Tests for NBI Quotas
[osm/NBI.git] / osm_nbi / admin_topics.py
1 # -*- coding: utf-8 -*-
2
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
6 #
7 # http://www.apache.org/licenses/LICENSE-2.0
8 #
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
12 # implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
16 # import logging
17 from uuid import uuid4
18 from hashlib import sha256
19 from http import HTTPStatus
20 from time import time
21 from osm_nbi.validation import user_new_schema, user_edit_schema, project_new_schema, project_edit_schema, \
22 vim_account_new_schema, vim_account_edit_schema, sdn_new_schema, sdn_edit_schema, \
23 wim_account_new_schema, wim_account_edit_schema, roles_new_schema, roles_edit_schema, \
24 validate_input, ValidationError, is_valid_uuid # To check that User/Project Names don't look like UUIDs
25 from osm_nbi.base_topic import BaseTopic, EngineException
26 from osm_nbi.authconn import AuthconnNotFoundException, AuthconnConflictException
27 from osm_common.dbbase import deep_update_rfc7396
28
29 __author__ = "Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30
31
32 class UserTopic(BaseTopic):
33 topic = "users"
34 topic_msg = "users"
35 schema_new = user_new_schema
36 schema_edit = user_edit_schema
37 multiproject = False
38
39 def __init__(self, db, fs, msg, auth):
40 BaseTopic.__init__(self, db, fs, msg, auth)
41
42 @staticmethod
43 def _get_project_filter(session):
44 """
45 Generates a filter dictionary for querying database users.
46 Current policy is admin can show all, non admin, only its own user.
47 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
48 :return:
49 """
50 if session["admin"]: # allows all
51 return {}
52 else:
53 return {"username": session["username"]}
54
55 def check_conflict_on_new(self, session, indata):
56 # check username not exists
57 if self.db.get_one(self.topic, {"username": indata.get("username")}, fail_on_empty=False, fail_on_more=False):
58 raise EngineException("username '{}' exists".format(indata["username"]), HTTPStatus.CONFLICT)
59 # check projects
60 if not session["force"]:
61 for p in indata.get("projects") or []:
62 # To allow project addressing by Name as well as ID
63 if not self.db.get_one("projects", {BaseTopic.id_field("projects", p): p}, fail_on_empty=False,
64 fail_on_more=False):
65 raise EngineException("project '{}' does not exist".format(p), HTTPStatus.CONFLICT)
66
67 def check_conflict_on_del(self, session, _id, db_content):
68 """
69 Check if deletion can be done because of dependencies if it is not force. To override
70 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
71 :param _id: internal _id
72 :param db_content: The database content of this item _id
73 :return: None if ok or raises EngineException with the conflict
74 """
75 if _id == session["username"]:
76 raise EngineException("You cannot delete your own user", http_code=HTTPStatus.CONFLICT)
77
78 @staticmethod
79 def format_on_new(content, project_id=None, make_public=False):
80 BaseTopic.format_on_new(content, make_public=False)
81 # Removed so that the UUID is kept, to allow User Name modification
82 # content["_id"] = content["username"]
83 salt = uuid4().hex
84 content["_admin"]["salt"] = salt
85 if content.get("password"):
86 content["password"] = sha256(content["password"].encode('utf-8') + salt.encode('utf-8')).hexdigest()
87 if content.get("project_role_mappings"):
88 projects = [mapping["project"] for mapping in content["project_role_mappings"]]
89
90 if content.get("projects"):
91 content["projects"] += projects
92 else:
93 content["projects"] = projects
94
95 @staticmethod
96 def format_on_edit(final_content, edit_content):
97 BaseTopic.format_on_edit(final_content, edit_content)
98 if edit_content.get("password"):
99 salt = uuid4().hex
100 final_content["_admin"]["salt"] = salt
101 final_content["password"] = sha256(edit_content["password"].encode('utf-8') +
102 salt.encode('utf-8')).hexdigest()
103 return None
104
105 def edit(self, session, _id, indata=None, kwargs=None, content=None):
106 if not session["admin"]:
107 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
108 # Names that look like UUIDs are not allowed
109 name = (indata if indata else kwargs).get("username")
110 if is_valid_uuid(name):
111 raise EngineException("Usernames that look like UUIDs are not allowed",
112 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
113 return BaseTopic.edit(self, session, _id, indata=indata, kwargs=kwargs, content=content)
114
115 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
116 if not session["admin"]:
117 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
118 # Names that look like UUIDs are not allowed
119 name = indata["username"] if indata else kwargs["username"]
120 if is_valid_uuid(name):
121 raise EngineException("Usernames that look like UUIDs are not allowed",
122 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
123 return BaseTopic.new(self, rollback, session, indata=indata, kwargs=kwargs, headers=headers)
124
125
126 class ProjectTopic(BaseTopic):
127 topic = "projects"
128 topic_msg = "projects"
129 schema_new = project_new_schema
130 schema_edit = project_edit_schema
131 multiproject = False
132
133 def __init__(self, db, fs, msg, auth):
134 BaseTopic.__init__(self, db, fs, msg, auth)
135
136 @staticmethod
137 def _get_project_filter(session):
138 """
139 Generates a filter dictionary for querying database users.
140 Current policy is admin can show all, non admin, only its own user.
141 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
142 :return:
143 """
144 if session["admin"]: # allows all
145 return {}
146 else:
147 return {"_id.cont": session["project_id"]}
148
149 def check_conflict_on_new(self, session, indata):
150 if not indata.get("name"):
151 raise EngineException("missing 'name'")
152 # check name not exists
153 if self.db.get_one(self.topic, {"name": indata.get("name")}, fail_on_empty=False, fail_on_more=False):
154 raise EngineException("name '{}' exists".format(indata["name"]), HTTPStatus.CONFLICT)
155
156 @staticmethod
157 def format_on_new(content, project_id=None, make_public=False):
158 BaseTopic.format_on_new(content, None)
159 # Removed so that the UUID is kept, to allow Project Name modification
160 # content["_id"] = content["name"]
161
162 def check_conflict_on_del(self, session, _id, db_content):
163 """
164 Check if deletion can be done because of dependencies if it is not force. To override
165 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
166 :param _id: internal _id
167 :param db_content: The database content of this item _id
168 :return: None if ok or raises EngineException with the conflict
169 """
170 if _id in session["project_id"]:
171 raise EngineException("You cannot delete your own project", http_code=HTTPStatus.CONFLICT)
172 if session["force"]:
173 return
174 _filter = {"projects": _id}
175 if self.db.get_list("users", _filter):
176 raise EngineException("There is some USER that contains this project", http_code=HTTPStatus.CONFLICT)
177
178 def edit(self, session, _id, indata=None, kwargs=None, content=None):
179 if not session["admin"]:
180 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
181 # Names that look like UUIDs are not allowed
182 name = (indata if indata else kwargs).get("name")
183 if is_valid_uuid(name):
184 raise EngineException("Project names that look like UUIDs are not allowed",
185 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
186 return BaseTopic.edit(self, session, _id, indata=indata, kwargs=kwargs, content=content)
187
188 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
189 if not session["admin"]:
190 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
191 # Names that look like UUIDs are not allowed
192 name = indata["name"] if indata else kwargs["name"]
193 if is_valid_uuid(name):
194 raise EngineException("Project names that look like UUIDs are not allowed",
195 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
196 return BaseTopic.new(self, rollback, session, indata=indata, kwargs=kwargs, headers=headers)
197
198
199 class CommonVimWimSdn(BaseTopic):
200 """Common class for VIM, WIM SDN just to unify methods that are equal to all of them"""
201 config_to_encrypt = {} # what keys at config must be encrypted because contains passwords
202 password_to_encrypt = "" # key that contains a password
203
204 @staticmethod
205 def _create_operation(op_type, params=None):
206 """
207 Creates a dictionary with the information to an operation, similar to ns-lcm-op
208 :param op_type: can be create, edit, delete
209 :param params: operation input parameters
210 :return: new dictionary with
211 """
212 now = time()
213 return {
214 "lcmOperationType": op_type,
215 "operationState": "PROCESSING",
216 "startTime": now,
217 "statusEnteredTime": now,
218 "detailed-status": "",
219 "operationParams": params,
220 }
221
222 def check_conflict_on_new(self, session, indata):
223 """
224 Check that the data to be inserted is valid. It is checked that name is unique
225 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
226 :param indata: data to be inserted
227 :return: None or raises EngineException
228 """
229 self.check_unique_name(session, indata["name"], _id=None)
230
231 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
232 """
233 Check that the data to be edited/uploaded is valid. It is checked that name is unique
234 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
235 :param final_content: data once modified. This method may change it.
236 :param edit_content: incremental data that contains the modifications to apply
237 :param _id: internal _id
238 :return: None or raises EngineException
239 """
240 if not session["force"] and edit_content.get("name"):
241 self.check_unique_name(session, edit_content["name"], _id=_id)
242
243 def format_on_edit(self, final_content, edit_content):
244 """
245 Modifies final_content inserting admin information upon edition
246 :param final_content: final content to be stored at database
247 :param edit_content: user requested update content
248 :return: operation id
249 """
250
251 # encrypt passwords
252 schema_version = final_content.get("schema_version")
253 if schema_version:
254 if edit_content.get(self.password_to_encrypt):
255 final_content[self.password_to_encrypt] = self.db.encrypt(edit_content[self.password_to_encrypt],
256 schema_version=schema_version,
257 salt=final_content["_id"])
258 config_to_encrypt_keys = self.config_to_encrypt.get(schema_version) or self.config_to_encrypt.get("default")
259 if edit_content.get("config") and config_to_encrypt_keys:
260
261 for p in config_to_encrypt_keys:
262 if edit_content["config"].get(p):
263 final_content["config"][p] = self.db.encrypt(edit_content["config"][p],
264 schema_version=schema_version,
265 salt=final_content["_id"])
266
267 # create edit operation
268 final_content["_admin"]["operations"].append(self._create_operation("edit"))
269 return "{}:{}".format(final_content["_id"], len(final_content["_admin"]["operations"]) - 1)
270
271 def format_on_new(self, content, project_id=None, make_public=False):
272 """
273 Modifies content descriptor to include _admin and insert create operation
274 :param content: descriptor to be modified
275 :param project_id: if included, it add project read/write permissions. Can be None or a list
276 :param make_public: if included it is generated as public for reading.
277 :return: op_id: operation id on asynchronous operation, None otherwise. In addition content is modified
278 """
279 super().format_on_new(content, project_id=project_id, make_public=make_public)
280 content["schema_version"] = schema_version = "1.11"
281
282 # encrypt passwords
283 if content.get(self.password_to_encrypt):
284 content[self.password_to_encrypt] = self.db.encrypt(content[self.password_to_encrypt],
285 schema_version=schema_version,
286 salt=content["_id"])
287 config_to_encrypt_keys = self.config_to_encrypt.get(schema_version) or self.config_to_encrypt.get("default")
288 if content.get("config") and config_to_encrypt_keys:
289 for p in config_to_encrypt_keys:
290 if content["config"].get(p):
291 content["config"][p] = self.db.encrypt(content["config"][p],
292 schema_version=schema_version,
293 salt=content["_id"])
294
295 content["_admin"]["operationalState"] = "PROCESSING"
296
297 # create operation
298 content["_admin"]["operations"] = [self._create_operation("create")]
299 content["_admin"]["current_operation"] = None
300
301 return "{}:0".format(content["_id"])
302
303 def delete(self, session, _id, dry_run=False):
304 """
305 Delete item by its internal _id
306 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
307 :param _id: server internal id
308 :param dry_run: make checking but do not delete
309 :return: operation id if it is ordered to delete. None otherwise
310 """
311
312 filter_q = self._get_project_filter(session)
313 filter_q["_id"] = _id
314 db_content = self.db.get_one(self.topic, filter_q)
315
316 self.check_conflict_on_del(session, _id, db_content)
317 if dry_run:
318 return None
319
320 # remove reference from project_read. If not last delete
321 if session["project_id"]:
322 for project_id in session["project_id"]:
323 if project_id in db_content["_admin"]["projects_read"]:
324 db_content["_admin"]["projects_read"].remove(project_id)
325 if project_id in db_content["_admin"]["projects_write"]:
326 db_content["_admin"]["projects_write"].remove(project_id)
327 else:
328 db_content["_admin"]["projects_read"].clear()
329 db_content["_admin"]["projects_write"].clear()
330
331 update_dict = {"_admin.projects_read": db_content["_admin"]["projects_read"],
332 "_admin.projects_write": db_content["_admin"]["projects_write"]
333 }
334
335 # check if there are projects referencing it (apart from ANY that means public)....
336 if db_content["_admin"]["projects_read"] and (len(db_content["_admin"]["projects_read"]) > 1 or
337 db_content["_admin"]["projects_read"][0] != "ANY"):
338 self.db.set_one(self.topic, filter_q, update_dict=update_dict) # remove references but not delete
339 return None
340
341 # It must be deleted
342 if session["force"]:
343 self.db.del_one(self.topic, {"_id": _id})
344 op_id = None
345 self._send_msg("deleted", {"_id": _id, "op_id": op_id})
346 else:
347 update_dict["_admin.to_delete"] = True
348 self.db.set_one(self.topic, {"_id": _id},
349 update_dict=update_dict,
350 push={"_admin.operations": self._create_operation("delete")}
351 )
352 # the number of operations is the operation_id. db_content does not contains the new operation inserted,
353 # so the -1 is not needed
354 op_id = "{}:{}".format(db_content["_id"], len(db_content["_admin"]["operations"]))
355 self._send_msg("delete", {"_id": _id, "op_id": op_id})
356 return op_id
357
358
359 class VimAccountTopic(CommonVimWimSdn):
360 topic = "vim_accounts"
361 topic_msg = "vim_account"
362 schema_new = vim_account_new_schema
363 schema_edit = vim_account_edit_schema
364 multiproject = True
365 password_to_encrypt = "vim_password"
366 config_to_encrypt = {"1.1": ("admin_password", "nsx_password", "vcenter_password"),
367 "default": ("admin_password", "nsx_password", "vcenter_password", "vrops_password")}
368
369
370 class WimAccountTopic(CommonVimWimSdn):
371 topic = "wim_accounts"
372 topic_msg = "wim_account"
373 schema_new = wim_account_new_schema
374 schema_edit = wim_account_edit_schema
375 multiproject = True
376 password_to_encrypt = "wim_password"
377 config_to_encrypt = {}
378
379
380 class SdnTopic(CommonVimWimSdn):
381 topic = "sdns"
382 topic_msg = "sdn"
383 schema_new = sdn_new_schema
384 schema_edit = sdn_edit_schema
385 multiproject = True
386 password_to_encrypt = "password"
387 config_to_encrypt = {}
388
389
390 class UserTopicAuth(UserTopic):
391 # topic = "users"
392 # topic_msg = "users"
393 schema_new = user_new_schema
394 schema_edit = user_edit_schema
395
396 def __init__(self, db, fs, msg, auth):
397 UserTopic.__init__(self, db, fs, msg, auth)
398 # self.auth = auth
399
400 def check_conflict_on_new(self, session, indata):
401 """
402 Check that the data to be inserted is valid
403
404 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
405 :param indata: data to be inserted
406 :return: None or raises EngineException
407 """
408 username = indata.get("username")
409 if is_valid_uuid(username):
410 raise EngineException("username '{}' cannot have a uuid format".format(username),
411 HTTPStatus.UNPROCESSABLE_ENTITY)
412
413 # Check that username is not used, regardless keystone already checks this
414 if self.auth.get_user_list(filter_q={"name": username}):
415 raise EngineException("username '{}' is already used".format(username), HTTPStatus.CONFLICT)
416
417 if "projects" in indata.keys():
418 # convert to new format project_role_mappings
419 role = self.auth.get_role_list({"name": "project_admin"})
420 if not role:
421 role = self.auth.get_role_list()
422 if not role:
423 raise AuthconnNotFoundException("Can't find default role for user '{}'".format(username))
424 rid = role[0]["_id"]
425 if not indata.get("project_role_mappings"):
426 indata["project_role_mappings"] = []
427 for project in indata["projects"]:
428 pid = self.auth.get_project(project)["_id"]
429 prm = {"project": pid, "role": rid}
430 if prm not in indata["project_role_mappings"]:
431 indata["project_role_mappings"].append(prm)
432 # raise EngineException("Format invalid: the keyword 'projects' is not allowed for keystone authentication",
433 # HTTPStatus.BAD_REQUEST)
434
435 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
436 """
437 Check that the data to be edited/uploaded is valid
438
439 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
440 :param final_content: data once modified
441 :param edit_content: incremental data that contains the modifications to apply
442 :param _id: internal _id
443 :return: None or raises EngineException
444 """
445
446 if "username" in edit_content:
447 username = edit_content.get("username")
448 if is_valid_uuid(username):
449 raise EngineException("username '{}' cannot have an uuid format".format(username),
450 HTTPStatus.UNPROCESSABLE_ENTITY)
451
452 # Check that username is not used, regardless keystone already checks this
453 if self.auth.get_user_list(filter_q={"name": username}):
454 raise EngineException("username '{}' is already used".format(username), HTTPStatus.CONFLICT)
455
456 if final_content["username"] == "admin":
457 for mapping in edit_content.get("remove_project_role_mappings", ()):
458 if mapping["project"] == "admin" and mapping.get("role") in (None, "system_admin"):
459 # TODO make this also available for project id and role id
460 raise EngineException("You cannot remove system_admin role from admin user",
461 http_code=HTTPStatus.FORBIDDEN)
462
463 def check_conflict_on_del(self, session, _id, db_content):
464 """
465 Check if deletion can be done because of dependencies if it is not force. To override
466 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
467 :param _id: internal _id
468 :param db_content: The database content of this item _id
469 :return: None if ok or raises EngineException with the conflict
470 """
471 if db_content["username"] == session["username"]:
472 raise EngineException("You cannot delete your own login user ", http_code=HTTPStatus.CONFLICT)
473 # TODO: Check that user is not logged in ? How? (Would require listing current tokens)
474
475 @staticmethod
476 def format_on_show(content):
477 """
478 Modifies the content of the role information to separate the role
479 metadata from the role definition.
480 """
481 project_role_mappings = []
482
483 if "projects" in content:
484 for project in content["projects"]:
485 for role in project["roles"]:
486 project_role_mappings.append({"project": project["_id"],
487 "project_name": project["name"],
488 "role": role["_id"],
489 "role_name": role["name"]})
490 del content["projects"]
491 content["project_role_mappings"] = project_role_mappings
492
493 return content
494
495 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
496 """
497 Creates a new entry into the authentication backend.
498
499 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
500
501 :param rollback: list to append created items at database in case a rollback may to be done
502 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
503 :param indata: data to be inserted
504 :param kwargs: used to override the indata descriptor
505 :param headers: http request headers
506 :return: _id: identity of the inserted data, operation _id (None)
507 """
508 try:
509 content = BaseTopic._remove_envelop(indata)
510
511 # Override descriptor with query string kwargs
512 BaseTopic._update_input_with_kwargs(content, kwargs)
513 content = self._validate_input_new(content, session["force"])
514 self.check_conflict_on_new(session, content)
515 # self.format_on_new(content, session["project_id"], make_public=session["public"])
516 now = time()
517 content["_admin"] = {"created": now, "modified": now}
518 prms = []
519 for prm in content.get("project_role_mappings", []):
520 proj = self.auth.get_project(prm["project"], not session["force"])
521 role = self.auth.get_role(prm["role"], not session["force"])
522 pid = proj["_id"] if proj else None
523 rid = role["_id"] if role else None
524 prl = {"project": pid, "role": rid}
525 if prl not in prms:
526 prms.append(prl)
527 content["project_role_mappings"] = prms
528 # _id = self.auth.create_user(content["username"], content["password"])["_id"]
529 _id = self.auth.create_user(content)["_id"]
530
531 rollback.append({"topic": self.topic, "_id": _id})
532 # del content["password"]
533 # self._send_msg("create", content)
534 return _id, None
535 except ValidationError as e:
536 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
537
538 def show(self, session, _id):
539 """
540 Get complete information on an topic
541
542 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
543 :param _id: server internal id
544 :return: dictionary, raise exception if not found.
545 """
546 # Allow _id to be a name or uuid
547 filter_q = {self.id_field(self.topic, _id): _id}
548 users = self.auth.get_user_list(filter_q)
549
550 if len(users) == 1:
551 return users[0]
552 elif len(users) > 1:
553 raise EngineException("Too many users found", HTTPStatus.CONFLICT)
554 else:
555 raise EngineException("User not found", HTTPStatus.NOT_FOUND)
556
557 def edit(self, session, _id, indata=None, kwargs=None, content=None):
558 """
559 Updates an user entry.
560
561 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
562 :param _id:
563 :param indata: data to be inserted
564 :param kwargs: used to override the indata descriptor
565 :param content:
566 :return: _id: identity of the inserted data.
567 """
568 indata = self._remove_envelop(indata)
569
570 # Override descriptor with query string kwargs
571 if kwargs:
572 BaseTopic._update_input_with_kwargs(indata, kwargs)
573 try:
574 indata = self._validate_input_edit(indata, force=session["force"])
575
576 if not content:
577 content = self.show(session, _id)
578 self.check_conflict_on_edit(session, content, indata, _id=_id)
579 # self.format_on_edit(content, indata)
580
581 if not ("password" in indata or "username" in indata or indata.get("remove_project_role_mappings") or
582 indata.get("add_project_role_mappings") or indata.get("project_role_mappings") or
583 indata.get("projects") or indata.get("add_projects")):
584 return _id
585 if indata.get("project_role_mappings") \
586 and (indata.get("remove_project_role_mappings") or indata.get("add_project_role_mappings")):
587 raise EngineException("Option 'project_role_mappings' is incompatible with 'add_project_role_mappings"
588 "' or 'remove_project_role_mappings'", http_code=HTTPStatus.BAD_REQUEST)
589
590 if indata.get("projects") or indata.get("add_projects"):
591 role = self.auth.get_role_list({"name": "project_admin"})
592 if not role:
593 role = self.auth.get_role_list()
594 if not role:
595 raise AuthconnNotFoundException("Can't find a default role for user '{}'"
596 .format(content["username"]))
597 rid = role[0]["_id"]
598 if "add_project_role_mappings" not in indata:
599 indata["add_project_role_mappings"] = []
600 if "remove_project_role_mappings" not in indata:
601 indata["remove_project_role_mappings"] = []
602 if isinstance(indata.get("projects"), dict):
603 # backward compatible
604 for k, v in indata["projects"].items():
605 if k.startswith("$") and v is None:
606 indata["remove_project_role_mappings"].append({"project": k[1:]})
607 elif k.startswith("$+"):
608 indata["add_project_role_mappings"].append({"project": v, "role": rid})
609 del indata["projects"]
610 for proj in indata.get("projects", []) + indata.get("add_projects", []):
611 indata["add_project_role_mappings"].append({"project": proj, "role": rid})
612
613 # user = self.show(session, _id) # Already in 'content'
614 original_mapping = content["project_role_mappings"]
615
616 mappings_to_add = []
617 mappings_to_remove = []
618
619 # remove
620 for to_remove in indata.get("remove_project_role_mappings", ()):
621 for mapping in original_mapping:
622 if to_remove["project"] in (mapping["project"], mapping["project_name"]):
623 if not to_remove.get("role") or to_remove["role"] in (mapping["role"], mapping["role_name"]):
624 mappings_to_remove.append(mapping)
625
626 # add
627 for to_add in indata.get("add_project_role_mappings", ()):
628 for mapping in original_mapping:
629 if to_add["project"] in (mapping["project"], mapping["project_name"]) and \
630 to_add["role"] in (mapping["role"], mapping["role_name"]):
631
632 if mapping in mappings_to_remove: # do not remove
633 mappings_to_remove.remove(mapping)
634 break # do not add, it is already at user
635 else:
636 pid = self.auth.get_project(to_add["project"])["_id"]
637 rid = self.auth.get_role(to_add["role"])["_id"]
638 mappings_to_add.append({"project": pid, "role": rid})
639
640 # set
641 if indata.get("project_role_mappings"):
642 for to_set in indata["project_role_mappings"]:
643 for mapping in original_mapping:
644 if to_set["project"] in (mapping["project"], mapping["project_name"]) and \
645 to_set["role"] in (mapping["role"], mapping["role_name"]):
646 if mapping in mappings_to_remove: # do not remove
647 mappings_to_remove.remove(mapping)
648 break # do not add, it is already at user
649 else:
650 pid = self.auth.get_project(to_set["project"])["_id"]
651 rid = self.auth.get_role(to_set["role"])["_id"]
652 mappings_to_add.append({"project": pid, "role": rid})
653 for mapping in original_mapping:
654 for to_set in indata["project_role_mappings"]:
655 if to_set["project"] in (mapping["project"], mapping["project_name"]) and \
656 to_set["role"] in (mapping["role"], mapping["role_name"]):
657 break
658 else:
659 # delete
660 if mapping not in mappings_to_remove: # do not remove
661 mappings_to_remove.append(mapping)
662
663 self.auth.update_user({"_id": _id, "username": indata.get("username"), "password": indata.get("password"),
664 "add_project_role_mappings": mappings_to_add,
665 "remove_project_role_mappings": mappings_to_remove
666 })
667
668 # return _id
669 except ValidationError as e:
670 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
671
672 def list(self, session, filter_q=None):
673 """
674 Get a list of the topic that matches a filter
675 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
676 :param filter_q: filter of data to be applied
677 :return: The list, it can be empty if no one match the filter.
678 """
679 users = self.auth.get_user_list(filter_q)
680
681 return users
682
683 def delete(self, session, _id, dry_run=False):
684 """
685 Delete item by its internal _id
686
687 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
688 :param _id: server internal id
689 :param force: indicates if deletion must be forced in case of conflict
690 :param dry_run: make checking but do not delete
691 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
692 """
693 # Allow _id to be a name or uuid
694 user = self.auth.get_user(_id)
695 uid = user["_id"]
696 self.check_conflict_on_del(session, uid, user)
697 if not dry_run:
698 v = self.auth.delete_user(uid)
699 return v
700 return None
701
702
703 class ProjectTopicAuth(ProjectTopic):
704 # topic = "projects"
705 # topic_msg = "projects"
706 schema_new = project_new_schema
707 schema_edit = project_edit_schema
708
709 def __init__(self, db, fs, msg, auth):
710 ProjectTopic.__init__(self, db, fs, msg, auth)
711 # self.auth = auth
712
713 def check_conflict_on_new(self, session, indata):
714 """
715 Check that the data to be inserted is valid
716
717 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
718 :param indata: data to be inserted
719 :return: None or raises EngineException
720 """
721 project_name = indata.get("name")
722 if is_valid_uuid(project_name):
723 raise EngineException("project name '{}' cannot have an uuid format".format(project_name),
724 HTTPStatus.UNPROCESSABLE_ENTITY)
725
726 project_list = self.auth.get_project_list(filter_q={"name": project_name})
727
728 if project_list:
729 raise EngineException("project '{}' exists".format(project_name), HTTPStatus.CONFLICT)
730
731 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
732 """
733 Check that the data to be edited/uploaded is valid
734
735 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
736 :param final_content: data once modified
737 :param edit_content: incremental data that contains the modifications to apply
738 :param _id: internal _id
739 :return: None or raises EngineException
740 """
741
742 project_name = edit_content.get("name")
743 if project_name != final_content["name"]: # It is a true renaming
744 if is_valid_uuid(project_name):
745 raise EngineException("project name '{}' cannot have an uuid format".format(project_name),
746 HTTPStatus.UNPROCESSABLE_ENTITY)
747
748 if final_content["name"] == "admin":
749 raise EngineException("You cannot rename project 'admin'", http_code=HTTPStatus.CONFLICT)
750
751 # Check that project name is not used, regardless keystone already checks this
752 if project_name and self.auth.get_project_list(filter_q={"name": project_name}):
753 raise EngineException("project '{}' is already used".format(project_name), HTTPStatus.CONFLICT)
754
755 def check_conflict_on_del(self, session, _id, db_content):
756 """
757 Check if deletion can be done because of dependencies if it is not force. To override
758
759 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
760 :param _id: internal _id
761 :param db_content: The database content of this item _id
762 :return: None if ok or raises EngineException with the conflict
763 """
764
765 def check_rw_projects(topic, title, id_field):
766 for desc in self.db.get_list(topic):
767 if _id in desc["_admin"]["projects_read"] + desc["_admin"]["projects_write"]:
768 raise EngineException("Project '{}' ({}) is being used by {} '{}'"
769 .format(db_content["name"], _id, title, desc[id_field]), HTTPStatus.CONFLICT)
770
771 if _id in session["project_id"]:
772 raise EngineException("You cannot delete your own project", http_code=HTTPStatus.CONFLICT)
773
774 if db_content["name"] == "admin":
775 raise EngineException("You cannot delete project 'admin'", http_code=HTTPStatus.CONFLICT)
776
777 # If any user is using this project, raise CONFLICT exception
778 if not session["force"]:
779 for user in self.auth.get_user_list():
780 for prm in user.get("project_role_mappings"):
781 if prm["project"] == _id:
782 raise EngineException("Project '{}' ({}) is being used by user '{}'"
783 .format(db_content["name"], _id, user["username"]), HTTPStatus.CONFLICT)
784
785 # If any VNFD, NSD, NST, PDU, etc. is using this project, raise CONFLICT exception
786 if not session["force"]:
787 check_rw_projects("vnfds", "VNF Descriptor", "id")
788 check_rw_projects("nsds", "NS Descriptor", "id")
789 check_rw_projects("nsts", "NS Template", "id")
790 check_rw_projects("pdus", "PDU Descriptor", "name")
791
792 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
793 """
794 Creates a new entry into the authentication backend.
795
796 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
797
798 :param rollback: list to append created items at database in case a rollback may to be done
799 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
800 :param indata: data to be inserted
801 :param kwargs: used to override the indata descriptor
802 :param headers: http request headers
803 :return: _id: identity of the inserted data, operation _id (None)
804 """
805 try:
806 content = BaseTopic._remove_envelop(indata)
807
808 # Override descriptor with query string kwargs
809 BaseTopic._update_input_with_kwargs(content, kwargs)
810 content = self._validate_input_new(content, session["force"])
811 self.check_conflict_on_new(session, content)
812 self.format_on_new(content, project_id=session["project_id"], make_public=session["public"])
813 _id = self.auth.create_project(content)
814 rollback.append({"topic": self.topic, "_id": _id})
815 # self._send_msg("create", content)
816 return _id, None
817 except ValidationError as e:
818 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
819
820 def show(self, session, _id):
821 """
822 Get complete information on an topic
823
824 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
825 :param _id: server internal id
826 :return: dictionary, raise exception if not found.
827 """
828 # Allow _id to be a name or uuid
829 filter_q = {self.id_field(self.topic, _id): _id}
830 projects = self.auth.get_project_list(filter_q=filter_q)
831
832 if len(projects) == 1:
833 return projects[0]
834 elif len(projects) > 1:
835 raise EngineException("Too many projects found", HTTPStatus.CONFLICT)
836 else:
837 raise EngineException("Project not found", HTTPStatus.NOT_FOUND)
838
839 def list(self, session, filter_q=None):
840 """
841 Get a list of the topic that matches a filter
842
843 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
844 :param filter_q: filter of data to be applied
845 :return: The list, it can be empty if no one match the filter.
846 """
847 return self.auth.get_project_list(filter_q)
848
849 def delete(self, session, _id, dry_run=False):
850 """
851 Delete item by its internal _id
852
853 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
854 :param _id: server internal id
855 :param dry_run: make checking but do not delete
856 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
857 """
858 # Allow _id to be a name or uuid
859 proj = self.auth.get_project(_id)
860 pid = proj["_id"]
861 self.check_conflict_on_del(session, pid, proj)
862 if not dry_run:
863 v = self.auth.delete_project(pid)
864 return v
865 return None
866
867 def edit(self, session, _id, indata=None, kwargs=None, content=None):
868 """
869 Updates a project entry.
870
871 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
872 :param _id:
873 :param indata: data to be inserted
874 :param kwargs: used to override the indata descriptor
875 :param content:
876 :return: _id: identity of the inserted data.
877 """
878 indata = self._remove_envelop(indata)
879
880 # Override descriptor with query string kwargs
881 if kwargs:
882 BaseTopic._update_input_with_kwargs(indata, kwargs)
883 try:
884 indata = self._validate_input_edit(indata, force=session["force"])
885
886 if not content:
887 content = self.show(session, _id)
888 self.check_conflict_on_edit(session, content, indata, _id=_id)
889 self.format_on_edit(content, indata)
890
891 deep_update_rfc7396(content, indata)
892 self.auth.update_project(content["_id"], content)
893 except ValidationError as e:
894 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
895
896
897 class RoleTopicAuth(BaseTopic):
898 topic = "roles"
899 topic_msg = None # "roles"
900 schema_new = roles_new_schema
901 schema_edit = roles_edit_schema
902 multiproject = False
903
904 def __init__(self, db, fs, msg, auth, ops):
905 BaseTopic.__init__(self, db, fs, msg, auth)
906 # self.auth = auth
907 self.operations = ops
908 # self.topic = "roles_operations" if isinstance(auth, AuthconnKeystone) else "roles"
909
910 @staticmethod
911 def validate_role_definition(operations, role_definitions):
912 """
913 Validates the role definition against the operations defined in
914 the resources to operations files.
915
916 :param operations: operations list
917 :param role_definitions: role definition to test
918 :return: None if ok, raises ValidationError exception on error
919 """
920 if not role_definitions.get("permissions"):
921 return
922 ignore_fields = ["admin", "default"]
923 for role_def in role_definitions["permissions"].keys():
924 if role_def in ignore_fields:
925 continue
926 if role_def[-1] == ":":
927 raise ValidationError("Operation cannot end with ':'")
928
929 role_def_matches = [op for op in operations if op.startswith(role_def)]
930
931 if len(role_def_matches) == 0:
932 raise ValidationError("Invalid permission '{}'".format(role_def))
933
934 def _validate_input_new(self, input, force=False):
935 """
936 Validates input user content for a new entry.
937
938 :param input: user input content for the new topic
939 :param force: may be used for being more tolerant
940 :return: The same input content, or a changed version of it.
941 """
942 if self.schema_new:
943 validate_input(input, self.schema_new)
944 self.validate_role_definition(self.operations, input)
945
946 return input
947
948 def _validate_input_edit(self, input, force=False):
949 """
950 Validates input user content for updating an entry.
951
952 :param input: user input content for the new topic
953 :param force: may be used for being more tolerant
954 :return: The same input content, or a changed version of it.
955 """
956 if self.schema_edit:
957 validate_input(input, self.schema_edit)
958 self.validate_role_definition(self.operations, input)
959
960 return input
961
962 def check_conflict_on_new(self, session, indata):
963 """
964 Check that the data to be inserted is valid
965
966 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
967 :param indata: data to be inserted
968 :return: None or raises EngineException
969 """
970 # check name not exists
971 name = indata["name"]
972 # if self.db.get_one(self.topic, {"name": indata.get("name")}, fail_on_empty=False, fail_on_more=False):
973 if self.auth.get_role_list({"name": name}):
974 raise EngineException("role name '{}' exists".format(name), HTTPStatus.CONFLICT)
975
976 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
977 """
978 Check that the data to be edited/uploaded is valid
979
980 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
981 :param final_content: data once modified
982 :param edit_content: incremental data that contains the modifications to apply
983 :param _id: internal _id
984 :return: None or raises EngineException
985 """
986 if "default" not in final_content["permissions"]:
987 final_content["permissions"]["default"] = False
988 if "admin" not in final_content["permissions"]:
989 final_content["permissions"]["admin"] = False
990
991 # check name not exists
992 if "name" in edit_content:
993 role_name = edit_content["name"]
994 # if self.db.get_one(self.topic, {"name":role_name,"_id.ne":_id}, fail_on_empty=False, fail_on_more=False):
995 roles = self.auth.get_role_list({"name": role_name})
996 if roles and roles[0][BaseTopic.id_field("roles", _id)] != _id:
997 raise EngineException("role name '{}' exists".format(role_name), HTTPStatus.CONFLICT)
998
999 def check_conflict_on_del(self, session, _id, db_content):
1000 """
1001 Check if deletion can be done because of dependencies if it is not force. To override
1002
1003 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1004 :param _id: internal _id
1005 :param db_content: The database content of this item _id
1006 :return: None if ok or raises EngineException with the conflict
1007 """
1008 role = self.auth.get_role(_id)
1009 if role["name"] in ["system_admin", "project_admin"]:
1010 raise EngineException("You cannot delete role '{}'".format(role["name"]), http_code=HTTPStatus.FORBIDDEN)
1011
1012 # If any user is using this role, raise CONFLICT exception
1013 for user in self.auth.get_user_list():
1014 for prm in user.get("project_role_mappings"):
1015 if prm["role"] == _id:
1016 raise EngineException("Role '{}' ({}) is being used by user '{}'"
1017 .format(role["name"], _id, user["username"]), HTTPStatus.CONFLICT)
1018
1019 @staticmethod
1020 def format_on_new(content, project_id=None, make_public=False): # TO BE REMOVED ?
1021 """
1022 Modifies content descriptor to include _admin
1023
1024 :param content: descriptor to be modified
1025 :param project_id: if included, it add project read/write permissions
1026 :param make_public: if included it is generated as public for reading.
1027 :return: None, but content is modified
1028 """
1029 now = time()
1030 if "_admin" not in content:
1031 content["_admin"] = {}
1032 if not content["_admin"].get("created"):
1033 content["_admin"]["created"] = now
1034 content["_admin"]["modified"] = now
1035
1036 if "permissions" not in content:
1037 content["permissions"] = {}
1038
1039 if "default" not in content["permissions"]:
1040 content["permissions"]["default"] = False
1041 if "admin" not in content["permissions"]:
1042 content["permissions"]["admin"] = False
1043
1044 @staticmethod
1045 def format_on_edit(final_content, edit_content):
1046 """
1047 Modifies final_content descriptor to include the modified date.
1048
1049 :param final_content: final descriptor generated
1050 :param edit_content: alterations to be include
1051 :return: None, but final_content is modified
1052 """
1053 if "_admin" in final_content:
1054 final_content["_admin"]["modified"] = time()
1055
1056 if "permissions" not in final_content:
1057 final_content["permissions"] = {}
1058
1059 if "default" not in final_content["permissions"]:
1060 final_content["permissions"]["default"] = False
1061 if "admin" not in final_content["permissions"]:
1062 final_content["permissions"]["admin"] = False
1063 return None
1064
1065 def show(self, session, _id):
1066 """
1067 Get complete information on an topic
1068
1069 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1070 :param _id: server internal id
1071 :return: dictionary, raise exception if not found.
1072 """
1073 filter_q = {BaseTopic.id_field(self.topic, _id): _id}
1074 roles = self.auth.get_role_list(filter_q)
1075 if not roles:
1076 raise AuthconnNotFoundException("Not found any role with filter {}".format(filter_q))
1077 elif len(roles) > 1:
1078 raise AuthconnConflictException("Found more than one role with filter {}".format(filter_q))
1079 return roles[0]
1080
1081 def list(self, session, filter_q=None):
1082 """
1083 Get a list of the topic that matches a filter
1084
1085 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1086 :param filter_q: filter of data to be applied
1087 :return: The list, it can be empty if no one match the filter.
1088 """
1089 return self.auth.get_role_list(filter_q)
1090
1091 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
1092 """
1093 Creates a new entry into database.
1094
1095 :param rollback: list to append created items at database in case a rollback may to be done
1096 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1097 :param indata: data to be inserted
1098 :param kwargs: used to override the indata descriptor
1099 :param headers: http request headers
1100 :return: _id: identity of the inserted data, operation _id (None)
1101 """
1102 try:
1103 content = self._remove_envelop(indata)
1104
1105 # Override descriptor with query string kwargs
1106 self._update_input_with_kwargs(content, kwargs)
1107 content = self._validate_input_new(content, session["force"])
1108 self.check_conflict_on_new(session, content)
1109 self.format_on_new(content, project_id=session["project_id"], make_public=session["public"])
1110 # role_name = content["name"]
1111 rid = self.auth.create_role(content)
1112 content["_id"] = rid
1113 # _id = self.db.create(self.topic, content)
1114 rollback.append({"topic": self.topic, "_id": rid})
1115 # self._send_msg("create", content)
1116 return rid, None
1117 except ValidationError as e:
1118 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
1119
1120 def delete(self, session, _id, dry_run=False):
1121 """
1122 Delete item by its internal _id
1123
1124 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1125 :param _id: server internal id
1126 :param dry_run: make checking but do not delete
1127 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1128 """
1129 filter_q = {BaseTopic.id_field(self.topic, _id): _id}
1130 roles = self.auth.get_role_list(filter_q)
1131 if not roles:
1132 raise AuthconnNotFoundException("Not found any role with filter {}".format(filter_q))
1133 elif len(roles) > 1:
1134 raise AuthconnConflictException("Found more than one role with filter {}".format(filter_q))
1135 rid = roles[0]["_id"]
1136 self.check_conflict_on_del(session, rid, None)
1137 # filter_q = {"_id": _id}
1138 # filter_q = {BaseTopic.id_field(self.topic, _id): _id} # To allow role addressing by name
1139 if not dry_run:
1140 v = self.auth.delete_role(rid)
1141 # v = self.db.del_one(self.topic, filter_q)
1142 return v
1143 return None
1144
1145 def edit(self, session, _id, indata=None, kwargs=None, content=None):
1146 """
1147 Updates a role entry.
1148
1149 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1150 :param _id:
1151 :param indata: data to be inserted
1152 :param kwargs: used to override the indata descriptor
1153 :param content:
1154 :return: _id: identity of the inserted data.
1155 """
1156 if kwargs:
1157 self._update_input_with_kwargs(indata, kwargs)
1158 try:
1159 indata = self._validate_input_edit(indata, force=session["force"])
1160 if not content:
1161 content = self.show(session, _id)
1162 deep_update_rfc7396(content, indata)
1163 self.check_conflict_on_edit(session, content, indata, _id=_id)
1164 self.format_on_edit(content, indata)
1165 self.auth.update_role(content)
1166 except ValidationError as e:
1167 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)