From 1598d1e44ceaf9a712a32815fa0e7ab5e2096593 Mon Sep 17 00:00:00 2001 From: Nam Nguyen Hoai Date: Fri, 1 Sep 2017 09:16:09 +0700 Subject: [PATCH] Implement OVO for Barbican [3] This patch set is to create a Base class OVO and implement some model classes like below: - Container - ContainerACL - ContainerACLUser - ContainerCosumerMetadatum - ContainerSecret Change-Id: I641811388292d1ad71dbd19935d2785c94da7b73 Co-Authored-By: Kien Nguyen Partial-Implements: blueprint rolling-upgrade --- barbican/objects/container.py | 130 +++++++++++++++ barbican/objects/container_acl.py | 174 ++++++++++++++++++++ barbican/objects/container_acl_user.py | 46 ++++++ barbican/objects/container_consumer_meta.py | 125 ++++++++++++++ barbican/objects/container_secret.py | 40 +++++ 5 files changed, 515 insertions(+) create mode 100644 barbican/objects/container.py create mode 100644 barbican/objects/container_acl.py create mode 100644 barbican/objects/container_acl_user.py create mode 100644 barbican/objects/container_consumer_meta.py create mode 100644 barbican/objects/container_secret.py diff --git a/barbican/objects/container.py b/barbican/objects/container.py new file mode 100644 index 000000000..40114be9f --- /dev/null +++ b/barbican/objects/container.py @@ -0,0 +1,130 @@ +# Copyright 2018 Fujitsu. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +from oslo_versionedobjects import base as object_base + +from barbican.model import models +from barbican.model import repositories as repos +from barbican.objects import base +from barbican.objects import container_secret as con_se +from barbican.objects import fields + +TYPE_VALUE = ['generic', 'rsa', 'dsa', 'certificate'] + + +@object_base.VersionedObjectRegistry.register +class Container(base.BarbicanObject, base.BarbicanPersistentObject, + object_base.VersionedObjectDictCompat): + fields = { + 'name': fields.StringField(nullable=True, default=None), + 'type': fields.EnumField(nullable=True, valid_values=TYPE_VALUE), + 'project_id': fields.StringField(nullable=True, default=None), + 'creator_id': fields.StringField(nullable=True, default=None), + 'consumers': fields.ListOfObjectsField('ContainerConsumerMetadatum', + default=list()), + 'container_secrets': fields.ListOfObjectsField('ContainerSecret', + default=list()), + 'container_acls': fields.ListOfObjectsField('ContainerACL', + default=list()), + 'project': fields.ObjectField('Project', nullable=True, default=None) + } + + db_model = models.Container + db_repo = repos.get_container_repository() + synthetic_fields = ['consumers', 'container_secrets', + 'container_acls', 'project'] + + def __init__(self, context=None, parsed_request=None, **kwargs): + super(Container, self).__init__(context=context, **kwargs) + if parsed_request: + self.name = parsed_request.get('name') + self.type = parsed_request.get('type') + self.status = base.States.ACTIVE + self.creator_id = parsed_request.get('creator_id') + + secret_refs = parsed_request.get('secret_refs') + if secret_refs: + for secret_ref in parsed_request.get('secret_refs'): + container_secret = con_se.ContainerSecret() + container_secret.name = secret_ref.get('name') + secret_id = secret_ref.get('secret_ref') + if secret_id.endswith('/'): + secret_id = secret_id.rsplit('/', 2)[1] + elif '/' in secret_id: + secret_id = secret_id.rsplit('/', 1)[1] + else: + secret_id = secret_id + container_secret.secret_id = secret_id + self.container_secrets.append(container_secret) + + def _get_db_entity(self, data=None): + return self.db_model(parsed_request=data) + + def _attach_container_secret(self, container_secrets, container_id, + session): + if container_secrets: + for container_secret in container_secrets: + container_secret.container_id = container_id + if container_secret.id is None: + self.container_secrets.append(container_secret.create( + session=session)) + else: + self.container_secrets.append(container_secret.save( + session=session)) + + def _attach_consumers(self, consumers, container_id, session): + if consumers: + for consumer in consumers: + consumer.container_id = container_id + if consumer.id is None: + self.consumers.append(consumer.create(session=session)) + else: + self.consumers.append(consumer.save(session=session)) + + def create(self, session=None): + fields = self.obj_get_changes() + super(Container, self).create(session=session) + if 'container_secrets' in fields: + self._attach_container_secret( + fields['container_secrets'], + container_id=self.id, session=session) + if 'consumers' in fields: + self._attach_consumers(fields['consumers'], + container_id=self.id, session=session) + + def save(self, session=None): + fields = self.obj_get_changes() + super(Container, self).save(session=session) + if 'consumers' in fields: + self._attach_consumers(fields['consumers'], + container_id=self.id, session=session) + + @classmethod + def get_by_create_date(cls, external_project_id, offset_arg=None, + limit_arg=None, name_arg=None, + suppress_exception=False, session=None): + entities_db, offset, limit, total = cls.db_repo.get_by_create_date( + external_project_id, offset_arg, limit_arg, name_arg, + suppress_exception, session + ) + entities_obj = [cls()._from_db_object(entity_db) + for entity_db in entities_db] + return entities_obj, offset, limit, total + + @classmethod + def get_container_by_id(cls, entity_id, suppress_exception=False, + session=None): + entity_db = cls.db_repo.get_container_by_id(entity_id, + suppress_exception, + session) + return cls()._from_db_object(entity_db) diff --git a/barbican/objects/container_acl.py b/barbican/objects/container_acl.py new file mode 100644 index 000000000..890f2406a --- /dev/null +++ b/barbican/objects/container_acl.py @@ -0,0 +1,174 @@ +# Copyright 2018 Fujitsu. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +from oslo_utils import timeutils +from oslo_versionedobjects import base as object_base + +from barbican.common import exception +from barbican import i18n as u +from barbican.model import models +from barbican.model import repositories as repo +from barbican.objects import base +from barbican.objects import container_acl_user +from barbican.objects import fields + + +@object_base.VersionedObjectRegistry.register +class ContainerACL(base.BarbicanObject, base.BarbicanPersistentObject, + object_base.VersionedObjectDictCompat): + fields = { + 'container_id': fields.StringField(), + 'operation': fields.StringField(), + 'project_access': fields.BooleanField(default=True), + 'acl_users': fields.ListOfObjectsField('ContainerACLUser', + default=list()), + 'status': fields.StringField(nullable=True, default=base.States.ACTIVE) + } + + db_model = models.ContainerACL + db_repo = repo.get_container_acl_repository() + synthetic_fields = ['acl_users'] + + def _validate_fields(self, change_fields): + + msg = u._("Must supply non-None {0} argument for ContainerACL entry.") + + if change_fields.get('container_id') is None: + raise exception.MissingArgumentError(msg.format("container_id")) + + if change_fields.get('operation') is None: + raise exception.MissingArgumentError(msg.format("operation")) + + def _get_db_entity(self, user_ids=None): + return self.db_model(user_ids=user_ids) + + def create(self, session=None, user_ids=None): + change_fields = self._get_changed_persistent_fields() + self._validate_fields(change_fields) + db_entity = self._get_db_entity(user_ids=user_ids) + db_entity.update(change_fields) + db_entity = self.db_repo.create_from(db_entity, session=session) + self._from_db_object(db_entity) + + def delete(self, session): + entity_id = self.id + self.db_repo.delete_entity_by_id( + entity_id=entity_id, external_project_id=None, session=session) + + @classmethod + def get_by_container_id(cls, container_id, session=None): + entities_db = cls.db_repo.get_by_container_id(container_id, session) + entities = [cls()._from_db_object(entity_db) + for entity_db in entities_db] + return entities + + @classmethod + def create_or_replace_from(cls, container, container_acl, + user_ids=None, session=None): + """Create or replace Secret and SecretACL + + :param container: an instance of Container object + :param container_acl: an instance of ContainerACL object + :param user_ids: + :param session: a session to connect with database + """ + session = cls.get_session(session) + container.updated_at = timeutils.utcnow() + container.save(session=session) + container_acl.updated_at = timeutils.utcnow() + if container_acl.id is None: + container_acl.create(session=session, user_ids=user_ids) + else: + container_acl.save(session=session) + cls._create_or_replace_acl_users(container_acl=container_acl, + user_ids=user_ids, session=session) + + @classmethod + def create_or_replace_from_model(cls, container, container_acl, + user_ids=None, session=None): + """Create or replace Secret and SecretACL + + :param container: an instance of Container model + :param container_acl: an instance of ContainerACL object + :param user_ids: + :param session: a session to connect with database + + It is used during converting from model to OVO. It will be removed + after Container resource is implemented OVO. + """ + session = cls.get_session(session) + container.updated_at = timeutils.utcnow() + container.save(session=session) + now = timeutils.utcnow() + container_acl.updated_at = now + if container_acl.id is None: + container_acl.create(session=session, user_ids=user_ids) + else: + container_acl.save(session=session) + cls._create_or_replace_acl_users(container_acl=container_acl, + user_ids=user_ids, session=session) + + @classmethod + def _create_or_replace_acl_users(cls, container_acl, user_ids, + session=None): + if user_ids is None: + return + + user_ids = set(user_ids) + + now = timeutils.utcnow() + session = session or cls.get_session(session) + container_acl.updated_at = now + + for acl_user in container_acl.acl_users: + if acl_user.user_id in user_ids: # input user_id already exists + acl_user.updated_at = now + acl_user.save(session=session) + user_ids.remove(acl_user.user_id) + else: + acl_user.delete(session=session) + + for user_id in user_ids: + acl_user = container_acl_user.ContainerACLUser( + acl_id=container_acl.id, user_id=user_id) + acl_user.create(session=session) + + if container_acl.id: + container_acl.save(session=session) + else: + container_acl.create(session=session) + + @classmethod + def get_count(cls, container_id, session=None): + query = cls.db_repo.get_count(container_id, session) + return query + + @classmethod + def delete_acls_for_container(cls, container, session=None): + + # TODO(namnh) + # After Container resource is implemented, This function + # will be updated source code being used. + session = cls.get_session(session=session) + for entity in container.container_acls: + entity.delete(session=session) + + @classmethod + def delete_acls_for_container_model(cls, container, session=None): + """Delete ACLs in Container + + Used during converting Model to OVO, it will be removed in near future. + :param container: instance of Container model + :param session: connection to database + """ + cls.db_repo.delete_acls_for_container(container, session) diff --git a/barbican/objects/container_acl_user.py b/barbican/objects/container_acl_user.py new file mode 100644 index 000000000..5325a0c09 --- /dev/null +++ b/barbican/objects/container_acl_user.py @@ -0,0 +1,46 @@ +# Copyright 2018 Fujitsu. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +from oslo_versionedobjects import base as object_base + +from barbican.common import exception +from barbican import i18n as u +from barbican.model import models +from barbican.model import repositories as repos +from barbican.objects import base +from barbican.objects import fields + + +@object_base.VersionedObjectRegistry.register +class ContainerACLUser(base.BarbicanObject, base.BarbicanPersistentObject, + object_base.VersionedObjectDictCompat): + fields = { + 'acl_id': fields.StringField(), + 'user_id': fields.StringField(), + 'status': fields.StringField(nullable=True, default=base.States.ACTIVE) + } + + db_model = models.ContainerACLUser + db_repo = repos.get_container_acl_user_repository() + + def _validate_fields(self, change_fields): + + if change_fields.get('user_id') is None: + msg = u._("Must supply non-None {0} argument for ContainerACLUser " + "entry.") + raise exception.MissingArgumentError(msg.format("user_id")) + + def delete(self, session): + entity_id = self.id + self.db_repo.delete_entity_by_id( + entity_id=entity_id, external_project_id=None, session=session) diff --git a/barbican/objects/container_consumer_meta.py b/barbican/objects/container_consumer_meta.py new file mode 100644 index 000000000..478b01eea --- /dev/null +++ b/barbican/objects/container_consumer_meta.py @@ -0,0 +1,125 @@ +# Copyright 2018 Fujitsu. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +from oslo_db import exception as db_exc +from oslo_utils import timeutils +from oslo_versionedobjects import base as object_base + +from barbican.common import utils +from barbican.model import models +from barbican.model import repositories as repos +from barbican.objects import base +from barbican.objects import fields + +LOG = utils.getLogger(__name__) + + +@object_base.VersionedObjectRegistry.register +class ContainerConsumerMetadatum(base.BarbicanObject, + base.BarbicanPersistentObject, + object_base.VersionedObjectDictCompat): + fields = { + 'container_id': fields.StringField(nullable=False), + 'project_id': fields.StringField(nullable=True, default=None), + 'name': fields.StringField(nullable=True, default=None), + 'URL': fields.StringField(nullable=True, default=None), + 'data_hash': fields.StringField(nullable=True, default=None) + } + + db_model = models.ContainerConsumerMetadatum + db_repo = repos.get_container_consumer_repository() + + @classmethod + def get_by_container_id(cls, container_id, offset_arg=None, limit_arg=None, + suppress_exception=False, session=None): + entities_db, offset, limit, total = \ + cls.db_repo.get_by_container_id( + container_id, offset_arg, limit_arg, + suppress_exception, session) + entities = [cls()._from_db_object(entity_db) for entity_db in + entities_db] + return entities, offset, limit, total + + @classmethod + def get_by_values(cls, container_id, name, URL, suppress_exception=False, + show_deleted=False, session=None): + consumer_db = cls.db_repo.get_by_values(container_id, name, + URL, + suppress_exception, + show_deleted, + session) + return cls()._from_db_object(consumer_db) + + @classmethod + def create_or_update_from_model(cls, new_consumer, + container, session=None): + """Create or update container + + :param new_consumer: a instance of ContainerConsumerMetadatum model + :param container: a instance of Container OVO + :param session: a session to connect with database + :return: None + + It is used during converting from model to OVO. It will be removed + after Container resource is implemented OVO. + """ + session = cls.get_session(session=session) + try: + container.updated_at = timeutils.utcnow() + container.save(session=session) + new_consumer.save(session=session) + except db_exc.DBDuplicateEntry: + session.rollback() # We know consumer already exists. + + # This operation is idempotent, so log this and move on + LOG.debug("Consumer %s with URL %s already exists for " + "container %s, continuing...", new_consumer.name, + new_consumer.URL, new_consumer.container_id) + # Get the existing entry and reuse it by clearing the deleted flags + existing_consumer = cls.get_by_values( + new_consumer.container_id, new_consumer.name, new_consumer.URL, + show_deleted=True) + existing_consumer.deleted = False + existing_consumer.deleted_at = None + # We are not concerned about timing here -- set only, no reads + existing_consumer.save(session=session) + + @classmethod + def create_or_update_from(cls, new_consumer, container, session=None): + """Create or update container + + :param new_consumer: a instance of ContainerConsumerMetadatum OVO + :param container: a instance of Container OVO + :param session: a session to connect with database + :return: None + """ + session = cls.get_session(session=session) + try: + container.updated_at = timeutils.utcnow() + container.consumers.append(new_consumer) + container.save(session=session) + except db_exc.DBDuplicateEntry: + session.rollback() # We know consumer already exists. + + # This operation is idempotent, so log this and move on + LOG.debug("Consumer %s with URL %s already exists for " + "container %s, continuing...", new_consumer.name, + new_consumer.URL, new_consumer.container_id) + # Get the existing entry and reuse it by clearing the deleted flags + existing_consumer = cls.get_by_values( + new_consumer.container_id, new_consumer.name, new_consumer.URL, + show_deleted=True) + existing_consumer.deleted = False + existing_consumer.deleted_at = None + # We are not concerned about timing here -- set only, no reads + existing_consumer.save(session=session) diff --git a/barbican/objects/container_secret.py b/barbican/objects/container_secret.py new file mode 100644 index 000000000..55b1b6bc2 --- /dev/null +++ b/barbican/objects/container_secret.py @@ -0,0 +1,40 @@ +# Copyright 2018 Fujitsu. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +from oslo_versionedobjects import base as object_base + +from barbican.model import models +from barbican.model import repositories as repos +from barbican.objects import base +from barbican.objects import fields + + +@object_base.VersionedObjectRegistry.register +class ContainerSecret(base.BarbicanObject, base.BarbicanPersistentObject, + object_base.VersionedObjectDictCompat): + fields = { + 'name': fields.StringField(nullable=True, default=None), + 'container_id': fields.StringField(), + 'secret_id': fields.StringField(), + } + + db_model = models.ContainerSecret + db_repo = repos.get_container_secret_repository() + + def create(self, session=None): + change_fields = self._get_changed_persistent_fields() + self._validate_fields(change_fields) + db_entity = self._get_db_entity() + db_entity.update(change_fields) + db_entity = self.db_repo.create_from(db_entity, session=session) + return self._from_db_object(db_entity)