/barbican/api/app.py +++ b/barbican/api/app.py @@ -52,7 +52,6 @@ def create_main_app(global_config, **local_conf): queue.init(CONF) # Resources - versions = res.VersionResource() secrets = res.SecretsResource(crypto_mgr) secret = res.SecretResource(crypto_mgr) orders = res.OrdersResource() @@ -70,7 +69,6 @@ def create_main_app(global_config, **local_conf): if newrelic_loaded: wsgi_app = newrelic.agent.WSGIApplicationWrapper(wsgi_app) - api.add_route('/', versions) api.add_route('/v1/{keystone_id}/secrets', secrets) api.add_route('/v1/{keystone_id}/secrets/{secret_id}', secret) api.add_route('/v1/{keystone_id}/orders', orders) @@ -95,3 +93,13 @@ def create_admin_app(global_config, **local_conf): api.add_route('/', versions) return wsgi_app + + +def create_version_app(global_config, **local_conf): + config.parse_args() + + versions = res.VersionResource() + wsgi_app = api = falcon.API() + api.add_route('/', versions) + + return wsgi_app diff --git a/barbican/tests/api/test_resources_policy.py b/barbican/tests/api/test_resources_policy.py index 0fd6a7a5d..7d995c69a 100644 --- a/barbican/tests/api/test_resources_policy.py +++ b/barbican/tests/api/test_resources_policy.py 
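Review bot: `create_version_app` has no docstring recording that it is the one app deliberately served through the `unauthenticated-context` pipeline, so nothing warns a later contributor that any route registered here is reachable without a Keystone token. I would add a docstring such as `"""Build the WSGI app for the version endpoint; it is served without keystone_authtoken, so register only non-sensitive resources here."""`. As a style point, the chained `wsgi_app = api = falcon.API()` is unnecessary in this function because no wrapper is ever applied; `api = falcon.API()` followed by `return api` reads more plainly.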
@@ -152,8 +152,13 @@ class WhenTestingVersionResource(BaseTestCase): self._invoke_on_get() self.setUp() # Need to re-setup - def test_should_fail_get_version(self): - self._assert_fail_rbac([None, 'bunkrolehere'], self._invoke_on_get) + def test_should_pass_get_version_with_bad_roles(self): + self.req = self._generate_req(roles=[None, 'bunkrolehere']) + self._invoke_on_get() + + def test_should_pass_get_version_with_no_roles(self): + self.req = self._generate_req() + self._invoke_on_get() def test_should_pass_get_version_multiple_roles(self): self.req = self._generate_req(roles=['admin', 'observer', 'creator', diff --git a/contrib/devstack/lib/barbican b/contrib/devstack/lib/barbican index 08eac8018..ceb8daa86 100755 --- a/contrib/devstack/lib/barbican +++ b/contrib/devstack/lib/barbican @@ -111,7 +111,7 @@ function configure_barbican { ## Set up keystone # Turn on the middleware - iniset $BARBICAN_PASTE_CONF 'pipeline:main' pipeline 'keystone_authtoken context apiapp' + iniset $BARBICAN_PASTE_CONF 'pipeline:barbican_api' pipeline 'keystone_authtoken context apiapp' # Set the keystone parameters iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_protocol $KEYSTONE_AUTH_PROTOCOL diff --git a/etc/barbican/barbican-api-paste.ini b/etc/barbican/barbican-api-paste.ini index 603220acb..7fd571b5f 100644 --- a/etc/barbican/barbican-api-paste.ini +++ b/etc/barbican/barbican-api-paste.ini 
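Review bot: The two new tests, `test_should_pass_get_version_with_bad_roles` and `test_should_pass_get_version_with_no_roles`, only call `self._invoke_on_get()` and assert nothing, so they pass as long as no exception is raised. Asserting on the result of the call (the status, and that the body lists the version) would pin what a caller without valid roles actually receives. They also exercise the resource and the policy only, not the paste composite, so nothing here checks that `/v1` paths are still dispatched to `barbican_api` and its filters once the URL map is in place; a functional test for that would be worth adding.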
@@ -1,7 +1,17 @@ +[composite:main] +use = egg:Paste#urlmap +/: barbican_version +/v1: barbican_api + +# Use this pipeline for Barbican API - versions no authentication +[pipeline:barbican_version] +pipeline = unauthenticated-context versionapp + # Use this pipeline for Barbican API - DEFAULT no authentication -[pipeline:main] +[pipeline:barbican_api] pipeline = unauthenticated-context apiapp ####pipeline = simple apiapp +#pipeline = keystone_authtoken context apiapp #Use this pipeline to activate a repoze.profile middleware and HTTP port, # to provide profiling information for the REST API processing. @@ -15,6 +25,9 @@ pipeline = keystone_authtoken context apiapp [app:apiapp] paste.app_factory = barbican.api.app:create_main_app +[app:versionapp] +paste.app_factory = barbican.api.app:create_version_app + [filter:simple] paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory @@ -36,7 +49,7 @@ admin_user = barbican admin_password = orange auth_version = v2.0 #delay failing perhaps to log the unauthorized request in barbican .. -#delay_auth_decision = true +#delay_auth_decision = true [filter:profile] use = egg:repoze.profile diff --git a/etc/barbican/policy.json b/etc/barbican/policy.json index b40a44884..3a202ba30 100644 --- a/etc/barbican/policy.json +++ b/etc/barbican/policy.json @@ -1,5 +1,5 @@ { - "version:get": "rule:all_users", + "version:get": "@", "secret:decrypt": "rule:all_but_audit", "secret:get": "rule:all_users", "secret:put": "rule:admin_or_creator", diff --git a/functionaltests/run_tests.sh b/functionaltests/run_tests.sh index 6246a2962..3ea8f5698 100755 --- a/functionaltests/run_tests.sh +++ b/functionaltests/run_tests.sh 
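Review bot: `egg:Paste#urlmap` moves the matched prefix from PATH_INFO to SCRIPT_NAME before calling the mounted app, so with `/v1: barbican_api` the main app sees `/{keystone_id}/secrets`, while the context lines of `barbican/api/app.py` in this same patch still register `'/v1/{keystone_id}/secrets'` and its siblings. Unless those routes are adjusted somewhere not shown here, `/v1/...` requests would miss the Falcon routes and return 404; dropping the prefix in the route table, e.g. `api.add_route('/{keystone_id}/secrets', secrets)`, would line the two up. Note also that `/` in a URL map catches every path not under `/v1`, so all of those are handled by the `unauthenticated-context` pipeline. A comment above `[pipeline:barbican_version]` saying that only the version resource may be served there would make that boundary explicit.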
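Review bot: `"version:get": "@"` is an unconditional allow, which means the version endpoint is now opened by two independent settings: the `barbican_version` pipeline in the paste file and this rule. JSON cannot carry a comment, so the coupling should be recorded in the deployment documentation; if an operator restores `rule:all_users` here, requests arriving through `unauthenticated-context` presumably carry no roles and the version call would start failing. It is also worth confirming that no other resource enforces the `version:get` action, since anything that does is now open to every caller.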
@@ -15,7 +15,7 @@ # How many seconds to wait for the API to be responding before giving up API_RESPONDING_TIMEOUT=20 -if ! timeout ${API_RESPONDING_TIMEOUT} sh -c "while ! curl -s http://127.0.0.1:9311/ 2>/dev/null | grep -q 'Authentication required' ; do sleep 1; done"; then +if ! timeout ${API_RESPONDING_TIMEOUT} sh -c "while ! curl -s http://127.0.0.1:9311/ 2>/dev/null | grep -q 'v1' ; do sleep 1; done"; then echo "The Barbican (non-admin) API failed to respond within ${API_RESPONDING_TIMEOUT} seconds" exit 1 fi diff --git a/requirements.txt b/requirements.txt index 289232047..438c6213a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,6 +8,7 @@ kombu>=2.4.8 netaddr>=0.7.6 oslo.config>=1.2.0 PasteDeploy>=1.5.0 +Paste pbr>=0.5.21,<1.0 pycrypto>=2.6 pysqlite
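Review bot: The readiness probe `grep -q 'v1'` matches any response body that contains those two characters, including an error page, and it now shows only that the unauthenticated version app answers, not that the `/v1` pipeline is up. Adding `-f` makes curl emit nothing on an HTTP error status, which tightens the check: `curl -sf http://127.0.0.1:9311/ 2>/dev/null | grep -q 'v1'`. If the functional run depends on the API pipeline being ready, a second probe against a `/v1` path would cover that.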
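Review bot: `Paste` is added with no version specifier, while the neighbouring entries (`PasteDeploy>=1.5.0`, `oslo.config>=1.2.0`) all declare a floor, so an install can resolve to any release, including ones never tested with the `urlmap` composite this patch relies on. Give it a lower bound in the same style as the rest of the file, e.g. `Paste>=<minimum tested version>`. It would also sort before `PasteDeploy` if the list is meant to stay alphabetical.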