1 # -*- coding: utf-8 -*-
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
7 # http://www.apache.org/licenses/LICENSE-2.0
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
17 from uuid
import uuid4
18 from hashlib
import sha256
19 from http
import HTTPStatus
21 from osm_nbi
.validation
import (
26 vim_account_new_schema
,
27 vim_account_edit_schema
,
30 wim_account_new_schema
,
31 wim_account_edit_schema
,
34 k8scluster_new_schema
,
35 k8scluster_edit_schema
,
45 ) # To check that User/Project Names don't look like UUIDs
46 from osm_nbi
.base_topic
import BaseTopic
, EngineException
47 from osm_nbi
.authconn
import AuthconnNotFoundException
, AuthconnConflictException
48 from osm_common
.dbbase
import deep_update_rfc7396
51 __author__
= "Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
54 class UserTopic(BaseTopic
):
57 schema_new
= user_new_schema
58 schema_edit
= user_edit_schema
61 def __init__(self
, db
, fs
, msg
, auth
):
62 BaseTopic
.__init
__(self
, db
, fs
, msg
, auth
)
65 def _get_project_filter(session
):
67 Generates a filter dictionary for querying database users.
68 Current policy is admin can show all, non admin, only its own user.
69 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
72 if session
["admin"]: # allows all
75 return {"username": session
["username"]}
77 def check_conflict_on_new(self
, session
, indata
):
78 # check username not exists
81 {"username": indata
.get("username")},
85 raise EngineException(
86 "username '{}' exists".format(indata
["username"]), HTTPStatus
.CONFLICT
89 if not session
["force"]:
90 for p
in indata
.get("projects") or []:
91 # To allow project addressing by Name as well as ID
92 if not self
.db
.get_one(
94 {BaseTopic
.id_field("projects", p
): p
},
98 raise EngineException(
99 "project '{}' does not exist".format(p
), HTTPStatus
.CONFLICT
102 def check_conflict_on_del(self
, session
, _id
, db_content
):
104 Check if deletion can be done because of dependencies if it is not force. To override
105 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
106 :param _id: internal _id
107 :param db_content: The database content of this item _id
108 :return: None if ok or raises EngineException with the conflict
110 if _id
== session
["username"]:
111 raise EngineException(
112 "You cannot delete your own user", http_code
=HTTPStatus
.CONFLICT
116 def format_on_new(content
, project_id
=None, make_public
=False):
117 BaseTopic
.format_on_new(content
, make_public
=False)
118 # Removed so that the UUID is kept, to allow User Name modification
119 # content["_id"] = content["username"]
121 content
["_admin"]["salt"] = salt
122 if content
.get("password"):
123 content
["password"] = sha256(
124 content
["password"].encode("utf-8") + salt
.encode("utf-8")
126 if content
.get("project_role_mappings"):
128 mapping
["project"] for mapping
in content
["project_role_mappings"]
131 if content
.get("projects"):
132 content
["projects"] += projects
134 content
["projects"] = projects
137 def format_on_edit(final_content
, edit_content
):
138 BaseTopic
.format_on_edit(final_content
, edit_content
)
139 if edit_content
.get("password"):
141 final_content
["_admin"]["salt"] = salt
142 final_content
["password"] = sha256(
143 edit_content
["password"].encode("utf-8") + salt
.encode("utf-8")
147 def edit(self
, session
, _id
, indata
=None, kwargs
=None, content
=None):
148 if not session
["admin"]:
149 raise EngineException(
150 "needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
152 # Names that look like UUIDs are not allowed
153 name
= (indata
if indata
else kwargs
).get("username")
154 if is_valid_uuid(name
):
155 raise EngineException(
156 "Usernames that look like UUIDs are not allowed",
157 http_code
=HTTPStatus
.UNPROCESSABLE_ENTITY
,
159 return BaseTopic
.edit(
160 self
, session
, _id
, indata
=indata
, kwargs
=kwargs
, content
=content
163 def new(self
, rollback
, session
, indata
=None, kwargs
=None, headers
=None):
164 if not session
["admin"]:
165 raise EngineException(
166 "needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
168 # Names that look like UUIDs are not allowed
169 name
= indata
["username"] if indata
else kwargs
["username"]
170 if is_valid_uuid(name
):
171 raise EngineException(
172 "Usernames that look like UUIDs are not allowed",
173 http_code
=HTTPStatus
.UNPROCESSABLE_ENTITY
,
175 return BaseTopic
.new(
176 self
, rollback
, session
, indata
=indata
, kwargs
=kwargs
, headers
=headers
180 class ProjectTopic(BaseTopic
):
182 topic_msg
= "projects"
183 schema_new
= project_new_schema
184 schema_edit
= project_edit_schema
187 def __init__(self
, db
, fs
, msg
, auth
):
188 BaseTopic
.__init
__(self
, db
, fs
, msg
, auth
)
191 def _get_project_filter(session
):
193 Generates a filter dictionary for querying database users.
194 Current policy is admin can show all, non admin, only its own user.
195 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
198 if session
["admin"]: # allows all
201 return {"_id.cont": session
["project_id"]}
203 def check_conflict_on_new(self
, session
, indata
):
204 if not indata
.get("name"):
205 raise EngineException("missing 'name'")
206 # check name not exists
209 {"name": indata
.get("name")},
213 raise EngineException(
214 "name '{}' exists".format(indata
["name"]), HTTPStatus
.CONFLICT
218 def format_on_new(content
, project_id
=None, make_public
=False):
219 BaseTopic
.format_on_new(content
, None)
220 # Removed so that the UUID is kept, to allow Project Name modification
221 # content["_id"] = content["name"]
223 def check_conflict_on_del(self
, session
, _id
, db_content
):
225 Check if deletion can be done because of dependencies if it is not force. To override
226 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
227 :param _id: internal _id
228 :param db_content: The database content of this item _id
229 :return: None if ok or raises EngineException with the conflict
231 if _id
in session
["project_id"]:
232 raise EngineException(
233 "You cannot delete your own project", http_code
=HTTPStatus
.CONFLICT
237 _filter
= {"projects": _id
}
238 if self
.db
.get_list("users", _filter
):
239 raise EngineException(
240 "There is some USER that contains this project",
241 http_code
=HTTPStatus
.CONFLICT
,
244 def edit(self
, session
, _id
, indata
=None, kwargs
=None, content
=None):
245 if not session
["admin"]:
246 raise EngineException(
247 "needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
249 # Names that look like UUIDs are not allowed
250 name
= (indata
if indata
else kwargs
).get("name")
251 if is_valid_uuid(name
):
252 raise EngineException(
253 "Project names that look like UUIDs are not allowed",
254 http_code
=HTTPStatus
.UNPROCESSABLE_ENTITY
,
256 return BaseTopic
.edit(
257 self
, session
, _id
, indata
=indata
, kwargs
=kwargs
, content
=content
260 def new(self
, rollback
, session
, indata
=None, kwargs
=None, headers
=None):
261 if not session
["admin"]:
262 raise EngineException(
263 "needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
265 # Names that look like UUIDs are not allowed
266 name
= indata
["name"] if indata
else kwargs
["name"]
267 if is_valid_uuid(name
):
268 raise EngineException(
269 "Project names that look like UUIDs are not allowed",
270 http_code
=HTTPStatus
.UNPROCESSABLE_ENTITY
,
272 return BaseTopic
.new(
273 self
, rollback
, session
, indata
=indata
, kwargs
=kwargs
, headers
=headers
277 class CommonVimWimSdn(BaseTopic
):
278 """Common class for VIM, WIM SDN just to unify methods that are equal to all of them"""
280 config_to_encrypt
= (
282 ) # what keys at config must be encrypted because contains passwords
283 password_to_encrypt
= "" # key that contains a password
286 def _create_operation(op_type
, params
=None):
288 Creates a dictionary with the information to an operation, similar to ns-lcm-op
289 :param op_type: can be create, edit, delete
290 :param params: operation input parameters
291 :return: new dictionary with
295 "lcmOperationType": op_type
,
296 "operationState": "PROCESSING",
298 "statusEnteredTime": now
,
299 "detailed-status": "",
300 "operationParams": params
,
303 def check_conflict_on_new(self
, session
, indata
):
305 Check that the data to be inserted is valid. It is checked that name is unique
306 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
307 :param indata: data to be inserted
308 :return: None or raises EngineException
310 self
.check_unique_name(session
, indata
["name"], _id
=None)
312 def check_conflict_on_edit(self
, session
, final_content
, edit_content
, _id
):
314 Check that the data to be edited/uploaded is valid. It is checked that name is unique
315 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
316 :param final_content: data once modified. This method may change it.
317 :param edit_content: incremental data that contains the modifications to apply
318 :param _id: internal _id
319 :return: None or raises EngineException
321 if not session
["force"] and edit_content
.get("name"):
322 self
.check_unique_name(session
, edit_content
["name"], _id
=_id
)
326 def format_on_edit(self
, final_content
, edit_content
):
328 Modifies final_content inserting admin information upon edition
329 :param final_content: final content to be stored at database
330 :param edit_content: user requested update content
331 :return: operation id
333 super().format_on_edit(final_content
, edit_content
)
336 schema_version
= final_content
.get("schema_version")
338 if edit_content
.get(self
.password_to_encrypt
):
339 final_content
[self
.password_to_encrypt
] = self
.db
.encrypt(
340 edit_content
[self
.password_to_encrypt
],
341 schema_version
=schema_version
,
342 salt
=final_content
["_id"],
344 config_to_encrypt_keys
= self
.config_to_encrypt
.get(
346 ) or self
.config_to_encrypt
.get("default")
347 if edit_content
.get("config") and config_to_encrypt_keys
:
348 for p
in config_to_encrypt_keys
:
349 if edit_content
["config"].get(p
):
350 final_content
["config"][p
] = self
.db
.encrypt(
351 edit_content
["config"][p
],
352 schema_version
=schema_version
,
353 salt
=final_content
["_id"],
356 # create edit operation
357 final_content
["_admin"]["operations"].append(self
._create
_operation
("edit"))
358 return "{}:{}".format(
359 final_content
["_id"], len(final_content
["_admin"]["operations"]) - 1
362 def format_on_new(self
, content
, project_id
=None, make_public
=False):
364 Modifies content descriptor to include _admin and insert create operation
365 :param content: descriptor to be modified
366 :param project_id: if included, it add project read/write permissions. Can be None or a list
367 :param make_public: if included it is generated as public for reading.
368 :return: op_id: operation id on asynchronous operation, None otherwise. In addition content is modified
370 super().format_on_new(content
, project_id
=project_id
, make_public
=make_public
)
371 content
["schema_version"] = schema_version
= "1.11"
374 if content
.get(self
.password_to_encrypt
):
375 content
[self
.password_to_encrypt
] = self
.db
.encrypt(
376 content
[self
.password_to_encrypt
],
377 schema_version
=schema_version
,
380 config_to_encrypt_keys
= self
.config_to_encrypt
.get(
382 ) or self
.config_to_encrypt
.get("default")
383 if content
.get("config") and config_to_encrypt_keys
:
384 for p
in config_to_encrypt_keys
:
385 if content
["config"].get(p
):
386 content
["config"][p
] = self
.db
.encrypt(
387 content
["config"][p
],
388 schema_version
=schema_version
,
392 content
["_admin"]["operationalState"] = "PROCESSING"
395 content
["_admin"]["operations"] = [self
._create
_operation
("create")]
396 content
["_admin"]["current_operation"] = None
397 # create Resource in Openstack based VIM
398 if content
.get("vim_type"):
399 if content
["vim_type"] == "openstack":
401 "ram": {"total": None, "used": None},
402 "vcpus": {"total": None, "used": None},
403 "instances": {"total": None, "used": None},
406 "volumes": {"total": None, "used": None},
407 "snapshots": {"total": None, "used": None},
408 "storage": {"total": None, "used": None},
411 "networks": {"total": None, "used": None},
412 "subnets": {"total": None, "used": None},
413 "floating_ips": {"total": None, "used": None},
415 content
["resources"] = {
421 return "{}:0".format(content
["_id"])
423 def delete(self
, session
, _id
, dry_run
=False, not_send_msg
=None):
425 Delete item by its internal _id
426 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
427 :param _id: server internal id
428 :param dry_run: make checking but do not delete
429 :param not_send_msg: To not send message (False) or store content (list) instead
430 :return: operation id if it is ordered to delete. None otherwise
433 filter_q
= self
._get
_project
_filter
(session
)
434 filter_q
["_id"] = _id
435 db_content
= self
.db
.get_one(self
.topic
, filter_q
)
437 self
.check_conflict_on_del(session
, _id
, db_content
)
441 # remove reference from project_read if there are more projects referencing it. If it last one,
442 # do not remove reference, but order via kafka to delete it
443 if session
["project_id"] and session
["project_id"]:
444 other_projects_referencing
= next(
447 for p
in db_content
["_admin"]["projects_read"]
448 if p
not in session
["project_id"] and p
!= "ANY"
453 # check if there are projects referencing it (apart from ANY, that means, public)....
454 if other_projects_referencing
:
455 # remove references but not delete
457 "_admin.projects_read": session
["project_id"],
458 "_admin.projects_write": session
["project_id"],
461 self
.topic
, filter_q
, update_dict
=None, pull_list
=update_dict_pull
468 for p
in db_content
["_admin"]["projects_write"]
469 if p
== "ANY" or p
in session
["project_id"]
474 raise EngineException(
475 "You have not write permission to delete it",
476 http_code
=HTTPStatus
.UNAUTHORIZED
,
481 self
.db
.del_one(self
.topic
, {"_id": _id
})
484 "deleted", {"_id": _id
, "op_id": op_id
}, not_send_msg
=not_send_msg
487 update_dict
= {"_admin.to_delete": True}
491 update_dict
=update_dict
,
492 push
={"_admin.operations": self
._create
_operation
("delete")},
494 # the number of operations is the operation_id. db_content does not contains the new operation inserted,
495 # so the -1 is not needed
496 op_id
= "{}:{}".format(
497 db_content
["_id"], len(db_content
["_admin"]["operations"])
500 "delete", {"_id": _id
, "op_id": op_id
}, not_send_msg
=not_send_msg
505 class VimAccountTopic(CommonVimWimSdn
):
506 topic
= "vim_accounts"
507 topic_msg
= "vim_account"
508 schema_new
= vim_account_new_schema
509 schema_edit
= vim_account_edit_schema
511 password_to_encrypt
= "vim_password"
512 config_to_encrypt
= {
513 "1.1": ("admin_password", "nsx_password", "vcenter_password"),
521 valid_paas_providers
= ["juju"]
523 def check_conflict_on_new(self
, session
, indata
):
524 super().check_conflict_on_new(session
, indata
)
525 self
._check
_paas
_account
(indata
)
527 def _is_paas_vim_type(self
, indata
):
528 return indata
.get("vim_type") and indata
["vim_type"] == "paas"
530 def _check_paas_account(self
, indata
):
531 if self
._is
_paas
_vim
_type
(indata
):
532 self
._check
_paas
_provider
_is
_valid
(indata
)
534 def _check_paas_provider_is_valid(self
, indata
):
536 paas_provider
= indata
["config"]["paas_provider"]
537 if paas_provider
in self
.valid_paas_providers
:
541 raise EngineException(
542 "Invalid paas_provider for VIM account '{}'.".format(indata
["name"]),
543 HTTPStatus
.UNPROCESSABLE_ENTITY
,
546 def check_conflict_on_del(self
, session
, _id
, db_content
):
548 Check if deletion can be done because of dependencies if it is not force. To override
549 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
550 :param _id: internal _id
551 :param db_content: The database content of this item _id
552 :return: None if ok or raises EngineException with the conflict
556 # check if used by VNF
557 if self
.db
.get_list("vnfrs", {"vim-account-id": _id
}):
558 raise EngineException(
559 "There is at least one VNF using this VIM account",
560 http_code
=HTTPStatus
.CONFLICT
,
562 super().check_conflict_on_del(session
, _id
, db_content
)
564 def _send_msg(self
, action
, content
, not_send_msg
=None):
565 if self
._is
_paas
_vim
_type
(content
):
567 super()._send
_msg
(action
, content
, not_send_msg
)
570 class WimAccountTopic(CommonVimWimSdn
):
571 topic
= "wim_accounts"
572 topic_msg
= "wim_account"
573 schema_new
= wim_account_new_schema
574 schema_edit
= wim_account_edit_schema
576 password_to_encrypt
= "password"
577 config_to_encrypt
= {}
580 class SdnTopic(CommonVimWimSdn
):
583 quota_name
= "sdn_controllers"
584 schema_new
= sdn_new_schema
585 schema_edit
= sdn_edit_schema
587 password_to_encrypt
= "password"
588 config_to_encrypt
= {}
590 def _obtain_url(self
, input, create
):
591 if input.get("ip") or input.get("port"):
592 if not input.get("ip") or not input.get("port") or input.get("url"):
593 raise ValidationError(
594 "You must provide both 'ip' and 'port' (deprecated); or just 'url' (prefered)"
596 input["url"] = "http://{}:{}/".format(input["ip"], input["port"])
599 elif create
and not input.get("url"):
600 raise ValidationError("You must provide 'url'")
603 def _validate_input_new(self
, input, force
=False):
604 input = super()._validate
_input
_new
(input, force
)
605 return self
._obtain
_url
(input, True)
607 def _validate_input_edit(self
, input, content
, force
=False):
608 input = super()._validate
_input
_edit
(input, content
, force
)
609 return self
._obtain
_url
(input, False)
612 class K8sClusterTopic(CommonVimWimSdn
):
613 topic
= "k8sclusters"
614 topic_msg
= "k8scluster"
615 schema_new
= k8scluster_new_schema
616 schema_edit
= k8scluster_edit_schema
618 password_to_encrypt
= None
619 config_to_encrypt
= {}
621 def format_on_new(self
, content
, project_id
=None, make_public
=False):
622 oid
= super().format_on_new(content
, project_id
, make_public
)
623 self
.db
.encrypt_decrypt_fields(
624 content
["credentials"],
626 ["password", "secret"],
627 schema_version
=content
["schema_version"],
630 # Add Helm/Juju Repo lists
631 repos
= {"helm-chart": [], "juju-bundle": []}
632 for proj
in content
["_admin"]["projects_read"]:
634 for repo
in self
.db
.get_list(
635 "k8srepos", {"_admin.projects_read": proj
}
637 if repo
["_id"] not in repos
[repo
["type"]]:
638 repos
[repo
["type"]].append(repo
["_id"])
640 content
["_admin"][k
.replace("-", "_") + "_repos"] = repos
[k
]
643 def format_on_edit(self
, final_content
, edit_content
):
644 if final_content
.get("schema_version") and edit_content
.get("credentials"):
645 self
.db
.encrypt_decrypt_fields(
646 edit_content
["credentials"],
648 ["password", "secret"],
649 schema_version
=final_content
["schema_version"],
650 salt
=final_content
["_id"],
653 final_content
["credentials"], edit_content
["credentials"]
655 oid
= super().format_on_edit(final_content
, edit_content
)
658 def check_conflict_on_edit(self
, session
, final_content
, edit_content
, _id
):
659 final_content
= super(CommonVimWimSdn
, self
).check_conflict_on_edit(
660 session
, final_content
, edit_content
, _id
662 final_content
= super().check_conflict_on_edit(
663 session
, final_content
, edit_content
, _id
665 # Update Helm/Juju Repo lists
666 repos
= {"helm-chart": [], "juju-bundle": []}
667 for proj
in session
.get("set_project", []):
669 for repo
in self
.db
.get_list(
670 "k8srepos", {"_admin.projects_read": proj
}
672 if repo
["_id"] not in repos
[repo
["type"]]:
673 repos
[repo
["type"]].append(repo
["_id"])
675 rlist
= k
.replace("-", "_") + "_repos"
676 if rlist
not in final_content
["_admin"]:
677 final_content
["_admin"][rlist
] = []
678 final_content
["_admin"][rlist
] += repos
[k
]
681 def check_conflict_on_del(self
, session
, _id
, db_content
):
683 Check if deletion can be done because of dependencies if it is not force. To override
684 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
685 :param _id: internal _id
686 :param db_content: The database content of this item _id
687 :return: None if ok or raises EngineException with the conflict
691 # check if used by VNF
692 filter_q
= {"kdur.k8s-cluster.id": _id
}
693 if session
["project_id"]:
694 filter_q
["_admin.projects_read.cont"] = session
["project_id"]
695 if self
.db
.get_list("vnfrs", filter_q
):
696 raise EngineException(
697 "There is at least one VNF using this k8scluster",
698 http_code
=HTTPStatus
.CONFLICT
,
700 super().check_conflict_on_del(session
, _id
, db_content
)
703 class VcaTopic(CommonVimWimSdn
):
706 schema_new
= vca_new_schema
707 schema_edit
= vca_edit_schema
709 password_to_encrypt
= None
711 def format_on_new(self
, content
, project_id
=None, make_public
=False):
712 oid
= super().format_on_new(content
, project_id
, make_public
)
713 content
["schema_version"] = schema_version
= "1.11"
714 for key
in ["secret", "cacert"]:
715 content
[key
] = self
.db
.encrypt(
716 content
[key
], schema_version
=schema_version
, salt
=content
["_id"]
720 def format_on_edit(self
, final_content
, edit_content
):
721 oid
= super().format_on_edit(final_content
, edit_content
)
722 schema_version
= final_content
.get("schema_version")
723 for key
in ["secret", "cacert"]:
724 if key
in edit_content
:
725 final_content
[key
] = self
.db
.encrypt(
727 schema_version
=schema_version
,
728 salt
=final_content
["_id"],
732 def check_conflict_on_del(self
, session
, _id
, db_content
):
734 Check if deletion can be done because of dependencies if it is not force. To override
735 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
736 :param _id: internal _id
737 :param db_content: The database content of this item _id
738 :return: None if ok or raises EngineException with the conflict
742 # check if used by VNF
743 filter_q
= {"vca": _id
}
744 if session
["project_id"]:
745 filter_q
["_admin.projects_read.cont"] = session
["project_id"]
746 if self
.db
.get_list("vim_accounts", filter_q
):
747 raise EngineException(
748 "There is at least one VIM account using this vca",
749 http_code
=HTTPStatus
.CONFLICT
,
751 super().check_conflict_on_del(session
, _id
, db_content
)
754 class K8sRepoTopic(CommonVimWimSdn
):
756 topic_msg
= "k8srepo"
757 schema_new
= k8srepo_new_schema
758 schema_edit
= k8srepo_edit_schema
760 password_to_encrypt
= None
761 config_to_encrypt
= {}
763 def format_on_new(self
, content
, project_id
=None, make_public
=False):
764 oid
= super().format_on_new(content
, project_id
, make_public
)
765 # Update Helm/Juju Repo lists
766 repo_list
= content
["type"].replace("-", "_") + "_repos"
767 for proj
in content
["_admin"]["projects_read"]:
772 "_admin.projects_read": proj
,
773 "_admin." + repo_list
+ ".ne": content
["_id"],
776 push
={"_admin." + repo_list
: content
["_id"]},
780 def delete(self
, session
, _id
, dry_run
=False, not_send_msg
=None):
781 type = self
.db
.get_one("k8srepos", {"_id": _id
})["type"]
782 oid
= super().delete(session
, _id
, dry_run
, not_send_msg
)
784 # Remove from Helm/Juju Repo lists
785 repo_list
= type.replace("-", "_") + "_repos"
788 {"_admin." + repo_list
: _id
},
790 pull
={"_admin." + repo_list
: _id
},
795 class OsmRepoTopic(BaseTopic
):
797 topic_msg
= "osmrepos"
798 schema_new
= osmrepo_new_schema
799 schema_edit
= osmrepo_edit_schema
801 # TODO: Implement user/password
804 class UserTopicAuth(UserTopic
):
807 schema_new
= user_new_schema
808 schema_edit
= user_edit_schema
810 def __init__(self
, db
, fs
, msg
, auth
):
811 UserTopic
.__init
__(self
, db
, fs
, msg
, auth
)
814 def check_conflict_on_new(self
, session
, indata
):
816 Check that the data to be inserted is valid
818 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
819 :param indata: data to be inserted
820 :return: None or raises EngineException
822 username
= indata
.get("username")
823 if is_valid_uuid(username
):
824 raise EngineException(
825 "username '{}' cannot have a uuid format".format(username
),
826 HTTPStatus
.UNPROCESSABLE_ENTITY
,
829 # Check that username is not used, regardless keystone already checks this
830 if self
.auth
.get_user_list(filter_q
={"name": username
}):
831 raise EngineException(
832 "username '{}' is already used".format(username
), HTTPStatus
.CONFLICT
835 if "projects" in indata
.keys():
836 # convert to new format project_role_mappings
837 role
= self
.auth
.get_role_list({"name": "project_admin"})
839 role
= self
.auth
.get_role_list()
841 raise AuthconnNotFoundException(
842 "Can't find default role for user '{}'".format(username
)
845 if not indata
.get("project_role_mappings"):
846 indata
["project_role_mappings"] = []
847 for project
in indata
["projects"]:
848 pid
= self
.auth
.get_project(project
)["_id"]
849 prm
= {"project": pid
, "role": rid
}
850 if prm
not in indata
["project_role_mappings"]:
851 indata
["project_role_mappings"].append(prm
)
852 # raise EngineException("Format invalid: the keyword 'projects' is not allowed for keystone authentication",
853 # HTTPStatus.BAD_REQUEST)
855 def check_conflict_on_edit(self
, session
, final_content
, edit_content
, _id
):
857 Check that the data to be edited/uploaded is valid
859 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
860 :param final_content: data once modified
861 :param edit_content: incremental data that contains the modifications to apply
862 :param _id: internal _id
863 :return: None or raises EngineException
866 if "username" in edit_content
:
867 username
= edit_content
.get("username")
868 if is_valid_uuid(username
):
869 raise EngineException(
870 "username '{}' cannot have an uuid format".format(username
),
871 HTTPStatus
.UNPROCESSABLE_ENTITY
,
874 # Check that username is not used, regardless keystone already checks this
875 if self
.auth
.get_user_list(filter_q
={"name": username
}):
876 raise EngineException(
877 "username '{}' is already used".format(username
),
881 if final_content
["username"] == "admin":
882 for mapping
in edit_content
.get("remove_project_role_mappings", ()):
883 if mapping
["project"] == "admin" and mapping
.get("role") in (
887 # TODO make this also available for project id and role id
888 raise EngineException(
889 "You cannot remove system_admin role from admin user",
890 http_code
=HTTPStatus
.FORBIDDEN
,
895 def check_conflict_on_del(self
, session
, _id
, db_content
):
897 Check if deletion can be done because of dependencies if it is not force. To override
898 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
899 :param _id: internal _id
900 :param db_content: The database content of this item _id
901 :return: None if ok or raises EngineException with the conflict
903 if db_content
["username"] == session
["username"]:
904 raise EngineException(
905 "You cannot delete your own login user ", http_code
=HTTPStatus
.CONFLICT
907 # TODO: Check that user is not logged in ? How? (Would require listing current tokens)
910 def format_on_show(content
):
912 Modifies the content of the role information to separate the role
913 metadata from the role definition.
915 project_role_mappings
= []
917 if "projects" in content
:
918 for project
in content
["projects"]:
919 for role
in project
["roles"]:
920 project_role_mappings
.append(
922 "project": project
["_id"],
923 "project_name": project
["name"],
925 "role_name": role
["name"],
928 del content
["projects"]
929 content
["project_role_mappings"] = project_role_mappings
933 def new(self
, rollback
, session
, indata
=None, kwargs
=None, headers
=None):
935 Creates a new entry into the authentication backend.
937 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
939 :param rollback: list to append created items at database in case a rollback may to be done
940 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
941 :param indata: data to be inserted
942 :param kwargs: used to override the indata descriptor
943 :param headers: http request headers
944 :return: _id: identity of the inserted data, operation _id (None)
947 content
= BaseTopic
._remove
_envelop
(indata
)
949 # Override descriptor with query string kwargs
950 BaseTopic
._update
_input
_with
_kwargs
(content
, kwargs
)
951 content
= self
._validate
_input
_new
(content
, session
["force"])
952 self
.check_conflict_on_new(session
, content
)
953 # self.format_on_new(content, session["project_id"], make_public=session["public"])
955 content
["_admin"] = {"created": now
, "modified": now
}
957 for prm
in content
.get("project_role_mappings", []):
958 proj
= self
.auth
.get_project(prm
["project"], not session
["force"])
959 role
= self
.auth
.get_role(prm
["role"], not session
["force"])
960 pid
= proj
["_id"] if proj
else None
961 rid
= role
["_id"] if role
else None
962 prl
= {"project": pid
, "role": rid
}
965 content
["project_role_mappings"] = prms
966 # _id = self.auth.create_user(content["username"], content["password"])["_id"]
967 _id
= self
.auth
.create_user(content
)["_id"]
969 rollback
.append({"topic": self
.topic
, "_id": _id
})
970 # del content["password"]
971 self
._send
_msg
("created", content
, not_send_msg
=None)
973 except ValidationError
as e
:
974 raise EngineException(e
, HTTPStatus
.UNPROCESSABLE_ENTITY
)
976 def show(self
, session
, _id
, filter_q
=None, api_req
=False):
978 Get complete information on an topic
980 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
981 :param _id: server internal id or username
982 :param filter_q: dict: query parameter
983 :param api_req: True if this call is serving an external API request. False if serving internal request.
984 :return: dictionary, raise exception if not found.
986 # Allow _id to be a name or uuid
987 filter_q
= {"username": _id
}
988 # users = self.auth.get_user_list(filter_q)
989 users
= self
.list(session
, filter_q
) # To allow default filtering (Bug 853)
993 raise EngineException(
994 "Too many users found for '{}'".format(_id
), HTTPStatus
.CONFLICT
997 raise EngineException(
998 "User '{}' not found".format(_id
), HTTPStatus
.NOT_FOUND
1001 def edit(self
, session
, _id
, indata
=None, kwargs
=None, content
=None):
1003 Updates an user entry.
1005 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1007 :param indata: data to be inserted
1008 :param kwargs: used to override the indata descriptor
1010 :return: _id: identity of the inserted data.
1012 indata
= self
._remove
_envelop
(indata
)
1014 # Override descriptor with query string kwargs
1016 BaseTopic
._update
_input
_with
_kwargs
(indata
, kwargs
)
1019 content
= self
.show(session
, _id
)
1020 indata
= self
._validate
_input
_edit
(indata
, content
, force
=session
["force"])
1021 content
= self
.check_conflict_on_edit(session
, content
, indata
, _id
=_id
)
1022 # self.format_on_edit(content, indata)
1025 "password" in indata
1026 or "username" in indata
1027 or indata
.get("remove_project_role_mappings")
1028 or indata
.get("add_project_role_mappings")
1029 or indata
.get("project_role_mappings")
1030 or indata
.get("projects")
1031 or indata
.get("add_projects")
1034 if indata
.get("project_role_mappings") and (
1035 indata
.get("remove_project_role_mappings")
1036 or indata
.get("add_project_role_mappings")
1038 raise EngineException(
1039 "Option 'project_role_mappings' is incompatible with 'add_project_role_mappings"
1040 "' or 'remove_project_role_mappings'",
1041 http_code
=HTTPStatus
.BAD_REQUEST
,
1044 if indata
.get("projects") or indata
.get("add_projects"):
1045 role
= self
.auth
.get_role_list({"name": "project_admin"})
1047 role
= self
.auth
.get_role_list()
1049 raise AuthconnNotFoundException(
1050 "Can't find a default role for user '{}'".format(
1054 rid
= role
[0]["_id"]
1055 if "add_project_role_mappings" not in indata
:
1056 indata
["add_project_role_mappings"] = []
1057 if "remove_project_role_mappings" not in indata
:
1058 indata
["remove_project_role_mappings"] = []
1059 if isinstance(indata
.get("projects"), dict):
1060 # backward compatible
1061 for k
, v
in indata
["projects"].items():
1062 if k
.startswith("$") and v
is None:
1063 indata
["remove_project_role_mappings"].append(
1066 elif k
.startswith("$+"):
1067 indata
["add_project_role_mappings"].append(
1068 {"project": v
, "role": rid
}
1070 del indata
["projects"]
1071 for proj
in indata
.get("projects", []) + indata
.get("add_projects", []):
1072 indata
["add_project_role_mappings"].append(
1073 {"project": proj
, "role": rid
}
1076 # user = self.show(session, _id) # Already in 'content'
1077 original_mapping
= content
["project_role_mappings"]
1079 mappings_to_add
= []
1080 mappings_to_remove
= []
1083 for to_remove
in indata
.get("remove_project_role_mappings", ()):
1084 for mapping
in original_mapping
:
1085 if to_remove
["project"] in (
1087 mapping
["project_name"],
1089 if not to_remove
.get("role") or to_remove
["role"] in (
1091 mapping
["role_name"],
1093 mappings_to_remove
.append(mapping
)
1096 for to_add
in indata
.get("add_project_role_mappings", ()):
1097 for mapping
in original_mapping
:
1098 if to_add
["project"] in (
1100 mapping
["project_name"],
1101 ) and to_add
["role"] in (
1103 mapping
["role_name"],
1105 if mapping
in mappings_to_remove
: # do not remove
1106 mappings_to_remove
.remove(mapping
)
1107 break # do not add, it is already at user
1109 pid
= self
.auth
.get_project(to_add
["project"])["_id"]
1110 rid
= self
.auth
.get_role(to_add
["role"])["_id"]
1111 mappings_to_add
.append({"project": pid
, "role": rid
})
1114 if indata
.get("project_role_mappings"):
1115 for to_set
in indata
["project_role_mappings"]:
1116 for mapping
in original_mapping
:
1117 if to_set
["project"] in (
1119 mapping
["project_name"],
1120 ) and to_set
["role"] in (
1122 mapping
["role_name"],
1124 if mapping
in mappings_to_remove
: # do not remove
1125 mappings_to_remove
.remove(mapping
)
1126 break # do not add, it is already at user
1128 pid
= self
.auth
.get_project(to_set
["project"])["_id"]
1129 rid
= self
.auth
.get_role(to_set
["role"])["_id"]
1130 mappings_to_add
.append({"project": pid
, "role": rid
})
1131 for mapping
in original_mapping
:
1132 for to_set
in indata
["project_role_mappings"]:
1133 if to_set
["project"] in (
1135 mapping
["project_name"],
1136 ) and to_set
["role"] in (
1138 mapping
["role_name"],
1143 if mapping
not in mappings_to_remove
: # do not remove
1144 mappings_to_remove
.append(mapping
)
1146 self
.auth
.update_user(
1149 "username": indata
.get("username"),
1150 "password": indata
.get("password"),
1151 "old_password": indata
.get("old_password"),
1152 "add_project_role_mappings": mappings_to_add
,
1153 "remove_project_role_mappings": mappings_to_remove
,
1156 data_to_send
= {"_id": _id
, "changes": indata
}
1157 self
._send
_msg
("edited", data_to_send
, not_send_msg
=None)
1160 except ValidationError
as e
:
1161 raise EngineException(e
, HTTPStatus
.UNPROCESSABLE_ENTITY
)
1163 def list(self
, session
, filter_q
=None, api_req
=False):
1165 Get a list of the topic that matches a filter
1166 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1167 :param filter_q: filter of data to be applied
1168 :param api_req: True if this call is serving an external API request. False if serving internal request.
1169 :return: The list, it can be empty if no one match the filter.
1171 user_list
= self
.auth
.get_user_list(filter_q
)
1172 if not session
["allow_show_user_project_role"]:
1173 # Bug 853 - Default filtering
1175 usr
for usr
in user_list
if usr
["username"] == session
["username"]
1179 def delete(self
, session
, _id
, dry_run
=False, not_send_msg
=None):
1181 Delete item by its internal _id
1183 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1184 :param _id: server internal id
1185 :param force: indicates if deletion must be forced in case of conflict
1186 :param dry_run: make checking but do not delete
1187 :param not_send_msg: To not send message (False) or store content (list) instead
1188 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1190 # Allow _id to be a name or uuid
1191 user
= self
.auth
.get_user(_id
)
1193 self
.check_conflict_on_del(session
, uid
, user
)
1195 v
= self
.auth
.delete_user(uid
)
1196 self
._send
_msg
("deleted", user
, not_send_msg
=not_send_msg
)
1201 class ProjectTopicAuth(ProjectTopic
):
1202 # topic = "projects"
1203 topic_msg
= "project"
1204 schema_new
= project_new_schema
1205 schema_edit
= project_edit_schema
1207 def __init__(self
, db
, fs
, msg
, auth
):
1208 ProjectTopic
.__init
__(self
, db
, fs
, msg
, auth
)
1211 def check_conflict_on_new(self
, session
, indata
):
1213 Check that the data to be inserted is valid
1215 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1216 :param indata: data to be inserted
1217 :return: None or raises EngineException
1219 project_name
= indata
.get("name")
1220 if is_valid_uuid(project_name
):
1221 raise EngineException(
1222 "project name '{}' cannot have an uuid format".format(project_name
),
1223 HTTPStatus
.UNPROCESSABLE_ENTITY
,
1226 project_list
= self
.auth
.get_project_list(filter_q
={"name": project_name
})
1229 raise EngineException(
1230 "project '{}' exists".format(project_name
), HTTPStatus
.CONFLICT
1233 def check_conflict_on_edit(self
, session
, final_content
, edit_content
, _id
):
1235 Check that the data to be edited/uploaded is valid
1237 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1238 :param final_content: data once modified
1239 :param edit_content: incremental data that contains the modifications to apply
1240 :param _id: internal _id
1241 :return: None or raises EngineException
1244 project_name
= edit_content
.get("name")
1245 if project_name
!= final_content
["name"]: # It is a true renaming
1246 if is_valid_uuid(project_name
):
1247 raise EngineException(
1248 "project name '{}' cannot have an uuid format".format(project_name
),
1249 HTTPStatus
.UNPROCESSABLE_ENTITY
,
1252 if final_content
["name"] == "admin":
1253 raise EngineException(
1254 "You cannot rename project 'admin'", http_code
=HTTPStatus
.CONFLICT
1257 # Check that project name is not used, regardless keystone already checks this
1258 if project_name
and self
.auth
.get_project_list(
1259 filter_q
={"name": project_name
}
1261 raise EngineException(
1262 "project '{}' is already used".format(project_name
),
1263 HTTPStatus
.CONFLICT
,
1265 return final_content
1267 def check_conflict_on_del(self
, session
, _id
, db_content
):
1269 Check if deletion can be done because of dependencies if it is not force. To override
1271 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1272 :param _id: internal _id
1273 :param db_content: The database content of this item _id
1274 :return: None if ok or raises EngineException with the conflict
1277 def check_rw_projects(topic
, title
, id_field
):
1278 for desc
in self
.db
.get_list(topic
):
1281 in desc
["_admin"]["projects_read"]
1282 + desc
["_admin"]["projects_write"]
1284 raise EngineException(
1285 "Project '{}' ({}) is being used by {} '{}'".format(
1286 db_content
["name"], _id
, title
, desc
[id_field
]
1288 HTTPStatus
.CONFLICT
,
1291 if _id
in session
["project_id"]:
1292 raise EngineException(
1293 "You cannot delete your own project", http_code
=HTTPStatus
.CONFLICT
1296 if db_content
["name"] == "admin":
1297 raise EngineException(
1298 "You cannot delete project 'admin'", http_code
=HTTPStatus
.CONFLICT
1301 # If any user is using this project, raise CONFLICT exception
1302 if not session
["force"]:
1303 for user
in self
.auth
.get_user_list():
1304 for prm
in user
.get("project_role_mappings"):
1305 if prm
["project"] == _id
:
1306 raise EngineException(
1307 "Project '{}' ({}) is being used by user '{}'".format(
1308 db_content
["name"], _id
, user
["username"]
1310 HTTPStatus
.CONFLICT
,
1313 # If any VNFD, NSD, NST, PDU, etc. is using this project, raise CONFLICT exception
1314 if not session
["force"]:
1315 check_rw_projects("vnfds", "VNF Descriptor", "id")
1316 check_rw_projects("nsds", "NS Descriptor", "id")
1317 check_rw_projects("nsts", "NS Template", "id")
1318 check_rw_projects("pdus", "PDU Descriptor", "name")
1320 def new(self
, rollback
, session
, indata
=None, kwargs
=None, headers
=None):
1322 Creates a new entry into the authentication backend.
1324 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
1326 :param rollback: list to append created items at database in case a rollback may to be done
1327 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1328 :param indata: data to be inserted
1329 :param kwargs: used to override the indata descriptor
1330 :param headers: http request headers
1331 :return: _id: identity of the inserted data, operation _id (None)
1334 content
= BaseTopic
._remove
_envelop
(indata
)
1336 # Override descriptor with query string kwargs
1337 BaseTopic
._update
_input
_with
_kwargs
(content
, kwargs
)
1338 content
= self
._validate
_input
_new
(content
, session
["force"])
1339 self
.check_conflict_on_new(session
, content
)
1341 content
, project_id
=session
["project_id"], make_public
=session
["public"]
1343 _id
= self
.auth
.create_project(content
)
1344 rollback
.append({"topic": self
.topic
, "_id": _id
})
1345 self
._send
_msg
("created", content
, not_send_msg
=None)
1347 except ValidationError
as e
:
1348 raise EngineException(e
, HTTPStatus
.UNPROCESSABLE_ENTITY
)
1350 def show(self
, session
, _id
, filter_q
=None, api_req
=False):
1352 Get complete information on an topic
1354 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1355 :param _id: server internal id
1356 :param filter_q: dict: query parameter
1357 :param api_req: True if this call is serving an external API request. False if serving internal request.
1358 :return: dictionary, raise exception if not found.
1360 # Allow _id to be a name or uuid
1361 filter_q
= {self
.id_field(self
.topic
, _id
): _id
}
1362 # projects = self.auth.get_project_list(filter_q=filter_q)
1363 projects
= self
.list(session
, filter_q
) # To allow default filtering (Bug 853)
1364 if len(projects
) == 1:
1366 elif len(projects
) > 1:
1367 raise EngineException("Too many projects found", HTTPStatus
.CONFLICT
)
1369 raise EngineException("Project not found", HTTPStatus
.NOT_FOUND
)
1371 def list(self
, session
, filter_q
=None, api_req
=False):
1373 Get a list of the topic that matches a filter
1375 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1376 :param filter_q: filter of data to be applied
1377 :return: The list, it can be empty if no one match the filter.
1379 project_list
= self
.auth
.get_project_list(filter_q
)
1380 if not session
["allow_show_user_project_role"]:
1381 # Bug 853 - Default filtering
1382 user
= self
.auth
.get_user(session
["username"])
1383 projects
= [prm
["project"] for prm
in user
["project_role_mappings"]]
1384 project_list
= [proj
for proj
in project_list
if proj
["_id"] in projects
]
1387 def delete(self
, session
, _id
, dry_run
=False, not_send_msg
=None):
1389 Delete item by its internal _id
1391 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1392 :param _id: server internal id
1393 :param dry_run: make checking but do not delete
1394 :param not_send_msg: To not send message (False) or store content (list) instead
1395 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1397 # Allow _id to be a name or uuid
1398 proj
= self
.auth
.get_project(_id
)
1400 self
.check_conflict_on_del(session
, pid
, proj
)
1402 v
= self
.auth
.delete_project(pid
)
1403 self
._send
_msg
("deleted", proj
, not_send_msg
=None)
1407 def edit(self
, session
, _id
, indata
=None, kwargs
=None, content
=None):
1409 Updates a project entry.
1411 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1413 :param indata: data to be inserted
1414 :param kwargs: used to override the indata descriptor
1416 :return: _id: identity of the inserted data.
1418 indata
= self
._remove
_envelop
(indata
)
1420 # Override descriptor with query string kwargs
1422 BaseTopic
._update
_input
_with
_kwargs
(indata
, kwargs
)
1425 content
= self
.show(session
, _id
)
1426 indata
= self
._validate
_input
_edit
(indata
, content
, force
=session
["force"])
1427 content
= self
.check_conflict_on_edit(session
, content
, indata
, _id
=_id
)
1428 self
.format_on_edit(content
, indata
)
1429 content_original
= copy
.deepcopy(content
)
1430 deep_update_rfc7396(content
, indata
)
1431 self
.auth
.update_project(content
["_id"], content
)
1432 proj_data
= {"_id": _id
, "changes": indata
, "original": content_original
}
1433 self
._send
_msg
("edited", proj_data
, not_send_msg
=None)
1434 except ValidationError
as e
:
1435 raise EngineException(e
, HTTPStatus
.UNPROCESSABLE_ENTITY
)
1438 class RoleTopicAuth(BaseTopic
):
1440 topic_msg
= None # "roles"
1441 schema_new
= roles_new_schema
1442 schema_edit
= roles_edit_schema
1443 multiproject
= False
1445 def __init__(self
, db
, fs
, msg
, auth
):
1446 BaseTopic
.__init
__(self
, db
, fs
, msg
, auth
)
1448 self
.operations
= auth
.role_permissions
1449 # self.topic = "roles_operations" if isinstance(auth, AuthconnKeystone) else "roles"
1452 def validate_role_definition(operations
, role_definitions
):
1454 Validates the role definition against the operations defined in
1455 the resources to operations files.
1457 :param operations: operations list
1458 :param role_definitions: role definition to test
1459 :return: None if ok, raises ValidationError exception on error
1461 if not role_definitions
.get("permissions"):
1463 ignore_fields
= ["admin", "default"]
1464 for role_def
in role_definitions
["permissions"].keys():
1465 if role_def
in ignore_fields
:
1467 if role_def
[-1] == ":":
1468 raise ValidationError("Operation cannot end with ':'")
1473 for op
in operations
1474 if op
== role_def
or op
.startswith(role_def
+ ":")
1480 raise ValidationError("Invalid permission '{}'".format(role_def
))
1482 def _validate_input_new(self
, input, force
=False):
1484 Validates input user content for a new entry.
1486 :param input: user input content for the new topic
1487 :param force: may be used for being more tolerant
1488 :return: The same input content, or a changed version of it.
1491 validate_input(input, self
.schema_new
)
1492 self
.validate_role_definition(self
.operations
, input)
1496 def _validate_input_edit(self
, input, content
, force
=False):
1498 Validates input user content for updating an entry.
1500 :param input: user input content for the new topic
1501 :param force: may be used for being more tolerant
1502 :return: The same input content, or a changed version of it.
1504 if self
.schema_edit
:
1505 validate_input(input, self
.schema_edit
)
1506 self
.validate_role_definition(self
.operations
, input)
1510 def check_conflict_on_new(self
, session
, indata
):
1512 Check that the data to be inserted is valid
1514 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1515 :param indata: data to be inserted
1516 :return: None or raises EngineException
1518 # check name is not uuid
1519 role_name
= indata
.get("name")
1520 if is_valid_uuid(role_name
):
1521 raise EngineException(
1522 "role name '{}' cannot have an uuid format".format(role_name
),
1523 HTTPStatus
.UNPROCESSABLE_ENTITY
,
1525 # check name not exists
1526 name
= indata
["name"]
1527 # if self.db.get_one(self.topic, {"name": indata.get("name")}, fail_on_empty=False, fail_on_more=False):
1528 if self
.auth
.get_role_list({"name": name
}):
1529 raise EngineException(
1530 "role name '{}' exists".format(name
), HTTPStatus
.CONFLICT
1533 def check_conflict_on_edit(self
, session
, final_content
, edit_content
, _id
):
1535 Check that the data to be edited/uploaded is valid
1537 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1538 :param final_content: data once modified
1539 :param edit_content: incremental data that contains the modifications to apply
1540 :param _id: internal _id
1541 :return: None or raises EngineException
1543 if "default" not in final_content
["permissions"]:
1544 final_content
["permissions"]["default"] = False
1545 if "admin" not in final_content
["permissions"]:
1546 final_content
["permissions"]["admin"] = False
1548 # check name is not uuid
1549 role_name
= edit_content
.get("name")
1550 if is_valid_uuid(role_name
):
1551 raise EngineException(
1552 "role name '{}' cannot have an uuid format".format(role_name
),
1553 HTTPStatus
.UNPROCESSABLE_ENTITY
,
1556 # Check renaming of admin roles
1557 role
= self
.auth
.get_role(_id
)
1558 if role
["name"] in ["system_admin", "project_admin"]:
1559 raise EngineException(
1560 "You cannot rename role '{}'".format(role
["name"]),
1561 http_code
=HTTPStatus
.FORBIDDEN
,
1564 # check name not exists
1565 if "name" in edit_content
:
1566 role_name
= edit_content
["name"]
1567 # if self.db.get_one(self.topic, {"name":role_name,"_id.ne":_id}, fail_on_empty=False, fail_on_more=False):
1568 roles
= self
.auth
.get_role_list({"name": role_name
})
1569 if roles
and roles
[0][BaseTopic
.id_field("roles", _id
)] != _id
:
1570 raise EngineException(
1571 "role name '{}' exists".format(role_name
), HTTPStatus
.CONFLICT
1574 return final_content
1576 def check_conflict_on_del(self
, session
, _id
, db_content
):
1578 Check if deletion can be done because of dependencies if it is not force. To override
1580 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1581 :param _id: internal _id
1582 :param db_content: The database content of this item _id
1583 :return: None if ok or raises EngineException with the conflict
1585 role
= self
.auth
.get_role(_id
)
1586 if role
["name"] in ["system_admin", "project_admin"]:
1587 raise EngineException(
1588 "You cannot delete role '{}'".format(role
["name"]),
1589 http_code
=HTTPStatus
.FORBIDDEN
,
1592 # If any user is using this role, raise CONFLICT exception
1593 if not session
["force"]:
1594 for user
in self
.auth
.get_user_list():
1595 for prm
in user
.get("project_role_mappings"):
1596 if prm
["role"] == _id
:
1597 raise EngineException(
1598 "Role '{}' ({}) is being used by user '{}'".format(
1599 role
["name"], _id
, user
["username"]
1601 HTTPStatus
.CONFLICT
,
1605 def format_on_new(content
, project_id
=None, make_public
=False): # TO BE REMOVED ?
1607 Modifies content descriptor to include _admin
1609 :param content: descriptor to be modified
1610 :param project_id: if included, it add project read/write permissions
1611 :param make_public: if included it is generated as public for reading.
1612 :return: None, but content is modified
1615 if "_admin" not in content
:
1616 content
["_admin"] = {}
1617 if not content
["_admin"].get("created"):
1618 content
["_admin"]["created"] = now
1619 content
["_admin"]["modified"] = now
1621 if "permissions" not in content
:
1622 content
["permissions"] = {}
1624 if "default" not in content
["permissions"]:
1625 content
["permissions"]["default"] = False
1626 if "admin" not in content
["permissions"]:
1627 content
["permissions"]["admin"] = False
1630 def format_on_edit(final_content
, edit_content
):
1632 Modifies final_content descriptor to include the modified date.
1634 :param final_content: final descriptor generated
1635 :param edit_content: alterations to be include
1636 :return: None, but final_content is modified
1638 if "_admin" in final_content
:
1639 final_content
["_admin"]["modified"] = time()
1641 if "permissions" not in final_content
:
1642 final_content
["permissions"] = {}
1644 if "default" not in final_content
["permissions"]:
1645 final_content
["permissions"]["default"] = False
1646 if "admin" not in final_content
["permissions"]:
1647 final_content
["permissions"]["admin"] = False
1650 def show(self
, session
, _id
, filter_q
=None, api_req
=False):
1652 Get complete information on an topic
1654 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1655 :param _id: server internal id
1656 :param filter_q: dict: query parameter
1657 :param api_req: True if this call is serving an external API request. False if serving internal request.
1658 :return: dictionary, raise exception if not found.
1660 filter_q
= {BaseTopic
.id_field(self
.topic
, _id
): _id
}
1661 # roles = self.auth.get_role_list(filter_q)
1662 roles
= self
.list(session
, filter_q
) # To allow default filtering (Bug 853)
1664 raise AuthconnNotFoundException(
1665 "Not found any role with filter {}".format(filter_q
)
1667 elif len(roles
) > 1:
1668 raise AuthconnConflictException(
1669 "Found more than one role with filter {}".format(filter_q
)
1673 def list(self
, session
, filter_q
=None, api_req
=False):
1675 Get a list of the topic that matches a filter
1677 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1678 :param filter_q: filter of data to be applied
1679 :return: The list, it can be empty if no one match the filter.
1681 role_list
= self
.auth
.get_role_list(filter_q
)
1682 if not session
["allow_show_user_project_role"]:
1683 # Bug 853 - Default filtering
1684 user
= self
.auth
.get_user(session
["username"])
1685 roles
= [prm
["role"] for prm
in user
["project_role_mappings"]]
1686 role_list
= [role
for role
in role_list
if role
["_id"] in roles
]
1689 def new(self
, rollback
, session
, indata
=None, kwargs
=None, headers
=None):
1691 Creates a new entry into database.
1693 :param rollback: list to append created items at database in case a rollback may to be done
1694 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1695 :param indata: data to be inserted
1696 :param kwargs: used to override the indata descriptor
1697 :param headers: http request headers
1698 :return: _id: identity of the inserted data, operation _id (None)
1701 content
= self
._remove
_envelop
(indata
)
1703 # Override descriptor with query string kwargs
1704 self
._update
_input
_with
_kwargs
(content
, kwargs
)
1705 content
= self
._validate
_input
_new
(content
, session
["force"])
1706 self
.check_conflict_on_new(session
, content
)
1708 content
, project_id
=session
["project_id"], make_public
=session
["public"]
1710 # role_name = content["name"]
1711 rid
= self
.auth
.create_role(content
)
1712 content
["_id"] = rid
1713 # _id = self.db.create(self.topic, content)
1714 rollback
.append({"topic": self
.topic
, "_id": rid
})
1715 # self._send_msg("created", content, not_send_msg=not_send_msg)
1717 except ValidationError
as e
:
1718 raise EngineException(e
, HTTPStatus
.UNPROCESSABLE_ENTITY
)
1720 def delete(self
, session
, _id
, dry_run
=False, not_send_msg
=None):
1722 Delete item by its internal _id
1724 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1725 :param _id: server internal id
1726 :param dry_run: make checking but do not delete
1727 :param not_send_msg: To not send message (False) or store content (list) instead
1728 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1730 filter_q
= {BaseTopic
.id_field(self
.topic
, _id
): _id
}
1731 roles
= self
.auth
.get_role_list(filter_q
)
1733 raise AuthconnNotFoundException(
1734 "Not found any role with filter {}".format(filter_q
)
1736 elif len(roles
) > 1:
1737 raise AuthconnConflictException(
1738 "Found more than one role with filter {}".format(filter_q
)
1740 rid
= roles
[0]["_id"]
1741 self
.check_conflict_on_del(session
, rid
, None)
1742 # filter_q = {"_id": _id}
1743 # filter_q = {BaseTopic.id_field(self.topic, _id): _id} # To allow role addressing by name
1745 v
= self
.auth
.delete_role(rid
)
1746 # v = self.db.del_one(self.topic, filter_q)
1750 def edit(self
, session
, _id
, indata
=None, kwargs
=None, content
=None):
1752 Updates a role entry.
1754 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1756 :param indata: data to be inserted
1757 :param kwargs: used to override the indata descriptor
1759 :return: _id: identity of the inserted data.
1762 self
._update
_input
_with
_kwargs
(indata
, kwargs
)
1765 content
= self
.show(session
, _id
)
1766 indata
= self
._validate
_input
_edit
(indata
, content
, force
=session
["force"])
1767 deep_update_rfc7396(content
, indata
)
1768 content
= self
.check_conflict_on_edit(session
, content
, indata
, _id
=_id
)
1769 self
.format_on_edit(content
, indata
)
1770 self
.auth
.update_role(content
)
1771 except ValidationError
as e
:
1772 raise EngineException(e
, HTTPStatus
.UNPROCESSABLE_ENTITY
)