projects / osm / NBI.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
fix bug 865 fix error deleting a non-instantiated ns
[osm/NBI.git] / osm_nbi / admin_topics.py
1 # -*- coding: utf-8 -*-
2
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
6 #
7 # http://www.apache.org/licenses/LICENSE-2.0
8 #
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
12 # implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
16 # import logging
17 from uuid import uuid4
18 from hashlib import sha256
19 from http import HTTPStatus
20 from time import time
21 from osm_nbi.validation import user_new_schema, user_edit_schema, project_new_schema, project_edit_schema, \
22 vim_account_new_schema, vim_account_edit_schema, sdn_new_schema, sdn_edit_schema, \
23 wim_account_new_schema, wim_account_edit_schema, roles_new_schema, roles_edit_schema, \
24 validate_input, ValidationError, is_valid_uuid # To check that User/Project Names don't look like UUIDs
25 from osm_nbi.base_topic import BaseTopic, EngineException
26 from osm_nbi.authconn import AuthconnNotFoundException, AuthconnConflictException
27 from osm_common.dbbase import deep_update_rfc7396
28
29 __author__ = "Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30
31
32 class UserTopic(BaseTopic):
33 topic = "users"
34 topic_msg = "users"
35 schema_new = user_new_schema
36 schema_edit = user_edit_schema
37 multiproject = False
38
39 def __init__(self, db, fs, msg, auth):
40 BaseTopic.__init__(self, db, fs, msg, auth)
41
42 @staticmethod
43 def _get_project_filter(session):
44 """
45 Generates a filter dictionary for querying database users.
46 Current policy is admin can show all, non admin, only its own user.
47 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
48 :return:
49 """
50 if session["admin"]: # allows all
51 return {}
52 else:
53 return {"username": session["username"]}
54
55 def check_conflict_on_new(self, session, indata):
56 # check username not exists
57 if self.db.get_one(self.topic, {"username": indata.get("username")}, fail_on_empty=False, fail_on_more=False):
58 raise EngineException("username '{}' exists".format(indata["username"]), HTTPStatus.CONFLICT)
59 # check projects
60 if not session["force"]:
61 for p in indata.get("projects") or []:
62 # To allow project addressing by Name as well as ID
63 if not self.db.get_one("projects", {BaseTopic.id_field("projects", p): p}, fail_on_empty=False,
64 fail_on_more=False):
65 raise EngineException("project '{}' does not exist".format(p), HTTPStatus.CONFLICT)
66
67 def check_conflict_on_del(self, session, _id, db_content):
68 """
69 Check if deletion can be done because of dependencies if it is not force. To override
70 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
71 :param _id: internal _id
72 :param db_content: The database content of this item _id
73 :return: None if ok or raises EngineException with the conflict
74 """
75 if _id == session["username"]:
76 raise EngineException("You cannot delete your own user", http_code=HTTPStatus.CONFLICT)
77
78 @staticmethod
79 def format_on_new(content, project_id=None, make_public=False):
80 BaseTopic.format_on_new(content, make_public=False)
81 # Removed so that the UUID is kept, to allow User Name modification
82 # content["_id"] = content["username"]
83 salt = uuid4().hex
84 content["_admin"]["salt"] = salt
85 if content.get("password"):
86 content["password"] = sha256(content["password"].encode('utf-8') + salt.encode('utf-8')).hexdigest()
87 if content.get("project_role_mappings"):
88 projects = [mapping["project"] for mapping in content["project_role_mappings"]]
89
90 if content.get("projects"):
91 content["projects"] += projects
92 else:
93 content["projects"] = projects
94
95 @staticmethod
96 def format_on_edit(final_content, edit_content):
97 BaseTopic.format_on_edit(final_content, edit_content)
98 if edit_content.get("password"):
99 salt = uuid4().hex
100 final_content["_admin"]["salt"] = salt
101 final_content["password"] = sha256(edit_content["password"].encode('utf-8') +
102 salt.encode('utf-8')).hexdigest()
103 return None
104
105 def edit(self, session, _id, indata=None, kwargs=None, content=None):
106 if not session["admin"]:
107 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
108 # Names that look like UUIDs are not allowed
109 name = (indata if indata else kwargs).get("username")
110 if is_valid_uuid(name):
111 raise EngineException("Usernames that look like UUIDs are not allowed",
112 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
113 return BaseTopic.edit(self, session, _id, indata=indata, kwargs=kwargs, content=content)
114
115 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
116 if not session["admin"]:
117 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
118 # Names that look like UUIDs are not allowed
119 name = indata["username"] if indata else kwargs["username"]
120 if is_valid_uuid(name):
121 raise EngineException("Usernames that look like UUIDs are not allowed",
122 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
123 return BaseTopic.new(self, rollback, session, indata=indata, kwargs=kwargs, headers=headers)
124
125
126 class ProjectTopic(BaseTopic):
127 topic = "projects"
128 topic_msg = "projects"
129 schema_new = project_new_schema
130 schema_edit = project_edit_schema
131 multiproject = False
132
133 def __init__(self, db, fs, msg, auth):
134 BaseTopic.__init__(self, db, fs, msg, auth)
135
136 @staticmethod
137 def _get_project_filter(session):
138 """
139 Generates a filter dictionary for querying database users.
140 Current policy is admin can show all, non admin, only its own user.
141 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
142 :return:
143 """
144 if session["admin"]: # allows all
145 return {}
146 else:
147 return {"_id.cont": session["project_id"]}
148
149 def check_conflict_on_new(self, session, indata):
150 if not indata.get("name"):
151 raise EngineException("missing 'name'")
152 # check name not exists
153 if self.db.get_one(self.topic, {"name": indata.get("name")}, fail_on_empty=False, fail_on_more=False):
154 raise EngineException("name '{}' exists".format(indata["name"]), HTTPStatus.CONFLICT)
155
156 @staticmethod
157 def format_on_new(content, project_id=None, make_public=False):
158 BaseTopic.format_on_new(content, None)
159 # Removed so that the UUID is kept, to allow Project Name modification
160 # content["_id"] = content["name"]
161
162 def check_conflict_on_del(self, session, _id, db_content):
163 """
164 Check if deletion can be done because of dependencies if it is not force. To override
165 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
166 :param _id: internal _id
167 :param db_content: The database content of this item _id
168 :return: None if ok or raises EngineException with the conflict
169 """
170 if _id in session["project_id"]:
171 raise EngineException("You cannot delete your own project", http_code=HTTPStatus.CONFLICT)
172 if session["force"]:
173 return
174 _filter = {"projects": _id}
175 if self.db.get_list("users", _filter):
176 raise EngineException("There is some USER that contains this project", http_code=HTTPStatus.CONFLICT)
177
178 def edit(self, session, _id, indata=None, kwargs=None, content=None):
179 if not session["admin"]:
180 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
181 # Names that look like UUIDs are not allowed
182 name = (indata if indata else kwargs).get("name")
183 if is_valid_uuid(name):
184 raise EngineException("Project names that look like UUIDs are not allowed",
185 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
186 return BaseTopic.edit(self, session, _id, indata=indata, kwargs=kwargs, content=content)
187
188 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
189 if not session["admin"]:
190 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
191 # Names that look like UUIDs are not allowed
192 name = indata["name"] if indata else kwargs["name"]
193 if is_valid_uuid(name):
194 raise EngineException("Project names that look like UUIDs are not allowed",
195 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
196 return BaseTopic.new(self, rollback, session, indata=indata, kwargs=kwargs, headers=headers)
197
198
199 class CommonVimWimSdn(BaseTopic):
200 """Common class for VIM, WIM SDN just to unify methods that are equal to all of them"""
201 config_to_encrypt = {} # what keys at config must be encrypted because contains passwords
202 password_to_encrypt = "" # key that contains a password
203
204 @staticmethod
205 def _create_operation(op_type, params=None):
206 """
207 Creates a dictionary with the information to an operation, similar to ns-lcm-op
208 :param op_type: can be create, edit, delete
209 :param params: operation input parameters
210 :return: new dictionary with
211 """
212 now = time()
213 return {
214 "lcmOperationType": op_type,
215 "operationState": "PROCESSING",
216 "startTime": now,
217 "statusEnteredTime": now,
218 "detailed-status": "",
219 "operationParams": params,
220 }
221
222 def check_conflict_on_new(self, session, indata):
223 """
224 Check that the data to be inserted is valid. It is checked that name is unique
225 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
226 :param indata: data to be inserted
227 :return: None or raises EngineException
228 """
229 self.check_unique_name(session, indata["name"], _id=None)
230
231 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
232 """
233 Check that the data to be edited/uploaded is valid. It is checked that name is unique
234 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
235 :param final_content: data once modified. This method may change it.
236 :param edit_content: incremental data that contains the modifications to apply
237 :param _id: internal _id
238 :return: None or raises EngineException
239 """
240 if not session["force"] and edit_content.get("name"):
241 self.check_unique_name(session, edit_content["name"], _id=_id)
242
243 def format_on_edit(self, final_content, edit_content):
244 """
245 Modifies final_content inserting admin information upon edition
246 :param final_content: final content to be stored at database
247 :param edit_content: user requested update content
248 :return: operation id
249 """
250
251 # encrypt passwords
252 schema_version = final_content.get("schema_version")
253 if schema_version:
254 if edit_content.get(self.password_to_encrypt):
255 final_content[self.password_to_encrypt] = self.db.encrypt(edit_content[self.password_to_encrypt],
256 schema_version=schema_version,
257 salt=final_content["_id"])
258 config_to_encrypt_keys = self.config_to_encrypt.get(schema_version) or self.config_to_encrypt.get("default")
259 if edit_content.get("config") and config_to_encrypt_keys:
260
261 for p in config_to_encrypt_keys:
262 if edit_content["config"].get(p):
263 final_content["config"][p] = self.db.encrypt(edit_content["config"][p],
264 schema_version=schema_version,
265 salt=final_content["_id"])
266
267 # create edit operation
268 final_content["_admin"]["operations"].append(self._create_operation("edit"))
269 return "{}:{}".format(final_content["_id"], len(final_content["_admin"]["operations"]) - 1)
270
271 def format_on_new(self, content, project_id=None, make_public=False):
272 """
273 Modifies content descriptor to include _admin and insert create operation
274 :param content: descriptor to be modified
275 :param project_id: if included, it add project read/write permissions. Can be None or a list
276 :param make_public: if included it is generated as public for reading.
277 :return: op_id: operation id on asynchronous operation, None otherwise. In addition content is modified
278 """
279 super().format_on_new(content, project_id=project_id, make_public=make_public)
280 content["schema_version"] = schema_version = "1.11"
281
282 # encrypt passwords
283 if content.get(self.password_to_encrypt):
284 content[self.password_to_encrypt] = self.db.encrypt(content[self.password_to_encrypt],
285 schema_version=schema_version,
286 salt=content["_id"])
287 config_to_encrypt_keys = self.config_to_encrypt.get(schema_version) or self.config_to_encrypt.get("default")
288 if content.get("config") and config_to_encrypt_keys:
289 for p in config_to_encrypt_keys:
290 if content["config"].get(p):
291 content["config"][p] = self.db.encrypt(content["config"][p],
292 schema_version=schema_version,
293 salt=content["_id"])
294
295 content["_admin"]["operationalState"] = "PROCESSING"
296
297 # create operation
298 content["_admin"]["operations"] = [self._create_operation("create")]
299 content["_admin"]["current_operation"] = None
300
301 return "{}:0".format(content["_id"])
302
303 def delete(self, session, _id, dry_run=False):
304 """
305 Delete item by its internal _id
306 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
307 :param _id: server internal id
308 :param dry_run: make checking but do not delete
309 :return: operation id if it is ordered to delete. None otherwise
310 """
311
312 filter_q = self._get_project_filter(session)
313 filter_q["_id"] = _id
314 db_content = self.db.get_one(self.topic, filter_q)
315
316 self.check_conflict_on_del(session, _id, db_content)
317 if dry_run:
318 return None
319
320 # remove reference from project_read. If not last delete
321 if session["project_id"]:
322 for project_id in session["project_id"]:
323 if project_id in db_content["_admin"]["projects_read"]:
324 db_content["_admin"]["projects_read"].remove(project_id)
325 if project_id in db_content["_admin"]["projects_write"]:
326 db_content["_admin"]["projects_write"].remove(project_id)
327 else:
328 db_content["_admin"]["projects_read"].clear()
329 db_content["_admin"]["projects_write"].clear()
330
331 update_dict = {"_admin.projects_read": db_content["_admin"]["projects_read"],
332 "_admin.projects_write": db_content["_admin"]["projects_write"]
333 }
334
335 # check if there are projects referencing it (apart from ANY that means public)....
336 if db_content["_admin"]["projects_read"] and (len(db_content["_admin"]["projects_read"]) > 1 or
337 db_content["_admin"]["projects_read"][0] != "ANY"):
338 self.db.set_one(self.topic, filter_q, update_dict=update_dict) # remove references but not delete
339 return None
340
341 # It must be deleted
342 if session["force"]:
343 self.db.del_one(self.topic, {"_id": _id})
344 op_id = None
345 self._send_msg("deleted", {"_id": _id, "op_id": op_id})
346 else:
347 update_dict["_admin.to_delete"] = True
348 self.db.set_one(self.topic, {"_id": _id},
349 update_dict=update_dict,
350 push={"_admin.operations": self._create_operation("delete")}
351 )
352 # the number of operations is the operation_id. db_content does not contains the new operation inserted,
353 # so the -1 is not needed
354 op_id = "{}:{}".format(db_content["_id"], len(db_content["_admin"]["operations"]))
355 self._send_msg("delete", {"_id": _id, "op_id": op_id})
356 return op_id
357
358
359 class VimAccountTopic(CommonVimWimSdn):
360 topic = "vim_accounts"
361 topic_msg = "vim_account"
362 schema_new = vim_account_new_schema
363 schema_edit = vim_account_edit_schema
364 multiproject = True
365 password_to_encrypt = "vim_password"
366 config_to_encrypt = {"1.1": ("admin_password", "nsx_password", "vcenter_password"),
367 "default": ("admin_password", "nsx_password", "vcenter_password", "vrops_password")}
368
369
370 class WimAccountTopic(CommonVimWimSdn):
371 topic = "wim_accounts"
372 topic_msg = "wim_account"
373 schema_new = wim_account_new_schema
374 schema_edit = wim_account_edit_schema
375 multiproject = True
376 password_to_encrypt = "wim_password"
377 config_to_encrypt = {}
378
379
380 class SdnTopic(CommonVimWimSdn):
381 topic = "sdns"
382 topic_msg = "sdn"
383 schema_new = sdn_new_schema
384 schema_edit = sdn_edit_schema
385 multiproject = True
386 password_to_encrypt = "password"
387 config_to_encrypt = {}
388
389
390 class UserTopicAuth(UserTopic):
391 # topic = "users"
392 # topic_msg = "users"
393 schema_new = user_new_schema
394 schema_edit = user_edit_schema
395
396 def __init__(self, db, fs, msg, auth):
397 UserTopic.__init__(self, db, fs, msg, auth)
398 # self.auth = auth
399
400 def check_conflict_on_new(self, session, indata):
401 """
402 Check that the data to be inserted is valid
403
404 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
405 :param indata: data to be inserted
406 :return: None or raises EngineException
407 """
408 username = indata.get("username")
409 if is_valid_uuid(username):
410 raise EngineException("username '{}' cannot have a uuid format".format(username),
411 HTTPStatus.UNPROCESSABLE_ENTITY)
412
413 # Check that username is not used, regardless keystone already checks this
414 if self.auth.get_user_list(filter_q={"name": username}):
415 raise EngineException("username '{}' is already used".format(username), HTTPStatus.CONFLICT)
416
417 if "projects" in indata.keys():
418 # convert to new format project_role_mappings
419 role = self.auth.get_role_list({"name": "project_admin"})
420 if not role:
421 role = self.auth.get_role_list()
422 if not role:
423 raise AuthconnNotFoundException("Can't find default role for user '{}'".format(username))
424 rid = role[0]["_id"]
425 if not indata.get("project_role_mappings"):
426 indata["project_role_mappings"] = []
427 for project in indata["projects"]:
428 pid = self.auth.get_project(project)["_id"]
429 prm = {"project": pid, "role": rid}
430 if prm not in indata["project_role_mappings"]:
431 indata["project_role_mappings"].append(prm)
432 # raise EngineException("Format invalid: the keyword 'projects' is not allowed for keystone authentication",
433 # HTTPStatus.BAD_REQUEST)
434
435 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
436 """
437 Check that the data to be edited/uploaded is valid
438
439 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
440 :param final_content: data once modified
441 :param edit_content: incremental data that contains the modifications to apply
442 :param _id: internal _id
443 :return: None or raises EngineException
444 """
445
446 if "username" in edit_content:
447 username = edit_content.get("username")
448 if is_valid_uuid(username):
449 raise EngineException("username '{}' cannot have an uuid format".format(username),
450 HTTPStatus.UNPROCESSABLE_ENTITY)
451
452 # Check that username is not used, regardless keystone already checks this
453 if self.auth.get_user_list(filter_q={"name": username}):
454 raise EngineException("username '{}' is already used".format(username), HTTPStatus.CONFLICT)
455
456 if final_content["username"] == "admin":
457 for mapping in edit_content.get("remove_project_role_mappings", ()):
458 if mapping["project"] == "admin" and mapping.get("role") in (None, "system_admin"):
459 # TODO make this also available for project id and role id
460 raise EngineException("You cannot remove system_admin role from admin user",
461 http_code=HTTPStatus.FORBIDDEN)
462
463 def check_conflict_on_del(self, session, _id, db_content):
464 """
465 Check if deletion can be done because of dependencies if it is not force. To override
466 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
467 :param _id: internal _id
468 :param db_content: The database content of this item _id
469 :return: None if ok or raises EngineException with the conflict
470 """
471 if db_content["username"] == session["username"]:
472 raise EngineException("You cannot delete your own login user ", http_code=HTTPStatus.CONFLICT)
473 # TODO: Check that user is not logged in ? How? (Would require listing current tokens)
474
475 @staticmethod
476 def format_on_show(content):
477 """
478 Modifies the content of the role information to separate the role
479 metadata from the role definition.
480 """
481 project_role_mappings = []
482
483 if "projects" in content:
484 for project in content["projects"]:
485 for role in project["roles"]:
486 project_role_mappings.append({"project": project["_id"],
487 "project_name": project["name"],
488 "role": role["_id"],
489 "role_name": role["name"]})
490 del content["projects"]
491 content["project_role_mappings"] = project_role_mappings
492
493 return content
494
495 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
496 """
497 Creates a new entry into the authentication backend.
498
499 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
500
501 :param rollback: list to append created items at database in case a rollback may to be done
502 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
503 :param indata: data to be inserted
504 :param kwargs: used to override the indata descriptor
505 :param headers: http request headers
506 :return: _id: identity of the inserted data, operation _id (None)
507 """
508 try:
509 content = BaseTopic._remove_envelop(indata)
510
511 # Override descriptor with query string kwargs
512 BaseTopic._update_input_with_kwargs(content, kwargs)
513 content = self._validate_input_new(content, session["force"])
514 self.check_conflict_on_new(session, content)
515 # self.format_on_new(content, session["project_id"], make_public=session["public"])
516 now = time()
517 content["_admin"] = {"created": now, "modified": now}
518 prms = []
519 for prm in content.get("project_role_mappings", []):
520 proj = self.auth.get_project(prm["project"], not session["force"])
521 role = self.auth.get_role(prm["role"], not session["force"])
522 pid = proj["_id"] if proj else None
523 rid = role["_id"] if role else None
524 prl = {"project": pid, "role": rid}
525 if prl not in prms:
526 prms.append(prl)
527 content["project_role_mappings"] = prms
528 # _id = self.auth.create_user(content["username"], content["password"])["_id"]
529 _id = self.auth.create_user(content)["_id"]
530
531 rollback.append({"topic": self.topic, "_id": _id})
532 # del content["password"]
533 # self._send_msg("created", content)
534 return _id, None
535 except ValidationError as e:
536 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
537
538 def show(self, session, _id):
539 """
540 Get complete information on an topic
541
542 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
543 :param _id: server internal id
544 :return: dictionary, raise exception if not found.
545 """
546 # Allow _id to be a name or uuid
547 filter_q = {self.id_field(self.topic, _id): _id}
548 # users = self.auth.get_user_list(filter_q)
549 users = self.list(session, filter_q) # To allow default filtering (Bug 853)
550 if len(users) == 1:
551 return users[0]
552 elif len(users) > 1:
553 raise EngineException("Too many users found", HTTPStatus.CONFLICT)
554 else:
555 raise EngineException("User not found", HTTPStatus.NOT_FOUND)
556
557 def edit(self, session, _id, indata=None, kwargs=None, content=None):
558 """
559 Updates an user entry.
560
561 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
562 :param _id:
563 :param indata: data to be inserted
564 :param kwargs: used to override the indata descriptor
565 :param content:
566 :return: _id: identity of the inserted data.
567 """
568 indata = self._remove_envelop(indata)
569
570 # Override descriptor with query string kwargs
571 if kwargs:
572 BaseTopic._update_input_with_kwargs(indata, kwargs)
573 try:
574 indata = self._validate_input_edit(indata, force=session["force"])
575
576 if not content:
577 content = self.show(session, _id)
578 self.check_conflict_on_edit(session, content, indata, _id=_id)
579 # self.format_on_edit(content, indata)
580
581 if not ("password" in indata or "username" in indata or indata.get("remove_project_role_mappings") or
582 indata.get("add_project_role_mappings") or indata.get("project_role_mappings") or
583 indata.get("projects") or indata.get("add_projects")):
584 return _id
585 if indata.get("project_role_mappings") \
586 and (indata.get("remove_project_role_mappings") or indata.get("add_project_role_mappings")):
587 raise EngineException("Option 'project_role_mappings' is incompatible with 'add_project_role_mappings"
588 "' or 'remove_project_role_mappings'", http_code=HTTPStatus.BAD_REQUEST)
589
590 if indata.get("projects") or indata.get("add_projects"):
591 role = self.auth.get_role_list({"name": "project_admin"})
592 if not role:
593 role = self.auth.get_role_list()
594 if not role:
595 raise AuthconnNotFoundException("Can't find a default role for user '{}'"
596 .format(content["username"]))
597 rid = role[0]["_id"]
598 if "add_project_role_mappings" not in indata:
599 indata["add_project_role_mappings"] = []
600 if "remove_project_role_mappings" not in indata:
601 indata["remove_project_role_mappings"] = []
602 if isinstance(indata.get("projects"), dict):
603 # backward compatible
604 for k, v in indata["projects"].items():
605 if k.startswith("$") and v is None:
606 indata["remove_project_role_mappings"].append({"project": k[1:]})
607 elif k.startswith("$+"):
608 indata["add_project_role_mappings"].append({"project": v, "role": rid})
609 del indata["projects"]
610 for proj in indata.get("projects", []) + indata.get("add_projects", []):
611 indata["add_project_role_mappings"].append({"project": proj, "role": rid})
612
613 # user = self.show(session, _id) # Already in 'content'
614 original_mapping = content["project_role_mappings"]
615
616 mappings_to_add = []
617 mappings_to_remove = []
618
619 # remove
620 for to_remove in indata.get("remove_project_role_mappings", ()):
621 for mapping in original_mapping:
622 if to_remove["project"] in (mapping["project"], mapping["project_name"]):
623 if not to_remove.get("role") or to_remove["role"] in (mapping["role"], mapping["role_name"]):
624 mappings_to_remove.append(mapping)
625
626 # add
627 for to_add in indata.get("add_project_role_mappings", ()):
628 for mapping in original_mapping:
629 if to_add["project"] in (mapping["project"], mapping["project_name"]) and \
630 to_add["role"] in (mapping["role"], mapping["role_name"]):
631
632 if mapping in mappings_to_remove: # do not remove
633 mappings_to_remove.remove(mapping)
634 break # do not add, it is already at user
635 else:
636 pid = self.auth.get_project(to_add["project"])["_id"]
637 rid = self.auth.get_role(to_add["role"])["_id"]
638 mappings_to_add.append({"project": pid, "role": rid})
639
640 # set
641 if indata.get("project_role_mappings"):
642 for to_set in indata["project_role_mappings"]:
643 for mapping in original_mapping:
644 if to_set["project"] in (mapping["project"], mapping["project_name"]) and \
645 to_set["role"] in (mapping["role"], mapping["role_name"]):
646 if mapping in mappings_to_remove: # do not remove
647 mappings_to_remove.remove(mapping)
648 break # do not add, it is already at user
649 else:
650 pid = self.auth.get_project(to_set["project"])["_id"]
651 rid = self.auth.get_role(to_set["role"])["_id"]
652 mappings_to_add.append({"project": pid, "role": rid})
653 for mapping in original_mapping:
654 for to_set in indata["project_role_mappings"]:
655 if to_set["project"] in (mapping["project"], mapping["project_name"]) and \
656 to_set["role"] in (mapping["role"], mapping["role_name"]):
657 break
658 else:
659 # delete
660 if mapping not in mappings_to_remove: # do not remove
661 mappings_to_remove.append(mapping)
662
663 self.auth.update_user({"_id": _id, "username": indata.get("username"), "password": indata.get("password"),
664 "add_project_role_mappings": mappings_to_add,
665 "remove_project_role_mappings": mappings_to_remove
666 })
667
668 # return _id
669 except ValidationError as e:
670 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
671
672 def list(self, session, filter_q=None):
673 """
674 Get a list of the topic that matches a filter
675 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
676 :param filter_q: filter of data to be applied
677 :return: The list, it can be empty if no one match the filter.
678 """
679 user_list = self.auth.get_user_list(filter_q)
680 if not session["allow_show_user_project_role"]:
681 # Bug 853 - Default filtering
682 user_list = [usr for usr in user_list if usr["username"] == session["username"]]
683 return user_list
684
685 def delete(self, session, _id, dry_run=False):
686 """
687 Delete item by its internal _id
688
689 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
690 :param _id: server internal id
691 :param force: indicates if deletion must be forced in case of conflict
692 :param dry_run: make checking but do not delete
693 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
694 """
695 # Allow _id to be a name or uuid
696 user = self.auth.get_user(_id)
697 uid = user["_id"]
698 self.check_conflict_on_del(session, uid, user)
699 if not dry_run:
700 v = self.auth.delete_user(uid)
701 return v
702 return None
703
704
705 class ProjectTopicAuth(ProjectTopic):
706 # topic = "projects"
707 # topic_msg = "projects"
708 schema_new = project_new_schema
709 schema_edit = project_edit_schema
710
711 def __init__(self, db, fs, msg, auth):
712 ProjectTopic.__init__(self, db, fs, msg, auth)
713 # self.auth = auth
714
715 def check_conflict_on_new(self, session, indata):
716 """
717 Check that the data to be inserted is valid
718
719 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
720 :param indata: data to be inserted
721 :return: None or raises EngineException
722 """
723 project_name = indata.get("name")
724 if is_valid_uuid(project_name):
725 raise EngineException("project name '{}' cannot have an uuid format".format(project_name),
726 HTTPStatus.UNPROCESSABLE_ENTITY)
727
728 project_list = self.auth.get_project_list(filter_q={"name": project_name})
729
730 if project_list:
731 raise EngineException("project '{}' exists".format(project_name), HTTPStatus.CONFLICT)
732
733 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
734 """
735 Check that the data to be edited/uploaded is valid
736
737 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
738 :param final_content: data once modified
739 :param edit_content: incremental data that contains the modifications to apply
740 :param _id: internal _id
741 :return: None or raises EngineException
742 """
743
744 project_name = edit_content.get("name")
745 if project_name != final_content["name"]: # It is a true renaming
746 if is_valid_uuid(project_name):
747 raise EngineException("project name '{}' cannot have an uuid format".format(project_name),
748 HTTPStatus.UNPROCESSABLE_ENTITY)
749
750 if final_content["name"] == "admin":
751 raise EngineException("You cannot rename project 'admin'", http_code=HTTPStatus.CONFLICT)
752
753 # Check that project name is not used, regardless keystone already checks this
754 if project_name and self.auth.get_project_list(filter_q={"name": project_name}):
755 raise EngineException("project '{}' is already used".format(project_name), HTTPStatus.CONFLICT)
756
757 def check_conflict_on_del(self, session, _id, db_content):
758 """
759 Check if deletion can be done because of dependencies if it is not force. To override
760
761 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
762 :param _id: internal _id
763 :param db_content: The database content of this item _id
764 :return: None if ok or raises EngineException with the conflict
765 """
766
767 def check_rw_projects(topic, title, id_field):
768 for desc in self.db.get_list(topic):
769 if _id in desc["_admin"]["projects_read"] + desc["_admin"]["projects_write"]:
770 raise EngineException("Project '{}' ({}) is being used by {} '{}'"
771 .format(db_content["name"], _id, title, desc[id_field]), HTTPStatus.CONFLICT)
772
773 if _id in session["project_id"]:
774 raise EngineException("You cannot delete your own project", http_code=HTTPStatus.CONFLICT)
775
776 if db_content["name"] == "admin":
777 raise EngineException("You cannot delete project 'admin'", http_code=HTTPStatus.CONFLICT)
778
779 # If any user is using this project, raise CONFLICT exception
780 if not session["force"]:
781 for user in self.auth.get_user_list():
782 for prm in user.get("project_role_mappings"):
783 if prm["project"] == _id:
784 raise EngineException("Project '{}' ({}) is being used by user '{}'"
785 .format(db_content["name"], _id, user["username"]), HTTPStatus.CONFLICT)
786
787 # If any VNFD, NSD, NST, PDU, etc. is using this project, raise CONFLICT exception
788 if not session["force"]:
789 check_rw_projects("vnfds", "VNF Descriptor", "id")
790 check_rw_projects("nsds", "NS Descriptor", "id")
791 check_rw_projects("nsts", "NS Template", "id")
792 check_rw_projects("pdus", "PDU Descriptor", "name")
793
794 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
795 """
796 Creates a new entry into the authentication backend.
797
798 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
799
800 :param rollback: list to append created items at database in case a rollback may to be done
801 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
802 :param indata: data to be inserted
803 :param kwargs: used to override the indata descriptor
804 :param headers: http request headers
805 :return: _id: identity of the inserted data, operation _id (None)
806 """
807 try:
808 content = BaseTopic._remove_envelop(indata)
809
810 # Override descriptor with query string kwargs
811 BaseTopic._update_input_with_kwargs(content, kwargs)
812 content = self._validate_input_new(content, session["force"])
813 self.check_conflict_on_new(session, content)
814 self.format_on_new(content, project_id=session["project_id"], make_public=session["public"])
815 _id = self.auth.create_project(content)
816 rollback.append({"topic": self.topic, "_id": _id})
817 # self._send_msg("created", content)
818 return _id, None
819 except ValidationError as e:
820 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
821
822 def show(self, session, _id):
823 """
824 Get complete information on an topic
825
826 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
827 :param _id: server internal id
828 :return: dictionary, raise exception if not found.
829 """
830 # Allow _id to be a name or uuid
831 filter_q = {self.id_field(self.topic, _id): _id}
832 # projects = self.auth.get_project_list(filter_q=filter_q)
833 projects = self.list(session, filter_q) # To allow default filtering (Bug 853)
834 if len(projects) == 1:
835 return projects[0]
836 elif len(projects) > 1:
837 raise EngineException("Too many projects found", HTTPStatus.CONFLICT)
838 else:
839 raise EngineException("Project not found", HTTPStatus.NOT_FOUND)
840
841 def list(self, session, filter_q=None):
842 """
843 Get a list of the topic that matches a filter
844
845 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
846 :param filter_q: filter of data to be applied
847 :return: The list, it can be empty if no one match the filter.
848 """
849 project_list = self.auth.get_project_list(filter_q)
850 if not session["allow_show_user_project_role"]:
851 # Bug 853 - Default filtering
852 user = self.auth.get_user(session["username"])
853 projects = [prm["project"] for prm in user["project_role_mappings"]]
854 project_list = [proj for proj in project_list if proj["_id"] in projects]
855 return project_list
856
857 def delete(self, session, _id, dry_run=False):
858 """
859 Delete item by its internal _id
860
861 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
862 :param _id: server internal id
863 :param dry_run: make checking but do not delete
864 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
865 """
866 # Allow _id to be a name or uuid
867 proj = self.auth.get_project(_id)
868 pid = proj["_id"]
869 self.check_conflict_on_del(session, pid, proj)
870 if not dry_run:
871 v = self.auth.delete_project(pid)
872 return v
873 return None
874
875 def edit(self, session, _id, indata=None, kwargs=None, content=None):
876 """
877 Updates a project entry.
878
879 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
880 :param _id:
881 :param indata: data to be inserted
882 :param kwargs: used to override the indata descriptor
883 :param content:
884 :return: _id: identity of the inserted data.
885 """
886 indata = self._remove_envelop(indata)
887
888 # Override descriptor with query string kwargs
889 if kwargs:
890 BaseTopic._update_input_with_kwargs(indata, kwargs)
891 try:
892 indata = self._validate_input_edit(indata, force=session["force"])
893
894 if not content:
895 content = self.show(session, _id)
896 self.check_conflict_on_edit(session, content, indata, _id=_id)
897 self.format_on_edit(content, indata)
898
899 deep_update_rfc7396(content, indata)
900 self.auth.update_project(content["_id"], content)
901 except ValidationError as e:
902 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
903
904
905 class RoleTopicAuth(BaseTopic):
906 topic = "roles"
907 topic_msg = None # "roles"
908 schema_new = roles_new_schema
909 schema_edit = roles_edit_schema
910 multiproject = False
911
912 def __init__(self, db, fs, msg, auth, ops):
913 BaseTopic.__init__(self, db, fs, msg, auth)
914 # self.auth = auth
915 self.operations = ops
916 # self.topic = "roles_operations" if isinstance(auth, AuthconnKeystone) else "roles"
917
918 @staticmethod
919 def validate_role_definition(operations, role_definitions):
920 """
921 Validates the role definition against the operations defined in
922 the resources to operations files.
923
924 :param operations: operations list
925 :param role_definitions: role definition to test
926 :return: None if ok, raises ValidationError exception on error
927 """
928 if not role_definitions.get("permissions"):
929 return
930 ignore_fields = ["admin", "default"]
931 for role_def in role_definitions["permissions"].keys():
932 if role_def in ignore_fields:
933 continue
934 if role_def[-1] == ":":
935 raise ValidationError("Operation cannot end with ':'")
936
937 role_def_matches = [op for op in operations if op.startswith(role_def)]
938
939 if len(role_def_matches) == 0:
940 raise ValidationError("Invalid permission '{}'".format(role_def))
941
942 def _validate_input_new(self, input, force=False):
943 """
944 Validates input user content for a new entry.
945
946 :param input: user input content for the new topic
947 :param force: may be used for being more tolerant
948 :return: The same input content, or a changed version of it.
949 """
950 if self.schema_new:
951 validate_input(input, self.schema_new)
952 self.validate_role_definition(self.operations, input)
953
954 return input
955
956 def _validate_input_edit(self, input, force=False):
957 """
958 Validates input user content for updating an entry.
959
960 :param input: user input content for the new topic
961 :param force: may be used for being more tolerant
962 :return: The same input content, or a changed version of it.
963 """
964 if self.schema_edit:
965 validate_input(input, self.schema_edit)
966 self.validate_role_definition(self.operations, input)
967
968 return input
969
970 def check_conflict_on_new(self, session, indata):
971 """
972 Check that the data to be inserted is valid
973
974 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
975 :param indata: data to be inserted
976 :return: None or raises EngineException
977 """
978 # check name not exists
979 name = indata["name"]
980 # if self.db.get_one(self.topic, {"name": indata.get("name")}, fail_on_empty=False, fail_on_more=False):
981 if self.auth.get_role_list({"name": name}):
982 raise EngineException("role name '{}' exists".format(name), HTTPStatus.CONFLICT)
983
984 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
985 """
986 Check that the data to be edited/uploaded is valid
987
988 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
989 :param final_content: data once modified
990 :param edit_content: incremental data that contains the modifications to apply
991 :param _id: internal _id
992 :return: None or raises EngineException
993 """
994 if "default" not in final_content["permissions"]:
995 final_content["permissions"]["default"] = False
996 if "admin" not in final_content["permissions"]:
997 final_content["permissions"]["admin"] = False
998
999 # check name not exists
1000 if "name" in edit_content:
1001 role_name = edit_content["name"]
1002 # if self.db.get_one(self.topic, {"name":role_name,"_id.ne":_id}, fail_on_empty=False, fail_on_more=False):
1003 roles = self.auth.get_role_list({"name": role_name})
1004 if roles and roles[0][BaseTopic.id_field("roles", _id)] != _id:
1005 raise EngineException("role name '{}' exists".format(role_name), HTTPStatus.CONFLICT)
1006
1007 def check_conflict_on_del(self, session, _id, db_content):
1008 """
1009 Check if deletion can be done because of dependencies if it is not force. To override
1010
1011 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1012 :param _id: internal _id
1013 :param db_content: The database content of this item _id
1014 :return: None if ok or raises EngineException with the conflict
1015 """
1016 role = self.auth.get_role(_id)
1017 if role["name"] in ["system_admin", "project_admin"]:
1018 raise EngineException("You cannot delete role '{}'".format(role["name"]), http_code=HTTPStatus.FORBIDDEN)
1019
1020 # If any user is using this role, raise CONFLICT exception
1021 for user in self.auth.get_user_list():
1022 for prm in user.get("project_role_mappings"):
1023 if prm["role"] == _id:
1024 raise EngineException("Role '{}' ({}) is being used by user '{}'"
1025 .format(role["name"], _id, user["username"]), HTTPStatus.CONFLICT)
1026
1027 @staticmethod
1028 def format_on_new(content, project_id=None, make_public=False): # TO BE REMOVED ?
1029 """
1030 Modifies content descriptor to include _admin
1031
1032 :param content: descriptor to be modified
1033 :param project_id: if included, it add project read/write permissions
1034 :param make_public: if included it is generated as public for reading.
1035 :return: None, but content is modified
1036 """
1037 now = time()
1038 if "_admin" not in content:
1039 content["_admin"] = {}
1040 if not content["_admin"].get("created"):
1041 content["_admin"]["created"] = now
1042 content["_admin"]["modified"] = now
1043
1044 if "permissions" not in content:
1045 content["permissions"] = {}
1046
1047 if "default" not in content["permissions"]:
1048 content["permissions"]["default"] = False
1049 if "admin" not in content["permissions"]:
1050 content["permissions"]["admin"] = False
1051
1052 @staticmethod
1053 def format_on_edit(final_content, edit_content):
1054 """
1055 Modifies final_content descriptor to include the modified date.
1056
1057 :param final_content: final descriptor generated
1058 :param edit_content: alterations to be include
1059 :return: None, but final_content is modified
1060 """
1061 if "_admin" in final_content:
1062 final_content["_admin"]["modified"] = time()
1063
1064 if "permissions" not in final_content:
1065 final_content["permissions"] = {}
1066
1067 if "default" not in final_content["permissions"]:
1068 final_content["permissions"]["default"] = False
1069 if "admin" not in final_content["permissions"]:
1070 final_content["permissions"]["admin"] = False
1071 return None
1072
1073 def show(self, session, _id):
1074 """
1075 Get complete information on an topic
1076
1077 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1078 :param _id: server internal id
1079 :return: dictionary, raise exception if not found.
1080 """
1081 filter_q = {BaseTopic.id_field(self.topic, _id): _id}
1082 # roles = self.auth.get_role_list(filter_q)
1083 roles = self.list(session, filter_q) # To allow default filtering (Bug 853)
1084 if not roles:
1085 raise AuthconnNotFoundException("Not found any role with filter {}".format(filter_q))
1086 elif len(roles) > 1:
1087 raise AuthconnConflictException("Found more than one role with filter {}".format(filter_q))
1088 return roles[0]
1089
1090 def list(self, session, filter_q=None):
1091 """
1092 Get a list of the topic that matches a filter
1093
1094 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1095 :param filter_q: filter of data to be applied
1096 :return: The list, it can be empty if no one match the filter.
1097 """
1098 role_list = self.auth.get_role_list(filter_q)
1099 if not session["allow_show_user_project_role"]:
1100 # Bug 853 - Default filtering
1101 user = self.auth.get_user(session["username"])
1102 roles = [prm["role"] for prm in user["project_role_mappings"]]
1103 role_list = [role for role in role_list if role["_id"] in roles]
1104 return role_list
1105
1106 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
1107 """
1108 Creates a new entry into database.
1109
1110 :param rollback: list to append created items at database in case a rollback may to be done
1111 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1112 :param indata: data to be inserted
1113 :param kwargs: used to override the indata descriptor
1114 :param headers: http request headers
1115 :return: _id: identity of the inserted data, operation _id (None)
1116 """
1117 try:
1118 content = self._remove_envelop(indata)
1119
1120 # Override descriptor with query string kwargs
1121 self._update_input_with_kwargs(content, kwargs)
1122 content = self._validate_input_new(content, session["force"])
1123 self.check_conflict_on_new(session, content)
1124 self.format_on_new(content, project_id=session["project_id"], make_public=session["public"])
1125 # role_name = content["name"]
1126 rid = self.auth.create_role(content)
1127 content["_id"] = rid
1128 # _id = self.db.create(self.topic, content)
1129 rollback.append({"topic": self.topic, "_id": rid})
1130 # self._send_msg("created", content)
1131 return rid, None
1132 except ValidationError as e:
1133 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
1134
1135 def delete(self, session, _id, dry_run=False):
1136 """
1137 Delete item by its internal _id
1138
1139 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1140 :param _id: server internal id
1141 :param dry_run: make checking but do not delete
1142 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1143 """
1144 filter_q = {BaseTopic.id_field(self.topic, _id): _id}
1145 roles = self.auth.get_role_list(filter_q)
1146 if not roles:
1147 raise AuthconnNotFoundException("Not found any role with filter {}".format(filter_q))
1148 elif len(roles) > 1:
1149 raise AuthconnConflictException("Found more than one role with filter {}".format(filter_q))
1150 rid = roles[0]["_id"]
1151 self.check_conflict_on_del(session, rid, None)
1152 # filter_q = {"_id": _id}
1153 # filter_q = {BaseTopic.id_field(self.topic, _id): _id} # To allow role addressing by name
1154 if not dry_run:
1155 v = self.auth.delete_role(rid)
1156 # v = self.db.del_one(self.topic, filter_q)
1157 return v
1158 return None
1159
1160 def edit(self, session, _id, indata=None, kwargs=None, content=None):
1161 """
1162 Updates a role entry.
1163
1164 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1165 :param _id:
1166 :param indata: data to be inserted
1167 :param kwargs: used to override the indata descriptor
1168 :param content:
1169 :return: _id: identity of the inserted data.
1170 """
1171 if kwargs:
1172 self._update_input_with_kwargs(indata, kwargs)
1173 try:
1174 indata = self._validate_input_edit(indata, force=session["force"])
1175 if not content:
1176 content = self.show(session, _id)
1177 deep_update_rfc7396(content, indata)
1178 self.check_conflict_on_edit(session, content, indata, _id=_id)
1179 self.format_on_edit(content, indata)
1180 self.auth.update_role(content)
1181 except ValidationError as e:
1182 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)