def _get_applicable_plugins_for_type(manager, project_id, existing_plugin_name, plugin_type_field): plugins = [] plugin_dict = {ext.name: ext.obj for ext in manager.extensions if ext.obj} if utils.is_multiple_backends_enabled() and existing_plugin_name is None: proj_store_repo = db_repos.get_project_secret_store_repository() plugin_store = proj_store_repo.get_secret_store_for_project( project_id, None, suppress_exception=True) # If project specific store is not set, then use global default one. if not plugin_store: if manager.global_default_store_dict is None: # Need to cache data as dict instead of db object to be usable # across various request sqlalchemy sessions store_dict = get_global_default_secret_store().to_dict_fields() manager.global_default_store_dict = store_dict secret_store_data = manager.global_default_store_dict else: secret_store_data = plugin_store.secret_store.to_dict_fields() applicable_plugin_name = secret_store_data[plugin_type_field] if applicable_plugin_name in plugin_dict: plugins = [plugin_dict.get(applicable_plugin_name)] elif applicable_plugin_name: # applicable_plugin_name has value raise exception.MultipleStorePreferredPluginMissing( applicable_plugin_name) else: plugins = plugin_dict.values() return plugins
def _get_applicable_plugins_for_type(manager, project_id, existing_plugin_name, plugin_type_field): plugins = [] plugin_dict = {ext.name: ext.obj for ext in manager.extensions if ext.obj} if utils.is_multiple_backends_enabled() and existing_plugin_name is None: proj_store_repo = db_repos.get_project_secret_store_repository() plugin_store = proj_store_repo.get_secret_store_for_project( project_id, None, suppress_exception=True) # If project specific store is not set, then use global default one. if not plugin_store: if manager.global_default_store_dict is None: # Need to cache data as dict instead of db object to be usable # across various request sqlalchemy sessions store_dict = get_global_default_secret_store().to_dict_fields() manager.global_default_store_dict = store_dict secret_store_data = manager.global_default_store_dict else: secret_store_data = plugin_store.secret_store.to_dict_fields() applicable_plugin_name = secret_store_data[plugin_type_field] if applicable_plugin_name in plugin_dict: plugins = [plugin_dict.get(applicable_plugin_name)] elif applicable_plugin_name: # applicable_plugin_name has value raise exception.MultipleStorePreferredPluginMissing( applicable_plugin_name) else: plugins = plugin_dict.values() return plugins
def _create_project_store(self, project_id, secret_store_id): proj_store_repo = repositories.get_project_secret_store_repository() session = proj_store_repo.get_session() proj_model = models.ProjectSecretStore(project_id, secret_store_id) proj_s_store = proj_store_repo.create_from(proj_model, session) proj_s_store.save(session=session) return proj_s_store
def _create_project_store(self, project_id, secret_store_id): proj_store_repo = repos.get_project_secret_store_repository() session = proj_store_repo.get_session() proj_model = models.ProjectSecretStore(project_id, secret_store_id) proj_s_store = proj_store_repo.create_from(proj_model, session) proj_s_store.save(session=session) return proj_s_store
class ProjectSecretStore(base.BarbicanObject, base.BarbicanPersistentObject, object_base.VersionedObjectDictCompat): fields = { 'secret_store_id': fields.StringField(nullable=True, default=None), 'project_id': fields.StringField(nullable=True, default=None), 'secret_store': fields.ObjectField('SecretStores', nullable=True, default=None), 'project': fields.ObjectField('Project', nullable=True, default=None), 'status': fields.StringField(nullable=True, default=base.States.ACTIVE) } db_model = models.ProjectSecretStore db_repo = repos.get_project_secret_store_repository() synthetic_fields = ['secret_store', 'project'] def _validate_fields(self, change_fields): msg = u._("Must supply non-None {0} argument for ProjectSecretStore " " entry.") if not change_fields.get('project_id'): raise exception.MissingArgumentError(msg.format("project_id")) if not change_fields.get('secret_store_id'): raise exception.MissingArgumentError(msg.format("secret_store_id")) @classmethod def get_secret_store_for_project(cls, project_id, external_project_id, suppress_exception=False, session=None): pss_db = cls.db_repo.get_secret_store_for_project( project_id, external_project_id, suppress_exception, session) return cls()._from_db_object(pss_db) @classmethod def create_or_update_for_project(cls, project_id, secret_store_id, session=None): pss_db = cls.db_repo.create_or_update_for_project( project_id, secret_store_id, session) return cls()._from_db_object(pss_db) @classmethod def get_count_by_secret_store(cls, secret_store_id, session=None): number_pss = cls.db_repo.get_count_by_secret_store( secret_store_id, session) return number_pss
class ProjectSecretStore(base.BarbicanObject, base.BarbicanPersistentObject, object_base.VersionedObjectDictCompat): fields = { 'secret_store_id': fields.StringField(), 'project_id': fields.StringField(), 'secret_store': fields.ObjectField('SecretStores', nullable=True, default=None), 'project': fields.ObjectField('Project', nullable=True, default=None), 'status': fields.StringField(nullable=True, default=base.States.ACTIVE) } db_model = models.ProjectSecretStore db_repo = repos.get_project_secret_store_repository() synthetic_fields = ['secret_store', 'project'] @classmethod def get_secret_store_for_project(cls, project_id, external_project_id, suppress_exception=False, session=None): pss_db = cls.db_repo.get_secret_store_for_project( project_id, external_project_id, suppress_exception, session) return cls()._from_db_object(pss_db) @classmethod def create_or_update_for_project(cls, project_id, secret_store_id, session=None): pss_db = cls.db_repo.create_or_update_for_project( project_id, secret_store_id, session) return cls()._from_db_object(pss_db) @classmethod def get_count_by_secret_store(cls, secret_store_id, session=None): number_pss = cls.db_repo.get_count_by_secret_store( secret_store_id, session) return number_pss
def __init__(self, secret_store): LOG.debug('=== Creating PreferredSecretStoreController ===') self.secret_store = secret_store self.proj_store_repo = repo.get_project_secret_store_repository()
def __init__(self): LOG.debug('Creating SecretStoresController') self.secret_stores_repo = repo.get_secret_stores_repository() self.proj_store_repo = repo.get_project_secret_store_repository()
def __init__(self, secret_store): LOG.debug('=== Creating PreferredSecretStoreController ===') self.secret_store = secret_store self.proj_store_repo = repo.get_project_secret_store_repository()
def __init__(self): LOG.debug('Creating SecretStoresController') self.secret_stores_repo = repo.get_secret_stores_repository() self.proj_store_repo = repo.get_project_secret_store_repository()
def setUp(self): super(WhenTestingProjectSecretStore, self).setUp() self.secret_store_repo = repos.get_secret_stores_repository() self.proj_store_repo = repos.get_project_secret_store_repository()
def sync_secret_stores(secretstore_manager, crypto_manager=None): """Synchronize secret store plugin names between service conf and database This method reads secret and crypto store plugin name from service configuration and then synchronizes corresponding data maintained in database SecretStores table. Any new plugin name(s) added in service configuration is added as a new entry in SecretStores table. If global_default value is changed for existing plugins, then global_default flag is updated to reflect that change in database. If plugin name is removed from service configuration, then removal is possible as long as respective plugin names are NOT set as preferred secret store for a project. If it is used and plugin name is removed, then error is raised. This logic is intended to be invoked at server startup so any error raised here will result in critical failure. """ if not utils.is_multiple_backends_enabled(): return # doing local import to avoid circular dependency between manager and # current utils module from barbican.plugin.crypto import manager as cm secret_stores_repo = db_repos.get_secret_stores_repository() proj_store_repo = db_repos.get_project_secret_store_repository() if crypto_manager is None: crypto_manager = cm.get_manager() def get_friendly_name_dict(ext_manager): """Returns dict of plugin internal name and friendly name entries.""" names_dict = {} for ext in ext_manager.extensions: if ext.obj and hasattr(ext.obj, 'get_plugin_name'): names_dict[ext.name] = ext.obj.get_plugin_name() return names_dict ss_friendly_names = get_friendly_name_dict(secretstore_manager) crypto_friendly_names = get_friendly_name_dict(crypto_manager) # get existing secret stores data from database db_stores = secret_stores_repo.get_all() # read secret store data from service configuration conf_stores = [] for parsed_store in secretstore_manager.parsed_stores: crypto_plugin = parsed_store.crypto_plugin if not crypto_plugin: crypto_plugin = None if crypto_plugin: friendly_name = crypto_friendly_names.get(crypto_plugin) else: friendly_name = ss_friendly_names.get(parsed_store.store_plugin) conf_stores.append(db_models.SecretStores( name=friendly_name, store_plugin=parsed_store.store_plugin, crypto_plugin=crypto_plugin, global_default=parsed_store.global_default)) if db_stores: def fn_match(lh_store, rh_store): return (lh_store.store_plugin == rh_store.store_plugin and lh_store.crypto_plugin == rh_store.crypto_plugin) for conf_store in conf_stores: # find existing db entry for plugin using conf based plugin names db_store_match = next((db_store for db_store in db_stores if fn_match(conf_store, db_store)), None) if db_store_match: # update existing db entry if global default is changed now if db_store_match.global_default != conf_store.global_default: db_store_match.global_default = conf_store.global_default # persist flag change. db_store_match.save() # remove matches store from local list after processing db_stores.remove(db_store_match) else: # new conf entry as no match found in existing entries secret_stores_repo.create_from(conf_store) # entries still present in db list are no longer configured in service # configuration, so try to remove them provided there is no project # is using it as preferred secret store. for db_store in db_stores: if proj_store_repo.get_count_by_secret_store(db_store.id) == 0: secret_stores_repo.delete_entity_by_id(db_store.id, None) else: raise exception.MultipleStorePluginStillInUse(db_store.name) else: # initial setup case when there is no secret stores data in db for conf_store in conf_stores: secret_stores_repo.create_from(conf_store)
def setUp(self): super(WhenTestingProjectSecretStore, self).setUp() self.secret_store_repo = repos.get_secret_stores_repository() self.proj_store_repo = repos.get_project_secret_store_repository()
def sync_secret_stores(secretstore_manager, crypto_manager=None): """Synchronize secret store plugin names between service conf and database This method reads secret and crypto store plugin name from service configuration and then synchronizes corresponding data maintained in database SecretStores table. Any new plugin name(s) added in service configuration is added as a new entry in SecretStores table. If global_default value is changed for existing plugins, then global_default flag is updated to reflect that change in database. If plugin name is removed from service configuration, then removal is possible as long as respective plugin names are NOT set as preferred secret store for a project. If it is used and plugin name is removed, then error is raised. This logic is intended to be invoked at server startup so any error raised here will result in critical failure. """ if not utils.is_multiple_backends_enabled(): return # doing local import to avoid circular dependency between manager and # current utils module from barbican.plugin.crypto import manager as cm secret_stores_repo = db_repos.get_secret_stores_repository() proj_store_repo = db_repos.get_project_secret_store_repository() if crypto_manager is None: crypto_manager = cm.get_manager() def get_friendly_name_dict(ext_manager): """Returns dict of plugin internal name and friendly name entries.""" names_dict = {} for ext in ext_manager.extensions: if ext.obj and hasattr(ext.obj, 'get_plugin_name'): names_dict[ext.name] = ext.obj.get_plugin_name() return names_dict ss_friendly_names = get_friendly_name_dict(secretstore_manager) crypto_friendly_names = get_friendly_name_dict(crypto_manager) # get existing secret stores data from database db_stores = secret_stores_repo.get_all() # read secret store data from service configuration conf_stores = [] for parsed_store in secretstore_manager.parsed_stores: crypto_plugin = parsed_store.crypto_plugin if not crypto_plugin: crypto_plugin = None if crypto_plugin: friendly_name = crypto_friendly_names.get(crypto_plugin) else: friendly_name = ss_friendly_names.get(parsed_store.store_plugin) conf_stores.append( db_models.SecretStores(name=friendly_name, store_plugin=parsed_store.store_plugin, crypto_plugin=crypto_plugin, global_default=parsed_store.global_default)) if db_stores: def fn_match(lh_store, rh_store): return (lh_store.store_plugin == rh_store.store_plugin and lh_store.crypto_plugin == rh_store.crypto_plugin) for conf_store in conf_stores: # find existing db entry for plugin using conf based plugin names db_store_match = next( (db_store for db_store in db_stores if fn_match(conf_store, db_store)), None) if db_store_match: # update existing db entry if global default is changed now if db_store_match.global_default != conf_store.global_default: db_store_match.global_default = conf_store.global_default # persist flag change. db_store_match.save() # remove matches store from local list after processing db_stores.remove(db_store_match) else: # new conf entry as no match found in existing entries secret_stores_repo.create_from(conf_store) # entries still present in db list are no longer configured in service # configuration, so try to remove them provided there is no project # is using it as preferred secret store. for db_store in db_stores: if proj_store_repo.get_count_by_secret_store(db_store.id) == 0: secret_stores_repo.delete_entity_by_id(db_store.id, None) else: raise exception.MultipleStorePluginStillInUse(db_store.name) else: # initial setup case when there is no secret stores data in db for conf_store in conf_stores: secret_stores_repo.create_from(conf_store)