projects / osm / NBI.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix bug 732
[osm/NBI.git] / osm_nbi / admin_topics.py
1 # -*- coding: utf-8 -*-
2
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
6 #
7 # http://www.apache.org/licenses/LICENSE-2.0
8 #
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
12 # implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
16 # import logging
17 from uuid import uuid4
18 from hashlib import sha256
19 from http import HTTPStatus
20 from time import time
21 from validation import user_new_schema, user_edit_schema, project_new_schema, project_edit_schema
22 from validation import vim_account_new_schema, vim_account_edit_schema, sdn_new_schema, sdn_edit_schema
23 from validation import wim_account_new_schema, wim_account_edit_schema, roles_new_schema, roles_edit_schema
24 from validation import validate_input
25 from validation import ValidationError
26 from validation import is_valid_uuid # To check that User/Project Names don't look like UUIDs
27 from base_topic import BaseTopic, EngineException
28
29 __author__ = "Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30
31
32 class UserTopic(BaseTopic):
33 topic = "users"
34 topic_msg = "users"
35 schema_new = user_new_schema
36 schema_edit = user_edit_schema
37 multiproject = False
38
39 def __init__(self, db, fs, msg):
40 BaseTopic.__init__(self, db, fs, msg)
41
42 @staticmethod
43 def _get_project_filter(session):
44 """
45 Generates a filter dictionary for querying database users.
46 Current policy is admin can show all, non admin, only its own user.
47 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
48 :return:
49 """
50 if session["admin"]: # allows all
51 return {}
52 else:
53 return {"username": session["username"]}
54
55 def check_conflict_on_new(self, session, indata):
56 # check username not exists
57 if self.db.get_one(self.topic, {"username": indata.get("username")}, fail_on_empty=False, fail_on_more=False):
58 raise EngineException("username '{}' exists".format(indata["username"]), HTTPStatus.CONFLICT)
59 # check projects
60 if not session["force"]:
61 for p in indata.get("projects"):
62 # To allow project addressing by Name as well as ID
63 if not self.db.get_one("projects", {BaseTopic.id_field("projects", p): p}, fail_on_empty=False,
64 fail_on_more=False):
65 raise EngineException("project '{}' does not exist".format(p), HTTPStatus.CONFLICT)
66
67 def check_conflict_on_del(self, session, _id, db_content):
68 """
69 Check if deletion can be done because of dependencies if it is not force. To override
70 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
71 :param _id: internal _id
72 :param db_content: The database content of this item _id
73 :return: None if ok or raises EngineException with the conflict
74 """
75 if _id == session["username"]:
76 raise EngineException("You cannot delete your own user", http_code=HTTPStatus.CONFLICT)
77
78 @staticmethod
79 def format_on_new(content, project_id=None, make_public=False):
80 BaseTopic.format_on_new(content, make_public=False)
81 # Removed so that the UUID is kept, to allow User Name modification
82 # content["_id"] = content["username"]
83 salt = uuid4().hex
84 content["_admin"]["salt"] = salt
85 if content.get("password"):
86 content["password"] = sha256(content["password"].encode('utf-8') + salt.encode('utf-8')).hexdigest()
87 if content.get("project_role_mappings"):
88 projects = [mapping[0] for mapping in content["project_role_mappings"]]
89
90 if content.get("projects"):
91 content["projects"] += projects
92 else:
93 content["projects"] = projects
94
95 @staticmethod
96 def format_on_edit(final_content, edit_content):
97 BaseTopic.format_on_edit(final_content, edit_content)
98 if edit_content.get("password"):
99 salt = uuid4().hex
100 final_content["_admin"]["salt"] = salt
101 final_content["password"] = sha256(edit_content["password"].encode('utf-8') +
102 salt.encode('utf-8')).hexdigest()
103
104 def edit(self, session, _id, indata=None, kwargs=None, content=None):
105 if not session["admin"]:
106 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
107 # Names that look like UUIDs are not allowed
108 name = (indata if indata else kwargs).get("username")
109 if is_valid_uuid(name):
110 raise EngineException("Usernames that look like UUIDs are not allowed",
111 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
112 return BaseTopic.edit(self, session, _id, indata=indata, kwargs=kwargs, content=content)
113
114 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
115 if not session["admin"]:
116 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
117 # Names that look like UUIDs are not allowed
118 name = indata["username"] if indata else kwargs["username"]
119 if is_valid_uuid(name):
120 raise EngineException("Usernames that look like UUIDs are not allowed",
121 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
122 return BaseTopic.new(self, rollback, session, indata=indata, kwargs=kwargs, headers=headers)
123
124
125 class ProjectTopic(BaseTopic):
126 topic = "projects"
127 topic_msg = "projects"
128 schema_new = project_new_schema
129 schema_edit = project_edit_schema
130 multiproject = False
131
132 def __init__(self, db, fs, msg):
133 BaseTopic.__init__(self, db, fs, msg)
134
135 @staticmethod
136 def _get_project_filter(session):
137 """
138 Generates a filter dictionary for querying database users.
139 Current policy is admin can show all, non admin, only its own user.
140 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
141 :return:
142 """
143 if session["admin"]: # allows all
144 return {}
145 else:
146 return {"_id.cont": session["project_id"]}
147
148 def check_conflict_on_new(self, session, indata):
149 if not indata.get("name"):
150 raise EngineException("missing 'name'")
151 # check name not exists
152 if self.db.get_one(self.topic, {"name": indata.get("name")}, fail_on_empty=False, fail_on_more=False):
153 raise EngineException("name '{}' exists".format(indata["name"]), HTTPStatus.CONFLICT)
154
155 @staticmethod
156 def format_on_new(content, project_id=None, make_public=False):
157 BaseTopic.format_on_new(content, None)
158 # Removed so that the UUID is kept, to allow Project Name modification
159 # content["_id"] = content["name"]
160
161 def check_conflict_on_del(self, session, _id, db_content):
162 """
163 Check if deletion can be done because of dependencies if it is not force. To override
164 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
165 :param _id: internal _id
166 :param db_content: The database content of this item _id
167 :return: None if ok or raises EngineException with the conflict
168 """
169 if _id in session["project_id"]:
170 raise EngineException("You cannot delete your own project", http_code=HTTPStatus.CONFLICT)
171 if session["force"]:
172 return
173 _filter = {"projects": _id}
174 if self.db.get_list("users", _filter):
175 raise EngineException("There is some USER that contains this project", http_code=HTTPStatus.CONFLICT)
176
177 def edit(self, session, _id, indata=None, kwargs=None, content=None):
178 if not session["admin"]:
179 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
180 # Names that look like UUIDs are not allowed
181 name = (indata if indata else kwargs).get("name")
182 if is_valid_uuid(name):
183 raise EngineException("Project names that look like UUIDs are not allowed",
184 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
185 return BaseTopic.edit(self, session, _id, indata=indata, kwargs=kwargs, content=content)
186
187 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
188 if not session["admin"]:
189 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
190 # Names that look like UUIDs are not allowed
191 name = indata["name"] if indata else kwargs["name"]
192 if is_valid_uuid(name):
193 raise EngineException("Project names that look like UUIDs are not allowed",
194 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
195 return BaseTopic.new(self, rollback, session, indata=indata, kwargs=kwargs, headers=headers)
196
197
198 class VimAccountTopic(BaseTopic):
199 topic = "vim_accounts"
200 topic_msg = "vim_account"
201 schema_new = vim_account_new_schema
202 schema_edit = vim_account_edit_schema
203 vim_config_encrypted = ("admin_password", "nsx_password", "vcenter_password")
204 multiproject = True
205
206 def __init__(self, db, fs, msg):
207 BaseTopic.__init__(self, db, fs, msg)
208
209 def check_conflict_on_new(self, session, indata):
210 self.check_unique_name(session, indata["name"], _id=None)
211
212 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
213 if not session["force"] and edit_content.get("name"):
214 self.check_unique_name(session, edit_content["name"], _id=_id)
215
216 # encrypt passwords
217 schema_version = final_content.get("schema_version")
218 if schema_version:
219 if edit_content.get("vim_password"):
220 final_content["vim_password"] = self.db.encrypt(edit_content["vim_password"],
221 schema_version=schema_version, salt=_id)
222 if edit_content.get("config"):
223 for p in self.vim_config_encrypted:
224 if edit_content["config"].get(p):
225 final_content["config"][p] = self.db.encrypt(edit_content["config"][p],
226 schema_version=schema_version, salt=_id)
227
228 def format_on_new(self, content, project_id=None, make_public=False):
229 BaseTopic.format_on_new(content, project_id=project_id, make_public=make_public)
230 content["schema_version"] = schema_version = "1.1"
231
232 # encrypt passwords
233 if content.get("vim_password"):
234 content["vim_password"] = self.db.encrypt(content["vim_password"], schema_version=schema_version,
235 salt=content["_id"])
236 if content.get("config"):
237 for p in self.vim_config_encrypted:
238 if content["config"].get(p):
239 content["config"][p] = self.db.encrypt(content["config"][p], schema_version=schema_version,
240 salt=content["_id"])
241
242 content["_admin"]["operationalState"] = "PROCESSING"
243
244 def delete(self, session, _id, dry_run=False):
245 """
246 Delete item by its internal _id
247 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
248 :param _id: server internal id
249 :param dry_run: make checking but do not delete
250 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
251 """
252 # TODO add admin to filter, validate rights
253 if dry_run or session["force"]: # delete completely
254 return BaseTopic.delete(self, session, _id, dry_run)
255 else: # if not, sent to kafka
256 v = BaseTopic.delete(self, session, _id, dry_run=True)
257 self.db.set_one("vim_accounts", {"_id": _id}, {"_admin.to_delete": True}) # TODO change status
258 self._send_msg("delete", {"_id": _id})
259 return v # TODO indicate an offline operation to return 202 ACCEPTED
260
261
262 class WimAccountTopic(BaseTopic):
263 topic = "wim_accounts"
264 topic_msg = "wim_account"
265 schema_new = wim_account_new_schema
266 schema_edit = wim_account_edit_schema
267 multiproject = True
268 wim_config_encrypted = ()
269
270 def __init__(self, db, fs, msg):
271 BaseTopic.__init__(self, db, fs, msg)
272
273 def check_conflict_on_new(self, session, indata):
274 self.check_unique_name(session, indata["name"], _id=None)
275
276 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
277 if not session["force"] and edit_content.get("name"):
278 self.check_unique_name(session, edit_content["name"], _id=_id)
279
280 # encrypt passwords
281 schema_version = final_content.get("schema_version")
282 if schema_version:
283 if edit_content.get("wim_password"):
284 final_content["wim_password"] = self.db.encrypt(edit_content["wim_password"],
285 schema_version=schema_version, salt=_id)
286 if edit_content.get("config"):
287 for p in self.wim_config_encrypted:
288 if edit_content["config"].get(p):
289 final_content["config"][p] = self.db.encrypt(edit_content["config"][p],
290 schema_version=schema_version, salt=_id)
291
292 def format_on_new(self, content, project_id=None, make_public=False):
293 BaseTopic.format_on_new(content, project_id=project_id, make_public=make_public)
294 content["schema_version"] = schema_version = "1.1"
295
296 # encrypt passwords
297 if content.get("wim_password"):
298 content["wim_password"] = self.db.encrypt(content["wim_password"], schema_version=schema_version,
299 salt=content["_id"])
300 if content.get("config"):
301 for p in self.wim_config_encrypted:
302 if content["config"].get(p):
303 content["config"][p] = self.db.encrypt(content["config"][p], schema_version=schema_version,
304 salt=content["_id"])
305
306 content["_admin"]["operationalState"] = "PROCESSING"
307
308 def delete(self, session, _id, dry_run=False):
309 """
310 Delete item by its internal _id
311 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
312 :param _id: server internal id
313 :param dry_run: make checking but do not delete
314 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
315 """
316 # TODO add admin to filter, validate rights
317 if dry_run or session["force"]: # delete completely
318 return BaseTopic.delete(self, session, _id, dry_run)
319 else: # if not, sent to kafka
320 v = BaseTopic.delete(self, session, _id, dry_run=True)
321 self.db.set_one("wim_accounts", {"_id": _id}, {"_admin.to_delete": True}) # TODO change status
322 self._send_msg("delete", {"_id": _id})
323 return v # TODO indicate an offline operation to return 202 ACCEPTED
324
325
326 class SdnTopic(BaseTopic):
327 topic = "sdns"
328 topic_msg = "sdn"
329 schema_new = sdn_new_schema
330 schema_edit = sdn_edit_schema
331 multiproject = True
332
333 def __init__(self, db, fs, msg):
334 BaseTopic.__init__(self, db, fs, msg)
335
336 def check_conflict_on_new(self, session, indata):
337 self.check_unique_name(session, indata["name"], _id=None)
338
339 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
340 if not session["force"] and edit_content.get("name"):
341 self.check_unique_name(session, edit_content["name"], _id=_id)
342
343 # encrypt passwords
344 schema_version = final_content.get("schema_version")
345 if schema_version and edit_content.get("password"):
346 final_content["password"] = self.db.encrypt(edit_content["password"], schema_version=schema_version,
347 salt=_id)
348
349 def format_on_new(self, content, project_id=None, make_public=False):
350 BaseTopic.format_on_new(content, project_id=project_id, make_public=make_public)
351 content["schema_version"] = schema_version = "1.1"
352 # encrypt passwords
353 if content.get("password"):
354 content["password"] = self.db.encrypt(content["password"], schema_version=schema_version,
355 salt=content["_id"])
356
357 content["_admin"]["operationalState"] = "PROCESSING"
358
359 def delete(self, session, _id, dry_run=False):
360 """
361 Delete item by its internal _id
362 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
363 :param _id: server internal id
364 :param dry_run: make checking but do not delete
365 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
366 """
367 if dry_run or session["force"]: # delete completely
368 return BaseTopic.delete(self, session, _id, dry_run)
369 else: # if not sent to kafka
370 v = BaseTopic.delete(self, session, _id, dry_run=True)
371 self.db.set_one("sdns", {"_id": _id}, {"_admin.to_delete": True}) # TODO change status
372 self._send_msg("delete", {"_id": _id})
373 return v # TODO indicate an offline operation to return 202 ACCEPTED
374
375
376 class UserTopicAuth(UserTopic):
377 # topic = "users"
378 # topic_msg = "users"
379 schema_new = user_new_schema
380 schema_edit = user_edit_schema
381
382 def __init__(self, db, fs, msg, auth):
383 UserTopic.__init__(self, db, fs, msg)
384 self.auth = auth
385
386 def check_conflict_on_new(self, session, indata):
387 """
388 Check that the data to be inserted is valid
389
390 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
391 :param indata: data to be inserted
392 :return: None or raises EngineException
393 """
394 username = indata.get("username")
395 user_list = list(map(lambda x: x["username"], self.auth.get_user_list()))
396
397 if "projects" in indata.keys():
398 raise EngineException("Format invalid: the keyword \"projects\" is not allowed for Keystone",
399 HTTPStatus.BAD_REQUEST)
400
401 if username in user_list:
402 raise EngineException("username '{}' exists".format(username), HTTPStatus.CONFLICT)
403
404 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
405 """
406 Check that the data to be edited/uploaded is valid
407
408 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
409 :param final_content: data once modified
410 :param edit_content: incremental data that contains the modifications to apply
411 :param _id: internal _id
412 :return: None or raises EngineException
413 """
414 users = self.auth.get_user_list()
415 admin_user = [user for user in users if user["username"] == "admin"][0]
416
417 if _id == admin_user["_id"] and "project_role_mappings" in edit_content.keys():
418 elem = {
419 "project": "admin",
420 "role": "system_admin"
421 }
422 if elem not in edit_content:
423 raise EngineException("You cannot remove system_admin role from admin user",
424 http_code=HTTPStatus.FORBIDDEN)
425
426 def check_conflict_on_del(self, session, _id, db_content):
427 """
428 Check if deletion can be done because of dependencies if it is not force. To override
429 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
430 :param _id: internal _id
431 :param db_content: The database content of this item _id
432 :return: None if ok or raises EngineException with the conflict
433 """
434 if _id == session["username"]:
435 raise EngineException("You cannot delete your own user", http_code=HTTPStatus.CONFLICT)
436
437 @staticmethod
438 def format_on_new(content, project_id=None, make_public=False):
439 """
440 Modifies content descriptor to include _id.
441
442 NOTE: No password salt required because the authentication backend
443 should handle these security concerns.
444
445 :param content: descriptor to be modified
446 :param make_public: if included it is generated as public for reading.
447 :return: None, but content is modified
448 """
449 BaseTopic.format_on_new(content, make_public=False)
450 content["_id"] = content["username"]
451 content["password"] = content["password"]
452
453 @staticmethod
454 def format_on_edit(final_content, edit_content):
455 """
456 Modifies final_content descriptor to include the modified date.
457
458 NOTE: No password salt required because the authentication backend
459 should handle these security concerns.
460
461 :param final_content: final descriptor generated
462 :param edit_content: alterations to be include
463 :return: None, but final_content is modified
464 """
465 BaseTopic.format_on_edit(final_content, edit_content)
466 if "password" in edit_content:
467 final_content["password"] = edit_content["password"]
468 else:
469 final_content["project_role_mappings"] = edit_content["project_role_mappings"]
470
471 @staticmethod
472 def format_on_show(content):
473 """
474 Modifies the content of the role information to separate the role
475 metadata from the role definition.
476 """
477 project_role_mappings = []
478
479 for project in content["projects"]:
480 for role in project["roles"]:
481 project_role_mappings.append({"project": project["_id"], "role": role["_id"]})
482
483 del content["projects"]
484 content["project_role_mappings"] = project_role_mappings
485
486 return content
487
488 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
489 """
490 Creates a new entry into the authentication backend.
491
492 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
493
494 :param rollback: list to append created items at database in case a rollback may to be done
495 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
496 :param indata: data to be inserted
497 :param kwargs: used to override the indata descriptor
498 :param headers: http request headers
499 :return: _id: identity of the inserted data.
500 """
501 try:
502 content = BaseTopic._remove_envelop(indata)
503
504 # Override descriptor with query string kwargs
505 BaseTopic._update_input_with_kwargs(content, kwargs)
506 content = self._validate_input_new(content, session["force"])
507 self.check_conflict_on_new(session, content)
508 self.format_on_new(content, session["project_id"], make_public=session["public"])
509 _id = self.auth.create_user(content["username"], content["password"])["_id"]
510
511 for mapping in content["project_role_mappings"]:
512 self.auth.assign_role_to_user(_id, mapping["project"], mapping["role"])
513
514 rollback.append({"topic": self.topic, "_id": _id})
515 del content["password"]
516 # self._send_msg("create", content)
517 return _id
518 except ValidationError as e:
519 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
520
521 def show(self, session, _id):
522 """
523 Get complete information on an topic
524
525 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
526 :param _id: server internal id
527 :return: dictionary, raise exception if not found.
528 """
529 users = [user for user in self.auth.get_user_list() if user["_id"] == _id]
530
531 if len(users) == 1:
532 return self.format_on_show(users[0])
533 elif len(users) > 1:
534 raise EngineException("Too many users found", HTTPStatus.CONFLICT)
535 else:
536 raise EngineException("User not found", HTTPStatus.NOT_FOUND)
537
538 def edit(self, session, _id, indata=None, kwargs=None, content=None):
539 """
540 Updates an user entry.
541
542 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
543 :param _id:
544 :param indata: data to be inserted
545 :param kwargs: used to override the indata descriptor
546 :param content:
547 :return: _id: identity of the inserted data.
548 """
549 indata = self._remove_envelop(indata)
550
551 # Override descriptor with query string kwargs
552 if kwargs:
553 BaseTopic._update_input_with_kwargs(indata, kwargs)
554 try:
555 indata = self._validate_input_edit(indata, force=session["force"])
556
557 if not content:
558 content = self.show(session, _id)
559 self.check_conflict_on_edit(session, content, indata, _id=_id)
560 self.format_on_edit(content, indata)
561
562 if "password" in content:
563 self.auth.change_password(content["username"], content["password"])
564 else:
565 user = self.show(session, _id)
566 original_mapping = user["project_role_mappings"]
567 edit_mapping = content["project_role_mappings"]
568
569 mappings_to_remove = [mapping for mapping in original_mapping
570 if mapping not in edit_mapping]
571
572 mappings_to_add = [mapping for mapping in edit_mapping
573 if mapping not in original_mapping]
574
575 for mapping in mappings_to_remove:
576 self.auth.remove_role_from_user(
577 _id,
578 mapping["project"],
579 mapping["role"]
580 )
581
582 for mapping in mappings_to_add:
583 self.auth.assign_role_to_user(
584 _id,
585 mapping["project"],
586 mapping["role"]
587 )
588
589 return content["_id"]
590 except ValidationError as e:
591 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
592
593 def list(self, session, filter_q=None):
594 """
595 Get a list of the topic that matches a filter
596 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
597 :param filter_q: filter of data to be applied
598 :return: The list, it can be empty if no one match the filter.
599 """
600 if not filter_q:
601 filter_q = {}
602
603 users = [self.format_on_show(user) for user in self.auth.get_user_list(filter_q)]
604
605 return users
606
607 def delete(self, session, _id, dry_run=False):
608 """
609 Delete item by its internal _id
610
611 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
612 :param _id: server internal id
613 :param force: indicates if deletion must be forced in case of conflict
614 :param dry_run: make checking but do not delete
615 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
616 """
617 self.check_conflict_on_del(session, _id, None)
618 if not dry_run:
619 v = self.auth.delete_user(_id)
620 return v
621 return None
622
623
624 class ProjectTopicAuth(ProjectTopic):
625 # topic = "projects"
626 # topic_msg = "projects"
627 schema_new = project_new_schema
628 schema_edit = project_edit_schema
629
630 def __init__(self, db, fs, msg, auth):
631 ProjectTopic.__init__(self, db, fs, msg)
632 self.auth = auth
633
634 def check_conflict_on_new(self, session, indata):
635 """
636 Check that the data to be inserted is valid
637
638 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
639 :param indata: data to be inserted
640 :return: None or raises EngineException
641 """
642 project = indata.get("name")
643 project_list = list(map(lambda x: x["name"], self.auth.get_project_list()))
644
645 if project in project_list:
646 raise EngineException("project '{}' exists".format(project), HTTPStatus.CONFLICT)
647
648 def check_conflict_on_del(self, session, _id, db_content):
649 """
650 Check if deletion can be done because of dependencies if it is not force. To override
651
652 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
653 :param _id: internal _id
654 :param db_content: The database content of this item _id
655 :return: None if ok or raises EngineException with the conflict
656 """
657 projects = self.auth.get_project_list()
658 current_project = [project for project in projects
659 if project["name"] == session["project_id"]][0]
660
661 if _id == current_project["_id"]:
662 raise EngineException("You cannot delete your own project", http_code=HTTPStatus.CONFLICT)
663
664 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
665 """
666 Creates a new entry into the authentication backend.
667
668 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
669
670 :param rollback: list to append created items at database in case a rollback may to be done
671 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
672 :param indata: data to be inserted
673 :param kwargs: used to override the indata descriptor
674 :param headers: http request headers
675 :return: _id: identity of the inserted data.
676 """
677 try:
678 content = BaseTopic._remove_envelop(indata)
679
680 # Override descriptor with query string kwargs
681 BaseTopic._update_input_with_kwargs(content, kwargs)
682 content = self._validate_input_new(content, session["force"])
683 self.check_conflict_on_new(session, content)
684 self.format_on_new(content, project_id=session["project_id"], make_public=session["public"])
685 _id = self.auth.create_project(content["name"])
686 rollback.append({"topic": self.topic, "_id": _id})
687 # self._send_msg("create", content)
688 return _id
689 except ValidationError as e:
690 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
691
692 def show(self, session, _id):
693 """
694 Get complete information on an topic
695
696 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
697 :param _id: server internal id
698 :return: dictionary, raise exception if not found.
699 """
700 projects = [project for project in self.auth.get_project_list() if project["_id"] == _id]
701
702 if len(projects) == 1:
703 return projects[0]
704 elif len(projects) > 1:
705 raise EngineException("Too many projects found", HTTPStatus.CONFLICT)
706 else:
707 raise EngineException("Project not found", HTTPStatus.NOT_FOUND)
708
709 def list(self, session, filter_q=None):
710 """
711 Get a list of the topic that matches a filter
712
713 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
714 :param filter_q: filter of data to be applied
715 :return: The list, it can be empty if no one match the filter.
716 """
717 if not filter_q:
718 filter_q = {}
719
720 return self.auth.get_project_list(filter_q)
721
722 def delete(self, session, _id, dry_run=False):
723 """
724 Delete item by its internal _id
725
726 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
727 :param _id: server internal id
728 :param dry_run: make checking but do not delete
729 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
730 """
731 self.check_conflict_on_del(session, _id, None)
732 if not dry_run:
733 v = self.auth.delete_project(_id)
734 return v
735 return None
736
737
738 class RoleTopicAuth(BaseTopic):
739 topic = "roles_operations"
740 topic_msg = "roles"
741 schema_new = roles_new_schema
742 schema_edit = roles_edit_schema
743 multiproject = False
744
745 def __init__(self, db, fs, msg, auth, ops):
746 BaseTopic.__init__(self, db, fs, msg)
747 self.auth = auth
748 self.operations = ops
749
750 @staticmethod
751 def validate_role_definition(operations, role_definitions):
752 """
753 Validates the role definition against the operations defined in
754 the resources to operations files.
755
756 :param operations: operations list
757 :param role_definitions: role definition to test
758 :return: None if ok, raises ValidationError exception on error
759 """
760 ignore_fields = ["_id", "_admin", "name"]
761 for role_def in role_definitions.keys():
762 if role_def in ignore_fields:
763 continue
764 if role_def == ".":
765 if isinstance(role_definitions[role_def], bool):
766 continue
767 else:
768 raise ValidationError("Operation authorization \".\" should be True/False.")
769 if role_def[-1] == ".":
770 raise ValidationError("Operation cannot end with \".\"")
771
772 role_def_matches = [op for op in operations if op.startswith(role_def)]
773
774 if len(role_def_matches) == 0:
775 raise ValidationError("No matching operation found.")
776
777 if not isinstance(role_definitions[role_def], bool):
778 raise ValidationError("Operation authorization {} should be True/False.".format(role_def))
779
780 def _validate_input_new(self, input, force=False):
781 """
782 Validates input user content for a new entry.
783
784 :param input: user input content for the new topic
785 :param force: may be used for being more tolerant
786 :return: The same input content, or a changed version of it.
787 """
788 if self.schema_new:
789 validate_input(input, self.schema_new)
790 self.validate_role_definition(self.operations, input)
791
792 return input
793
794 def _validate_input_edit(self, input, force=False):
795 """
796 Validates input user content for updating an entry.
797
798 :param input: user input content for the new topic
799 :param force: may be used for being more tolerant
800 :return: The same input content, or a changed version of it.
801 """
802 if self.schema_edit:
803 validate_input(input, self.schema_edit)
804 self.validate_role_definition(self.operations, input)
805
806 return input
807
808 def check_conflict_on_new(self, session, indata):
809 """
810 Check that the data to be inserted is valid
811
812 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
813 :param indata: data to be inserted
814 :return: None or raises EngineException
815 """
816 role = indata.get("name")
817 role_list = list(map(lambda x: x["name"], self.auth.get_role_list()))
818
819 if role in role_list:
820 raise EngineException("role '{}' exists".format(role), HTTPStatus.CONFLICT)
821
822 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
823 """
824 Check that the data to be edited/uploaded is valid
825
826 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
827 :param final_content: data once modified
828 :param edit_content: incremental data that contains the modifications to apply
829 :param _id: internal _id
830 :return: None or raises EngineException
831 """
832 roles = self.auth.get_role_list()
833 system_admin_role = [role for role in roles
834 if roles["name"] == "system_admin"][0]
835
836 if _id == system_admin_role["_id"]:
837 raise EngineException("You cannot edit system_admin role", http_code=HTTPStatus.FORBIDDEN)
838
839 def check_conflict_on_del(self, session, _id, db_content):
840 """
841 Check if deletion can be done because of dependencies if it is not force. To override
842
843 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
844 :param _id: internal _id
845 :param db_content: The database content of this item _id
846 :return: None if ok or raises EngineException with the conflict
847 """
848 roles = self.auth.get_role_list()
849 system_admin_role = [role for role in roles
850 if roles["name"] == "system_admin"][0]
851
852 if _id == system_admin_role["_id"]:
853 raise EngineException("You cannot delete system_admin role", http_code=HTTPStatus.FORBIDDEN)
854
855 @staticmethod
856 def format_on_new(content, project_id=None, make_public=False):
857 """
858 Modifies content descriptor to include _admin
859
860 :param content: descriptor to be modified
861 :param project_id: if included, it add project read/write permissions
862 :param make_public: if included it is generated as public for reading.
863 :return: None, but content is modified
864 """
865 now = time()
866 if "_admin" not in content:
867 content["_admin"] = {}
868 if not content["_admin"].get("created"):
869 content["_admin"]["created"] = now
870 content["_admin"]["modified"] = now
871
872 if ":" in content.keys():
873 content["root"] = content[":"]
874 del content[":"]
875
876 if "root" not in content.keys():
877 content["root"] = False
878
879 @staticmethod
880 def format_on_edit(final_content, edit_content):
881 """
882 Modifies final_content descriptor to include the modified date.
883
884 :param final_content: final descriptor generated
885 :param edit_content: alterations to be include
886 :return: None, but final_content is modified
887 """
888 final_content["_admin"]["modified"] = time()
889
890 ignore_fields = ["_id", "name", "_admin"]
891 delete_keys = [key for key in final_content.keys() if key not in ignore_fields]
892
893 for key in delete_keys:
894 del final_content[key]
895
896 # Saving the role definition
897 for role_def, value in edit_content.items():
898 final_content[role_def] = value
899
900 if ":" in final_content.keys():
901 final_content["root"] = final_content[":"]
902 del final_content[":"]
903
904 if "root" not in final_content.keys():
905 final_content["root"] = False
906
907 @staticmethod
908 def format_on_show(content):
909 """
910 Modifies the content of the role information to separate the role
911 metadata from the role definition. Eases the reading process of the
912 role definition.
913
914 :param definition: role definition to be processed
915 """
916 content["_id"] = str(content["_id"])
917
918 def show(self, session, _id):
919 """
920 Get complete information on an topic
921
922 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
923 :param _id: server internal id
924 :return: dictionary, raise exception if not found.
925 """
926 filter_db = {"_id": _id}
927
928 role = self.db.get_one(self.topic, filter_db)
929 new_role = dict(role)
930 self.format_on_show(new_role)
931
932 return new_role
933
934 def list(self, session, filter_q=None):
935 """
936 Get a list of the topic that matches a filter
937
938 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
939 :param filter_q: filter of data to be applied
940 :return: The list, it can be empty if no one match the filter.
941 """
942 if not filter_q:
943 filter_q = {}
944
945 if ":" in filter_q:
946 filter_q["root"] = filter_q[":"]
947
948 for key in filter_q.keys():
949 if key == "name":
950 continue
951 filter_q[key] = filter_q[key] in ["True", "true"]
952
953 roles = self.db.get_list(self.topic, filter_q)
954 new_roles = []
955
956 for role in roles:
957 new_role = dict(role)
958 self.format_on_show(new_role)
959 new_roles.append(new_role)
960
961 return new_roles
962
963 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
964 """
965 Creates a new entry into database.
966
967 :param rollback: list to append created items at database in case a rollback may to be done
968 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
969 :param indata: data to be inserted
970 :param kwargs: used to override the indata descriptor
971 :param headers: http request headers
972 :return: _id: identity of the inserted data.
973 """
974 try:
975 content = BaseTopic._remove_envelop(indata)
976
977 # Override descriptor with query string kwargs
978 BaseTopic._update_input_with_kwargs(content, kwargs)
979 content = self._validate_input_new(content, session["force"])
980 self.check_conflict_on_new(session, content)
981 self.format_on_new(content, project_id=session["project_id"], make_public=session["public"])
982 role_name = content["name"]
983 role = self.auth.create_role(role_name)
984 content["_id"] = role["_id"]
985 _id = self.db.create(self.topic, content)
986 rollback.append({"topic": self.topic, "_id": _id})
987 # self._send_msg("create", content)
988 return _id
989 except ValidationError as e:
990 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
991
992 def delete(self, session, _id, dry_run=False):
993 """
994 Delete item by its internal _id
995
996 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
997 :param _id: server internal id
998 :param dry_run: make checking but do not delete
999 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1000 """
1001 self.check_conflict_on_del(session, _id, None)
1002 filter_q = {"_id": _id}
1003 if not dry_run:
1004 self.auth.delete_role(_id)
1005 v = self.db.del_one(self.topic, filter_q)
1006 return v
1007 return None
1008
1009 def edit(self, session, _id, indata=None, kwargs=None, content=None):
1010 """
1011 Updates a role entry.
1012
1013 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1014 :param _id:
1015 :param indata: data to be inserted
1016 :param kwargs: used to override the indata descriptor
1017 :param content:
1018 :return: _id: identity of the inserted data.
1019 """
1020 indata = self._remove_envelop(indata)
1021
1022 # Override descriptor with query string kwargs
1023 if kwargs:
1024 self._update_input_with_kwargs(indata, kwargs)
1025 try:
1026 indata = self._validate_input_edit(indata, force=session["force"])
1027
1028 if not content:
1029 content = self.show(session, _id)
1030 self.check_conflict_on_edit(session, content, indata, _id=_id)
1031 self.format_on_edit(content, indata)
1032 self.db.replace(self.topic, _id, content)
1033 return id
1034 except ValidationError as e:
1035 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)