Exemple #1
def _failed_to_create_encrypted_datum(req, resp):
    """Abort with 400 when no EncryptedDatum could be stored for the secret.

    The client receives only the fixed text below; nothing about the
    underlying failure is placed in the response.  ``api.abort`` is
    expected to raise, so this helper does not return to its caller.
    """
    message = _("Could not add secret data to Barbican.")
    api.abort(falcon.HTTP_400, message, req, resp)
Exemple #2
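    def on_put(self, req, resp, keystone_id, secret_id):
        """Attach the request body as the payload of an existing secret.

        Rejects a missing or 'application/json' Content-Type, an unknown
        secret and a secret that already has encrypted data, then reads the
        body and passes it to ``res.create_encrypted_datum`` together with
        the Content-Type and Content-Encoding request headers.  On success
        the response status is set to 200.

        The ``_...`` helpers and ``api.abort`` are expected to raise; the
        code below does not return after calling them.
        """
        # NOTE(review): exact string comparison -- a Content-Type that
        # carries parameters (a charset, say) is not matched by this test;
        # confirm that is intended.
        if not req.content_type or req.content_type == 'application/json':
            _put_accept_incorrect(req.content_type, req, resp)

        # NOTE(review): keystone_id is passed to the lookup along with the
        # id; presumably that is what keeps a caller from reaching another
        # tenant's secret -- verify in the repository layer.
        secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found(req, resp)

        if secret.encrypted_data:
            # Existing data is never overwritten through this responder.
            _secret_already_has_data(req, resp)

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
        payload = None
        content_type = req.content_type
        content_encoding = req.get_header('Content-Encoding')

        try:
            # read(n) returns at most n bytes, so an oversize body is cut
            # short here rather than rejected.
            # NOTE(review): confirm create_encrypted_datum (or an earlier
            # layer) rejects such input, so a truncated secret is never
            # stored.
            payload = req.stream.read(api.MAX_BYTES_REQUEST_INPUT_ACCEPTED)
        except IOError:
            # req/resp are passed like every other abort in this responder.
            api.abort(falcon.HTTP_500, 'Read Error', req, resp)

        res.create_encrypted_datum(secret,
                                   payload,
                                   content_type,
                                   content_encoding,
                                   tenant,
                                   self.crypto_manager,
                                   self.datum_repo,
                                   self.kek_repo)

        resp.status = falcon.HTTP_200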
Exemple #3
def _failed_to_create_encrypted_datum(req, resp):
    """Abort with 400: the EncryptedDatum record could not be created.

    Only a fixed, generic message is sent to the client.  ``api.abort`` is
    expected to raise rather than return.
    """
    status = falcon.HTTP_400
    message = _("Could not add secret data to Barbican.")
    api.abort(status, message, req, resp)
Exemple #4
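    def on_post(self, req, resp, keystone_id):
        """Create a container from the request body.

        The body is loaded through ``api.load_body`` with this resource's
        validator, every secret the container references is looked up for
        ``keystone_id``, and the container is stored.  The response is 202
        with a ``Location`` header and a JSON body holding the container
        reference.

        ``api.abort`` is expected to raise, so a missing secret ends the
        request before anything is stored.
        """
        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        data = api.load_body(req, resp, self.validator)
        # NOTE(review): the whole request body goes to the debug log;
        # confirm container bodies never carry sensitive values.
        LOG.debug('Start on_post...{0}'.format(data))

        new_container = models.Container(data)
        new_container.tenant_id = tenant.id

        #TODO: (hgedikli) performance optimizations
        for secret_ref in new_container.container_secrets:
            # NOTE(review): keystone_id is part of the lookup; presumably
            # that is what stops a container from referencing another
            # tenant's secret -- verify in the repository layer.
            secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
                                          keystone_id=keystone_id,
                                          suppress_exception=True)
            if not secret:
                # Interpolate after the gettext lookup: formatting inside
                # u._() made the lookup key vary with the name, so the
                # message could never match a catalog entry.
                # NOTE(review): secret_ref.name presumably comes from the
                # request body and is echoed back in the error text.
                api.abort(falcon.HTTP_404,
                          u._("Secret provided for '%s'"
                              " doesn't exist.") % secret_ref.name,
                          req, resp)

        self.container_repo.create_from(new_container)

        resp.status = falcon.HTTP_202
        resp.set_header('Location',
                        '/{0}/containers/{1}'.format(keystone_id,
                                                     new_container.id))
        url = convert_container_to_href(keystone_id, new_container.id)
        resp.body = json.dumps({'container_ref': url})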
Exemple #5
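    def on_put(self, req, resp, keystone_id, secret_id):
        """Store the request body as the data of an existing secret.

        A missing or 'application/json' Content-Type, an unknown secret,
        and a secret that already holds encrypted data each end the request
        through the matching ``_...`` helper.  Otherwise the body is read
        and given to ``res.create_encrypted_datum`` with the Content-Type
        and Content-Encoding request headers, and the status is set to 200.

        The helpers and ``api.abort`` are expected to raise; nothing here
        returns after calling them.
        """
        # NOTE(review): this is an exact match, so 'application/json' with
        # parameters appended would not be rejected here -- confirm intent.
        if not req.content_type or req.content_type == 'application/json':
            _put_accept_incorrect(req.content_type, req, resp)

        # NOTE(review): the lookup receives keystone_id as well as the id;
        # presumably this scopes the secret to the calling tenant -- verify
        # in the repository layer.
        secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found(req, resp)

        if secret.encrypted_data:
            # Data that is already stored cannot be replaced via PUT.
            _secret_already_has_data(req, resp)

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
        payload = None
        content_type = req.content_type
        content_encoding = req.get_header('Content-Encoding')

        try:
            # The read is capped; a longer body is truncated, not refused.
            # NOTE(review): confirm an oversize body is rejected somewhere
            # before a truncated secret can be stored.
            payload = req.stream.read(api.MAX_BYTES_REQUEST_INPUT_ACCEPTED)
        except IOError:
            # Pass req/resp as the other aborts in this responder do.
            api.abort(falcon.HTTP_500, 'Read Error', req, resp)

        res.create_encrypted_datum(secret,
                                   payload,
                                   content_type,
                                   content_encoding,
                                   tenant,
                                   self.crypto_manager,
                                   self.datum_repo,
                                   self.kek_repo)

        resp.status = falcon.HTTP_200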
Exemple #6
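    def on_post(self, req, resp, keystone_id):
        """Create a container that references existing secrets.

        Loads and validates the body via ``api.load_body``, checks that
        each referenced secret can be found for ``keystone_id``, stores the
        container, and answers 202 with a ``Location`` header plus a JSON
        body containing ``container_ref``.

        ``api.abort`` is expected to raise, so the container is not stored
        when a referenced secret is missing.
        """
        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        data = api.load_body(req, resp, self.validator)
        # NOTE(review): logs the full request body at debug level; confirm
        # nothing sensitive can appear in a container body.
        LOG.debug('Start on_post...{0}'.format(data))

        new_container = models.Container(data)
        new_container.tenant_id = tenant.id

        #TODO: (hgedikli) performance optimizations
        for secret_ref in new_container.container_secrets:
            # NOTE(review): the lookup is given keystone_id; presumably that
            # restricts references to the caller's own secrets -- verify.
            secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
                                          keystone_id=keystone_id,
                                          suppress_exception=True)
            if not secret:
                # Format the translated template, not the other way round:
                # with the '%' inside u._() the catalog was searched for the
                # already-formatted text and never matched.
                # NOTE(review): secret_ref.name is presumably client input
                # and is returned verbatim in the error message.
                api.abort(falcon.HTTP_404,
                          u._("Secret provided for '%s'"
                              " doesn't exist.") % secret_ref.name,
                          req, resp)

        self.container_repo.create_from(new_container)

        resp.status = falcon.HTTP_202
        resp.set_header('Location',
                        '/{0}/containers/{1}'.format(keystone_id,
                                                     new_container.id))
        url = convert_container_to_href(keystone_id, new_container.id)
        resp.body = json.dumps({'container_ref': url})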
Exemple #7
    def on_put(self, req, resp, tenant_id, secret_id):
        """Encrypt and store the request body for an existing secret.

        The request is ended through the matching ``_...`` helper when the
        Content-Type is missing or 'application/json', the secret is not
        found, its mime-type differs from the Content-Type, or it already
        has encrypted data.  The helpers and ``abort`` are expected to
        raise; the code does not return after calling them.
        """
        content_type = req.content_type
        if not content_type or content_type == 'application/json':
            _put_accept_incorrect(content_type)

        # NOTE(review): the lookup uses secret_id alone; tenant_id is not
        # part of the query.  Confirm something else ties the secret to the
        # calling tenant before its data can be written.
        secret = self.repo.get(entity_id=secret_id, suppress_exception=True)
        if not secret:
            _secret_not_found()
        if secret.mime_type != content_type:
            _client_content_mismatch_to_secret()
        if secret.encrypted_data:
            _secret_already_has_data()

        try:
            # NOTE(review): read() is called without a size, so the whole
            # body is buffered in memory; confirm an upstream limit on
            # request size exists.
            body = req.stream.read()
        except IOError:
            abort(falcon.HTTP_500, 'Read Error')

        resp.status = falcon.HTTP_200

        try:
            create_encrypted_datum(secret, body, tenant_id,
                                   self.tenant_secret_repo, self.datum_repo)
        except ValueError:
            # The traceback is logged; the client-facing text comes from
            # the helper.
            LOG.error('Problem creating an encrypted datum for the secret.',
                      exc_info=True)
            _failed_to_create_encrypted_datum()
Exemple #8
def _client_content_mismatch_to_secret(expected, actual, req, res):
    """Abort with 400: request content-type differs from the secret's.

    ``actual`` (the request's content-type) fills ``{0}`` and ``expected``
    (the secret's mime-type) fills ``{1}`` in the message.
    """
    template = _("Request content-type of '{0}' doesn't match "
                 "secret's of '{1}'.")
    # NOTE(review): ``actual`` is echoed into the response as-is;
    # presumably it comes straight from the request header -- confirm the
    # error body is never rendered as markup.
    api.abort(falcon.HTTP_400, template.format(actual, expected), req, res)
Exemple #9
def _client_content_mismatch_to_secret(expected, actual, req, res):
    """Abort with 400 when the request content-type is not the secret's.

    The message names the request's type first (``actual``) and the
    secret's type second (``expected``).
    """
    message = _("Request content-type of '{0}' doesn't match "
                "secret's of '{1}'.").format(actual, expected)
    # NOTE(review): ``actual`` presumably originates from a request header
    # and is returned verbatim in the error text.
    api.abort(falcon.HTTP_400, message, req, res)
Exemple #10
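 def handler(inst, req, resp, *args, **kwargs):
     """Run the wrapped responder and turn unexpected errors into aborts.

     ``fn`` and ``operation_name`` are free variables here; they are
     expected to come from the enclosing scope, which is outside this
     excerpt.
     """
     try:
         fn(inst, req, resp, *args, **kwargs)
     except falcon.HTTPError:
         # Already a Falcon error, so it passes through untouched.  A bare
         # ``raise`` re-raises it with its original traceback.
         LOG.exception('Falcon error seen')
         raise
     except Exception as e:
         # Anything else is reduced to a status/message pair by
         # api.generate_safe_exception_message before it reaches the
         # client; the traceback is written to the log only.
         status, message = api.generate_safe_exception_message(
             operation_name, e)
         LOG.exception(message)
         api.abort(status, message, req, resp)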
Exemple #11
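 def handler(inst, req, resp, *args, **kwargs):
     """Call the wrapped responder; map unexpected exceptions to an abort.

     ``fn`` and ``operation_name`` are not defined in this function; they
     are expected to be supplied by the enclosing scope, which this
     excerpt does not show.
     """
     try:
         fn(inst, req, resp, *args, **kwargs)
     except falcon.HTTPError:
         LOG.exception('Falcon error seen')
         # Bare ``raise`` keeps the original traceback of the Falcon error
         # instead of restarting it at this frame.
         raise
     except Exception as e:
         # The client sees only what generate_safe_exception_message
         # returns; the exception itself is recorded via LOG.exception.
         status, message = api.generate_safe_exception_message(
             operation_name, e)
         LOG.exception(message)
         api.abort(status, message, req, resp)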
Exemple #12
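    def on_put(self, req, resp, keystone_id, secret_id):
        """Encrypt and store the request body for an existing secret.

        Checks, in order: the Content-Type is present and is not
        'application/json'; the secret exists for ``keystone_id``; the
        secret's mime-type equals the request Content-Type; the secret has
        no encrypted data yet.  The body is then read, capped at
        ``api.MAX_BYTES_REQUEST_INPUT_ACCEPTED`` bytes, and passed to
        ``res.create_encrypted_datum``.

        The ``_...`` helpers and ``api.abort`` are expected to raise; the
        code does not return after calling them.
        """
        if not req.content_type or req.content_type == 'application/json':
            _put_accept_incorrect(req.content_type, req, resp)

        # NOTE(review): keystone_id is passed to the lookup along with the
        # id; presumably that is what keeps a caller from reaching another
        # tenant's secret -- verify in the repository layer.
        secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found(req, resp)
        if secret.mime_type != req.content_type:
            _client_content_mismatch_to_secret(secret.mime_type,
                                               req.content_type, req, resp)
        if secret.encrypted_data:
            # Existing data is never overwritten through this responder.
            _secret_already_has_data(req, resp)

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        try:
            # read(n) returns at most n bytes, so an oversize body is cut
            # short here rather than rejected.
            # NOTE(review): confirm the LimitExceeded path below (or an
            # earlier layer) refuses such input, so a truncated secret is
            # never stored.
            plain_text = req.stream.read(api.MAX_BYTES_REQUEST_INPUT_ACCEPTED)
        except IOError:
            # req/resp are passed like every other abort in this responder.
            api.abort(falcon.HTTP_500, 'Read Error', req, resp)

        resp.status = falcon.HTTP_200

        try:
            res.create_encrypted_datum(secret,
                                       plain_text,
                                       tenant,
                                       self.crypto_manager,
                                       self.tenant_secret_repo,
                                       self.datum_repo)
        except em.CryptoMimeTypeNotSupportedException as cmtnse:
            LOG.exception('Secret creation failed - mime-type not supported')
            _secret_mime_type_not_supported(cmtnse.mime_type, req, resp)
        except exception.NoDataToProcess:
            LOG.exception('No secret data to process')
            _secret_plain_text_empty(req, resp)
        except exception.LimitExceeded:
            LOG.exception('Secret data too big to process')
            _secret_data_too_large(req, resp)
        except Exception:
            # Any other failure: the details go to the log, and the
            # client-facing text comes from the helper.
            LOG.exception('Secret creation failed - unknown')
            _failed_to_create_encrypted_datum(req, resp)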
Exemple #13
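    def on_put(self, req, resp, keystone_id, secret_id):
        """Store the request body, encrypted, on an existing secret.

        The request is ended through the matching ``_...`` helper when the
        Content-Type is missing or 'application/json', the secret is not
        found for ``keystone_id``, its mime-type differs from the request
        Content-Type, or it already has encrypted data.  Otherwise at most
        ``api.MAX_BYTES_REQUEST_INPUT_ACCEPTED`` bytes of the body are read
        and handed to ``res.create_encrypted_datum``.

        The helpers and ``api.abort`` are expected to raise; nothing here
        returns after calling them.
        """
        if not req.content_type or req.content_type == 'application/json':
            _put_accept_incorrect(req.content_type, req, resp)

        # NOTE(review): the lookup receives keystone_id as well as the id;
        # presumably this scopes the secret to the calling tenant -- verify
        # in the repository layer.
        secret = self.repo.get(entity_id=secret_id,
                               keystone_id=keystone_id,
                               suppress_exception=True)
        if not secret:
            _secret_not_found(req, resp)
        if secret.mime_type != req.content_type:
            _client_content_mismatch_to_secret(secret.mime_type,
                                               req.content_type, req, resp)
        if secret.encrypted_data:
            # Data that is already stored cannot be replaced via PUT.
            _secret_already_has_data(req, resp)

        tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)

        try:
            # The read is capped; a longer body is truncated, not refused.
            # NOTE(review): confirm the LimitExceeded path below (or an
            # earlier layer) rejects oversize input before a truncated
            # secret can be stored.
            plain_text = req.stream.read(api.MAX_BYTES_REQUEST_INPUT_ACCEPTED)
        except IOError:
            # Pass req/resp as the other aborts in this responder do.
            api.abort(falcon.HTTP_500, 'Read Error', req, resp)

        resp.status = falcon.HTTP_200

        try:
            res.create_encrypted_datum(secret, plain_text, tenant,
                                       self.crypto_manager,
                                       self.tenant_secret_repo,
                                       self.datum_repo)
        except em.CryptoMimeTypeNotSupportedException as cmtnse:
            LOG.exception('Secret creation failed - mime-type not supported')
            _secret_mime_type_not_supported(cmtnse.mime_type, req, resp)
        except exception.NoDataToProcess:
            LOG.exception('No secret data to process')
            _secret_plain_text_empty(req, resp)
        except exception.LimitExceeded:
            LOG.exception('Secret data too big to process')
            _secret_data_too_large(req, resp)
        except Exception:
            # Unknown failures are logged with their traceback; the text
            # sent to the client is chosen by the helper.
            LOG.exception('Secret creation failed - unknown')
            _failed_to_create_encrypted_datum(req, resp)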
Exemple #14
def _verification_not_found(req, resp):
    """Abort the request with 404 because no verification was found.

    ``api.abort`` is expected to raise rather than return.
    """
    message = u._('Not Found. Sorry but your verification '
                  'result is in '
                  'another castle.')
    api.abort(falcon.HTTP_404, message, req, resp)
Exemple #15
def _get_secret_info_not_found(mime_type, req, resp):
    """Abort with 404: no secret information of ``mime_type`` to decrypt.

    ``mime_type`` is inserted into the message text.
    """
    template = _("Secret information of type '{0}' not available for "
                 "decryption.")
    # NOTE(review): mime_type is returned verbatim in the error text;
    # presumably it is derived from the request -- confirm the error body
    # is never rendered as markup.
    api.abort(falcon.HTTP_404, template.format(mime_type), req, resp)
Exemple #16
def _order_not_found(req, resp):
    """Abort the request with 404 because the order could not be located.

    ``api.abort`` is expected to raise rather than return.
    """
    message = _('Unable to locate order.')
    api.abort(falcon.HTTP_404, message, req, resp)
Exemple #17
def _secret_create_failed(req, resp):
    """Abort with 500 because the attempt to create a secret failed.

    The client gets a fixed message with no detail about the cause.
    """
    # NOTE(review): the message id reads "Unabled"; correcting the typo
    # also means updating any translation catalog keyed on this text.
    message = _("Unabled to create secret.")
    api.abort(falcon.HTTP_500, message, req, resp)
Exemple #18
def _container_not_found(req, resp):
    """Abort the request with 404 because the container was not found.

    ``api.abort`` is expected to raise rather than return.
    """
    message = u._('Not Found. Sorry but your container '
                  'is in '
                  'another castle.')
    api.abort(falcon.HTTP_404, message, req, resp)
Exemple #19
def _get_accept_not_supported(accept, req, resp):
    """Abort with 406 because the requested ``accept`` value is unsupported.

    ``accept`` is inserted into the message text.
    """
    # NOTE(review): ``accept`` presumably comes from the request's Accept
    # header and is returned verbatim in the error text.
    message = _("Accept of '{0}' is not supported.").format(accept)
    api.abort(falcon.HTTP_406, message, req, resp)
Exemple #20
def _put_accept_incorrect(ct, req, resp):
    """Abort with 415 because content-type ``ct`` is not supported.

    ``ct`` is inserted into the message text.
    """
    # NOTE(review): ``ct`` presumably comes from the request's Content-Type
    # header and is returned verbatim in the error text.
    message = _("Content-Type of '{0}' is not supported.").format(ct)
    api.abort(falcon.HTTP_415, message, req, resp)
Exemple #21
def _order_not_found(req, resp):
    """Abort with 404 when the requested order cannot be located."""
    status = falcon.HTTP_404
    api.abort(status, _('Unable to locate order.'), req, resp)
Exemple #22
def _secret_not_found(req, resp):
    """Abort the request with 404 because the secret could not be located.

    ``api.abort`` is expected to raise rather than return.
    """
    message = _('Unable to locate secret.')
    api.abort(falcon.HTTP_404, message, req, resp)
Exemple #23
def _general_failure(message, req, resp):
    """Abort with 500, sending ``message`` (passed through ``_``) to the client.

    NOTE(review): ``message`` is chosen by the caller and ends up in the
    response, so callers should pass fixed text rather than exception
    details.  As it is a variable, message-extraction tools cannot collect
    it for translation.
    """
    translated = _(message)
    api.abort(falcon.HTTP_500, translated, req, resp)
Exemple #24
def _secret_plain_text_empty(req, resp):
    """Abort with 400 because the supplied plain-text was empty.

    ``api.abort`` is expected to raise rather than return.
    """
    message = _("Could not add secret with empty 'plain_text'")
    api.abort(falcon.HTTP_400, message, req, resp)
Exemple #25
def _get_secret_info_not_found(mime_type, req, resp):
    """Abort with 404 when no secret data of ``mime_type`` can be decrypted.

    The message includes ``mime_type``.
    """
    # NOTE(review): mime_type is echoed back unchanged; presumably it is
    # taken from the request -- confirm the error body is plain text.
    message = _("Secret information of type '{0}' not available for "
                "decryption.").format(mime_type)
    api.abort(falcon.HTTP_404, message, req, resp)
Exemple #26
def _secret_not_found(req, resp):
    """Abort the request with 404 because the secret was not found.

    ``api.abort`` is expected to raise rather than return.
    """
    message = u._('Not Found. Sorry but your secret is in '
                  'another castle.')
    api.abort(falcon.HTTP_404, message, req, resp)
Exemple #27
def _secret_mime_type_not_supported(mt, req, resp):
    """Abort with 400 because mime-type ``mt`` is not supported.

    ``mt`` is inserted into the message text.
    """
    # NOTE(review): ``mt`` is returned verbatim in the error text; confirm
    # where it originates and that the body is never rendered as markup.
    message = _("Mime-type of '{0}' is not supported.").format(mt)
    api.abort(falcon.HTTP_400, message, req, resp)
Exemple #28
def _secret_create_failed(req, resp):
    """Abort with 500 when creating a secret did not succeed.

    Only fixed text is returned to the client.
    """
    # NOTE(review): "Unabled" is a typo in the message id; a fix has to be
    # mirrored in any translation catalog that uses this text as its key.
    status = falcon.HTTP_500
    api.abort(status, _("Unabled to create secret."), req, resp)
Exemple #29
def _secret_already_has_data(req, resp):
    """Abort with 409 because the secret already holds data.

    ``api.abort`` is expected to raise rather than return.
    """
    message = _("Secret already has data, cannot modify it.")
    api.abort(falcon.HTTP_409, message, req, resp)
Exemple #30
def _failed_to_decrypt_data(req, resp):
    """Abort with 500 because secret information could not be decrypted.

    The client gets fixed text only; nothing about the decryption error
    itself is placed in the response.
    """
    message = _("Problem decrypting secret information.")
    api.abort(falcon.HTTP_500, message, req, resp)
Exemple #31
def _secret_data_too_large(req, resp):
    """Abort with 413 because the supplied plain-text was too big.

    ``api.abort`` is expected to raise rather than return.
    """
    message = _("Could not add secret data as it was too large")
    api.abort(falcon.HTTP_413, message, req, resp)
Exemple #32
def _general_failure(message, req, resp):
    """Abort with 500 for a general processing failure.

    NOTE(review): the caller-supplied ``message`` is sent to the client
    after the ``_`` lookup; keep it to fixed wording so internal error
    details are not disclosed.  A variable passed to ``_`` is also not
    visible to message-extraction tools.
    """
    status = falcon.HTTP_500
    api.abort(status, _(message), req, resp)
Exemple #33
def _secret_plain_text_empty(req, resp):
    """Abort with 400 when empty plain-text was supplied for a secret."""
    status = falcon.HTTP_400
    api.abort(status, _("Could not add secret with empty 'plain_text'"),
              req, resp)
Exemple #34
def _secret_not_found(req, resp):
    """Abort with 404 when the requested secret cannot be located."""
    status = falcon.HTTP_404
    api.abort(status, _('Unable to locate secret.'), req, resp)
Exemple #35
def _failed_to_decrypt_data(req, resp):
    """Abort with 500 when decrypting secret information failed.

    The response carries a fixed message and no decryption error detail.
    """
    status = falcon.HTTP_500
    api.abort(status, _("Problem decrypting secret information."),
              req, resp)
Exemple #36
def _get_accept_not_supported(accept, req, resp):
    """Abort with 406 when the ``accept`` value is not supported.

    The message includes ``accept``.
    """
    # NOTE(review): ``accept`` is echoed back unchanged; presumably it is
    # the request's Accept header -- confirm the error body is plain text.
    template = _("Accept of '{0}' is not supported.")
    api.abort(falcon.HTTP_406, template.format(accept), req, resp)
Exemple #37
def _order_not_found(req, resp):
    """Abort the request with 404 because the order was not found.

    ``api.abort`` is expected to raise rather than return.
    """
    message = u._('Not Found. Sorry but your order is in '
                  'another castle.')
    api.abort(falcon.HTTP_404, message, req, resp)
Exemple #38
def _secret_mime_type_not_supported(mt, req, resp):
    """Abort with 400 when the secret's mime-type ``mt`` is unsupported.

    The message includes ``mt``.
    """
    # NOTE(review): ``mt`` is echoed back unchanged in the error text;
    # confirm its origin and that the body is plain text.
    template = _("Mime-type of '{0}' is not supported.")
    api.abort(falcon.HTTP_400, template.format(mt), req, resp)
Exemple #39
def _secret_already_has_data(req, resp):
    """Abort with 409 when the secret already has data stored.

    ``api.abort`` is expected to raise rather than return.
    """
    message = u._("Secret already has data, cannot modify it.")
    api.abort(falcon.HTTP_409, message, req, resp)
Exemple #40
def _secret_data_too_large(req, resp):
    """Abort with 413 when the supplied plain-text exceeds the limit."""
    status = falcon.HTTP_413
    api.abort(status, _("Could not add secret data as it was too large"),
              req, resp)
Exemple #41
def _authorization_failed(message, req, resp):
    """Abort the request with 401 and the caller's ``message``.

    NOTE(review): ``message`` is forwarded to the client unchanged and is
    not passed through ``_``; callers should keep it generic so the
    response does not reveal why authorization failed.
    """
    status = falcon.HTTP_401
    api.abort(status, message, req, resp)
Exemple #42
def _not_allowed(message, req, resp):
    """Abort the request with 403 and the caller's ``message``.

    NOTE(review): ``message`` reaches the client unchanged and is not
    passed through ``_``; callers should supply fixed wording.
    """
    status = falcon.HTTP_403
    api.abort(status, message, req, resp)
Exemple #43
def _secret_already_has_data():
    """Abort with 409 because the secret already holds data.

    ``abort`` is expected to raise rather than return.
    """
    message = _("Secret already has data, cannot modify it.")
    abort(falcon.HTTP_409, message)
Exemple #44
def _verification_not_found(req, resp):
    """Abort with 404 when the verification result cannot be found."""
    status = falcon.HTTP_404
    text = u._('Not Found. Sorry but your verification '
               'result is in '
               'another castle.')
    api.abort(status, text, req, resp)
Exemple #45
def _secret_not_in_order():
    """Abort with 400 because the order carried no secret information.

    ``abort`` is expected to raise rather than return.
    """
    message = _("Secret metadata expected but not received.")
    abort(falcon.HTTP_400, message)
Exemple #46
def _authorization_failed(message, req, resp):
    """Abort with 401, passing ``message`` on to the client as given.

    NOTE(review): the text is caller-supplied and untranslated; it should
    stay generic so a failed authorization does not disclose its cause.
    """
    api.abort(
        falcon.HTTP_401,
        message,
        req,
        resp,
    )
Exemple #47
def _secret_not_in_order(req, resp):
    """Abort with 400 because the order carried no secret information.

    ``api.abort`` is expected to raise rather than return.
    """
    message = _("Secret metadata expected but not received.")
    api.abort(falcon.HTTP_400, message, req, resp)
Exemple #48
def _secret_not_found(req, resp):
    """Abort with 404 when the secret cannot be found."""
    status = falcon.HTTP_404
    text = u._('Not Found. Sorry but your secret is in '
               'another castle.')
    api.abort(status, text, req, resp)
Exemple #49
def _secret_not_found():
    """Abort the request because the secret could not be located.

    NOTE(review): the status used here is 400, not 404, and the text says
    "secret profile"; confirm both are intended for a not-found case.
    """
    message = _('Unable to locate secret profile.')
    abort(falcon.HTTP_400, message)
Exemple #50
def _put_accept_incorrect(ct, req, resp):
    """Abort with 415 because content-type ``ct`` is not supported for PUT.

    ``ct`` is inserted into the message text.
    """
    # NOTE(review): ``ct`` presumably comes from the request's Content-Type
    # header and is returned verbatim in the error text.
    template = u._("Content-Type of '{0}' is not "
                   "supported for PUT.")
    api.abort(falcon.HTTP_415, template.format(ct), req, resp)
Exemple #51
def _put_accept_incorrect(ct):
    """Abort with 415 because content-type ``ct`` is not supported.

    ``ct`` is inserted into the message text.
    """
    # NOTE(review): ``ct`` presumably comes from the request's Content-Type
    # header and is returned verbatim in the error text.
    template = _("Content-Type of '{0}' "
                 "is not supported.")
    abort(falcon.HTTP_415, template.format(ct))
Exemple #52
def _secret_not_in_order(req, resp):
    """Abort with 400 when the order lacks the expected secret metadata."""
    status = falcon.HTTP_400
    text = u._("Secret metadata expected but not received.")
    api.abort(status, text, req, resp)
Exemple #53
def _client_content_mismatch_to_secret():
    """Abort with 400: request content-type differs from the secret's.

    The message is fixed text; neither content-type is included in it.
    ``abort`` is expected to raise rather than return.
    """
    message = _("Request content-type doesn't match secret's.")
    abort(falcon.HTTP_400, message)