def handle_cleanup(self, project, project_id=None, resource_type=None,
operation_type=None):
"""Cleans up Barbican resources needed for Keystone project delete.
:param project: Barbican project entity which is retrieved by project
id available in Keystone notification.
:param project_id: project identifier as present in Keystone
notification.
:param resource_type: type of resource updated as part of Keystone
notification e.g. Keystone project, domain, user etc.
:param operation_type: type of operation (created, updated, deleted
etc.) performed on Keystone resource.
"""
if project is None:
LOG.info(u._LI('No action is needed as there are no Barbican '
'resources present for Keystone '
'project_id=%s'), project_id)
return
# barbican entities use projects table 'id' field as foreign key.
# Delete apis are using that id to lookup related entities and not
# keystone project id which requires additional project table join.
project_id = project.id
rep.delete_all_project_resources(project_id)
# reached here means there is no error so log the successful
# cleanup log entry.
LOG.info(u._LI('Successfully completed Barbican resources cleanup for '
'Keystone project_id=%s'), project_id)
def wrapper(method_self, *args, **kwargs):
result = fn(method_self, *args, **kwargs)
retry_rpc_method = schedule_order_retry_tasks(fn, result, *args, **kwargs)
if retry_rpc_method:
LOG.info(u._LI("Scheduled RPC method for retry: '%s'"), retry_rpc_method)
else:
LOG.info(u._LI("Task '%s' did not have to be retried"), find_function_name(fn, if_no_name="???"))
def _check_retry_tasks(self):
"""Periodically check to see if tasks need to be scheduled.
:return: Return the number of seconds to wait before invoking this
method again.
"""
LOG.info(u._LI("Processing scheduled retry tasks:"))
# Retrieve tasks to retry.
entities, _, _, total = self.order_retry_repo.get_by_create_date(
only_at_or_before_this_date=datetime.datetime.utcnow(),
suppress_exception=True)
# Create RPC tasks for each retry task found.
if total > 0:
for task in entities:
self._enqueue_task(task)
# Return the next delay before this method is invoked again.
check_again_in_seconds = _compute_next_periodic_interval()
LOG.info(
u._LI("Done processing '%(total)s' tasks, will check again in "
"'%(next)s' seconds."),
{
'total': total,
'next': check_again_in_seconds
}
)
return check_again_in_seconds
def handle_cleanup(self, project, project_id=None, resource_type=None,
operation_type=None):
"""Cleans up Barbican resources needed for Keystone project delete.
:param project: Barbican project entity which is retrieved by project
id available in Keystone notification.
:param project_id: project identifier as present in Keystone
notification.
:param resource_type: type of resource updated as part of Keystone
notification e.g. Keystone project, domain, user etc.
:param operation_type: type of operation (created, updated, deleted
etc.) performed on Keystone resource.
"""
if project is None:
LOG.info(u._LI('No action is needed as there are no Barbican '
'resources present for Keystone '
'project_id=%s'), project_id)
return
# barbican entities use projects table 'id' field as foreign key.
# Delete apis are using that id to lookup related entities and not
# keystone project id which requires additional project table join.
project_id = project.id
rep.delete_all_project_resources(project_id)
# reached here means there is no error so log the successful
# cleanup log entry.
LOG.info(u._LI('Successfully completed Barbican resources cleanup for '
'Keystone project_id=%s'), project_id)
def wrapper(*args, **kwargs):
fn_name = find_function_name(fn, if_no_name='???')
if not queue.is_server_side():
# Non-server mode directly invokes tasks.
fn(*args, **kwargs)
LOG.info(u._LI("Completed worker task: '%s'"), fn_name)
else:
# Manage session/transaction.
try:
fn(*args, **kwargs)
repositories.commit()
LOG.info(u._LI("Completed worker task (post-commit): '%s'"),
fn_name)
except Exception:
"""NOTE: Wrapped functions must process with care!
Exceptions that reach here will revert the entire transaction,
including any updates made to entities such as setting error
codes and error messages.
"""
LOG.exception(
u._LE("Problem seen processing worker task: '%s'"),
fn_name)
repositories.rollback()
finally:
repositories.clear()
def wrapper(*args, **kwargs):
fn_name = getattr(fn, '__name__', '????')
if not queue.is_server_side():
# Non-server mode directly invokes tasks.
fn(*args, **kwargs)
LOG.info(u._LI("Completed worker task: '%s'"), fn_name)
else:
# Manage session/transaction.
try:
fn(*args, **kwargs)
repositories.commit()
LOG.info(u._LI("Completed worker task: '%s'"), fn_name)
except Exception:
"""NOTE: Wrapped functions must process with care!
Exceptions that reach here will revert the entire transaction,
including any updates made to entities such as setting error
codes and error messages.
"""
LOG.exception(
u._LE("Problem seen processing worker task: '%s'"),
fn_name
)
repositories.rollback()
finally:
repositories.clear()
def main():
try:
config.setup_remote_pydev_debug()
CONF = config.CONF
CONF(sys.argv[1:],
project='barbican',
version=version.version_info.version_string)
# Import and configure logging.
log.setup(CONF, 'barbican')
LOG = log.getLogger(__name__)
LOG.info(u._LI("Booting up Barbican Keystone listener node..."))
# Queuing initialization
queue.init(CONF)
if getattr(getattr(CONF, queue.KS_NOTIFICATIONS_GRP_NAME), 'enable'):
service.launch(CONF, keystone_listener.MessageServer(CONF)).wait()
else:
LOG.info(
u._LI("Exiting as Barbican Keystone listener"
" is not enabled..."))
except RuntimeError as e:
fail(1, e)
def wrapper(method_self, *args, **kwargs):
result = fn(method_self, *args, **kwargs)
retry_rpc_method = schedule_order_retry_tasks(fn, result, *args,
**kwargs)
if retry_rpc_method:
LOG.info(u._LI("Scheduled RPC method for retry: '%s'"),
retry_rpc_method)
else:
LOG.info(u._LI("Task '%s' did not have to be retried"),
find_function_name(fn, if_no_name='???'))
def on_delete(self, external_project_id, **kwargs):
LOG.debug('=== ProjectQuotasController DELETE ===')
try:
self.quota_driver.delete_project_quotas(self.passed_project_id)
except exception.NotFound:
LOG.info(u._LI('Delete Project Quotas - Project not found'))
_project_quotas_not_found()
else:
LOG.info(u._LI('Delete Project Quotas'))
pecan.response.status = 204
def on_delete(self, external_project_id, **kwargs):
LOG.debug('=== ProjectQuotasController DELETE ===')
try:
self.quota_driver.delete_project_quotas(self.passed_project_id)
except exception.NotFound:
LOG.info(u._LI('Delete Project Quotas - Project not found'))
_project_quotas_not_found()
else:
LOG.info(u._LI('Delete Project Quotas'))
pecan.response.status = 204
def _auto_generate_tables(engine, tables):
if tables and 'alembic_version' in tables:
# Upgrade the database to the latest version.
LOG.info(u._LI('Updating schema to latest version'))
commands.upgrade()
else:
# Create database tables from our models.
LOG.info(u._LI('Auto-creating barbican registry DB'))
models.register_models(engine)
# Sync the alembic version 'head' with current models.
commands.stamp()
def on_get(self):
body = {
'v1': 'current',
'build': version.__version__
}
LOG.info(u._LI('Retrieved version'))
return body
def _check_retry_tasks(self):
"""Periodically check to see if tasks need to be scheduled.
:return: Return the number of seconds to wait before invoking this
method again.
"""
total_tasks_processed = 0
try:
total_tasks_processed = self._process_retry_tasks()
except Exception:
LOG.exception(
u._LE("Problem seen processing scheduled retry tasks")
)
# Return the next delay before this method is invoked again.
check_again_in_seconds = _compute_next_periodic_interval()
LOG.info(
u._LI("Done processing '%(total)s' tasks, will check again in "
"'%(next)s' seconds."),
{
'total': total_tasks_processed,
'next': check_again_in_seconds
}
)
return check_again_in_seconds
def on_delete(self, external_project_id, **kwargs):
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_delete...%s', data)
project = self.project_repo.find_by_external_project_id(
external_project_id, suppress_exception=True)
if not project:
_consumer_not_found()
consumer = self.consumer_repo.get_by_values(self.container_id,
data["name"],
data["URL"],
suppress_exception=True)
if not consumer:
_consumer_not_found()
LOG.debug("Found consumer: %s", consumer)
container = self._get_container(self.container_id)
owner_of_consumer = consumer.project_id == project.id
owner_of_container = container.project.external_id \
== external_project_id
if not owner_of_consumer and not owner_of_container:
_consumer_ownership_mismatch()
try:
self.consumer_repo.delete_entity_by_id(consumer.id,
external_project_id)
except exception.NotFound:
LOG.exception(u._LE('Problem deleting consumer'))
_consumer_not_found()
ret_data = self._return_container_data(self.container_id)
LOG.info(u._LI('Deleted a consumer for project: %s'),
external_project_id)
return ret_data
def on_get(self, external_project_id, **kw):
LOG.debug('Start consumers on_get '
'for container-ID %s:', self.container_id)
result = self.consumer_repo.get_by_container_id(
self.container_id,
offset_arg=kw.get('offset', 0),
limit_arg=kw.get('limit'),
suppress_exception=True)
consumers, offset, limit, total = result
if not consumers:
resp_ctrs_overall = {'consumers': [], 'total': total}
else:
resp_ctrs = [
hrefs.convert_to_hrefs(c.to_dict_fields()) for c in consumers
]
consumer_path = "containers/{container_id}/consumers".format(
container_id=self.container_id)
resp_ctrs_overall = hrefs.add_nav_hrefs(consumer_path, offset,
limit, total,
{'consumers': resp_ctrs})
resp_ctrs_overall.update({'total': total})
LOG.info(u._LI('Retrieved a consumer list for project: %s'),
external_project_id)
return resp_ctrs_overall
def on_get(self, project_id, **kw):
LOG.debug('Start containers on_get for project-ID %s:', project_id)
result = self.container_repo.get_by_create_date(
project_id,
offset_arg=kw.get('offset', 0),
limit_arg=kw.get('limit', None),
suppress_exception=True
)
containers, offset, limit, total = result
if not containers:
resp_ctrs_overall = {'containers': [], 'total': total}
else:
resp_ctrs = [
hrefs.convert_to_hrefs(c.to_dict_fields())
for c in containers
]
for ctr in resp_ctrs:
for secret_ref in ctr.get('secret_refs', []):
hrefs.convert_to_hrefs(secret_ref)
resp_ctrs_overall = hrefs.add_nav_hrefs(
'containers',
offset,
limit,
total,
{'containers': resp_ctrs}
)
resp_ctrs_overall.update({'total': total})
LOG.info(u._LI('Retrieved container list for project: %s'), project_id)
return resp_ctrs_overall
def on_delete(self, external_project_id, **kwargs):
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug(data)
consumer = self.consumer_repo.get_by_values(
self.container_id,
data["name"],
data["URL"],
suppress_exception=True
)
if not consumer:
_consumer_not_found()
LOG.debug("Found consumer: %s", consumer)
try:
self.consumer_repo.delete_entity_by_id(consumer.id,
external_project_id)
except exception.NotFound:
LOG.exception(u._LE('Problem deleting consumer'))
_consumer_not_found()
ret_data = self._return_container_data(
self.container_id,
external_project_id
)
LOG.info(u._LI('Deleted a consumer for project: %s'),
external_project_id)
return ret_data
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_post...%s', data)
try:
container = self.container_repo.get(self.container_id,
external_project_id)
except exception.NotFound:
controllers.containers.container_not_found()
new_consumer = models.ContainerConsumerMetadatum(self.container_id,
data)
new_consumer.project_id = project.id
self.consumer_repo.create_or_update_from(new_consumer, container)
url = hrefs.convert_consumer_to_href(new_consumer.container_id)
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a consumer for project: %s'),
external_project_id)
return self._return_container_data(self.container_id,
external_project_id)
def cleanup_unassociated_projects():
"""Clean up unassociated projects.
This looks for projects that have no children entries on the dependent
tables and removes them.
"""
LOG.debug("Cleaning up unassociated projects")
session = repo.get_session()
project_children_tables = [models.Order,
models.KEKDatum,
models.Secret,
models.ContainerConsumerMetadatum,
models.Container,
models.PreferredCertificateAuthority,
models.CertificateAuthority,
models.ProjectCertificateAuthority,
models.ProjectQuotas]
children_names = map(lambda child: child.__name__, project_children_tables)
LOG.debug("Children tables for Project table being checked: %s",
str(children_names))
sub_query = session.query(models.Project.id)
for model in project_children_tables:
sub_query = sub_query.outerjoin(model,
models.Project.id == model.project_id)
sub_query = sub_query.filter(model.id == None) # nopep8
sub_query = sub_query.subquery()
sub_query = sa_sql.select([sub_query])
query = session.query(models.Project)
query = query.filter(models.Project.id.in_(sub_query))
delete_count = query.delete(synchronize_session='fetch')
LOG.info(u._LI("Cleaned up %(delete_count)s entries for "
"%(project_name)s") %
{'delete_count': str(delete_count),
'project_name': models.Project.__name__})
return delete_count
def on_post(self, external_project_id, **kwargs):
LOG.debug('Start on_post for project-ID %s:...', external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
project = res.get_or_create_project(external_project_id)
transport_key_needed = data.get('transport_key_needed',
'false').lower() == 'true'
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipleline case, always use auth token user
data['creator_id'] = ctxt.user
new_secret, transport_key_model = plugin.store_secret(
data.get('payload'),
data.get('payload_content_type',
'application/octet-stream'),
data.get('payload_content_encoding'),
data, None, project,
transport_key_needed=transport_key_needed,
transport_key_id=data.get('transport_key_id'))
url = hrefs.convert_secret_to_href(new_secret.id)
LOG.debug('URI to secret is %s', url)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a secret for project: %s'),
external_project_id)
if transport_key_model is not None:
tkey_url = hrefs.convert_transport_key_to_href(
transport_key_model.id)
return {'secret_ref': url, 'transport_key_ref': tkey_url}
else:
return {'secret_ref': url}
def on_delete(self, external_project_id, **kwargs):
"""Handles removing a secret reference from an existing container."""
data = api.load_body(pecan.request, validator=self.validator)
name = data.get('name')
secret_ref = data.get('secret_ref')
secret_id = hrefs.get_secret_id_from_ref(secret_ref)
secret = self.secret_repo.get(
entity_id=secret_id,
external_project_id=external_project_id,
suppress_exception=True)
if not secret:
pecan.abort(404, u._("Secret '{secret_name}' with reference "
"'{secret_ref}' doesn't exist.").format(
secret_name=name, secret_ref=secret_ref))
found_container_secrets = list(
filter(lambda cs: cs.secret_id == secret_id and cs.name == name,
self.container.container_secrets)
)
if not found_container_secrets:
pecan.abort(404, u._('Secret provided is not in the container'))
for container_secret in found_container_secrets:
self.container_secret_repo.delete_entity_by_id(
container_secret.id, external_project_id)
pecan.response.status = 204
LOG.info(u._LI('Deleted container secret for project: %s'),
external_project_id)
def soft_delete_expired_secrets(threshold_date):
"""Soft deletes secrets that are past expiration date.
The expired secrets and its children are marked for deletion.
ACLs are soft deleted and then purged from the database.
:param threshold_date: secrets that have expired past this date
will be soft deleted
:returns: the sum of soft deleted entries and hard deleted acl entries
"""
# Note: sqllite does not support multiple table updates so
# several db updates are used instead
LOG.debug('Soft deleting expired secrets older than: %s',
str(threshold_date))
update_count = _soft_delete_expired_secrets(threshold_date)
children_count, acl_total = _soft_delete_expired_secret_children(
threshold_date)
update_count += children_count
LOG.info(u._LI("Soft deleted %(update_count)s entries due to secret "
"expiration and %(acl_total)s secret acl entries "
"were removed from the database") %
{'update_count': update_count,
'acl_total': acl_total})
return update_count + acl_total
def _check_retry_tasks(self):
"""Periodically check to see if tasks need to be scheduled.
:return: Return the number of seconds to wait before invoking this
method again.
"""
total_tasks_processed = 0
try:
total_tasks_processed = self._process_retry_tasks()
except Exception:
LOG.exception(
u._LE("Problem seen processing scheduled retry tasks")
)
# Return the next delay before this method is invoked again.
check_again_in_seconds = _compute_next_periodic_interval()
LOG.info(
u._LI("Done processing '%(total)s' tasks, will check again in "
"'%(next)s' seconds."),
{
'total': total_tasks_processed,
'next': check_again_in_seconds
}
)
return check_again_in_seconds
def on_post(self, external_project_id, **kwargs):
LOG.debug('Start on_post for project-ID %s:...', external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
project = res.get_or_create_project(external_project_id)
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipeline case, always use auth token user
creator_id = ctxt.user
self.quota_enforcer.enforce(project)
new_ca = cert_resources.create_subordinate_ca(
project_model=project,
name=data.get('name'),
description=data.get('description'),
subject_dn=data.get('subject_dn'),
parent_ca_ref=data.get('parent_ca_ref'),
creator_id=creator_id
)
url = hrefs.convert_certificate_authority_to_href(new_ca.id)
LOG.debug('URI to sub-CA is %s', url)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a sub CA for project: %s'),
external_project_id)
return {'ca_ref': url}
def process_response(self, resp):
resp.headers['x-openstack-request-id'] = resp.request.request_id
LOG.info('%s: %s - %s %s', u._LI('Processed request'),
resp.status, resp.request.method, resp.request.url)
return resp
def on_post(self, external_project_id, **kwargs):
LOG.debug(u._('Start on_post for project-ID %s:...'),
external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
project = res.get_or_create_project(external_project_id)
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipeline case, always use auth token user
creator_id = ctxt.user
self.quota_enforcer.enforce(project)
new_ca = cert_resources.create_subordinate_ca(
project_model=project,
name=data.get('name'),
description=data.get('description'),
subject_dn=data.get('subject_dn'),
parent_ca_ref=data.get('parent_ca_ref'),
creator_id=creator_id)
url = hrefs.convert_certificate_authority_to_href(new_ca.id)
LOG.debug(u._('URI to sub-CA is %s'), url)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a sub CA for project: %s'),
external_project_id)
return {'ca_ref': url}
def on_delete(self, external_project_id, **kwargs):
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug(data)
consumer = self.consumer_repo.get_by_values(
self.container_id,
data["name"],
data["URL"],
suppress_exception=True
)
if not consumer:
_consumer_not_found()
LOG.debug("Found consumer: %s", consumer)
try:
self.consumer_repo.delete_entity_by_id(consumer.id,
external_project_id)
except exception.NotFound:
LOG.exception(u._LE('Problem deleting consumer'))
_consumer_not_found()
ret_data = self._return_container_data(
self.container_id,
external_project_id
)
LOG.info(u._LI('Deleted a consumer for project: %s'),
external_project_id)
return ret_data
def on_delete(self, external_project_id, **kwargs):
"""Handles removing a secret reference from an existing container."""
data = api.load_body(pecan.request, validator=self.validator)
name = data.get('name')
secret_ref = data.get('secret_ref')
secret_id = hrefs.get_secret_id_from_ref(secret_ref)
secret = self.secret_repo.get(
entity_id=secret_id,
external_project_id=external_project_id,
suppress_exception=True)
if not secret:
pecan.abort(404, u._("Secret '{secret_name}' with reference "
"'{secret_ref}' doesn't exist.").format(
secret_name=name, secret_ref=secret_ref))
found_container_secrets = list(
filter(lambda cs: cs.secret_id == secret_id and cs.name == name,
self.container.container_secrets)
)
if not found_container_secrets:
pecan.abort(404, u._('Secret provided is not in the container'))
for container_secret in found_container_secrets:
self.container_secret_repo.delete_entity_by_id(
container_secret.id, external_project_id)
pecan.response.status = 204
LOG.info(u._LI('Deleted container secret for project: %s'),
external_project_id)
def on_put(self, external_project_id, **kwargs):
if (not pecan.request.content_type
or pecan.request.content_type == 'application/json'):
pecan.abort(
415,
u._("Content-Type of '{content_type}' is not supported for "
"PUT.").format(content_type=pecan.request.content_type))
transport_key_id = kwargs.get('transport_key_id')
payload = pecan.request.body
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
if self.secret.encrypted_data or self.secret.secret_store_metadata:
_secret_already_has_data()
project_model = res.get_or_create_project(external_project_id)
content_type = pecan.request.content_type
content_encoding = pecan.request.headers.get('Content-Encoding')
plugin.store_secret(unencrypted_raw=payload,
content_type_raw=content_type,
content_encoding=content_encoding,
secret_model=self.secret,
project_model=project_model,
transport_key_id=transport_key_id)
LOG.info(u._LI('Updated secret for project: %s'), external_project_id)
def create_main_app(global_config, **local_conf):
"""uWSGI factory method for the Barbican-API application."""
# Queuing initialization
queue.init(CONF, is_server_side=False)
# Configure oslo logging and configuration services.
log.setup(CONF, 'barbican')
config.setup_remote_pydev_debug()
# Initializing the database engine and session factory before the app
# starts ensures we don't lose requests due to lazy initialiation of db
# connections.
repositories.setup_database_engine_and_factory()
# Setup app with transactional hook enabled
wsgi_app = build_wsgi_app(transactional=True)
if newrelic_loaded:
wsgi_app = newrelic.agent.WSGIApplicationWrapper(wsgi_app)
LOG = log.getLogger(__name__)
LOG.info(u._LI('Barbican app created and initialized'))
return wsgi_app
def on_get(self, project_id, **kw):
LOG.debug('Start containers on_get for project-ID %s:', project_id)
result = self.container_repo.get_by_create_date(
project_id,
offset_arg=kw.get('offset', 0),
limit_arg=kw.get('limit', None),
name_arg=kw.get('name', None),
suppress_exception=True)
containers, offset, limit, total = result
if not containers:
resp_ctrs_overall = {'containers': [], 'total': total}
else:
resp_ctrs = [
hrefs.convert_to_hrefs(c.to_dict_fields()) for c in containers
]
for ctr in resp_ctrs:
for secret_ref in ctr.get('secret_refs', []):
hrefs.convert_to_hrefs(secret_ref)
resp_ctrs_overall = hrefs.add_nav_hrefs('containers', offset,
limit, total,
{'containers': resp_ctrs})
resp_ctrs_overall.update({'total': total})
LOG.info(u._LI('Retrieved container list for project: %s'), project_id)
return resp_ctrs_overall
def _get_engine(engine):
if not engine:
connection = CONF.sql_connection
if not connection:
raise exception.BarbicanException(
u._('No SQL connection configured'))
# TODO(jfwood):
# connection_dict = sqlalchemy.engine.url.make_url(_CONNECTION)
engine_args = {
'pool_recycle': CONF.sql_idle_timeout,
'echo': False,
'convert_unicode': True
}
try:
engine = _create_engine(connection, **engine_args)
engine.connect()
except Exception as err:
msg = u._("Error configuring registry database with supplied "
"sql_connection. Got error: {error}").format(error=err)
LOG.exception(msg)
raise exception.BarbicanException(msg)
if CONF.db_auto_create:
meta = sqlalchemy.MetaData()
meta.reflect(bind=engine)
tables = meta.tables
_auto_generate_tables(engine, tables)
else:
LOG.info(u._LI('Not auto-creating barbican registry DB'))
return engine
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_post...%s', data)
try:
container = self.container_repo.get(self.container_id,
external_project_id)
except exception.NotFound:
controllers.containers.container_not_found()
self.quota_enforcer.enforce(project)
new_consumer = models.ContainerConsumerMetadatum(self.container_id,
data)
new_consumer.project_id = project.id
self.consumer_repo.create_or_update_from(new_consumer, container)
url = hrefs.convert_consumer_to_href(new_consumer.container_id)
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a consumer for project: %s'),
external_project_id)
return self._return_container_data(self.container_id,
external_project_id)
def on_put(self, external_project_id, **kwargs):
if (not pecan.request.content_type or
pecan.request.content_type == 'application/json'):
pecan.abort(
415,
u._("Content-Type of '{content_type}' is not supported for "
"PUT.").format(content_type=pecan.request.content_type)
)
transport_key_id = kwargs.get('transport_key_id')
payload = pecan.request.body
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
if self.secret.encrypted_data or self.secret.secret_store_metadata:
_secret_already_has_data()
project_model = res.get_or_create_project(external_project_id)
content_type = pecan.request.content_type
content_encoding = pecan.request.headers.get('Content-Encoding')
plugin.store_secret(
unencrypted_raw=payload,
content_type_raw=content_type,
content_encoding=content_encoding,
secret_model=self.secret,
project_model=project_model,
transport_key_id=transport_key_id)
LOG.info(u._LI('Updated secret for project: %s'), external_project_id)
def check_certificate_status(self, context, order_id, project_id):
"""Check the status of a certificate order."""
LOG.info(
u._LI("Processing check certificate status on order: order ID is "
"'%s'"), order_id)
check_cert_order = resources.CheckCertificateStatusOrder()
return check_cert_order.process_and_suppress_exceptions(
order_id, project_id)
def update_order(self, context, order_id, project_id, updated_meta):
"""Update Order."""
LOG.info(
u._LI("Processing update order: order ID is '%s'"),
order_id
)
return resources.UpdateOrder().process_and_suppress_exceptions(
order_id, project_id, updated_meta)
def wrapper(method_self, *args, **kwargs):
result = fn(method_self, *args, **kwargs)
retry_rpc_method = schedule_order_retry_tasks(
fn, result, *args, **kwargs)
if retry_rpc_method:
LOG.info(
u._LI("Scheduled RPC method for retry: '%s'"),
retry_rpc_method)
def process_type_order(self, context, order_id, project_id, request_id):
"""Process TypeOrder."""
message = u._LI(
"Processing type order: "
"order ID is '%(order)s' and request ID is '%(request)s'")
LOG.info(message, {'order': order_id, 'request': request_id})
return resources.BeginTypeOrder().process_and_suppress_exceptions(
order_id, project_id)
def process_type_order(self, context, order_id, project_id):
"""Process TypeOrder."""
LOG.info(
u._LI("Processing type order: order ID is '%s'"),
order_id
)
return resources.BeginTypeOrder().process_and_suppress_exceptions(
order_id, project_id)
def process_type_order(self, context, order_id, project_id, request_id):
"""Process TypeOrder."""
message = u._LI(
"Processing type order: "
"order ID is '%(order)s' and request ID is '%(request)s'"
)
LOG.info(message, {'order': order_id, 'request': request_id})
return resources.BeginTypeOrder().process_and_suppress_exceptions(
order_id, project_id)
def payload(self, external_project_id, **kwargs):
if pecan.request.method != 'GET':
pecan.abort(405)
resp = self._on_get_secret_payload(self.secret, external_project_id,
**kwargs)
LOG.info(u._LI('Retrieved secret payload for project: %s'),
external_project_id)
return resp
def on_put(self, external_project_id, **kwargs):
LOG.debug('=== ProjectQuotasController PUT ===')
if not pecan.request.body:
raise exception.NoDataToProcess()
api.load_body(pecan.request, validator=self.validator)
self.quota_driver.set_project_quotas(self.passed_project_id,
kwargs['project_quotas'])
LOG.info(u._LI('Put Project Quotas'))
pecan.response.status = 204
def update_order(self, context, order_id, project_id, updated_meta,
request_id):
"""Update Order."""
message = u._LI(
"Processing update order: "
"order ID is '%(order)s' and request ID is '%(request)s'")
LOG.info(message, {'order': order_id, 'request': request_id})
return resources.UpdateOrder().process_and_suppress_exceptions(
order_id, project_id, updated_meta)
def on_get(self, external_project_id):
dict_fields = self.container.to_dict_fields()
for secret_ref in dict_fields['secret_refs']:
hrefs.convert_to_hrefs(secret_ref)
LOG.info(u._LI('Retrieved container for project: %s'),
external_project_id)
return hrefs.convert_to_hrefs(hrefs.convert_to_hrefs(dict_fields))
def on_get(self, external_project_id, **kw):
def secret_fields(field):
return putil.mime_types.augment_fields_with_content_types(field)
LOG.debug('Start secrets on_get '
'for project-ID %s:', external_project_id)
name = kw.get('name', '')
if name:
name = parse.unquote_plus(name)
bits = kw.get('bits', 0)
try:
bits = int(bits)
except ValueError:
# as per Github issue 171, if bits is invalid then
# the default should be used.
bits = 0
ctxt = controllers._get_barbican_context(pecan.request)
user_id = None
if ctxt:
user_id = ctxt.user
result = self.secret_repo.get_by_create_date(
external_project_id,
offset_arg=kw.get('offset', 0),
limit_arg=kw.get('limit', None),
name=name,
alg=kw.get('alg'),
mode=kw.get('mode'),
bits=bits,
suppress_exception=True,
acl_only=kw.get('acl_only', None),
user_id=user_id
)
secrets, offset, limit, total = result
if not secrets:
secrets_resp_overall = {'secrets': [],
'total': total}
else:
secrets_resp = [
hrefs.convert_to_hrefs(secret_fields(s))
for s in secrets
]
secrets_resp_overall = hrefs.add_nav_hrefs(
'secrets', offset, limit, total,
{'secrets': secrets_resp}
)
secrets_resp_overall.update({'total': total})
LOG.info(u._LI('Retrieved secret list for project: %s'),
external_project_id)
return secrets_resp_overall
def on_get(self, external_project_id, **kw):
def secret_fields(field):
return putil.mime_types.augment_fields_with_content_types(field)
LOG.debug('Start secrets on_get '
'for project-ID %s:', external_project_id)
name = kw.get('name', '')
if name:
name = parse.unquote_plus(name)
bits = kw.get('bits', 0)
try:
bits = int(bits)
except ValueError:
# as per Github issue 171, if bits is invalid then
# the default should be used.
bits = 0
ctxt = controllers._get_barbican_context(pecan.request)
user_id = None
if ctxt:
user_id = ctxt.user
result = self.secret_repo.get_by_create_date(
external_project_id,
offset_arg=kw.get('offset', 0),
limit_arg=kw.get('limit', None),
name=name,
alg=kw.get('alg'),
mode=kw.get('mode'),
bits=bits,
suppress_exception=True,
acl_only=kw.get('acl_only', None),
user_id=user_id
)
secrets, offset, limit, total = result
if not secrets:
secrets_resp_overall = {'secrets': [],
'total': total}
else:
secrets_resp = [
hrefs.convert_to_hrefs(secret_fields(s))
for s in secrets
]
secrets_resp_overall = hrefs.add_nav_hrefs(
'secrets', offset, limit, total,
{'secrets': secrets_resp}
)
secrets_resp_overall.update({'total': total})
LOG.info(u._LI('Retrieved secret list for project: %s'),
external_project_id)
return secrets_resp_overall
def update_order(self, context, order_id, project_id,
updated_meta, request_id):
"""Update Order."""
message = u._LI(
"Processing update order: "
"order ID is '%(order)s' and request ID is '%(request)s'"
)
LOG.info(message, {'order': order_id, 'request': request_id})
return resources.UpdateOrder().process_and_suppress_exceptions(
order_id, project_id, updated_meta)
def process_response(self, resp):
request_id = resp.request.headers.get('x-openstack-request-id')
if not request_id:
request_id = b'req-{0}'.format(str(uuid.uuid4()))
resp.headers['x-openstack-request-id'] = request_id
LOG.info('%s | %s: %s - %s %s', request_id, u._LI('Processed request'),
resp.status, resp.request.method, resp.request.url)
return resp
def check_certificate_status(self, context, order_id, project_id):
"""Check the status of a certificate order."""
LOG.info(
u._LI("Processing check certificate status on order: order ID is "
"'%s'"),
order_id
)
check_cert_order = resources.CheckCertificateStatusOrder()
return check_cert_order.process_and_suppress_exceptions(
order_id, project_id)
def on_put(self, external_project_id, **kwargs):
LOG.debug('=== ProjectQuotasController PUT ===')
if not pecan.request.body:
raise exception.NoDataToProcess()
api.load_body(pecan.request,
validator=self.validator)
self.quota_driver.set_project_quotas(self.passed_project_id,
kwargs['project_quotas'])
LOG.info(u._LI('Put Project Quotas'))
pecan.response.status = 204
def process_response(self, resp):
resp.headers['x-openstack-request-id'] = resp.request.request_id
LOG.info(
u._LI('Processed request: %(status)s - %(method)s %(url)s'), {
"status": resp.status,
"method": resp.request.method,
"url": resp.request.url
})
return resp
def payload(self, external_project_id, **kwargs):
if pecan.request.method != 'GET':
pecan.abort(405)
resp = self._on_get_secret_payload(self.secret,
external_project_id,
**kwargs)
LOG.info(u._LI('Retrieved secret payload for project: %s'),
external_project_id)
return resp
def notify_certificate_is_ready(
self, project_id, order_ref, container_ref):
"""Notify that a certificate has been generated and is ready to use.
:param project_id: Project ID associated with this certificate
:param order_ref: HATEOS reference URI to the submitted Barbican Order
:param container_ref: HATEOS reference URI to the Container storing
the certificate
:returns: None
"""
LOG.info(u._LI('Invoking notify_certificate_is_ready()'))
def check_certificate_status(self, context, order_id, project_id,
request_id):
"""Check the status of a certificate order."""
message = u._LI(
"Processing check certificate status on order: "
"order ID is '%(order)s' and request ID is '%(request)s'")
LOG.info(message, {'order': order_id, 'request': request_id})
check_cert_order = resources.CheckCertificateStatusOrder()
return check_cert_order.process_and_suppress_exceptions(
order_id, project_id)
def on_get(self, external_project_id):
dict_fields = self.container.to_dict_fields()
for secret_ref in dict_fields['secret_refs']:
hrefs.convert_to_hrefs(secret_ref)
LOG.info(u._LI('Retrieved container for project: %s'),
external_project_id)
return hrefs.convert_to_hrefs(
hrefs.convert_to_hrefs(dict_fields)
)
def _process_retry_tasks(self):
"""Scan for and then re-queue tasks that are ready to retry."""
LOG.info(u._LI("Processing scheduled retry tasks:"))
# Retrieve tasks to retry.
entities, total = self._retrieve_tasks()
# Create RPC tasks for each retry task found.
for task in entities:
self._enqueue_task(task)
return total
def notify_ca_is_unavailable(
self, project_id, order_ref, error_msg, retry_in_msec):
"""Notify that the certificate authority (CA) isn't available.
:param project_id: Project ID associated with this order
:param order_ref: HATEOS reference URI to the submitted Barbican Order
:param error_msg: Error message if it is available
:param retry_in_msec: Delay before attempting to talk to the CA again.
If this is 0, then no attempt will be made.
:returns: None
"""
LOG.info(u._LI('Invoking notify_ca_is_unavailable()'))
def check_certificate_status(self, context, order_id,
project_id, request_id):
"""Check the status of a certificate order."""
message = u._LI(
"Processing check certificate status on order: "
"order ID is '%(order)s' and request ID is '%(request)s'"
)
LOG.info(message, {'order': order_id, 'request': request_id})
check_cert_order = resources.CheckCertificateStatusOrder()
return check_cert_order.process_and_suppress_exceptions(
order_id, project_id)
