Restrict Use of SubCAs to the owning project

Bug #1498289 reported by Dave McCowan
This bug affects 1 person
Affects: Barbican
Status: Fix Released
Importance: Critical
Assigned to: Dave McCowan

Bug Description

Only a user with an acceptable role within a project should be able to POST a certificate Order for a SubCA.

A 403 should be returned if a user attempts to POST an Order referencing a SubCA owned by a different project.

Changed in barbican:
status: New → In Progress
assignee: nobody → Dave McCowan (dave-mccowan)
Changed in barbican:
importance: Undecided → High
milestone: none → liberty-rc1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/226161

Changed in barbican:
importance: High → Critical
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/226161
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=6e782931db0ab18eb70953b9afcb6d220bc1f756
Submitter: Jenkins
Branch: master

commit 6e782931db0ab18eb70953b9afcb6d220bc1f756
Author: Dave McCowan <email address hidden>
Date: Tue Sep 22 00:51:30 2015 -0400

    Add check to validators that SubCA's project id matches order's project id

    A subCA is owned by a project and should only be used by a user with
    a role in that project. This change adds a check that forces a 403
    error indicating authorization issues if a user from a different
    project posts an order referencing a subCA.

    Change-Id: Ia34c4b0d48f605c491b9604099e8715cb9eff316
    Closes-bug: #1498289
    Partially-implements: blueprint add-cas
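
The ownership check the commit message describes, as an added example that is not Barbican's code or part of the original report. The names `CA`, `CAS`, `validate_order_ca`, `status_for` and the `ca_id` order field are hypothetical, and treating a CA with no project as a shared root CA is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class Forbidden(Exception):
    """Raised for a cross-project subCA reference; the API layer returns 403."""
    status = 403


@dataclass(frozen=True)
class CA:
    ca_id: str
    # Assumption: None marks a shared root CA, a value marks a subCA
    # owned by that project.
    project_id: Optional[str]


# Constructed sample data, not real Barbican records.
CAS: Dict[str, CA] = {
    "root-ca": CA("root-ca", None),
    "subca-a": CA("subca-a", "project-a"),
}


def validate_order_ca(order_meta: dict, caller_project_id: str,
                      cas: Dict[str, CA] = CAS) -> Optional[CA]:
    """Return the CA the order may use, or raise Forbidden.

    caller_project_id must come from the authenticated request context,
    never from a field in the order body.
    """
    ca_id = order_meta.get("ca_id")
    if ca_id is None:
        return None  # no CA named in the order, nothing to check here
    ca = cas.get(ca_id)
    if ca is None:
        raise LookupError(f"unknown CA: {ca_id}")  # handling is an assumption
    if ca.project_id is not None and ca.project_id != caller_project_id:
        raise Forbidden("CA is owned by a different project")
    return ca


def status_for(order_meta: dict, caller_project_id: str) -> str:
    """Summarise the outcome for one constructed request."""
    try:
        validate_order_ca(order_meta, caller_project_id)
        return "allowed"
    except Forbidden as exc:
        return str(exc.status)
```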

Changed in barbican:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in barbican:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in barbican:
milestone: liberty-rc1 → 1.0.0