Need to enforce project ownership of subCAs

Bug #1501862 reported by Dave McCowan
This bug affects 1 person
Affects: Barbican
Status: Fix Released
Importance: Critical
Assigned to: Dave McCowan

Bug Description

The add-to-project and create CA commands can only be performed by a project administrator when the target CA is either a root CA or a subCA owned by the admin's project.

Checks should be added to enforce this condition.
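
The ownership rule described above, as an added example (not Barbican's code and not part of the original report): one shared authorization check used by both operations. All names here (`CARegistry`, `owner_project_id`, `Forbidden`, the `admin` role string) are hypothetical. It assumes a root CA has no owning project and that the target CA of the create command is the parent of the new subCA.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class Forbidden(Exception):
    """Caller is not allowed to use the target CA."""


@dataclass
class CA:
    ca_id: str
    # Assumption: a root CA has no owning project; a subCA records its owner.
    owner_project_id: Optional[str] = None


@dataclass
class Caller:
    project_id: str
    roles: Set[str]


@dataclass
class CARegistry:  # hypothetical stand-in for the CA tables
    cas: Dict[str, CA] = field(default_factory=dict)
    project_cas: Dict[str, Set[str]] = field(default_factory=dict)

    def _authorize(self, caller: Caller, ca_id: str) -> CA:
        """Shared check: project admin, and target is root or own subCA."""
        if "admin" not in caller.roles:
            raise Forbidden("project admin role required")
        ca = self.cas[ca_id]  # KeyError for an unknown CA
        if ca.owner_project_id not in (None, caller.project_id):
            raise Forbidden("subCA is owned by another project")
        return ca

    def add_to_project(self, caller: Caller, ca_id: str) -> None:
        self._authorize(caller, ca_id)
        self.project_cas.setdefault(caller.project_id, set()).add(ca_id)

    def create_subca(self, caller: Caller, parent_id: str, new_id: str) -> CA:
        # Authorize before any state changes, so a denied call leaves no CA.
        self._authorize(caller, parent_id)
        self.cas[new_id] = CA(new_id, owner_project_id=caller.project_id)
        return self.cas[new_id]
```

Routing both commands through the same check keeps the two code paths from drifting apart, and a regression test should cover the cross-project case for each command separately.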

Changed in barbican:
assignee: nobody → Dave McCowan (dave-mccowan)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/230062
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=8bbf06caae29c1cafa16f4ed8db83938b9cf94f3
Submitter: Jenkins
Branch: master

commit 8bbf06caae29c1cafa16f4ed8db83938b9cf94f3
Author: Dave McCowan <email address hidden>
Date: Thu Oct 1 14:13:15 2015 -0400

    Enforce project ownership of subCAs

    The add-to-project and create CA commands can only be performed by
    a project administrator when the target CA is either a root CA
    or a subCA owned by the admin's project.

    This CR adds checks to enforce this condition.

    Change-Id: Ifbd7bb471b137a5549a8e627344f8f02adda2ed1
    Closes-bug: #1501862

Changed in barbican:
status: In Progress → Fix Committed
Changed in barbican:
importance: Undecided → Critical
no longer affects: barbican/kilo
no longer affects: barbican/liberty
Changed in barbican:
milestone: liberty-rc2 → mitaka-1
Thierry Carrez (ttx) wrote :

We are tracking pre-release using a single series line (FixCommitted = Fixed in master, FixReleased = Fixed in liberty release branch)

no longer affects: barbican/mitaka
no longer affects: barbican/liberty
Changed in barbican:
status: Triaged → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/230891

OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (stable/liberty)

Reviewed: https://review.openstack.org/230891
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=6845b19f99646d955d6edf18d166709efdc6cfef
Submitter: Jenkins
Branch: stable/liberty

commit 6845b19f99646d955d6edf18d166709efdc6cfef
Author: Dave McCowan <email address hidden>
Date: Thu Oct 1 14:13:15 2015 -0400

    Enforce project ownership of subCAs

    The add-to-project and create CA commands can only be performed by
    a project administrator when the target CA is either a root CA
    or a subCA owned by the admin's project.

    This CR adds checks to enforce this condition.

    Change-Id: Ifbd7bb471b137a5549a8e627344f8f02adda2ed1
    Closes-bug: #1501862
    (cherry picked from commit 8bbf06caae29c1cafa16f4ed8db83938b9cf94f3)

tags: added: in-stable-liberty
Thierry Carrez (ttx)
Changed in barbican:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in barbican:
milestone: liberty-rc2 → 1.0.0
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/235154

OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/235154
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=63b69bd2778410fcc7f0530adc72fc8ed4585d0c
Submitter: Jenkins
Branch: master

commit 7a324b4d03e917f1c990282b39cacb9d543383c9
Author: Chris Solis <email address hidden>
Date: Mon Sep 28 23:19:19 2015 -0500

    Fix db_manage to initialize mysql from base

    Change the db_manage script to include types when
    altering tables and drop constraints before altering tables
    because mysql will not allow actions on a table with constraints.

    Change-Id: Iafacd662f013cb846bcb3f4ecc50e586e04d55b8
    Closes-bug: #1500687
    (cherry picked from commit 2333d5c13a5e57bd6c763b1547c143d7f504ccc3)

commit 6845b19f99646d955d6edf18d166709efdc6cfef
Author: Dave McCowan <email address hidden>
Date: Thu Oct 1 14:13:15 2015 -0400

    Enforce project ownership of subCAs

    The add-to-project and create CA commands can only be performed by
    a project administrator when the target CA is either a root CA
    or a subCA owned by the admin's project.

    This CR adds checks to enforce this condition.

    Change-Id: Ifbd7bb471b137a5549a8e627344f8f02adda2ed1
    Closes-bug: #1501862
    (cherry picked from commit 8bbf06caae29c1cafa16f4ed8db83938b9cf94f3)

commit 588e5d3c48faef86b0746decb72a6ffb3d6d44d6
Author: Dave McCowan <email address hidden>
Date: Fri Sep 25 17:30:46 2015 -0400

    Check a CA's status as project and preferred CA before deleting

    If a CA is preferred and not the last CA of a project, it should
    not be deleted. A user is informed of this with a 409 status code.

    Otherwise, the CA can be deleted as well as any record of it in the
    CA project list and the CA preferred list.

    Change-Id: I9a1ee91252ee17746cfcffd11cba520270d09f21
    Closes-bug: #1499876
    (cherry picked from commit 4afaee095a78cbc473278ac42bb2f9de949af0a8)

commit d582aa6226014b54f30b78bb509893440a780de7
Author: Ade Lee <email address hidden>
Date: Fri Sep 25 00:19:38 2015 -0400

    Add subca functionality to the dogtag plugin

    The Dogtag CA plugin has been modified to support
    subordinate CAs. This includes updating the list of
    CAs read from the CA when the ca list is refreshed.

    Unit tests for the Dogtag CA have been updated, and functional
    tests have been added for the Dogtag CA for subca creation.

    Also added some exceptions to convey issues in subca creation
    and deletion.

    Closes-Bug: #1502320
    Partially-Implements: blueprint add-cas
    Change-Id: I1766cb4a2069ea56d386067c9aa2811a50410a9d
    (cherry picked from commit be40fa7d0393cb30b4c03ce7ee4dcb6c990761a9)

commit 85c7d957495309fb8c9af010c93dd080dc63e97e
Author: Douglas Mendizábal <email address hidden>
Date: Mon Oct 5 00:51:57 2015 -0500

    Update .gitreview to match stable/liberty

    Change-Id: I194ec20f1d9f641455aebfd99e3bad5a38cf7725

commit 3cf0501dfc267dc77936b810b10c583e31cccf64
Author: jfwood <email address hidden>
Date: Mon Sep 28 09:02:33 2015 -0500

    Exit with error code when db_manage.py fails

    The DB migration script db_manage.py always returned a 0 ex...


OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/barbican 1.0.0

This issue was fixed in the openstack/barbican 1.0.0 release.
