def on_post(self, external_project_id, **kwargs):
LOG.debug(u._('Start on_post for project-ID %s:...'),
external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
project = res.get_or_create_project(external_project_id)
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipeline case, always use auth token user
creator_id = ctxt.user
self.quota_enforcer.enforce(project)
new_ca = cert_resources.create_subordinate_ca(
project_model=project,
name=data.get('name'),
description=data.get('description'),
subject_dn=data.get('subject_dn'),
parent_ca_ref=data.get('parent_ca_ref'),
creator_id=creator_id)
url = hrefs.convert_certificate_authority_to_href(new_ca.id)
LOG.debug(u._('URI to sub-CA is %s'), url)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a sub CA for project: %s'),
external_project_id)
return {'ca_ref': url}
def validate_stored_key_rsa_container(project_id, container_ref, req):
try:
container_id = hrefs.get_container_id_from_ref(container_ref)
except Exception:
reason = u._("Bad Container Reference {ref}").format(
ref=container_ref
)
raise exception.InvalidContainer(reason=reason)
container_repo = repo.get_container_repository()
container = container_repo.get_container_by_id(entity_id=container_id,
suppress_exception=True)
if not container:
reason = u._("Container Not Found")
raise exception.InvalidContainer(reason=reason)
if container.type != 'rsa':
reason = u._("Container Wrong Type")
raise exception.InvalidContainer(reason=reason)
ctxt = controllers._get_barbican_context(req)
inst = controllers.containers.ContainerController(container)
controllers._do_enforce_rbac(inst, req,
controllers.containers.CONTAINER_GET,
ctxt)
def on_put(self, external_project_id, **kwargs):
body = api.load_body(pecan.request,
validator=self.type_order_validator)
project = res.get_or_create_project(external_project_id)
order_type = body.get('type')
request_id = None
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt and ctxt.request_id:
request_id = ctxt.request_id
if self.order.type != order_type:
order_cannot_modify_order_type()
if models.OrderType.CERTIFICATE != self.order.type:
_order_update_not_supported_for_type(order_type)
if models.States.PENDING != self.order.status:
_order_cannot_be_updated_if_not_pending(self.order.status)
updated_meta = body.get('meta')
validators.validate_ca_id(project.id, updated_meta)
# TODO(chellygel): Put 'meta' into a separate order association
# entity.
self.queue.update_order(order_id=self.order.id,
project_id=external_project_id,
updated_meta=updated_meta,
request_id=request_id)
def validate_stored_key_rsa_container(project_id, container_ref, req):
try:
container_id = hrefs.get_container_id_from_ref(container_ref)
except Exception:
reason = u._("Bad Container Reference {ref}").format(
ref=container_ref
)
raise exception.InvalidContainer(reason=reason)
container_repo = repo.get_container_repository()
container = container_repo.get_container_by_id(entity_id=container_id,
suppress_exception=True)
if not container:
reason = u._("Container Not Found")
raise exception.InvalidContainer(reason=reason)
if container.type != 'rsa':
reason = u._("Container Wrong Type")
raise exception.InvalidContainer(reason=reason)
ctxt = controllers._get_barbican_context(req)
inst = controllers.containers.ContainerController(container)
controllers._do_enforce_rbac(inst, req,
controllers.containers.CONTAINER_GET,
ctxt)
def on_post(self, external_project_id, **kwargs):
LOG.debug('Start on_post for project-ID %s:...', external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
project = res.get_or_create_project(external_project_id)
transport_key_needed = data.get('transport_key_needed',
'false').lower() == 'true'
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipleline case, always use auth token user
data['creator_id'] = ctxt.user
new_secret, transport_key_model = plugin.store_secret(
data.get('payload'),
data.get('payload_content_type',
'application/octet-stream'),
data.get('payload_content_encoding'),
data, None, project,
transport_key_needed=transport_key_needed,
transport_key_id=data.get('transport_key_id'))
url = hrefs.convert_secret_to_href(new_secret.id)
LOG.debug('URI to secret is %s', url)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a secret for project: %s'),
external_project_id)
if transport_key_model is not None:
tkey_url = hrefs.convert_transport_key_to_href(
transport_key_model.id)
return {'secret_ref': url, 'transport_key_ref': tkey_url}
else:
return {'secret_ref': url}
def on_post(self, external_project_id, **kwargs):
LOG.debug('Start on_post for project-ID %s:...', external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
project = res.get_or_create_project(external_project_id)
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipeline case, always use auth token user
creator_id = ctxt.user
self.quota_enforcer.enforce(project)
new_ca = cert_resources.create_subordinate_ca(
project_model=project,
name=data.get('name'),
description=data.get('description'),
subject_dn=data.get('subject_dn'),
parent_ca_ref=data.get('parent_ca_ref'),
creator_id=creator_id
)
url = hrefs.convert_certificate_authority_to_href(new_ca.id)
LOG.debug('URI to sub-CA is %s', url)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a sub CA for project: %s'),
external_project_id)
return {'ca_ref': url}
def on_put(self, external_project_id, **kwargs):
body = api.load_body(pecan.request,
validator=self.type_order_validator)
project = res.get_or_create_project(external_project_id)
order_type = body.get('type')
request_id = None
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt and ctxt.request_id:
request_id = ctxt.request_id
if self.order.type != order_type:
order_cannot_modify_order_type()
if models.OrderType.CERTIFICATE != self.order.type:
_order_update_not_supported_for_type(order_type)
if models.States.PENDING != self.order.status:
_order_cannot_be_updated_if_not_pending(self.order.status)
updated_meta = body.get('meta')
validators.validate_ca_id(project.id, updated_meta)
# TODO(chellygel): Put 'meta' into a separate order association
# entity.
self.queue.update_order(order_id=self.order.id,
project_id=external_project_id,
updated_meta=updated_meta,
request_id=request_id)
def on_get(self, external_project_id, **kw):
def secret_fields(field):
return putil.mime_types.augment_fields_with_content_types(field)
LOG.debug('Start secrets on_get '
'for project-ID %s:', external_project_id)
name = kw.get('name', '')
if name:
name = parse.unquote_plus(name)
bits = kw.get('bits', 0)
try:
bits = int(bits)
except ValueError:
# as per Github issue 171, if bits is invalid then
# the default should be used.
bits = 0
ctxt = controllers._get_barbican_context(pecan.request)
user_id = None
if ctxt:
user_id = ctxt.user
result = self.secret_repo.get_by_create_date(
external_project_id,
offset_arg=kw.get('offset', 0),
limit_arg=kw.get('limit', None),
name=name,
alg=kw.get('alg'),
mode=kw.get('mode'),
bits=bits,
suppress_exception=True,
acl_only=kw.get('acl_only', None),
user_id=user_id
)
secrets, offset, limit, total = result
if not secrets:
secrets_resp_overall = {'secrets': [],
'total': total}
else:
secrets_resp = [
hrefs.convert_to_hrefs(secret_fields(s))
for s in secrets
]
secrets_resp_overall = hrefs.add_nav_hrefs(
'secrets', offset, limit, total,
{'secrets': secrets_resp}
)
secrets_resp_overall.update({'total': total})
LOG.info(u._LI('Retrieved secret list for project: %s'),
external_project_id)
return secrets_resp_overall
def on_get(self, external_project_id, **kw):
def secret_fields(field):
return putil.mime_types.augment_fields_with_content_types(field)
LOG.debug('Start secrets on_get '
'for project-ID %s:', external_project_id)
name = kw.get('name', '')
if name:
name = parse.unquote_plus(name)
bits = kw.get('bits', 0)
try:
bits = int(bits)
except ValueError:
# as per Github issue 171, if bits is invalid then
# the default should be used.
bits = 0
ctxt = controllers._get_barbican_context(pecan.request)
user_id = None
if ctxt:
user_id = ctxt.user
result = self.secret_repo.get_by_create_date(
external_project_id,
offset_arg=kw.get('offset', 0),
limit_arg=kw.get('limit', None),
name=name,
alg=kw.get('alg'),
mode=kw.get('mode'),
bits=bits,
suppress_exception=True,
acl_only=kw.get('acl_only', None),
user_id=user_id
)
secrets, offset, limit, total = result
if not secrets:
secrets_resp_overall = {'secrets': [],
'total': total}
else:
secrets_resp = [
hrefs.convert_to_hrefs(secret_fields(s))
for s in secrets
]
secrets_resp_overall = hrefs.add_nav_hrefs(
'secrets', offset, limit, total,
{'secrets': secrets_resp}
)
secrets_resp_overall.update({'total': total})
LOG.info(u._LI('Retrieved secret list for project: %s'),
external_project_id)
return secrets_resp_overall
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
body = api.load_body(pecan.request,
validator=self.type_order_validator)
order_type = body.get('type')
order_meta = body.get('meta')
request_type = order_meta.get('request_type')
LOG.debug('Processing order type %(order_type)s,'
' request type %(request_type)s' % {
'order_type': order_type,
'request_type': request_type
})
if order_type == models.OrderType.CERTIFICATE:
msg = _DEPRECATION_MSG % "Certificate Order Resource"
versionutils.report_deprecated_feature(LOG, msg)
validators.validate_ca_id(project.id, body.get('meta'))
if request_type == 'stored-key':
container_ref = order_meta.get('container_ref')
validators.validate_stored_key_rsa_container(
external_project_id, container_ref, pecan.request)
self.quota_enforcer.enforce(project)
new_order = models.Order()
new_order.meta = body.get('meta')
new_order.type = order_type
new_order.project_id = project.id
request_id = None
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt:
new_order.creator_id = ctxt.user
request_id = ctxt.request_id
self.order_repo.create_from(new_order)
# Grab our id before commit due to obj expiration from sqlalchemy
order_id = new_order.id
# Force commit to avoid async issues with the workers
repo.commit()
self.queue.process_type_order(order_id=order_id,
project_id=external_project_id,
request_id=request_id)
url = hrefs.convert_order_to_href(order_id)
pecan.response.status = 202
pecan.response.headers['Location'] = url
return {'order_ref': url}
def on_post(self, external_project_id):
ctxt = controllers._get_barbican_context(pecan.request)
data = api.load_body(pecan.request)
project = res.get_or_create_project(external_project_id)
self.quota_enforcer.enforce(project)
response = None
response = plugin.do_attestation(data, external_project_id, False,
ctxt)
if response is None:
_quote_not_found()
return response
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
body = api.load_body(pecan.request,
validator=self.type_order_validator)
order_type = body.get('type')
order_meta = body.get('meta')
request_type = order_meta.get('request_type')
LOG.debug('Processing order type %s, request type %s',
order_type, request_type)
if order_type == models.OrderType.CERTIFICATE:
validators.validate_ca_id(project.id, body.get('meta'))
if request_type == 'stored-key':
container_ref = order_meta.get('container_ref')
validators.validate_stored_key_rsa_container(
external_project_id,
container_ref, pecan.request)
self.quota_enforcer.enforce(project)
new_order = models.Order()
new_order.meta = body.get('meta')
new_order.type = order_type
new_order.project_id = project.id
request_id = None
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt:
new_order.creator_id = ctxt.user
request_id = ctxt.request_id
self.order_repo.create_from(new_order)
# Grab our id before commit due to obj expiration from sqlalchemy
order_id = new_order.id
# Force commit to avoid async issues with the workers
repo.commit()
self.queue.process_type_order(order_id=order_id,
project_id=external_project_id,
request_id=request_id)
url = hrefs.convert_order_to_href(order_id)
pecan.response.status = 202
pecan.response.headers['Location'] = url
return {'order_ref': url}
def _lookup(self, order_id, *remainder):
# NOTE(jaosorior): It's worth noting that even though this section
# actually does a lookup in the database regardless of the RBAC policy
# check, the execution only gets here if authentication of the user was
# previously successful.
controllers.assert_is_valid_uuid_from_uri(order_id)
ctx = controllers._get_barbican_context(pecan.request)
order = self.order_repo.get(entity_id=order_id,
external_project_id=ctx.project,
suppress_exception=True)
if not order:
_order_not_found()
return OrderController(order, self.order_repo), remainder
def _lookup(self, order_id, *remainder):
# NOTE(jaosorior): It's worth noting that even though this section
# actually does a lookup in the database regardless of the RBAC policy
# check, the execution only gets here if authentication of the user was
# previously successful.
ctx = controllers._get_barbican_context(pecan.request)
order = self.order_repo.get(entity_id=order_id,
external_project_id=ctx.project_id,
suppress_exception=True)
if not order:
_order_not_found()
return OrderController(order, self.order_repo), remainder
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
body = api.load_body(pecan.request,
validator=self.type_order_validator)
order_type = body.get('type')
order_meta = body.get('meta')
request_type = order_meta.get('request_type')
LOG.debug('Processing order type %(order_type)s,'
' request type %(request_type)s' % {
'order_type': order_type,
'request_type': request_type
})
self.quota_enforcer.enforce(project)
new_order = models.Order()
new_order.meta = body.get('meta')
new_order.type = order_type
new_order.project_id = project.id
request_id = None
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt:
new_order.creator_id = ctxt.user
request_id = ctxt.request_id
self.order_repo.create_from(new_order)
# Grab our id before commit due to obj expiration from sqlalchemy
order_id = new_order.id
# Force commit to avoid async issues with the workers
repo.commit()
self.queue.process_type_order(order_id=order_id,
project_id=external_project_id,
request_id=request_id)
url = hrefs.convert_order_to_href(order_id)
pecan.response.status = 202
pecan.response.headers['Location'] = url
return {'order_ref': url}
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipleline case, always use auth token user
data['creator_id'] = ctxt.user
self.quota_enforcer.enforce(project)
LOG.debug('Start on_post...%s', data)
new_container = models.Container(data)
new_container.project_id = project.id
# TODO(hgedikli): performance optimizations
for secret_ref in new_container.container_secrets:
secret = self.secret_repo.get(
entity_id=secret_ref.secret_id,
external_project_id=external_project_id,
suppress_exception=True)
if not secret:
# This only partially localizes the error message and
# doesn't localize secret_ref.name.
pecan.abort(
404,
u._("Secret provided for '{secret_name}' doesn't "
"exist.").format(secret_name=secret_ref.name)
)
self.container_repo.create_from(new_container)
url = hrefs.convert_container_to_href(new_container.id)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a container for project: %s'),
external_project_id)
return {'container_ref': url}
def on_post(self, external_project_id, **kwargs):
LOG.debug('Start on_post for project-ID %s:...',
external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
project = res.get_or_create_project(external_project_id)
self.quota_enforcer.enforce(project)
transport_key_needed = data.get('transport_key_needed',
'false').lower() == 'true'
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipleline case, always use auth token user
data['creator_id'] = ctxt.user
secret_model = models.Secret(data)
new_secret, transport_key_model = plugin.store_secret(
unencrypted_raw=data.get('payload'),
content_type_raw=data.get('payload_content_type',
'application/octet-stream'),
content_encoding=data.get('payload_content_encoding'),
secret_model=secret_model,
project_model=project,
transport_key_needed=transport_key_needed,
transport_key_id=data.get('transport_key_id'))
url = hrefs.convert_secret_to_href(new_secret.id)
LOG.debug('URI to secret is %s', url)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info('Created a secret for project: %s',
external_project_id)
if transport_key_model is not None:
tkey_url = hrefs.convert_transport_key_to_href(
transport_key_model.id)
return {'secret_ref': url, 'transport_key_ref': tkey_url}
else:
return {'secret_ref': url}
def on_post(self, external_project_id, **kwargs):
project = res.get_or_create_project(external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipleline case, always use auth token user
data['creator_id'] = ctxt.user
self.quota_enforcer.enforce(project)
LOG.debug('Start on_post...%s', data)
new_container = models.Container(data)
new_container.project_id = project.id
# TODO(hgedikli): performance optimizations
for secret_ref in new_container.container_secrets:
secret = self.secret_repo.get(
entity_id=secret_ref.secret_id,
external_project_id=external_project_id,
suppress_exception=True)
if not secret:
# This only partially localizes the error message and
# doesn't localize secret_ref.name.
pecan.abort(
404,
u._("Secret provided for '{secret_name}' doesn't "
"exist.").format(secret_name=secret_ref.name)
)
self.container_repo.create_from(new_container)
url = hrefs.convert_container_to_href(new_container.id)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info(u._LI('Created a container for project: %s'),
external_project_id)
return {'container_ref': url}
def on_get(self, external_project_id, **kw):
no_consumers = versions.is_supported(pecan.request, max_version='1.0')
# NOTE(xek): consumers are being introduced in 1.1
def secret_fields(field):
resp = putil.mime_types.augment_fields_with_content_types(field)
if no_consumers:
del resp['consumers']
return resp
LOG.debug('Start secrets on_get '
'for project-ID %s:', external_project_id)
name = kw.get('name', '')
if name:
name = parse.unquote_plus(name)
bits = kw.get('bits', 0)
try:
bits = int(bits)
except ValueError:
# as per Github issue 171, if bits is invalid then
# the default should be used.
bits = 0
for date_filter in 'created', 'updated', 'expiration':
if kw.get(date_filter) and not self._is_valid_date_filter(
kw.get(date_filter)):
_bad_query_string_parameters()
if kw.get('sort') and not self._is_valid_sorting(kw.get('sort')):
_bad_query_string_parameters()
ctxt = controllers._get_barbican_context(pecan.request)
user_id = None
if ctxt:
user_id = ctxt.user
result = self.secret_repo.get_secret_list(
external_project_id,
offset_arg=kw.get('offset', 0),
limit_arg=kw.get('limit'),
name=name,
alg=kw.get('alg'),
mode=kw.get('mode'),
bits=bits,
secret_type=kw.get('secret_type'),
suppress_exception=True,
acl_only=kw.get('acl_only'),
user_id=user_id,
created=kw.get('created'),
updated=kw.get('updated'),
expiration=kw.get('expiration'),
sort=kw.get('sort'))
secrets, offset, limit, total = result
if not secrets:
secrets_resp_overall = {'secrets': [], 'total': total}
else:
secrets_resp = [
hrefs.convert_to_hrefs(secret_fields(s)) for s in secrets
]
secrets_resp_overall = hrefs.add_nav_hrefs(
'secrets', offset, limit, total, {'secrets': secrets_resp})
secrets_resp_overall.update({'total': total})
LOG.info('Retrieved secret list for project: %s', external_project_id)
return secrets_resp_overall