projects / osm / NBI.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Feature5950: Management of quotas in VIM Account
[osm/NBI.git] / osm_nbi / admin_topics.py
1 # -*- coding: utf-8 -*-
2
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
6 #
7 # http://www.apache.org/licenses/LICENSE-2.0
8 #
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
12 # implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
16 # import logging
17 from uuid import uuid4
18 from hashlib import sha256
19 from http import HTTPStatus
20 from time import time
21 from osm_nbi.validation import (
22 user_new_schema,
23 user_edit_schema,
24 project_new_schema,
25 project_edit_schema,
26 vim_account_new_schema,
27 vim_account_edit_schema,
28 sdn_new_schema,
29 sdn_edit_schema,
30 wim_account_new_schema,
31 wim_account_edit_schema,
32 roles_new_schema,
33 roles_edit_schema,
34 k8scluster_new_schema,
35 k8scluster_edit_schema,
36 k8srepo_new_schema,
37 k8srepo_edit_schema,
38 vca_new_schema,
39 vca_edit_schema,
40 osmrepo_new_schema,
41 osmrepo_edit_schema,
42 validate_input,
43 ValidationError,
44 is_valid_uuid,
45 ) # To check that User/Project Names don't look like UUIDs
46 from osm_nbi.base_topic import BaseTopic, EngineException
47 from osm_nbi.authconn import AuthconnNotFoundException, AuthconnConflictException
48 from osm_common.dbbase import deep_update_rfc7396
49 import copy
50
51 __author__ = "Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
52
53
54 class UserTopic(BaseTopic):
55 topic = "users"
56 topic_msg = "users"
57 schema_new = user_new_schema
58 schema_edit = user_edit_schema
59 multiproject = False
60
61 def __init__(self, db, fs, msg, auth):
62 BaseTopic.__init__(self, db, fs, msg, auth)
63
64 @staticmethod
65 def _get_project_filter(session):
66 """
67 Generates a filter dictionary for querying database users.
68 Current policy is admin can show all, non admin, only its own user.
69 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
70 :return:
71 """
72 if session["admin"]: # allows all
73 return {}
74 else:
75 return {"username": session["username"]}
76
77 def check_conflict_on_new(self, session, indata):
78 # check username not exists
79 if self.db.get_one(
80 self.topic,
81 {"username": indata.get("username")},
82 fail_on_empty=False,
83 fail_on_more=False,
84 ):
85 raise EngineException(
86 "username '{}' exists".format(indata["username"]), HTTPStatus.CONFLICT
87 )
88 # check projects
89 if not session["force"]:
90 for p in indata.get("projects") or []:
91 # To allow project addressing by Name as well as ID
92 if not self.db.get_one(
93 "projects",
94 {BaseTopic.id_field("projects", p): p},
95 fail_on_empty=False,
96 fail_on_more=False,
97 ):
98 raise EngineException(
99 "project '{}' does not exist".format(p), HTTPStatus.CONFLICT
100 )
101
102 def check_conflict_on_del(self, session, _id, db_content):
103 """
104 Check if deletion can be done because of dependencies if it is not force. To override
105 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
106 :param _id: internal _id
107 :param db_content: The database content of this item _id
108 :return: None if ok or raises EngineException with the conflict
109 """
110 if _id == session["username"]:
111 raise EngineException(
112 "You cannot delete your own user", http_code=HTTPStatus.CONFLICT
113 )
114
115 @staticmethod
116 def format_on_new(content, project_id=None, make_public=False):
117 BaseTopic.format_on_new(content, make_public=False)
118 # Removed so that the UUID is kept, to allow User Name modification
119 # content["_id"] = content["username"]
120 salt = uuid4().hex
121 content["_admin"]["salt"] = salt
122 if content.get("password"):
123 content["password"] = sha256(
124 content["password"].encode("utf-8") + salt.encode("utf-8")
125 ).hexdigest()
126 if content.get("project_role_mappings"):
127 projects = [
128 mapping["project"] for mapping in content["project_role_mappings"]
129 ]
130
131 if content.get("projects"):
132 content["projects"] += projects
133 else:
134 content["projects"] = projects
135
136 @staticmethod
137 def format_on_edit(final_content, edit_content):
138 BaseTopic.format_on_edit(final_content, edit_content)
139 if edit_content.get("password"):
140 salt = uuid4().hex
141 final_content["_admin"]["salt"] = salt
142 final_content["password"] = sha256(
143 edit_content["password"].encode("utf-8") + salt.encode("utf-8")
144 ).hexdigest()
145 return None
146
147 def edit(self, session, _id, indata=None, kwargs=None, content=None):
148 if not session["admin"]:
149 raise EngineException(
150 "needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED
151 )
152 # Names that look like UUIDs are not allowed
153 name = (indata if indata else kwargs).get("username")
154 if is_valid_uuid(name):
155 raise EngineException(
156 "Usernames that look like UUIDs are not allowed",
157 http_code=HTTPStatus.UNPROCESSABLE_ENTITY,
158 )
159 return BaseTopic.edit(
160 self, session, _id, indata=indata, kwargs=kwargs, content=content
161 )
162
163 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
164 if not session["admin"]:
165 raise EngineException(
166 "needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED
167 )
168 # Names that look like UUIDs are not allowed
169 name = indata["username"] if indata else kwargs["username"]
170 if is_valid_uuid(name):
171 raise EngineException(
172 "Usernames that look like UUIDs are not allowed",
173 http_code=HTTPStatus.UNPROCESSABLE_ENTITY,
174 )
175 return BaseTopic.new(
176 self, rollback, session, indata=indata, kwargs=kwargs, headers=headers
177 )
178
179
180 class ProjectTopic(BaseTopic):
181 topic = "projects"
182 topic_msg = "projects"
183 schema_new = project_new_schema
184 schema_edit = project_edit_schema
185 multiproject = False
186
187 def __init__(self, db, fs, msg, auth):
188 BaseTopic.__init__(self, db, fs, msg, auth)
189
190 @staticmethod
191 def _get_project_filter(session):
192 """
193 Generates a filter dictionary for querying database users.
194 Current policy is admin can show all, non admin, only its own user.
195 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
196 :return:
197 """
198 if session["admin"]: # allows all
199 return {}
200 else:
201 return {"_id.cont": session["project_id"]}
202
203 def check_conflict_on_new(self, session, indata):
204 if not indata.get("name"):
205 raise EngineException("missing 'name'")
206 # check name not exists
207 if self.db.get_one(
208 self.topic,
209 {"name": indata.get("name")},
210 fail_on_empty=False,
211 fail_on_more=False,
212 ):
213 raise EngineException(
214 "name '{}' exists".format(indata["name"]), HTTPStatus.CONFLICT
215 )
216
217 @staticmethod
218 def format_on_new(content, project_id=None, make_public=False):
219 BaseTopic.format_on_new(content, None)
220 # Removed so that the UUID is kept, to allow Project Name modification
221 # content["_id"] = content["name"]
222
223 def check_conflict_on_del(self, session, _id, db_content):
224 """
225 Check if deletion can be done because of dependencies if it is not force. To override
226 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
227 :param _id: internal _id
228 :param db_content: The database content of this item _id
229 :return: None if ok or raises EngineException with the conflict
230 """
231 if _id in session["project_id"]:
232 raise EngineException(
233 "You cannot delete your own project", http_code=HTTPStatus.CONFLICT
234 )
235 if session["force"]:
236 return
237 _filter = {"projects": _id}
238 if self.db.get_list("users", _filter):
239 raise EngineException(
240 "There is some USER that contains this project",
241 http_code=HTTPStatus.CONFLICT,
242 )
243
244 def edit(self, session, _id, indata=None, kwargs=None, content=None):
245 if not session["admin"]:
246 raise EngineException(
247 "needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED
248 )
249 # Names that look like UUIDs are not allowed
250 name = (indata if indata else kwargs).get("name")
251 if is_valid_uuid(name):
252 raise EngineException(
253 "Project names that look like UUIDs are not allowed",
254 http_code=HTTPStatus.UNPROCESSABLE_ENTITY,
255 )
256 return BaseTopic.edit(
257 self, session, _id, indata=indata, kwargs=kwargs, content=content
258 )
259
260 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
261 if not session["admin"]:
262 raise EngineException(
263 "needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED
264 )
265 # Names that look like UUIDs are not allowed
266 name = indata["name"] if indata else kwargs["name"]
267 if is_valid_uuid(name):
268 raise EngineException(
269 "Project names that look like UUIDs are not allowed",
270 http_code=HTTPStatus.UNPROCESSABLE_ENTITY,
271 )
272 return BaseTopic.new(
273 self, rollback, session, indata=indata, kwargs=kwargs, headers=headers
274 )
275
276
277 class CommonVimWimSdn(BaseTopic):
278 """Common class for VIM, WIM SDN just to unify methods that are equal to all of them"""
279
280 config_to_encrypt = (
281 {}
282 ) # what keys at config must be encrypted because contains passwords
283 password_to_encrypt = "" # key that contains a password
284
285 @staticmethod
286 def _create_operation(op_type, params=None):
287 """
288 Creates a dictionary with the information to an operation, similar to ns-lcm-op
289 :param op_type: can be create, edit, delete
290 :param params: operation input parameters
291 :return: new dictionary with
292 """
293 now = time()
294 return {
295 "lcmOperationType": op_type,
296 "operationState": "PROCESSING",
297 "startTime": now,
298 "statusEnteredTime": now,
299 "detailed-status": "",
300 "operationParams": params,
301 }
302
303 def check_conflict_on_new(self, session, indata):
304 """
305 Check that the data to be inserted is valid. It is checked that name is unique
306 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
307 :param indata: data to be inserted
308 :return: None or raises EngineException
309 """
310 self.check_unique_name(session, indata["name"], _id=None)
311
312 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
313 """
314 Check that the data to be edited/uploaded is valid. It is checked that name is unique
315 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
316 :param final_content: data once modified. This method may change it.
317 :param edit_content: incremental data that contains the modifications to apply
318 :param _id: internal _id
319 :return: None or raises EngineException
320 """
321 if not session["force"] and edit_content.get("name"):
322 self.check_unique_name(session, edit_content["name"], _id=_id)
323
324 return final_content
325
326 def format_on_edit(self, final_content, edit_content):
327 """
328 Modifies final_content inserting admin information upon edition
329 :param final_content: final content to be stored at database
330 :param edit_content: user requested update content
331 :return: operation id
332 """
333 super().format_on_edit(final_content, edit_content)
334
335 # encrypt passwords
336 schema_version = final_content.get("schema_version")
337 if schema_version:
338 if edit_content.get(self.password_to_encrypt):
339 final_content[self.password_to_encrypt] = self.db.encrypt(
340 edit_content[self.password_to_encrypt],
341 schema_version=schema_version,
342 salt=final_content["_id"],
343 )
344 config_to_encrypt_keys = self.config_to_encrypt.get(
345 schema_version
346 ) or self.config_to_encrypt.get("default")
347 if edit_content.get("config") and config_to_encrypt_keys:
348
349 for p in config_to_encrypt_keys:
350 if edit_content["config"].get(p):
351 final_content["config"][p] = self.db.encrypt(
352 edit_content["config"][p],
353 schema_version=schema_version,
354 salt=final_content["_id"],
355 )
356
357 # create edit operation
358 final_content["_admin"]["operations"].append(self._create_operation("edit"))
359 return "{}:{}".format(
360 final_content["_id"], len(final_content["_admin"]["operations"]) - 1
361 )
362
363 def format_on_new(self, content, project_id=None, make_public=False):
364 """
365 Modifies content descriptor to include _admin and insert create operation
366 :param content: descriptor to be modified
367 :param project_id: if included, it add project read/write permissions. Can be None or a list
368 :param make_public: if included it is generated as public for reading.
369 :return: op_id: operation id on asynchronous operation, None otherwise. In addition content is modified
370 """
371 super().format_on_new(content, project_id=project_id, make_public=make_public)
372 content["schema_version"] = schema_version = "1.11"
373
374 # encrypt passwords
375 if content.get(self.password_to_encrypt):
376 content[self.password_to_encrypt] = self.db.encrypt(
377 content[self.password_to_encrypt],
378 schema_version=schema_version,
379 salt=content["_id"],
380 )
381 config_to_encrypt_keys = self.config_to_encrypt.get(
382 schema_version
383 ) or self.config_to_encrypt.get("default")
384 if content.get("config") and config_to_encrypt_keys:
385 for p in config_to_encrypt_keys:
386 if content["config"].get(p):
387 content["config"][p] = self.db.encrypt(
388 content["config"][p],
389 schema_version=schema_version,
390 salt=content["_id"],
391 )
392
393 content["_admin"]["operationalState"] = "PROCESSING"
394
395 # create operation
396 content["_admin"]["operations"] = [self._create_operation("create")]
397 content["_admin"]["current_operation"] = None
398 # create Resource in Openstack based VIM
399 if content.get("vim_type"):
400 if content["vim_type"] == "openstack":
401 compute = {
402 "ram": {
403 "total": None,
404 "used": None
405 },
406 "vcpus": {
407 "total": None,
408 "used": None
409 },
410 "instances": {
411 "total": None,
412 "used": None
413 }
414 }
415 storage = {
416 "volumes": {
417 "total": None,
418 "used": None
419 },
420 "snapshots": {
421 "total": None,
422 "used": None
423 },
424 "storage": {
425 "total": None,
426 "used": None
427 }
428 }
429 network = {
430 "networks": {
431 "total": None,
432 "used": None
433 },
434 "subnets": {
435 "total": None,
436 "used": None
437 },
438 "floating_ips": {
439 "total": None,
440 "used": None
441 }
442 }
443 content["resources"] = {"compute": compute, "storage": storage, "network": network}
444
445
446 return "{}:0".format(content["_id"])
447
448 def delete(self, session, _id, dry_run=False, not_send_msg=None):
449 """
450 Delete item by its internal _id
451 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
452 :param _id: server internal id
453 :param dry_run: make checking but do not delete
454 :param not_send_msg: To not send message (False) or store content (list) instead
455 :return: operation id if it is ordered to delete. None otherwise
456 """
457
458 filter_q = self._get_project_filter(session)
459 filter_q["_id"] = _id
460 db_content = self.db.get_one(self.topic, filter_q)
461
462 self.check_conflict_on_del(session, _id, db_content)
463 if dry_run:
464 return None
465
466 # remove reference from project_read if there are more projects referencing it. If it last one,
467 # do not remove reference, but order via kafka to delete it
468 if session["project_id"] and session["project_id"]:
469 other_projects_referencing = next(
470 (
471 p
472 for p in db_content["_admin"]["projects_read"]
473 if p not in session["project_id"] and p != "ANY"
474 ),
475 None,
476 )
477
478 # check if there are projects referencing it (apart from ANY, that means, public)....
479 if other_projects_referencing:
480 # remove references but not delete
481 update_dict_pull = {
482 "_admin.projects_read": session["project_id"],
483 "_admin.projects_write": session["project_id"],
484 }
485 self.db.set_one(
486 self.topic, filter_q, update_dict=None, pull_list=update_dict_pull
487 )
488 return None
489 else:
490 can_write = next(
491 (
492 p
493 for p in db_content["_admin"]["projects_write"]
494 if p == "ANY" or p in session["project_id"]
495 ),
496 None,
497 )
498 if not can_write:
499 raise EngineException(
500 "You have not write permission to delete it",
501 http_code=HTTPStatus.UNAUTHORIZED,
502 )
503
504 # It must be deleted
505 if session["force"]:
506 self.db.del_one(self.topic, {"_id": _id})
507 op_id = None
508 self._send_msg(
509 "deleted", {"_id": _id, "op_id": op_id}, not_send_msg=not_send_msg
510 )
511 else:
512 update_dict = {"_admin.to_delete": True}
513 self.db.set_one(
514 self.topic,
515 {"_id": _id},
516 update_dict=update_dict,
517 push={"_admin.operations": self._create_operation("delete")},
518 )
519 # the number of operations is the operation_id. db_content does not contains the new operation inserted,
520 # so the -1 is not needed
521 op_id = "{}:{}".format(
522 db_content["_id"], len(db_content["_admin"]["operations"])
523 )
524 self._send_msg(
525 "delete", {"_id": _id, "op_id": op_id}, not_send_msg=not_send_msg
526 )
527 return op_id
528
529
530 class VimAccountTopic(CommonVimWimSdn):
531 topic = "vim_accounts"
532 topic_msg = "vim_account"
533 schema_new = vim_account_new_schema
534 schema_edit = vim_account_edit_schema
535 multiproject = True
536 password_to_encrypt = "vim_password"
537 config_to_encrypt = {
538 "1.1": ("admin_password", "nsx_password", "vcenter_password"),
539 "default": (
540 "admin_password",
541 "nsx_password",
542 "vcenter_password",
543 "vrops_password",
544 ),
545 }
546
547 def check_conflict_on_del(self, session, _id, db_content):
548 """
549 Check if deletion can be done because of dependencies if it is not force. To override
550 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
551 :param _id: internal _id
552 :param db_content: The database content of this item _id
553 :return: None if ok or raises EngineException with the conflict
554 """
555 if session["force"]:
556 return
557 # check if used by VNF
558 if self.db.get_list("vnfrs", {"vim-account-id": _id}):
559 raise EngineException(
560 "There is at least one VNF using this VIM account",
561 http_code=HTTPStatus.CONFLICT,
562 )
563 super().check_conflict_on_del(session, _id, db_content)
564
565
566 class WimAccountTopic(CommonVimWimSdn):
567 topic = "wim_accounts"
568 topic_msg = "wim_account"
569 schema_new = wim_account_new_schema
570 schema_edit = wim_account_edit_schema
571 multiproject = True
572 password_to_encrypt = "wim_password"
573 config_to_encrypt = {}
574
575
576 class SdnTopic(CommonVimWimSdn):
577 topic = "sdns"
578 topic_msg = "sdn"
579 quota_name = "sdn_controllers"
580 schema_new = sdn_new_schema
581 schema_edit = sdn_edit_schema
582 multiproject = True
583 password_to_encrypt = "password"
584 config_to_encrypt = {}
585
586 def _obtain_url(self, input, create):
587 if input.get("ip") or input.get("port"):
588 if not input.get("ip") or not input.get("port") or input.get("url"):
589 raise ValidationError(
590 "You must provide both 'ip' and 'port' (deprecated); or just 'url' (prefered)"
591 )
592 input["url"] = "http://{}:{}/".format(input["ip"], input["port"])
593 del input["ip"]
594 del input["port"]
595 elif create and not input.get("url"):
596 raise ValidationError("You must provide 'url'")
597 return input
598
599 def _validate_input_new(self, input, force=False):
600 input = super()._validate_input_new(input, force)
601 return self._obtain_url(input, True)
602
603 def _validate_input_edit(self, input, content, force=False):
604 input = super()._validate_input_edit(input, content, force)
605 return self._obtain_url(input, False)
606
607
608 class K8sClusterTopic(CommonVimWimSdn):
609 topic = "k8sclusters"
610 topic_msg = "k8scluster"
611 schema_new = k8scluster_new_schema
612 schema_edit = k8scluster_edit_schema
613 multiproject = True
614 password_to_encrypt = None
615 config_to_encrypt = {}
616
617 def format_on_new(self, content, project_id=None, make_public=False):
618 oid = super().format_on_new(content, project_id, make_public)
619 self.db.encrypt_decrypt_fields(
620 content["credentials"],
621 "encrypt",
622 ["password", "secret"],
623 schema_version=content["schema_version"],
624 salt=content["_id"],
625 )
626 # Add Helm/Juju Repo lists
627 repos = {"helm-chart": [], "juju-bundle": []}
628 for proj in content["_admin"]["projects_read"]:
629 if proj != "ANY":
630 for repo in self.db.get_list(
631 "k8srepos", {"_admin.projects_read": proj}
632 ):
633 if repo["_id"] not in repos[repo["type"]]:
634 repos[repo["type"]].append(repo["_id"])
635 for k in repos:
636 content["_admin"][k.replace("-", "_") + "_repos"] = repos[k]
637 return oid
638
639 def format_on_edit(self, final_content, edit_content):
640 if final_content.get("schema_version") and edit_content.get("credentials"):
641 self.db.encrypt_decrypt_fields(
642 edit_content["credentials"],
643 "encrypt",
644 ["password", "secret"],
645 schema_version=final_content["schema_version"],
646 salt=final_content["_id"],
647 )
648 deep_update_rfc7396(
649 final_content["credentials"], edit_content["credentials"]
650 )
651 oid = super().format_on_edit(final_content, edit_content)
652 return oid
653
654 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
655 final_content = super(CommonVimWimSdn, self).check_conflict_on_edit(
656 session, final_content, edit_content, _id
657 )
658 final_content = super().check_conflict_on_edit(
659 session, final_content, edit_content, _id
660 )
661 # Update Helm/Juju Repo lists
662 repos = {"helm-chart": [], "juju-bundle": []}
663 for proj in session.get("set_project", []):
664 if proj != "ANY":
665 for repo in self.db.get_list(
666 "k8srepos", {"_admin.projects_read": proj}
667 ):
668 if repo["_id"] not in repos[repo["type"]]:
669 repos[repo["type"]].append(repo["_id"])
670 for k in repos:
671 rlist = k.replace("-", "_") + "_repos"
672 if rlist not in final_content["_admin"]:
673 final_content["_admin"][rlist] = []
674 final_content["_admin"][rlist] += repos[k]
675 return final_content
676
677 def check_conflict_on_del(self, session, _id, db_content):
678 """
679 Check if deletion can be done because of dependencies if it is not force. To override
680 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
681 :param _id: internal _id
682 :param db_content: The database content of this item _id
683 :return: None if ok or raises EngineException with the conflict
684 """
685 if session["force"]:
686 return
687 # check if used by VNF
688 filter_q = {"kdur.k8s-cluster.id": _id}
689 if session["project_id"]:
690 filter_q["_admin.projects_read.cont"] = session["project_id"]
691 if self.db.get_list("vnfrs", filter_q):
692 raise EngineException(
693 "There is at least one VNF using this k8scluster",
694 http_code=HTTPStatus.CONFLICT,
695 )
696 super().check_conflict_on_del(session, _id, db_content)
697
698
699 class VcaTopic(CommonVimWimSdn):
700 topic = "vca"
701 topic_msg = "vca"
702 schema_new = vca_new_schema
703 schema_edit = vca_edit_schema
704 multiproject = True
705 password_to_encrypt = None
706
707 def format_on_new(self, content, project_id=None, make_public=False):
708 oid = super().format_on_new(content, project_id, make_public)
709 content["schema_version"] = schema_version = "1.11"
710 for key in ["secret", "cacert"]:
711 content[key] = self.db.encrypt(
712 content[key], schema_version=schema_version, salt=content["_id"]
713 )
714 return oid
715
716 def format_on_edit(self, final_content, edit_content):
717 oid = super().format_on_edit(final_content, edit_content)
718 schema_version = final_content.get("schema_version")
719 for key in ["secret", "cacert"]:
720 if key in edit_content:
721 final_content[key] = self.db.encrypt(
722 edit_content[key],
723 schema_version=schema_version,
724 salt=final_content["_id"],
725 )
726 return oid
727
728 def check_conflict_on_del(self, session, _id, db_content):
729 """
730 Check if deletion can be done because of dependencies if it is not force. To override
731 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
732 :param _id: internal _id
733 :param db_content: The database content of this item _id
734 :return: None if ok or raises EngineException with the conflict
735 """
736 if session["force"]:
737 return
738 # check if used by VNF
739 filter_q = {"vca": _id}
740 if session["project_id"]:
741 filter_q["_admin.projects_read.cont"] = session["project_id"]
742 if self.db.get_list("vim_accounts", filter_q):
743 raise EngineException(
744 "There is at least one VIM account using this vca",
745 http_code=HTTPStatus.CONFLICT,
746 )
747 super().check_conflict_on_del(session, _id, db_content)
748
749
750 class K8sRepoTopic(CommonVimWimSdn):
751 topic = "k8srepos"
752 topic_msg = "k8srepo"
753 schema_new = k8srepo_new_schema
754 schema_edit = k8srepo_edit_schema
755 multiproject = True
756 password_to_encrypt = None
757 config_to_encrypt = {}
758
759 def format_on_new(self, content, project_id=None, make_public=False):
760 oid = super().format_on_new(content, project_id, make_public)
761 # Update Helm/Juju Repo lists
762 repo_list = content["type"].replace("-", "_") + "_repos"
763 for proj in content["_admin"]["projects_read"]:
764 if proj != "ANY":
765 self.db.set_list(
766 "k8sclusters",
767 {
768 "_admin.projects_read": proj,
769 "_admin." + repo_list + ".ne": content["_id"],
770 },
771 {},
772 push={"_admin." + repo_list: content["_id"]},
773 )
774 return oid
775
776 def delete(self, session, _id, dry_run=False, not_send_msg=None):
777 type = self.db.get_one("k8srepos", {"_id": _id})["type"]
778 oid = super().delete(session, _id, dry_run, not_send_msg)
779 if oid:
780 # Remove from Helm/Juju Repo lists
781 repo_list = type.replace("-", "_") + "_repos"
782 self.db.set_list(
783 "k8sclusters",
784 {"_admin." + repo_list: _id},
785 {},
786 pull={"_admin." + repo_list: _id},
787 )
788 return oid
789
790
791 class OsmRepoTopic(BaseTopic):
792 topic = "osmrepos"
793 topic_msg = "osmrepos"
794 schema_new = osmrepo_new_schema
795 schema_edit = osmrepo_edit_schema
796 multiproject = True
797 # TODO: Implement user/password
798
799
800 class UserTopicAuth(UserTopic):
801 # topic = "users"
802 topic_msg = "users"
803 schema_new = user_new_schema
804 schema_edit = user_edit_schema
805
806 def __init__(self, db, fs, msg, auth):
807 UserTopic.__init__(self, db, fs, msg, auth)
808 # self.auth = auth
809
810 def check_conflict_on_new(self, session, indata):
811 """
812 Check that the data to be inserted is valid
813
814 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
815 :param indata: data to be inserted
816 :return: None or raises EngineException
817 """
818 username = indata.get("username")
819 if is_valid_uuid(username):
820 raise EngineException(
821 "username '{}' cannot have a uuid format".format(username),
822 HTTPStatus.UNPROCESSABLE_ENTITY,
823 )
824
825 # Check that username is not used, regardless keystone already checks this
826 if self.auth.get_user_list(filter_q={"name": username}):
827 raise EngineException(
828 "username '{}' is already used".format(username), HTTPStatus.CONFLICT
829 )
830
831 if "projects" in indata.keys():
832 # convert to new format project_role_mappings
833 role = self.auth.get_role_list({"name": "project_admin"})
834 if not role:
835 role = self.auth.get_role_list()
836 if not role:
837 raise AuthconnNotFoundException(
838 "Can't find default role for user '{}'".format(username)
839 )
840 rid = role[0]["_id"]
841 if not indata.get("project_role_mappings"):
842 indata["project_role_mappings"] = []
843 for project in indata["projects"]:
844 pid = self.auth.get_project(project)["_id"]
845 prm = {"project": pid, "role": rid}
846 if prm not in indata["project_role_mappings"]:
847 indata["project_role_mappings"].append(prm)
848 # raise EngineException("Format invalid: the keyword 'projects' is not allowed for keystone authentication",
849 # HTTPStatus.BAD_REQUEST)
850
851 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
852 """
853 Check that the data to be edited/uploaded is valid
854
855 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
856 :param final_content: data once modified
857 :param edit_content: incremental data that contains the modifications to apply
858 :param _id: internal _id
859 :return: None or raises EngineException
860 """
861
862 if "username" in edit_content:
863 username = edit_content.get("username")
864 if is_valid_uuid(username):
865 raise EngineException(
866 "username '{}' cannot have an uuid format".format(username),
867 HTTPStatus.UNPROCESSABLE_ENTITY,
868 )
869
870 # Check that username is not used, regardless keystone already checks this
871 if self.auth.get_user_list(filter_q={"name": username}):
872 raise EngineException(
873 "username '{}' is already used".format(username),
874 HTTPStatus.CONFLICT,
875 )
876
877 if final_content["username"] == "admin":
878 for mapping in edit_content.get("remove_project_role_mappings", ()):
879 if mapping["project"] == "admin" and mapping.get("role") in (
880 None,
881 "system_admin",
882 ):
883 # TODO make this also available for project id and role id
884 raise EngineException(
885 "You cannot remove system_admin role from admin user",
886 http_code=HTTPStatus.FORBIDDEN,
887 )
888
889 return final_content
890
891 def check_conflict_on_del(self, session, _id, db_content):
892 """
893 Check if deletion can be done because of dependencies if it is not force. To override
894 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
895 :param _id: internal _id
896 :param db_content: The database content of this item _id
897 :return: None if ok or raises EngineException with the conflict
898 """
899 if db_content["username"] == session["username"]:
900 raise EngineException(
901 "You cannot delete your own login user ", http_code=HTTPStatus.CONFLICT
902 )
903 # TODO: Check that user is not logged in ? How? (Would require listing current tokens)
904
905 @staticmethod
906 def format_on_show(content):
907 """
908 Modifies the content of the role information to separate the role
909 metadata from the role definition.
910 """
911 project_role_mappings = []
912
913 if "projects" in content:
914 for project in content["projects"]:
915 for role in project["roles"]:
916 project_role_mappings.append(
917 {
918 "project": project["_id"],
919 "project_name": project["name"],
920 "role": role["_id"],
921 "role_name": role["name"],
922 }
923 )
924 del content["projects"]
925 content["project_role_mappings"] = project_role_mappings
926
927 return content
928
929 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
930 """
931 Creates a new entry into the authentication backend.
932
933 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
934
935 :param rollback: list to append created items at database in case a rollback may to be done
936 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
937 :param indata: data to be inserted
938 :param kwargs: used to override the indata descriptor
939 :param headers: http request headers
940 :return: _id: identity of the inserted data, operation _id (None)
941 """
942 try:
943 content = BaseTopic._remove_envelop(indata)
944
945 # Override descriptor with query string kwargs
946 BaseTopic._update_input_with_kwargs(content, kwargs)
947 content = self._validate_input_new(content, session["force"])
948 self.check_conflict_on_new(session, content)
949 # self.format_on_new(content, session["project_id"], make_public=session["public"])
950 now = time()
951 content["_admin"] = {"created": now, "modified": now}
952 prms = []
953 for prm in content.get("project_role_mappings", []):
954 proj = self.auth.get_project(prm["project"], not session["force"])
955 role = self.auth.get_role(prm["role"], not session["force"])
956 pid = proj["_id"] if proj else None
957 rid = role["_id"] if role else None
958 prl = {"project": pid, "role": rid}
959 if prl not in prms:
960 prms.append(prl)
961 content["project_role_mappings"] = prms
962 # _id = self.auth.create_user(content["username"], content["password"])["_id"]
963 _id = self.auth.create_user(content)["_id"]
964
965 rollback.append({"topic": self.topic, "_id": _id})
966 # del content["password"]
967 self._send_msg("created", content, not_send_msg=None)
968 return _id, None
969 except ValidationError as e:
970 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
971
972 def show(self, session, _id, filter_q=None, api_req=False):
973 """
974 Get complete information on an topic
975
976 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
977 :param _id: server internal id or username
978 :param filter_q: dict: query parameter
979 :param api_req: True if this call is serving an external API request. False if serving internal request.
980 :return: dictionary, raise exception if not found.
981 """
982 # Allow _id to be a name or uuid
983 filter_q = {"username": _id}
984 # users = self.auth.get_user_list(filter_q)
985 users = self.list(session, filter_q) # To allow default filtering (Bug 853)
986 if len(users) == 1:
987 return users[0]
988 elif len(users) > 1:
989 raise EngineException(
990 "Too many users found for '{}'".format(_id), HTTPStatus.CONFLICT
991 )
992 else:
993 raise EngineException(
994 "User '{}' not found".format(_id), HTTPStatus.NOT_FOUND
995 )
996
997 def edit(self, session, _id, indata=None, kwargs=None, content=None):
998 """
999 Updates an user entry.
1000
1001 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1002 :param _id:
1003 :param indata: data to be inserted
1004 :param kwargs: used to override the indata descriptor
1005 :param content:
1006 :return: _id: identity of the inserted data.
1007 """
1008 indata = self._remove_envelop(indata)
1009
1010 # Override descriptor with query string kwargs
1011 if kwargs:
1012 BaseTopic._update_input_with_kwargs(indata, kwargs)
1013 try:
1014 if not content:
1015 content = self.show(session, _id)
1016 indata = self._validate_input_edit(indata, content, force=session["force"])
1017 content = self.check_conflict_on_edit(session, content, indata, _id=_id)
1018 # self.format_on_edit(content, indata)
1019
1020 if not (
1021 "password" in indata
1022 or "username" in indata
1023 or indata.get("remove_project_role_mappings")
1024 or indata.get("add_project_role_mappings")
1025 or indata.get("project_role_mappings")
1026 or indata.get("projects")
1027 or indata.get("add_projects")
1028 ):
1029 return _id
1030 if indata.get("project_role_mappings") and (
1031 indata.get("remove_project_role_mappings")
1032 or indata.get("add_project_role_mappings")
1033 ):
1034 raise EngineException(
1035 "Option 'project_role_mappings' is incompatible with 'add_project_role_mappings"
1036 "' or 'remove_project_role_mappings'",
1037 http_code=HTTPStatus.BAD_REQUEST,
1038 )
1039
1040 if indata.get("projects") or indata.get("add_projects"):
1041 role = self.auth.get_role_list({"name": "project_admin"})
1042 if not role:
1043 role = self.auth.get_role_list()
1044 if not role:
1045 raise AuthconnNotFoundException(
1046 "Can't find a default role for user '{}'".format(
1047 content["username"]
1048 )
1049 )
1050 rid = role[0]["_id"]
1051 if "add_project_role_mappings" not in indata:
1052 indata["add_project_role_mappings"] = []
1053 if "remove_project_role_mappings" not in indata:
1054 indata["remove_project_role_mappings"] = []
1055 if isinstance(indata.get("projects"), dict):
1056 # backward compatible
1057 for k, v in indata["projects"].items():
1058 if k.startswith("$") and v is None:
1059 indata["remove_project_role_mappings"].append(
1060 {"project": k[1:]}
1061 )
1062 elif k.startswith("$+"):
1063 indata["add_project_role_mappings"].append(
1064 {"project": v, "role": rid}
1065 )
1066 del indata["projects"]
1067 for proj in indata.get("projects", []) + indata.get("add_projects", []):
1068 indata["add_project_role_mappings"].append(
1069 {"project": proj, "role": rid}
1070 )
1071
1072 # user = self.show(session, _id) # Already in 'content'
1073 original_mapping = content["project_role_mappings"]
1074
1075 mappings_to_add = []
1076 mappings_to_remove = []
1077
1078 # remove
1079 for to_remove in indata.get("remove_project_role_mappings", ()):
1080 for mapping in original_mapping:
1081 if to_remove["project"] in (
1082 mapping["project"],
1083 mapping["project_name"],
1084 ):
1085 if not to_remove.get("role") or to_remove["role"] in (
1086 mapping["role"],
1087 mapping["role_name"],
1088 ):
1089 mappings_to_remove.append(mapping)
1090
1091 # add
1092 for to_add in indata.get("add_project_role_mappings", ()):
1093 for mapping in original_mapping:
1094 if to_add["project"] in (
1095 mapping["project"],
1096 mapping["project_name"],
1097 ) and to_add["role"] in (
1098 mapping["role"],
1099 mapping["role_name"],
1100 ):
1101
1102 if mapping in mappings_to_remove: # do not remove
1103 mappings_to_remove.remove(mapping)
1104 break # do not add, it is already at user
1105 else:
1106 pid = self.auth.get_project(to_add["project"])["_id"]
1107 rid = self.auth.get_role(to_add["role"])["_id"]
1108 mappings_to_add.append({"project": pid, "role": rid})
1109
1110 # set
1111 if indata.get("project_role_mappings"):
1112 for to_set in indata["project_role_mappings"]:
1113 for mapping in original_mapping:
1114 if to_set["project"] in (
1115 mapping["project"],
1116 mapping["project_name"],
1117 ) and to_set["role"] in (
1118 mapping["role"],
1119 mapping["role_name"],
1120 ):
1121 if mapping in mappings_to_remove: # do not remove
1122 mappings_to_remove.remove(mapping)
1123 break # do not add, it is already at user
1124 else:
1125 pid = self.auth.get_project(to_set["project"])["_id"]
1126 rid = self.auth.get_role(to_set["role"])["_id"]
1127 mappings_to_add.append({"project": pid, "role": rid})
1128 for mapping in original_mapping:
1129 for to_set in indata["project_role_mappings"]:
1130 if to_set["project"] in (
1131 mapping["project"],
1132 mapping["project_name"],
1133 ) and to_set["role"] in (
1134 mapping["role"],
1135 mapping["role_name"],
1136 ):
1137 break
1138 else:
1139 # delete
1140 if mapping not in mappings_to_remove: # do not remove
1141 mappings_to_remove.append(mapping)
1142
1143 self.auth.update_user(
1144 {
1145 "_id": _id,
1146 "username": indata.get("username"),
1147 "password": indata.get("password"),
1148 "add_project_role_mappings": mappings_to_add,
1149 "remove_project_role_mappings": mappings_to_remove,
1150 }
1151 )
1152 data_to_send = {"_id": _id, "changes": indata}
1153 self._send_msg("edited", data_to_send, not_send_msg=None)
1154
1155 # return _id
1156 except ValidationError as e:
1157 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
1158
1159 def list(self, session, filter_q=None, api_req=False):
1160 """
1161 Get a list of the topic that matches a filter
1162 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1163 :param filter_q: filter of data to be applied
1164 :param api_req: True if this call is serving an external API request. False if serving internal request.
1165 :return: The list, it can be empty if no one match the filter.
1166 """
1167 user_list = self.auth.get_user_list(filter_q)
1168 if not session["allow_show_user_project_role"]:
1169 # Bug 853 - Default filtering
1170 user_list = [
1171 usr for usr in user_list if usr["username"] == session["username"]
1172 ]
1173 return user_list
1174
1175 def delete(self, session, _id, dry_run=False, not_send_msg=None):
1176 """
1177 Delete item by its internal _id
1178
1179 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1180 :param _id: server internal id
1181 :param force: indicates if deletion must be forced in case of conflict
1182 :param dry_run: make checking but do not delete
1183 :param not_send_msg: To not send message (False) or store content (list) instead
1184 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1185 """
1186 # Allow _id to be a name or uuid
1187 user = self.auth.get_user(_id)
1188 uid = user["_id"]
1189 self.check_conflict_on_del(session, uid, user)
1190 if not dry_run:
1191 v = self.auth.delete_user(uid)
1192 self._send_msg("deleted", user, not_send_msg=not_send_msg)
1193 return v
1194 return None
1195
1196
1197 class ProjectTopicAuth(ProjectTopic):
1198 # topic = "projects"
1199 topic_msg = "project"
1200 schema_new = project_new_schema
1201 schema_edit = project_edit_schema
1202
1203 def __init__(self, db, fs, msg, auth):
1204 ProjectTopic.__init__(self, db, fs, msg, auth)
1205 # self.auth = auth
1206
1207 def check_conflict_on_new(self, session, indata):
1208 """
1209 Check that the data to be inserted is valid
1210
1211 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1212 :param indata: data to be inserted
1213 :return: None or raises EngineException
1214 """
1215 project_name = indata.get("name")
1216 if is_valid_uuid(project_name):
1217 raise EngineException(
1218 "project name '{}' cannot have an uuid format".format(project_name),
1219 HTTPStatus.UNPROCESSABLE_ENTITY,
1220 )
1221
1222 project_list = self.auth.get_project_list(filter_q={"name": project_name})
1223
1224 if project_list:
1225 raise EngineException(
1226 "project '{}' exists".format(project_name), HTTPStatus.CONFLICT
1227 )
1228
1229 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
1230 """
1231 Check that the data to be edited/uploaded is valid
1232
1233 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1234 :param final_content: data once modified
1235 :param edit_content: incremental data that contains the modifications to apply
1236 :param _id: internal _id
1237 :return: None or raises EngineException
1238 """
1239
1240 project_name = edit_content.get("name")
1241 if project_name != final_content["name"]: # It is a true renaming
1242 if is_valid_uuid(project_name):
1243 raise EngineException(
1244 "project name '{}' cannot have an uuid format".format(project_name),
1245 HTTPStatus.UNPROCESSABLE_ENTITY,
1246 )
1247
1248 if final_content["name"] == "admin":
1249 raise EngineException(
1250 "You cannot rename project 'admin'", http_code=HTTPStatus.CONFLICT
1251 )
1252
1253 # Check that project name is not used, regardless keystone already checks this
1254 if project_name and self.auth.get_project_list(
1255 filter_q={"name": project_name}
1256 ):
1257 raise EngineException(
1258 "project '{}' is already used".format(project_name),
1259 HTTPStatus.CONFLICT,
1260 )
1261 return final_content
1262
1263 def check_conflict_on_del(self, session, _id, db_content):
1264 """
1265 Check if deletion can be done because of dependencies if it is not force. To override
1266
1267 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1268 :param _id: internal _id
1269 :param db_content: The database content of this item _id
1270 :return: None if ok or raises EngineException with the conflict
1271 """
1272
1273 def check_rw_projects(topic, title, id_field):
1274 for desc in self.db.get_list(topic):
1275 if (
1276 _id
1277 in desc["_admin"]["projects_read"]
1278 + desc["_admin"]["projects_write"]
1279 ):
1280 raise EngineException(
1281 "Project '{}' ({}) is being used by {} '{}'".format(
1282 db_content["name"], _id, title, desc[id_field]
1283 ),
1284 HTTPStatus.CONFLICT,
1285 )
1286
1287 if _id in session["project_id"]:
1288 raise EngineException(
1289 "You cannot delete your own project", http_code=HTTPStatus.CONFLICT
1290 )
1291
1292 if db_content["name"] == "admin":
1293 raise EngineException(
1294 "You cannot delete project 'admin'", http_code=HTTPStatus.CONFLICT
1295 )
1296
1297 # If any user is using this project, raise CONFLICT exception
1298 if not session["force"]:
1299 for user in self.auth.get_user_list():
1300 for prm in user.get("project_role_mappings"):
1301 if prm["project"] == _id:
1302 raise EngineException(
1303 "Project '{}' ({}) is being used by user '{}'".format(
1304 db_content["name"], _id, user["username"]
1305 ),
1306 HTTPStatus.CONFLICT,
1307 )
1308
1309 # If any VNFD, NSD, NST, PDU, etc. is using this project, raise CONFLICT exception
1310 if not session["force"]:
1311 check_rw_projects("vnfds", "VNF Descriptor", "id")
1312 check_rw_projects("nsds", "NS Descriptor", "id")
1313 check_rw_projects("nsts", "NS Template", "id")
1314 check_rw_projects("pdus", "PDU Descriptor", "name")
1315
1316 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
1317 """
1318 Creates a new entry into the authentication backend.
1319
1320 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
1321
1322 :param rollback: list to append created items at database in case a rollback may to be done
1323 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1324 :param indata: data to be inserted
1325 :param kwargs: used to override the indata descriptor
1326 :param headers: http request headers
1327 :return: _id: identity of the inserted data, operation _id (None)
1328 """
1329 try:
1330 content = BaseTopic._remove_envelop(indata)
1331
1332 # Override descriptor with query string kwargs
1333 BaseTopic._update_input_with_kwargs(content, kwargs)
1334 content = self._validate_input_new(content, session["force"])
1335 self.check_conflict_on_new(session, content)
1336 self.format_on_new(
1337 content, project_id=session["project_id"], make_public=session["public"]
1338 )
1339 _id = self.auth.create_project(content)
1340 rollback.append({"topic": self.topic, "_id": _id})
1341 self._send_msg("created", content, not_send_msg=None)
1342 return _id, None
1343 except ValidationError as e:
1344 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
1345
1346 def show(self, session, _id, filter_q=None, api_req=False):
1347 """
1348 Get complete information on an topic
1349
1350 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1351 :param _id: server internal id
1352 :param filter_q: dict: query parameter
1353 :param api_req: True if this call is serving an external API request. False if serving internal request.
1354 :return: dictionary, raise exception if not found.
1355 """
1356 # Allow _id to be a name or uuid
1357 filter_q = {self.id_field(self.topic, _id): _id}
1358 # projects = self.auth.get_project_list(filter_q=filter_q)
1359 projects = self.list(session, filter_q) # To allow default filtering (Bug 853)
1360 if len(projects) == 1:
1361 return projects[0]
1362 elif len(projects) > 1:
1363 raise EngineException("Too many projects found", HTTPStatus.CONFLICT)
1364 else:
1365 raise EngineException("Project not found", HTTPStatus.NOT_FOUND)
1366
1367 def list(self, session, filter_q=None, api_req=False):
1368 """
1369 Get a list of the topic that matches a filter
1370
1371 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1372 :param filter_q: filter of data to be applied
1373 :return: The list, it can be empty if no one match the filter.
1374 """
1375 project_list = self.auth.get_project_list(filter_q)
1376 if not session["allow_show_user_project_role"]:
1377 # Bug 853 - Default filtering
1378 user = self.auth.get_user(session["username"])
1379 projects = [prm["project"] for prm in user["project_role_mappings"]]
1380 project_list = [proj for proj in project_list if proj["_id"] in projects]
1381 return project_list
1382
1383 def delete(self, session, _id, dry_run=False, not_send_msg=None):
1384 """
1385 Delete item by its internal _id
1386
1387 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1388 :param _id: server internal id
1389 :param dry_run: make checking but do not delete
1390 :param not_send_msg: To not send message (False) or store content (list) instead
1391 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1392 """
1393 # Allow _id to be a name or uuid
1394 proj = self.auth.get_project(_id)
1395 pid = proj["_id"]
1396 self.check_conflict_on_del(session, pid, proj)
1397 if not dry_run:
1398 v = self.auth.delete_project(pid)
1399 self._send_msg("deleted", proj, not_send_msg=None)
1400 return v
1401 return None
1402
1403 def edit(self, session, _id, indata=None, kwargs=None, content=None):
1404 """
1405 Updates a project entry.
1406
1407 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1408 :param _id:
1409 :param indata: data to be inserted
1410 :param kwargs: used to override the indata descriptor
1411 :param content:
1412 :return: _id: identity of the inserted data.
1413 """
1414 indata = self._remove_envelop(indata)
1415
1416 # Override descriptor with query string kwargs
1417 if kwargs:
1418 BaseTopic._update_input_with_kwargs(indata, kwargs)
1419 try:
1420 if not content:
1421 content = self.show(session, _id)
1422 indata = self._validate_input_edit(indata, content, force=session["force"])
1423 content = self.check_conflict_on_edit(session, content, indata, _id=_id)
1424 self.format_on_edit(content, indata)
1425 content_original = copy.deepcopy(content)
1426 deep_update_rfc7396(content, indata)
1427 self.auth.update_project(content["_id"], content)
1428 proj_data = {"_id": _id, "changes": indata, "original": content_original}
1429 self._send_msg("edited", proj_data, not_send_msg=None)
1430 except ValidationError as e:
1431 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
1432
1433
1434 class RoleTopicAuth(BaseTopic):
1435 topic = "roles"
1436 topic_msg = None # "roles"
1437 schema_new = roles_new_schema
1438 schema_edit = roles_edit_schema
1439 multiproject = False
1440
1441 def __init__(self, db, fs, msg, auth):
1442 BaseTopic.__init__(self, db, fs, msg, auth)
1443 # self.auth = auth
1444 self.operations = auth.role_permissions
1445 # self.topic = "roles_operations" if isinstance(auth, AuthconnKeystone) else "roles"
1446
1447 @staticmethod
1448 def validate_role_definition(operations, role_definitions):
1449 """
1450 Validates the role definition against the operations defined in
1451 the resources to operations files.
1452
1453 :param operations: operations list
1454 :param role_definitions: role definition to test
1455 :return: None if ok, raises ValidationError exception on error
1456 """
1457 if not role_definitions.get("permissions"):
1458 return
1459 ignore_fields = ["admin", "default"]
1460 for role_def in role_definitions["permissions"].keys():
1461 if role_def in ignore_fields:
1462 continue
1463 if role_def[-1] == ":":
1464 raise ValidationError("Operation cannot end with ':'")
1465
1466 match = next(
1467 (
1468 op
1469 for op in operations
1470 if op == role_def or op.startswith(role_def + ":")
1471 ),
1472 None,
1473 )
1474
1475 if not match:
1476 raise ValidationError("Invalid permission '{}'".format(role_def))
1477
1478 def _validate_input_new(self, input, force=False):
1479 """
1480 Validates input user content for a new entry.
1481
1482 :param input: user input content for the new topic
1483 :param force: may be used for being more tolerant
1484 :return: The same input content, or a changed version of it.
1485 """
1486 if self.schema_new:
1487 validate_input(input, self.schema_new)
1488 self.validate_role_definition(self.operations, input)
1489
1490 return input
1491
1492 def _validate_input_edit(self, input, content, force=False):
1493 """
1494 Validates input user content for updating an entry.
1495
1496 :param input: user input content for the new topic
1497 :param force: may be used for being more tolerant
1498 :return: The same input content, or a changed version of it.
1499 """
1500 if self.schema_edit:
1501 validate_input(input, self.schema_edit)
1502 self.validate_role_definition(self.operations, input)
1503
1504 return input
1505
1506 def check_conflict_on_new(self, session, indata):
1507 """
1508 Check that the data to be inserted is valid
1509
1510 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1511 :param indata: data to be inserted
1512 :return: None or raises EngineException
1513 """
1514 # check name is not uuid
1515 role_name = indata.get("name")
1516 if is_valid_uuid(role_name):
1517 raise EngineException(
1518 "role name '{}' cannot have an uuid format".format(role_name),
1519 HTTPStatus.UNPROCESSABLE_ENTITY,
1520 )
1521 # check name not exists
1522 name = indata["name"]
1523 # if self.db.get_one(self.topic, {"name": indata.get("name")}, fail_on_empty=False, fail_on_more=False):
1524 if self.auth.get_role_list({"name": name}):
1525 raise EngineException(
1526 "role name '{}' exists".format(name), HTTPStatus.CONFLICT
1527 )
1528
1529 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
1530 """
1531 Check that the data to be edited/uploaded is valid
1532
1533 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1534 :param final_content: data once modified
1535 :param edit_content: incremental data that contains the modifications to apply
1536 :param _id: internal _id
1537 :return: None or raises EngineException
1538 """
1539 if "default" not in final_content["permissions"]:
1540 final_content["permissions"]["default"] = False
1541 if "admin" not in final_content["permissions"]:
1542 final_content["permissions"]["admin"] = False
1543
1544 # check name is not uuid
1545 role_name = edit_content.get("name")
1546 if is_valid_uuid(role_name):
1547 raise EngineException(
1548 "role name '{}' cannot have an uuid format".format(role_name),
1549 HTTPStatus.UNPROCESSABLE_ENTITY,
1550 )
1551
1552 # Check renaming of admin roles
1553 role = self.auth.get_role(_id)
1554 if role["name"] in ["system_admin", "project_admin"]:
1555 raise EngineException(
1556 "You cannot rename role '{}'".format(role["name"]),
1557 http_code=HTTPStatus.FORBIDDEN,
1558 )
1559
1560 # check name not exists
1561 if "name" in edit_content:
1562 role_name = edit_content["name"]
1563 # if self.db.get_one(self.topic, {"name":role_name,"_id.ne":_id}, fail_on_empty=False, fail_on_more=False):
1564 roles = self.auth.get_role_list({"name": role_name})
1565 if roles and roles[0][BaseTopic.id_field("roles", _id)] != _id:
1566 raise EngineException(
1567 "role name '{}' exists".format(role_name), HTTPStatus.CONFLICT
1568 )
1569
1570 return final_content
1571
1572 def check_conflict_on_del(self, session, _id, db_content):
1573 """
1574 Check if deletion can be done because of dependencies if it is not force. To override
1575
1576 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1577 :param _id: internal _id
1578 :param db_content: The database content of this item _id
1579 :return: None if ok or raises EngineException with the conflict
1580 """
1581 role = self.auth.get_role(_id)
1582 if role["name"] in ["system_admin", "project_admin"]:
1583 raise EngineException(
1584 "You cannot delete role '{}'".format(role["name"]),
1585 http_code=HTTPStatus.FORBIDDEN,
1586 )
1587
1588 # If any user is using this role, raise CONFLICT exception
1589 if not session["force"]:
1590 for user in self.auth.get_user_list():
1591 for prm in user.get("project_role_mappings"):
1592 if prm["role"] == _id:
1593 raise EngineException(
1594 "Role '{}' ({}) is being used by user '{}'".format(
1595 role["name"], _id, user["username"]
1596 ),
1597 HTTPStatus.CONFLICT,
1598 )
1599
1600 @staticmethod
1601 def format_on_new(content, project_id=None, make_public=False): # TO BE REMOVED ?
1602 """
1603 Modifies content descriptor to include _admin
1604
1605 :param content: descriptor to be modified
1606 :param project_id: if included, it add project read/write permissions
1607 :param make_public: if included it is generated as public for reading.
1608 :return: None, but content is modified
1609 """
1610 now = time()
1611 if "_admin" not in content:
1612 content["_admin"] = {}
1613 if not content["_admin"].get("created"):
1614 content["_admin"]["created"] = now
1615 content["_admin"]["modified"] = now
1616
1617 if "permissions" not in content:
1618 content["permissions"] = {}
1619
1620 if "default" not in content["permissions"]:
1621 content["permissions"]["default"] = False
1622 if "admin" not in content["permissions"]:
1623 content["permissions"]["admin"] = False
1624
1625 @staticmethod
1626 def format_on_edit(final_content, edit_content):
1627 """
1628 Modifies final_content descriptor to include the modified date.
1629
1630 :param final_content: final descriptor generated
1631 :param edit_content: alterations to be include
1632 :return: None, but final_content is modified
1633 """
1634 if "_admin" in final_content:
1635 final_content["_admin"]["modified"] = time()
1636
1637 if "permissions" not in final_content:
1638 final_content["permissions"] = {}
1639
1640 if "default" not in final_content["permissions"]:
1641 final_content["permissions"]["default"] = False
1642 if "admin" not in final_content["permissions"]:
1643 final_content["permissions"]["admin"] = False
1644 return None
1645
1646 def show(self, session, _id, filter_q=None, api_req=False):
1647 """
1648 Get complete information on an topic
1649
1650 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1651 :param _id: server internal id
1652 :param filter_q: dict: query parameter
1653 :param api_req: True if this call is serving an external API request. False if serving internal request.
1654 :return: dictionary, raise exception if not found.
1655 """
1656 filter_q = {BaseTopic.id_field(self.topic, _id): _id}
1657 # roles = self.auth.get_role_list(filter_q)
1658 roles = self.list(session, filter_q) # To allow default filtering (Bug 853)
1659 if not roles:
1660 raise AuthconnNotFoundException(
1661 "Not found any role with filter {}".format(filter_q)
1662 )
1663 elif len(roles) > 1:
1664 raise AuthconnConflictException(
1665 "Found more than one role with filter {}".format(filter_q)
1666 )
1667 return roles[0]
1668
1669 def list(self, session, filter_q=None, api_req=False):
1670 """
1671 Get a list of the topic that matches a filter
1672
1673 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1674 :param filter_q: filter of data to be applied
1675 :return: The list, it can be empty if no one match the filter.
1676 """
1677 role_list = self.auth.get_role_list(filter_q)
1678 if not session["allow_show_user_project_role"]:
1679 # Bug 853 - Default filtering
1680 user = self.auth.get_user(session["username"])
1681 roles = [prm["role"] for prm in user["project_role_mappings"]]
1682 role_list = [role for role in role_list if role["_id"] in roles]
1683 return role_list
1684
1685 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
1686 """
1687 Creates a new entry into database.
1688
1689 :param rollback: list to append created items at database in case a rollback may to be done
1690 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1691 :param indata: data to be inserted
1692 :param kwargs: used to override the indata descriptor
1693 :param headers: http request headers
1694 :return: _id: identity of the inserted data, operation _id (None)
1695 """
1696 try:
1697 content = self._remove_envelop(indata)
1698
1699 # Override descriptor with query string kwargs
1700 self._update_input_with_kwargs(content, kwargs)
1701 content = self._validate_input_new(content, session["force"])
1702 self.check_conflict_on_new(session, content)
1703 self.format_on_new(
1704 content, project_id=session["project_id"], make_public=session["public"]
1705 )
1706 # role_name = content["name"]
1707 rid = self.auth.create_role(content)
1708 content["_id"] = rid
1709 # _id = self.db.create(self.topic, content)
1710 rollback.append({"topic": self.topic, "_id": rid})
1711 # self._send_msg("created", content, not_send_msg=not_send_msg)
1712 return rid, None
1713 except ValidationError as e:
1714 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
1715
1716 def delete(self, session, _id, dry_run=False, not_send_msg=None):
1717 """
1718 Delete item by its internal _id
1719
1720 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1721 :param _id: server internal id
1722 :param dry_run: make checking but do not delete
1723 :param not_send_msg: To not send message (False) or store content (list) instead
1724 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1725 """
1726 filter_q = {BaseTopic.id_field(self.topic, _id): _id}
1727 roles = self.auth.get_role_list(filter_q)
1728 if not roles:
1729 raise AuthconnNotFoundException(
1730 "Not found any role with filter {}".format(filter_q)
1731 )
1732 elif len(roles) > 1:
1733 raise AuthconnConflictException(
1734 "Found more than one role with filter {}".format(filter_q)
1735 )
1736 rid = roles[0]["_id"]
1737 self.check_conflict_on_del(session, rid, None)
1738 # filter_q = {"_id": _id}
1739 # filter_q = {BaseTopic.id_field(self.topic, _id): _id} # To allow role addressing by name
1740 if not dry_run:
1741 v = self.auth.delete_role(rid)
1742 # v = self.db.del_one(self.topic, filter_q)
1743 return v
1744 return None
1745
1746 def edit(self, session, _id, indata=None, kwargs=None, content=None):
1747 """
1748 Updates a role entry.
1749
1750 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1751 :param _id:
1752 :param indata: data to be inserted
1753 :param kwargs: used to override the indata descriptor
1754 :param content:
1755 :return: _id: identity of the inserted data.
1756 """
1757 if kwargs:
1758 self._update_input_with_kwargs(indata, kwargs)
1759 try:
1760 if not content:
1761 content = self.show(session, _id)
1762 indata = self._validate_input_edit(indata, content, force=session["force"])
1763 deep_update_rfc7396(content, indata)
1764 content = self.check_conflict_on_edit(session, content, indata, _id=_id)
1765 self.format_on_edit(content, indata)
1766 self.auth.update_role(content)
1767 except ValidationError as e:
1768 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)