From ef9a6f38679ce838e8ebc523b8c4796cafd0702c Mon Sep 17 00:00:00 2001 From: Nam Nguyen Hoai Date: Fri, 6 Apr 2018 14:43:55 +0700 Subject: [PATCH] Initial OVO for Barbican Creating a initial patch set for OVO in Barbican. Partial Implements: blueprint rolling-upgrade Change-Id: I13ae209bdafd8ed857925650fbe13b3b9ca78847 --- barbican/model/repositories.py | 54 +++++++++ barbican/objects/__init__.py | 83 +++++++++++++ barbican/objects/base.py | 205 +++++++++++++++++++++++++++++++++ barbican/objects/fields.py | 98 ++++++++++++++++ lower-constraints.txt | 1 + requirements.txt | 1 + tox.ini | 1 + 7 files changed, 443 insertions(+) create mode 100644 barbican/objects/__init__.py create mode 100644 barbican/objects/base.py create mode 100644 barbican/objects/fields.py diff --git a/barbican/model/repositories.py b/barbican/model/repositories.py index 1845ff975..8319f1fa7 100644 --- a/barbican/model/repositories.py +++ b/barbican/model/repositories.py @@ -52,6 +52,7 @@ sa_logger = None # Singleton repository references, instantiated via get_xxxx_repository() # functions below. Please keep this list in alphabetical order. _CA_REPOSITORY = None +_CONTAINER_ACL_USER_REPOSITORY = None _CONTAINER_ACL_REPOSITORY = None _CONTAINER_CONSUMER_REPOSITORY = None _CONTAINER_REPOSITORY = None @@ -66,6 +67,7 @@ _PREFERRED_CA_REPOSITORY = None _PROJECT_REPOSITORY = None _PROJECT_CA_REPOSITORY = None _PROJECT_QUOTAS_REPOSITORY = None +_SECRET_ACL_USER_REPOSITORY = None _SECRET_ACL_REPOSITORY = None _SECRET_META_REPOSITORY = None _SECRET_USER_META_REPOSITORY = None @@ -1984,6 +1986,26 @@ class SecretACLRepo(BaseRepo): entity.delete(session=session) +class SecretACLUserRepo(BaseRepo): + """Repository for the SecretACLUser entity.""" + + def _do_entity_name(self): + """Sub-class hook: return entity name, such as for debugging.""" + return "SecretACLUser" + + def _do_build_get_query(self, entity_id, external_project_id, session): + """Sub-class hook: build a retrieve query.""" + + query = session.query(models.SecretACLUser) + query = query.filter_by(id=entity_id) + + return query + + def _do_validate(self, values): + """Sub-class hook: validate values.""" + pass + + class ContainerACLRepo(BaseRepo): """Repository for the ContainerACL entity. @@ -2080,6 +2102,25 @@ class ContainerACLRepo(BaseRepo): entity.delete(session=session) +class ContainerACLUserRepo(BaseRepo): + """Repository for ContainerACLUser entity.""" + def _do_entity_name(self): + """Sub-class hook: return entity name, such as for debugging.""" + return "ContainerACLUser" + + def _do_build_get_query(self, entity_id, external_project_id, session): + """Sub-class hook: build a retrieve query.""" + + query = session.query(models.ContainerACLUser) + query = query.filter_by(id=entity_id) + + return query + + def _do_validate(self, values): + """Sub-class hook: validate values.""" + pass + + class ProjectQuotasRepo(BaseRepo): """Repository for the ProjectQuotas entity.""" def _do_entity_name(self): @@ -2382,6 +2423,13 @@ def get_container_secret_repository(): return _get_repository(_CONTAINER_SECRET_REPOSITORY, ContainerSecretRepo) +def get_container_acl_user_repository(): + """Returns a singleton Container-ACL-User repository instance.""" + global _CONTAINER_ACL_USER_REPOSITORY + return _get_repository(_CONTAINER_ACL_USER_REPOSITORY, + ContainerACLUserRepo) + + def get_encrypted_datum_repository(): """Returns a singleton Encrypted Datum repository instance.""" global _ENCRYPTED_DATUM_REPOSITORY @@ -2453,6 +2501,12 @@ def get_secret_acl_repository(): return _get_repository(_SECRET_ACL_REPOSITORY, SecretACLRepo) +def get_secret_acl_user_repository(): + """Returns a singleton Secret-ACL-User repository instance.""" + global _SECRET_ACL_USER_REPOSITORY + return _get_repository(_SECRET_ACL_USER_REPOSITORY, SecretACLUserRepo) + + def get_secret_meta_repository(): """Returns a singleton Secret meta repository instance.""" global _SECRET_META_REPOSITORY diff --git a/barbican/objects/__init__.py b/barbican/objects/__init__.py new file mode 100644 index 000000000..31c7e2cdb --- /dev/null +++ b/barbican/objects/__init__.py @@ -0,0 +1,83 @@ +# Copyright 2018 Fujitsu. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from barbican.objects import base +from barbican.objects import certificate_authority +from barbican.objects import container +from barbican.objects import container_acl +from barbican.objects import container_consumer_meta +from barbican.objects import container_secret +from barbican.objects import encrypted_datum +from barbican.objects import kekdatum +from barbican.objects import order +from barbican.objects import order_barbican_metadatum +from barbican.objects import order_plugin_metadatum +from barbican.objects import order_retry_task +from barbican.objects import project +from barbican.objects import project_quotas +from barbican.objects import project_secret_store +from barbican.objects import secret +from barbican.objects import secret_acl +from barbican.objects import secret_store_metadatum +from barbican.objects import secret_stores +from barbican.objects import secret_user_metadatum +from barbican.objects import transport_key + +States = base.States +BarbicanObject = base.BarbicanObject +CertificateAuthority = certificate_authority.CertificateAuthority +Container = container.Container +ContainerACL = container_acl.ContainerACL +ContainerConsumerMetadatum = container_consumer_meta.ContainerConsumerMetadatum +ContainerSecret = container_secret.ContainerSecret +EncryptedDatum = encrypted_datum.EncryptedDatum +Order = order.Order +OrderBarbicanMetadatum = order_barbican_metadatum.OrderBarbicanMetadatum +OrderPluginMetadatum = order_plugin_metadatum.OrderPluginMetadatum +OrderRetryTask = order_retry_task.OrderRetryTask +Project = project.Project +ProjectQuotas = project_quotas.ProjectQuotas +ProjectSecretStore = project_secret_store.ProjectSecretStore +TransportKey = transport_key.TransportKey +KEKDatum = kekdatum.KEKDatum +Secret = secret.Secret +SecretACL = secret_acl.SecretACL +SecretStores = secret_stores.SecretStores +SecretUserMetadatum = secret_user_metadatum.SecretUserMetadatum +SecretStoreMetadatum = secret_store_metadatum.SecretStoreMetadatum + +__all__ = ( + States, + BarbicanObject, + CertificateAuthority, + Container, + ContainerACL, + ContainerConsumerMetadatum, + ContainerSecret, + EncryptedDatum, + Order, + OrderBarbicanMetadatum, + OrderPluginMetadatum, + OrderRetryTask, + Project, + ProjectQuotas, + ProjectSecretStore, + KEKDatum, + Secret, + SecretACL, + SecretStores, + SecretUserMetadatum, + SecretStoreMetadatum, + TransportKey, +) diff --git a/barbican/objects/base.py b/barbican/objects/base.py new file mode 100644 index 000000000..ccf66b214 --- /dev/null +++ b/barbican/objects/base.py @@ -0,0 +1,205 @@ +# Copyright 2018 Fujitsu. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +"""Barbican common internal objects model""" + +from oslo_versionedobjects import base as object_base + +from barbican.model import repositories as repos +from barbican.objects import fields + + +class States(object): + PENDING = 'PENDING' + ACTIVE = 'ACTIVE' + ERROR = 'ERROR' + + @classmethod + def is_valid(cls, state_to_test): + """Tests if a state is a valid one.""" + return state_to_test in cls.__dict__ + + +class BarbicanPersistentObject(object): + fields = { + 'id': fields.StringField(nullable=True, default=None), + 'created_at': fields.DateTimeField(nullable=True, tzinfo_aware=False), + 'updated_at': fields.DateTimeField(nullable=True, tzinfo_aware=False), + 'deleted_at': fields.DateTimeField(nullable=True, tzinfo_aware=False), + 'deleted': fields.BooleanField(nullable=True), + 'status': fields.StringField(nullable=True, default=States.PENDING) + } + + +class BarbicanObject(object_base.VersionedObject): + + # Version 1.0: Initial version + VERSION = '1.0' + + OBJ_PROJECT_NAMESPACE = 'barbican' + synthetic_fields = [] + + # NOTE(namnh): The db_model, db_repo class variable should be inherited + # by sub-classes. + # For example, in the Secret object has to have "db_model = models.Secret" + # and "db_repo = repo.get_secret_repository()". + db_model = None + db_repo = repos.BaseRepo() + + def __init__(self, context=None, **kwargs): + super(BarbicanObject, self).__init__(context=context, **kwargs) + self.dict_fields = None + self.obj_set_defaults() + + def set_attribute(self, name_attr, value_attr=None): + setattr(self, name_attr, value_attr) + + def _get_db_entity(self): + return self.db_model() + + def _get_changed_persistent_fields(self): + change_fields = self.obj_get_changes() + for field in self.synthetic_fields: + if field in change_fields: + del change_fields[field] + return change_fields + + def _validate_fields(self, change_fields): + """Validate fields before creating model + + In order to verify fields before saving a model to database. It should + be inherited by sub-class in case the class need to verify. + """ + pass + + def _from_db_object(self, db_entity): + if db_entity is None: + return None + for field in self.fields: + if field not in self.synthetic_fields: + self.set_attribute(field, db_entity[field]) + self.load_synthetic_db_fields(db_entity=db_entity) + self.dict_fields = db_entity.to_dict_fields() + self.obj_reset_changes() + return self + + def to_dict_fields(self): + return self.dict_fields + + def register_value(self, data=None, **kwargs): + data = data or dict() + data.update(kwargs) + for key, value in data.items(): + setattr(self, key, value) + + @classmethod + def is_synthetic(cls, field): + return field in cls.synthetic_fields + + @classmethod + def load_object(cls, db_entity): + obj = cls() + obj._from_db_object(db_entity=db_entity) + return obj + + def load_synthetic_db_fields(self, db_entity): + """Load synthetic database field. + + :param db_entity: Database model + :return: None + """ + for field in self.synthetic_fields: + objclasses = object_base.VersionedObjectRegistry.obj_classes( + ).get(self.fields[field].objname) + + objclass = objclasses[0] + synth_db_objs = db_entity.get(field, None) + + # NOTE(namnh): synth_db_objs can be list, dict, empty list + if isinstance(self.fields[field], fields.DictOfObjectsField): + dict_entity_object = {key: objclass.load_object(value) + for key, value in synth_db_objs.items()} + setattr(self, field, dict_entity_object) + elif isinstance(self.fields[field], fields.ListOfObjectsField): + entities_object = [objclass.load_object(entity) + for entity in synth_db_objs] + setattr(self, field, entities_object) + else: + # At this moment, this field is an ObjectField. + entity_object = objclass.load_object(synth_db_objs) + setattr(self, field, entity_object) + self.obj_reset_changes([fields]) + + def create(self, session=None): + change_fields = self._get_changed_persistent_fields() + self._validate_fields(change_fields) + db_entity = self._get_db_entity() + db_entity.update(change_fields) + db_entity = self.db_repo.create_from(db_entity, session=session) + self._from_db_object(db_entity) + + def save(self, session=None): + """To update new values to a row in database.""" + change_fields = self._get_changed_persistent_fields() + self.db_repo.update_from(self.db_model, self.id, + change_fields, session=session) + self.obj_reset_changes() + + def delete(self, session): + raise NotImplementedError() + + @classmethod + def get(cls, entity_id, external_project_id=None, + force_show_deleted=False, + suppress_exception=False, session=None): + """Get an entity or raise if it does not exist""" + db_entity = cls.db_repo.get( + entity_id, external_project_id=external_project_id, + force_show_deleted=force_show_deleted, + suppress_exception=suppress_exception, session=session) + if db_entity: + return cls()._from_db_object(db_entity) + else: + return None + + @classmethod + def get_session(cls, session=None): + return cls.db_repo.get_session(session) + + @classmethod + def delete_entity_by_id(cls, entity_id, external_project_id, + session=None): + cls.db_repo.delete_entity_by_id( + entity_id, external_project_id, session=session) + + @classmethod + def get_project_entities(cls, project_id, session=None): + """Gets entities associated with a given project.""" + entities_db = cls.db_repo.get_project_entities(project_id, + session=session) + entities_object = [cls()._from_db_object(entity_db) + for entity_db in entities_db] if entities_db else [] + return entities_object + + @classmethod + def get_count(cls, project_id, session=None): + """Gets count of entities associated with a given project""" + return cls.db_repo.get_count(project_id, session=session) + + @classmethod + def delete_project_entities(cls, project_id, + suppress_exception=False, + session=None): + """Deletes entities for a given project.""" + cls.db_repo.delete_project_entities( + project_id, suppress_exception=suppress_exception, session=session) diff --git a/barbican/objects/fields.py b/barbican/objects/fields.py new file mode 100644 index 000000000..229c2eee3 --- /dev/null +++ b/barbican/objects/fields.py @@ -0,0 +1,98 @@ +# Copyright 2018 Fujitsu. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +import json + +from oslo_versionedobjects import fields +import six + +# Import field errors from oslo.versionedobjects +KeyTypeError = fields.KeyTypeError +ElementTypeError = fields.ElementTypeError + +# Import fields from oslo.versionedobjects +BooleanField = fields.BooleanField +UnspecifiedDefault = fields.UnspecifiedDefault +IntegerField = fields.IntegerField +NonNegativeIntegerField = fields.NonNegativeIntegerField +UUIDField = fields.UUIDField +FloatField = fields.FloatField +NonNegativeFloatField = fields.NonNegativeFloatField +StringField = fields.StringField +SensitiveStringField = fields.SensitiveStringField +EnumField = fields.EnumField +DateTimeField = fields.DateTimeField +DictOfStringsField = fields.DictOfStringsField +DictOfNullableStringsField = fields.DictOfNullableStringsField +DictOfIntegersField = fields.DictOfIntegersField +ListOfStringsField = fields.ListOfStringsField +SetOfIntegersField = fields.SetOfIntegersField +ListOfSetsOfIntegersField = fields.ListOfSetsOfIntegersField +ListOfDictOfNullableStringsField = fields.ListOfDictOfNullableStringsField +DictProxyField = fields.DictProxyField +ObjectField = fields.ObjectField +ListOfObjectsField = fields.ListOfObjectsField +VersionPredicateField = fields.VersionPredicateField +FlexibleBooleanField = fields.FlexibleBooleanField +DictOfListOfStringsField = fields.DictOfListOfStringsField +IPAddressField = fields.IPAddressField +IPV4AddressField = fields.IPV4AddressField +IPV6AddressField = fields.IPV6AddressField +IPV4AndV6AddressField = fields.IPV4AndV6AddressField +IPNetworkField = fields.IPNetworkField +IPV4NetworkField = fields.IPV4NetworkField +IPV6NetworkField = fields.IPV6NetworkField +AutoTypedField = fields.AutoTypedField +BaseEnumField = fields.BaseEnumField +MACAddressField = fields.MACAddressField +ListOfIntegersField = fields.ListOfIntegersField +PCIAddressField = fields.PCIAddressField + +Enum = fields.Enum +Field = fields.Field +FieldType = fields.FieldType +Set = fields.Set +Dict = fields.Dict +List = fields.List +Object = fields.Object +IPAddress = fields.IPAddress +IPV4Address = fields.IPV4Address +IPV6Address = fields.IPV6Address +IPNetwork = fields.IPNetwork +IPV4Network = fields.IPV4Network +IPV6Network = fields.IPV6Network + + +class Json(FieldType): + def coerce(self, obj, attr, value): + if isinstance(value, six.string_types): + loaded = json.loads(value) + return loaded + return value + + def from_primitive(self, obj, attr, value): + return self.coerce(obj, attr, value) + + def to_primitive(self, obj, attr, value): + return json.dumps(value) + + +class DictOfObjectsField(AutoTypedField): + def __init__(self, objtype, subclasses=False, **kwargs): + self.AUTO_TYPE = Dict(Object(objtype, subclasses)) + self.objname = objtype + super(DictOfObjectsField, self).__init__(**kwargs) + + +class JsonField(AutoTypedField): + AUTO_TYPE = Json() diff --git a/lower-constraints.txt b/lower-constraints.txt index a3037bf62..b7df09545 100644 --- a/lower-constraints.txt +++ b/lower-constraints.txt @@ -74,6 +74,7 @@ oslo.policy==1.30.0 oslo.serialization==2.18.0 oslo.service==1.24.0 oslo.utils==3.33.0 +oslo.versionedobjects==1.31.2 oslotest==3.2.0 paramiko==2.4.1 Paste==2.0.2 diff --git a/requirements.txt b/requirements.txt index fdf57a4e4..86ded330a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -18,6 +18,7 @@ oslo.policy>=1.30.0 # Apache-2.0 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0 oslo.utils>=3.33.0 # Apache-2.0 +oslo.versionedobjects>=1.31.2 # Apache-2.0 Paste>=2.0.2 # MIT PasteDeploy>=1.5.0 # MIT pbr!=2.1.0,>=2.0.0 # Apache-2.0 diff --git a/tox.ini b/tox.ini index e46ce0e37..ee398ad00 100644 --- a/tox.ini +++ b/tox.ini @@ -141,3 +141,4 @@ deps = -c{toxinidir}/lower-constraints.txt -r{toxinidir}/test-requirements.txt -r{toxinidir}/requirements.txt +