def validate_ca_id(project_id, order_meta):
ca_id = order_meta.get('ca_id')
if not ca_id:
return
ca_repo = repo.get_ca_repository()
ca = ca_repo.get(ca_id, suppress_exception=True)
if not ca:
raise exception.InvalidCAID(ca_id=ca_id)
if ca.project_id and ca.project_id != project_id:
raise exception.UnauthorizedSubCA()
project_ca_repo = repo.get_project_ca_repository()
project_cas, offset, limit, total = project_ca_repo.get_by_create_date(
project_id=project_id,
suppress_exception=True
)
if total < 1:
return
for project_ca in project_cas:
if ca.id == project_ca.ca_id:
return
raise exception.CANotDefinedForProject(
ca_id=ca_id,
project_id=project_id)
def add_to_project(self, external_project_id):
if pecan.request.method != 'POST':
pecan.abort(405)
LOG.debug("== Saving CA %s to external_project_id %s", self.ca.id,
external_project_id)
project_model = res.get_or_create_project(external_project_id)
# CA must be a base CA or a subCA owned by this project
if (self.ca.project_id is not None
and self.ca.project_id != project_model.id):
raise excep.UnauthorizedSubCA()
project_cas = project_model.cas
num_cas = len(project_cas)
for project_ca in project_cas:
if project_ca.ca_id == self.ca.id:
# project already added
return
project_ca = models.ProjectCertificateAuthority(
project_model.id, self.ca.id)
self.project_ca_repo.create_from(project_ca)
if num_cas == 0:
# set first project CA to be the preferred one
preferred_ca = models.PreferredCertificateAuthority(
project_model.id, self.ca.id)
self.preferred_ca_repo.create_from(preferred_ca)
def test_should_raise_delete_not_authorized(self, mocked_task):
self.create_cas()
mocked_task.side_effect = exception.UnauthorizedSubCA()
resp = self.app.delete('/cas/' + self.subca.id,
expect_errors=True)
mocked_task.assert_called_once_with(self.project_id,
self.subca)
self.assertEqual(403, resp.status_int)
def delete_subordinate_ca(external_project_id, ca):
"""Deletes a subordinate CA and any related artifacts
:param external_project_id: external project ID
:param ca: class:`models.CertificateAuthority` to be deleted
:return: None
"""
# TODO(alee) See if the checks below can be moved to the RBAC code
# Check that this CA is a subCA
if ca.project_id is None:
raise excep.CannotDeleteBaseCA()
# Check that the user's project owns this subCA
project = res.get_or_create_project(external_project_id)
if ca.project_id != project.id:
raise excep.UnauthorizedSubCA()
project_ca_repo = repos.get_project_ca_repository()
(project_cas, _, _,
_) = project_ca_repo.get_by_create_date(project_id=project.id,
ca_id=ca.id,
suppress_exception=True)
preferred_ca_repo = repos.get_preferred_ca_repository()
(preferred_cas, _, _,
_) = preferred_ca_repo.get_by_create_date(project_id=project.id,
ca_id=ca.id,
suppress_exception=True)
# Can not delete a project preferred CA, if other project CAs exist. One
# of those needs to be designated as the preferred CA first.
if project_cas and preferred_cas and not is_last_project_ca(project.id):
raise excep.CannotDeletePreferredCA()
# Remove the CA as preferred
if preferred_cas:
preferred_ca_repo.delete_entity_by_id(preferred_cas[0].id,
external_project_id)
# Remove the CA from project list
if project_cas:
project_ca_repo.delete_entity_by_id(project_cas[0].id,
external_project_id)
# Delete the CA entry from plugin
cert_plugin = cert.CertificatePluginManager().get_plugin_by_name(
ca.plugin_name)
cert_plugin.delete_ca(ca.plugin_ca_id)
# Finally, delete the CA entity from the CA repository
ca_repo = repos.get_ca_repository()
ca_repo.delete_entity_by_id(entity_id=ca.id,
external_project_id=external_project_id)
def create_subordinate_ca(project_model, name, description, subject_dn,
parent_ca_ref, creator_id):
"""Create a subordinate CA
:param name - name of the subordinate CA
:param: description - description of the subordinate CA
:param: subject_dn - subject DN of the subordinate CA
:param: parent_ca_ref - Barbican URL reference to the parent CA
:param: creator_id - id for creator of the subordinate CA
:return: :class models.CertificateAuthority model object for new sub CA
"""
# check that the parent ref exists and is accessible
parent_ca_id = hrefs.get_ca_id_from_ref(parent_ca_ref)
ca_repo = repos.get_ca_repository()
parent_ca = ca_repo.get(entity_id=parent_ca_id, suppress_exception=True)
if not parent_ca:
raise excep.InvalidParentCA(parent_ca_ref=parent_ca_ref)
# Parent CA must be a base CA or a subCA owned by this project
if (parent_ca.project_id is not None and
parent_ca.project_id != project_model.id):
raise excep.UnauthorizedSubCA()
# get the parent plugin, raises CertPluginNotFound if missing
cert_plugin = cert.CertificatePluginManager().get_plugin_by_name(
parent_ca.plugin_name)
# confirm that the plugin supports creating subordinate CAs
if not cert_plugin.supports_create_ca():
raise excep.SubCAsNotSupported()
# make call to create the subordinate ca
create_ca_dto = cert.CACreateDTO(
name=name,
description=description,
subject_dn=subject_dn,
parent_ca_id=parent_ca.plugin_ca_id)
new_ca_dict = cert_plugin.create_ca(create_ca_dto)
if not new_ca_dict:
raise excep.SubCANotCreated(name=name)
# create and store the subordinate CA as a new certificate authority object
new_ca_dict['plugin_name'] = parent_ca.plugin_name
new_ca_dict['creator_id'] = creator_id
new_ca_dict['project_id'] = project_model.id
new_ca = models.CertificateAuthority(new_ca_dict)
ca_repo.create_from(new_ca)
return new_ca