Fix bug 742

[osm/NBI.git] / osm_nbi / admin_topics.py
diff --git a/osm_nbi/admin_topics.py b/osm_nbi/admin_topics.py

index 2bca416..76d4de8 100644 (file)
--- a/osm_nbi/admin_topics.py
+++ b/osm_nbi/admin_topics.py
@@ -64,7 +64,14 @@ class UserTopic(BaseTopic):
                                         fail_on_more=False):
                      raise EngineException("project '{}' does not exist".format(p), HTTPStatus.CONFLICT)
  
                                         fail_on_more=False):
                      raise EngineException("project '{}' does not exist".format(p), HTTPStatus.CONFLICT)
  
-    def check_conflict_on_del(self, session, _id):
+    def check_conflict_on_del(self, session, _id, db_content):
+        """
+        Check if deletion can be done because of dependencies if it is not force. To override
+        :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
+        :param _id: internal _id
+        :param db_content: The database content of this item _id
+        :return: None if ok or raises EngineException with the conflict
+        """
          if _id == session["username"]:
              raise EngineException("You cannot delete your own user", http_code=HTTPStatus.CONFLICT)
  
          if _id == session["username"]:
              raise EngineException("You cannot delete your own user", http_code=HTTPStatus.CONFLICT)
  
@@ -77,6 +84,13 @@ class UserTopic(BaseTopic):
          content["_admin"]["salt"] = salt
          if content.get("password"):
              content["password"] = sha256(content["password"].encode('utf-8') + salt.encode('utf-8')).hexdigest()
          content["_admin"]["salt"] = salt
          if content.get("password"):
              content["password"] = sha256(content["password"].encode('utf-8') + salt.encode('utf-8')).hexdigest()
+        if content.get("project_role_mappings"):
+            projects = [mapping[0] for mapping in content["project_role_mappings"]]
+
+            if content.get("projects"):
+                content["projects"] += projects
+            else:
+                content["projects"] = projects
  
      @staticmethod
      def format_on_edit(final_content, edit_content):
  
      @staticmethod
      def format_on_edit(final_content, edit_content):
@@ -144,7 +158,14 @@ class ProjectTopic(BaseTopic):
          # Removed so that the UUID is kept, to allow Project Name modification
          # content["_id"] = content["name"]
  
          # Removed so that the UUID is kept, to allow Project Name modification
          # content["_id"] = content["name"]
  
-    def check_conflict_on_del(self, session, _id):
+    def check_conflict_on_del(self, session, _id, db_content):
+        """
+        Check if deletion can be done because of dependencies if it is not force. To override
+        :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
+        :param _id: internal _id
+        :param db_content: The database content of this item _id
+        :return: None if ok or raises EngineException with the conflict
+        """
          if _id in session["project_id"]:
              raise EngineException("You cannot delete your own project", http_code=HTTPStatus.CONFLICT)
          if session["force"]:
          if _id in session["project_id"]:
              raise EngineException("You cannot delete your own project", http_code=HTTPStatus.CONFLICT)
          if session["force"]:
@@ -355,8 +376,8 @@ class SdnTopic(BaseTopic):
  class UserTopicAuth(UserTopic):
      # topic = "users"
      # topic_msg = "users"
  class UserTopicAuth(UserTopic):
      # topic = "users"
      # topic_msg = "users"
-    # schema_new = user_new_schema
-    # schema_edit = user_edit_schema
+    schema_new = user_new_schema
+    schema_edit = user_edit_schema
  
      def __init__(self, db, fs, msg, auth):
          UserTopic.__init__(self, db, fs, msg)
  
      def __init__(self, db, fs, msg, auth):
          UserTopic.__init__(self, db, fs, msg)
@@ -373,6 +394,10 @@ class UserTopicAuth(UserTopic):
          username = indata.get("username")
          user_list = list(map(lambda x: x["username"], self.auth.get_user_list()))
  
          username = indata.get("username")
          user_list = list(map(lambda x: x["username"], self.auth.get_user_list()))
  
+        if "projects" in indata.keys():
+            raise EngineException("Format invalid: the keyword \"projects\" is not allowed for Keystone", 
+                                  HTTPStatus.BAD_REQUEST)
+
          if username in user_list:
              raise EngineException("username '{}' exists".format(username), HTTPStatus.CONFLICT)
  
          if username in user_list:
              raise EngineException("username '{}' exists".format(username), HTTPStatus.CONFLICT)
  
@@ -387,23 +412,23 @@ class UserTopicAuth(UserTopic):
          :return: None or raises EngineException
          """
          users = self.auth.get_user_list()
          :return: None or raises EngineException
          """
          users = self.auth.get_user_list()
-        admin_user = [user for user in users if user["name"] == "admin"][0]
+        admin_user = [user for user in users if user["username"] == "admin"][0]
  
  
-        if _id == admin_user["_id"] and edit_content["project_role_mappings"]:
+        if _id == admin_user["_id"] and "project_role_mappings" in edit_content.keys():
              elem = {
                  "project": "admin",
                  "role": "system_admin"
              }
              if elem not in edit_content:
              elem = {
                  "project": "admin",
                  "role": "system_admin"
              }
              if elem not in edit_content:
-                raise EngineException("You cannot remove system_admin role from admin user", 
+                raise EngineException("You cannot remove system_admin role from admin user",
                                        http_code=HTTPStatus.FORBIDDEN)
  
                                        http_code=HTTPStatus.FORBIDDEN)
  
-    def check_conflict_on_del(self, session, _id):
+    def check_conflict_on_del(self, session, _id, db_content):
          """
          Check if deletion can be done because of dependencies if it is not force. To override
          """
          Check if deletion can be done because of dependencies if it is not force. To override
-
          :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
          :param _id: internal _id
          :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
          :param _id: internal _id
+        :param db_content: The database content of this item _id
          :return: None if ok or raises EngineException with the conflict
          """
          if _id == session["username"]:
          :return: None if ok or raises EngineException with the conflict
          """
          if _id == session["username"]:
@@ -443,6 +468,23 @@ class UserTopicAuth(UserTopic):
          else:
              final_content["project_role_mappings"] = edit_content["project_role_mappings"]
  
          else:
              final_content["project_role_mappings"] = edit_content["project_role_mappings"]
  
+    @staticmethod
+    def format_on_show(content):
+        """
+        Modifies the content of the role information to separate the role
+        metadata from the role definition.
+        """
+        project_role_mappings = []
+
+        for project in content["projects"]:
+            for role in project["roles"]:
+                project_role_mappings.append({"project": project["_id"], "role": role["_id"]})
+
+        del content["projects"]
+        content["project_role_mappings"] = project_role_mappings
+
+        return content
+
      def new(self, rollback, session, indata=None, kwargs=None, headers=None):
          """
          Creates a new entry into the authentication backend.
      def new(self, rollback, session, indata=None, kwargs=None, headers=None):
          """
          Creates a new entry into the authentication backend.
@@ -464,7 +506,12 @@ class UserTopicAuth(UserTopic):
              content = self._validate_input_new(content, session["force"])
              self.check_conflict_on_new(session, content)
              self.format_on_new(content, session["project_id"], make_public=session["public"])
              content = self._validate_input_new(content, session["force"])
              self.check_conflict_on_new(session, content)
              self.format_on_new(content, session["project_id"], make_public=session["public"])
-            _id = self.auth.create_user(content["username"], content["password"])
+            _id = self.auth.create_user(content["username"], content["password"])["_id"]
+
+            if "project_role_mappings" in content.keys():
+                for mapping in content["project_role_mappings"]:
+                    self.auth.assign_role_to_user(_id, mapping["project"], mapping["role"])
+
              rollback.append({"topic": self.topic, "_id": _id})
              del content["password"]
              # self._send_msg("create", content)
              rollback.append({"topic": self.topic, "_id": _id})
              del content["password"]
              # self._send_msg("create", content)
@@ -483,7 +530,7 @@ class UserTopicAuth(UserTopic):
          users = [user for user in self.auth.get_user_list() if user["_id"] == _id]
  
          if len(users) == 1:
          users = [user for user in self.auth.get_user_list() if user["_id"] == _id]
  
          if len(users) == 1:
-            return users[0]
+            return self.format_on_show(users[0])
          elif len(users) > 1:
              raise EngineException("Too many users found", HTTPStatus.CONFLICT)
          else:
          elif len(users) > 1:
              raise EngineException("Too many users found", HTTPStatus.CONFLICT)
          else:
@@ -514,36 +561,28 @@ class UserTopicAuth(UserTopic):
              self.format_on_edit(content, indata)
  
              if "password" in content:
              self.format_on_edit(content, indata)
  
              if "password" in content:
-                self.auth.change_password(content["name"], content["password"])
+                self.auth.change_password(content["username"], content["password"])
              else:
              else:
-                users = self.auth.get_user_list()
-                user = [user for user in users if user["_id"] == content["_id"]][0]
-                original_mapping = []
+                user = self.show(session, _id)
+                original_mapping = user["project_role_mappings"]
                  edit_mapping = content["project_role_mappings"]
  
                  edit_mapping = content["project_role_mappings"]
  
-                for project in user["projects"]:
-                    for role in project["roles"]:
-                        original_mapping += {
-                            "project": project["name"],
-                            "role": role["name"]
-                        }
-                
-                mappings_to_remove = [mapping for mapping in original_mapping 
+                mappings_to_remove = [mapping for mapping in original_mapping
                                        if mapping not in edit_mapping]
                                        if mapping not in edit_mapping]
-                
+
                  mappings_to_add = [mapping for mapping in edit_mapping
                                     if mapping not in original_mapping]
                  mappings_to_add = [mapping for mapping in edit_mapping
                                     if mapping not in original_mapping]
-                
+
                  for mapping in mappings_to_remove:
                      self.auth.remove_role_from_user(
                  for mapping in mappings_to_remove:
                      self.auth.remove_role_from_user(
-                        user["name"], 
+                        _id,
                          mapping["project"],
                          mapping["role"]
                      )
                          mapping["project"],
                          mapping["role"]
                      )
-                
+
                  for mapping in mappings_to_add:
                      self.auth.assign_role_to_user(
                  for mapping in mappings_to_add:
                      self.auth.assign_role_to_user(
-                        user["name"], 
+                        _id,
                          mapping["project"],
                          mapping["role"]
                      )
                          mapping["project"],
                          mapping["role"]
                      )
@@ -562,7 +601,9 @@ class UserTopicAuth(UserTopic):
          if not filter_q:
              filter_q = {}
  
          if not filter_q:
              filter_q = {}
  
-        return self.auth.get_user_list(filter_q)
+        users = [self.format_on_show(user) for user in self.auth.get_user_list(filter_q)]
+
+        return users
  
      def delete(self, session, _id, dry_run=False):
          """
  
      def delete(self, session, _id, dry_run=False):
          """
@@ -574,7 +615,7 @@ class UserTopicAuth(UserTopic):
          :param dry_run: make checking but do not delete
          :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
          """
          :param dry_run: make checking but do not delete
          :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
          """
-        self.check_conflict_on_del(session, _id)
+        self.check_conflict_on_del(session, _id, None)
          if not dry_run:
              v = self.auth.delete_user(_id)
              return v
          if not dry_run:
              v = self.auth.delete_user(_id)
              return v
@@ -584,8 +625,8 @@ class UserTopicAuth(UserTopic):
  class ProjectTopicAuth(ProjectTopic):
      # topic = "projects"
      # topic_msg = "projects"
  class ProjectTopicAuth(ProjectTopic):
      # topic = "projects"
      # topic_msg = "projects"
-    # schema_new = project_new_schema
-    # schema_edit = project_edit_schema
+    schema_new = project_new_schema
+    schema_edit = project_edit_schema
  
      def __init__(self, db, fs, msg, auth):
          ProjectTopic.__init__(self, db, fs, msg)
  
      def __init__(self, db, fs, msg, auth):
          ProjectTopic.__init__(self, db, fs, msg)
@@ -605,17 +646,18 @@ class ProjectTopicAuth(ProjectTopic):
          if project in project_list:
              raise EngineException("project '{}' exists".format(project), HTTPStatus.CONFLICT)
  
          if project in project_list:
              raise EngineException("project '{}' exists".format(project), HTTPStatus.CONFLICT)
  
-    def check_conflict_on_del(self, session, _id):
+    def check_conflict_on_del(self, session, _id, db_content):
          """
          Check if deletion can be done because of dependencies if it is not force. To override
  
          :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
          :param _id: internal _id
          """
          Check if deletion can be done because of dependencies if it is not force. To override
  
          :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
          :param _id: internal _id
+        :param db_content: The database content of this item _id
          :return: None if ok or raises EngineException with the conflict
          """
          projects = self.auth.get_project_list()
          current_project = [project for project in projects
          :return: None if ok or raises EngineException with the conflict
          """
          projects = self.auth.get_project_list()
          current_project = [project for project in projects
-                           if project["name"] == session["project_id"]][0]
+                           if project["name"] in session["project_id"]][0]
  
          if _id == current_project["_id"]:
              raise EngineException("You cannot delete your own project", http_code=HTTPStatus.CONFLICT)
  
          if _id == current_project["_id"]:
              raise EngineException("You cannot delete your own project", http_code=HTTPStatus.CONFLICT)
@@ -687,7 +729,7 @@ class ProjectTopicAuth(ProjectTopic):
          :param dry_run: make checking but do not delete
          :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
          """
          :param dry_run: make checking but do not delete
          :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
          """
-        self.check_conflict_on_del(session, _id)
+        self.check_conflict_on_del(session, _id, None)
          if not dry_run:
              v = self.auth.delete_project(_id)
              return v
          if not dry_run:
              v = self.auth.delete_project(_id)
              return v
@@ -716,17 +758,26 @@ class RoleTopicAuth(BaseTopic):
          :param role_definitions: role definition to test
          :return: None if ok, raises ValidationError exception on error
          """
          :param role_definitions: role definition to test
          :return: None if ok, raises ValidationError exception on error
          """
+        ignore_fields = ["_id", "_admin", "name"]
          for role_def in role_definitions.keys():
          for role_def in role_definitions.keys():
-            if role_def == ".":
+            if role_def in ignore_fields:
                  continue
                  continue
-            if role_def[-1] == ".":
+            if role_def == "root":
+                if isinstance(role_definitions[role_def], bool):
+                    continue
+                else:
+                    raise ValidationError("Operation authorization \".\" should be True/False.")
+            if role_def[-1] == ":":
                  raise ValidationError("Operation cannot end with \".\"")
                  raise ValidationError("Operation cannot end with \".\"")
-            
+
              role_def_matches = [op for op in operations if op.startswith(role_def)]
  
              if len(role_def_matches) == 0:
                  raise ValidationError("No matching operation found.")
  
              role_def_matches = [op for op in operations if op.startswith(role_def)]
  
              if len(role_def_matches) == 0:
                  raise ValidationError("No matching operation found.")
  
+            if not isinstance(role_definitions[role_def], bool):
+                raise ValidationError("Operation authorization {} should be True/False.".format(role_def))
+
      def _validate_input_new(self, input, force=False):
          """
          Validates input user content for a new entry.
      def _validate_input_new(self, input, force=False):
          """
          Validates input user content for a new entry.
@@ -737,8 +788,8 @@ class RoleTopicAuth(BaseTopic):
          """
          if self.schema_new:
              validate_input(input, self.schema_new)
          """
          if self.schema_new:
              validate_input(input, self.schema_new)
-        if "definition" in input and input["definition"]:
-            self.validate_role_definition(self.operations, input["definition"])
+            self.validate_role_definition(self.operations, input)
+
          return input
  
      def _validate_input_edit(self, input, force=False):
          return input
  
      def _validate_input_edit(self, input, force=False):
@@ -751,8 +802,8 @@ class RoleTopicAuth(BaseTopic):
          """
          if self.schema_edit:
              validate_input(input, self.schema_edit)
          """
          if self.schema_edit:
              validate_input(input, self.schema_edit)
-        if "definition" in input and input["definition"]:
-            self.validate_role_definition(self.operations, input["definition"])
+            self.validate_role_definition(self.operations, input)
+
          return input
  
      def check_conflict_on_new(self, session, indata):
          return input
  
      def check_conflict_on_new(self, session, indata):
@@ -781,22 +832,23 @@ class RoleTopicAuth(BaseTopic):
          """
          roles = self.auth.get_role_list()
          system_admin_role = [role for role in roles
          """
          roles = self.auth.get_role_list()
          system_admin_role = [role for role in roles
-                             if roles["name"] == "system_admin"][0]
+                             if role["name"] == "system_admin"][0]
  
          if _id == system_admin_role["_id"]:
              raise EngineException("You cannot edit system_admin role", http_code=HTTPStatus.FORBIDDEN)
  
  
          if _id == system_admin_role["_id"]:
              raise EngineException("You cannot edit system_admin role", http_code=HTTPStatus.FORBIDDEN)
  
-    def check_conflict_on_del(self, session, _id):
+    def check_conflict_on_del(self, session, _id, db_content):
          """
          Check if deletion can be done because of dependencies if it is not force. To override
  
          :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
          :param _id: internal _id
          """
          Check if deletion can be done because of dependencies if it is not force. To override
  
          :param session: contains "username", "admin", "force", "public", "project_id", "set_project"
          :param _id: internal _id
+        :param db_content: The database content of this item _id
          :return: None if ok or raises EngineException with the conflict
          """
          roles = self.auth.get_role_list()
          system_admin_role = [role for role in roles
          :return: None if ok or raises EngineException with the conflict
          """
          roles = self.auth.get_role_list()
          system_admin_role = [role for role in roles
-                             if roles["name"] == "system_admin"][0]
+                             if role["name"] == "system_admin"][0]
  
          if _id == system_admin_role["_id"]:
              raise EngineException("You cannot delete system_admin role", http_code=HTTPStatus.FORBIDDEN)
  
          if _id == system_admin_role["_id"]:
              raise EngineException("You cannot delete system_admin role", http_code=HTTPStatus.FORBIDDEN)
@@ -817,19 +869,13 @@ class RoleTopicAuth(BaseTopic):
          if not content["_admin"].get("created"):
              content["_admin"]["created"] = now
          content["_admin"]["modified"] = now
          if not content["_admin"].get("created"):
              content["_admin"]["created"] = now
          content["_admin"]["modified"] = now
-        content["root"] = False
  
  
-        # Saving the role definition
-        if "definition" in content and content["definition"]:
-            for role_def, value in content["definition"].items():
-                if role_def == ".":
-                    content["root"] = value
-                else:
-                    content[role_def.replace(".", ":")] = value
+        if ":" in content.keys():
+            content["root"] = content[":"]
+            del content[":"]
  
  
-        # Cleaning undesired values
-        if "definition" in content:
-            del content["definition"]
+        if "root" not in content.keys():
+            content["root"] = False
  
      @staticmethod
      def format_on_edit(final_content, edit_content):
  
      @staticmethod
      def format_on_edit(final_content, edit_content):
@@ -849,14 +895,14 @@ class RoleTopicAuth(BaseTopic):
              del final_content[key]
  
          # Saving the role definition
              del final_content[key]
  
          # Saving the role definition
-        if "definition" in edit_content and edit_content["definition"]:
-            for role_def, value in edit_content["definition"].items():
-                if role_def == ".":
-                    final_content["root"] = value
-                else:
-                    final_content[role_def.replace(".", ":")] = value
+        for role_def, value in edit_content.items():
+            final_content[role_def] = value
  
  
-        if "root" not in final_content:
+        if ":" in final_content.keys():
+            final_content["root"] = final_content[":"]
+            del final_content[":"]
+
+        if "root" not in final_content.keys():
              final_content["root"] = False
  
      @staticmethod
              final_content["root"] = False
  
      @staticmethod
@@ -868,21 +914,7 @@ class RoleTopicAuth(BaseTopic):
  
          :param definition: role definition to be processed
          """
  
          :param definition: role definition to be processed
          """
-        ignore_fields = ["_admin", "_id", "name", "root"]
-        content_keys = list(content.keys())
-        definition = dict(content)
-        
-        for key in content_keys:
-            if key in ignore_fields:
-                del definition[key]
-            if ":" not in key:
-                del content[key]
-                continue
-            definition[key.replace(":", ".")] = definition[key]
-            del definition[key]
-            del content[key]
-        
-        content["definition"] = definition
+        content["_id"] = str(content["_id"])
  
      def show(self, session, _id):
          """
  
      def show(self, session, _id):
          """
@@ -892,8 +924,7 @@ class RoleTopicAuth(BaseTopic):
          :param _id: server internal id
          :return: dictionary, raise exception if not found.
          """
          :param _id: server internal id
          :return: dictionary, raise exception if not found.
          """
-        filter_db = self._get_project_filter(session, write=False, show_all=True)
-        filter_db["_id"] = _id
+        filter_db = {"_id": _id}
  
          role = self.db.get_one(self.topic, filter_db)
          new_role = dict(role)
  
          role = self.db.get_one(self.topic, filter_db)
          new_role = dict(role)
@@ -912,6 +943,14 @@ class RoleTopicAuth(BaseTopic):
          if not filter_q:
              filter_q = {}
  
          if not filter_q:
              filter_q = {}
  
+        if ":" in filter_q:
+            filter_q["root"] = filter_q[":"]
+
+        for key in filter_q.keys():
+            if key == "name":
+                continue
+            filter_q[key] = filter_q[key] in ["True", "true"]
+
          roles = self.db.get_list(self.topic, filter_q)
          new_roles = []
  
          roles = self.db.get_list(self.topic, filter_q)
          new_roles = []
  
@@ -960,9 +999,8 @@ class RoleTopicAuth(BaseTopic):
          :param dry_run: make checking but do not delete
          :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
          """
          :param dry_run: make checking but do not delete
          :return: dictionary with deleted item _id. It raises EngineException on error: not found, conflict, ...
          """
-        self.check_conflict_on_del(session, _id)
-        filter_q = self._get_project_filter(session, write=True, show_all=True)
-        filter_q["_id"] = _id
+        self.check_conflict_on_del(session, _id, None)
+        filter_q = {"_id": _id}
          if not dry_run:
              self.auth.delete_role(_id)
              v = self.db.del_one(self.topic, filter_q)
          if not dry_run:
              self.auth.delete_role(_id)
              v = self.db.del_one(self.topic, filter_q)
@@ -984,7 +1022,7 @@ class RoleTopicAuth(BaseTopic):
  
          # Override descriptor with query string kwargs
          if kwargs:
  
          # Override descriptor with query string kwargs
          if kwargs:
-            BaseTopic._update_input_with_kwargs(indata, kwargs)
+            self._update_input_with_kwargs(indata, kwargs)
          try:
              indata = self._validate_input_edit(indata, force=session["force"])
  
          try:
              indata = self._validate_input_edit(indata, force=session["force"])