Correct RBAC response codes

Change response code form 401 to 403 when an authenticated user attempts to access a resource they do not have permission to. Closes-Bug: 1291008 Change-Id: I3954da658eaa73e96d0ba1eb91c0892bb03f5fea
2014-03-11 14:59:33 -05:00
parent dbcc1d9408
commit 8abef19c1e
3 changed files with 8 additions and 8 deletions
--- a/barbican/api/init.py
+++ b/barbican/api/init.py
@@ -124,10 +124,10 @@ def generate_safe_exception_message(operation_name, excep):
        message = f.title
        status = f.status
    except policy.PolicyNotAuthorized:
-        message = u._('{0} attempt was not authorized - '
+        message = u._('{0} attempt not allowed - '
                      'please review your '
                      'user/tenant privileges').format(operation_name)
-        status = falcon.HTTP_401
+        status = falcon.HTTP_403
    except em.CryptoContentTypeNotSupportedException as cctnse:
        reason = u._("content-type of '{0}' not "
                     "supported").format(cctnse.content_type)
--- a/barbican/api/resources.py
+++ b/barbican/api/resources.py
@@ -36,9 +36,9 @@ from barbican import version
 LOG = utils.getLogger(__name__)


-def _authorization_failed(message, req, resp):
-    """Throw exception that authorization failed."""
-    api.abort(falcon.HTTP_401, message, req, resp)
+def _not_allowed(message, req, resp):
+    """Throw exception for forbidden resource."""
+    api.abort(falcon.HTTP_403, message, req, resp)


 def _secret_not_found(req, resp):
@@ -236,8 +236,8 @@ def enforce_rbac(req, resp, action_name, keystone_id=None):

        # Verify keystone_id matches the tenant ID.
        if keystone_id and keystone_id != ctx.tenant:
-            _authorization_failed(u._("URI tenant does not match "
-                                      "authenticated tenant."), req, resp)
+            _not_allowed(u._("URI tenant does not match "
+                             "authenticated tenant."), req, resp)

        # Enforce special case: secret GET decryption
        if 'secret:get' == action_name and not is_json_request_accept(req):
--- a/barbican/tests/api/test_resources_policy.py
+++ b/barbican/tests/api/test_resources_policy.py
@@ -132,7 +132,7 @@ class BaseTestCase(unittest.TestCase):
                method_under_test()

            exception = cm.exception
-            self.assertEqual(falcon.HTTP_401, exception.status,
+            self.assertEqual(falcon.HTTP_403, exception.status,
                             msg="Expected RBAC fail for role '{0}'".format(
                                 role))