def validate(self, json_data, parent_schema=None):
schema_name = self._full_name(parent_schema)
try:
schema.validate(json_data, self.schema)
except schema.ValidationError as e:
raise exception.InvalidObject(schema=schema_name,
reason=e.message,
property=get_invalid_property(e))
# Validate/normalize 'name'.
plugin_name = json_data.get('plugin_name', '').strip()
if not plugin_name:
raise exception.InvalidObject(
schema=schema_name,
reason=u._("plugin_name must be provided"),
property="plugin_name"
)
json_data['plugin_name'] = plugin_name
# Validate 'transport_key'.
transport_key = json_data.get('transport_key', '').strip()
if not transport_key:
raise exception.InvalidObject(
schema=schema_name,
reason=u._("transport_key must be provided"),
property="transport_key"
)
json_data['transport_key'] = transport_key
return json_data
def _assert_validity(self, valid_condition, schema_name, message,
property):
"""Assert that a certain condition is met.
:raises: InvalidObject exception if the condition is not met.
"""
if not valid_condition:
raise exception.InvalidObject(schema=schema_name, reason=message,
property=property)
def validate(self, json_data, parent_schema=None):
schema_name = self._full_name(parent_schema)
try:
schema.validate(json_data, self.schema)
except schema.ValidationError as e:
raise exception.InvalidObject(schema=schema_name, reason=e.message,
property=get_invalid_property(e))
return json_data
def validate(self, json_data, parent_schema=None):
schema_name = self._full_name(parent_schema)
try:
validate(json_data, self.schema)
except ValidationError as e:
raise exception.InvalidObject(schema=schema_name, reason=str(e))
# Validate/normalize 'name'.
name = json_data.get('name', '').strip()
if not name:
name = None
json_data['name'] = name
# Validate/convert 'expiration' if provided.
expiration = self._extract_expiration(json_data, schema_name)
if expiration:
# Verify not already expired.
utcnow = timeutils.utcnow()
if expiration <= utcnow:
raise exception.InvalidObject(schema=schema_name,
reason=_("'expiration' is "
"before current time"))
json_data['expiration'] = expiration
# Validate/convert 'plain_text' if provided.
if 'plain_text' in json_data:
plain_text = json_data['plain_text']
if secret_too_big(plain_text):
raise exception.LimitExceeded()
plain_text = plain_text.strip()
if not plain_text:
raise exception.InvalidObject(schema=schema_name,
reason=_("If 'plain_text' "
"specified, must be "
"non empty"))
json_data['plain_text'] = plain_text
# TODO: Add validation of 'mime_type' based on loaded plugins.
return json_data
def _validate_payload_by_content_encoding(self, payload_content_encoding,
payload, schema_name):
if payload_content_encoding == 'base64':
try:
base64.b64decode(payload)
except Exception:
LOG.exception("Problem parsing payload")
raise exception.InvalidObject(
schema=schema_name,
reason=u._("Invalid payload for payload_content_encoding"),
property="payload")
def _assert_schema_is_valid(self, json_data, schema_name):
"""Assert that the JSON structure is valid for the given schema.
:raises: InvalidObject exception if the data is not schema compliant.
"""
try:
schema.validate(json_data, self.schema)
except schema.ValidationError as e:
raise exception.InvalidObject(schema=schema_name,
reason=e.message,
property=get_invalid_property(e))
def validate(self, json_data, parent_schema=None):
schema_name = self._full_name(parent_schema)
try:
validate(json_data, self.schema)
except ValidationError as e:
raise exception.InvalidObject(schema=schema_name, reason=str(e))
# If secret group is provided, validate it now.
if 'secret' in json_data:
secret = json_data['secret']
self.secret_validator.validate(secret, parent_schema=self.name)
if 'plain_text' in secret:
raise exception.InvalidObject(schema=schema_name,
reason=_("'plain_text' not "
"allowed for secret "
"generation"))
else:
raise exception.InvalidObject(schema=schema_name,
reason=_("'secret' attributes "
"are required"))
return json_data
def _extract_expiration(self, json_data, schema_name):
"""Extracts and returns the expiration date from the JSON data."""
expiration = None
expiration_raw = json_data.get('expiration', None)
if expiration_raw and expiration_raw.strip():
try:
expiration_tz = timeutils.parse_isotime(expiration_raw)
expiration = timeutils.normalize_time(expiration_tz)
except ValueError:
LOG.exception("Problem parsing expiration date")
raise exception.InvalidObject(schema=schema_name,
reason=_("Invalid date "
"for 'expiration'"))
return expiration
def validate(self, json_data, parent_schema=None):
schema_name = self._full_name(parent_schema)
try:
schema.validate(json_data, self.schema)
except schema.ValidationError as e:
raise exception.InvalidObject(schema=schema_name,
reason=e.message,
property=get_invalid_property(e))
container_type = json_data.get('type')
secret_refs = json_data.get('secret_refs')
if secret_refs:
secret_refs_names = [secret_ref['name']
if 'name' in secret_ref else ''
for secret_ref in secret_refs]
if len(set(secret_refs_names)) != len(secret_refs):
raise exception.\
InvalidObject(schema=schema_name,
reason=_("Duplicate reference names"
" are not allowed"),
property="secret_refs")
if container_type == 'rsa':
supported_names = ('public_key',
'private_key',
'private_key_passphrase')
if self.contains_unsupported_names(secret_refs,
supported_names) or len(
secret_refs) > 3:
raise exception.\
InvalidObject(schema=schema_name,
reason=_("only 'private_key',"
" 'public_key'"
" and 'private_key_passphrase'"
" reference names are allowed"
" for RSA type"),
property="secret_refs")
return json_data
def validate(self, json_data, parent_schema=None):
schema_name = self._full_name(parent_schema)
try:
schema.validate(json_data, self.schema)
except schema.ValidationError as e:
raise exception.InvalidObject(schema=schema_name,
reason=e.message,
property=get_invalid_property(e))
# Validate/normalize 'name'.
name = json_data.get('name', '').strip()
if not name:
name = None
json_data['name'] = name
# Validate/convert 'expiration' if provided.
expiration = self._extract_expiration(json_data, schema_name)
if expiration:
# Verify not already expired.
utcnow = timeutils.utcnow()
if expiration <= utcnow:
raise exception.InvalidObject(schema=schema_name,
reason=_("'expiration' is "
"before current time"),
property="expiration")
json_data['expiration'] = expiration
# Validate/convert 'payload' if provided.
if 'payload' in json_data:
content_type = json_data.get('payload_content_type')
if content_type is None:
raise exception.InvalidObject(
schema=schema_name,
reason=_("If 'payload' is supplied, 'payload_content_type'"
" must also be supplied."),
property="payload_content_type"
)
content_encoding = json_data.get('payload_content_encoding')
if content_type == 'application/octet-stream' and \
content_encoding is None:
raise exception.InvalidObject(
schema=schema_name,
reason=_("payload_content_encoding must be specified "
"when payload_content_type is application/"
"octet-stream."),
property="payload_content_encoding"
)
if content_type.startswith('text/plain') and \
content_encoding is not None:
raise exception.InvalidObject(
schema=schema_name,
reason=_("payload_content_encoding must not be specified "
"when payload_content_type is text/plain"),
property="payload_content_encoding"
)
payload = json_data['payload']
if secret_too_big(payload):
raise exception.LimitExceeded()
payload = payload.strip()
if not payload:
raise exception.InvalidObject(schema=schema_name,
reason=_("If 'payload' "
"specified, must be "
"non empty"),
property="payload")
json_data['payload'] = payload
elif 'payload_content_type' in json_data and \
parent_schema is None:
raise exception.InvalidObject(
schema=schema_name,
reason=_("payload must be provided "
"when payload_content_type is specified"),
property="payload"
)
return json_data
def validate(self, json_data, parent_schema=None):
schema_name = self._full_name(parent_schema)
try:
schema.validate(json_data, self.schema)
except schema.ValidationError as e:
raise exception.InvalidObject(schema=schema_name, reason=e.message,
property=get_invalid_property(e))
secret = json_data.get('secret')
if secret is None:
raise exception.InvalidObject(schema=schema_name,
reason=_("'secret' attributes "
"are required"),
property="secret")
# If secret group is provided, validate it now.
self.secret_validator.validate(secret, parent_schema=self.name)
if 'payload' in secret:
raise exception.InvalidObject(schema=schema_name,
reason=_("'payload' not "
"allowed for secret "
"generation"),
property="secret")
# Validation secret generation related fields.
# TODO: Invoke the crypto plugin for this purpose
if secret.get('payload_content_type') != 'application/octet-stream':
raise exception.UnsupportedField(field='payload_content_type',
schema=schema_name,
reason=_("Only 'application/oc"
"tet-stream' supported"))
if secret.get('mode', '').lower() != 'cbc':
raise exception.UnsupportedField(field="mode",
schema=schema_name,
reason=_("Only 'cbc' "
"supported"))
if secret.get('algorithm', '').lower() != 'aes':
raise exception.UnsupportedField(field="algorithm",
schema=schema_name,
reason=_("Only 'aes' "
"supported"))
# TODO(reaperhulk): Future API change will move from bit to byte_length
bit_length = int(secret.get('bit_length', 0))
if bit_length <= 0:
raise exception.UnsupportedField(field="bit_length",
schema=schema_name,
reason=_("Must have non-zero "
"positive bit_length "
"to generate secret"))
if bit_length % 8 != 0:
raise exception.UnsupportedField(field="bit_length",
schema=schema_name,
reason=_("Must be a positive "
"integer that is a "
"multiple of 8"))
return json_data
