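def validate_ca_id(project_id, order_meta):
    """Check that the CA named in an order may be used by the project.

    Returns silently when the order names no CA or when the CA is usable.

    :param project_id: internal ID of the project placing the order
    :param order_meta: order metadata dict; only ``ca_id`` is read here
    :raises exception.InvalidCAID: ``ca_id`` does not resolve to a CA
    :raises exception.UnauthorizedSubCA: the CA is owned by another project
    :raises exception.CANotDefinedForProject: the project has project CAs
        defined and this CA is not one of them
    :return: None
    """
    ca_id = order_meta.get('ca_id')
    if not ca_id:
        return

    ca_repo = repo.get_ca_repository()
    ca = ca_repo.get(ca_id, suppress_exception=True)
    if not ca:
        raise exception.InvalidCAID(ca_id=ca_id)

    # Ownership check: a CA carrying a project_id is owned by that project.
    # It must be rejected here, because the project-CA list check below is
    # skipped entirely when the requesting project has no project CAs.
    if ca.project_id and ca.project_id != project_id:
        raise exception.UnauthorizedSubCA()

    project_ca_repo = repo.get_project_ca_repository()
    project_cas, _, _, total = project_ca_repo.get_by_create_date(
        project_id=project_id,
        suppress_exception=True
    )
    # No project CAs defined for this project: no allow-list to enforce.
    if total < 1:
        return

    if any(ca.id == project_ca.ca_id for project_ca in project_cas):
        return

    raise exception.CANotDefinedForProject(
        ca_id=ca_id, project_id=project_id)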
def create_project_cert_authority(certificate_authority=None, session=None):
    """Store a project-to-CA association for the given CA and return it.

    The association links the CA's ``id`` to the CA's own ``project_id``.

    :param certificate_authority: CA entity providing ``id`` and
        ``project_id``; the ``None`` default is not handled and fails on
        attribute access
    :param session: database session forwarded to ``create_from``
    :return: the new ``models.ProjectCertificateAuthority`` instance
    """
    association = models.ProjectCertificateAuthority(
        ca_id=certificate_authority.id,
        project_id=certificate_authority.project_id,
    )
    repositories.get_project_ca_repository().create_from(
        association, session=session)
    return association
def __init__(self, ca):
    """Bind the controller to one CA and fetch the repositories it uses.

    :param ca: value stored on the instance as ``self.ca``
    """
    LOG.debug('=== Creating CertificateAuthorityController ===')
    self.ca = ca

    # Repository handles, fetched once per controller instance.
    self.ca_repo = repo.get_ca_repository()
    self.project_ca_repo = repo.get_project_ca_repository()
    self.preferred_ca_repo = repo.get_preferred_ca_repository()
    self.project_repo = repo.get_project_repository()
def validate_ca_id(project_id, order_meta):
    """Check that the CA named in an order may be used by the project.

    Returns silently when the order names no CA or when the CA is usable.

    :param project_id: internal ID of the project placing the order
    :param order_meta: order metadata dict; only ``ca_id`` is read here
    :raises exception.InvalidCAID: ``ca_id`` does not resolve to a CA
    :raises exception.UnauthorizedSubCA: the CA is owned by another project
    :raises exception.CANotDefinedForProject: the project has project CAs
        defined and this CA is not one of them
    :return: None
    """
    requested_id = order_meta.get('ca_id')
    if not requested_id:
        return

    ca = repo.get_ca_repository().get(requested_id, suppress_exception=True)
    if not ca:
        raise exception.InvalidCAID(ca_id=requested_id)

    # Ownership check: a CA carrying a project_id may only be used by that
    # project. It runs before the project-CA list check, which is skipped
    # when the requesting project has no project CAs.
    owned_by_other_project = ca.project_id and ca.project_id != project_id
    if owned_by_other_project:
        raise exception.UnauthorizedSubCA()

    project_cas, _offset, _limit, total = (
        repo.get_project_ca_repository().get_by_create_date(
            project_id=project_id,
            suppress_exception=True
        )
    )
    # No project CAs defined for this project: no allow-list to enforce.
    if total < 1:
        return

    if any(ca.id == entry.ca_id for entry in project_cas):
        return

    raise exception.CANotDefinedForProject(
        ca_id=requested_id, project_id=project_id)
def __init__(self):
    """Fetch the repositories this controller uses; no validator is set."""
    LOG.debug('Creating CertificateAuthoritiesController')

    # Repository handles, fetched once per controller instance.
    self.ca_repo = repo.get_ca_repository()
    self.project_ca_repo = repo.get_project_ca_repository()
    self.preferred_ca_repo = repo.get_preferred_ca_repository()
    self.project_repo = repo.get_project_repository()

    # This version of the controller carries no request validator.
    self.validator = None
def __init__(self):
    """Set up repositories, the new-CA validator and the CA quota enforcer.

    Construction also refreshes the certificate resources, so creating the
    controller has a side effect beyond the instance itself.
    """
    LOG.debug('Creating CertificateAuthoritiesController')

    # Repository handles, fetched once per controller instance.
    self.ca_repo = repo.get_ca_repository()
    self.project_ca_repo = repo.get_project_ca_repository()
    self.preferred_ca_repo = repo.get_preferred_ca_repository()
    self.project_repo = repo.get_project_repository()

    self.validator = validators.NewCAValidator()
    # Quota enforcement for the 'cas' resource, backed by the CA repository.
    self.quota_enforcer = quota.QuotaEnforcer('cas', self.ca_repo)

    # Populate the CA table at start up
    cert_resources.refresh_certificate_resources()
def is_last_project_ca(project_id):
    """Tell whether the project has exactly one project CA.

    :param project_id: internal project ID
    :return: True when the repository reports a total of one project CA,
        False otherwise
    """
    _entities, _offset, _limit, count = (
        repos.get_project_ca_repository().get_by_create_date(
            project_id=project_id, suppress_exception=True)
    )
    return count == 1
def is_last_project_ca(project_id):
    """Report whether exactly one project CA is recorded for the project.

    :param project_id: internal project ID
    :return: Boolean; True only when the repository total equals one
    """
    repository = repos.get_project_ca_repository()
    # Only the total of the (entities, offset, limit, total) result is used.
    _cas, _start, _size, how_many = repository.get_by_create_date(
        project_id=project_id,
        suppress_exception=True
    )
    return how_many == 1
def delete_subordinate_ca(external_project_id, ca):
    """Remove a subordinate CA together with its related records.

    The CA must be a subordinate CA owned by the caller's project. Its
    preferred-CA and project-CA entries are removed first, then the CA is
    deleted from its plugin and finally from the CA repository.

    :param external_project_id: external project ID
    :param ca: class:`models.CertificateAuthority` to be deleted
    :raises excep.CannotDeleteBaseCA: ``ca`` has no ``project_id``
    :raises excep.UnauthorizedSubCA: ``ca`` belongs to a different project
    :raises excep.CannotDeletePreferredCA: ``ca`` is the project's preferred
        CA and is not the project's only project CA
    :return: None
    """
    # TODO(alee) See if the checks below can be moved to the RBAC code

    # A CA without a project_id is a base CA, not a subCA.
    if ca.project_id is None:
        raise excep.CannotDeleteBaseCA()

    # Authorization: the caller's project has to own this subCA.
    owner = res.get_or_create_project(external_project_id)
    if ca.project_id != owner.id:
        raise excep.UnauthorizedSubCA()

    project_ca_repo = repos.get_project_ca_repository()
    project_entries = project_ca_repo.get_by_create_date(
        project_id=owner.id, ca_id=ca.id, suppress_exception=True)
    (project_cas, _, _, _) = project_entries

    preferred_ca_repo = repos.get_preferred_ca_repository()
    preferred_entries = preferred_ca_repo.get_by_create_date(
        project_id=owner.id, ca_id=ca.id, suppress_exception=True)
    (preferred_cas, _, _, _) = preferred_entries

    # Can not delete a project preferred CA, if other project CAs exist. One
    # of those needs to be designated as the preferred CA first.
    if project_cas and preferred_cas:
        if not is_last_project_ca(owner.id):
            raise excep.CannotDeletePreferredCA()

    # Drop the preferred-CA record, if there is one.
    if preferred_cas:
        preferred_ca_repo.delete_entity_by_id(
            preferred_cas[0].id, external_project_id)

    # Drop the CA from the project's CA list, if it is on it.
    if project_cas:
        project_ca_repo.delete_entity_by_id(
            project_cas[0].id, external_project_id)

    # Ask the plugin that backs this CA to delete its own entry.
    plugin_manager = cert.CertificatePluginManager()
    plugin_manager.get_plugin_by_name(ca.plugin_name).delete_ca(
        ca.plugin_ca_id)

    # Last step: remove the CA entity itself.
    repos.get_ca_repository().delete_entity_by_id(
        entity_id=ca.id,
        external_project_id=external_project_id)
def delete_subordinate_ca(external_project_id, ca):
    """Delete a subordinate CA and the records that reference it.

    Two checks run before anything is removed: the CA must have a
    ``project_id`` (base CAs are refused) and that project must be the
    caller's. Deletion order is preferred-CA entry, project-CA entry, the
    plugin's CA, then the CA entity.

    :param external_project_id: external project ID
    :param ca: class:`models.CertificateAuthority` to be deleted
    :raises excep.CannotDeleteBaseCA: ``ca`` has no ``project_id``
    :raises excep.UnauthorizedSubCA: ``ca`` belongs to a different project
    :raises excep.CannotDeletePreferredCA: ``ca`` is the project's preferred
        CA and is not the project's only project CA
    :return: None
    """
    # TODO(alee) See if the checks below can be moved to the RBAC code

    # Base CAs carry no project_id and are never deleted through this path.
    if ca.project_id is None:
        raise excep.CannotDeleteBaseCA()

    # Ownership check against the caller's (possibly just created) project.
    caller_project = res.get_or_create_project(external_project_id)
    if ca.project_id != caller_project.id:
        raise excep.UnauthorizedSubCA()

    project_ca_repo = repos.get_project_ca_repository()
    (project_cas, _, _, _) = project_ca_repo.get_by_create_date(
        project_id=caller_project.id,
        ca_id=ca.id,
        suppress_exception=True)

    preferred_ca_repo = repos.get_preferred_ca_repository()
    (preferred_cas, _, _, _) = preferred_ca_repo.get_by_create_date(
        project_id=caller_project.id,
        ca_id=ca.id,
        suppress_exception=True)

    # Can not delete a project preferred CA, if other project CAs exist. One
    # of those needs to be designated as the preferred CA first.
    is_preferred_project_ca = project_cas and preferred_cas
    if is_preferred_project_ca and not is_last_project_ca(caller_project.id):
        raise excep.CannotDeletePreferredCA()

    # Remove the preferred-CA entry first.
    if preferred_cas:
        preferred_entry = preferred_cas[0]
        preferred_ca_repo.delete_entity_by_id(preferred_entry.id,
                                              external_project_id)

    # Then remove the CA from the project's list.
    if project_cas:
        project_entry = project_cas[0]
        project_ca_repo.delete_entity_by_id(project_entry.id,
                                            external_project_id)

    # Delete the CA inside the plugin that manages it.
    backing_plugin = cert.CertificatePluginManager().get_plugin_by_name(
        ca.plugin_name)
    backing_plugin.delete_ca(ca.plugin_ca_id)

    # Finally, delete the CA entity from the CA repository.
    ca_store = repos.get_ca_repository()
    ca_store.delete_entity_by_id(
        entity_id=ca.id, external_project_id=external_project_id)
import os import uuid import mock from barbican.common import resources from barbican.model import models from barbican.model import repositories from barbican.tests.api.controllers import test_acls from barbican.tests.api import test_resources_policy as test_policy from barbican.tests import utils order_repo = repositories.get_order_repository() project_repo = repositories.get_project_repository() ca_repo = repositories.get_ca_repository() project_ca_repo = repositories.get_project_ca_repository() container_repo = repositories.get_container_repository() generic_key_meta = { 'name': 'secretname', 'algorithm': 'AES', 'bit_length': 256, 'mode': 'cbc', 'payload_content_type': 'application/octet-stream' } class WhenCreatingOrdersUsingOrdersResource(utils.BarbicanAPIBaseTestCase): def test_can_create_a_new_order(self): resp, order_uuid = create_order(self.app, order_type='key',
from barbican.common import exception as excep from barbican.common import hrefs from barbican.common import resources as res from barbican.model import models from barbican.model import repositories from barbican.plugin.interface import certificate_manager as cert_man from barbican.plugin.interface import secret_store from barbican.tasks import certificate_resources as cert_res from barbican.tasks import common from barbican.tests import database_utils from barbican.tests import utils container_repo = repositories.get_container_repository() secret_repo = repositories.get_secret_repository() ca_repo = repositories.get_ca_repository() project_ca_repo = repositories.get_project_ca_repository() preferred_ca_repo = repositories.get_preferred_ca_repository() project_repo = repositories.get_project_repository() order_repo = repositories.get_order_repository() class WhenPerformingPrivateOperations(utils.BaseTestCase, utils.MockModelRepositoryMixin): """Tests private methods within certificate_resources.py.""" def setUp(self): super(WhenPerformingPrivateOperations, self).setUp() self.order_plugin_meta_repo = mock.MagicMock() self.setup_order_plugin_meta_repository_mock( self.order_plugin_meta_repo) self.order_barbican_meta_repo = mock.MagicMock()