1 # -*- coding: utf-8 -*-
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
7 # http://www.apache.org/licenses/LICENSE-2.0
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
17 from uuid
import uuid4
18 from hashlib
import sha256
19 from http
import HTTPStatus
21 from osm_nbi
.validation
import (
26 vim_account_new_schema
,
27 vim_account_edit_schema
,
30 wim_account_new_schema
,
31 wim_account_edit_schema
,
34 k8scluster_new_schema
,
35 k8scluster_edit_schema
,
45 ) # To check that User/Project Names don't look like UUIDs
46 from osm_nbi
.base_topic
import BaseTopic
, EngineException
47 from osm_nbi
.authconn
import AuthconnNotFoundException
, AuthconnConflictException
48 from osm_common
.dbbase
import deep_update_rfc7396
50 from osm_nbi
.temporal
.nbi_temporal
import NbiTemporal
52 __author__
= "Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
55 class UserTopic(BaseTopic
):
58 schema_new
= user_new_schema
59 schema_edit
= user_edit_schema
62 def __init__(self
, db
, fs
, msg
, auth
):
63 BaseTopic
.__init
__(self
, db
, fs
, msg
, auth
)
66 def _get_project_filter(session
):
68 Generates a filter dictionary for querying database users.
69 Current policy is admin can show all, non admin, only its own user.
70 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
73 if session
["admin"]: # allows all
76 return {"username": session
["username"]}
78 def check_conflict_on_new(self
, session
, indata
):
79 # check username not exists
82 {"username": indata
.get("username")},
86 raise EngineException(
87 "username '{}' exists".format(indata
["username"]), HTTPStatus
.CONFLICT
90 if not session
["force"]:
91 for p
in indata
.get("projects") or []:
92 # To allow project addressing by Name as well as ID
93 if not self
.db
.get_one(
95 {BaseTopic
.id_field("projects", p
): p
},
99 raise EngineException(
100 "project '{}' does not exist".format(p
), HTTPStatus
.CONFLICT
103 def check_conflict_on_del(self
, session
, _id
, db_content
):
105 Check if deletion can be done because of dependencies if it is not force. To override
106 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
107 :param _id: internal _id
108 :param db_content: The database content of this item _id
109 :return: None if ok or raises EngineException with the conflict
111 if _id
== session
["username"]:
112 raise EngineException(
113 "You cannot delete your own user", http_code
=HTTPStatus
.CONFLICT
117 def format_on_new(content
, project_id
=None, make_public
=False):
118 BaseTopic
.format_on_new(content
, make_public
=False)
119 # Removed so that the UUID is kept, to allow User Name modification
120 # content["_id"] = content["username"]
122 content
["_admin"]["salt"] = salt
123 if content
.get("password"):
124 content
["password"] = sha256(
125 content
["password"].encode("utf-8") + salt
.encode("utf-8")
127 if content
.get("project_role_mappings"):
129 mapping
["project"] for mapping
in content
["project_role_mappings"]
132 if content
.get("projects"):
133 content
["projects"] += projects
135 content
["projects"] = projects
138 def format_on_edit(final_content
, edit_content
):
139 BaseTopic
.format_on_edit(final_content
, edit_content
)
140 if edit_content
.get("password"):
142 final_content
["_admin"]["salt"] = salt
143 final_content
["password"] = sha256(
144 edit_content
["password"].encode("utf-8") + salt
.encode("utf-8")
148 def edit(self
, session
, _id
, indata
=None, kwargs
=None, content
=None):
149 if not session
["admin"]:
150 raise EngineException(
151 "needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
153 # Names that look like UUIDs are not allowed
154 name
= (indata
if indata
else kwargs
).get("username")
155 if is_valid_uuid(name
):
156 raise EngineException(
157 "Usernames that look like UUIDs are not allowed",
158 http_code
=HTTPStatus
.UNPROCESSABLE_ENTITY
,
160 return BaseTopic
.edit(
161 self
, session
, _id
, indata
=indata
, kwargs
=kwargs
, content
=content
164 def new(self
, rollback
, session
, indata
=None, kwargs
=None, headers
=None):
165 if not session
["admin"]:
166 raise EngineException(
167 "needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
169 # Names that look like UUIDs are not allowed
170 name
= indata
["username"] if indata
else kwargs
["username"]
171 if is_valid_uuid(name
):
172 raise EngineException(
173 "Usernames that look like UUIDs are not allowed",
174 http_code
=HTTPStatus
.UNPROCESSABLE_ENTITY
,
176 return BaseTopic
.new(
177 self
, rollback
, session
, indata
=indata
, kwargs
=kwargs
, headers
=headers
181 class ProjectTopic(BaseTopic
):
183 topic_msg
= "projects"
184 schema_new
= project_new_schema
185 schema_edit
= project_edit_schema
188 def __init__(self
, db
, fs
, msg
, auth
):
189 BaseTopic
.__init
__(self
, db
, fs
, msg
, auth
)
192 def _get_project_filter(session
):
194 Generates a filter dictionary for querying database users.
195 Current policy is admin can show all, non admin, only its own user.
196 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
199 if session
["admin"]: # allows all
202 return {"_id.cont": session
["project_id"]}
204 def check_conflict_on_new(self
, session
, indata
):
205 if not indata
.get("name"):
206 raise EngineException("missing 'name'")
207 # check name not exists
210 {"name": indata
.get("name")},
214 raise EngineException(
215 "name '{}' exists".format(indata
["name"]), HTTPStatus
.CONFLICT
219 def format_on_new(content
, project_id
=None, make_public
=False):
220 BaseTopic
.format_on_new(content
, None)
221 # Removed so that the UUID is kept, to allow Project Name modification
222 # content["_id"] = content["name"]
224 def check_conflict_on_del(self
, session
, _id
, db_content
):
226 Check if deletion can be done because of dependencies if it is not force. To override
227 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
228 :param _id: internal _id
229 :param db_content: The database content of this item _id
230 :return: None if ok or raises EngineException with the conflict
232 if _id
in session
["project_id"]:
233 raise EngineException(
234 "You cannot delete your own project", http_code
=HTTPStatus
.CONFLICT
238 _filter
= {"projects": _id
}
239 if self
.db
.get_list("users", _filter
):
240 raise EngineException(
241 "There is some USER that contains this project",
242 http_code
=HTTPStatus
.CONFLICT
,
245 def edit(self
, session
, _id
, indata
=None, kwargs
=None, content
=None):
246 if not session
["admin"]:
247 raise EngineException(
248 "needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
250 # Names that look like UUIDs are not allowed
251 name
= (indata
if indata
else kwargs
).get("name")
252 if is_valid_uuid(name
):
253 raise EngineException(
254 "Project names that look like UUIDs are not allowed",
255 http_code
=HTTPStatus
.UNPROCESSABLE_ENTITY
,
257 return BaseTopic
.edit(
258 self
, session
, _id
, indata
=indata
, kwargs
=kwargs
, content
=content
261 def new(self
, rollback
, session
, indata
=None, kwargs
=None, headers
=None):
262 if not session
["admin"]:
263 raise EngineException(
264 "needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
266 # Names that look like UUIDs are not allowed
267 name
= indata
["name"] if indata
else kwargs
["name"]
268 if is_valid_uuid(name
):
269 raise EngineException(
270 "Project names that look like UUIDs are not allowed",
271 http_code
=HTTPStatus
.UNPROCESSABLE_ENTITY
,
273 return BaseTopic
.new(
274 self
, rollback
, session
, indata
=indata
, kwargs
=kwargs
, headers
=headers
278 class CommonVimWimSdn(BaseTopic
):
279 """Common class for VIM, WIM SDN just to unify methods that are equal to all of them"""
281 config_to_encrypt
= (
283 ) # what keys at config must be encrypted because contains passwords
284 password_to_encrypt
= "" # key that contains a password
287 def _create_operation(op_type
, params
=None):
289 Creates a dictionary with the information to an operation, similar to ns-lcm-op
290 :param op_type: can be create, edit, delete
291 :param params: operation input parameters
292 :return: new dictionary with
296 "lcmOperationType": op_type
,
297 "operationState": "PROCESSING",
299 "statusEnteredTime": now
,
300 "detailed-status": "",
301 "operationParams": params
,
304 def check_conflict_on_new(self
, session
, indata
):
306 Check that the data to be inserted is valid. It is checked that name is unique
307 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
308 :param indata: data to be inserted
309 :return: None or raises EngineException
311 self
.check_unique_name(session
, indata
["name"], _id
=None)
313 def check_conflict_on_edit(self
, session
, final_content
, edit_content
, _id
):
315 Check that the data to be edited/uploaded is valid. It is checked that name is unique
316 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
317 :param final_content: data once modified. This method may change it.
318 :param edit_content: incremental data that contains the modifications to apply
319 :param _id: internal _id
320 :return: None or raises EngineException
322 if not session
["force"] and edit_content
.get("name"):
323 self
.check_unique_name(session
, edit_content
["name"], _id
=_id
)
327 def _validate_input_edit(self
, input, content
, force
=False):
329 Validates input user content for an edition. It uses jsonschema. Some overrides will use pyangbind
330 :param input: user input content for the new topic
331 :param force: may be used for being more tolerant
332 :return: The same input content, or a changed version of it.
335 if "vim_type" in content
:
336 input["vim_type"] = content
["vim_type"]
337 return super()._validate
_input
_edit
(input, content
, force
)
339 def format_on_edit(self
, final_content
, edit_content
):
341 Modifies final_content inserting admin information upon edition
342 :param final_content: final content to be stored at database
343 :param edit_content: user requested update content
344 :return: operation id
346 super().format_on_edit(final_content
, edit_content
)
349 schema_version
= final_content
.get("schema_version")
351 if edit_content
.get(self
.password_to_encrypt
):
352 final_content
[self
.password_to_encrypt
] = self
.db
.encrypt(
353 edit_content
[self
.password_to_encrypt
],
354 schema_version
=schema_version
,
355 salt
=final_content
["_id"],
357 config_to_encrypt_keys
= self
.config_to_encrypt
.get(
359 ) or self
.config_to_encrypt
.get("default")
360 if edit_content
.get("config") and config_to_encrypt_keys
:
361 for p
in config_to_encrypt_keys
:
362 if edit_content
["config"].get(p
):
363 final_content
["config"][p
] = self
.db
.encrypt(
364 edit_content
["config"][p
],
365 schema_version
=schema_version
,
366 salt
=final_content
["_id"],
369 # create edit operation
370 final_content
["_admin"]["operations"].append(self
._create
_operation
("edit"))
371 return "{}:{}".format(
372 final_content
["_id"], len(final_content
["_admin"]["operations"]) - 1
375 def format_on_new(self
, content
, project_id
=None, make_public
=False):
377 Modifies content descriptor to include _admin and insert create operation
378 :param content: descriptor to be modified
379 :param project_id: if included, it add project read/write permissions. Can be None or a list
380 :param make_public: if included it is generated as public for reading.
381 :return: op_id: operation id on asynchronous operation, None otherwise. In addition content is modified
383 super().format_on_new(content
, project_id
=project_id
, make_public
=make_public
)
384 content
["schema_version"] = schema_version
= "1.11"
387 if content
.get(self
.password_to_encrypt
):
388 content
[self
.password_to_encrypt
] = self
.db
.encrypt(
389 content
[self
.password_to_encrypt
],
390 schema_version
=schema_version
,
393 config_to_encrypt_keys
= self
.config_to_encrypt
.get(
395 ) or self
.config_to_encrypt
.get("default")
396 if content
.get("config") and config_to_encrypt_keys
:
397 for p
in config_to_encrypt_keys
:
398 if content
["config"].get(p
):
399 content
["config"][p
] = self
.db
.encrypt(
400 content
["config"][p
],
401 schema_version
=schema_version
,
405 content
["_admin"]["operationalState"] = "PROCESSING"
408 content
["_admin"]["operations"] = [self
._create
_operation
("create")]
409 content
["_admin"]["current_operation"] = None
410 # create Resource in Openstack based VIM
411 if content
.get("vim_type"):
412 if content
["vim_type"] == "openstack":
414 "ram": {"total": None, "used": None},
415 "vcpus": {"total": None, "used": None},
416 "instances": {"total": None, "used": None},
419 "volumes": {"total": None, "used": None},
420 "snapshots": {"total": None, "used": None},
421 "storage": {"total": None, "used": None},
424 "networks": {"total": None, "used": None},
425 "subnets": {"total": None, "used": None},
426 "floating_ips": {"total": None, "used": None},
428 content
["resources"] = {
434 return "{}:0".format(content
["_id"])
436 def delete(self
, session
, _id
, dry_run
=False, not_send_msg
=None):
438 Delete item by its internal _id
439 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
440 :param _id: server internal id
441 :param dry_run: make checking but do not delete
442 :param not_send_msg: To not send message (False) or store content (list) instead
443 :return: operation id if it is ordered to delete. None otherwise
446 filter_q
= self
._get
_project
_filter
(session
)
447 filter_q
["_id"] = _id
448 db_content
= self
.db
.get_one(self
.topic
, filter_q
)
450 self
.check_conflict_on_del(session
, _id
, db_content
)
454 # remove reference from project_read if there are more projects referencing it. If it last one,
455 # do not remove reference, but order via kafka to delete it
456 if session
["project_id"] and session
["project_id"]:
457 other_projects_referencing
= next(
460 for p
in db_content
["_admin"]["projects_read"]
461 if p
not in session
["project_id"] and p
!= "ANY"
466 # check if there are projects referencing it (apart from ANY, that means, public)....
467 if other_projects_referencing
:
468 # remove references but not delete
470 "_admin.projects_read": session
["project_id"],
471 "_admin.projects_write": session
["project_id"],
474 self
.topic
, filter_q
, update_dict
=None, pull_list
=update_dict_pull
481 for p
in db_content
["_admin"]["projects_write"]
482 if p
== "ANY" or p
in session
["project_id"]
487 raise EngineException(
488 "You have not write permission to delete it",
489 http_code
=HTTPStatus
.UNAUTHORIZED
,
494 self
.db
.del_one(self
.topic
, {"_id": _id
})
496 message
= {"_id": _id
, "op_id": op_id
}
497 # The vim_type is a temporary hack to shim in temporal workflows in the create
498 if "vim_type" in db_content
:
499 message
["vim_type"] = db_content
["vim_type"]
504 not_send_msg
=not_send_msg
,
507 update_dict
= {"_admin.to_delete": True}
511 update_dict
=update_dict
,
512 push
={"_admin.operations": self
._create
_operation
("delete")},
514 # the number of operations is the operation_id. db_content does not contains the new operation inserted,
515 # so the -1 is not needed
516 op_id
= "{}:{}".format(
517 db_content
["_id"], len(db_content
["_admin"]["operations"])
519 message
= {"_id": _id
, "op_id": op_id
}
520 # The vim_type is a temporary hack to shim in temporal workflows in the create
521 if "vim_type" in db_content
:
522 message
["vim_type"] = db_content
["vim_type"]
527 not_send_msg
=not_send_msg
,
532 class VimAccountTopic(CommonVimWimSdn
):
533 topic
= "vim_accounts"
534 topic_msg
= "vim_account"
535 schema_new
= vim_account_new_schema
536 schema_edit
= vim_account_edit_schema
538 password_to_encrypt
= "vim_password"
539 config_to_encrypt
= {
540 "1.1": ("admin_password", "nsx_password", "vcenter_password"),
548 valid_paas_providers
= ["juju"]
549 temporal
= NbiTemporal()
551 def check_conflict_on_new(self
, session
, indata
):
552 super().check_conflict_on_new(session
, indata
)
553 self
._check
_paas
_account
(indata
)
555 def _is_paas_vim_type(self
, indata
):
556 return indata
.get("vim_type") and indata
["vim_type"] == "paas"
558 def _check_paas_account(self
, indata
):
559 if not self
._is
_paas
_vim
_type
(indata
):
561 if not self
._is
_valid
_paas
_config
(indata
.get("config")):
562 raise EngineException(
563 "Invalid config for VIM account '{}'.".format(indata
["name"]),
564 HTTPStatus
.UNPROCESSABLE_ENTITY
,
567 def _is_valid_paas_config(self
, config
) -> bool:
570 paas_provider
= config
.get("paas_provider")
571 is_valid_paas_provider
= paas_provider
in self
.valid_paas_providers
572 if paas_provider
== "juju":
573 return self
._is
_valid
_juju
_paas
_config
(config
)
574 return is_valid_paas_provider
576 def _is_valid_juju_paas_config(self
, config
) -> bool:
586 return all(key
in config
for key
in config_keys
)
588 def check_conflict_on_del(self
, session
, _id
, db_content
):
590 Check if deletion can be done because of dependencies if it is not force. To override
591 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
592 :param _id: internal _id
593 :param db_content: The database content of this item _id
594 :return: None if ok or raises EngineException with the conflict
598 # check if used by VNF
599 if self
.db
.get_list("vnfrs", {"vim-account-id": _id
}):
600 raise EngineException(
601 "There is at least one VNF using this VIM account",
602 http_code
=HTTPStatus
.CONFLICT
,
604 super().check_conflict_on_del(session
, _id
, db_content
)
606 def _send_msg(self
, action
, content
, not_send_msg
=None):
607 if self
._is
_paas
_vim
_type
(content
):
608 self
.temporal
.start_vim_workflow(action
, content
)
611 super()._send
_msg
(action
, content
, not_send_msg
)
614 class WimAccountTopic(CommonVimWimSdn
):
615 topic
= "wim_accounts"
616 topic_msg
= "wim_account"
617 schema_new
= wim_account_new_schema
618 schema_edit
= wim_account_edit_schema
620 password_to_encrypt
= "password"
621 config_to_encrypt
= {}
624 class SdnTopic(CommonVimWimSdn
):
627 quota_name
= "sdn_controllers"
628 schema_new
= sdn_new_schema
629 schema_edit
= sdn_edit_schema
631 password_to_encrypt
= "password"
632 config_to_encrypt
= {}
634 def _obtain_url(self
, input, create
):
635 if input.get("ip") or input.get("port"):
636 if not input.get("ip") or not input.get("port") or input.get("url"):
637 raise ValidationError(
638 "You must provide both 'ip' and 'port' (deprecated); or just 'url' (prefered)"
640 input["url"] = "http://{}:{}/".format(input["ip"], input["port"])
643 elif create
and not input.get("url"):
644 raise ValidationError("You must provide 'url'")
647 def _validate_input_new(self
, input, force
=False):
648 input = super()._validate
_input
_new
(input, force
)
649 return self
._obtain
_url
(input, True)
651 def _validate_input_edit(self
, input, content
, force
=False):
652 input = super()._validate
_input
_edit
(input, content
, force
)
653 return self
._obtain
_url
(input, False)
656 class K8sClusterTopic(CommonVimWimSdn
):
657 topic
= "k8sclusters"
658 topic_msg
= "k8scluster"
659 schema_new
= k8scluster_new_schema
660 schema_edit
= k8scluster_edit_schema
662 password_to_encrypt
= None
663 config_to_encrypt
= {}
665 def format_on_new(self
, content
, project_id
=None, make_public
=False):
666 oid
= super().format_on_new(content
, project_id
, make_public
)
667 self
.db
.encrypt_decrypt_fields(
668 content
["credentials"],
670 ["password", "secret"],
671 schema_version
=content
["schema_version"],
674 # Add Helm/Juju Repo lists
675 repos
= {"helm-chart": [], "juju-bundle": []}
676 for proj
in content
["_admin"]["projects_read"]:
678 for repo
in self
.db
.get_list(
679 "k8srepos", {"_admin.projects_read": proj
}
681 if repo
["_id"] not in repos
[repo
["type"]]:
682 repos
[repo
["type"]].append(repo
["_id"])
684 content
["_admin"][k
.replace("-", "_") + "_repos"] = repos
[k
]
687 def format_on_edit(self
, final_content
, edit_content
):
688 if final_content
.get("schema_version") and edit_content
.get("credentials"):
689 self
.db
.encrypt_decrypt_fields(
690 edit_content
["credentials"],
692 ["password", "secret"],
693 schema_version
=final_content
["schema_version"],
694 salt
=final_content
["_id"],
697 final_content
["credentials"], edit_content
["credentials"]
699 oid
= super().format_on_edit(final_content
, edit_content
)
702 def check_conflict_on_edit(self
, session
, final_content
, edit_content
, _id
):
703 final_content
= super(CommonVimWimSdn
, self
).check_conflict_on_edit(
704 session
, final_content
, edit_content
, _id
706 final_content
= super().check_conflict_on_edit(
707 session
, final_content
, edit_content
, _id
709 # Update Helm/Juju Repo lists
710 repos
= {"helm-chart": [], "juju-bundle": []}
711 for proj
in session
.get("set_project", []):
713 for repo
in self
.db
.get_list(
714 "k8srepos", {"_admin.projects_read": proj
}
716 if repo
["_id"] not in repos
[repo
["type"]]:
717 repos
[repo
["type"]].append(repo
["_id"])
719 rlist
= k
.replace("-", "_") + "_repos"
720 if rlist
not in final_content
["_admin"]:
721 final_content
["_admin"][rlist
] = []
722 final_content
["_admin"][rlist
] += repos
[k
]
725 def check_conflict_on_del(self
, session
, _id
, db_content
):
727 Check if deletion can be done because of dependencies if it is not force. To override
728 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
729 :param _id: internal _id
730 :param db_content: The database content of this item _id
731 :return: None if ok or raises EngineException with the conflict
735 # check if used by VNF
736 filter_q
= {"kdur.k8s-cluster.id": _id
}
737 if session
["project_id"]:
738 filter_q
["_admin.projects_read.cont"] = session
["project_id"]
739 if self
.db
.get_list("vnfrs", filter_q
):
740 raise EngineException(
741 "There is at least one VNF using this k8scluster",
742 http_code
=HTTPStatus
.CONFLICT
,
744 super().check_conflict_on_del(session
, _id
, db_content
)
747 class VcaTopic(CommonVimWimSdn
):
750 schema_new
= vca_new_schema
751 schema_edit
= vca_edit_schema
753 password_to_encrypt
= None
755 def format_on_new(self
, content
, project_id
=None, make_public
=False):
756 oid
= super().format_on_new(content
, project_id
, make_public
)
757 content
["schema_version"] = schema_version
= "1.11"
758 for key
in ["secret", "cacert"]:
759 content
[key
] = self
.db
.encrypt(
760 content
[key
], schema_version
=schema_version
, salt
=content
["_id"]
764 def format_on_edit(self
, final_content
, edit_content
):
765 oid
= super().format_on_edit(final_content
, edit_content
)
766 schema_version
= final_content
.get("schema_version")
767 for key
in ["secret", "cacert"]:
768 if key
in edit_content
:
769 final_content
[key
] = self
.db
.encrypt(
771 schema_version
=schema_version
,
772 salt
=final_content
["_id"],
776 def check_conflict_on_del(self
, session
, _id
, db_content
):
778 Check if deletion can be done because of dependencies if it is not force. To override
779 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
780 :param _id: internal _id
781 :param db_content: The database content of this item _id
782 :return: None if ok or raises EngineException with the conflict
786 # check if used by VNF
787 filter_q
= {"vca": _id
}
788 if session
["project_id"]:
789 filter_q
["_admin.projects_read.cont"] = session
["project_id"]
790 if self
.db
.get_list("vim_accounts", filter_q
):
791 raise EngineException(
792 "There is at least one VIM account using this vca",
793 http_code
=HTTPStatus
.CONFLICT
,
795 super().check_conflict_on_del(session
, _id
, db_content
)
798 class K8sRepoTopic(CommonVimWimSdn
):
800 topic_msg
= "k8srepo"
801 schema_new
= k8srepo_new_schema
802 schema_edit
= k8srepo_edit_schema
804 password_to_encrypt
= None
805 config_to_encrypt
= {}
807 def format_on_new(self
, content
, project_id
=None, make_public
=False):
808 oid
= super().format_on_new(content
, project_id
, make_public
)
809 # Update Helm/Juju Repo lists
810 repo_list
= content
["type"].replace("-", "_") + "_repos"
811 for proj
in content
["_admin"]["projects_read"]:
816 "_admin.projects_read": proj
,
817 "_admin." + repo_list
+ ".ne": content
["_id"],
820 push
={"_admin." + repo_list
: content
["_id"]},
824 def delete(self
, session
, _id
, dry_run
=False, not_send_msg
=None):
825 type = self
.db
.get_one("k8srepos", {"_id": _id
})["type"]
826 oid
= super().delete(session
, _id
, dry_run
, not_send_msg
)
828 # Remove from Helm/Juju Repo lists
829 repo_list
= type.replace("-", "_") + "_repos"
832 {"_admin." + repo_list
: _id
},
834 pull
={"_admin." + repo_list
: _id
},
839 class OsmRepoTopic(BaseTopic
):
841 topic_msg
= "osmrepos"
842 schema_new
= osmrepo_new_schema
843 schema_edit
= osmrepo_edit_schema
845 # TODO: Implement user/password
848 class UserTopicAuth(UserTopic
):
851 schema_new
= user_new_schema
852 schema_edit
= user_edit_schema
854 def __init__(self
, db
, fs
, msg
, auth
):
855 UserTopic
.__init
__(self
, db
, fs
, msg
, auth
)
858 def check_conflict_on_new(self
, session
, indata
):
860 Check that the data to be inserted is valid
862 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
863 :param indata: data to be inserted
864 :return: None or raises EngineException
866 username
= indata
.get("username")
867 if is_valid_uuid(username
):
868 raise EngineException(
869 "username '{}' cannot have a uuid format".format(username
),
870 HTTPStatus
.UNPROCESSABLE_ENTITY
,
873 # Check that username is not used, regardless keystone already checks this
874 if self
.auth
.get_user_list(filter_q
={"name": username
}):
875 raise EngineException(
876 "username '{}' is already used".format(username
), HTTPStatus
.CONFLICT
879 if "projects" in indata
.keys():
880 # convert to new format project_role_mappings
881 role
= self
.auth
.get_role_list({"name": "project_admin"})
883 role
= self
.auth
.get_role_list()
885 raise AuthconnNotFoundException(
886 "Can't find default role for user '{}'".format(username
)
889 if not indata
.get("project_role_mappings"):
890 indata
["project_role_mappings"] = []
891 for project
in indata
["projects"]:
892 pid
= self
.auth
.get_project(project
)["_id"]
893 prm
= {"project": pid
, "role": rid
}
894 if prm
not in indata
["project_role_mappings"]:
895 indata
["project_role_mappings"].append(prm
)
896 # raise EngineException("Format invalid: the keyword 'projects' is not allowed for keystone authentication",
897 # HTTPStatus.BAD_REQUEST)
899 def check_conflict_on_edit(self
, session
, final_content
, edit_content
, _id
):
901 Check that the data to be edited/uploaded is valid
903 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
904 :param final_content: data once modified
905 :param edit_content: incremental data that contains the modifications to apply
906 :param _id: internal _id
907 :return: None or raises EngineException
910 if "username" in edit_content
:
911 username
= edit_content
.get("username")
912 if is_valid_uuid(username
):
913 raise EngineException(
914 "username '{}' cannot have an uuid format".format(username
),
915 HTTPStatus
.UNPROCESSABLE_ENTITY
,
918 # Check that username is not used, regardless keystone already checks this
919 if self
.auth
.get_user_list(filter_q
={"name": username
}):
920 raise EngineException(
921 "username '{}' is already used".format(username
),
925 if final_content
["username"] == "admin":
926 for mapping
in edit_content
.get("remove_project_role_mappings", ()):
927 if mapping
["project"] == "admin" and mapping
.get("role") in (
931 # TODO make this also available for project id and role id
932 raise EngineException(
933 "You cannot remove system_admin role from admin user",
934 http_code
=HTTPStatus
.FORBIDDEN
,
939 def check_conflict_on_del(self
, session
, _id
, db_content
):
941 Check if deletion can be done because of dependencies if it is not force. To override
942 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
943 :param _id: internal _id
944 :param db_content: The database content of this item _id
945 :return: None if ok or raises EngineException with the conflict
947 if db_content
["username"] == session
["username"]:
948 raise EngineException(
949 "You cannot delete your own login user ", http_code
=HTTPStatus
.CONFLICT
951 # TODO: Check that user is not logged in ? How? (Would require listing current tokens)
954 def format_on_show(content
):
956 Modifies the content of the role information to separate the role
957 metadata from the role definition.
959 project_role_mappings
= []
961 if "projects" in content
:
962 for project
in content
["projects"]:
963 for role
in project
["roles"]:
964 project_role_mappings
.append(
966 "project": project
["_id"],
967 "project_name": project
["name"],
969 "role_name": role
["name"],
972 del content
["projects"]
973 content
["project_role_mappings"] = project_role_mappings
977 def new(self
, rollback
, session
, indata
=None, kwargs
=None, headers
=None):
979 Creates a new entry into the authentication backend.
981 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
983 :param rollback: list to append created items at database in case a rollback may to be done
984 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
985 :param indata: data to be inserted
986 :param kwargs: used to override the indata descriptor
987 :param headers: http request headers
988 :return: _id: identity of the inserted data, operation _id (None)
991 content
= BaseTopic
._remove
_envelop
(indata
)
993 # Override descriptor with query string kwargs
994 BaseTopic
._update
_input
_with
_kwargs
(content
, kwargs
)
995 content
= self
._validate
_input
_new
(content
, session
["force"])
996 self
.check_conflict_on_new(session
, content
)
997 # self.format_on_new(content, session["project_id"], make_public=session["public"])
999 content
["_admin"] = {"created": now
, "modified": now
}
1001 for prm
in content
.get("project_role_mappings", []):
1002 proj
= self
.auth
.get_project(prm
["project"], not session
["force"])
1003 role
= self
.auth
.get_role(prm
["role"], not session
["force"])
1004 pid
= proj
["_id"] if proj
else None
1005 rid
= role
["_id"] if role
else None
1006 prl
= {"project": pid
, "role": rid
}
1009 content
["project_role_mappings"] = prms
1010 # _id = self.auth.create_user(content["username"], content["password"])["_id"]
1011 _id
= self
.auth
.create_user(content
)["_id"]
1013 rollback
.append({"topic": self
.topic
, "_id": _id
})
1014 # del content["password"]
1015 self
._send
_msg
("created", content
, not_send_msg
=None)
1017 except ValidationError
as e
:
1018 raise EngineException(e
, HTTPStatus
.UNPROCESSABLE_ENTITY
)
1020 def show(self
, session
, _id
, filter_q
=None, api_req
=False):
1022 Get complete information on an topic
1024 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1025 :param _id: server internal id or username
1026 :param filter_q: dict: query parameter
1027 :param api_req: True if this call is serving an external API request. False if serving internal request.
1028 :return: dictionary, raise exception if not found.
1030 # Allow _id to be a name or uuid
1031 filter_q
= {"username": _id
}
1032 # users = self.auth.get_user_list(filter_q)
1033 users
= self
.list(session
, filter_q
) # To allow default filtering (Bug 853)
1036 elif len(users
) > 1:
1037 raise EngineException(
1038 "Too many users found for '{}'".format(_id
), HTTPStatus
.CONFLICT
1041 raise EngineException(
1042 "User '{}' not found".format(_id
), HTTPStatus
.NOT_FOUND
1045 def edit(self
, session
, _id
, indata
=None, kwargs
=None, content
=None):
1047 Updates an user entry.
1049 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1051 :param indata: data to be inserted
1052 :param kwargs: used to override the indata descriptor
1054 :return: _id: identity of the inserted data.
1056 indata
= self
._remove
_envelop
(indata
)
1058 # Override descriptor with query string kwargs
1060 BaseTopic
._update
_input
_with
_kwargs
(indata
, kwargs
)
1063 content
= self
.show(session
, _id
)
1064 indata
= self
._validate
_input
_edit
(indata
, content
, force
=session
["force"])
1065 content
= self
.check_conflict_on_edit(session
, content
, indata
, _id
=_id
)
1066 # self.format_on_edit(content, indata)
1069 "password" in indata
1070 or "username" in indata
1071 or indata
.get("remove_project_role_mappings")
1072 or indata
.get("add_project_role_mappings")
1073 or indata
.get("project_role_mappings")
1074 or indata
.get("projects")
1075 or indata
.get("add_projects")
1078 if indata
.get("project_role_mappings") and (
1079 indata
.get("remove_project_role_mappings")
1080 or indata
.get("add_project_role_mappings")
1082 raise EngineException(
1083 "Option 'project_role_mappings' is incompatible with 'add_project_role_mappings"
1084 "' or 'remove_project_role_mappings'",
1085 http_code
=HTTPStatus
.BAD_REQUEST
,
1088 if indata
.get("projects") or indata
.get("add_projects"):
1089 role
= self
.auth
.get_role_list({"name": "project_admin"})
1091 role
= self
.auth
.get_role_list()
1093 raise AuthconnNotFoundException(
1094 "Can't find a default role for user '{}'".format(
1098 rid
= role
[0]["_id"]
1099 if "add_project_role_mappings" not in indata
:
1100 indata
["add_project_role_mappings"] = []
1101 if "remove_project_role_mappings" not in indata
:
1102 indata
["remove_project_role_mappings"] = []
1103 if isinstance(indata
.get("projects"), dict):
1104 # backward compatible
1105 for k
, v
in indata
["projects"].items():
1106 if k
.startswith("$") and v
is None:
1107 indata
["remove_project_role_mappings"].append(
1110 elif k
.startswith("$+"):
1111 indata
["add_project_role_mappings"].append(
1112 {"project": v
, "role": rid
}
1114 del indata
["projects"]
1115 for proj
in indata
.get("projects", []) + indata
.get("add_projects", []):
1116 indata
["add_project_role_mappings"].append(
1117 {"project": proj
, "role": rid
}
1120 # user = self.show(session, _id) # Already in 'content'
1121 original_mapping
= content
["project_role_mappings"]
1123 mappings_to_add
= []
1124 mappings_to_remove
= []
1127 for to_remove
in indata
.get("remove_project_role_mappings", ()):
1128 for mapping
in original_mapping
:
1129 if to_remove
["project"] in (
1131 mapping
["project_name"],
1133 if not to_remove
.get("role") or to_remove
["role"] in (
1135 mapping
["role_name"],
1137 mappings_to_remove
.append(mapping
)
1140 for to_add
in indata
.get("add_project_role_mappings", ()):
1141 for mapping
in original_mapping
:
1142 if to_add
["project"] in (
1144 mapping
["project_name"],
1145 ) and to_add
["role"] in (
1147 mapping
["role_name"],
1149 if mapping
in mappings_to_remove
: # do not remove
1150 mappings_to_remove
.remove(mapping
)
1151 break # do not add, it is already at user
1153 pid
= self
.auth
.get_project(to_add
["project"])["_id"]
1154 rid
= self
.auth
.get_role(to_add
["role"])["_id"]
1155 mappings_to_add
.append({"project": pid
, "role": rid
})
1158 if indata
.get("project_role_mappings"):
1159 for to_set
in indata
["project_role_mappings"]:
1160 for mapping
in original_mapping
:
1161 if to_set
["project"] in (
1163 mapping
["project_name"],
1164 ) and to_set
["role"] in (
1166 mapping
["role_name"],
1168 if mapping
in mappings_to_remove
: # do not remove
1169 mappings_to_remove
.remove(mapping
)
1170 break # do not add, it is already at user
1172 pid
= self
.auth
.get_project(to_set
["project"])["_id"]
1173 rid
= self
.auth
.get_role(to_set
["role"])["_id"]
1174 mappings_to_add
.append({"project": pid
, "role": rid
})
1175 for mapping
in original_mapping
:
1176 for to_set
in indata
["project_role_mappings"]:
1177 if to_set
["project"] in (
1179 mapping
["project_name"],
1180 ) and to_set
["role"] in (
1182 mapping
["role_name"],
1187 if mapping
not in mappings_to_remove
: # do not remove
1188 mappings_to_remove
.append(mapping
)
1190 self
.auth
.update_user(
1193 "username": indata
.get("username"),
1194 "password": indata
.get("password"),
1195 "old_password": indata
.get("old_password"),
1196 "add_project_role_mappings": mappings_to_add
,
1197 "remove_project_role_mappings": mappings_to_remove
,
1200 data_to_send
= {"_id": _id
, "changes": indata
}
1201 self
._send
_msg
("edited", data_to_send
, not_send_msg
=None)
1204 except ValidationError
as e
:
1205 raise EngineException(e
, HTTPStatus
.UNPROCESSABLE_ENTITY
)
1207 def list(self
, session
, filter_q
=None, api_req
=False):
1209 Get a list of the topic that matches a filter
1210 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1211 :param filter_q: filter of data to be applied
1212 :param api_req: True if this call is serving an external API request. False if serving internal request.
1213 :return: The list, it can be empty if no one match the filter.
1215 user_list
= self
.auth
.get_user_list(filter_q
)
1216 if not session
["allow_show_user_project_role"]:
1217 # Bug 853 - Default filtering
1219 usr
for usr
in user_list
if usr
["username"] == session
["username"]
1223 def delete(self
, session
, _id
, dry_run
=False, not_send_msg
=None):
1225 Delete item by its internal _id
1227 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1228 :param _id: server internal id
1229 :param force: indicates if deletion must be forced in case of conflict
1230 :param dry_run: make checking but do not delete
1231 :param not_send_msg: To not send message (False) or store content (list) instead
1232 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1234 # Allow _id to be a name or uuid
1235 user
= self
.auth
.get_user(_id
)
1237 self
.check_conflict_on_del(session
, uid
, user
)
1239 v
= self
.auth
.delete_user(uid
)
1240 self
._send
_msg
("deleted", user
, not_send_msg
=not_send_msg
)
1245 class ProjectTopicAuth(ProjectTopic
):
1246 # topic = "projects"
1247 topic_msg
= "project"
1248 schema_new
= project_new_schema
1249 schema_edit
= project_edit_schema
1251 def __init__(self
, db
, fs
, msg
, auth
):
1252 ProjectTopic
.__init
__(self
, db
, fs
, msg
, auth
)
1255 def check_conflict_on_new(self
, session
, indata
):
1257 Check that the data to be inserted is valid
1259 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1260 :param indata: data to be inserted
1261 :return: None or raises EngineException
1263 project_name
= indata
.get("name")
1264 if is_valid_uuid(project_name
):
1265 raise EngineException(
1266 "project name '{}' cannot have an uuid format".format(project_name
),
1267 HTTPStatus
.UNPROCESSABLE_ENTITY
,
1270 project_list
= self
.auth
.get_project_list(filter_q
={"name": project_name
})
1273 raise EngineException(
1274 "project '{}' exists".format(project_name
), HTTPStatus
.CONFLICT
1277 def check_conflict_on_edit(self
, session
, final_content
, edit_content
, _id
):
1279 Check that the data to be edited/uploaded is valid
1281 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1282 :param final_content: data once modified
1283 :param edit_content: incremental data that contains the modifications to apply
1284 :param _id: internal _id
1285 :return: None or raises EngineException
1288 project_name
= edit_content
.get("name")
1289 if project_name
!= final_content
["name"]: # It is a true renaming
1290 if is_valid_uuid(project_name
):
1291 raise EngineException(
1292 "project name '{}' cannot have an uuid format".format(project_name
),
1293 HTTPStatus
.UNPROCESSABLE_ENTITY
,
1296 if final_content
["name"] == "admin":
1297 raise EngineException(
1298 "You cannot rename project 'admin'", http_code
=HTTPStatus
.CONFLICT
1301 # Check that project name is not used, regardless keystone already checks this
1302 if project_name
and self
.auth
.get_project_list(
1303 filter_q
={"name": project_name
}
1305 raise EngineException(
1306 "project '{}' is already used".format(project_name
),
1307 HTTPStatus
.CONFLICT
,
1309 return final_content
1311 def check_conflict_on_del(self
, session
, _id
, db_content
):
1313 Check if deletion can be done because of dependencies if it is not force. To override
1315 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1316 :param _id: internal _id
1317 :param db_content: The database content of this item _id
1318 :return: None if ok or raises EngineException with the conflict
1321 def check_rw_projects(topic
, title
, id_field
):
1322 for desc
in self
.db
.get_list(topic
):
1325 in desc
["_admin"]["projects_read"]
1326 + desc
["_admin"]["projects_write"]
1328 raise EngineException(
1329 "Project '{}' ({}) is being used by {} '{}'".format(
1330 db_content
["name"], _id
, title
, desc
[id_field
]
1332 HTTPStatus
.CONFLICT
,
1335 if _id
in session
["project_id"]:
1336 raise EngineException(
1337 "You cannot delete your own project", http_code
=HTTPStatus
.CONFLICT
1340 if db_content
["name"] == "admin":
1341 raise EngineException(
1342 "You cannot delete project 'admin'", http_code
=HTTPStatus
.CONFLICT
1345 # If any user is using this project, raise CONFLICT exception
1346 if not session
["force"]:
1347 for user
in self
.auth
.get_user_list():
1348 for prm
in user
.get("project_role_mappings"):
1349 if prm
["project"] == _id
:
1350 raise EngineException(
1351 "Project '{}' ({}) is being used by user '{}'".format(
1352 db_content
["name"], _id
, user
["username"]
1354 HTTPStatus
.CONFLICT
,
1357 # If any VNFD, NSD, NST, PDU, etc. is using this project, raise CONFLICT exception
1358 if not session
["force"]:
1359 check_rw_projects("vnfds", "VNF Descriptor", "id")
1360 check_rw_projects("nsds", "NS Descriptor", "id")
1361 check_rw_projects("nsts", "NS Template", "id")
1362 check_rw_projects("pdus", "PDU Descriptor", "name")
1364 def new(self
, rollback
, session
, indata
=None, kwargs
=None, headers
=None):
1366 Creates a new entry into the authentication backend.
1368 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
1370 :param rollback: list to append created items at database in case a rollback may to be done
1371 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1372 :param indata: data to be inserted
1373 :param kwargs: used to override the indata descriptor
1374 :param headers: http request headers
1375 :return: _id: identity of the inserted data, operation _id (None)
1378 content
= BaseTopic
._remove
_envelop
(indata
)
1380 # Override descriptor with query string kwargs
1381 BaseTopic
._update
_input
_with
_kwargs
(content
, kwargs
)
1382 content
= self
._validate
_input
_new
(content
, session
["force"])
1383 self
.check_conflict_on_new(session
, content
)
1385 content
, project_id
=session
["project_id"], make_public
=session
["public"]
1387 _id
= self
.auth
.create_project(content
)
1388 rollback
.append({"topic": self
.topic
, "_id": _id
})
1389 self
._send
_msg
("created", content
, not_send_msg
=None)
1391 except ValidationError
as e
:
1392 raise EngineException(e
, HTTPStatus
.UNPROCESSABLE_ENTITY
)
1394 def show(self
, session
, _id
, filter_q
=None, api_req
=False):
1396 Get complete information on an topic
1398 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1399 :param _id: server internal id
1400 :param filter_q: dict: query parameter
1401 :param api_req: True if this call is serving an external API request. False if serving internal request.
1402 :return: dictionary, raise exception if not found.
1404 # Allow _id to be a name or uuid
1405 filter_q
= {self
.id_field(self
.topic
, _id
): _id
}
1406 # projects = self.auth.get_project_list(filter_q=filter_q)
1407 projects
= self
.list(session
, filter_q
) # To allow default filtering (Bug 853)
1408 if len(projects
) == 1:
1410 elif len(projects
) > 1:
1411 raise EngineException("Too many projects found", HTTPStatus
.CONFLICT
)
1413 raise EngineException("Project not found", HTTPStatus
.NOT_FOUND
)
1415 def list(self
, session
, filter_q
=None, api_req
=False):
1417 Get a list of the topic that matches a filter
1419 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1420 :param filter_q: filter of data to be applied
1421 :return: The list, it can be empty if no one match the filter.
1423 project_list
= self
.auth
.get_project_list(filter_q
)
1424 if not session
["allow_show_user_project_role"]:
1425 # Bug 853 - Default filtering
1426 user
= self
.auth
.get_user(session
["username"])
1427 projects
= [prm
["project"] for prm
in user
["project_role_mappings"]]
1428 project_list
= [proj
for proj
in project_list
if proj
["_id"] in projects
]
1431 def delete(self
, session
, _id
, dry_run
=False, not_send_msg
=None):
1433 Delete item by its internal _id
1435 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1436 :param _id: server internal id
1437 :param dry_run: make checking but do not delete
1438 :param not_send_msg: To not send message (False) or store content (list) instead
1439 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1441 # Allow _id to be a name or uuid
1442 proj
= self
.auth
.get_project(_id
)
1444 self
.check_conflict_on_del(session
, pid
, proj
)
1446 v
= self
.auth
.delete_project(pid
)
1447 self
._send
_msg
("deleted", proj
, not_send_msg
=None)
1451 def edit(self
, session
, _id
, indata
=None, kwargs
=None, content
=None):
1453 Updates a project entry.
1455 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1457 :param indata: data to be inserted
1458 :param kwargs: used to override the indata descriptor
1460 :return: _id: identity of the inserted data.
1462 indata
= self
._remove
_envelop
(indata
)
1464 # Override descriptor with query string kwargs
1466 BaseTopic
._update
_input
_with
_kwargs
(indata
, kwargs
)
1469 content
= self
.show(session
, _id
)
1470 indata
= self
._validate
_input
_edit
(indata
, content
, force
=session
["force"])
1471 content
= self
.check_conflict_on_edit(session
, content
, indata
, _id
=_id
)
1472 self
.format_on_edit(content
, indata
)
1473 content_original
= copy
.deepcopy(content
)
1474 deep_update_rfc7396(content
, indata
)
1475 self
.auth
.update_project(content
["_id"], content
)
1476 proj_data
= {"_id": _id
, "changes": indata
, "original": content_original
}
1477 self
._send
_msg
("edited", proj_data
, not_send_msg
=None)
1478 except ValidationError
as e
:
1479 raise EngineException(e
, HTTPStatus
.UNPROCESSABLE_ENTITY
)
1482 class RoleTopicAuth(BaseTopic
):
1484 topic_msg
= None # "roles"
1485 schema_new
= roles_new_schema
1486 schema_edit
= roles_edit_schema
1487 multiproject
= False
1489 def __init__(self
, db
, fs
, msg
, auth
):
1490 BaseTopic
.__init
__(self
, db
, fs
, msg
, auth
)
1492 self
.operations
= auth
.role_permissions
1493 # self.topic = "roles_operations" if isinstance(auth, AuthconnKeystone) else "roles"
1496 def validate_role_definition(operations
, role_definitions
):
1498 Validates the role definition against the operations defined in
1499 the resources to operations files.
1501 :param operations: operations list
1502 :param role_definitions: role definition to test
1503 :return: None if ok, raises ValidationError exception on error
1505 if not role_definitions
.get("permissions"):
1507 ignore_fields
= ["admin", "default"]
1508 for role_def
in role_definitions
["permissions"].keys():
1509 if role_def
in ignore_fields
:
1511 if role_def
[-1] == ":":
1512 raise ValidationError("Operation cannot end with ':'")
1517 for op
in operations
1518 if op
== role_def
or op
.startswith(role_def
+ ":")
1524 raise ValidationError("Invalid permission '{}'".format(role_def
))
1526 def _validate_input_new(self
, input, force
=False):
1528 Validates input user content for a new entry.
1530 :param input: user input content for the new topic
1531 :param force: may be used for being more tolerant
1532 :return: The same input content, or a changed version of it.
1535 validate_input(input, self
.schema_new
)
1536 self
.validate_role_definition(self
.operations
, input)
1540 def _validate_input_edit(self
, input, content
, force
=False):
1542 Validates input user content for updating an entry.
1544 :param input: user input content for the new topic
1545 :param force: may be used for being more tolerant
1546 :return: The same input content, or a changed version of it.
1548 if self
.schema_edit
:
1549 validate_input(input, self
.schema_edit
)
1550 self
.validate_role_definition(self
.operations
, input)
1554 def check_conflict_on_new(self
, session
, indata
):
1556 Check that the data to be inserted is valid
1558 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1559 :param indata: data to be inserted
1560 :return: None or raises EngineException
1562 # check name is not uuid
1563 role_name
= indata
.get("name")
1564 if is_valid_uuid(role_name
):
1565 raise EngineException(
1566 "role name '{}' cannot have an uuid format".format(role_name
),
1567 HTTPStatus
.UNPROCESSABLE_ENTITY
,
1569 # check name not exists
1570 name
= indata
["name"]
1571 # if self.db.get_one(self.topic, {"name": indata.get("name")}, fail_on_empty=False, fail_on_more=False):
1572 if self
.auth
.get_role_list({"name": name
}):
1573 raise EngineException(
1574 "role name '{}' exists".format(name
), HTTPStatus
.CONFLICT
1577 def check_conflict_on_edit(self
, session
, final_content
, edit_content
, _id
):
1579 Check that the data to be edited/uploaded is valid
1581 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1582 :param final_content: data once modified
1583 :param edit_content: incremental data that contains the modifications to apply
1584 :param _id: internal _id
1585 :return: None or raises EngineException
1587 if "default" not in final_content
["permissions"]:
1588 final_content
["permissions"]["default"] = False
1589 if "admin" not in final_content
["permissions"]:
1590 final_content
["permissions"]["admin"] = False
1592 # check name is not uuid
1593 role_name
= edit_content
.get("name")
1594 if is_valid_uuid(role_name
):
1595 raise EngineException(
1596 "role name '{}' cannot have an uuid format".format(role_name
),
1597 HTTPStatus
.UNPROCESSABLE_ENTITY
,
1600 # Check renaming of admin roles
1601 role
= self
.auth
.get_role(_id
)
1602 if role
["name"] in ["system_admin", "project_admin"]:
1603 raise EngineException(
1604 "You cannot rename role '{}'".format(role
["name"]),
1605 http_code
=HTTPStatus
.FORBIDDEN
,
1608 # check name not exists
1609 if "name" in edit_content
:
1610 role_name
= edit_content
["name"]
1611 # if self.db.get_one(self.topic, {"name":role_name,"_id.ne":_id}, fail_on_empty=False, fail_on_more=False):
1612 roles
= self
.auth
.get_role_list({"name": role_name
})
1613 if roles
and roles
[0][BaseTopic
.id_field("roles", _id
)] != _id
:
1614 raise EngineException(
1615 "role name '{}' exists".format(role_name
), HTTPStatus
.CONFLICT
1618 return final_content
1620 def check_conflict_on_del(self
, session
, _id
, db_content
):
1622 Check if deletion can be done because of dependencies if it is not force. To override
1624 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1625 :param _id: internal _id
1626 :param db_content: The database content of this item _id
1627 :return: None if ok or raises EngineException with the conflict
1629 role
= self
.auth
.get_role(_id
)
1630 if role
["name"] in ["system_admin", "project_admin"]:
1631 raise EngineException(
1632 "You cannot delete role '{}'".format(role
["name"]),
1633 http_code
=HTTPStatus
.FORBIDDEN
,
1636 # If any user is using this role, raise CONFLICT exception
1637 if not session
["force"]:
1638 for user
in self
.auth
.get_user_list():
1639 for prm
in user
.get("project_role_mappings"):
1640 if prm
["role"] == _id
:
1641 raise EngineException(
1642 "Role '{}' ({}) is being used by user '{}'".format(
1643 role
["name"], _id
, user
["username"]
1645 HTTPStatus
.CONFLICT
,
1649 def format_on_new(content
, project_id
=None, make_public
=False): # TO BE REMOVED ?
1651 Modifies content descriptor to include _admin
1653 :param content: descriptor to be modified
1654 :param project_id: if included, it add project read/write permissions
1655 :param make_public: if included it is generated as public for reading.
1656 :return: None, but content is modified
1659 if "_admin" not in content
:
1660 content
["_admin"] = {}
1661 if not content
["_admin"].get("created"):
1662 content
["_admin"]["created"] = now
1663 content
["_admin"]["modified"] = now
1665 if "permissions" not in content
:
1666 content
["permissions"] = {}
1668 if "default" not in content
["permissions"]:
1669 content
["permissions"]["default"] = False
1670 if "admin" not in content
["permissions"]:
1671 content
["permissions"]["admin"] = False
1674 def format_on_edit(final_content
, edit_content
):
1676 Modifies final_content descriptor to include the modified date.
1678 :param final_content: final descriptor generated
1679 :param edit_content: alterations to be include
1680 :return: None, but final_content is modified
1682 if "_admin" in final_content
:
1683 final_content
["_admin"]["modified"] = time()
1685 if "permissions" not in final_content
:
1686 final_content
["permissions"] = {}
1688 if "default" not in final_content
["permissions"]:
1689 final_content
["permissions"]["default"] = False
1690 if "admin" not in final_content
["permissions"]:
1691 final_content
["permissions"]["admin"] = False
1694 def show(self
, session
, _id
, filter_q
=None, api_req
=False):
1696 Get complete information on an topic
1698 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1699 :param _id: server internal id
1700 :param filter_q: dict: query parameter
1701 :param api_req: True if this call is serving an external API request. False if serving internal request.
1702 :return: dictionary, raise exception if not found.
1704 filter_q
= {BaseTopic
.id_field(self
.topic
, _id
): _id
}
1705 # roles = self.auth.get_role_list(filter_q)
1706 roles
= self
.list(session
, filter_q
) # To allow default filtering (Bug 853)
1708 raise AuthconnNotFoundException(
1709 "Not found any role with filter {}".format(filter_q
)
1711 elif len(roles
) > 1:
1712 raise AuthconnConflictException(
1713 "Found more than one role with filter {}".format(filter_q
)
1717 def list(self
, session
, filter_q
=None, api_req
=False):
1719 Get a list of the topic that matches a filter
1721 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1722 :param filter_q: filter of data to be applied
1723 :return: The list, it can be empty if no one match the filter.
1725 role_list
= self
.auth
.get_role_list(filter_q
)
1726 if not session
["allow_show_user_project_role"]:
1727 # Bug 853 - Default filtering
1728 user
= self
.auth
.get_user(session
["username"])
1729 roles
= [prm
["role"] for prm
in user
["project_role_mappings"]]
1730 role_list
= [role
for role
in role_list
if role
["_id"] in roles
]
1733 def new(self
, rollback
, session
, indata
=None, kwargs
=None, headers
=None):
1735 Creates a new entry into database.
1737 :param rollback: list to append created items at database in case a rollback may to be done
1738 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1739 :param indata: data to be inserted
1740 :param kwargs: used to override the indata descriptor
1741 :param headers: http request headers
1742 :return: _id: identity of the inserted data, operation _id (None)
1745 content
= self
._remove
_envelop
(indata
)
1747 # Override descriptor with query string kwargs
1748 self
._update
_input
_with
_kwargs
(content
, kwargs
)
1749 content
= self
._validate
_input
_new
(content
, session
["force"])
1750 self
.check_conflict_on_new(session
, content
)
1752 content
, project_id
=session
["project_id"], make_public
=session
["public"]
1754 # role_name = content["name"]
1755 rid
= self
.auth
.create_role(content
)
1756 content
["_id"] = rid
1757 # _id = self.db.create(self.topic, content)
1758 rollback
.append({"topic": self
.topic
, "_id": rid
})
1759 # self._send_msg("created", content, not_send_msg=not_send_msg)
1761 except ValidationError
as e
:
1762 raise EngineException(e
, HTTPStatus
.UNPROCESSABLE_ENTITY
)
1764 def delete(self
, session
, _id
, dry_run
=False, not_send_msg
=None):
1766 Delete item by its internal _id
1768 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1769 :param _id: server internal id
1770 :param dry_run: make checking but do not delete
1771 :param not_send_msg: To not send message (False) or store content (list) instead
1772 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1774 filter_q
= {BaseTopic
.id_field(self
.topic
, _id
): _id
}
1775 roles
= self
.auth
.get_role_list(filter_q
)
1777 raise AuthconnNotFoundException(
1778 "Not found any role with filter {}".format(filter_q
)
1780 elif len(roles
) > 1:
1781 raise AuthconnConflictException(
1782 "Found more than one role with filter {}".format(filter_q
)
1784 rid
= roles
[0]["_id"]
1785 self
.check_conflict_on_del(session
, rid
, None)
1786 # filter_q = {"_id": _id}
1787 # filter_q = {BaseTopic.id_field(self.topic, _id): _id} # To allow role addressing by name
1789 v
= self
.auth
.delete_role(rid
)
1790 # v = self.db.del_one(self.topic, filter_q)
1794 def edit(self
, session
, _id
, indata
=None, kwargs
=None, content
=None):
1796 Updates a role entry.
1798 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1800 :param indata: data to be inserted
1801 :param kwargs: used to override the indata descriptor
1803 :return: _id: identity of the inserted data.
1806 self
._update
_input
_with
_kwargs
(indata
, kwargs
)
1809 content
= self
.show(session
, _id
)
1810 indata
= self
._validate
_input
_edit
(indata
, content
, force
=session
["force"])
1811 deep_update_rfc7396(content
, indata
)
1812 content
= self
.check_conflict_on_edit(session
, content
, indata
, _id
=_id
)
1813 self
.format_on_edit(content
, indata
)
1814 self
.auth
.update_role(content
)
1815 except ValidationError
as e
:
1816 raise EngineException(e
, HTTPStatus
.UNPROCESSABLE_ENTITY
)