This patch set modifies lines which are importing objects
instead of modules. As per openstack import guide lines,
user should import modules in a file not objects.
http://docs.openstack.org/developer/hacking/#imports
Change-Id: Iec8caf72cbaa4f245e38aa7d68632783842a34be
In the secrets controller, the list functionality had a "secret_type"
argument, but wasn't being used in the actual query to the secrets repo.
This fixes the issue and adds functional tests to ensure the filter
queries are working correctly.
Change-Id: Ifa42f5e817908973dd8b927e4744cdc754a4b027
This patch includes changes:
1. use more specified 'assert' check
2. remove use of str() on an exception
3. use a dict comprehension instead of a dict constructor
Change-Id: I24fbf16d0bcbe5ca9780770212b511f49927303d
I believe this is the correct behavior, as it would match how
containers handles these operations. This change facilitates
the LBaaS Barbican TLS workflow (which should be the same as
what other services will use in the future too).
The RBAC settings for consumer POST should be set to
use the same ACL rules as container GET (plus admin).
The RBAC settings for consumer DELETE should be:
* Any user with Delete permissions on the Container
* Any user that both: has ACL Read access to the Container; is a member
of the project that created the Consumer being deleted
Change-Id: Ie84784573893934c2887814a200e7386314b4f18
Closes-Bug: #1519170
In some part in the code we import objects.
In the Openstack style guidelines they recommend to import only modules.
http://docs.openstack.org/developer/hacking/#imports
Change-Id: Ibd3464b52fd70bbfe77ce35cdffbbef95de24b12
Modified policy and tests to verify this change.
As per this change, user with 'creator' role can delete a secret or
a container as long as that user has initially created that secret
or container.
There is still a difference between 'admin' role and 'creator' role
behavior around delete operation. With this change, users with 'creator'
role cannot delete any other user's secret/container in same project
while user with 'admin' role can do that.
Updated role docs to reflect this behavior.
Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
When retrieving secret's payload without providing payload_content_type,
if the payload_content_type is not default as "text/plain", we get 500 error.
Since this is generated by invalid input, we should mark this as 406 error.
Closes-bug: #1590097
Change-Id: I9ca94b7c66995991a9b0df37a46bd082e9795b74
Currently barbican provides hostname part of hrefs returned in response
based on host_href value defined in barbican.conf.
This approach would not work if barbican API needs to be accessed via
public or internal endpoint as they can be different endpoints in
control planes. The endpoint used by client depends on which network client
is making the API request. For same reasons, keystone also allows different
endpoint for a service to expose as public or internal interface in service
catalog.
To allow that kind of deployment model for barbican service, now enhancing
its logic to derive this hostname (http_scheme+host+port) information from
wsgi requests when host_href value is not set in barbican.conf. So deployment
requiring this behavior can leave host_href blank in their barbican.conf. The
host_href needs to be set empty as not setting it results in default.
Generally in this kind of deployment, proxy (e.g. haproxy) will set
appropriate host, http scheme header. Request url received at barbican side
will have the client IP address and scheme inserted directly inside it.
Reference: https://en.wikipedia.org/wiki/X-Forwarded-For
Updated existing 'change host header' related functional test to skip when
host_href is not set in barbican server side. Added new functional tests when
hrefs are derived from wsgi request. New tests are skipped when host_href is
set at server side.
Added a flag in barbican-functional.conf to indicate barbican server setting
Default is to use CONF.host_href value. Explicit flag is added as functional
test setup may not always have barbican server conf available locally.
Change-Id: Idb8e62867f6cbd457eb64ea31500e93e74d247ea
Closes-Bug: 1541118
One of the messages for a skipped test was "The following plugin(s)
need to be enabled:" and would not list any further info. This fixes
the minor formatting issue.
Change-Id: If946d69646a25bfe3df801b986032dd8bc67c0e1
In preparation for adding a KMIP gate, adds the ability to skip functional
tests that are not compatible with a KMIP device. Some tests are skipped
because invalid algorithms or bit lengths are passed to the device. Other
tests are skipped because the tested feature doesn't exist for the PyKMIP
software server yet.
To enable skipping the non-compatible functional tests for a KMIP back
end, set the environment variable using:
export KMIP_PLUGIN_ENABLED=1
Co-authored-by: Nathan Reller <nathan.reller@jhuapl.edu>
Change-Id: Id908bf57233af84bff56d90c75d175b04ccd4373
Currently when a Secret payload GET is performed, a 500 Error will
be thrown if there is no payload present. The correct behavior
would be to throw a 404.
Change-Id: Ibbe8a592c853fc0196ae7c2daf365754c800fc87
Partial-Bug: #1561701
This CR updates the tests to check for existing project quotas
and uses that count when validating the project quota paging tests.
Change-Id: Ic9e58207207396239280f29b6874fb503fd5195b
Created cleanup functions for secrets and containers. They can be
run just like a single testcase but they aren't included when you
run the functional test suite.
The serets cleanup is run using:
nosetests functionaltests/api/v1/functional/test_secrets.py:SecretsTestCase._cleanup_all_secrets
The containers cleanup is run using:
nosetests functionaltests/api/v1/functional/test_containers.py:ContainersTestCase._cleanup_all_containers
The cleanup code will walk through the list of functional test users
(ie the users specified in the barbican-functional.conf) and delete
all secrets and containers for those users.
You can use this in your own CI/CD process to ensure that a functional
test run always starts zero secrets/containers for the functional
test users.
Change-Id: I949f78729ea7b9a228676a23a2ebc11826e3baf8
This patch adds the api functions for user metadata and tests for
those functions. It is the second of several patches which will
complete the "User Defined Metadata for Barbican Secrets" blueprint.
Other Patches will include:
1.) Documentation
Implements: blueprint add-user-metadata
Change-Id: Iaf83bf5a3b9ed2ea22d4cd3e83ba3a0d5d087adf
This patch introduces the user-meta database table, model, and
repository. It is the first of several patches which will complete
the "User Defined Metadata for Barbican Secrets" Blueprint.
Other Patches will include:
1. ) API and Tests(Unit and Functional)
2. ) Documentation
3. ) Client Upgrades
Implements: blueprint add-user-metadata
Change-Id: I4b6ae9e7090eb66fe8c89e62116d9a8483642a29
Functional tests had default values for Accept header which were
masking a bug when you try to GET a secret with /payload and don't
pass in an accept header.
Fixed this and also updated the functional test client to allow
tests to specify headers to be omitted on a test-by-test basis.
Change-Id: Ia67d37571ca3d561cdcc67ce3c4fb896def35a24
When a large offset is specified in GET API, causes
failure with 500 error. Adding check if offset is
greater than sys.maxsize, set offset to 0 instead of
failing with 500. Setting offset to 0, returns the
number of records (as specified by limit) ordered by
created_date.
Comparing offset with the sys.maxsize which is
compatible of all the different python versions available.
Closes-bug: #1481012
Change-Id: I70a59e0edb9378271e62b6759dfb02c8c0110ac0
Added tests to show the impact of ACL's on container consumers.
Added several edge case ACL tests to verify ACLs do not
override RBAC
Change-Id: Ia503a7abf32640260babb693c94c051e478f7b65
Also refactored the consumer tests to support auth and
unauth tests, as well as certificate container consumers.
Change-Id: I6df0b1c74de37b0b9d4123b4391f11dacdf6b417
The add-to-project and create CA commands can only be performed by
a project administrator when the target CA is either a root CA
or a subCA owned by the admin's project.
This CR adds checks to enforce this condition.
Change-Id: Ifbd7bb471b137a5549a8e627344f8f02adda2ed1
Closes-bug: #1501862
If a CA is preferred and not the last CA of a project, it should
not be deleted. A user is informed of this with a 409 status code.
Otherwise, the CA can be deleted as well as any record of it in the
CA project list and the CA preferred list.
Change-Id: I9a1ee91252ee17746cfcffd11cba520270d09f21
Closes-bug: #1499876
With Python3, the iteritems() method has been removed from dictionarys.
This leaves us with two options:
1) replace with six.iteritems(dictionary)
2) replace with dictionary.items()
The OpenStack Python 3 coders have documented their preference,
and we should follow it. Their preference is dictionary.items()
Change-Id: I2e27819404ae071bd21bfe4555e50dc8df9c65aa
Partially-Implements: blueprint barbican-py3
The Dogtag CA plugin has been modified to support
subordinate CAs. This includes updating the list of
CAs read from the CA when the the ca list is refreshed.
Unit tests for the Dogtag CA have been updated, and functional
tests have been added for the Dogtag CA for subca creation.
Also added some exceptions to convey issues in subca creation
and deletion.
Partially-Implements: blueprint add-cas
Change-Id: I1766cb4a2069ea56d386067c9aa2811a50410a9d
Snakeoil was always using the root CA to sign CSRs. With this
commit it will use the CA whose reference was passed.
Change-Id: I6afee4414aa4d2878f619f0f3650361a7b1d6ea8
Closes-Bug: 1499874
Partially-implements: blueprint add-cas
A subCA is owned by a project and should only be used by a user with
a role in that project. This change adds a check that forces a 403
error indicating authorization issues if a user from a different
project posts and order referencing a subCA.
Change-Id: Ia34c4b0d48f605c491b9604099e8715cb9eff316
Closes-bug: #1498289
Partially-implements: blueprint add-cas