Refactor to centralize project ownership validations
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Barbican |
Won't Fix
|
Wishlist
|
Unassigned | ||
Bug Description
This is a wishlist item to refactor some validation checks.
Barbican has a great design for validating incoming API requests. The checks are centralized in common/
However, these routines do not check for project ownership. These validation checks have leaked out of the validators, and into the contollers. They have been implemented ad hoc.
Some examples:
Certificate order with subCA: check that the requester has access to that CA
Certificate order with shared key: check that the requester has access to that key.
Modify SubCA membership to project list or preferred state: check that the requester has ownership of the subCA.
Secret Containers: make sure the container permissions match the secret permissions
One challenge in implementing this: the current validator routines do not have access to the Barbican context information.
The request: centralize ownership related checks into a common set of routines for all API requests that need these checks.
| Dave McCowan (dave-mccowan) wrote | #1 |
| Changed in barbican: | |
| importance: | Undecided → Wishlist |
| Grzegorz Grasza (xek) wrote | #2 |
| Changed in barbican: | |
| status: | New → Won't Fix |
subCA examples don't need to be fixed as they will be deprecated.