Refactor to centralize project ownership validations
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Barbican | Won't Fix | Wishlist | Unassigned | |
Bug Description
This is a wishlist item to refactor some validation checks.
Barbican has a great design for validating incoming API requests. The checks are centralized in common/
However, these routines do not check for project ownership. These validation checks have leaked out of the validators, and into the controllers. They have been implemented ad hoc.
Some examples:
- Certificate order with subCA: check that the requester has access to that CA
- Certificate order with shared key: check that the requester has access to that key.
- Modify SubCA membership to project list or preferred state: check that the requester has ownership of the subCA.
- Secret Containers: make sure the container permissions match the secret permissions
One challenge in implementing this: the current validator routines do not have access to the Barbican context information.
The request: centralize ownership-related checks into a common set of routines for all API requests that need these checks.
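A sketch of the requested refactor, added here as an example and not Barbican code: a validator built per request with the caller's context, so the secret and container ownership checks live in one place. All class and function names are hypothetical, the data is constructed, and "access" is simplified to same-project ownership (ACLs are ignored).

```python
from dataclasses import dataclass

# Hypothetical names throughout: not Barbican's real classes or functions.
class OwnershipError(Exception):
    """The requester's project does not own a referenced resource."""

@dataclass(frozen=True)
class RequestContext:
    project_id: str  # project the authenticated requester acts for

@dataclass(frozen=True)
class Secret:
    secret_id: str
    project_id: str

@dataclass(frozen=True)
class Container:
    container_id: str
    project_id: str
    secret_ids: tuple

class OwnershipValidator:
    """One place for ownership checks; built per request so it sees the context."""
    def __init__(self, ctx, secrets, containers):
        self.ctx = ctx
        self.secrets = secrets        # id -> Secret, stand-in for a repository
        self.containers = containers  # id -> Container

    def _owned(self, kind, table, ref):
        obj = table.get(ref)
        # Missing and foreign resources fail identically, so IDs cannot be probed.
        if obj is None or obj.project_id != self.ctx.project_id:
            raise OwnershipError(f"{kind} {ref} not found")
        return obj

    def require_secret(self, ref):
        return self._owned("secret", self.secrets, ref)

    def require_container(self, ref):
        container = self._owned("container", self.containers, ref)
        for secret_ref in container.secret_ids:  # every member must be owned too
            self.require_secret(secret_ref)
        return container

# Constructed sample data: two projects, one container mixing their secrets.
SECRETS = {"s1": Secret("s1", "proj-a"), "s2": Secret("s2", "proj-b")}
CONTAINERS = {"c1": Container("c1", "proj-a", ("s1",)),
              "c2": Container("c2", "proj-a", ("s1", "s2"))}

def allowed(project_id, kind, ref):
    """True if the project passes the ownership check for a secret or container."""
    v = OwnershipValidator(RequestContext(project_id), SECRETS, CONTAINERS)
    check = v.require_secret if kind == "secret" else v.require_container
    try:
        check(ref)
    except OwnershipError:
        return False
    return True
```

Controllers would call the validator instead of repeating the project comparison inline, so a new resource type gets its check added once.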
Changed in barbican:
importance: Undecided → Wishlist
subCA examples don't need to be fixed as they will be deprecated.