Example #1
0
    def on_post(self, external_project_id, **kwargs):
        LOG.debug(u._('Start on_post for project-ID %s:...'),
                  external_project_id)

        data = api.load_body(pecan.request, validator=self.validator)
        project = res.get_or_create_project(external_project_id)

        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:  # in authenticated pipeline case, always use auth token user
            creator_id = ctxt.user

        self.quota_enforcer.enforce(project)

        new_ca = cert_resources.create_subordinate_ca(
            project_model=project,
            name=data.get('name'),
            description=data.get('description'),
            subject_dn=data.get('subject_dn'),
            parent_ca_ref=data.get('parent_ca_ref'),
            creator_id=creator_id)

        url = hrefs.convert_certificate_authority_to_href(new_ca.id)
        LOG.debug(u._('URI to sub-CA is %s'), url)

        pecan.response.status = 201
        pecan.response.headers['Location'] = url

        LOG.info(u._LI('Created a sub CA for project: %s'),
                 external_project_id)

        return {'ca_ref': url}
Example #2
0
def validate_stored_key_rsa_container(project_id, container_ref, req):
        try:
            container_id = hrefs.get_container_id_from_ref(container_ref)
        except Exception:
            reason = u._("Bad Container Reference {ref}").format(
                ref=container_ref
            )
            raise exception.InvalidContainer(reason=reason)

        container_repo = repo.get_container_repository()

        container = container_repo.get_container_by_id(entity_id=container_id,
                                                       suppress_exception=True)
        if not container:
            reason = u._("Container Not Found")
            raise exception.InvalidContainer(reason=reason)

        if container.type != 'rsa':
            reason = u._("Container Wrong Type")
            raise exception.InvalidContainer(reason=reason)

        ctxt = controllers._get_barbican_context(req)
        inst = controllers.containers.ContainerController(container)
        controllers._do_enforce_rbac(inst, req,
                                     controllers.containers.CONTAINER_GET,
                                     ctxt)
Example #3
0
    def on_put(self, external_project_id, **kwargs):
        body = api.load_body(pecan.request,
                             validator=self.type_order_validator)

        project = res.get_or_create_project(external_project_id)
        order_type = body.get('type')

        request_id = None
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt and ctxt.request_id:
            request_id = ctxt.request_id

        if self.order.type != order_type:
            order_cannot_modify_order_type()

        if models.OrderType.CERTIFICATE != self.order.type:
            _order_update_not_supported_for_type(order_type)

        if models.States.PENDING != self.order.status:
            _order_cannot_be_updated_if_not_pending(self.order.status)

        updated_meta = body.get('meta')
        validators.validate_ca_id(project.id, updated_meta)

        # TODO(chellygel): Put 'meta' into a separate order association
        # entity.
        self.queue.update_order(order_id=self.order.id,
                                project_id=external_project_id,
                                updated_meta=updated_meta,
                                request_id=request_id)
Example #4
0
def validate_stored_key_rsa_container(project_id, container_ref, req):
        try:
            container_id = hrefs.get_container_id_from_ref(container_ref)
        except Exception:
            reason = u._("Bad Container Reference {ref}").format(
                ref=container_ref
            )
            raise exception.InvalidContainer(reason=reason)

        container_repo = repo.get_container_repository()

        container = container_repo.get_container_by_id(entity_id=container_id,
                                                       suppress_exception=True)
        if not container:
            reason = u._("Container Not Found")
            raise exception.InvalidContainer(reason=reason)

        if container.type != 'rsa':
            reason = u._("Container Wrong Type")
            raise exception.InvalidContainer(reason=reason)

        ctxt = controllers._get_barbican_context(req)
        inst = controllers.containers.ContainerController(container)
        controllers._do_enforce_rbac(inst, req,
                                     controllers.containers.CONTAINER_GET,
                                     ctxt)
Example #5
0
    def on_post(self, external_project_id, **kwargs):
        LOG.debug('Start on_post for project-ID %s:...', external_project_id)

        data = api.load_body(pecan.request, validator=self.validator)
        project = res.get_or_create_project(external_project_id)

        transport_key_needed = data.get('transport_key_needed',
                                        'false').lower() == 'true'
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:  # in authenticated pipleline case, always use auth token user
            data['creator_id'] = ctxt.user

        new_secret, transport_key_model = plugin.store_secret(
            data.get('payload'),
            data.get('payload_content_type',
                     'application/octet-stream'),
            data.get('payload_content_encoding'),
            data, None, project,
            transport_key_needed=transport_key_needed,
            transport_key_id=data.get('transport_key_id'))

        url = hrefs.convert_secret_to_href(new_secret.id)
        LOG.debug('URI to secret is %s', url)

        pecan.response.status = 201
        pecan.response.headers['Location'] = url

        LOG.info(u._LI('Created a secret for project: %s'),
                 external_project_id)
        if transport_key_model is not None:
            tkey_url = hrefs.convert_transport_key_to_href(
                transport_key_model.id)
            return {'secret_ref': url, 'transport_key_ref': tkey_url}
        else:
            return {'secret_ref': url}
Example #6
0
    def on_post(self, external_project_id, **kwargs):
        LOG.debug('Start on_post for project-ID %s:...', external_project_id)

        data = api.load_body(pecan.request, validator=self.validator)
        project = res.get_or_create_project(external_project_id)

        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:  # in authenticated pipeline case, always use auth token user
            creator_id = ctxt.user

        self.quota_enforcer.enforce(project)

        new_ca = cert_resources.create_subordinate_ca(
            project_model=project,
            name=data.get('name'),
            description=data.get('description'),
            subject_dn=data.get('subject_dn'),
            parent_ca_ref=data.get('parent_ca_ref'),
            creator_id=creator_id
        )

        url = hrefs.convert_certificate_authority_to_href(new_ca.id)
        LOG.debug('URI to sub-CA is %s', url)

        pecan.response.status = 201
        pecan.response.headers['Location'] = url

        LOG.info(u._LI('Created a sub CA for project: %s'),
                 external_project_id)

        return {'ca_ref': url}
Example #7
0
    def on_put(self, external_project_id, **kwargs):
        body = api.load_body(pecan.request,
                             validator=self.type_order_validator)

        project = res.get_or_create_project(external_project_id)
        order_type = body.get('type')

        request_id = None
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt and ctxt.request_id:
            request_id = ctxt.request_id

        if self.order.type != order_type:
            order_cannot_modify_order_type()

        if models.OrderType.CERTIFICATE != self.order.type:
            _order_update_not_supported_for_type(order_type)

        if models.States.PENDING != self.order.status:
            _order_cannot_be_updated_if_not_pending(self.order.status)

        updated_meta = body.get('meta')
        validators.validate_ca_id(project.id, updated_meta)

        # TODO(chellygel): Put 'meta' into a separate order association
        # entity.
        self.queue.update_order(order_id=self.order.id,
                                project_id=external_project_id,
                                updated_meta=updated_meta,
                                request_id=request_id)
Example #8
0
    def on_get(self, external_project_id, **kw):
        def secret_fields(field):
            return putil.mime_types.augment_fields_with_content_types(field)

        LOG.debug('Start secrets on_get '
                  'for project-ID %s:', external_project_id)

        name = kw.get('name', '')
        if name:
            name = parse.unquote_plus(name)

        bits = kw.get('bits', 0)
        try:
            bits = int(bits)
        except ValueError:
            # as per Github issue 171, if bits is invalid then
            # the default should be used.
            bits = 0

        ctxt = controllers._get_barbican_context(pecan.request)
        user_id = None
        if ctxt:
            user_id = ctxt.user

        result = self.secret_repo.get_by_create_date(
            external_project_id,
            offset_arg=kw.get('offset', 0),
            limit_arg=kw.get('limit', None),
            name=name,
            alg=kw.get('alg'),
            mode=kw.get('mode'),
            bits=bits,
            suppress_exception=True,
            acl_only=kw.get('acl_only', None),
            user_id=user_id
        )

        secrets, offset, limit, total = result

        if not secrets:
            secrets_resp_overall = {'secrets': [],
                                    'total': total}
        else:
            secrets_resp = [
                hrefs.convert_to_hrefs(secret_fields(s))
                for s in secrets
            ]
            secrets_resp_overall = hrefs.add_nav_hrefs(
                'secrets', offset, limit, total,
                {'secrets': secrets_resp}
            )
            secrets_resp_overall.update({'total': total})

        LOG.info(u._LI('Retrieved secret list for project: %s'),
                 external_project_id)
        return secrets_resp_overall
Example #9
0
    def on_get(self, external_project_id, **kw):
        def secret_fields(field):
            return putil.mime_types.augment_fields_with_content_types(field)

        LOG.debug('Start secrets on_get '
                  'for project-ID %s:', external_project_id)

        name = kw.get('name', '')
        if name:
            name = parse.unquote_plus(name)

        bits = kw.get('bits', 0)
        try:
            bits = int(bits)
        except ValueError:
            # as per Github issue 171, if bits is invalid then
            # the default should be used.
            bits = 0

        ctxt = controllers._get_barbican_context(pecan.request)
        user_id = None
        if ctxt:
            user_id = ctxt.user

        result = self.secret_repo.get_by_create_date(
            external_project_id,
            offset_arg=kw.get('offset', 0),
            limit_arg=kw.get('limit', None),
            name=name,
            alg=kw.get('alg'),
            mode=kw.get('mode'),
            bits=bits,
            suppress_exception=True,
            acl_only=kw.get('acl_only', None),
            user_id=user_id
        )

        secrets, offset, limit, total = result

        if not secrets:
            secrets_resp_overall = {'secrets': [],
                                    'total': total}
        else:
            secrets_resp = [
                hrefs.convert_to_hrefs(secret_fields(s))
                for s in secrets
            ]
            secrets_resp_overall = hrefs.add_nav_hrefs(
                'secrets', offset, limit, total,
                {'secrets': secrets_resp}
            )
            secrets_resp_overall.update({'total': total})

        LOG.info(u._LI('Retrieved secret list for project: %s'),
                 external_project_id)
        return secrets_resp_overall
Example #10
0
    def on_post(self, external_project_id, **kwargs):
        project = res.get_or_create_project(external_project_id)

        body = api.load_body(pecan.request,
                             validator=self.type_order_validator)

        order_type = body.get('type')
        order_meta = body.get('meta')
        request_type = order_meta.get('request_type')

        LOG.debug('Processing order type %(order_type)s,'
                  ' request type %(request_type)s' % {
                      'order_type': order_type,
                      'request_type': request_type
                  })

        if order_type == models.OrderType.CERTIFICATE:
            msg = _DEPRECATION_MSG % "Certificate Order Resource"
            versionutils.report_deprecated_feature(LOG, msg)
            validators.validate_ca_id(project.id, body.get('meta'))
            if request_type == 'stored-key':
                container_ref = order_meta.get('container_ref')
                validators.validate_stored_key_rsa_container(
                    external_project_id, container_ref, pecan.request)

        self.quota_enforcer.enforce(project)

        new_order = models.Order()
        new_order.meta = body.get('meta')
        new_order.type = order_type
        new_order.project_id = project.id

        request_id = None
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:
            new_order.creator_id = ctxt.user
            request_id = ctxt.request_id

        self.order_repo.create_from(new_order)

        # Grab our id before commit due to obj expiration from sqlalchemy
        order_id = new_order.id

        # Force commit to avoid async issues with the workers
        repo.commit()

        self.queue.process_type_order(order_id=order_id,
                                      project_id=external_project_id,
                                      request_id=request_id)

        url = hrefs.convert_order_to_href(order_id)

        pecan.response.status = 202
        pecan.response.headers['Location'] = url

        return {'order_ref': url}
Example #11
0
 def on_post(self, external_project_id):
     ctxt = controllers._get_barbican_context(pecan.request)
     data = api.load_body(pecan.request)
     project = res.get_or_create_project(external_project_id)
     self.quota_enforcer.enforce(project)
     response = None
     response = plugin.do_attestation(data, external_project_id, False,
                                      ctxt)
     if response is None:
         _quote_not_found()
     return response
Example #12
0
    def on_post(self, external_project_id, **kwargs):
        project = res.get_or_create_project(external_project_id)

        body = api.load_body(pecan.request,
                             validator=self.type_order_validator)

        order_type = body.get('type')
        order_meta = body.get('meta')
        request_type = order_meta.get('request_type')

        LOG.debug('Processing order type %s, request type %s',
                  order_type, request_type)

        if order_type == models.OrderType.CERTIFICATE:
            validators.validate_ca_id(project.id, body.get('meta'))
            if request_type == 'stored-key':
                container_ref = order_meta.get('container_ref')
                validators.validate_stored_key_rsa_container(
                    external_project_id,
                    container_ref, pecan.request)

        self.quota_enforcer.enforce(project)

        new_order = models.Order()
        new_order.meta = body.get('meta')
        new_order.type = order_type
        new_order.project_id = project.id

        request_id = None
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:
            new_order.creator_id = ctxt.user
            request_id = ctxt.request_id

        self.order_repo.create_from(new_order)

        # Grab our id before commit due to obj expiration from sqlalchemy
        order_id = new_order.id

        # Force commit to avoid async issues with the workers
        repo.commit()

        self.queue.process_type_order(order_id=order_id,
                                      project_id=external_project_id,
                                      request_id=request_id)

        url = hrefs.convert_order_to_href(order_id)

        pecan.response.status = 202
        pecan.response.headers['Location'] = url

        return {'order_ref': url}
Example #13
0
    def _lookup(self, order_id, *remainder):
        # NOTE(jaosorior): It's worth noting that even though this section
        # actually does a lookup in the database regardless of the RBAC policy
        # check, the execution only gets here if authentication of the user was
        # previously successful.
        controllers.assert_is_valid_uuid_from_uri(order_id)
        ctx = controllers._get_barbican_context(pecan.request)

        order = self.order_repo.get(entity_id=order_id,
                                    external_project_id=ctx.project,
                                    suppress_exception=True)
        if not order:
            _order_not_found()

        return OrderController(order, self.order_repo), remainder
Example #14
0
    def _lookup(self, order_id, *remainder):
        # NOTE(jaosorior): It's worth noting that even though this section
        # actually does a lookup in the database regardless of the RBAC policy
        # check, the execution only gets here if authentication of the user was
        # previously successful.

        ctx = controllers._get_barbican_context(pecan.request)

        order = self.order_repo.get(entity_id=order_id,
                                    external_project_id=ctx.project_id,
                                    suppress_exception=True)
        if not order:
            _order_not_found()

        return OrderController(order, self.order_repo), remainder
Example #15
0
    def on_post(self, external_project_id, **kwargs):
        project = res.get_or_create_project(external_project_id)

        body = api.load_body(pecan.request,
                             validator=self.type_order_validator)

        order_type = body.get('type')
        order_meta = body.get('meta')
        request_type = order_meta.get('request_type')

        LOG.debug('Processing order type %(order_type)s,'
                  ' request type %(request_type)s' % {
                      'order_type': order_type,
                      'request_type': request_type
                  })

        self.quota_enforcer.enforce(project)

        new_order = models.Order()
        new_order.meta = body.get('meta')
        new_order.type = order_type
        new_order.project_id = project.id

        request_id = None
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:
            new_order.creator_id = ctxt.user
            request_id = ctxt.request_id

        self.order_repo.create_from(new_order)

        # Grab our id before commit due to obj expiration from sqlalchemy
        order_id = new_order.id

        # Force commit to avoid async issues with the workers
        repo.commit()

        self.queue.process_type_order(order_id=order_id,
                                      project_id=external_project_id,
                                      request_id=request_id)

        url = hrefs.convert_order_to_href(order_id)

        pecan.response.status = 202
        pecan.response.headers['Location'] = url

        return {'order_ref': url}
Example #16
0
    def on_post(self, external_project_id, **kwargs):

        project = res.get_or_create_project(external_project_id)

        data = api.load_body(pecan.request, validator=self.validator)
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:  # in authenticated pipleline case, always use auth token user
            data['creator_id'] = ctxt.user

        self.quota_enforcer.enforce(project)

        LOG.debug('Start on_post...%s', data)

        new_container = models.Container(data)
        new_container.project_id = project.id

        # TODO(hgedikli): performance optimizations
        for secret_ref in new_container.container_secrets:
            secret = self.secret_repo.get(
                entity_id=secret_ref.secret_id,
                external_project_id=external_project_id,
                suppress_exception=True)
            if not secret:
                # This only partially localizes the error message and
                # doesn't localize secret_ref.name.
                pecan.abort(
                    404,
                    u._("Secret provided for '{secret_name}' doesn't "
                        "exist.").format(secret_name=secret_ref.name)
                )

        self.container_repo.create_from(new_container)

        url = hrefs.convert_container_to_href(new_container.id)

        pecan.response.status = 201
        pecan.response.headers['Location'] = url
        LOG.info(u._LI('Created a container for project: %s'),
                 external_project_id)

        return {'container_ref': url}
Example #17
0
    def on_post(self, external_project_id, **kwargs):
        LOG.debug('Start on_post for project-ID %s:...',
                  external_project_id)

        data = api.load_body(pecan.request, validator=self.validator)
        project = res.get_or_create_project(external_project_id)

        self.quota_enforcer.enforce(project)

        transport_key_needed = data.get('transport_key_needed',
                                        'false').lower() == 'true'
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:  # in authenticated pipleline case, always use auth token user
            data['creator_id'] = ctxt.user

        secret_model = models.Secret(data)

        new_secret, transport_key_model = plugin.store_secret(
            unencrypted_raw=data.get('payload'),
            content_type_raw=data.get('payload_content_type',
                                      'application/octet-stream'),
            content_encoding=data.get('payload_content_encoding'),
            secret_model=secret_model,
            project_model=project,
            transport_key_needed=transport_key_needed,
            transport_key_id=data.get('transport_key_id'))

        url = hrefs.convert_secret_to_href(new_secret.id)
        LOG.debug('URI to secret is %s', url)

        pecan.response.status = 201
        pecan.response.headers['Location'] = url

        LOG.info('Created a secret for project: %s',
                 external_project_id)
        if transport_key_model is not None:
            tkey_url = hrefs.convert_transport_key_to_href(
                transport_key_model.id)
            return {'secret_ref': url, 'transport_key_ref': tkey_url}
        else:
            return {'secret_ref': url}
Example #18
0
    def on_post(self, external_project_id, **kwargs):

        project = res.get_or_create_project(external_project_id)

        data = api.load_body(pecan.request, validator=self.validator)
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:  # in authenticated pipleline case, always use auth token user
            data['creator_id'] = ctxt.user

        self.quota_enforcer.enforce(project)

        LOG.debug('Start on_post...%s', data)

        new_container = models.Container(data)
        new_container.project_id = project.id

        # TODO(hgedikli): performance optimizations
        for secret_ref in new_container.container_secrets:
            secret = self.secret_repo.get(
                entity_id=secret_ref.secret_id,
                external_project_id=external_project_id,
                suppress_exception=True)
            if not secret:
                # This only partially localizes the error message and
                # doesn't localize secret_ref.name.
                pecan.abort(
                    404,
                    u._("Secret provided for '{secret_name}' doesn't "
                        "exist.").format(secret_name=secret_ref.name)
                )

        self.container_repo.create_from(new_container)

        url = hrefs.convert_container_to_href(new_container.id)

        pecan.response.status = 201
        pecan.response.headers['Location'] = url
        LOG.info(u._LI('Created a container for project: %s'),
                 external_project_id)

        return {'container_ref': url}
Example #19
0
    def on_get(self, external_project_id, **kw):
        no_consumers = versions.is_supported(pecan.request, max_version='1.0')

        # NOTE(xek): consumers are being introduced in 1.1

        def secret_fields(field):
            resp = putil.mime_types.augment_fields_with_content_types(field)
            if no_consumers:
                del resp['consumers']
            return resp

        LOG.debug('Start secrets on_get '
                  'for project-ID %s:', external_project_id)

        name = kw.get('name', '')
        if name:
            name = parse.unquote_plus(name)

        bits = kw.get('bits', 0)
        try:
            bits = int(bits)
        except ValueError:
            # as per Github issue 171, if bits is invalid then
            # the default should be used.
            bits = 0

        for date_filter in 'created', 'updated', 'expiration':
            if kw.get(date_filter) and not self._is_valid_date_filter(
                    kw.get(date_filter)):
                _bad_query_string_parameters()
        if kw.get('sort') and not self._is_valid_sorting(kw.get('sort')):
            _bad_query_string_parameters()

        ctxt = controllers._get_barbican_context(pecan.request)
        user_id = None
        if ctxt:
            user_id = ctxt.user

        result = self.secret_repo.get_secret_list(
            external_project_id,
            offset_arg=kw.get('offset', 0),
            limit_arg=kw.get('limit'),
            name=name,
            alg=kw.get('alg'),
            mode=kw.get('mode'),
            bits=bits,
            secret_type=kw.get('secret_type'),
            suppress_exception=True,
            acl_only=kw.get('acl_only'),
            user_id=user_id,
            created=kw.get('created'),
            updated=kw.get('updated'),
            expiration=kw.get('expiration'),
            sort=kw.get('sort'))

        secrets, offset, limit, total = result

        if not secrets:
            secrets_resp_overall = {'secrets': [], 'total': total}
        else:
            secrets_resp = [
                hrefs.convert_to_hrefs(secret_fields(s)) for s in secrets
            ]
            secrets_resp_overall = hrefs.add_nav_hrefs(
                'secrets', offset, limit, total, {'secrets': secrets_resp})
            secrets_resp_overall.update({'total': total})

        LOG.info('Retrieved secret list for project: %s', external_project_id)
        return secrets_resp_overall