Пример #1
0
    def _init_memory_db_setup(self):

        # Force a refresh of the singleton plugin manager for each test.
        manager._PLUGIN_MANAGER = None
        manager.CONF.set_override('enabled_crypto_plugins',
                                  'simple_crypto',
                                  group='crypto')

        self.project_id1 = uuid.uuid4().hex
        self.project_id2 = uuid.uuid4().hex

        self.repos = rep.Repositories(
            project_repo=None, project_secret_repo=None, secret_repo=None,
            datum_repo=None, kek_repo=None, secret_meta_repo=None,
            order_repo=None, order_plugin_meta_repo=None,
            transport_key_repo=None, container_repo=None,
            container_secret_repo=None)

        self.project1_data = c_resources.get_or_create_project(
            self.project_id1, self.repos.project_repo)
        self.assertIsNotNone(self.project1_data)

        self.project2_data = c_resources.get_or_create_project(
            self.project_id2, self.repos.project_repo)
        self.assertIsNotNone(self.project2_data)
Пример #2
0
    def get_global_default(self, external_project_id, **kw):
        LOG.debug('Start secret-stores get global default secret store')

        if not utils.is_multiple_backends_enabled():
            _multiple_backends_not_enabled()

        res.get_or_create_project(external_project_id)

        store = multiple_backends.get_global_default_secret_store()

        return convert_secret_store_to_response_format(store)
Пример #3
0
    def get_global_default(self, external_project_id, **kw):
        LOG.debug('Start secret-stores get global default secret store')

        if not utils.is_multiple_backends_enabled():
            _multiple_backends_not_enabled()

        res.get_or_create_project(external_project_id)

        store = multiple_backends.get_global_default_secret_store()

        return convert_secret_store_to_response_format(store)
Пример #4
0
    def on_post(self, external_project_id, **kwargs):

        project = res.get_or_create_project(external_project_id)
        data = api.load_body(pecan.request, validator=self.validator)
        LOG.debug('Start on_post...%s', data)

        try:
            container = self.container_repo.get(self.container_id,
                                                external_project_id)
        except exception.NotFound:
            controllers.containers.container_not_found()

        new_consumer = models.ContainerConsumerMetadatum(self.container_id,
                                                         data)
        new_consumer.project_id = project.id
        self.consumer_repo.create_or_update_from(new_consumer, container)

        url = hrefs.convert_consumer_to_href(new_consumer.container_id)
        pecan.response.headers['Location'] = url

        LOG.info(u._LI('Created a consumer for project: %s'),
                 external_project_id)

        return self._return_container_data(self.container_id,
                                           external_project_id)
Пример #5
0
    def _on_get_secret_payload(self, secret, external_project_id, **kwargs):
        """GET actual payload containing the secret."""

        # With ACL support, the user token project does not have to be same as
        # project associated with secret. The lookup project_id needs to be
        # derived from the secret's data considering authorization is already
        # done.
        external_project_id = secret.project.external_id
        project = res.get_or_create_project(external_project_id)

        # default to application/octet-stream if there is no Accept header
        accept_header = getattr(pecan.request.accept, 'header_value',
                                'application/octet-stream')
        pecan.override_template('', accept_header)

        # check if payload exists before proceeding
        if not secret.encrypted_data and not secret.secret_store_metadata:
            _secret_payload_not_found()

        twsk = kwargs.get('trans_wrapped_session_key', None)
        transport_key = None

        if twsk:
            transport_key = self._get_transport_key(
                kwargs.get('transport_key_id', None))

        return plugin.get_secret(accept_header,
                                 secret,
                                 project,
                                 twsk,
                                 transport_key)
Пример #6
0
    def on_get(self, external_project_id, **kw):
        LOG.debug('Start certificate_authorities on_get (limited)')

        plugin_name = kw.get('plugin_name')
        if plugin_name is not None:
            plugin_name = parse.unquote_plus(plugin_name)

        plugin_ca_id = kw.get('plugin_ca_id', None)
        if plugin_ca_id is not None:
            plugin_ca_id = parse.unquote_plus(plugin_ca_id)

        # refresh CA table, in case plugin entries have expired
        cert_resources.refresh_certificate_resources()

        project_model = res.get_or_create_project(external_project_id)

        if self._project_cas_defined(project_model.id):
            cas, offset, limit, total = self._get_subcas_and_project_cas(
                offset=kw.get('offset', 0),
                limit=kw.get('limit', None),
                plugin_name=plugin_name,
                plugin_ca_id=plugin_ca_id,
                project_id=project_model.id)
        else:
            cas, offset, limit, total = self._get_subcas_and_root_cas(
                offset=kw.get('offset', 0),
                limit=kw.get('limit', None),
                plugin_name=plugin_name,
                plugin_ca_id=plugin_ca_id,
                project_id=project_model.id)

        return self._display_cas(cas, offset, limit, total)
Пример #7
0
    def on_put(self, external_project_id, **kwargs):
        if (not pecan.request.content_type or
                pecan.request.content_type == 'application/json'):
            pecan.abort(
                415,
                u._("Content-Type of '{content_type}' is not supported for "
                    "PUT.").format(content_type=pecan.request.content_type)
            )

        transport_key_id = kwargs.get('transport_key_id')

        payload = pecan.request.body
        if not payload:
            raise exception.NoDataToProcess()
        if validators.secret_too_big(payload):
            raise exception.LimitExceeded()

        if self.secret.encrypted_data or self.secret.secret_store_metadata:
            _secret_already_has_data()

        project_model = res.get_or_create_project(external_project_id)
        content_type = pecan.request.content_type
        content_encoding = pecan.request.headers.get('Content-Encoding')

        plugin.store_secret(
            unencrypted_raw=payload,
            content_type_raw=content_type,
            content_encoding=content_encoding,
            secret_model=self.secret,
            project_model=project_model,
            transport_key_id=transport_key_id)
        LOG.info(u._LI('Updated secret for project: %s'), external_project_id)
Пример #8
0
    def add_to_project(self, external_project_id):
        if pecan.request.method != 'POST':
            pecan.abort(405)

        LOG.debug("== Saving CA %s to external_project_id %s",
                  self.ca.id, external_project_id)
        project_model = res.get_or_create_project(external_project_id)

        # CA must be a base CA or a subCA owned by this project
        if (self.ca.project_id is not None and
                self.ca.project_id != project_model.id):
            raise excep.UnauthorizedSubCA()

        project_cas = project_model.cas
        num_cas = len(project_cas)
        for project_ca in project_cas:
            if project_ca.ca_id == self.ca.id:
                # project already added
                return

        project_ca = models.ProjectCertificateAuthority(
            project_model.id, self.ca.id)
        self.project_ca_repo.create_from(project_ca)

        if num_cas == 0:
            # set first project CA to be the preferred one
            preferred_ca = models.PreferredCertificateAuthority(
                project_model.id, self.ca.id)
            self.preferred_ca_repo.create_from(preferred_ca)
Пример #9
0
    def on_put(self, external_project_id, **kwargs):
        body = api.load_body(pecan.request,
                             validator=self.type_order_validator)

        project = res.get_or_create_project(external_project_id)
        order_type = body.get('type')

        request_id = None
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt and ctxt.request_id:
            request_id = ctxt.request_id

        if self.order.type != order_type:
            order_cannot_modify_order_type()

        if models.OrderType.CERTIFICATE != self.order.type:
            _order_update_not_supported_for_type(order_type)

        if models.States.PENDING != self.order.status:
            _order_cannot_be_updated_if_not_pending(self.order.status)

        updated_meta = body.get('meta')
        validators.validate_ca_id(project.id, updated_meta)

        # TODO(chellygel): Put 'meta' into a separate order association
        # entity.
        self.queue.update_order(order_id=self.order.id,
                                project_id=external_project_id,
                                updated_meta=updated_meta,
                                request_id=request_id)
Пример #10
0
    def on_put(self, external_project_id, **kwargs):
        if (not pecan.request.content_type
                or pecan.request.content_type == 'application/json'):
            pecan.abort(
                415,
                u._("Content-Type of '{content_type}' is not supported for "
                    "PUT.").format(content_type=pecan.request.content_type))

        transport_key_id = kwargs.get('transport_key_id')

        payload = pecan.request.body
        if not payload:
            raise exception.NoDataToProcess()
        if validators.secret_too_big(payload):
            raise exception.LimitExceeded()

        if self.secret.encrypted_data or self.secret.secret_store_metadata:
            _secret_already_has_data()

        project_model = res.get_or_create_project(external_project_id)
        content_type = pecan.request.content_type
        content_encoding = pecan.request.headers.get('Content-Encoding')

        plugin.store_secret(unencrypted_raw=payload,
                            content_type_raw=content_type,
                            content_encoding=content_encoding,
                            secret_model=self.secret,
                            project_model=project_model,
                            transport_key_id=transport_key_id)
        LOG.info('Updated secret for project: %s', external_project_id)
Пример #11
0
    def _on_get_secret_payload(self, secret, external_project_id, **kwargs):
        """GET actual payload containing the secret."""

        # With ACL support, the user token project does not have to be same as
        # project associated with secret. The lookup project_id needs to be
        # derived from the secret's data considering authorization is already
        # done.
        external_project_id = secret.project.external_id
        project = res.get_or_create_project(external_project_id)

        # default to application/octet-stream if there is no Accept header
        if (type(pecan.request.accept) is accept.NoHeaderType
                or not pecan.request.accept.header_value):
            accept_header = 'application/octet-stream'
        else:
            accept_header = pecan.request.accept.header_value
        pecan.override_template('', accept_header)

        # check if payload exists before proceeding
        if not secret.encrypted_data and not secret.secret_store_metadata:
            _secret_payload_not_found()

        twsk = kwargs.get('trans_wrapped_session_key', None)
        transport_key = None

        if twsk:
            transport_key = self._get_transport_key(
                kwargs.get('transport_key_id', None))

        return plugin.get_secret(accept_header, secret, project, twsk,
                                 transport_key)
Пример #12
0
    def _on_get_secret_payload(self, secret, external_project_id, **kwargs):
        """GET actual payload containing the secret."""

        # With ACL support, the user token project does not have to be same as
        # project associated with secret. The lookup project_id needs to be
        # derived from the secret's data considering authorization is already
        # done.
        external_project_id = secret.project.external_id
        project = res.get_or_create_project(external_project_id)

        # default to application/octet-stream if there is no Accept header
        accept_header = getattr(pecan.request.accept, 'header_value',
                                'application/octet-stream')
        pecan.override_template('', accept_header)

        twsk = kwargs.get('trans_wrapped_session_key', None)
        transport_key = None

        if twsk:
            transport_key = self._get_transport_key(
                kwargs.get('transport_key_id', None))

        return plugin.get_secret(accept_header,
                                 secret,
                                 project,
                                 twsk,
                                 transport_key)
Пример #13
0
    def create_cas(self, set_project_cas=True):
        self.project = res.get_or_create_project(self.project_id)
        self.global_project = res.get_or_create_global_preferred_project()
        project_repo.save(self.project)
        self.project_ca_ids = []

        self.plugin_name = 'default_plugin'
        self.plugin_ca_id = 'default_plugin_ca_id_'
        self.ca_id = "id1"

        self.num_cas = 10
        self.offset = 2
        self.limit = 4
        self.params = {'offset': self.offset, 'limit': self.limit}

        self._do_create_cas(set_project_cas)

        # create subca for DELETE testing
        parsed_ca = {
            'plugin_name': self.plugin_name,
            'plugin_ca_id': self.plugin_ca_id + "subca 1",
            'name': self.plugin_name,
            'description': 'Sub CA for default plugin',
            'ca_signing_certificate': 'ZZZZZ' + "sub ca1",
            'intermediates': 'YYYYY' + "sub ca1",
            'project_id': self.project.id,
            'creator_id': 'user12345'
        }
        ca = models.CertificateAuthority(parsed_ca)
        ca_repo.create_from(ca)
        ca_repo.save(ca)
        self.subca = ca

        self.num_cas += 1
Пример #14
0
    def on_post(self, keystone_id, **kwargs):
        LOG.debug('Start on_post for project-ID %s:...', keystone_id)

        data = api.load_body(pecan.request, validator=self.validator)
        project = res.get_or_create_project(keystone_id,
                                            self.repos.project_repo)

        transport_key_needed = data.get('transport_key_needed',
                                        'false').lower() == 'true'

        new_secret, transport_key_model = plugin.store_secret(
            data.get('payload'),
            data.get('payload_content_type',
                     'application/octet-stream'),
            data.get('payload_content_encoding'),
            data, None, project,
            self.repos,
            transport_key_needed=transport_key_needed,
            transport_key_id=data.get('transport_key_id'))

        pecan.response.status = 201
        pecan.response.headers['Location'] = '/secrets/{0}'.format(
            new_secret.id
        )
        url = hrefs.convert_secret_to_href(new_secret.id)
        LOG.debug('URI to secret is %s', url)
        if transport_key_model is not None:
            tkey_url = hrefs.convert_transport_key_to_href(
                transport_key_model.id)
            return {'secret_ref': url, 'transport_key_ref': tkey_url}
        else:
            return {'secret_ref': url}
Пример #15
0
    def on_put(self, external_project_id, **kwargs):
        body = api.load_body(pecan.request,
                             validator=self.type_order_validator)

        project = res.get_or_create_project(external_project_id)
        order_type = body.get('type')

        request_id = None
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt and ctxt.request_id:
            request_id = ctxt.request_id

        if self.order.type != order_type:
            order_cannot_modify_order_type()

        if models.OrderType.CERTIFICATE != self.order.type:
            _order_update_not_supported_for_type(order_type)

        if models.States.PENDING != self.order.status:
            _order_cannot_be_updated_if_not_pending(self.order.status)

        updated_meta = body.get('meta')
        validators.validate_ca_id(project.id, updated_meta)

        # TODO(chellygel): Put 'meta' into a separate order association
        # entity.
        self.queue.update_order(order_id=self.order.id,
                                project_id=external_project_id,
                                updated_meta=updated_meta,
                                request_id=request_id)
Пример #16
0
    def on_post(self, external_project_id, **kwargs):
        LOG.debug('Start on_post for project-ID %s:...', external_project_id)

        data = api.load_body(pecan.request, validator=self.validator)
        project = res.get_or_create_project(external_project_id)

        transport_key_needed = data.get('transport_key_needed',
                                        'false').lower() == 'true'
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:  # in authenticated pipleline case, always use auth token user
            data['creator_id'] = ctxt.user

        new_secret, transport_key_model = plugin.store_secret(
            data.get('payload'),
            data.get('payload_content_type',
                     'application/octet-stream'),
            data.get('payload_content_encoding'),
            data, None, project,
            transport_key_needed=transport_key_needed,
            transport_key_id=data.get('transport_key_id'))

        url = hrefs.convert_secret_to_href(new_secret.id)
        LOG.debug('URI to secret is %s', url)

        pecan.response.status = 201
        pecan.response.headers['Location'] = url

        LOG.info(u._LI('Created a secret for project: %s'),
                 external_project_id)
        if transport_key_model is not None:
            tkey_url = hrefs.convert_transport_key_to_href(
                transport_key_model.id)
            return {'secret_ref': url, 'transport_key_ref': tkey_url}
        else:
            return {'secret_ref': url}
Пример #17
0
    def set_preferred(self, external_project_id):
        if pecan.request.method != 'POST':
            pecan.abort(405)

        LOG.debug("== Setting preferred CA %s for project %s", self.ca.id,
                  external_project_id)

        project_model = res.get_or_create_project(external_project_id)

        (project_ca, __offset, __limit,
         __total) = (self.project_ca_repo.get_by_create_date(
             project_id=project_model.id,
             ca_id=self.ca.id,
             suppress_exception=True))
        if not project_ca:
            _requested_preferred_ca_not_a_project_ca()

        preferred_ca = self.preferred_ca_repo.get_project_entities(
            project_model.id)
        if preferred_ca is not None:
            self.preferred_ca_repo.update_preferred_ca(project_model.id,
                                                       self.ca)
        else:
            preferred_ca = models.PreferredCertificateAuthority(
                project_model.id, self.ca.id)
            self.preferred_ca_repo.create_from(preferred_ca)
Пример #18
0
    def on_post(self, external_project_id, **kwargs):
        LOG.debug('Start on_post for project-ID %s:...', external_project_id)

        data = api.load_body(pecan.request, validator=self.validator)
        project = res.get_or_create_project(external_project_id)

        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:  # in authenticated pipeline case, always use auth token user
            creator_id = ctxt.user

        self.quota_enforcer.enforce(project)

        new_ca = cert_resources.create_subordinate_ca(
            project_model=project,
            name=data.get('name'),
            description=data.get('description'),
            subject_dn=data.get('subject_dn'),
            parent_ca_ref=data.get('parent_ca_ref'),
            creator_id=creator_id
        )

        url = hrefs.convert_certificate_authority_to_href(new_ca.id)
        LOG.debug('URI to sub-CA is %s', url)

        pecan.response.status = 201
        pecan.response.headers['Location'] = url

        LOG.info(u._LI('Created a sub CA for project: %s'),
                 external_project_id)

        return {'ca_ref': url}
Пример #19
0
    def set_preferred(self, external_project_id):
        if pecan.request.method != 'POST':
            pecan.abort(405)

        LOG.debug("== Setting preferred CA %s for project %s",
                  self.ca.id, external_project_id)

        project_model = res.get_or_create_project(external_project_id)

        (project_ca, __offset, __limit, __total) = (
            self.project_ca_repo.get_by_create_date(
                project_id=project_model.id,
                ca_id=self.ca.id,
                suppress_exception=True))
        if not project_ca:
            _requested_preferred_ca_not_a_project_ca()

        preferred_ca = self.preferred_ca_repo.get_project_entities(
            project_model.id)
        if preferred_ca is not None:
            self.preferred_ca_repo.update_preferred_ca(project_model.id,
                                                       self.ca)
        else:
            preferred_ca = models.PreferredCertificateAuthority(
                project_model.id, self.ca.id)
            self.preferred_ca_repo.create_from(preferred_ca)
Пример #20
0
    def on_get(self, external_project_id, **kw):
        LOG.debug('Start certificate_authorities on_get (limited)')

        plugin_name = kw.get('plugin_name')
        if plugin_name is not None:
            plugin_name = parse.unquote_plus(plugin_name)

        plugin_ca_id = kw.get('plugin_ca_id', None)
        if plugin_ca_id is not None:
            plugin_ca_id = parse.unquote_plus(plugin_ca_id)

        # refresh CA table, in case plugin entries have expired
        cert_resources.refresh_certificate_resources()

        project_model = res.get_or_create_project(external_project_id)

        if self._project_cas_defined(project_model.id):
            cas, offset, limit, total = self._get_subcas_and_project_cas(
                offset=kw.get('offset', 0),
                limit=kw.get('limit', None),
                plugin_name=plugin_name,
                plugin_ca_id=plugin_ca_id,
                project_id=project_model.id)
        else:
            cas, offset, limit, total = self._get_subcas_and_root_cas(
                offset=kw.get('offset', 0),
                limit=kw.get('limit', None),
                plugin_name=plugin_name,
                plugin_ca_id=plugin_ca_id,
                project_id=project_model.id)

        return self._display_cas(cas, offset, limit, total)
Пример #21
0
    def add_to_project(self, external_project_id):
        if pecan.request.method != 'POST':
            pecan.abort(405)

        LOG.debug("== Saving CA %s to external_project_id %s", self.ca.id,
                  external_project_id)
        project_model = res.get_or_create_project(external_project_id)

        # CA must be a base CA or a subCA owned by this project
        if (self.ca.project_id is not None
                and self.ca.project_id != project_model.id):
            raise excep.UnauthorizedSubCA()

        project_cas = project_model.cas
        num_cas = len(project_cas)
        for project_ca in project_cas:
            if project_ca.ca_id == self.ca.id:
                # project already added
                return

        project_ca = models.ProjectCertificateAuthority(
            project_model.id, self.ca.id)
        self.project_ca_repo.create_from(project_ca)

        if num_cas == 0:
            # set first project CA to be the preferred one
            preferred_ca = models.PreferredCertificateAuthority(
                project_model.id, self.ca.id)
            self.preferred_ca_repo.create_from(preferred_ca)
Пример #22
0
    def on_post(self, external_project_id, **kwargs):
        LOG.debug(u._('Start on_post for project-ID %s:...'),
                  external_project_id)

        data = api.load_body(pecan.request, validator=self.validator)
        project = res.get_or_create_project(external_project_id)

        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:  # in authenticated pipeline case, always use auth token user
            creator_id = ctxt.user

        self.quota_enforcer.enforce(project)

        new_ca = cert_resources.create_subordinate_ca(
            project_model=project,
            name=data.get('name'),
            description=data.get('description'),
            subject_dn=data.get('subject_dn'),
            parent_ca_ref=data.get('parent_ca_ref'),
            creator_id=creator_id)

        url = hrefs.convert_certificate_authority_to_href(new_ca.id)
        LOG.debug(u._('URI to sub-CA is %s'), url)

        pecan.response.status = 201
        pecan.response.headers['Location'] = url

        LOG.info(u._LI('Created a sub CA for project: %s'),
                 external_project_id)

        return {'ca_ref': url}
Пример #23
0
    def on_post(self, external_project_id, **kwargs):
        LOG.debug('Start on_post for project-ID %s:...', external_project_id)

        data = api.load_body(pecan.request, validator=self.validator)
        project = res.get_or_create_project(external_project_id,
                                            self.repos.project_repo)

        transport_key_needed = data.get('transport_key_needed',
                                        'false').lower() == 'true'

        new_secret, transport_key_model = plugin.store_secret(
            data.get('payload'),
            data.get('payload_content_type', 'application/octet-stream'),
            data.get('payload_content_encoding'),
            data,
            None,
            project,
            self.repos,
            transport_key_needed=transport_key_needed,
            transport_key_id=data.get('transport_key_id'))

        pecan.response.status = 201
        pecan.response.headers['Location'] = '/secrets/{0}'.format(
            new_secret.id)
        url = hrefs.convert_secret_to_href(new_secret.id)
        LOG.debug('URI to secret is %s', url)
        if transport_key_model is not None:
            tkey_url = hrefs.convert_transport_key_to_href(
                transport_key_model.id)
            return {'secret_ref': url, 'transport_key_ref': tkey_url}
        else:
            return {'secret_ref': url}
Пример #24
0
    def on_delete(self, external_project_id, **kwargs):
        data = api.load_body(pecan.request, validator=self.validator)
        LOG.debug('Start on_delete...%s', data)
        project = res.get_or_create_project(external_project_id)

        consumer = self.consumer_repo.get_by_values(self.container_id,
                                                    data["name"],
                                                    data["URL"],
                                                    suppress_exception=True)
        if not consumer:
            _consumer_not_found()
        LOG.debug("Found container consumer: %s", consumer)

        owner_of_consumer = consumer.project_id == project.id
        owner_of_container = self.container.project.external_id \
            == external_project_id
        if not owner_of_consumer and not owner_of_container:
            _consumer_ownership_mismatch()

        try:
            self.consumer_repo.delete_entity_by_id(consumer.id,
                                                   external_project_id)
        except exception.NotFound:
            LOG.exception('Problem deleting container consumer')
            _consumer_not_found()

        ret_data = self._return_container_data()
        LOG.info('Deleted a container consumer for project: %s',
                 external_project_id)
        return ret_data
Пример #25
0
    def on_post(self, external_project_id, **kwargs):

        project = res.get_or_create_project(external_project_id)
        data = api.load_body(pecan.request, validator=self.validator)
        LOG.debug('Start on_post...%s', data)

        try:
            container = self.container_repo.get(self.container_id,
                                                external_project_id)
        except exception.NotFound:
            controllers.containers.container_not_found()

        self.quota_enforcer.enforce(project)

        new_consumer = models.ContainerConsumerMetadatum(self.container_id,
                                                         data)
        new_consumer.project_id = project.id
        self.consumer_repo.create_or_update_from(new_consumer, container)

        url = hrefs.convert_consumer_to_href(new_consumer.container_id)
        pecan.response.headers['Location'] = url

        LOG.info(u._LI('Created a consumer for project: %s'),
                 external_project_id)

        return self._return_container_data(self.container_id,
                                           external_project_id)
Пример #26
0
    def on_post(self, keystone_id, **kwargs):

        project = res.get_or_create_project(keystone_id, self.project_repo)

        data = api.load_body(pecan.request, validator=self.validator)
        LOG.debug('Start on_post...%s', data)

        new_container = models.Container(data)
        new_container.tenant_id = project.id

        # TODO(hgedikli): performance optimizations
        for secret_ref in new_container.container_secrets:
            secret = self.secret_repo.get(entity_id=secret_ref.secret_id,
                                          keystone_id=keystone_id,
                                          suppress_exception=True)
            if not secret:
                # This only partially localizes the error message and
                # doesn't localize secret_ref.name.
                pecan.abort(404, u._("Secret provided for '{0}' doesn't"
                                     " exist.").format(secret_ref.name))

        self.container_repo.create_from(new_container)

        pecan.response.status = 201
        pecan.response.headers['Location'] = '/containers/{0}'.format(
            new_container.id
        )
        url = hrefs.convert_container_to_href(new_container.id)
        return {'container_ref': url}
Пример #27
0
    def _init_memory_db_setup(self):

        # Force a refresh of the singleton plugin manager for each test.
        manager._PLUGIN_MANAGER = None
        manager.CONF.set_override('enabled_crypto_plugins', ['simple_crypto'],
                                  group='crypto')

        self.project_id1 = uuidutils.generate_uuid()
        self.project_id2 = uuidutils.generate_uuid(dashed=False)

        self.project1_data = c_resources.get_or_create_project(
            self.project_id1)
        self.assertIsNotNone(self.project1_data)

        self.project2_data = c_resources.get_or_create_project(
            self.project_id2)
        self.assertIsNotNone(self.project2_data)
Пример #28
0
    def _init_memory_db_setup(self):

        # Force a refresh of the singleton plugin manager for each test.
        manager._PLUGIN_MANAGER = None
        manager.CONF.set_override('enabled_crypto_plugins',
                                  ['simple_crypto'],
                                  group='crypto')

        self.project_id1 = uuidutils.generate_uuid()
        self.project_id2 = uuidutils.generate_uuid(dashed=False)

        self.project1_data = c_resources.get_or_create_project(
            self.project_id1)
        self.assertIsNotNone(self.project1_data)

        self.project2_data = c_resources.get_or_create_project(
            self.project_id2)
        self.assertIsNotNone(self.project2_data)
Пример #29
0
 def on_post(self, external_project_id):
     data = api.load_body(pecan.request)
     project = res.get_or_create_project(external_project_id)
     self.quota_enforcer.enforce(project)
     response = None
     response = plugin.do_attestation(data, external_project_id, True)
     if response is None:
         _quote_not_found()
     return response
Пример #30
0
    def on_get(self, external_project_id, **kw):
        LOG.debug('Start SecretStoresController on_get: listing secret '
                  'stores')
        if not utils.is_multiple_backends_enabled():
            _multiple_backends_not_enabled()

        res.get_or_create_project(external_project_id)

        secret_stores = self.secret_stores_repo.get_all()

        resp_list = []
        for store in secret_stores:
            item = convert_secret_store_to_response_format(store)
            resp_list.append(item)

        resp = {'secret_stores': resp_list}

        return resp
Пример #31
0
    def on_get(self, external_project_id, **kw):
        LOG.debug('Start SecretStoresController on_get: listing secret '
                  'stores')
        if not utils.is_multiple_backends_enabled():
            _multiple_backends_not_enabled()

        res.get_or_create_project(external_project_id)

        secret_stores = self.secret_stores_repo.get_all()

        resp_list = []
        for store in secret_stores:
            item = convert_secret_store_to_response_format(store)
            resp_list.append(item)

        resp = {'secret_stores': resp_list}

        return resp
Пример #32
0
    def set_project_quotas(self, external_project_id, parsed_project_quotas):
        """Create a new database entry, or update existing one

        :param external_project_id: ID of project whose quotas are to be set
        :param parsed_project_quotas: quota values to save in database
        :return: None
        """
        project = res.get_or_create_project(external_project_id)
        self.repo.create_or_update_by_project_id(project.id, parsed_project_quotas)
Пример #33
0
    def on_post(self, external_project_id, **kwargs):
        project = res.get_or_create_project(external_project_id)

        body = api.load_body(pecan.request,
                             validator=self.type_order_validator)

        order_type = body.get('type')
        order_meta = body.get('meta')
        request_type = order_meta.get('request_type')

        LOG.debug('Processing order type %(order_type)s,'
                  ' request type %(request_type)s' % {
                      'order_type': order_type,
                      'request_type': request_type
                  })

        if order_type == models.OrderType.CERTIFICATE:
            msg = _DEPRECATION_MSG % "Certificate Order Resource"
            versionutils.report_deprecated_feature(LOG, msg)
            validators.validate_ca_id(project.id, body.get('meta'))
            if request_type == 'stored-key':
                container_ref = order_meta.get('container_ref')
                validators.validate_stored_key_rsa_container(
                    external_project_id, container_ref, pecan.request)

        self.quota_enforcer.enforce(project)

        new_order = models.Order()
        new_order.meta = body.get('meta')
        new_order.type = order_type
        new_order.project_id = project.id

        request_id = None
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:
            new_order.creator_id = ctxt.user
            request_id = ctxt.request_id

        self.order_repo.create_from(new_order)

        # Grab our id before commit due to obj expiration from sqlalchemy
        order_id = new_order.id

        # Force commit to avoid async issues with the workers
        repo.commit()

        self.queue.process_type_order(order_id=order_id,
                                      project_id=external_project_id,
                                      request_id=request_id)

        url = hrefs.convert_order_to_href(order_id)

        pecan.response.status = 202
        pecan.response.headers['Location'] = url

        return {'order_ref': url}
Пример #34
0
    def on_post(self, external_project_id, **kwargs):
        LOG.debug('Start: Set project preferred secret-store for store '
                  'id %s', self.secret_store.id)

        project = res.get_or_create_project(external_project_id)

        self.proj_store_repo.create_or_update_for_project(project.id,
                                                          self.secret_store.id)

        pecan.response.status = 204
Пример #35
0
    def setUp(self):
        super(WhenCreatingSubordinateCAs, self).setUp()
        self.project = res.get_or_create_project('12345')
        self.project2 = res.get_or_create_project('56789')

        self.subject_name = "cn=subca1 signing certificate, o=example.com"
        self.creator_id = "user12345"
        self.name = "Subordinate CA #1"
        self.description = "This is a test subordinate CA"
        self.plugin_name = "dogtag_plugin"

        # create parent ca
        expiration = (datetime.datetime.utcnow() +
                      datetime.timedelta(minutes=10))
        parsed_ca = {
            'plugin_name': self.plugin_name,
            'plugin_ca_id': 'ca_master',
            'expiration': expiration.isoformat(),
            'name': 'Dogtag CA',
            'description': 'Master CA for Dogtag plugin',
            'ca_signing_certificate': 'XXXXX',
            'intermediates': 'YYYYY'
        }

        self.parent_ca = models.CertificateAuthority(parsed_ca)
        ca_repo.create_from(self.parent_ca)
        self.parent_ca_ref = 'https://localhost:6311/cas/' + self.parent_ca.id

        self.new_ca_dict = {
            'plugin_ca_id': 'ca_subordinate',
            'expiration': expiration.isoformat(),
            'name': 'Dogtag Subordinate CA',
            'description': 'Subordinate CA for Dogtag plugin',
            'ca_signing_certificate': 'XXXXX',
            'intermediates': 'YYYYY',
        }

        # mock plugin and calls to plugin
        self.cert_plugin = mock.MagicMock()
        self.cert_plugin.supports_create_ca.return_value = True
        self.cert_plugin.create_ca.return_value = self.new_ca_dict
        self._config_cert_plugin()
Пример #36
0
    def on_post(self, external_project_id, **kwargs):
        LOG.debug(
            'Start: Set project preferred secret-store for store '
            'id %s', self.secret_store.id)

        project = res.get_or_create_project(external_project_id)

        self.proj_store_repo.create_or_update_for_project(
            project.id, self.secret_store.id)

        pecan.response.status = 204
Пример #37
0
 def on_post(self, external_project_id):
     ctxt = controllers._get_barbican_context(pecan.request)
     data = api.load_body(pecan.request)
     project = res.get_or_create_project(external_project_id)
     self.quota_enforcer.enforce(project)
     response = None
     response = plugin.do_attestation(data, external_project_id, False,
                                      ctxt)
     if response is None:
         _quote_not_found()
     return response
Пример #38
0
def delete_subordinate_ca(external_project_id, ca):
    """Deletes a subordinate CA and any related artifacts

    :param external_project_id: external project ID
    :param ca: class:`models.CertificateAuthority` to be deleted
    :return: None
     """
    # TODO(alee) See if the checks below can be moved to the RBAC code

    # Check that this CA is a subCA
    if ca.project_id is None:
        raise excep.CannotDeleteBaseCA()

    # Check that the user's project owns this subCA
    project = res.get_or_create_project(external_project_id)
    if ca.project_id != project.id:
        raise excep.UnauthorizedSubCA()

    project_ca_repo = repos.get_project_ca_repository()
    (project_cas, _, _,
     _) = project_ca_repo.get_by_create_date(project_id=project.id,
                                             ca_id=ca.id,
                                             suppress_exception=True)

    preferred_ca_repo = repos.get_preferred_ca_repository()
    (preferred_cas, _, _,
     _) = preferred_ca_repo.get_by_create_date(project_id=project.id,
                                               ca_id=ca.id,
                                               suppress_exception=True)

    # Can not delete a project preferred CA, if other project CAs exist. One
    # of those needs to be designated as the preferred CA first.
    if project_cas and preferred_cas and not is_last_project_ca(project.id):
        raise excep.CannotDeletePreferredCA()

    # Remove the CA as preferred
    if preferred_cas:
        preferred_ca_repo.delete_entity_by_id(preferred_cas[0].id,
                                              external_project_id)
    # Remove the CA from project list
    if project_cas:
        project_ca_repo.delete_entity_by_id(project_cas[0].id,
                                            external_project_id)

    # Delete the CA entry from plugin
    cert_plugin = cert.CertificatePluginManager().get_plugin_by_name(
        ca.plugin_name)
    cert_plugin.delete_ca(ca.plugin_ca_id)

    # Finally, delete the CA entity from the CA repository
    ca_repo = repos.get_ca_repository()
    ca_repo.delete_entity_by_id(entity_id=ca.id,
                                external_project_id=external_project_id)
Пример #39
0
    def preferred(self, external_project_id, **kw):
        LOG.debug('Start certificate_authorities get project preferred CA')

        project = res.get_or_create_project(external_project_id)

        pref_ca_id = cert_resources.get_project_preferred_ca_id(project.id)
        if not pref_ca_id:
            pecan.abort(404, u._("No preferred CA defined for this project"))

        return {
            'ca_ref': hrefs.convert_certificate_authority_to_href(pref_ca_id)
        }
Пример #40
0
    def setUp(self):
        super(WhenCreatingSubordinateCAs, self).setUp()
        self.project = res.get_or_create_project('12345')
        self.project2 = res.get_or_create_project('56789')

        self.subject_name = "cn=subca1 signing certificate, o=example.com"
        self.creator_id = "user12345"
        self.name = "Subordinate CA #1"
        self.description = "This is a test subordinate CA"
        self.plugin_name = "dogtag_plugin"

        # create parent ca
        expiration = (datetime.datetime.utcnow() +
                      datetime.timedelta(minutes=10))
        parsed_ca = {'plugin_name': self.plugin_name,
                     'plugin_ca_id': 'ca_master',
                     'expiration': expiration.isoformat(),
                     'name': 'Dogtag CA',
                     'description': 'Master CA for Dogtag plugin',
                     'ca_signing_certificate': 'XXXXX',
                     'intermediates': 'YYYYY'}

        self.parent_ca = models.CertificateAuthority(parsed_ca)
        ca_repo.create_from(self.parent_ca)
        self.parent_ca_ref = 'https://localhost:6311/cas/' + self.parent_ca.id

        self.new_ca_dict = {
            'plugin_ca_id': 'ca_subordinate',
            'expiration': expiration.isoformat(),
            'name': 'Dogtag Subordinate CA',
            'description': 'Subordinate CA for Dogtag plugin',
            'ca_signing_certificate': 'XXXXX',
            'intermediates': 'YYYYY',
        }

        # mock plugin and calls to plugin
        self.cert_plugin = mock.MagicMock()
        self.cert_plugin.supports_create_ca.return_value = True
        self.cert_plugin.create_ca.return_value = self.new_ca_dict
        self._config_cert_plugin()
Пример #41
0
    def on_post(self, external_project_id, **kwargs):
        project = res.get_or_create_project(external_project_id)

        body = api.load_body(pecan.request,
                             validator=self.type_order_validator)

        order_type = body.get('type')
        order_meta = body.get('meta')
        request_type = order_meta.get('request_type')

        LOG.debug('Processing order type %s, request type %s',
                  order_type, request_type)

        if order_type == models.OrderType.CERTIFICATE:
            validators.validate_ca_id(project.id, body.get('meta'))
            if request_type == 'stored-key':
                container_ref = order_meta.get('container_ref')
                validators.validate_stored_key_rsa_container(
                    external_project_id,
                    container_ref, pecan.request)

        self.quota_enforcer.enforce(project)

        new_order = models.Order()
        new_order.meta = body.get('meta')
        new_order.type = order_type
        new_order.project_id = project.id

        request_id = None
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:
            new_order.creator_id = ctxt.user
            request_id = ctxt.request_id

        self.order_repo.create_from(new_order)

        # Grab our id before commit due to obj expiration from sqlalchemy
        order_id = new_order.id

        # Force commit to avoid async issues with the workers
        repo.commit()

        self.queue.process_type_order(order_id=order_id,
                                      project_id=external_project_id,
                                      request_id=request_id)

        url = hrefs.convert_order_to_href(order_id)

        pecan.response.status = 202
        pecan.response.headers['Location'] = url

        return {'order_ref': url}
Пример #42
0
    def setUp(self):
        super(WhenCreatingCertificateOrders, self).setUp()
        self.certificate_meta = {
            'request': 'XXXXXX'
        }
        # Make sure we have a project
        self.project = resources.get_or_create_project(self.project_id)

        # Create CA's in the db
        self.available_ca_ids = []
        for i in range(2):
            ca_information = {
                'plugin_name': 'plugin_name',
                'plugin_ca_id': 'plugin_name ca_id1',
                'name': 'plugin name',
                'description': 'Master CA for default plugin',
                'ca_signing_certificate': 'XXXXX',
                'intermediates': 'YYYYY'
            }

            ca_model = models.CertificateAuthority(ca_information)
            ca = ca_repo.create_from(ca_model)
            self.available_ca_ids.append(ca.id)

        foreign_project = resources.get_or_create_project('foreign_project')
        foreign_ca_information = {
            'project_id': foreign_project.id,
            'plugin_name': 'plugin_name',
            'plugin_ca_id': 'plugin_name ca_id1',
            'name': 'plugin name',
            'description': 'Master CA for default plugin',
            'ca_signing_certificate': 'XXXXX',
            'intermediates': 'YYYYY'
        }
        foreign_ca_model = models.CertificateAuthority(foreign_ca_information)
        foreign_ca = ca_repo.create_from(foreign_ca_model)
        self.foreign_ca_id = foreign_ca.id

        repositories.commit()
Пример #43
0
    def preferred(self, external_project_id, **kw):
        LOG.debug('Start certificate_authorities get project preferred CA')

        project = res.get_or_create_project(external_project_id)

        pref_ca_id = cert_resources.get_project_preferred_ca_id(project.id)
        if not pref_ca_id:
            pecan.abort(404, u._("No preferred CA defined for this project"))

        return {
            'ca_ref':
                hrefs.convert_certificate_authority_to_href(pref_ca_id)
        }
Пример #44
0
    def set_project_quotas(self, external_project_id, parsed_project_quotas):
        """Create a new database entry, or update existing one

        :param external_project_id: ID of project whose quotas are to be set
        :param parsed_project_quotas: quota values to save in database
        :return: None
        """
        project = res.get_or_create_project(external_project_id)
        self.repo.create_or_update_by_project_id(project.id,
                                                 parsed_project_quotas)
        # commit to DB to avoid async issues if the enforcer is called from
        # another thread
        repo.commit()
Пример #45
0
    def set_project_quotas(self, external_project_id, parsed_project_quotas):
        """Create a new database entry, or update existing one

        :param external_project_id: ID of project whose quotas are to be set
        :param parsed_project_quotas: quota values to save in database
        :return: None
        """
        project = res.get_or_create_project(external_project_id)
        self.repo.create_or_update_by_project_id(project.id,
                                                 parsed_project_quotas)
        # commit to DB to avoid async issues if the enforcer is called from
        # another thread
        repo.commit()
Пример #46
0
def delete_subordinate_ca(external_project_id, ca):
    """Deletes a subordinate CA and any related artifacts

    :param external_project_id: external project ID
    :param ca: class:`models.CertificateAuthority` to be deleted
    :return: None
     """
    # TODO(alee) See if the checks below can be moved to the RBAC code

    # Check that this CA is a subCA
    if ca.project_id is None:
        raise excep.CannotDeleteBaseCA()

    # Check that the user's project owns this subCA
    project = res.get_or_create_project(external_project_id)
    if ca.project_id != project.id:
        raise excep.UnauthorizedSubCA()

    project_ca_repo = repos.get_project_ca_repository()
    (project_cas, _, _, _) = project_ca_repo.get_by_create_date(
        project_id=project.id, ca_id=ca.id,
        suppress_exception=True)

    preferred_ca_repo = repos.get_preferred_ca_repository()
    (preferred_cas, _, _, _) = preferred_ca_repo.get_by_create_date(
        project_id=project.id, ca_id=ca.id, suppress_exception=True)

    # Can not delete a project preferred CA, if other project CAs exist. One
    # of those needs to be designated as the preferred CA first.
    if project_cas and preferred_cas and not is_last_project_ca(project.id):
        raise excep.CannotDeletePreferredCA()

    # Remove the CA as preferred
    if preferred_cas:
        preferred_ca_repo.delete_entity_by_id(preferred_cas[0].id,
                                              external_project_id)
    # Remove the CA from project list
    if project_cas:
        project_ca_repo.delete_entity_by_id(project_cas[0].id,
                                            external_project_id)

    # Delete the CA entry from plugin
    cert_plugin = cert.CertificatePluginManager().get_plugin_by_name(
        ca.plugin_name)
    cert_plugin.delete_ca(ca.plugin_ca_id)

    # Finally, delete the CA entity from the CA repository
    ca_repo = repos.get_ca_repository()
    ca_repo.delete_entity_by_id(
        entity_id=ca.id,
        external_project_id=external_project_id)
Пример #47
0
    def setUp(self):
        super(WhenCreatingCertificateOrders, self).setUp()
        self.certificate_meta = {'request': 'XXXXXX'}
        # Make sure we have a project
        self.project = resources.get_or_create_project(self.project_id)

        # Create CA's in the db
        self.available_ca_ids = []
        for i in range(2):
            ca_information = {
                'plugin_name': 'plugin_name',
                'plugin_ca_id': 'plugin_name ca_id1',
                'name': 'plugin name',
                'description': 'Master CA for default plugin',
                'ca_signing_certificate': 'XXXXX',
                'intermediates': 'YYYYY'
            }

            ca_model = models.CertificateAuthority(ca_information)
            ca = ca_repo.create_from(ca_model)
            self.available_ca_ids.append(ca.id)

        foreign_project = resources.get_or_create_project('foreign_project')
        foreign_ca_information = {
            'project_id': foreign_project.id,
            'plugin_name': 'plugin_name',
            'plugin_ca_id': 'plugin_name ca_id1',
            'name': 'plugin name',
            'description': 'Master CA for default plugin',
            'ca_signing_certificate': 'XXXXX',
            'intermediates': 'YYYYY'
        }
        foreign_ca_model = models.CertificateAuthority(foreign_ca_information)
        foreign_ca = ca_repo.create_from(foreign_ca_model)
        self.foreign_ca_id = foreign_ca.id

        repositories.commit()
Пример #48
0
    def on_delete(self, external_project_id, **kw):
        LOG.debug('Start: Remove project preferred secret-store for store'
                  ' id %s', self.secret_store.id)

        project = res.get_or_create_project(external_project_id)

        project_store = self.proj_store_repo.get_secret_store_for_project(
            project.id, None, suppress_exception=True)
        if project_store is None:
            _preferred_secret_store_not_found()

        self.proj_store_repo.delete_entity_by_id(
            entity_id=project_store.id,
            external_project_id=external_project_id)
        pecan.response.status = 204
Пример #49
0
    def _on_get_secret_payload(self, secret, external_project_id, **kwargs):
        """GET actual payload containing the secret."""
        project = res.get_or_create_project(external_project_id,
                                            self.repos.project_repo)

        pecan.override_template('', pecan.request.accept.header_value)

        twsk = kwargs.get('trans_wrapped_session_key', None)
        transport_key = None

        if twsk:
            transport_key = self._get_transport_key(
                kwargs.get('transport_key_id', None))

        return plugin.get_secret(pecan.request.accept.header_value, secret,
                                 project, self.repos, twsk, transport_key)
Пример #50
0
    def remove_from_project(self, external_project_id):
        if pecan.request.method != 'POST':
            pecan.abort(405)

        LOG.debug("== Removing CA %s from project_external_id %s", self.ca.id,
                  external_project_id)

        project_model = res.get_or_create_project(external_project_id)
        (project_ca, __offset, __limit,
         __total) = (self.project_ca_repo.get_by_create_date(
             project_id=project_model.id,
             ca_id=self.ca.id,
             suppress_exception=True))

        if project_ca:
            self.project_ca_repo.delete_entity_by_id(project_ca[0].id, None)
Пример #51
0
    def on_delete(self, external_project_id, **kw):
        LOG.debug(
            'Start: Remove project preferred secret-store for store'
            ' id %s', self.secret_store.id)

        project = res.get_or_create_project(external_project_id)

        project_store = self.proj_store_repo.get_secret_store_for_project(
            project.id, None, suppress_exception=True)
        if project_store is None:
            _preferred_secret_store_not_found()

        self.proj_store_repo.delete_entity_by_id(
            entity_id=project_store.id,
            external_project_id=external_project_id)
        pecan.response.status = 204
Пример #52
0
    def get_preferred(self, external_project_id, **kw):
        LOG.debug('Start secret-stores get preferred secret store')

        if not utils.is_multiple_backends_enabled():
            _multiple_backends_not_enabled()

        project = res.get_or_create_project(external_project_id)

        project_store = self.proj_store_repo.get_secret_store_for_project(
            project.id, None, suppress_exception=True)

        if project_store is None:
            _preferred_secret_store_not_found()

        return convert_secret_store_to_response_format(
            project_store.secret_store)
Пример #53
0
    def get_preferred(self, external_project_id, **kw):
        LOG.debug('Start secret-stores get preferred secret store')

        if not utils.is_multiple_backends_enabled():
            _multiple_backends_not_enabled()

        project = res.get_or_create_project(external_project_id)

        project_store = self.proj_store_repo.get_secret_store_for_project(
            project.id, None, suppress_exception=True)

        if project_store is None:
            _preferred_secret_store_not_found()

        return convert_secret_store_to_response_format(
            project_store.secret_store)
Пример #54
0
    def on_post(self, external_project_id, **kwargs):
        project = res.get_or_create_project(external_project_id)

        body = api.load_body(pecan.request,
                             validator=self.type_order_validator)

        order_type = body.get('type')
        order_meta = body.get('meta')
        request_type = order_meta.get('request_type')

        LOG.debug('Processing order type %(order_type)s,'
                  ' request type %(request_type)s' % {
                      'order_type': order_type,
                      'request_type': request_type
                  })

        self.quota_enforcer.enforce(project)

        new_order = models.Order()
        new_order.meta = body.get('meta')
        new_order.type = order_type
        new_order.project_id = project.id

        request_id = None
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:
            new_order.creator_id = ctxt.user
            request_id = ctxt.request_id

        self.order_repo.create_from(new_order)

        # Grab our id before commit due to obj expiration from sqlalchemy
        order_id = new_order.id

        # Force commit to avoid async issues with the workers
        repo.commit()

        self.queue.process_type_order(order_id=order_id,
                                      project_id=external_project_id,
                                      request_id=request_id)

        url = hrefs.convert_order_to_href(order_id)

        pecan.response.status = 202
        pecan.response.headers['Location'] = url

        return {'order_ref': url}
Пример #55
0
    def remove_from_project(self, external_project_id):
        if pecan.request.method != 'POST':
            pecan.abort(405)

        LOG.debug("== Removing CA %s from project_external_id %s",
                  self.ca.id, external_project_id)

        project_model = res.get_or_create_project(external_project_id)
        (project_ca, __offset, __limit, __total) = (
            self.project_ca_repo.get_by_create_date(
                project_id=project_model.id,
                ca_id=self.ca.id,
                suppress_exception=True))

        if project_ca:
            self.project_ca_repo.delete_entity_by_id(
                project_ca[0].id,
                None)
Пример #56
0
    def set_preferred(self, external_project_id):
        if pecan.request.method != 'POST':
            pecan.abort(405)

        LOG.debug("== Setting preferred CA %s for project %s",
                  self.ca.id, external_project_id)

        project_model = res.get_or_create_project(external_project_id)

        (project_ca, __offset, __limit, __total) = (
            self.project_ca_repo.get_by_create_date(
                project_id=project_model.id,
                ca_id=self.ca.id,
                suppress_exception=True))
        if not project_ca:
            _requested_preferred_ca_not_a_project_ca()

        self.preferred_ca_repo.create_or_update_by_project_id(
            project_model.id, self.ca.id)
Пример #57
0
    def index(self, keystone_id, **kwargs):

        secret = self.repos.secret_repo.get(entity_id=self.secret_id,
                                            keystone_id=keystone_id,
                                            suppress_exception=True)
        if not secret:
            _secret_not_found()

        if controllers.is_json_request_accept(pecan.request):
            # Metadata-only response, no secret retrieval is necessary.
            pecan.override_template('json', 'application/json')
            secret_fields = putil.mime_types.augment_fields_with_content_types(
                secret)
            transport_key_needed = kwargs.get('transport_key_needed',
                                              'false').lower() == 'true'
            if transport_key_needed:
                transport_key_id = plugin.get_transport_key_id_for_retrieval(
                    secret)
                if transport_key_id is not None:
                    secret_fields['transport_key_id'] = transport_key_id
            return hrefs.convert_to_hrefs(secret_fields)
        else:
            project = res.get_or_create_project(keystone_id,
                                                self.repos.project_repo)
            pecan.override_template('', pecan.request.accept.header_value)
            transport_key = None
            twsk = kwargs.get('trans_wrapped_session_key', None)
            if twsk is not None:
                transport_key_id = kwargs.get('transport_key_id', None)
                if transport_key_id is None:
                    _request_has_twsk_but_no_transport_key_id()
                transport_key_model = self.repos.transport_key_repo.get(
                    entity_id=transport_key_id,
                    suppress_exception=True)
                transport_key = transport_key_model.transport_key

            return plugin.get_secret(pecan.request.accept.header_value,
                                     secret,
                                     project,
                                     self.repos,
                                     twsk,
                                     transport_key)
Пример #58
0
    def on_post(self, external_project_id, **kwargs):

        project = res.get_or_create_project(external_project_id)

        data = api.load_body(pecan.request, validator=self.validator)
        ctxt = controllers._get_barbican_context(pecan.request)
        if ctxt:  # in authenticated pipleline case, always use auth token user
            data['creator_id'] = ctxt.user

        self.quota_enforcer.enforce(project)

        LOG.debug('Start on_post...%s', data)

        new_container = models.Container(data)
        new_container.project_id = project.id

        # TODO(hgedikli): performance optimizations
        for secret_ref in new_container.container_secrets:
            secret = self.secret_repo.get(
                entity_id=secret_ref.secret_id,
                external_project_id=external_project_id,
                suppress_exception=True)
            if not secret:
                # This only partially localizes the error message and
                # doesn't localize secret_ref.name.
                pecan.abort(
                    404,
                    u._("Secret provided for '{secret_name}' doesn't "
                        "exist.").format(secret_name=secret_ref.name)
                )

        self.container_repo.create_from(new_container)

        url = hrefs.convert_container_to_href(new_container.id)

        pecan.response.status = 201
        pecan.response.headers['Location'] = url
        LOG.info(u._LI('Created a container for project: %s'),
                 external_project_id)

        return {'container_ref': url}
Пример #59
0
    def on_post(self, keystone_id, **kwargs):

        project = res.get_or_create_project(keystone_id, self.project_repo)
        data = api.load_body(pecan.request, validator=self.validator)
        LOG.debug('Start on_post...%s', data)

        try:
            container = self.container_repo.get(self.container_id, keystone_id)
        except exception.NotFound:
            controllers.containers.container_not_found()

        new_consumer = models.ContainerConsumerMetadatum(self.container_id,
                                                         data)
        new_consumer.tenant_id = project.id
        self.consumer_repo.create_from(new_consumer, container)

        pecan.response.headers['Location'] = (
            '/containers/{0}/consumers'.format(new_consumer.container_id)
        )

        return self._return_container_data(self.container_id, keystone_id)