1 files changed, 16 insertions, 6 deletions

diff --git a/src/mailman_pgp/rest/lists.py b/src/mailman_pgp/rest/lists.py
index bbe2e20..b8175d2 100644
--- a/src/mailman_pgp/rest/lists.py
+++ b/src/mailman_pgp/rest/lists.py
@@ -19,11 +19,14 @@
 from lazr.config import as_boolean
 from mailman.interfaces.action import Action
 from mailman.interfaces.listmanager import IListManager
+from mailman.interfaces.member import MemberRole
 from mailman.rest.helpers import (accepted, bad_request,
                                   child, CollectionMixin, etag, GetterSetter,
-                                  no_content, not_found, NotFound, okay)
+                                  no_content, not_found, NotFound, okay,
+                                  ChildError)
 from mailman.rest.validator import (enum_validator, PatchValidator,
                                     UnknownPATCHRequestError, Validator)
+from pgpy.errors import PGPError
 from public import public
 from zope.component import getUtility
 
@@ -31,6 +34,9 @@ from mailman_pgp.config import config
 from mailman_pgp.database import transaction
 from mailman_pgp.model.list import PGPMailingList
 from mailman_pgp.utils.pgp import key_from_blob
+from mailman_pgp.utils.rest import enumflag_validator, workflow_validator
+from mailman_pgp.workflows.key_change import (KeyChangeWorkflow,
+                                              KeyChangeModWorkflow)
 
 CONFIGURATION = dict(
         unsigned_msg_action=GetterSetter(enum_validator(Action)),
@@ -42,7 +48,10 @@ CONFIGURATION = dict(
         strip_original_sig=GetterSetter(as_boolean),
         sign_outgoing=GetterSetter(as_boolean),
         nonencrypted_msg_action=GetterSetter(enum_validator(Action)),
-        encrypt_outgoing=GetterSetter(as_boolean)
+        encrypt_outgoing=GetterSetter(as_boolean),
+        key_change_workflow=GetterSetter(
+                workflow_validator(KeyChangeWorkflow, KeyChangeModWorkflow)),
+        key_signing_allowed=GetterSetter(enumflag_validator(MemberRole))
 )
 
 
@@ -120,9 +129,8 @@ class APGPList(_PGPListBase):
             try:
                 validator = PatchValidator(request, CONFIGURATION)
             except UnknownPATCHRequestError as error:
-                bad_request(
-                        response,
-                        'Unknown attribute: {}'.format(error.attribute))
+                bad_request(response,
+                            'Unknown attribute: {}'.format(error.attribute))
                 return
             try:
                 with transaction():
@@ -136,6 +144,8 @@ class APGPList(_PGPListBase):
     def key(self, context, segments):
         if self._mlist is None:
             return NotFound(), []
+        if not config.get_value('rest', 'expose_private_key'):
+            return ChildError(403), []
         return AListKey(self._mlist), []
 
     @child()
@@ -167,7 +177,7 @@ class AListKey:
         try:
             validator = Validator(key=GetterSetter(key_from_blob))
             values = validator(request)
-        except ValueError as error:
+        except (ValueError, PGPError) as error:
             bad_request(response, str(error))
             return
         with transaction():