From a0380d71aae0c82265d571dd3a115df07723a474 Mon Sep 17 00:00:00 2001
From: Dave McCowan
Date: Mon, 21 Sep 2015 22:49:21 -0400
Subject: [PATCH] Change behavior of GET cas/preferred

A user will want to know information about which CA has been assigned to him by either the project admin or the system admin. Get /cas/preferred will return the ref of either the project preferred CA (set by /add-to-project) or the global preferred CA (set by /set-global-preferred). If the admins have not set a preferred CA, then 404 is returned.
Change-Id: I56e5d4d62e0b99c9151f25f0f395ffe7c3ad41d1
Partially-implements: blueprint add-cas
Closes-bug: #1498269
---
 barbican/api/controllers/cas.py | 7 +-
 barbican/tasks/certificate_resources.py | 19 ++++--
 functionaltests/api/v1/functional/test_cas.py | 65 ++++++++++++++++++-
 3 files changed, 80 insertions(+), 11 deletions(-)
diff --git a/barbican/api/controllers/cas.py b/barbican/api/controllers/cas.py
index 1f9447984..b5a1c1304 100644
--- a/barbican/api/controllers/cas.py
+++ b/barbican/api/controllers/cas.py
@@ -444,14 +444,13 @@ class CertificateAuthoritiesController(controllers.ACLMixin):
 project = res.get_or_create_project(external_project_id)
- pref_cas = self.preferred_ca_repo.get_project_entities(project.id)
- if not pref_cas:
+ pref_ca_id = cert_resources.get_project_preferred_ca_id(project.id)
+ if not pref_ca_id:
 pecan.abort(404, u._("No preferred CA defined for this project"))
- ca = pref_cas[0]
 return {
 'ca_ref':
- hrefs.convert_certificate_authority_to_href(ca.ca_id)
+ hrefs.convert_certificate_authority_to_href(pref_ca_id)
 }
 @index.when(method='POST', template='json')
diff --git a/barbican/tasks/certificate_resources.py b/barbican/tasks/certificate_resources.py
index 1e59eea15..14594bc64 100644
--- a/barbican/tasks/certificate_resources.py
+++ b/barbican/tasks/certificate_resources.py
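Review bot: The 404 text on the `pecan.abort` line in the cas.py hunk still reads "No preferred CA defined for this project", but with the new lookup that branch is reached only when neither a project-level nor a global preferred CA is set, so the message no longer describes the condition. The handler now also returns the global preferred CA to whoever this endpoint's policy admits, so I would add a comment above the lookup such as `# Project preferred CA first, then the global preferred CA; 404 only when neither is set.` It is also worth confirming that the policy rule for GET /cas/preferred is meant to expose the global choice to project users, since the policy is not visible here. The handler's start and the `cert_resources` import are outside the hunk, so the import is assumed to exist.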
@@ -326,22 +326,29 @@ def get_global_preferred_ca(): return cas[0] -def _get_ca_id(order_meta, project_id): - ca_id = order_meta.get(cert.CA_ID) - if ca_id: - return ca_id +def get_project_preferred_ca_id(project_id): + """Compute the preferred CA ID for a project + First priority: a preferred CA is defined for the project + Second priority: a preferred CA is defined globally + Else: None + """ preferred_ca_repository = repos.get_preferred_ca_repository() cas, offset, limit, total = preferred_ca_repository.get_by_create_date( project_id=project_id, suppress_exception=True) if total > 0: return cas[0].ca_id - global_ca = get_global_preferred_ca() if global_ca: return global_ca.ca_id - return None + +def _get_ca_id(order_meta, project_id): + ca_id = order_meta.get(cert.CA_ID) + if ca_id: + return ca_id + + return get_project_preferred_ca_id(project_id) def _update_result_follow_on( diff --git a/functionaltests/api/v1/functional/test_cas.py b/functionaltests/api/v1/functional/test_cas.py index eb8c31980..c1ec3530f 100644 --- a/functionaltests/api/v1/functional/test_cas.py +++ b/functionaltests/api/v1/functional/test_cas.py @@ -365,7 +365,7 @@ class GlobalPreferredCATestCase(CATestCommon): def test_global_preferred_update(self): if self.num_cas < 2: - self.sTest("At least two CAs are required for this test") + self.skipTest("At least two CAs are required for this test") resp = self.ca_behaviors.set_global_preferred( ca_ref=self.cas[0], user_name=service_admin) self.assertEqual(204, resp.status_code) 
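Review bot: `_get_ca_id` in the certificate_resources.py hunk is re-added without a docstring although it now fixes a three-level precedence, and its first branch returns the `cert.CA_ID` value from `order_meta` as-is, ahead of anything the admins configured. Nothing in this hunk checks that the requested CA is one the project may use; that check may sit in the order validation path, which is not shown, so this is a question rather than a finding. I would add `"""Return the CA ID named in the order metadata, else the project's preferred CA ID (project first, then global)."""` to `_get_ca_id`. The new docstring on `get_project_preferred_ca_id` could also say that the return value is a CA ID or None.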
@@ -400,3 +400,66 @@ class GlobalPreferredCATestCase(CATestCommon):
 self.assertEqual(204, resp.status_code)
 resp = self.ca_behaviors.get_global_preferred(user_name=service_admin)
 self.assertEqual(404, resp.status_code)
+
+ def test_global_preferred_affects_project_preferred(self):
+ if self.num_cas < 2:
+ self.skipTest("At least two CAs are required for this test")
+
+ resp = self.ca_behaviors.get_preferred(user_name=admin_a)
+ self.assertEqual(404, resp.status_code)
+
+ resp = self.ca_behaviors.set_global_preferred(
+ ca_ref=self.cas[1], user_name=service_admin)
+ self.assertEqual(204, resp.status_code)
+
+ resp = self.ca_behaviors.get_preferred(user_name=admin_a)
+ self.assertEqual(200, resp.status_code)
+ ca_id = hrefs.get_ca_id_from_ref(resp.model.ca_ref)
+ self.assertEqual(self.ca_ids[1], ca_id)
+
+ resp = self.ca_behaviors.unset_global_preferred(
+ user_name=service_admin)
+ self.assertEqual(204, resp.status_code)
+
+ resp = self.ca_behaviors.get_preferred(user_name=admin_a)
+ self.assertEqual(404, resp.status_code)
+
+ def test_project_preferred_overrides_global_preferred(self):
+ if self.num_cas < 2:
+ self.skipTest("At least two CAs are required for this test")
+
+ resp = self.ca_behaviors.get_preferred(user_name=admin_a)
+ self.assertEqual(404, resp.status_code)
+
+ resp = self.ca_behaviors.set_global_preferred(
+ ca_ref=self.cas[1], user_name=service_admin)
+ self.assertEqual(204, resp.status_code)
+
+ resp = self.ca_behaviors.get_preferred(user_name=admin_a)
+ self.assertEqual(200, resp.status_code)
+ ca_id = hrefs.get_ca_id_from_ref(resp.model.ca_ref)
+ self.assertEqual(self.ca_ids[1], ca_id)
+
+ resp = self.ca_behaviors.add_ca_to_project(
+ ca_ref=self.cas[0], user_name=admin_a)
+ self.assertEqual(204, resp.status_code)
+
+ resp = self.ca_behaviors.get_preferred(user_name=admin_a)
+ self.assertEqual(200, resp.status_code)
+ ca_id = hrefs.get_ca_id_from_ref(resp.model.ca_ref)
+ self.assertEqual(self.ca_ids[0], ca_id)
+
+ resp = self.ca_behaviors.remove_ca_from_project(
+ ca_ref=self.cas[0], user_name=admin_a)
+ self.assertEqual(204, resp.status_code)
+
+ resp = self.ca_behaviors.get_preferred(user_name=admin_a)
+ ca_id = hrefs.get_ca_id_from_ref(resp.model.ca_ref)
+ self.assertEqual(self.ca_ids[1], ca_id)
+
+ resp = self.ca_behaviors.unset_global_preferred(
+ user_name=service_admin)
+ self.assertEqual(204, resp.status_code)
+
+ resp = self.ca_behaviors.get_preferred(user_name=admin_a)
+ self.assertEqual(404, resp.status_code)
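Review bot: In `test_project_preferred_overrides_global_preferred`, the `get_preferred` call that follows `remove_ca_from_project` reads `resp.model.ca_ref` without first asserting the status, unlike every other lookup in these two tests; add `self.assertEqual(200, resp.status_code)` before the `ca_id` line so a failed fallback is reported as a status mismatch. Both tests also set the global preferred CA and unset it only in their last steps, so an assertion failing midway would leave it set, and the opening 404 assertions would then fail in later tests. Unless the class tearDown (outside this hunk) already resets it, registering `self.addCleanup(self.ca_behaviors.unset_global_preferred, user_name=service_admin)` right after the set call would keep the tests independent.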