def _init_memory_db_setup(self):
# using in-memory sqlalchemy database, sqlite, instead of simulating
# data via mocks to verify transaction behavior (like rollback when
# error occurs in middle of delete project entities logic). This also
# helps in verifying that project_entities related query is defined
# correctly.
self.opt_in_group(None, sql_connection=self.IN_MEM_DB_CONN_STRING)
self.project_id1 = uuid.uuid4().hex
self.project_id2 = uuid.uuid4().hex
rep._MAKER = None
rep._ENGINE = None
rep.configure_db()
self.repos = rep.Repositories(
tenant_repo=None, tenant_secret_repo=None, secret_repo=None,
datum_repo=None, kek_repo=None, secret_meta_repo=None,
order_repo=None, order_plugin_meta_repo=None,
transport_key_repo=None, container_repo=None,
container_secret_repo=None)
self.project1_data = c_resources.get_or_create_tenant(
self.project_id1, self.repos.tenant_repo)
self.assertIsNotNone(self.project1_data)
self.engine = rep.get_engine()
self.project2_data = c_resources.get_or_create_tenant(
self.project_id2, self.repos.tenant_repo)
self.assertIsNotNone(self.project2_data)
def on_post(self, req, resp, keystone_id):
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
body = api.load_body(req, resp, self.validator)
LOG.debug('Start on_post...{0}'.format(body))
if 'secret' not in body:
_secret_not_in_order(req, resp)
secret_info = body['secret']
name = secret_info['name']
LOG.debug('Secret to create is {0}'.format(name))
new_order = models.Order()
new_order.secret_name = secret_info['name']
new_order.secret_algorithm = secret_info.get('algorithm', None)
new_order.secret_bit_length = secret_info.get('bit_length', None)
new_order.secret_cypher_type = secret_info.get('cypher_type', None)
new_order.secret_mime_type = secret_info['mime_type']
new_order.secret_expiration = secret_info.get('expiration', None)
new_order.tenant_id = tenant.id
self.order_repo.create_from(new_order)
# Send to workers to process.
self.queue.process_order(order_id=new_order.id,
keystone_id=keystone_id)
resp.status = falcon.HTTP_202
resp.set_header('Location',
'/{0}/orders/{1}'.format(keystone_id, new_order.id))
url = convert_order_to_href(keystone_id, new_order.id)
resp.body = json.dumps({'order_ref': url})
def on_post(self, req, resp, keystone_id):
LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))
data = api.load_body(req, resp, self.validator)
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
try:
new_secret = res.create_secret(data, tenant, self.crypto_manager,
self.secret_repo,
self.tenant_secret_repo,
self.datum_repo)
except em.CryptoMimeTypeNotSupportedException as cmtnse:
LOG.exception('Secret creation failed - mime-type not supported')
_secret_mime_type_not_supported(cmtnse.mime_type, req, resp)
except exception.NoDataToProcess:
LOG.exception('No secret data to process')
_secret_plain_text_empty(req, resp)
except exception.LimitExceeded:
LOG.exception('Secret data too big to process')
_secret_data_too_large(req, resp)
except Exception as e:
LOG.exception('Secret creation failed - unknown')
_general_failure('Secret creation failed - unknown', req, resp)
resp.status = falcon.HTTP_201
resp.set_header('Location', '/{0}/secrets/{1}'.format(keystone_id,
new_secret.id))
url = convert_secret_to_href(keystone_id, new_secret.id)
LOG.debug('URI to secret is {0}'.format(url))
resp.body = json.dumps({'secret_ref': url})
def on_get(self, req, resp, keystone_id, secret_id):
secret = self.repo.get(entity_id=secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found(req, resp)
resp.status = falcon.HTTP_200
if not req.accept or req.accept == 'application/json' \
or req.accept == '*/*':
# Metadata-only response, no decryption necessary.
resp.set_header('Content-Type', 'application/json')
secret_fields = augment_fields_with_content_types(secret)
resp.body = json.dumps(convert_to_hrefs(keystone_id,
secret_fields),
default=json_handler)
else:
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
resp.set_header('Content-Type', req.accept)
try:
resp.body = self.crypto_manager.decrypt(
req.accept, secret, tenant)
except em.CryptoAcceptNotSupportedException as canse:
LOG.exception('Secret decryption failed - '
'accept not supported')
_get_accept_not_supported(canse.accept, req, resp)
except em.CryptoNoSecretOrDataException as cnsode:
LOG.exception('Secret information of type {0} not '
'found for decryption.'.format(cnsode.mime_type))
_get_secret_info_not_found(cnsode.mime_type, req, resp)
except Exception as e:
LOG.exception('Secret decryption failed - unknown')
_failed_to_decrypt_data(req, resp)
def on_post(self, req, resp, keystone_id):
LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))
data = api.load_body(req, resp, self.validator)
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
try:
new_secret = res.create_secret(data, tenant, self.crypto_manager,
self.secret_repo,
self.tenant_secret_repo,
self.datum_repo)
except em.CryptoMimeTypeNotSupportedException as cmtnse:
LOG.exception('Secret creation failed - mime-type not supported')
_secret_mime_type_not_supported(cmtnse.mime_type, req, resp)
except exception.NoDataToProcess:
LOG.exception('No secret data to process')
_secret_plain_text_empty(req, resp)
except exception.LimitExceeded:
LOG.exception('Secret data too big to process')
_secret_data_too_large(req, resp)
except Exception as e:
LOG.exception('Secret creation failed - unknown')
_general_failure('Secret creation failed - unknown', req, resp)
resp.status = falcon.HTTP_201
resp.set_header('Location',
'/{0}/secrets/{1}'.format(keystone_id, new_secret.id))
url = convert_secret_to_href(keystone_id, new_secret.id)
LOG.debug('URI to secret is {0}'.format(url))
resp.body = json.dumps({'secret_ref': url})
def on_post(self, keystone_id, **kwargs):
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
body = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_post...{0}'.format(body))
if 'secret' not in body:
_secret_not_in_order()
secret_info = body['secret']
name = secret_info.get('name')
LOG.debug('Secret to create is {0}'.format(name))
new_order = models.Order()
new_order.secret_name = secret_info.get('name')
new_order.secret_algorithm = secret_info.get('algorithm')
new_order.secret_bit_length = secret_info.get('bit_length', 0)
new_order.secret_mode = secret_info.get('mode')
new_order.secret_payload_content_type = secret_info.get(
'payload_content_type')
new_order.secret_expiration = secret_info.get('expiration')
new_order.tenant_id = tenant.id
self.order_repo.create_from(new_order)
# Send to workers to process.
self.queue.process_order(order_id=new_order.id,
keystone_id=keystone_id)
pecan.response.status = 202
pecan.response.headers['Location'] = '/{0}/orders/{1}'.format(
keystone_id, new_order.id
)
url = hrefs.convert_order_to_href(keystone_id, new_order.id)
return {'order_ref': url}
def on_post(self, req, resp, keystone_id):
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
data = api.load_body(req, resp, self.validator)
LOG.debug('Start on_post...{0}'.format(data))
new_container = models.Container(data)
new_container.tenant_id = tenant.id
#TODO: (hgedikli) performance optimizations
for secret_ref in new_container.container_secrets:
secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
api.abort(falcon.HTTP_404,
u._("Secret provided for '%s'"
" doesn't exist." % secret_ref.name),
req, resp)
self.container_repo.create_from(new_container)
resp.status = falcon.HTTP_202
resp.set_header('Location',
'/{0}/containers/{1}'.format(keystone_id,
new_container.id))
url = convert_container_to_href(keystone_id, new_container.id)
resp.body = json.dumps({'container_ref': url})
def on_put(self, req, resp, keystone_id, secret_id):
if not req.content_type or req.content_type == 'application/json':
_put_accept_incorrect(req.content_type, req, resp)
secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found(req, resp)
if secret.encrypted_data:
_secret_already_has_data(req, resp)
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
payload = None
content_type = req.content_type
content_encoding = req.get_header('Content-Encoding')
try:
payload = req.stream.read(api.MAX_BYTES_REQUEST_INPUT_ACCEPTED)
except IOError:
api.abort(falcon.HTTP_500, 'Read Error')
res.create_encrypted_datum(secret,
payload,
content_type,
content_encoding,
tenant,
self.crypto_manager,
self.datum_repo,
self.kek_repo)
resp.status = falcon.HTTP_200
def on_get(self, req, resp, keystone_id, secret_id):
secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found(req, resp)
resp.status = falcon.HTTP_200
if is_json_request_accept(req):
# Metadata-only response, no decryption necessary.
resp.set_header('Content-Type', 'application/json')
secret_fields = mime_types.augment_fields_with_content_types(
secret)
resp.body = json.dumps(convert_to_hrefs(keystone_id,
secret_fields),
default=json_handler)
else:
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
resp.set_header('Content-Type', req.accept)
resp.body = self.crypto_manager \
.decrypt(req.accept,
secret,
tenant)
def on_get(self, req, resp, keystone_id, secret_id):
secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found(req, resp)
resp.status = falcon.HTTP_200
if is_json_request_accept(req):
# Metadata-only response, no decryption necessary.
resp.set_header('Content-Type', 'application/json')
secret_fields = mime_types.augment_fields_with_content_types(
secret)
resp.body = json.dumps(convert_to_hrefs(keystone_id,
secret_fields),
default=json_handler)
else:
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
resp.set_header('Content-Type', req.accept)
resp.body = self.crypto_manager \
.decrypt(req.accept,
secret,
tenant)
def on_put(self, keystone_id, **kwargs):
if not pecan.request.content_type or \
pecan.request.content_type == 'application/json':
pecan.abort(
415,
u._("Content-Type of '{0}' is not supported for PUT.").format(
pecan.request.content_type
)
)
payload = pecan.request.body
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
secret_model = self.repos.secret_repo.get(entity_id=self.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret_model:
_secret_not_found()
if secret_model.encrypted_data:
_secret_already_has_data()
tenant_model = res.get_or_create_tenant(keystone_id,
self.repos.tenant_repo)
content_type = pecan.request.content_type
content_encoding = pecan.request.headers.get('Content-Encoding')
plugin.store_secret(payload, content_type,
content_encoding, secret_model.to_dict_fields,
secret_model, tenant_model, self.repos)
def on_post(self, keystone_id):
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_post...{0}'.format(data))
new_container = models.Container(data)
new_container.tenant_id = tenant.id
#TODO(hgedikli): performance optimizations
for secret_ref in new_container.container_secrets:
secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
# This only partially localizes the error message and
# doesn't localize secret_ref.name.
pecan.abort(
404,
u._("Secret provided for '{0}' doesn't"
" exist.").format(secret_ref.name))
self.container_repo.create_from(new_container)
pecan.response.status = 202
pecan.response.headers['Location'] = '/{0}/containers/{1}'.format(
keystone_id, new_container.id)
url = controllers.hrefs.convert_container_to_href(
keystone_id, new_container.id)
return {'container_ref': url}
def on_post(self, req, resp, keystone_id):
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
data = api.load_body(req, resp, self.validator)
LOG.debug('Start on_post...{0}'.format(data))
new_container = models.Container(data)
new_container.tenant_id = tenant.id
#TODO: (hgedikli) performance optimizations
for secret_ref in new_container.container_secrets:
secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
api.abort(falcon.HTTP_404,
u._("Secret provided for '%s'"
" doesn't exist." % secret_ref.name),
req, resp)
self.container_repo.create_from(new_container)
resp.status = falcon.HTTP_202
resp.set_header('Location',
'/{0}/containers/{1}'.format(keystone_id,
new_container.id))
url = convert_container_to_href(keystone_id, new_container.id)
resp.body = json.dumps({'container_ref': url})
def on_put(self, req, resp, keystone_id, secret_id):
if not req.content_type or req.content_type == 'application/json':
_put_accept_incorrect(req.content_type, req, resp)
secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found(req, resp)
if secret.encrypted_data:
_secret_already_has_data(req, resp)
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
payload = None
content_type = req.content_type
content_encoding = req.get_header('Content-Encoding')
try:
payload = req.stream.read(api.MAX_BYTES_REQUEST_INPUT_ACCEPTED)
except IOError:
api.abort(falcon.HTTP_500, 'Read Error')
res.create_encrypted_datum(secret,
payload,
content_type,
content_encoding,
tenant,
self.crypto_manager,
self.datum_repo,
self.kek_repo)
resp.status = falcon.HTTP_200
def on_post(self, keystone_id):
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
body = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_post...{0}'.format(body))
if 'secret' not in body:
_secret_not_in_order()
secret_info = body['secret']
name = secret_info.get('name')
LOG.debug('Secret to create is {0}'.format(name))
new_order = models.Order()
new_order.secret_name = secret_info.get('name')
new_order.secret_algorithm = secret_info.get('algorithm')
new_order.secret_bit_length = secret_info.get('bit_length', 0)
new_order.secret_mode = secret_info.get('mode')
new_order.secret_payload_content_type = secret_info.get(
'payload_content_type')
new_order.secret_expiration = secret_info.get('expiration')
new_order.tenant_id = tenant.id
self.order_repo.create_from(new_order)
# Send to workers to process.
self.queue.process_order(order_id=new_order.id,
keystone_id=keystone_id)
pecan.response.status = 202
pecan.response.headers['Location'] = '/{0}/orders/{1}'.format(
keystone_id, new_order.id)
url = hrefs.convert_order_to_href(keystone_id, new_order.id)
return {'order_ref': url}
def on_post(self, keystone_id, **kwargs):
LOG.debug('Start on_post for tenant-ID %s:...', keystone_id)
data = api.load_body(pecan.request, validator=self.validator)
tenant = res.get_or_create_tenant(keystone_id, self.repos.tenant_repo)
transport_key_needed = data.get('transport_key_needed',
'false').lower() == 'true'
new_secret, transport_key_model = plugin.store_secret(
data.get('payload'),
data.get('payload_content_type',
'application/octet-stream'),
data.get('payload_content_encoding'),
data, None, tenant,
self.repos,
transport_key_needed=transport_key_needed,
transport_key_id=data.get('transport_key_id'))
pecan.response.status = 201
pecan.response.headers['Location'] = '/secrets/{0}'.format(
new_secret.id
)
url = hrefs.convert_secret_to_href(new_secret.id)
LOG.debug('URI to secret is %s', url)
if transport_key_model is not None:
tkey_url = hrefs.convert_transport_key_to_href(
transport_key_model.id)
return {'secret_ref': url, 'transport_key_ref': tkey_url}
else:
return {'secret_ref': url}
def on_get(self, req, resp, keystone_id, secret_id):
secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found(req, resp)
resp.status = falcon.HTTP_200
if not req.accept or req.accept == 'application/json' \
or req.accept == '*/*':
# Metadata-only response, no decryption necessary.
resp.set_header('Content-Type', 'application/json')
secret_fields = augment_fields_with_content_types(secret)
resp.body = json.dumps(convert_to_hrefs(keystone_id,
secret_fields),
default=json_handler)
else:
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
resp.set_header('Content-Type', req.accept)
try:
resp.body = self.crypto_manager.decrypt(req.accept, secret,
tenant)
except em.CryptoAcceptNotSupportedException as canse:
LOG.exception('Secret decryption failed - '
'accept not supported')
_get_accept_not_supported(canse.accept, req, resp)
except em.CryptoNoSecretOrDataException as cnsode:
LOG.exception('Secret information of type {0} not '
'found for decryption.'.format(cnsode.mime_type))
_get_secret_info_not_found(cnsode.mime_type, req, resp)
except Exception as e:
LOG.exception('Secret decryption failed - unknown')
_failed_to_decrypt_data(req, resp)
def on_put(self, keystone_id):
if not pecan.request.content_type or \
pecan.request.content_type == 'application/json':
pecan.abort(
415,
u._("Content-Type of '{0}' is not supported for PUT.").format(
pecan.request.content_type
)
)
secret = self.repo.get(entity_id=self.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found()
if secret.encrypted_data:
_secret_already_has_data()
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
content_type = pecan.request.content_type
content_encoding = pecan.request.headers.get('Content-Encoding')
res.create_encrypted_datum(secret,
pecan.request.body,
content_type,
content_encoding,
tenant,
self.crypto_manager,
self.datum_repo,
self.kek_repo)
def on_post(self, req, resp, keystone_id):
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
body = api.load_body(req, resp, self.validator)
LOG.debug('Start on_post...{0}'.format(body))
if 'secret' not in body:
_secret_not_in_order(req, resp)
secret_info = body['secret']
name = secret_info.get('name')
LOG.debug('Secret to create is {0}'.format(name))
new_order = models.Order()
new_order.secret_name = secret_info.get('name')
new_order.secret_algorithm = secret_info.get('algorithm')
new_order.secret_bit_length = secret_info.get('bit_length', 0)
new_order.secret_mode = secret_info.get('mode')
new_order.secret_payload_content_type = secret_info.get(
'payload_content_type')
new_order.secret_expiration = secret_info.get('expiration')
new_order.tenant_id = tenant.id
self.order_repo.create_from(new_order)
# Send to workers to process.
self.queue.process_order(order_id=new_order.id,
keystone_id=keystone_id)
resp.status = falcon.HTTP_202
resp.set_header('Location', '/{0}/orders/{1}'.format(keystone_id,
new_order.id))
url = convert_order_to_href(keystone_id, new_order.id)
resp.body = json.dumps({'order_ref': url})
def on_post(self, keystone_id, **kwargs):
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_post...%s', data)
new_container = models.Container(data)
new_container.tenant_id = tenant.id
#TODO(hgedikli): performance optimizations
for secret_ref in new_container.container_secrets:
secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
# This only partially localizes the error message and
# doesn't localize secret_ref.name.
pecan.abort(404, u._("Secret provided for '{0}' doesn't"
" exist.").format(secret_ref.name))
self.container_repo.create_from(new_container)
pecan.response.status = 201
pecan.response.headers['Location'] = '/{0}/containers/{1}'.format(
keystone_id, new_container.id
)
url = controllers.hrefs.convert_container_to_href(new_container.id)
return {'container_ref': url}
def on_put(self, keystone_id, **kwargs):
if not pecan.request.content_type or \
pecan.request.content_type == 'application/json':
pecan.abort(
415,
u._("Content-Type of '{0}' is not supported for PUT.").format(
pecan.request.content_type
)
)
secret = self.repo.get(entity_id=self.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found()
if secret.encrypted_data:
_secret_already_has_data()
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
content_type = pecan.request.content_type
content_encoding = pecan.request.headers.get('Content-Encoding')
res.create_encrypted_datum(secret,
pecan.request.body,
content_type,
content_encoding,
tenant,
self.crypto_manager,
self.datum_repo,
self.kek_repo)
def on_post(self, req, resp, tenant_id):
LOG.debug('Start on_post for tenant-ID {0}:'.format(tenant_id))
data = load_body(req)
tenant = get_or_create_tenant(tenant_id, self.tenant_repo)
new_secret = create_secret(data, tenant, self.crypto_manager,
self.secret_repo, self.tenant_secret_repo,
self.datum_repo)
resp.status = falcon.HTTP_202
resp.set_header('Location', '/{0}/secrets/{1}'.format(tenant_id,
new_secret.id))
url = convert_secret_to_href(tenant_id, new_secret.id)
LOG.debug('URI to secret is {0}'.format(url))
resp.body = json.dumps({'secret_ref': url})
def on_get(self, req, resp, tenant_id, secret_id):
secret = self.repo.get(entity_id=secret_id, suppress_exception=True)
if not secret:
_secret_not_found()
resp.status = falcon.HTTP_200
if not req.accept or req.accept == 'application/json':
# Metadata-only response, no decryption necessary.
resp.set_header('Content-Type', 'application/json')
resp.body = json.dumps(augment_fields_with_content_types(secret),
default=json_handler)
else:
tenant = get_or_create_tenant(tenant_id, self.tenant_repo)
resp.set_header('Content-Type', req.accept)
resp.body = self.crypto_manager.decrypt(req.accept, secret, tenant)
def on_post(self, req, resp, keystone_id):
LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))
data = api.load_body(req, resp, self.validator)
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
new_secret = res.create_secret(data, tenant, self.crypto_manager,
self.secret_repo,
self.tenant_secret_repo,
self.datum_repo,
self.kek_repo)
resp.status = falcon.HTTP_201
resp.set_header('Location', '/{0}/secrets/{1}'.format(keystone_id,
new_secret.id))
url = convert_secret_to_href(keystone_id, new_secret.id)
LOG.debug('URI to secret is {0}'.format(url))
resp.body = json.dumps({'secret_ref': url})
def on_post(self, keystone_id, **kwargs):
LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))
data = api.load_body(pecan.request, validator=self.validator)
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
new_secret = res.create_secret(data, tenant, self.crypto_manager,
self.secret_repo,
self.tenant_secret_repo,
self.datum_repo,
self.kek_repo)
pecan.response.status = 201
pecan.response.headers['Location'] = '/{0}/secrets/{1}'.format(
keystone_id, new_secret.id
)
url = hrefs.convert_secret_to_href(keystone_id, new_secret.id)
LOG.debug('URI to secret is {0}'.format(url))
return {'secret_ref': url}
def on_post(self, keystone_id):
LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))
data = api.load_body(pecan.request, validator=self.validator)
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
new_secret = res.create_secret(data, tenant, self.crypto_manager,
self.secret_repo,
self.tenant_secret_repo,
self.datum_repo,
self.kek_repo)
pecan.response.status = 201
pecan.response.headers['Location'] = '/{0}/secrets/{1}'.format(
keystone_id, new_secret.id
)
url = hrefs.convert_secret_to_href(keystone_id, new_secret.id)
LOG.debug('URI to secret is {0}'.format(url))
return {'secret_ref': url}
def on_put(self, req, resp, keystone_id, secret_id):
if not req.content_type or req.content_type == 'application/json':
_put_accept_incorrect(req.content_type, req, resp)
secret = self.repo.get(entity_id=secret_id, keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found(req, resp)
if secret.mime_type != req.content_type:
_client_content_mismatch_to_secret(secret.mime_type,
req.content_type, req, resp)
if secret.encrypted_data:
_secret_already_has_data(req, resp)
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
try:
plain_text = req.stream.read(api.MAX_BYTES_REQUEST_INPUT_ACCEPTED)
except IOError:
api.abort(falcon.HTTP_500, 'Read Error')
resp.status = falcon.HTTP_200
try:
res.create_encrypted_datum(secret,
plain_text,
tenant,
self.crypto_manager,
self.tenant_secret_repo,
self.datum_repo)
except em.CryptoMimeTypeNotSupportedException as cmtnse:
LOG.exception('Secret creation failed - mime-type not supported')
_secret_mime_type_not_supported(cmtnse.mime_type, req, resp)
except exception.NoDataToProcess:
LOG.exception('No secret data to process')
_secret_plain_text_empty(req, resp)
except exception.LimitExceeded:
LOG.exception('Secret data too big to process')
_secret_data_too_large(req, resp)
except Exception as e:
LOG.exception('Secret creation failed - unknown')
_failed_to_create_encrypted_datum(req, resp)
def on_put(self, req, resp, keystone_id, secret_id):
if not req.content_type or req.content_type == 'application/json':
_put_accept_incorrect(req.content_type, req, resp)
secret = self.repo.get(entity_id=secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found(req, resp)
if secret.mime_type != req.content_type:
_client_content_mismatch_to_secret(secret.mime_type,
req.content_type, req, resp)
if secret.encrypted_data:
_secret_already_has_data(req, resp)
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
try:
plain_text = req.stream.read(api.MAX_BYTES_REQUEST_INPUT_ACCEPTED)
except IOError:
api.abort(falcon.HTTP_500, 'Read Error')
resp.status = falcon.HTTP_200
try:
res.create_encrypted_datum(secret, plain_text, tenant,
self.crypto_manager,
self.tenant_secret_repo,
self.datum_repo)
except em.CryptoMimeTypeNotSupportedException as cmtnse:
LOG.exception('Secret creation failed - mime-type not supported')
_secret_mime_type_not_supported(cmtnse.mime_type, req, resp)
except exception.NoDataToProcess:
LOG.exception('No secret data to process')
_secret_plain_text_empty(req, resp)
except exception.LimitExceeded:
LOG.exception('Secret data too big to process')
_secret_data_too_large(req, resp)
except Exception as e:
LOG.exception('Secret creation failed - unknown')
_failed_to_create_encrypted_datum(req, resp)
def index(self, keystone_id, **kwargs):
secret = self.repos.secret_repo.get(entity_id=self.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found()
if controllers.is_json_request_accept(pecan.request):
# Metadata-only response, no secret retrieval is necessary.
pecan.override_template('json', 'application/json')
secret_fields = putil.mime_types.augment_fields_with_content_types(
secret)
transport_key_needed = kwargs.get('transport_key_needed',
'false').lower() == 'true'
if transport_key_needed:
transport_key_id = plugin.get_transport_key_id_for_retrieval(
secret)
if transport_key_id is not None:
secret_fields['transport_key_id'] = transport_key_id
return hrefs.convert_to_hrefs(secret_fields)
else:
tenant = res.get_or_create_tenant(keystone_id,
self.repos.tenant_repo)
pecan.override_template('', pecan.request.accept.header_value)
transport_key = None
twsk = kwargs.get('trans_wrapped_session_key', None)
if twsk is not None:
transport_key_id = kwargs.get('transport_key_id', None)
if transport_key_id is None:
_request_has_twsk_but_no_transport_key_id()
transport_key_model = self.repos.transport_key_repo.get(
entity_id=transport_key_id,
suppress_exception=True)
transport_key = transport_key_model.transport_key
return plugin.get_secret(pecan.request.accept.header_value,
secret,
tenant,
self.repos,
twsk,
transport_key)
def on_post(self, keystone_id, **kwargs):
LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))
data = api.load_body(pecan.request, validator=self.validator)
tenant = res.get_or_create_tenant(keystone_id, self.repos.tenant_repo)
new_secret = plugin.store_secret(data.get('payload'),
data.get('payload_content_type',
'application/octet-stream'),
data.get('payload_content_encoding'),
data, None, tenant,
self.repos)
pecan.response.status = 201
pecan.response.headers['Location'] = '/{0}/secrets/{1}'.format(
keystone_id, new_secret.id
)
url = hrefs.convert_secret_to_href(keystone_id, new_secret.id)
LOG.debug('URI to secret is {0}'.format(url))
return {'secret_ref': url}
def on_post(self, keystone_id, **kwargs):
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_post...%s', data)
try:
self.container_repo.get(self.container_id, keystone_id)
except exception.NotFound:
controllers.containers.container_not_found()
new_consumer = models.ContainerConsumerMetadatum(self.container_id,
data)
new_consumer.tenant_id = tenant.id
self.consumer_repo.create_from(new_consumer)
pecan.response.headers['Location'] = '/{0}/containers/{1}/consumers' \
.format(keystone_id, new_consumer.container_id)
return self._return_container_data(self.container_id, keystone_id)
def on_post(self, req, resp, keystone_id):
LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))
data = api.load_body(req, resp, self.validator)
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
new_verification = models.Verification(data)
new_verification.tenant_id = tenant.id
self.verification_repo.create_from(new_verification)
# Send to workers to process.
self.queue.process_verification(verification_id=new_verification.id,
keystone_id=keystone_id)
resp.status = falcon.HTTP_202
resp.set_header('Location',
'/{0}/verifications/{1}'.format(keystone_id,
new_verification.id))
url = convert_verification_to_href(keystone_id, new_verification.id)
LOG.debug('URI to verification is {0}'.format(url))
resp.body = json.dumps({'verification_ref': url})
def _handle_order(self, order):
"""
Either creates a secret item here, or else begins the extended
process of creating a secret (such as for SSL certificate
generation.
"""
LOG.debug("Handling order for secret type of {0}..."
.format(order.secret_mime_type))
order_info = order.to_dict_fields()
secret_info = order_info['secret']
# Create Secret
tenant = get_or_create_tenant(order.tenant_id, self.tenant_repo)
new_secret = create_secret(secret_info, tenant,
self.crypto_manager, self.secret_repo,
self.tenant_secret_repo, self.datum_repo,
ok_to_generate=True)
order.secret_id = new_secret.id
LOG.debug("...done creating order's secret.")
def on_post(self, req, resp, keystone_id):
LOG.debug('Start on_post for tenant-ID {0}:...'.format(keystone_id))
data = api.load_body(req, resp, self.validator)
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
new_verification = models.Verification(data)
new_verification.tenant_id = tenant.id
self.verification_repo.create_from(new_verification)
# Send to workers to process.
self.queue.process_verification(verification_id=new_verification.id,
keystone_id=keystone_id)
resp.status = falcon.HTTP_202
resp.set_header('Location',
'/{0}/verifications/{1}'.format(keystone_id,
new_verification.id))
url = convert_verification_to_href(keystone_id, new_verification.id)
LOG.debug('URI to verification is {0}'.format(url))
resp.body = json.dumps({'verification_ref': url})
def index(self, keystone_id):
secret = self.repo.get(entity_id=self.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found()
if controllers.is_json_request_accept(pecan.request):
# Metadata-only response, no decryption necessary.
pecan.override_template('json', 'application/json')
secret_fields = mime_types.augment_fields_with_content_types(
secret)
return hrefs.convert_to_hrefs(keystone_id, secret_fields)
else:
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
pecan.override_template('', pecan.request.accept.header_value)
return self.crypto_manager.decrypt(
pecan.request.accept.header_value,
secret,
tenant
)
def index(self, keystone_id):
secret = self.repo.get(entity_id=self.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret:
_secret_not_found()
if controllers.is_json_request_accept(pecan.request):
# Metadata-only response, no decryption necessary.
pecan.override_template('json', 'application/json')
secret_fields = mime_types.augment_fields_with_content_types(
secret)
return hrefs.convert_to_hrefs(keystone_id, secret_fields)
else:
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
pecan.override_template('', pecan.request.accept.header_value)
return self.crypto_manager.decrypt(
pecan.request.accept.header_value,
secret,
tenant
)
def on_post(self, keystone_id, **kwargs):
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
body = api.load_body(pecan.request,
validator=self.type_order_validator)
order_type = body.get('type')
LOG.debug('Processing order type %s', order_type)
new_order = models.Order()
new_order.meta = body.get('meta')
new_order.type = order_type
new_order.tenant_id = tenant.id
self.order_repo.create_from(new_order)
self.queue.process_type_order(order_id=new_order.id,
keystone_id=keystone_id)
pecan.response.status = 202
pecan.response.headers['Location'] = '/{0}/orders/{1}'.format(
keystone_id, new_order.id
)
url = hrefs.convert_order_to_href(new_order.id)
return {'order_ref': url}
def on_post(self, keystone_id, **kwargs):
tenant = res.get_or_create_tenant(keystone_id, self.tenant_repo)
#Note(atiwari): trying to preserve backward compatibility
#This will be removed as part of bug1335171
raw_body = pecan.request.body
order_type = None
if raw_body:
order_type = json.loads(raw_body).get('type')
if order_type:
body = api.load_body(pecan.request,
validator=self.type_order_validator)
LOG.debug('Processing order type %s', order_type)
new_order = models.Order()
new_order.meta = body.get('meta')
new_order.type = order_type
#TODO(john-wood-w) These are required attributes currently, but
# will eventually be removed once we drop the legacy orders
# request.
new_order.secret_name = 'N/A'
new_order.secret_algorithm = 'N/A'
new_order.secret_bit_length = 0
new_order.secret_mode = 'N/A'
new_order.secret_payload_content_type = 'N/A'
else:
body = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_post...%s', body)
if 'secret' not in body:
_secret_not_in_order()
secret_info = body['secret']
name = secret_info.get('name')
LOG.debug('Secret to create is %s', name)
new_order = models.Order()
new_order.secret_name = secret_info.get('name')
new_order.secret_algorithm = secret_info.get('algorithm')
new_order.secret_bit_length = secret_info.get('bit_length', 0)
new_order.secret_mode = secret_info.get('mode')
new_order.secret_payload_content_type = secret_info.get(
'payload_content_type')
new_order.secret_expiration = secret_info.get('expiration')
new_order.tenant_id = tenant.id
self.order_repo.create_from(new_order)
# Send to workers to process.
#TODO(atiwari) - bug 1335171
if order_type:
self.queue.process_type_order(order_id=new_order.id,
keystone_id=keystone_id)
else:
self.queue.process_order(order_id=new_order.id,
keystone_id=keystone_id)
pecan.response.status = 202
pecan.response.headers['Location'] = '/{0}/orders/{1}'.format(
keystone_id, new_order.id
)
url = hrefs.convert_order_to_href(new_order.id)
return {'order_ref': url}