Bug 1844: LTS Support
[osm/NBI.git] / osm_nbi / admin_topics.py
1 # -*- coding: utf-8 -*-
2
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
6 #
7 # http://www.apache.org/licenses/LICENSE-2.0
8 #
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
12 # implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
16 # import logging
17 from uuid import uuid4
18 from hashlib import sha256
19 from http import HTTPStatus
20 from time import time
21 from osm_nbi.validation import (
22 user_new_schema,
23 user_edit_schema,
24 project_new_schema,
25 project_edit_schema,
26 vim_account_new_schema,
27 vim_account_edit_schema,
28 sdn_new_schema,
29 sdn_edit_schema,
30 wim_account_new_schema,
31 wim_account_edit_schema,
32 roles_new_schema,
33 roles_edit_schema,
34 k8scluster_new_schema,
35 k8scluster_edit_schema,
36 k8srepo_new_schema,
37 k8srepo_edit_schema,
38 vca_new_schema,
39 vca_edit_schema,
40 osmrepo_new_schema,
41 osmrepo_edit_schema,
42 validate_input,
43 ValidationError,
44 is_valid_uuid,
45 ) # To check that User/Project Names don't look like UUIDs
46 from osm_nbi.base_topic import BaseTopic, EngineException
47 from osm_nbi.authconn import AuthconnNotFoundException, AuthconnConflictException
48 from osm_common.dbbase import deep_update_rfc7396
49 import copy
50
51 __author__ = "Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
52
53
54 class UserTopic(BaseTopic):
55 topic = "users"
56 topic_msg = "users"
57 schema_new = user_new_schema
58 schema_edit = user_edit_schema
59 multiproject = False
60
61 def __init__(self, db, fs, msg, auth):
62 BaseTopic.__init__(self, db, fs, msg, auth)
63
64 @staticmethod
65 def _get_project_filter(session):
66 """
67 Generates a filter dictionary for querying database users.
68 Current policy is admin can show all, non admin, only its own user.
69 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
70 :return:
71 """
72 if session["admin"]: # allows all
73 return {}
74 else:
75 return {"username": session["username"]}
76
77 def check_conflict_on_new(self, session, indata):
78 # check username not exists
79 if self.db.get_one(
80 self.topic,
81 {"username": indata.get("username")},
82 fail_on_empty=False,
83 fail_on_more=False,
84 ):
85 raise EngineException(
86 "username '{}' exists".format(indata["username"]), HTTPStatus.CONFLICT
87 )
88 # check projects
89 if not session["force"]:
90 for p in indata.get("projects") or []:
91 # To allow project addressing by Name as well as ID
92 if not self.db.get_one(
93 "projects",
94 {BaseTopic.id_field("projects", p): p},
95 fail_on_empty=False,
96 fail_on_more=False,
97 ):
98 raise EngineException(
99 "project '{}' does not exist".format(p), HTTPStatus.CONFLICT
100 )
101
102 def check_conflict_on_del(self, session, _id, db_content):
103 """
104 Check if deletion can be done because of dependencies if it is not force. To override
105 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
106 :param _id: internal _id
107 :param db_content: The database content of this item _id
108 :return: None if ok or raises EngineException with the conflict
109 """
110 if _id == session["username"]:
111 raise EngineException(
112 "You cannot delete your own user", http_code=HTTPStatus.CONFLICT
113 )
114
115 @staticmethod
116 def format_on_new(content, project_id=None, make_public=False):
117 BaseTopic.format_on_new(content, make_public=False)
118 # Removed so that the UUID is kept, to allow User Name modification
119 # content["_id"] = content["username"]
120 salt = uuid4().hex
121 content["_admin"]["salt"] = salt
122 if content.get("password"):
123 content["password"] = sha256(
124 content["password"].encode("utf-8") + salt.encode("utf-8")
125 ).hexdigest()
126 if content.get("project_role_mappings"):
127 projects = [
128 mapping["project"] for mapping in content["project_role_mappings"]
129 ]
130
131 if content.get("projects"):
132 content["projects"] += projects
133 else:
134 content["projects"] = projects
135
136 @staticmethod
137 def format_on_edit(final_content, edit_content):
138 BaseTopic.format_on_edit(final_content, edit_content)
139 if edit_content.get("password"):
140 salt = uuid4().hex
141 final_content["_admin"]["salt"] = salt
142 final_content["password"] = sha256(
143 edit_content["password"].encode("utf-8") + salt.encode("utf-8")
144 ).hexdigest()
145 return None
146
147 def edit(self, session, _id, indata=None, kwargs=None, content=None):
148 if not session["admin"]:
149 raise EngineException(
150 "needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED
151 )
152 # Names that look like UUIDs are not allowed
153 name = (indata if indata else kwargs).get("username")
154 if is_valid_uuid(name):
155 raise EngineException(
156 "Usernames that look like UUIDs are not allowed",
157 http_code=HTTPStatus.UNPROCESSABLE_ENTITY,
158 )
159 return BaseTopic.edit(
160 self, session, _id, indata=indata, kwargs=kwargs, content=content
161 )
162
163 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
164 if not session["admin"]:
165 raise EngineException(
166 "needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED
167 )
168 # Names that look like UUIDs are not allowed
169 name = indata["username"] if indata else kwargs["username"]
170 if is_valid_uuid(name):
171 raise EngineException(
172 "Usernames that look like UUIDs are not allowed",
173 http_code=HTTPStatus.UNPROCESSABLE_ENTITY,
174 )
175 return BaseTopic.new(
176 self, rollback, session, indata=indata, kwargs=kwargs, headers=headers
177 )
178
179
180 class ProjectTopic(BaseTopic):
181 topic = "projects"
182 topic_msg = "projects"
183 schema_new = project_new_schema
184 schema_edit = project_edit_schema
185 multiproject = False
186
187 def __init__(self, db, fs, msg, auth):
188 BaseTopic.__init__(self, db, fs, msg, auth)
189
190 @staticmethod
191 def _get_project_filter(session):
192 """
193 Generates a filter dictionary for querying database users.
194 Current policy is admin can show all, non admin, only its own user.
195 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
196 :return:
197 """
198 if session["admin"]: # allows all
199 return {}
200 else:
201 return {"_id.cont": session["project_id"]}
202
203 def check_conflict_on_new(self, session, indata):
204 if not indata.get("name"):
205 raise EngineException("missing 'name'")
206 # check name not exists
207 if self.db.get_one(
208 self.topic,
209 {"name": indata.get("name")},
210 fail_on_empty=False,
211 fail_on_more=False,
212 ):
213 raise EngineException(
214 "name '{}' exists".format(indata["name"]), HTTPStatus.CONFLICT
215 )
216
217 @staticmethod
218 def format_on_new(content, project_id=None, make_public=False):
219 BaseTopic.format_on_new(content, None)
220 # Removed so that the UUID is kept, to allow Project Name modification
221 # content["_id"] = content["name"]
222
223 def check_conflict_on_del(self, session, _id, db_content):
224 """
225 Check if deletion can be done because of dependencies if it is not force. To override
226 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
227 :param _id: internal _id
228 :param db_content: The database content of this item _id
229 :return: None if ok or raises EngineException with the conflict
230 """
231 if _id in session["project_id"]:
232 raise EngineException(
233 "You cannot delete your own project", http_code=HTTPStatus.CONFLICT
234 )
235 if session["force"]:
236 return
237 _filter = {"projects": _id}
238 if self.db.get_list("users", _filter):
239 raise EngineException(
240 "There is some USER that contains this project",
241 http_code=HTTPStatus.CONFLICT,
242 )
243
244 def edit(self, session, _id, indata=None, kwargs=None, content=None):
245 if not session["admin"]:
246 raise EngineException(
247 "needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED
248 )
249 # Names that look like UUIDs are not allowed
250 name = (indata if indata else kwargs).get("name")
251 if is_valid_uuid(name):
252 raise EngineException(
253 "Project names that look like UUIDs are not allowed",
254 http_code=HTTPStatus.UNPROCESSABLE_ENTITY,
255 )
256 return BaseTopic.edit(
257 self, session, _id, indata=indata, kwargs=kwargs, content=content
258 )
259
260 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
261 if not session["admin"]:
262 raise EngineException(
263 "needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED
264 )
265 # Names that look like UUIDs are not allowed
266 name = indata["name"] if indata else kwargs["name"]
267 if is_valid_uuid(name):
268 raise EngineException(
269 "Project names that look like UUIDs are not allowed",
270 http_code=HTTPStatus.UNPROCESSABLE_ENTITY,
271 )
272 return BaseTopic.new(
273 self, rollback, session, indata=indata, kwargs=kwargs, headers=headers
274 )
275
276
277 class CommonVimWimSdn(BaseTopic):
278 """Common class for VIM, WIM SDN just to unify methods that are equal to all of them"""
279
280 config_to_encrypt = (
281 {}
282 ) # what keys at config must be encrypted because contains passwords
283 password_to_encrypt = "" # key that contains a password
284
285 @staticmethod
286 def _create_operation(op_type, params=None):
287 """
288 Creates a dictionary with the information to an operation, similar to ns-lcm-op
289 :param op_type: can be create, edit, delete
290 :param params: operation input parameters
291 :return: new dictionary with
292 """
293 now = time()
294 return {
295 "lcmOperationType": op_type,
296 "operationState": "PROCESSING",
297 "startTime": now,
298 "statusEnteredTime": now,
299 "detailed-status": "",
300 "operationParams": params,
301 }
302
303 def check_conflict_on_new(self, session, indata):
304 """
305 Check that the data to be inserted is valid. It is checked that name is unique
306 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
307 :param indata: data to be inserted
308 :return: None or raises EngineException
309 """
310 self.check_unique_name(session, indata["name"], _id=None)
311
312 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
313 """
314 Check that the data to be edited/uploaded is valid. It is checked that name is unique
315 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
316 :param final_content: data once modified. This method may change it.
317 :param edit_content: incremental data that contains the modifications to apply
318 :param _id: internal _id
319 :return: None or raises EngineException
320 """
321 if not session["force"] and edit_content.get("name"):
322 self.check_unique_name(session, edit_content["name"], _id=_id)
323
324 return final_content
325
326 def format_on_edit(self, final_content, edit_content):
327 """
328 Modifies final_content inserting admin information upon edition
329 :param final_content: final content to be stored at database
330 :param edit_content: user requested update content
331 :return: operation id
332 """
333 super().format_on_edit(final_content, edit_content)
334
335 # encrypt passwords
336 schema_version = final_content.get("schema_version")
337 if schema_version:
338 if edit_content.get(self.password_to_encrypt):
339 final_content[self.password_to_encrypt] = self.db.encrypt(
340 edit_content[self.password_to_encrypt],
341 schema_version=schema_version,
342 salt=final_content["_id"],
343 )
344 config_to_encrypt_keys = self.config_to_encrypt.get(
345 schema_version
346 ) or self.config_to_encrypt.get("default")
347 if edit_content.get("config") and config_to_encrypt_keys:
348
349 for p in config_to_encrypt_keys:
350 if edit_content["config"].get(p):
351 final_content["config"][p] = self.db.encrypt(
352 edit_content["config"][p],
353 schema_version=schema_version,
354 salt=final_content["_id"],
355 )
356
357 # create edit operation
358 final_content["_admin"]["operations"].append(self._create_operation("edit"))
359 return "{}:{}".format(
360 final_content["_id"], len(final_content["_admin"]["operations"]) - 1
361 )
362
363 def format_on_new(self, content, project_id=None, make_public=False):
364 """
365 Modifies content descriptor to include _admin and insert create operation
366 :param content: descriptor to be modified
367 :param project_id: if included, it add project read/write permissions. Can be None or a list
368 :param make_public: if included it is generated as public for reading.
369 :return: op_id: operation id on asynchronous operation, None otherwise. In addition content is modified
370 """
371 super().format_on_new(content, project_id=project_id, make_public=make_public)
372 content["schema_version"] = schema_version = "1.11"
373
374 # encrypt passwords
375 if content.get(self.password_to_encrypt):
376 content[self.password_to_encrypt] = self.db.encrypt(
377 content[self.password_to_encrypt],
378 schema_version=schema_version,
379 salt=content["_id"],
380 )
381 config_to_encrypt_keys = self.config_to_encrypt.get(
382 schema_version
383 ) or self.config_to_encrypt.get("default")
384 if content.get("config") and config_to_encrypt_keys:
385 for p in config_to_encrypt_keys:
386 if content["config"].get(p):
387 content["config"][p] = self.db.encrypt(
388 content["config"][p],
389 schema_version=schema_version,
390 salt=content["_id"],
391 )
392
393 content["_admin"]["operationalState"] = "PROCESSING"
394
395 # create operation
396 content["_admin"]["operations"] = [self._create_operation("create")]
397 content["_admin"]["current_operation"] = None
398 # create Resource in Openstack based VIM
399 if content.get("vim_type"):
400 if content["vim_type"] == "openstack":
401 compute = {
402 "ram": {
403 "total": None,
404 "used": None
405 },
406 "vcpus": {
407 "total": None,
408 "used": None
409 },
410 "instances": {
411 "total": None,
412 "used": None
413 }
414 }
415 storage = {
416 "volumes": {
417 "total": None,
418 "used": None
419 },
420 "snapshots": {
421 "total": None,
422 "used": None
423 },
424 "storage": {
425 "total": None,
426 "used": None
427 }
428 }
429 network = {
430 "networks": {
431 "total": None,
432 "used": None
433 },
434 "subnets": {
435 "total": None,
436 "used": None
437 },
438 "floating_ips": {
439 "total": None,
440 "used": None
441 }
442 }
443 content["resources"] = {"compute": compute, "storage": storage, "network": network}
444
445 return "{}:0".format(content["_id"])
446
447 def delete(self, session, _id, dry_run=False, not_send_msg=None):
448 """
449 Delete item by its internal _id
450 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
451 :param _id: server internal id
452 :param dry_run: make checking but do not delete
453 :param not_send_msg: To not send message (False) or store content (list) instead
454 :return: operation id if it is ordered to delete. None otherwise
455 """
456
457 filter_q = self._get_project_filter(session)
458 filter_q["_id"] = _id
459 db_content = self.db.get_one(self.topic, filter_q)
460
461 self.check_conflict_on_del(session, _id, db_content)
462 if dry_run:
463 return None
464
465 # remove reference from project_read if there are more projects referencing it. If it last one,
466 # do not remove reference, but order via kafka to delete it
467 if session["project_id"] and session["project_id"]:
468 other_projects_referencing = next(
469 (
470 p
471 for p in db_content["_admin"]["projects_read"]
472 if p not in session["project_id"] and p != "ANY"
473 ),
474 None,
475 )
476
477 # check if there are projects referencing it (apart from ANY, that means, public)....
478 if other_projects_referencing:
479 # remove references but not delete
480 update_dict_pull = {
481 "_admin.projects_read": session["project_id"],
482 "_admin.projects_write": session["project_id"],
483 }
484 self.db.set_one(
485 self.topic, filter_q, update_dict=None, pull_list=update_dict_pull
486 )
487 return None
488 else:
489 can_write = next(
490 (
491 p
492 for p in db_content["_admin"]["projects_write"]
493 if p == "ANY" or p in session["project_id"]
494 ),
495 None,
496 )
497 if not can_write:
498 raise EngineException(
499 "You have not write permission to delete it",
500 http_code=HTTPStatus.UNAUTHORIZED,
501 )
502
503 # It must be deleted
504 if session["force"]:
505 self.db.del_one(self.topic, {"_id": _id})
506 op_id = None
507 self._send_msg(
508 "deleted", {"_id": _id, "op_id": op_id}, not_send_msg=not_send_msg
509 )
510 else:
511 update_dict = {"_admin.to_delete": True}
512 self.db.set_one(
513 self.topic,
514 {"_id": _id},
515 update_dict=update_dict,
516 push={"_admin.operations": self._create_operation("delete")},
517 )
518 # the number of operations is the operation_id. db_content does not contains the new operation inserted,
519 # so the -1 is not needed
520 op_id = "{}:{}".format(
521 db_content["_id"], len(db_content["_admin"]["operations"])
522 )
523 self._send_msg(
524 "delete", {"_id": _id, "op_id": op_id}, not_send_msg=not_send_msg
525 )
526 return op_id
527
528
529 class VimAccountTopic(CommonVimWimSdn):
530 topic = "vim_accounts"
531 topic_msg = "vim_account"
532 schema_new = vim_account_new_schema
533 schema_edit = vim_account_edit_schema
534 multiproject = True
535 password_to_encrypt = "vim_password"
536 config_to_encrypt = {
537 "1.1": ("admin_password", "nsx_password", "vcenter_password"),
538 "default": (
539 "admin_password",
540 "nsx_password",
541 "vcenter_password",
542 "vrops_password",
543 ),
544 }
545
546 def check_conflict_on_del(self, session, _id, db_content):
547 """
548 Check if deletion can be done because of dependencies if it is not force. To override
549 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
550 :param _id: internal _id
551 :param db_content: The database content of this item _id
552 :return: None if ok or raises EngineException with the conflict
553 """
554 if session["force"]:
555 return
556 # check if used by VNF
557 if self.db.get_list("vnfrs", {"vim-account-id": _id}):
558 raise EngineException(
559 "There is at least one VNF using this VIM account",
560 http_code=HTTPStatus.CONFLICT,
561 )
562 super().check_conflict_on_del(session, _id, db_content)
563
564
565 class WimAccountTopic(CommonVimWimSdn):
566 topic = "wim_accounts"
567 topic_msg = "wim_account"
568 schema_new = wim_account_new_schema
569 schema_edit = wim_account_edit_schema
570 multiproject = True
571 password_to_encrypt = "wim_password"
572 config_to_encrypt = {}
573
574
575 class SdnTopic(CommonVimWimSdn):
576 topic = "sdns"
577 topic_msg = "sdn"
578 quota_name = "sdn_controllers"
579 schema_new = sdn_new_schema
580 schema_edit = sdn_edit_schema
581 multiproject = True
582 password_to_encrypt = "password"
583 config_to_encrypt = {}
584
585 def _obtain_url(self, input, create):
586 if input.get("ip") or input.get("port"):
587 if not input.get("ip") or not input.get("port") or input.get("url"):
588 raise ValidationError(
589 "You must provide both 'ip' and 'port' (deprecated); or just 'url' (prefered)"
590 )
591 input["url"] = "http://{}:{}/".format(input["ip"], input["port"])
592 del input["ip"]
593 del input["port"]
594 elif create and not input.get("url"):
595 raise ValidationError("You must provide 'url'")
596 return input
597
598 def _validate_input_new(self, input, force=False):
599 input = super()._validate_input_new(input, force)
600 return self._obtain_url(input, True)
601
602 def _validate_input_edit(self, input, content, force=False):
603 input = super()._validate_input_edit(input, content, force)
604 return self._obtain_url(input, False)
605
606
607 class K8sClusterTopic(CommonVimWimSdn):
608 topic = "k8sclusters"
609 topic_msg = "k8scluster"
610 schema_new = k8scluster_new_schema
611 schema_edit = k8scluster_edit_schema
612 multiproject = True
613 password_to_encrypt = None
614 config_to_encrypt = {}
615
616 def format_on_new(self, content, project_id=None, make_public=False):
617 oid = super().format_on_new(content, project_id, make_public)
618 self.db.encrypt_decrypt_fields(
619 content["credentials"],
620 "encrypt",
621 ["password", "secret"],
622 schema_version=content["schema_version"],
623 salt=content["_id"],
624 )
625 # Add Helm/Juju Repo lists
626 repos = {"helm-chart": [], "juju-bundle": []}
627 for proj in content["_admin"]["projects_read"]:
628 if proj != "ANY":
629 for repo in self.db.get_list(
630 "k8srepos", {"_admin.projects_read": proj}
631 ):
632 if repo["_id"] not in repos[repo["type"]]:
633 repos[repo["type"]].append(repo["_id"])
634 for k in repos:
635 content["_admin"][k.replace("-", "_") + "_repos"] = repos[k]
636 return oid
637
638 def format_on_edit(self, final_content, edit_content):
639 if final_content.get("schema_version") and edit_content.get("credentials"):
640 self.db.encrypt_decrypt_fields(
641 edit_content["credentials"],
642 "encrypt",
643 ["password", "secret"],
644 schema_version=final_content["schema_version"],
645 salt=final_content["_id"],
646 )
647 deep_update_rfc7396(
648 final_content["credentials"], edit_content["credentials"]
649 )
650 oid = super().format_on_edit(final_content, edit_content)
651 return oid
652
653 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
654 final_content = super(CommonVimWimSdn, self).check_conflict_on_edit(
655 session, final_content, edit_content, _id
656 )
657 final_content = super().check_conflict_on_edit(
658 session, final_content, edit_content, _id
659 )
660 # Update Helm/Juju Repo lists
661 repos = {"helm-chart": [], "juju-bundle": []}
662 for proj in session.get("set_project", []):
663 if proj != "ANY":
664 for repo in self.db.get_list(
665 "k8srepos", {"_admin.projects_read": proj}
666 ):
667 if repo["_id"] not in repos[repo["type"]]:
668 repos[repo["type"]].append(repo["_id"])
669 for k in repos:
670 rlist = k.replace("-", "_") + "_repos"
671 if rlist not in final_content["_admin"]:
672 final_content["_admin"][rlist] = []
673 final_content["_admin"][rlist] += repos[k]
674 return final_content
675
676 def check_conflict_on_del(self, session, _id, db_content):
677 """
678 Check if deletion can be done because of dependencies if it is not force. To override
679 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
680 :param _id: internal _id
681 :param db_content: The database content of this item _id
682 :return: None if ok or raises EngineException with the conflict
683 """
684 if session["force"]:
685 return
686 # check if used by VNF
687 filter_q = {"kdur.k8s-cluster.id": _id}
688 if session["project_id"]:
689 filter_q["_admin.projects_read.cont"] = session["project_id"]
690 if self.db.get_list("vnfrs", filter_q):
691 raise EngineException(
692 "There is at least one VNF using this k8scluster",
693 http_code=HTTPStatus.CONFLICT,
694 )
695 super().check_conflict_on_del(session, _id, db_content)
696
697
698 class VcaTopic(CommonVimWimSdn):
699 topic = "vca"
700 topic_msg = "vca"
701 schema_new = vca_new_schema
702 schema_edit = vca_edit_schema
703 multiproject = True
704 password_to_encrypt = None
705
706 def format_on_new(self, content, project_id=None, make_public=False):
707 oid = super().format_on_new(content, project_id, make_public)
708 content["schema_version"] = schema_version = "1.11"
709 for key in ["secret", "cacert"]:
710 content[key] = self.db.encrypt(
711 content[key], schema_version=schema_version, salt=content["_id"]
712 )
713 return oid
714
715 def format_on_edit(self, final_content, edit_content):
716 oid = super().format_on_edit(final_content, edit_content)
717 schema_version = final_content.get("schema_version")
718 for key in ["secret", "cacert"]:
719 if key in edit_content:
720 final_content[key] = self.db.encrypt(
721 edit_content[key],
722 schema_version=schema_version,
723 salt=final_content["_id"],
724 )
725 return oid
726
727 def check_conflict_on_del(self, session, _id, db_content):
728 """
729 Check if deletion can be done because of dependencies if it is not force. To override
730 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
731 :param _id: internal _id
732 :param db_content: The database content of this item _id
733 :return: None if ok or raises EngineException with the conflict
734 """
735 if session["force"]:
736 return
737 # check if used by VNF
738 filter_q = {"vca": _id}
739 if session["project_id"]:
740 filter_q["_admin.projects_read.cont"] = session["project_id"]
741 if self.db.get_list("vim_accounts", filter_q):
742 raise EngineException(
743 "There is at least one VIM account using this vca",
744 http_code=HTTPStatus.CONFLICT,
745 )
746 super().check_conflict_on_del(session, _id, db_content)
747
748
749 class K8sRepoTopic(CommonVimWimSdn):
750 topic = "k8srepos"
751 topic_msg = "k8srepo"
752 schema_new = k8srepo_new_schema
753 schema_edit = k8srepo_edit_schema
754 multiproject = True
755 password_to_encrypt = None
756 config_to_encrypt = {}
757
758 def format_on_new(self, content, project_id=None, make_public=False):
759 oid = super().format_on_new(content, project_id, make_public)
760 # Update Helm/Juju Repo lists
761 repo_list = content["type"].replace("-", "_") + "_repos"
762 for proj in content["_admin"]["projects_read"]:
763 if proj != "ANY":
764 self.db.set_list(
765 "k8sclusters",
766 {
767 "_admin.projects_read": proj,
768 "_admin." + repo_list + ".ne": content["_id"],
769 },
770 {},
771 push={"_admin." + repo_list: content["_id"]},
772 )
773 return oid
774
775 def delete(self, session, _id, dry_run=False, not_send_msg=None):
776 type = self.db.get_one("k8srepos", {"_id": _id})["type"]
777 oid = super().delete(session, _id, dry_run, not_send_msg)
778 if oid:
779 # Remove from Helm/Juju Repo lists
780 repo_list = type.replace("-", "_") + "_repos"
781 self.db.set_list(
782 "k8sclusters",
783 {"_admin." + repo_list: _id},
784 {},
785 pull={"_admin." + repo_list: _id},
786 )
787 return oid
788
789
790 class OsmRepoTopic(BaseTopic):
791 topic = "osmrepos"
792 topic_msg = "osmrepos"
793 schema_new = osmrepo_new_schema
794 schema_edit = osmrepo_edit_schema
795 multiproject = True
796 # TODO: Implement user/password
797
798
799 class UserTopicAuth(UserTopic):
800 # topic = "users"
801 topic_msg = "users"
802 schema_new = user_new_schema
803 schema_edit = user_edit_schema
804
805 def __init__(self, db, fs, msg, auth):
806 UserTopic.__init__(self, db, fs, msg, auth)
807 # self.auth = auth
808
809 def check_conflict_on_new(self, session, indata):
810 """
811 Check that the data to be inserted is valid
812
813 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
814 :param indata: data to be inserted
815 :return: None or raises EngineException
816 """
817 username = indata.get("username")
818 if is_valid_uuid(username):
819 raise EngineException(
820 "username '{}' cannot have a uuid format".format(username),
821 HTTPStatus.UNPROCESSABLE_ENTITY,
822 )
823
824 # Check that username is not used, regardless keystone already checks this
825 if self.auth.get_user_list(filter_q={"name": username}):
826 raise EngineException(
827 "username '{}' is already used".format(username), HTTPStatus.CONFLICT
828 )
829
830 if "projects" in indata.keys():
831 # convert to new format project_role_mappings
832 role = self.auth.get_role_list({"name": "project_admin"})
833 if not role:
834 role = self.auth.get_role_list()
835 if not role:
836 raise AuthconnNotFoundException(
837 "Can't find default role for user '{}'".format(username)
838 )
839 rid = role[0]["_id"]
840 if not indata.get("project_role_mappings"):
841 indata["project_role_mappings"] = []
842 for project in indata["projects"]:
843 pid = self.auth.get_project(project)["_id"]
844 prm = {"project": pid, "role": rid}
845 if prm not in indata["project_role_mappings"]:
846 indata["project_role_mappings"].append(prm)
847 # raise EngineException("Format invalid: the keyword 'projects' is not allowed for keystone authentication",
848 # HTTPStatus.BAD_REQUEST)
849
850 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
851 """
852 Check that the data to be edited/uploaded is valid
853
854 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
855 :param final_content: data once modified
856 :param edit_content: incremental data that contains the modifications to apply
857 :param _id: internal _id
858 :return: None or raises EngineException
859 """
860
861 if "username" in edit_content:
862 username = edit_content.get("username")
863 if is_valid_uuid(username):
864 raise EngineException(
865 "username '{}' cannot have an uuid format".format(username),
866 HTTPStatus.UNPROCESSABLE_ENTITY,
867 )
868
869 # Check that username is not used, regardless keystone already checks this
870 if self.auth.get_user_list(filter_q={"name": username}):
871 raise EngineException(
872 "username '{}' is already used".format(username),
873 HTTPStatus.CONFLICT,
874 )
875
876 if final_content["username"] == "admin":
877 for mapping in edit_content.get("remove_project_role_mappings", ()):
878 if mapping["project"] == "admin" and mapping.get("role") in (
879 None,
880 "system_admin",
881 ):
882 # TODO make this also available for project id and role id
883 raise EngineException(
884 "You cannot remove system_admin role from admin user",
885 http_code=HTTPStatus.FORBIDDEN,
886 )
887
888 return final_content
889
890 def check_conflict_on_del(self, session, _id, db_content):
891 """
892 Check if deletion can be done because of dependencies if it is not force. To override
893 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
894 :param _id: internal _id
895 :param db_content: The database content of this item _id
896 :return: None if ok or raises EngineException with the conflict
897 """
898 if db_content["username"] == session["username"]:
899 raise EngineException(
900 "You cannot delete your own login user ", http_code=HTTPStatus.CONFLICT
901 )
902 # TODO: Check that user is not logged in ? How? (Would require listing current tokens)
903
904 @staticmethod
905 def format_on_show(content):
906 """
907 Modifies the content of the role information to separate the role
908 metadata from the role definition.
909 """
910 project_role_mappings = []
911
912 if "projects" in content:
913 for project in content["projects"]:
914 for role in project["roles"]:
915 project_role_mappings.append(
916 {
917 "project": project["_id"],
918 "project_name": project["name"],
919 "role": role["_id"],
920 "role_name": role["name"],
921 }
922 )
923 del content["projects"]
924 content["project_role_mappings"] = project_role_mappings
925
926 return content
927
928 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
929 """
930 Creates a new entry into the authentication backend.
931
932 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
933
934 :param rollback: list to append created items at database in case a rollback may to be done
935 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
936 :param indata: data to be inserted
937 :param kwargs: used to override the indata descriptor
938 :param headers: http request headers
939 :return: _id: identity of the inserted data, operation _id (None)
940 """
941 try:
942 content = BaseTopic._remove_envelop(indata)
943
944 # Override descriptor with query string kwargs
945 BaseTopic._update_input_with_kwargs(content, kwargs)
946 content = self._validate_input_new(content, session["force"])
947 self.check_conflict_on_new(session, content)
948 # self.format_on_new(content, session["project_id"], make_public=session["public"])
949 now = time()
950 content["_admin"] = {"created": now, "modified": now}
951 prms = []
952 for prm in content.get("project_role_mappings", []):
953 proj = self.auth.get_project(prm["project"], not session["force"])
954 role = self.auth.get_role(prm["role"], not session["force"])
955 pid = proj["_id"] if proj else None
956 rid = role["_id"] if role else None
957 prl = {"project": pid, "role": rid}
958 if prl not in prms:
959 prms.append(prl)
960 content["project_role_mappings"] = prms
961 # _id = self.auth.create_user(content["username"], content["password"])["_id"]
962 _id = self.auth.create_user(content)["_id"]
963
964 rollback.append({"topic": self.topic, "_id": _id})
965 # del content["password"]
966 self._send_msg("created", content, not_send_msg=None)
967 return _id, None
968 except ValidationError as e:
969 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
970
971 def show(self, session, _id, filter_q=None, api_req=False):
972 """
973 Get complete information on an topic
974
975 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
976 :param _id: server internal id or username
977 :param filter_q: dict: query parameter
978 :param api_req: True if this call is serving an external API request. False if serving internal request.
979 :return: dictionary, raise exception if not found.
980 """
981 # Allow _id to be a name or uuid
982 filter_q = {"username": _id}
983 # users = self.auth.get_user_list(filter_q)
984 users = self.list(session, filter_q) # To allow default filtering (Bug 853)
985 if len(users) == 1:
986 return users[0]
987 elif len(users) > 1:
988 raise EngineException(
989 "Too many users found for '{}'".format(_id), HTTPStatus.CONFLICT
990 )
991 else:
992 raise EngineException(
993 "User '{}' not found".format(_id), HTTPStatus.NOT_FOUND
994 )
995
996 def edit(self, session, _id, indata=None, kwargs=None, content=None):
997 """
998 Updates an user entry.
999
1000 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1001 :param _id:
1002 :param indata: data to be inserted
1003 :param kwargs: used to override the indata descriptor
1004 :param content:
1005 :return: _id: identity of the inserted data.
1006 """
1007 indata = self._remove_envelop(indata)
1008
1009 # Override descriptor with query string kwargs
1010 if kwargs:
1011 BaseTopic._update_input_with_kwargs(indata, kwargs)
1012 try:
1013 if not content:
1014 content = self.show(session, _id)
1015 indata = self._validate_input_edit(indata, content, force=session["force"])
1016 content = self.check_conflict_on_edit(session, content, indata, _id=_id)
1017 # self.format_on_edit(content, indata)
1018
1019 if not (
1020 "password" in indata
1021 or "username" in indata
1022 or indata.get("remove_project_role_mappings")
1023 or indata.get("add_project_role_mappings")
1024 or indata.get("project_role_mappings")
1025 or indata.get("projects")
1026 or indata.get("add_projects")
1027 ):
1028 return _id
1029 if indata.get("project_role_mappings") and (
1030 indata.get("remove_project_role_mappings")
1031 or indata.get("add_project_role_mappings")
1032 ):
1033 raise EngineException(
1034 "Option 'project_role_mappings' is incompatible with 'add_project_role_mappings"
1035 "' or 'remove_project_role_mappings'",
1036 http_code=HTTPStatus.BAD_REQUEST,
1037 )
1038
1039 if indata.get("projects") or indata.get("add_projects"):
1040 role = self.auth.get_role_list({"name": "project_admin"})
1041 if not role:
1042 role = self.auth.get_role_list()
1043 if not role:
1044 raise AuthconnNotFoundException(
1045 "Can't find a default role for user '{}'".format(
1046 content["username"]
1047 )
1048 )
1049 rid = role[0]["_id"]
1050 if "add_project_role_mappings" not in indata:
1051 indata["add_project_role_mappings"] = []
1052 if "remove_project_role_mappings" not in indata:
1053 indata["remove_project_role_mappings"] = []
1054 if isinstance(indata.get("projects"), dict):
1055 # backward compatible
1056 for k, v in indata["projects"].items():
1057 if k.startswith("$") and v is None:
1058 indata["remove_project_role_mappings"].append(
1059 {"project": k[1:]}
1060 )
1061 elif k.startswith("$+"):
1062 indata["add_project_role_mappings"].append(
1063 {"project": v, "role": rid}
1064 )
1065 del indata["projects"]
1066 for proj in indata.get("projects", []) + indata.get("add_projects", []):
1067 indata["add_project_role_mappings"].append(
1068 {"project": proj, "role": rid}
1069 )
1070
1071 # user = self.show(session, _id) # Already in 'content'
1072 original_mapping = content["project_role_mappings"]
1073
1074 mappings_to_add = []
1075 mappings_to_remove = []
1076
1077 # remove
1078 for to_remove in indata.get("remove_project_role_mappings", ()):
1079 for mapping in original_mapping:
1080 if to_remove["project"] in (
1081 mapping["project"],
1082 mapping["project_name"],
1083 ):
1084 if not to_remove.get("role") or to_remove["role"] in (
1085 mapping["role"],
1086 mapping["role_name"],
1087 ):
1088 mappings_to_remove.append(mapping)
1089
1090 # add
1091 for to_add in indata.get("add_project_role_mappings", ()):
1092 for mapping in original_mapping:
1093 if to_add["project"] in (
1094 mapping["project"],
1095 mapping["project_name"],
1096 ) and to_add["role"] in (
1097 mapping["role"],
1098 mapping["role_name"],
1099 ):
1100
1101 if mapping in mappings_to_remove: # do not remove
1102 mappings_to_remove.remove(mapping)
1103 break # do not add, it is already at user
1104 else:
1105 pid = self.auth.get_project(to_add["project"])["_id"]
1106 rid = self.auth.get_role(to_add["role"])["_id"]
1107 mappings_to_add.append({"project": pid, "role": rid})
1108
1109 # set
1110 if indata.get("project_role_mappings"):
1111 for to_set in indata["project_role_mappings"]:
1112 for mapping in original_mapping:
1113 if to_set["project"] in (
1114 mapping["project"],
1115 mapping["project_name"],
1116 ) and to_set["role"] in (
1117 mapping["role"],
1118 mapping["role_name"],
1119 ):
1120 if mapping in mappings_to_remove: # do not remove
1121 mappings_to_remove.remove(mapping)
1122 break # do not add, it is already at user
1123 else:
1124 pid = self.auth.get_project(to_set["project"])["_id"]
1125 rid = self.auth.get_role(to_set["role"])["_id"]
1126 mappings_to_add.append({"project": pid, "role": rid})
1127 for mapping in original_mapping:
1128 for to_set in indata["project_role_mappings"]:
1129 if to_set["project"] in (
1130 mapping["project"],
1131 mapping["project_name"],
1132 ) and to_set["role"] in (
1133 mapping["role"],
1134 mapping["role_name"],
1135 ):
1136 break
1137 else:
1138 # delete
1139 if mapping not in mappings_to_remove: # do not remove
1140 mappings_to_remove.append(mapping)
1141
1142 self.auth.update_user(
1143 {
1144 "_id": _id,
1145 "username": indata.get("username"),
1146 "password": indata.get("password"),
1147 "add_project_role_mappings": mappings_to_add,
1148 "remove_project_role_mappings": mappings_to_remove,
1149 }
1150 )
1151 data_to_send = {"_id": _id, "changes": indata}
1152 self._send_msg("edited", data_to_send, not_send_msg=None)
1153
1154 # return _id
1155 except ValidationError as e:
1156 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
1157
1158 def list(self, session, filter_q=None, api_req=False):
1159 """
1160 Get a list of the topic that matches a filter
1161 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1162 :param filter_q: filter of data to be applied
1163 :param api_req: True if this call is serving an external API request. False if serving internal request.
1164 :return: The list, it can be empty if no one match the filter.
1165 """
1166 user_list = self.auth.get_user_list(filter_q)
1167 if not session["allow_show_user_project_role"]:
1168 # Bug 853 - Default filtering
1169 user_list = [
1170 usr for usr in user_list if usr["username"] == session["username"]
1171 ]
1172 return user_list
1173
1174 def delete(self, session, _id, dry_run=False, not_send_msg=None):
1175 """
1176 Delete item by its internal _id
1177
1178 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1179 :param _id: server internal id
1180 :param force: indicates if deletion must be forced in case of conflict
1181 :param dry_run: make checking but do not delete
1182 :param not_send_msg: To not send message (False) or store content (list) instead
1183 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1184 """
1185 # Allow _id to be a name or uuid
1186 user = self.auth.get_user(_id)
1187 uid = user["_id"]
1188 self.check_conflict_on_del(session, uid, user)
1189 if not dry_run:
1190 v = self.auth.delete_user(uid)
1191 self._send_msg("deleted", user, not_send_msg=not_send_msg)
1192 return v
1193 return None
1194
1195
1196 class ProjectTopicAuth(ProjectTopic):
1197 # topic = "projects"
1198 topic_msg = "project"
1199 schema_new = project_new_schema
1200 schema_edit = project_edit_schema
1201
1202 def __init__(self, db, fs, msg, auth):
1203 ProjectTopic.__init__(self, db, fs, msg, auth)
1204 # self.auth = auth
1205
1206 def check_conflict_on_new(self, session, indata):
1207 """
1208 Check that the data to be inserted is valid
1209
1210 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1211 :param indata: data to be inserted
1212 :return: None or raises EngineException
1213 """
1214 project_name = indata.get("name")
1215 if is_valid_uuid(project_name):
1216 raise EngineException(
1217 "project name '{}' cannot have an uuid format".format(project_name),
1218 HTTPStatus.UNPROCESSABLE_ENTITY,
1219 )
1220
1221 project_list = self.auth.get_project_list(filter_q={"name": project_name})
1222
1223 if project_list:
1224 raise EngineException(
1225 "project '{}' exists".format(project_name), HTTPStatus.CONFLICT
1226 )
1227
1228 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
1229 """
1230 Check that the data to be edited/uploaded is valid
1231
1232 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1233 :param final_content: data once modified
1234 :param edit_content: incremental data that contains the modifications to apply
1235 :param _id: internal _id
1236 :return: None or raises EngineException
1237 """
1238
1239 project_name = edit_content.get("name")
1240 if project_name != final_content["name"]: # It is a true renaming
1241 if is_valid_uuid(project_name):
1242 raise EngineException(
1243 "project name '{}' cannot have an uuid format".format(project_name),
1244 HTTPStatus.UNPROCESSABLE_ENTITY,
1245 )
1246
1247 if final_content["name"] == "admin":
1248 raise EngineException(
1249 "You cannot rename project 'admin'", http_code=HTTPStatus.CONFLICT
1250 )
1251
1252 # Check that project name is not used, regardless keystone already checks this
1253 if project_name and self.auth.get_project_list(
1254 filter_q={"name": project_name}
1255 ):
1256 raise EngineException(
1257 "project '{}' is already used".format(project_name),
1258 HTTPStatus.CONFLICT,
1259 )
1260 return final_content
1261
1262 def check_conflict_on_del(self, session, _id, db_content):
1263 """
1264 Check if deletion can be done because of dependencies if it is not force. To override
1265
1266 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1267 :param _id: internal _id
1268 :param db_content: The database content of this item _id
1269 :return: None if ok or raises EngineException with the conflict
1270 """
1271
1272 def check_rw_projects(topic, title, id_field):
1273 for desc in self.db.get_list(topic):
1274 if (
1275 _id
1276 in desc["_admin"]["projects_read"]
1277 + desc["_admin"]["projects_write"]
1278 ):
1279 raise EngineException(
1280 "Project '{}' ({}) is being used by {} '{}'".format(
1281 db_content["name"], _id, title, desc[id_field]
1282 ),
1283 HTTPStatus.CONFLICT,
1284 )
1285
1286 if _id in session["project_id"]:
1287 raise EngineException(
1288 "You cannot delete your own project", http_code=HTTPStatus.CONFLICT
1289 )
1290
1291 if db_content["name"] == "admin":
1292 raise EngineException(
1293 "You cannot delete project 'admin'", http_code=HTTPStatus.CONFLICT
1294 )
1295
1296 # If any user is using this project, raise CONFLICT exception
1297 if not session["force"]:
1298 for user in self.auth.get_user_list():
1299 for prm in user.get("project_role_mappings"):
1300 if prm["project"] == _id:
1301 raise EngineException(
1302 "Project '{}' ({}) is being used by user '{}'".format(
1303 db_content["name"], _id, user["username"]
1304 ),
1305 HTTPStatus.CONFLICT,
1306 )
1307
1308 # If any VNFD, NSD, NST, PDU, etc. is using this project, raise CONFLICT exception
1309 if not session["force"]:
1310 check_rw_projects("vnfds", "VNF Descriptor", "id")
1311 check_rw_projects("nsds", "NS Descriptor", "id")
1312 check_rw_projects("nsts", "NS Template", "id")
1313 check_rw_projects("pdus", "PDU Descriptor", "name")
1314
1315 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
1316 """
1317 Creates a new entry into the authentication backend.
1318
1319 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
1320
1321 :param rollback: list to append created items at database in case a rollback may to be done
1322 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1323 :param indata: data to be inserted
1324 :param kwargs: used to override the indata descriptor
1325 :param headers: http request headers
1326 :return: _id: identity of the inserted data, operation _id (None)
1327 """
1328 try:
1329 content = BaseTopic._remove_envelop(indata)
1330
1331 # Override descriptor with query string kwargs
1332 BaseTopic._update_input_with_kwargs(content, kwargs)
1333 content = self._validate_input_new(content, session["force"])
1334 self.check_conflict_on_new(session, content)
1335 self.format_on_new(
1336 content, project_id=session["project_id"], make_public=session["public"]
1337 )
1338 _id = self.auth.create_project(content)
1339 rollback.append({"topic": self.topic, "_id": _id})
1340 self._send_msg("created", content, not_send_msg=None)
1341 return _id, None
1342 except ValidationError as e:
1343 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
1344
1345 def show(self, session, _id, filter_q=None, api_req=False):
1346 """
1347 Get complete information on an topic
1348
1349 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1350 :param _id: server internal id
1351 :param filter_q: dict: query parameter
1352 :param api_req: True if this call is serving an external API request. False if serving internal request.
1353 :return: dictionary, raise exception if not found.
1354 """
1355 # Allow _id to be a name or uuid
1356 filter_q = {self.id_field(self.topic, _id): _id}
1357 # projects = self.auth.get_project_list(filter_q=filter_q)
1358 projects = self.list(session, filter_q) # To allow default filtering (Bug 853)
1359 if len(projects) == 1:
1360 return projects[0]
1361 elif len(projects) > 1:
1362 raise EngineException("Too many projects found", HTTPStatus.CONFLICT)
1363 else:
1364 raise EngineException("Project not found", HTTPStatus.NOT_FOUND)
1365
1366 def list(self, session, filter_q=None, api_req=False):
1367 """
1368 Get a list of the topic that matches a filter
1369
1370 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1371 :param filter_q: filter of data to be applied
1372 :return: The list, it can be empty if no one match the filter.
1373 """
1374 project_list = self.auth.get_project_list(filter_q)
1375 if not session["allow_show_user_project_role"]:
1376 # Bug 853 - Default filtering
1377 user = self.auth.get_user(session["username"])
1378 projects = [prm["project"] for prm in user["project_role_mappings"]]
1379 project_list = [proj for proj in project_list if proj["_id"] in projects]
1380 return project_list
1381
1382 def delete(self, session, _id, dry_run=False, not_send_msg=None):
1383 """
1384 Delete item by its internal _id
1385
1386 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1387 :param _id: server internal id
1388 :param dry_run: make checking but do not delete
1389 :param not_send_msg: To not send message (False) or store content (list) instead
1390 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1391 """
1392 # Allow _id to be a name or uuid
1393 proj = self.auth.get_project(_id)
1394 pid = proj["_id"]
1395 self.check_conflict_on_del(session, pid, proj)
1396 if not dry_run:
1397 v = self.auth.delete_project(pid)
1398 self._send_msg("deleted", proj, not_send_msg=None)
1399 return v
1400 return None
1401
1402 def edit(self, session, _id, indata=None, kwargs=None, content=None):
1403 """
1404 Updates a project entry.
1405
1406 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1407 :param _id:
1408 :param indata: data to be inserted
1409 :param kwargs: used to override the indata descriptor
1410 :param content:
1411 :return: _id: identity of the inserted data.
1412 """
1413 indata = self._remove_envelop(indata)
1414
1415 # Override descriptor with query string kwargs
1416 if kwargs:
1417 BaseTopic._update_input_with_kwargs(indata, kwargs)
1418 try:
1419 if not content:
1420 content = self.show(session, _id)
1421 indata = self._validate_input_edit(indata, content, force=session["force"])
1422 content = self.check_conflict_on_edit(session, content, indata, _id=_id)
1423 self.format_on_edit(content, indata)
1424 content_original = copy.deepcopy(content)
1425 deep_update_rfc7396(content, indata)
1426 self.auth.update_project(content["_id"], content)
1427 proj_data = {"_id": _id, "changes": indata, "original": content_original}
1428 self._send_msg("edited", proj_data, not_send_msg=None)
1429 except ValidationError as e:
1430 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
1431
1432
1433 class RoleTopicAuth(BaseTopic):
1434 topic = "roles"
1435 topic_msg = None # "roles"
1436 schema_new = roles_new_schema
1437 schema_edit = roles_edit_schema
1438 multiproject = False
1439
1440 def __init__(self, db, fs, msg, auth):
1441 BaseTopic.__init__(self, db, fs, msg, auth)
1442 # self.auth = auth
1443 self.operations = auth.role_permissions
1444 # self.topic = "roles_operations" if isinstance(auth, AuthconnKeystone) else "roles"
1445
1446 @staticmethod
1447 def validate_role_definition(operations, role_definitions):
1448 """
1449 Validates the role definition against the operations defined in
1450 the resources to operations files.
1451
1452 :param operations: operations list
1453 :param role_definitions: role definition to test
1454 :return: None if ok, raises ValidationError exception on error
1455 """
1456 if not role_definitions.get("permissions"):
1457 return
1458 ignore_fields = ["admin", "default"]
1459 for role_def in role_definitions["permissions"].keys():
1460 if role_def in ignore_fields:
1461 continue
1462 if role_def[-1] == ":":
1463 raise ValidationError("Operation cannot end with ':'")
1464
1465 match = next(
1466 (
1467 op
1468 for op in operations
1469 if op == role_def or op.startswith(role_def + ":")
1470 ),
1471 None,
1472 )
1473
1474 if not match:
1475 raise ValidationError("Invalid permission '{}'".format(role_def))
1476
1477 def _validate_input_new(self, input, force=False):
1478 """
1479 Validates input user content for a new entry.
1480
1481 :param input: user input content for the new topic
1482 :param force: may be used for being more tolerant
1483 :return: The same input content, or a changed version of it.
1484 """
1485 if self.schema_new:
1486 validate_input(input, self.schema_new)
1487 self.validate_role_definition(self.operations, input)
1488
1489 return input
1490
1491 def _validate_input_edit(self, input, content, force=False):
1492 """
1493 Validates input user content for updating an entry.
1494
1495 :param input: user input content for the new topic
1496 :param force: may be used for being more tolerant
1497 :return: The same input content, or a changed version of it.
1498 """
1499 if self.schema_edit:
1500 validate_input(input, self.schema_edit)
1501 self.validate_role_definition(self.operations, input)
1502
1503 return input
1504
1505 def check_conflict_on_new(self, session, indata):
1506 """
1507 Check that the data to be inserted is valid
1508
1509 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1510 :param indata: data to be inserted
1511 :return: None or raises EngineException
1512 """
1513 # check name is not uuid
1514 role_name = indata.get("name")
1515 if is_valid_uuid(role_name):
1516 raise EngineException(
1517 "role name '{}' cannot have an uuid format".format(role_name),
1518 HTTPStatus.UNPROCESSABLE_ENTITY,
1519 )
1520 # check name not exists
1521 name = indata["name"]
1522 # if self.db.get_one(self.topic, {"name": indata.get("name")}, fail_on_empty=False, fail_on_more=False):
1523 if self.auth.get_role_list({"name": name}):
1524 raise EngineException(
1525 "role name '{}' exists".format(name), HTTPStatus.CONFLICT
1526 )
1527
1528 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
1529 """
1530 Check that the data to be edited/uploaded is valid
1531
1532 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1533 :param final_content: data once modified
1534 :param edit_content: incremental data that contains the modifications to apply
1535 :param _id: internal _id
1536 :return: None or raises EngineException
1537 """
1538 if "default" not in final_content["permissions"]:
1539 final_content["permissions"]["default"] = False
1540 if "admin" not in final_content["permissions"]:
1541 final_content["permissions"]["admin"] = False
1542
1543 # check name is not uuid
1544 role_name = edit_content.get("name")
1545 if is_valid_uuid(role_name):
1546 raise EngineException(
1547 "role name '{}' cannot have an uuid format".format(role_name),
1548 HTTPStatus.UNPROCESSABLE_ENTITY,
1549 )
1550
1551 # Check renaming of admin roles
1552 role = self.auth.get_role(_id)
1553 if role["name"] in ["system_admin", "project_admin"]:
1554 raise EngineException(
1555 "You cannot rename role '{}'".format(role["name"]),
1556 http_code=HTTPStatus.FORBIDDEN,
1557 )
1558
1559 # check name not exists
1560 if "name" in edit_content:
1561 role_name = edit_content["name"]
1562 # if self.db.get_one(self.topic, {"name":role_name,"_id.ne":_id}, fail_on_empty=False, fail_on_more=False):
1563 roles = self.auth.get_role_list({"name": role_name})
1564 if roles and roles[0][BaseTopic.id_field("roles", _id)] != _id:
1565 raise EngineException(
1566 "role name '{}' exists".format(role_name), HTTPStatus.CONFLICT
1567 )
1568
1569 return final_content
1570
1571 def check_conflict_on_del(self, session, _id, db_content):
1572 """
1573 Check if deletion can be done because of dependencies if it is not force. To override
1574
1575 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1576 :param _id: internal _id
1577 :param db_content: The database content of this item _id
1578 :return: None if ok or raises EngineException with the conflict
1579 """
1580 role = self.auth.get_role(_id)
1581 if role["name"] in ["system_admin", "project_admin"]:
1582 raise EngineException(
1583 "You cannot delete role '{}'".format(role["name"]),
1584 http_code=HTTPStatus.FORBIDDEN,
1585 )
1586
1587 # If any user is using this role, raise CONFLICT exception
1588 if not session["force"]:
1589 for user in self.auth.get_user_list():
1590 for prm in user.get("project_role_mappings"):
1591 if prm["role"] == _id:
1592 raise EngineException(
1593 "Role '{}' ({}) is being used by user '{}'".format(
1594 role["name"], _id, user["username"]
1595 ),
1596 HTTPStatus.CONFLICT,
1597 )
1598
1599 @staticmethod
1600 def format_on_new(content, project_id=None, make_public=False): # TO BE REMOVED ?
1601 """
1602 Modifies content descriptor to include _admin
1603
1604 :param content: descriptor to be modified
1605 :param project_id: if included, it add project read/write permissions
1606 :param make_public: if included it is generated as public for reading.
1607 :return: None, but content is modified
1608 """
1609 now = time()
1610 if "_admin" not in content:
1611 content["_admin"] = {}
1612 if not content["_admin"].get("created"):
1613 content["_admin"]["created"] = now
1614 content["_admin"]["modified"] = now
1615
1616 if "permissions" not in content:
1617 content["permissions"] = {}
1618
1619 if "default" not in content["permissions"]:
1620 content["permissions"]["default"] = False
1621 if "admin" not in content["permissions"]:
1622 content["permissions"]["admin"] = False
1623
1624 @staticmethod
1625 def format_on_edit(final_content, edit_content):
1626 """
1627 Modifies final_content descriptor to include the modified date.
1628
1629 :param final_content: final descriptor generated
1630 :param edit_content: alterations to be include
1631 :return: None, but final_content is modified
1632 """
1633 if "_admin" in final_content:
1634 final_content["_admin"]["modified"] = time()
1635
1636 if "permissions" not in final_content:
1637 final_content["permissions"] = {}
1638
1639 if "default" not in final_content["permissions"]:
1640 final_content["permissions"]["default"] = False
1641 if "admin" not in final_content["permissions"]:
1642 final_content["permissions"]["admin"] = False
1643 return None
1644
1645 def show(self, session, _id, filter_q=None, api_req=False):
1646 """
1647 Get complete information on an topic
1648
1649 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1650 :param _id: server internal id
1651 :param filter_q: dict: query parameter
1652 :param api_req: True if this call is serving an external API request. False if serving internal request.
1653 :return: dictionary, raise exception if not found.
1654 """
1655 filter_q = {BaseTopic.id_field(self.topic, _id): _id}
1656 # roles = self.auth.get_role_list(filter_q)
1657 roles = self.list(session, filter_q) # To allow default filtering (Bug 853)
1658 if not roles:
1659 raise AuthconnNotFoundException(
1660 "Not found any role with filter {}".format(filter_q)
1661 )
1662 elif len(roles) > 1:
1663 raise AuthconnConflictException(
1664 "Found more than one role with filter {}".format(filter_q)
1665 )
1666 return roles[0]
1667
1668 def list(self, session, filter_q=None, api_req=False):
1669 """
1670 Get a list of the topic that matches a filter
1671
1672 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1673 :param filter_q: filter of data to be applied
1674 :return: The list, it can be empty if no one match the filter.
1675 """
1676 role_list = self.auth.get_role_list(filter_q)
1677 if not session["allow_show_user_project_role"]:
1678 # Bug 853 - Default filtering
1679 user = self.auth.get_user(session["username"])
1680 roles = [prm["role"] for prm in user["project_role_mappings"]]
1681 role_list = [role for role in role_list if role["_id"] in roles]
1682 return role_list
1683
1684 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
1685 """
1686 Creates a new entry into database.
1687
1688 :param rollback: list to append created items at database in case a rollback may to be done
1689 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1690 :param indata: data to be inserted
1691 :param kwargs: used to override the indata descriptor
1692 :param headers: http request headers
1693 :return: _id: identity of the inserted data, operation _id (None)
1694 """
1695 try:
1696 content = self._remove_envelop(indata)
1697
1698 # Override descriptor with query string kwargs
1699 self._update_input_with_kwargs(content, kwargs)
1700 content = self._validate_input_new(content, session["force"])
1701 self.check_conflict_on_new(session, content)
1702 self.format_on_new(
1703 content, project_id=session["project_id"], make_public=session["public"]
1704 )
1705 # role_name = content["name"]
1706 rid = self.auth.create_role(content)
1707 content["_id"] = rid
1708 # _id = self.db.create(self.topic, content)
1709 rollback.append({"topic": self.topic, "_id": rid})
1710 # self._send_msg("created", content, not_send_msg=not_send_msg)
1711 return rid, None
1712 except ValidationError as e:
1713 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
1714
1715 def delete(self, session, _id, dry_run=False, not_send_msg=None):
1716 """
1717 Delete item by its internal _id
1718
1719 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1720 :param _id: server internal id
1721 :param dry_run: make checking but do not delete
1722 :param not_send_msg: To not send message (False) or store content (list) instead
1723 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1724 """
1725 filter_q = {BaseTopic.id_field(self.topic, _id): _id}
1726 roles = self.auth.get_role_list(filter_q)
1727 if not roles:
1728 raise AuthconnNotFoundException(
1729 "Not found any role with filter {}".format(filter_q)
1730 )
1731 elif len(roles) > 1:
1732 raise AuthconnConflictException(
1733 "Found more than one role with filter {}".format(filter_q)
1734 )
1735 rid = roles[0]["_id"]
1736 self.check_conflict_on_del(session, rid, None)
1737 # filter_q = {"_id": _id}
1738 # filter_q = {BaseTopic.id_field(self.topic, _id): _id} # To allow role addressing by name
1739 if not dry_run:
1740 v = self.auth.delete_role(rid)
1741 # v = self.db.del_one(self.topic, filter_q)
1742 return v
1743 return None
1744
1745 def edit(self, session, _id, indata=None, kwargs=None, content=None):
1746 """
1747 Updates a role entry.
1748
1749 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1750 :param _id:
1751 :param indata: data to be inserted
1752 :param kwargs: used to override the indata descriptor
1753 :param content:
1754 :return: _id: identity of the inserted data.
1755 """
1756 if kwargs:
1757 self._update_input_with_kwargs(indata, kwargs)
1758 try:
1759 if not content:
1760 content = self.show(session, _id)
1761 indata = self._validate_input_edit(indata, content, force=session["force"])
1762 deep_update_rfc7396(content, indata)
1763 content = self.check_conflict_on_edit(session, content, indata, _id=_id)
1764 self.format_on_edit(content, indata)
1765 self.auth.update_role(content)
1766 except ValidationError as e:
1767 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)