def validate_ca_id(project_id, order_meta): ca_id = order_meta.get('ca_id') if not ca_id: return ca_repo = repo.get_ca_repository() ca = ca_repo.get(ca_id, suppress_exception=True) if not ca: raise exception.InvalidCAID(ca_id=ca_id) if ca.project_id and ca.project_id != project_id: raise exception.UnauthorizedSubCA() project_ca_repo = repo.get_project_ca_repository() project_cas, offset, limit, total = project_ca_repo.get_by_create_date( project_id=project_id, suppress_exception=True ) if total < 1: return for project_ca in project_cas: if ca.id == project_ca.ca_id: return raise exception.CANotDefinedForProject( ca_id=ca_id, project_id=project_id)
def add_to_project(self, external_project_id): if pecan.request.method != 'POST': pecan.abort(405) LOG.debug("== Saving CA %s to external_project_id %s", self.ca.id, external_project_id) project_model = res.get_or_create_project(external_project_id) # CA must be a base CA or a subCA owned by this project if (self.ca.project_id is not None and self.ca.project_id != project_model.id): raise excep.UnauthorizedSubCA() project_cas = project_model.cas num_cas = len(project_cas) for project_ca in project_cas: if project_ca.ca_id == self.ca.id: # project already added return project_ca = models.ProjectCertificateAuthority( project_model.id, self.ca.id) self.project_ca_repo.create_from(project_ca) if num_cas == 0: # set first project CA to be the preferred one preferred_ca = models.PreferredCertificateAuthority( project_model.id, self.ca.id) self.preferred_ca_repo.create_from(preferred_ca)
def test_should_raise_delete_not_authorized(self, mocked_task): self.create_cas() mocked_task.side_effect = exception.UnauthorizedSubCA() resp = self.app.delete('/cas/' + self.subca.id, expect_errors=True) mocked_task.assert_called_once_with(self.project_id, self.subca) self.assertEqual(403, resp.status_int)
def delete_subordinate_ca(external_project_id, ca): """Deletes a subordinate CA and any related artifacts :param external_project_id: external project ID :param ca: class:`models.CertificateAuthority` to be deleted :return: None """ # TODO(alee) See if the checks below can be moved to the RBAC code # Check that this CA is a subCA if ca.project_id is None: raise excep.CannotDeleteBaseCA() # Check that the user's project owns this subCA project = res.get_or_create_project(external_project_id) if ca.project_id != project.id: raise excep.UnauthorizedSubCA() project_ca_repo = repos.get_project_ca_repository() (project_cas, _, _, _) = project_ca_repo.get_by_create_date(project_id=project.id, ca_id=ca.id, suppress_exception=True) preferred_ca_repo = repos.get_preferred_ca_repository() (preferred_cas, _, _, _) = preferred_ca_repo.get_by_create_date(project_id=project.id, ca_id=ca.id, suppress_exception=True) # Can not delete a project preferred CA, if other project CAs exist. One # of those needs to be designated as the preferred CA first. if project_cas and preferred_cas and not is_last_project_ca(project.id): raise excep.CannotDeletePreferredCA() # Remove the CA as preferred if preferred_cas: preferred_ca_repo.delete_entity_by_id(preferred_cas[0].id, external_project_id) # Remove the CA from project list if project_cas: project_ca_repo.delete_entity_by_id(project_cas[0].id, external_project_id) # Delete the CA entry from plugin cert_plugin = cert.CertificatePluginManager().get_plugin_by_name( ca.plugin_name) cert_plugin.delete_ca(ca.plugin_ca_id) # Finally, delete the CA entity from the CA repository ca_repo = repos.get_ca_repository() ca_repo.delete_entity_by_id(entity_id=ca.id, external_project_id=external_project_id)
def create_subordinate_ca(project_model, name, description, subject_dn, parent_ca_ref, creator_id): """Create a subordinate CA :param name - name of the subordinate CA :param: description - description of the subordinate CA :param: subject_dn - subject DN of the subordinate CA :param: parent_ca_ref - Barbican URL reference to the parent CA :param: creator_id - id for creator of the subordinate CA :return: :class models.CertificateAuthority model object for new sub CA """ # check that the parent ref exists and is accessible parent_ca_id = hrefs.get_ca_id_from_ref(parent_ca_ref) ca_repo = repos.get_ca_repository() parent_ca = ca_repo.get(entity_id=parent_ca_id, suppress_exception=True) if not parent_ca: raise excep.InvalidParentCA(parent_ca_ref=parent_ca_ref) # Parent CA must be a base CA or a subCA owned by this project if (parent_ca.project_id is not None and parent_ca.project_id != project_model.id): raise excep.UnauthorizedSubCA() # get the parent plugin, raises CertPluginNotFound if missing cert_plugin = cert.CertificatePluginManager().get_plugin_by_name( parent_ca.plugin_name) # confirm that the plugin supports creating subordinate CAs if not cert_plugin.supports_create_ca(): raise excep.SubCAsNotSupported() # make call to create the subordinate ca create_ca_dto = cert.CACreateDTO( name=name, description=description, subject_dn=subject_dn, parent_ca_id=parent_ca.plugin_ca_id) new_ca_dict = cert_plugin.create_ca(create_ca_dto) if not new_ca_dict: raise excep.SubCANotCreated(name=name) # create and store the subordinate CA as a new certificate authority object new_ca_dict['plugin_name'] = parent_ca.plugin_name new_ca_dict['creator_id'] = creator_id new_ca_dict['project_id'] = project_model.id new_ca = models.CertificateAuthority(new_ca_dict) ca_repo.create_from(new_ca) return new_ca