projects / osm / NBI.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
fix bug 734 allow NSD primitive actions
[osm/NBI.git] / osm_nbi / admin_topics.py
1 # -*- coding: utf-8 -*-
2
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
6 #
7 # http://www.apache.org/licenses/LICENSE-2.0
8 #
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
12 # implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
16 # import logging
17 from uuid import uuid4
18 from hashlib import sha256
19 from http import HTTPStatus
20 from time import time
21 from validation import user_new_schema, user_edit_schema, project_new_schema, project_edit_schema
22 from validation import vim_account_new_schema, vim_account_edit_schema, sdn_new_schema, sdn_edit_schema
23 from validation import wim_account_new_schema, wim_account_edit_schema, roles_new_schema, roles_edit_schema
24 from validation import validate_input
25 from validation import ValidationError
26 from validation import is_valid_uuid # To check that User/Project Names don't look like UUIDs
27 from base_topic import BaseTopic, EngineException
28
29 __author__ = "Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30
31
32 class UserTopic(BaseTopic):
33 topic = "users"
34 topic_msg = "users"
35 schema_new = user_new_schema
36 schema_edit = user_edit_schema
37 multiproject = False
38
39 def __init__(self, db, fs, msg):
40 BaseTopic.__init__(self, db, fs, msg)
41
42 @staticmethod
43 def _get_project_filter(session):
44 """
45 Generates a filter dictionary for querying database users.
46 Current policy is admin can show all, non admin, only its own user.
47 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
48 :return:
49 """
50 if session["admin"]: # allows all
51 return {}
52 else:
53 return {"username": session["username"]}
54
55 def check_conflict_on_new(self, session, indata):
56 # check username not exists
57 if self.db.get_one(self.topic, {"username": indata.get("username")}, fail_on_empty=False, fail_on_more=False):
58 raise EngineException("username '{}' exists".format(indata["username"]), HTTPStatus.CONFLICT)
59 # check projects
60 if not session["force"]:
61 for p in indata.get("projects"):
62 # To allow project addressing by Name as well as ID
63 if not self.db.get_one("projects", {BaseTopic.id_field("projects", p): p}, fail_on_empty=False,
64 fail_on_more=False):
65 raise EngineException("project '{}' does not exist".format(p), HTTPStatus.CONFLICT)
66
67 def check_conflict_on_del(self, session, _id, db_content):
68 """
69 Check if deletion can be done because of dependencies if it is not force. To override
70 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
71 :param _id: internal _id
72 :param db_content: The database content of this item _id
73 :return: None if ok or raises EngineException with the conflict
74 """
75 if _id == session["username"]:
76 raise EngineException("You cannot delete your own user", http_code=HTTPStatus.CONFLICT)
77
78 @staticmethod
79 def format_on_new(content, project_id=None, make_public=False):
80 BaseTopic.format_on_new(content, make_public=False)
81 # Removed so that the UUID is kept, to allow User Name modification
82 # content["_id"] = content["username"]
83 salt = uuid4().hex
84 content["_admin"]["salt"] = salt
85 if content.get("password"):
86 content["password"] = sha256(content["password"].encode('utf-8') + salt.encode('utf-8')).hexdigest()
87 if content.get("project_role_mappings"):
88 projects = [mapping[0] for mapping in content["project_role_mappings"]]
89
90 if content.get("projects"):
91 content["projects"] += projects
92 else:
93 content["projects"] = projects
94
95 @staticmethod
96 def format_on_edit(final_content, edit_content):
97 BaseTopic.format_on_edit(final_content, edit_content)
98 if edit_content.get("password"):
99 salt = uuid4().hex
100 final_content["_admin"]["salt"] = salt
101 final_content["password"] = sha256(edit_content["password"].encode('utf-8') +
102 salt.encode('utf-8')).hexdigest()
103
104 def edit(self, session, _id, indata=None, kwargs=None, content=None):
105 if not session["admin"]:
106 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
107 # Names that look like UUIDs are not allowed
108 name = (indata if indata else kwargs).get("username")
109 if is_valid_uuid(name):
110 raise EngineException("Usernames that look like UUIDs are not allowed",
111 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
112 return BaseTopic.edit(self, session, _id, indata=indata, kwargs=kwargs, content=content)
113
114 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
115 if not session["admin"]:
116 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
117 # Names that look like UUIDs are not allowed
118 name = indata["username"] if indata else kwargs["username"]
119 if is_valid_uuid(name):
120 raise EngineException("Usernames that look like UUIDs are not allowed",
121 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
122 return BaseTopic.new(self, rollback, session, indata=indata, kwargs=kwargs, headers=headers)
123
124
125 class ProjectTopic(BaseTopic):
126 topic = "projects"
127 topic_msg = "projects"
128 schema_new = project_new_schema
129 schema_edit = project_edit_schema
130 multiproject = False
131
132 def __init__(self, db, fs, msg):
133 BaseTopic.__init__(self, db, fs, msg)
134
135 @staticmethod
136 def _get_project_filter(session):
137 """
138 Generates a filter dictionary for querying database users.
139 Current policy is admin can show all, non admin, only its own user.
140 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
141 :return:
142 """
143 if session["admin"]: # allows all
144 return {}
145 else:
146 return {"_id.cont": session["project_id"]}
147
148 def check_conflict_on_new(self, session, indata):
149 if not indata.get("name"):
150 raise EngineException("missing 'name'")
151 # check name not exists
152 if self.db.get_one(self.topic, {"name": indata.get("name")}, fail_on_empty=False, fail_on_more=False):
153 raise EngineException("name '{}' exists".format(indata["name"]), HTTPStatus.CONFLICT)
154
155 @staticmethod
156 def format_on_new(content, project_id=None, make_public=False):
157 BaseTopic.format_on_new(content, None)
158 # Removed so that the UUID is kept, to allow Project Name modification
159 # content["_id"] = content["name"]
160
161 def check_conflict_on_del(self, session, _id, db_content):
162 """
163 Check if deletion can be done because of dependencies if it is not force. To override
164 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
165 :param _id: internal _id
166 :param db_content: The database content of this item _id
167 :return: None if ok or raises EngineException with the conflict
168 """
169 if _id in session["project_id"]:
170 raise EngineException("You cannot delete your own project", http_code=HTTPStatus.CONFLICT)
171 if session["force"]:
172 return
173 _filter = {"projects": _id}
174 if self.db.get_list("users", _filter):
175 raise EngineException("There is some USER that contains this project", http_code=HTTPStatus.CONFLICT)
176
177 def edit(self, session, _id, indata=None, kwargs=None, content=None):
178 if not session["admin"]:
179 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
180 # Names that look like UUIDs are not allowed
181 name = (indata if indata else kwargs).get("name")
182 if is_valid_uuid(name):
183 raise EngineException("Project names that look like UUIDs are not allowed",
184 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
185 return BaseTopic.edit(self, session, _id, indata=indata, kwargs=kwargs, content=content)
186
187 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
188 if not session["admin"]:
189 raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
190 # Names that look like UUIDs are not allowed
191 name = indata["name"] if indata else kwargs["name"]
192 if is_valid_uuid(name):
193 raise EngineException("Project names that look like UUIDs are not allowed",
194 http_code=HTTPStatus.UNPROCESSABLE_ENTITY)
195 return BaseTopic.new(self, rollback, session, indata=indata, kwargs=kwargs, headers=headers)
196
197
198 class VimAccountTopic(BaseTopic):
199 topic = "vim_accounts"
200 topic_msg = "vim_account"
201 schema_new = vim_account_new_schema
202 schema_edit = vim_account_edit_schema
203 vim_config_encrypted = ("admin_password", "nsx_password", "vcenter_password")
204 multiproject = True
205
206 def __init__(self, db, fs, msg):
207 BaseTopic.__init__(self, db, fs, msg)
208
209 def check_conflict_on_new(self, session, indata):
210 self.check_unique_name(session, indata["name"], _id=None)
211
212 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
213 if not session["force"] and edit_content.get("name"):
214 self.check_unique_name(session, edit_content["name"], _id=_id)
215
216 # encrypt passwords
217 schema_version = final_content.get("schema_version")
218 if schema_version:
219 if edit_content.get("vim_password"):
220 final_content["vim_password"] = self.db.encrypt(edit_content["vim_password"],
221 schema_version=schema_version, salt=_id)
222 if edit_content.get("config"):
223 for p in self.vim_config_encrypted:
224 if edit_content["config"].get(p):
225 final_content["config"][p] = self.db.encrypt(edit_content["config"][p],
226 schema_version=schema_version, salt=_id)
227
228 def format_on_new(self, content, project_id=None, make_public=False):
229 BaseTopic.format_on_new(content, project_id=project_id, make_public=make_public)
230 content["schema_version"] = schema_version = "1.1"
231
232 # encrypt passwords
233 if content.get("vim_password"):
234 content["vim_password"] = self.db.encrypt(content["vim_password"], schema_version=schema_version,
235 salt=content["_id"])
236 if content.get("config"):
237 for p in self.vim_config_encrypted:
238 if content["config"].get(p):
239 content["config"][p] = self.db.encrypt(content["config"][p], schema_version=schema_version,
240 salt=content["_id"])
241
242 content["_admin"]["operationalState"] = "PROCESSING"
243
244 def delete(self, session, _id, dry_run=False):
245 """
246 Delete item by its internal _id
247 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
248 :param _id: server internal id
249 :param dry_run: make checking but do not delete
250 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
251 """
252 # TODO add admin to filter, validate rights
253 if dry_run or session["force"]: # delete completely
254 return BaseTopic.delete(self, session, _id, dry_run)
255 else: # if not, sent to kafka
256 v = BaseTopic.delete(self, session, _id, dry_run=True)
257 self.db.set_one("vim_accounts", {"_id": _id}, {"_admin.to_delete": True}) # TODO change status
258 self._send_msg("delete", {"_id": _id})
259 return v # TODO indicate an offline operation to return 202 ACCEPTED
260
261
262 class WimAccountTopic(BaseTopic):
263 topic = "wim_accounts"
264 topic_msg = "wim_account"
265 schema_new = wim_account_new_schema
266 schema_edit = wim_account_edit_schema
267 multiproject = True
268 wim_config_encrypted = ()
269
270 def __init__(self, db, fs, msg):
271 BaseTopic.__init__(self, db, fs, msg)
272
273 def check_conflict_on_new(self, session, indata):
274 self.check_unique_name(session, indata["name"], _id=None)
275
276 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
277 if not session["force"] and edit_content.get("name"):
278 self.check_unique_name(session, edit_content["name"], _id=_id)
279
280 # encrypt passwords
281 schema_version = final_content.get("schema_version")
282 if schema_version:
283 if edit_content.get("wim_password"):
284 final_content["wim_password"] = self.db.encrypt(edit_content["wim_password"],
285 schema_version=schema_version, salt=_id)
286 if edit_content.get("config"):
287 for p in self.wim_config_encrypted:
288 if edit_content["config"].get(p):
289 final_content["config"][p] = self.db.encrypt(edit_content["config"][p],
290 schema_version=schema_version, salt=_id)
291
292 def format_on_new(self, content, project_id=None, make_public=False):
293 BaseTopic.format_on_new(content, project_id=project_id, make_public=make_public)
294 content["schema_version"] = schema_version = "1.1"
295
296 # encrypt passwords
297 if content.get("wim_password"):
298 content["wim_password"] = self.db.encrypt(content["wim_password"], schema_version=schema_version,
299 salt=content["_id"])
300 if content.get("config"):
301 for p in self.wim_config_encrypted:
302 if content["config"].get(p):
303 content["config"][p] = self.db.encrypt(content["config"][p], schema_version=schema_version,
304 salt=content["_id"])
305
306 content["_admin"]["operationalState"] = "PROCESSING"
307
308 def delete(self, session, _id, dry_run=False):
309 """
310 Delete item by its internal _id
311 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
312 :param _id: server internal id
313 :param dry_run: make checking but do not delete
314 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
315 """
316 # TODO add admin to filter, validate rights
317 if dry_run or session["force"]: # delete completely
318 return BaseTopic.delete(self, session, _id, dry_run)
319 else: # if not, sent to kafka
320 v = BaseTopic.delete(self, session, _id, dry_run=True)
321 self.db.set_one("wim_accounts", {"_id": _id}, {"_admin.to_delete": True}) # TODO change status
322 self._send_msg("delete", {"_id": _id})
323 return v # TODO indicate an offline operation to return 202 ACCEPTED
324
325
326 class SdnTopic(BaseTopic):
327 topic = "sdns"
328 topic_msg = "sdn"
329 schema_new = sdn_new_schema
330 schema_edit = sdn_edit_schema
331 multiproject = True
332
333 def __init__(self, db, fs, msg):
334 BaseTopic.__init__(self, db, fs, msg)
335
336 def check_conflict_on_new(self, session, indata):
337 self.check_unique_name(session, indata["name"], _id=None)
338
339 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
340 if not session["force"] and edit_content.get("name"):
341 self.check_unique_name(session, edit_content["name"], _id=_id)
342
343 # encrypt passwords
344 schema_version = final_content.get("schema_version")
345 if schema_version and edit_content.get("password"):
346 final_content["password"] = self.db.encrypt(edit_content["password"], schema_version=schema_version,
347 salt=_id)
348
349 def format_on_new(self, content, project_id=None, make_public=False):
350 BaseTopic.format_on_new(content, project_id=project_id, make_public=make_public)
351 content["schema_version"] = schema_version = "1.1"
352 # encrypt passwords
353 if content.get("password"):
354 content["password"] = self.db.encrypt(content["password"], schema_version=schema_version,
355 salt=content["_id"])
356
357 content["_admin"]["operationalState"] = "PROCESSING"
358
359 def delete(self, session, _id, dry_run=False):
360 """
361 Delete item by its internal _id
362 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
363 :param _id: server internal id
364 :param dry_run: make checking but do not delete
365 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
366 """
367 if dry_run or session["force"]: # delete completely
368 return BaseTopic.delete(self, session, _id, dry_run)
369 else: # if not sent to kafka
370 v = BaseTopic.delete(self, session, _id, dry_run=True)
371 self.db.set_one("sdns", {"_id": _id}, {"_admin.to_delete": True}) # TODO change status
372 self._send_msg("delete", {"_id": _id})
373 return v # TODO indicate an offline operation to return 202 ACCEPTED
374
375
376 class UserTopicAuth(UserTopic):
377 # topic = "users"
378 # topic_msg = "users"
379 schema_new = user_new_schema
380 schema_edit = user_edit_schema
381
382 def __init__(self, db, fs, msg, auth):
383 UserTopic.__init__(self, db, fs, msg)
384 self.auth = auth
385
386 def check_conflict_on_new(self, session, indata):
387 """
388 Check that the data to be inserted is valid
389
390 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
391 :param indata: data to be inserted
392 :return: None or raises EngineException
393 """
394 username = indata.get("username")
395 user_list = list(map(lambda x: x["username"], self.auth.get_user_list()))
396
397 if "projects" in indata.keys():
398 raise EngineException("Format invalid: the keyword \"projects\" is not allowed for Keystone",
399 HTTPStatus.BAD_REQUEST)
400
401 if username in user_list:
402 raise EngineException("username '{}' exists".format(username), HTTPStatus.CONFLICT)
403
404 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
405 """
406 Check that the data to be edited/uploaded is valid
407
408 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
409 :param final_content: data once modified
410 :param edit_content: incremental data that contains the modifications to apply
411 :param _id: internal _id
412 :return: None or raises EngineException
413 """
414 users = self.auth.get_user_list()
415 admin_user = [user for user in users if user["name"] == "admin"][0]
416
417 if _id == admin_user["_id"] and edit_content["project_role_mappings"]:
418 elem = {
419 "project": "admin",
420 "role": "system_admin"
421 }
422 if elem not in edit_content:
423 raise EngineException("You cannot remove system_admin role from admin user",
424 http_code=HTTPStatus.FORBIDDEN)
425
426 def check_conflict_on_del(self, session, _id, db_content):
427 """
428 Check if deletion can be done because of dependencies if it is not force. To override
429 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
430 :param _id: internal _id
431 :param db_content: The database content of this item _id
432 :return: None if ok or raises EngineException with the conflict
433 """
434 if _id == session["username"]:
435 raise EngineException("You cannot delete your own user", http_code=HTTPStatus.CONFLICT)
436
437 @staticmethod
438 def format_on_new(content, project_id=None, make_public=False):
439 """
440 Modifies content descriptor to include _id.
441
442 NOTE: No password salt required because the authentication backend
443 should handle these security concerns.
444
445 :param content: descriptor to be modified
446 :param make_public: if included it is generated as public for reading.
447 :return: None, but content is modified
448 """
449 BaseTopic.format_on_new(content, make_public=False)
450 content["_id"] = content["username"]
451 content["password"] = content["password"]
452
453 @staticmethod
454 def format_on_edit(final_content, edit_content):
455 """
456 Modifies final_content descriptor to include the modified date.
457
458 NOTE: No password salt required because the authentication backend
459 should handle these security concerns.
460
461 :param final_content: final descriptor generated
462 :param edit_content: alterations to be include
463 :return: None, but final_content is modified
464 """
465 BaseTopic.format_on_edit(final_content, edit_content)
466 if "password" in edit_content:
467 final_content["password"] = edit_content["password"]
468 else:
469 final_content["project_role_mappings"] = edit_content["project_role_mappings"]
470
471 @staticmethod
472 def format_on_show(content):
473 """
474 Modifies the content of the role information to separate the role
475 metadata from the role definition.
476 """
477 project_role_mappings = []
478
479 for project in content["projects"]:
480 for role in project["roles"]:
481 project_role_mappings.append({"project": project, "role": role})
482
483 del content["projects"]
484 content["project_role_mappings"] = project_role_mappings
485
486 return content
487
488 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
489 """
490 Creates a new entry into the authentication backend.
491
492 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
493
494 :param rollback: list to append created items at database in case a rollback may to be done
495 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
496 :param indata: data to be inserted
497 :param kwargs: used to override the indata descriptor
498 :param headers: http request headers
499 :return: _id: identity of the inserted data.
500 """
501 try:
502 content = BaseTopic._remove_envelop(indata)
503
504 # Override descriptor with query string kwargs
505 BaseTopic._update_input_with_kwargs(content, kwargs)
506 content = self._validate_input_new(content, session["force"])
507 self.check_conflict_on_new(session, content)
508 self.format_on_new(content, session["project_id"], make_public=session["public"])
509 _id = self.auth.create_user(content["username"], content["password"])
510 rollback.append({"topic": self.topic, "_id": _id})
511 del content["password"]
512 # self._send_msg("create", content)
513 return _id
514 except ValidationError as e:
515 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
516
517 def show(self, session, _id):
518 """
519 Get complete information on an topic
520
521 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
522 :param _id: server internal id
523 :return: dictionary, raise exception if not found.
524 """
525 users = [user for user in self.auth.get_user_list() if user["_id"] == _id]
526
527 if len(users) == 1:
528 return self.format_on_show(users[0])
529 elif len(users) > 1:
530 raise EngineException("Too many users found", HTTPStatus.CONFLICT)
531 else:
532 raise EngineException("User not found", HTTPStatus.NOT_FOUND)
533
534 def edit(self, session, _id, indata=None, kwargs=None, content=None):
535 """
536 Updates an user entry.
537
538 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
539 :param _id:
540 :param indata: data to be inserted
541 :param kwargs: used to override the indata descriptor
542 :param content:
543 :return: _id: identity of the inserted data.
544 """
545 indata = self._remove_envelop(indata)
546
547 # Override descriptor with query string kwargs
548 if kwargs:
549 BaseTopic._update_input_with_kwargs(indata, kwargs)
550 try:
551 indata = self._validate_input_edit(indata, force=session["force"])
552
553 if not content:
554 content = self.show(session, _id)
555 self.check_conflict_on_edit(session, content, indata, _id=_id)
556 self.format_on_edit(content, indata)
557
558 if "password" in content:
559 self.auth.change_password(content["name"], content["password"])
560 else:
561 user = self.show(session, _id)
562 original_mapping = user["project_role_mappings"]
563 edit_mapping = content["project_role_mappings"]
564
565 mappings_to_remove = [mapping for mapping in original_mapping
566 if mapping not in edit_mapping]
567
568 mappings_to_add = [mapping for mapping in edit_mapping
569 if mapping not in original_mapping]
570
571 for mapping in mappings_to_remove:
572 self.auth.remove_role_from_user(
573 user["name"],
574 mapping["project"],
575 mapping["role"]
576 )
577
578 for mapping in mappings_to_add:
579 self.auth.assign_role_to_user(
580 user["name"],
581 mapping["project"],
582 mapping["role"]
583 )
584
585 return content["_id"]
586 except ValidationError as e:
587 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
588
589 def list(self, session, filter_q=None):
590 """
591 Get a list of the topic that matches a filter
592 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
593 :param filter_q: filter of data to be applied
594 :return: The list, it can be empty if no one match the filter.
595 """
596 if not filter_q:
597 filter_q = {}
598
599 users = [self.format_on_show(user) for user in self.auth.get_user_list(filter_q)]
600
601 return users
602
603 def delete(self, session, _id, dry_run=False):
604 """
605 Delete item by its internal _id
606
607 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
608 :param _id: server internal id
609 :param force: indicates if deletion must be forced in case of conflict
610 :param dry_run: make checking but do not delete
611 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
612 """
613 self.check_conflict_on_del(session, _id, None)
614 if not dry_run:
615 v = self.auth.delete_user(_id)
616 return v
617 return None
618
619
620 class ProjectTopicAuth(ProjectTopic):
621 # topic = "projects"
622 # topic_msg = "projects"
623 # schema_new = project_new_schema
624 # schema_edit = project_edit_schema
625
626 def __init__(self, db, fs, msg, auth):
627 ProjectTopic.__init__(self, db, fs, msg)
628 self.auth = auth
629
630 def check_conflict_on_new(self, session, indata):
631 """
632 Check that the data to be inserted is valid
633
634 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
635 :param indata: data to be inserted
636 :return: None or raises EngineException
637 """
638 project = indata.get("name")
639 project_list = list(map(lambda x: x["name"], self.auth.get_project_list()))
640
641 if project in project_list:
642 raise EngineException("project '{}' exists".format(project), HTTPStatus.CONFLICT)
643
644 def check_conflict_on_del(self, session, _id, db_content):
645 """
646 Check if deletion can be done because of dependencies if it is not force. To override
647
648 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
649 :param _id: internal _id
650 :param db_content: The database content of this item _id
651 :return: None if ok or raises EngineException with the conflict
652 """
653 projects = self.auth.get_project_list()
654 current_project = [project for project in projects
655 if project["name"] == session["project_id"]][0]
656
657 if _id == current_project["_id"]:
658 raise EngineException("You cannot delete your own project", http_code=HTTPStatus.CONFLICT)
659
660 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
661 """
662 Creates a new entry into the authentication backend.
663
664 NOTE: Overrides BaseTopic functionality because it doesn't require access to database.
665
666 :param rollback: list to append created items at database in case a rollback may to be done
667 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
668 :param indata: data to be inserted
669 :param kwargs: used to override the indata descriptor
670 :param headers: http request headers
671 :return: _id: identity of the inserted data.
672 """
673 try:
674 content = BaseTopic._remove_envelop(indata)
675
676 # Override descriptor with query string kwargs
677 BaseTopic._update_input_with_kwargs(content, kwargs)
678 content = self._validate_input_new(content, session["force"])
679 self.check_conflict_on_new(session, content)
680 self.format_on_new(content, project_id=session["project_id"], make_public=session["public"])
681 _id = self.auth.create_project(content["name"])
682 rollback.append({"topic": self.topic, "_id": _id})
683 # self._send_msg("create", content)
684 return _id
685 except ValidationError as e:
686 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
687
688 def show(self, session, _id):
689 """
690 Get complete information on an topic
691
692 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
693 :param _id: server internal id
694 :return: dictionary, raise exception if not found.
695 """
696 projects = [project for project in self.auth.get_project_list() if project["_id"] == _id]
697
698 if len(projects) == 1:
699 return projects[0]
700 elif len(projects) > 1:
701 raise EngineException("Too many projects found", HTTPStatus.CONFLICT)
702 else:
703 raise EngineException("Project not found", HTTPStatus.NOT_FOUND)
704
705 def list(self, session, filter_q=None):
706 """
707 Get a list of the topic that matches a filter
708
709 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
710 :param filter_q: filter of data to be applied
711 :return: The list, it can be empty if no one match the filter.
712 """
713 if not filter_q:
714 filter_q = {}
715
716 return self.auth.get_project_list(filter_q)
717
718 def delete(self, session, _id, dry_run=False):
719 """
720 Delete item by its internal _id
721
722 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
723 :param _id: server internal id
724 :param dry_run: make checking but do not delete
725 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
726 """
727 self.check_conflict_on_del(session, _id, None)
728 if not dry_run:
729 v = self.auth.delete_project(_id)
730 return v
731 return None
732
733
734 class RoleTopicAuth(BaseTopic):
735 topic = "roles_operations"
736 topic_msg = "roles"
737 schema_new = roles_new_schema
738 schema_edit = roles_edit_schema
739 multiproject = False
740
741 def __init__(self, db, fs, msg, auth, ops):
742 BaseTopic.__init__(self, db, fs, msg)
743 self.auth = auth
744 self.operations = ops
745
746 @staticmethod
747 def validate_role_definition(operations, role_definitions):
748 """
749 Validates the role definition against the operations defined in
750 the resources to operations files.
751
752 :param operations: operations list
753 :param role_definitions: role definition to test
754 :return: None if ok, raises ValidationError exception on error
755 """
756 ignore_fields = ["_id", "_admin", "name"]
757 for role_def in role_definitions.keys():
758 if role_def in ignore_fields:
759 continue
760 if role_def == ".":
761 if isinstance(role_definitions[role_def], bool):
762 continue
763 else:
764 raise ValidationError("Operation authorization \".\" should be True/False.")
765 if role_def[-1] == ".":
766 raise ValidationError("Operation cannot end with \".\"")
767
768 role_def_matches = [op for op in operations if op.startswith(role_def)]
769
770 if len(role_def_matches) == 0:
771 raise ValidationError("No matching operation found.")
772
773 if not isinstance(role_definitions[role_def], bool):
774 raise ValidationError("Operation authorization {} should be True/False.".format(role_def))
775
776 def _validate_input_new(self, input, force=False):
777 """
778 Validates input user content for a new entry.
779
780 :param input: user input content for the new topic
781 :param force: may be used for being more tolerant
782 :return: The same input content, or a changed version of it.
783 """
784 if self.schema_new:
785 validate_input(input, self.schema_new)
786 self.validate_role_definition(self.operations, input)
787
788 return input
789
790 def _validate_input_edit(self, input, force=False):
791 """
792 Validates input user content for updating an entry.
793
794 :param input: user input content for the new topic
795 :param force: may be used for being more tolerant
796 :return: The same input content, or a changed version of it.
797 """
798 if self.schema_edit:
799 validate_input(input, self.schema_edit)
800 self.validate_role_definition(self.operations, input)
801
802 return input
803
804 def check_conflict_on_new(self, session, indata):
805 """
806 Check that the data to be inserted is valid
807
808 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
809 :param indata: data to be inserted
810 :return: None or raises EngineException
811 """
812 role = indata.get("name")
813 role_list = list(map(lambda x: x["name"], self.auth.get_role_list()))
814
815 if role in role_list:
816 raise EngineException("role '{}' exists".format(role), HTTPStatus.CONFLICT)
817
818 def check_conflict_on_edit(self, session, final_content, edit_content, _id):
819 """
820 Check that the data to be edited/uploaded is valid
821
822 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
823 :param final_content: data once modified
824 :param edit_content: incremental data that contains the modifications to apply
825 :param _id: internal _id
826 :return: None or raises EngineException
827 """
828 roles = self.auth.get_role_list()
829 system_admin_role = [role for role in roles
830 if roles["name"] == "system_admin"][0]
831
832 if _id == system_admin_role["_id"]:
833 raise EngineException("You cannot edit system_admin role", http_code=HTTPStatus.FORBIDDEN)
834
835 def check_conflict_on_del(self, session, _id, db_content):
836 """
837 Check if deletion can be done because of dependencies if it is not force. To override
838
839 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
840 :param _id: internal _id
841 :param db_content: The database content of this item _id
842 :return: None if ok or raises EngineException with the conflict
843 """
844 roles = self.auth.get_role_list()
845 system_admin_role = [role for role in roles
846 if roles["name"] == "system_admin"][0]
847
848 if _id == system_admin_role["_id"]:
849 raise EngineException("You cannot delete system_admin role", http_code=HTTPStatus.FORBIDDEN)
850
851 @staticmethod
852 def format_on_new(content, project_id=None, make_public=False):
853 """
854 Modifies content descriptor to include _admin
855
856 :param content: descriptor to be modified
857 :param project_id: if included, it add project read/write permissions
858 :param make_public: if included it is generated as public for reading.
859 :return: None, but content is modified
860 """
861 now = time()
862 if "_admin" not in content:
863 content["_admin"] = {}
864 if not content["_admin"].get("created"):
865 content["_admin"]["created"] = now
866 content["_admin"]["modified"] = now
867
868 if "." in content.keys():
869 content["root"] = content["."]
870 del content["."]
871
872 if "root" not in content.keys():
873 content["root"] = False
874
875 ignore_fields = ["_id", "_admin", "name"]
876 content_keys = content.keys()
877 for role_def in content_keys:
878 if role_def in ignore_fields:
879 continue
880 content[role_def.replace(".", ":")] = content[role_def]
881 del content[role_def]
882
883 @staticmethod
884 def format_on_edit(final_content, edit_content):
885 """
886 Modifies final_content descriptor to include the modified date.
887
888 :param final_content: final descriptor generated
889 :param edit_content: alterations to be include
890 :return: None, but final_content is modified
891 """
892 final_content["_admin"]["modified"] = time()
893
894 ignore_fields = ["_id", "name", "_admin"]
895 delete_keys = [key for key in final_content.keys() if key not in ignore_fields]
896
897 for key in delete_keys:
898 del final_content[key]
899
900 # Saving the role definition
901 for role_def, value in edit_content.items():
902 final_content[role_def.replace(".", ":")] = value
903
904 if ":" in final_content.keys():
905 final_content["root"] = final_content[":"]
906 del final_content[":"]
907
908 if "root" not in final_content.keys():
909 final_content["root"] = False
910
911 @staticmethod
912 def format_on_show(content):
913 """
914 Modifies the content of the role information to separate the role
915 metadata from the role definition. Eases the reading process of the
916 role definition.
917
918 :param definition: role definition to be processed
919 """
920 content_keys = list(content.keys())
921
922 content["_id"] = str(content["_id"])
923
924 for key in content_keys:
925 if ":" in key:
926 content[key.replace(":", ".")] = content[key]
927 del content[key]
928
929 def show(self, session, _id):
930 """
931 Get complete information on an topic
932
933 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
934 :param _id: server internal id
935 :return: dictionary, raise exception if not found.
936 """
937 filter_db = {"_id": _id}
938
939 role = self.db.get_one(self.topic, filter_db)
940 new_role = dict(role)
941 self.format_on_show(new_role)
942
943 return new_role
944
945 def list(self, session, filter_q=None):
946 """
947 Get a list of the topic that matches a filter
948
949 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
950 :param filter_q: filter of data to be applied
951 :return: The list, it can be empty if no one match the filter.
952 """
953 if not filter_q:
954 filter_q = {}
955
956 if "root" in filter_q:
957 filter_q[":"] = filter_q["root"]
958 del filter_q["root"]
959
960 if len(filter_q) > 0:
961 keys = [key for key in filter_q.keys() if "." in key]
962
963 for key in keys:
964 filter_q[key.replace(".", ":")] = filter_q[key]
965 del filter_q[key]
966
967 roles = self.db.get_list(self.topic, filter_q)
968 new_roles = []
969
970 for role in roles:
971 new_role = dict(role)
972 self.format_on_show(new_role)
973 new_roles.append(new_role)
974
975 return new_roles
976
977 def new(self, rollback, session, indata=None, kwargs=None, headers=None):
978 """
979 Creates a new entry into database.
980
981 :param rollback: list to append created items at database in case a rollback may to be done
982 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
983 :param indata: data to be inserted
984 :param kwargs: used to override the indata descriptor
985 :param headers: http request headers
986 :return: _id: identity of the inserted data.
987 """
988 try:
989 content = BaseTopic._remove_envelop(indata)
990
991 # Override descriptor with query string kwargs
992 BaseTopic._update_input_with_kwargs(content, kwargs)
993 content = self._validate_input_new(content, session["force"])
994 self.check_conflict_on_new(session, content)
995 self.format_on_new(content, project_id=session["project_id"], make_public=session["public"])
996 role_name = content["name"]
997 role = self.auth.create_role(role_name)
998 content["_id"] = role["_id"]
999 _id = self.db.create(self.topic, content)
1000 rollback.append({"topic": self.topic, "_id": _id})
1001 # self._send_msg("create", content)
1002 return _id
1003 except ValidationError as e:
1004 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)
1005
1006 def delete(self, session, _id, dry_run=False):
1007 """
1008 Delete item by its internal _id
1009
1010 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1011 :param _id: server internal id
1012 :param dry_run: make checking but do not delete
1013 :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
1014 """
1015 self.check_conflict_on_del(session, _id, None)
1016 filter_q = {"_id": _id}
1017 if not dry_run:
1018 self.auth.delete_role(_id)
1019 v = self.db.del_one(self.topic, filter_q)
1020 return v
1021 return None
1022
1023 def edit(self, session, _id, indata=None, kwargs=None, content=None):
1024 """
1025 Updates a role entry.
1026
1027 :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
1028 :param _id:
1029 :param indata: data to be inserted
1030 :param kwargs: used to override the indata descriptor
1031 :param content:
1032 :return: _id: identity of the inserted data.
1033 """
1034 indata = self._remove_envelop(indata)
1035
1036 # Override descriptor with query string kwargs
1037 if kwargs:
1038 self._update_input_with_kwargs(indata, kwargs)
1039 try:
1040 indata = self._validate_input_edit(indata, force=session["force"])
1041
1042 if not content:
1043 content = self.show(session, _id)
1044 self.check_conflict_on_edit(session, content, indata, _id=_id)
1045 self.format_on_edit(content, indata)
1046 self.db.replace(self.topic, _id, content)
1047 return id
1048 except ValidationError as e:
1049 raise EngineException(e, HTTPStatus.UNPROCESSABLE_ENTITY)