def check_credential_exists(ec2credential, credential_table, session):
credential = session.query(credential_table).filter_by(
id=utils.hash_access_key(ec2credential.access)).first()
if credential is None:
return False
blob = utils.get_blob_from_credential(credential)
# check if credential with same access key but different
# secret key already exists in credential table.
# If exists raise an exception
if blob['secret'] != ec2credential.secret:
msg = _('Credential %(access)s already exists with different secret'
' in %(table)s table')
message = msg % {
'access': ec2credential.access,
'table': credential_table.name
}
raise exception.Conflict(type='credential', details=message)
# check if credential with same access and secret key but
# associated with a different project exists. If exists raise
# an exception
elif credential.project_id is not None and (credential.project_id !=
ec2credential.tenant_id):
msg = _('Credential %(access)s already exists with different project'
' in %(table)s table')
message = msg % {
'access': ec2credential.access,
'table': credential_table.name
}
raise exception.Conflict(type='credential', details=message)
# if credential with same access and secret key and not associated
# with any projects already exists in the credential table, then
# return true.
else:
return True
def create_user(self, user_id, user):
user['name'] = clean.user_name(user['name'])
try:
self.get_user(user_id)
except exception.UserNotFound:
pass
else:
msg = 'Duplicate ID, %s.' % user_id
raise exception.Conflict(type='user', details=msg)
try:
self.get_user_by_name(user['name'], user['domain_id'])
except exception.UserNotFound:
pass
else:
msg = 'Duplicate name, %s.' % user['name']
raise exception.Conflict(type='user', details=msg)
user = utils.hash_user_password(user)
new_user = user.copy()
new_user.setdefault('groups', [])
self.db.set('user-%s' % user_id, new_user)
self.db.set('user_name-%s' % new_user['name'], new_user)
user_list = set(self.db.get('user_list', []))
user_list.add(user_id)
self.db.set('user_list', list(user_list))
return identity.filter_user(new_user)
def create_user(self, user_id, user):
user['name'] = clean.user_name(user['name'])
try:
self.get_user(user_id)
except exception.UserNotFound:
pass
else:
msg = 'Duplicate ID, %s.' % user_id
raise exception.Conflict(type='user', details=msg)
try:
self.get_user_by_name(user['name'])
except exception.UserNotFound:
pass
else:
msg = 'Duplicate name, %s.' % user['name']
raise exception.Conflict(type='user', details=msg)
user = _ensure_hashed_password(user)
self.db.set('user-%s' % user_id, user)
self.db.set('user_name-%s' % user['name'], user)
user_list = set(self.db.get('user_list', []))
user_list.add(user_id)
self.db.set('user_list', list(user_list))
return user
def create_role(self, role_id, role):
self.role.check_allow_create()
try:
self.get_role(role_id)
except exception.NotFound: # nosec
# The call to self.get_role() raises this exception when a role
# with the given ID doesn't exist. This was done to ensure that
# a role with the new role's ID doesn't already exist. As such this
# exception is expected to happen in the normal case. The abnormal
# case would be if the role does already exist. So this exception
# is expected to be ignored and there's no security issue with
# ignoring it.
pass
else:
msg = _('Duplicate ID, %s.') % role_id
raise exception.Conflict(type='role', details=msg)
try:
self.role.get_by_name(role['name'])
except exception.NotFound: # nosec
# The call to self.role.get_by_name() raises this exception when a
# role with the given name doesn't exist. This was done to ensure
# that a role with the new role's name doesn't already exist. As
# such this exception is expected to happen in the normal case. The
# abnormal case would be if a role with the same name does already
# exist. So this exception is expected to be ignored and there's no
# security issue with ignoring it.
pass
else:
msg = _('Duplicate name, %s.') % role['name']
raise exception.Conflict(type='role', details=msg)
return self.role.create(role)
def create_user(self, user_id, user):
try:
self.get_user(user_id)
except exception.UserNotFound:
pass
else:
msg = _('Duplicate ID, %s.') % user_id
raise exception.Conflict(type='user', details=msg)
try:
self.get_user_by_name(user['name'], user['domain_id'])
except exception.UserNotFound:
pass
else:
msg = _('Duplicate name, %s.') % user['name']
raise exception.Conflict(type='user', details=msg)
user = utils.hash_user_password(user)
new_user = user.copy()
new_user.setdefault('groups', [])
self.db.set('user-%s' % user_id, new_user)
domain_id = user['domain_id']
user_name_key = self._calc_user_name_key(new_user['name'], domain_id)
self.db.set(user_name_key, new_user)
self._user_id_to_domain_id.notify_user_created(user_id, domain_id)
user_list = set(self.db.get('user_list', []))
user_list.add(user_id)
self.db.set('user_list', list(user_list))
return identity.filter_user(new_user)
def create_role(self, role_id, role):
if self.get_role(role_id):
msg = 'Duplicate ID, %s.' % role_id
raise exception.Conflict(type='role', details=msg)
if self.role.get_by_name(role['name']):
msg = 'Duplicate name, %s.' % role['name']
raise exception.Conflict(type='role', details=msg)
return self.role.create(role)
def create_tenant(self, tenant_id, tenant):
if self.get_tenant(tenant_id):
msg = 'Duplicate ID, %s.' % tenant_id
raise exception.Conflict(type='tenant', details=msg)
if self.get_tenant_by_name(tenant['name']):
msg = 'Duplicate name, %s.' % tenant['name']
raise exception.Conflict(type='tenant', details=msg)
self.db.set('tenant-%s' % tenant_id, tenant)
self.db.set('tenant_name-%s' % tenant['name'], tenant)
return tenant
def wrapper(*args, **kwargs):
try:
return method(*args, **kwargs)
except db_exception.DBDuplicateEntry as e:
raise exception.Conflict(type=conflict_type, details=str(e))
except db_exception.DBError as e:
# TODO(blk-u): inspecting inner_exception breaks encapsulation;
# oslo.db should provide exception we need.
if isinstance(e.inner_exception, IntegrityError):
raise exception.Conflict(type=conflict_type,
details=str(e))
raise
def affirm_unique(self, values):
if values['name'] is not None:
entity = self.get_by_name(values['name'])
if entity is not None:
raise exception.Conflict(type=self.options_name,
details='Duplicate name, %s.' %
values['name'])
if values['id'] is not None:
entity = self.get(values['id'])
if entity is not None:
raise exception.Conflict(type=self.options_name,
details='Duplicate ID, %s.' %
values['id'])
def create_role(self, role_id, role):
role_ref = self.get_role(role_id)
if role_ref:
msg = 'Duplicate ID, %s.' % role_id
raise exception.Conflict(type='role', details=msg)
role_refs = self.list_roles()
for role_ref in role_refs:
if role['name'] == role_ref['name']:
msg = 'Duplicate name, %s.' % role['name']
raise exception.Conflict(type='role', details=msg)
self.db.set('role-%s' % role_id, role)
role_list = set(self.db.get('role_list', []))
role_list.add(role_id)
self.db.set('role_list', list(role_list))
return role
def update(self, id, values):
if values['id'] != id:
raise exception.ValidationError('Cannot change user ID')
try:
old_obj = self.get(id)
except exception.NotFound:
raise exception.UserNotFound(user_id=id)
if old_obj.get('name') != values['name']:
raise exception.Conflict('Cannot change user name')
try:
new_tenant = values['tenant_id']
except KeyError:
pass
else:
if old_obj.get('tenant_id') != new_tenant:
if old_obj['tenant_id']:
self.tenant_api.remove_user(old_obj['tenant_id'], id)
if new_tenant:
self.tenant_api.add_user(new_tenant, id)
values = utils.hash_ldap_user_password(values)
if self.enabled_mask:
values['enabled_nomask'] = old_obj['enabled_nomask']
self.mask_enabled_attribute(values)
super(UserApi, self).update(id, values, old_obj)
def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
self.identity_api.get_user(user_id)
session = self.get_session()
self._get_project(session, tenant_id)
self._get_role(session, role_id)
try:
metadata_ref = self._get_metadata(user_id, tenant_id)
is_new = False
except exception.MetadataNotFound:
metadata_ref = {}
is_new = True
try:
metadata_ref['roles'] = self._add_role_to_role_dicts(
role_id, False, metadata_ref.get('roles', []),
allow_existing=False)
except KeyError:
msg = ('User %s already has role %s in tenant %s'
% (user_id, role_id, tenant_id))
raise exception.Conflict(type='role grant', details=msg)
if is_new:
self._create_metadata(user_id, tenant_id, metadata_ref)
else:
self._update_metadata(user_id, tenant_id, metadata_ref)
def update(self, role_id, role):
try:
old_name = self.get_by_name(role['name'])
raise exception.Conflict(_('Cannot duplicate name %s') % old_name)
except exception.NotFound:
pass
return super(RoleApi, self).update(role_id, role)
def _check_unified_limit_unique(self,
unified_limit,
is_registered_limit=True):
# Ensure the new created or updated unified limit won't break the
# current reference between registered limit and limit. i.e. We should
# ensure that there is no duplicate entry.
hints = driver_hints.Hints()
if is_registered_limit:
hints.add_filter('service_id', unified_limit['service_id'])
hints.add_filter('resource_name', unified_limit['resource_name'])
hints.add_filter('region_id', unified_limit.get('region_id'))
with sql.session_for_read() as session:
query = session.query(RegisteredLimitModel)
unified_limits = sql.filter_limit_query(
RegisteredLimitModel, query, hints).all()
else:
hints.add_filter('registered_limit_id',
unified_limit['registered_limit_id'])
is_project_limit = (True
if unified_limit.get('project_id') else False)
if is_project_limit:
hints.add_filter('project_id', unified_limit['project_id'])
else:
hints.add_filter('domain_id', unified_limit['domain_id'])
with sql.session_for_read() as session:
query = session.query(LimitModel)
unified_limits = sql.filter_limit_query(
LimitModel, query, hints).all()
if unified_limits:
msg = _('Duplicate entry')
limit_type = 'registered_limit' if is_registered_limit else 'limit'
raise exception.Conflict(type=limit_type, details=msg)
def wrapper(*args, **kwargs):
try:
return method(*args, **kwargs)
except db_exception.DBDuplicateEntry as e:
# LOG the exception for debug purposes, do not send the
# exception details out with the raised Conflict exception
# as it can contain raw SQL.
LOG.debug(_conflict_msg, {
'conflict_type': conflict_type,
'details': six.text_type(e)
})
raise exception.Conflict(type=conflict_type,
details=_('Duplicate Entry'))
except db_exception.DBError as e:
# TODO(blk-u): inspecting inner_exception breaks encapsulation;
# oslo.db should provide exception we need.
if isinstance(e.inner_exception, IntegrityError):
# LOG the exception for debug purposes, do not send the
# exception details out with the raised Conflict exception
# as it can contain raw SQL.
LOG.debug(
_conflict_msg, {
'conflict_type': conflict_type,
'details': six.text_type(e)
})
# NOTE(morganfainberg): This is really a case where the SQL
# failed to store the data. This is not something that the
# user has done wrong. Example would be a ForeignKey is
# missing; the code that is executed before reaching the
# SQL writing to the DB should catch the issue.
raise exception.UnexpectedError(
_('An unexpected error occurred when trying to '
'store %s') % conflict_type)
raise
def _check_unified_limit_without_region(self,
unified_limit,
is_registered_limit=True):
hints = driver_hints.Hints()
hints.add_filter('service_id', unified_limit['service_id'])
hints.add_filter('resource_name', unified_limit['resource_name'])
hints.add_filter('region_id', None)
if not is_registered_limit:
# For limit, we should ensure:
# 1. there is no duplicate entry.
# 2. there is a registered limit reference.
reference_hints = copy.deepcopy(hints)
hints.add_filter('project_id', unified_limit['project_id'])
with sql.session_for_read() as session:
unified_limits = session.query(LimitModel)
unified_limits = sql.filter_limit_query(
LimitModel, unified_limits, hints)
with sql.session_for_read() as session:
registered_limits = session.query(RegisteredLimitModel)
registered_limits = sql.filter_limit_query(
RegisteredLimitModel, registered_limits, reference_hints)
if not registered_limits.all():
raise exception.NoLimitReference
else:
# For registered limit, we should just ensure that there is no
# duplicate entry.
with sql.session_for_read() as session:
unified_limits = session.query(RegisteredLimitModel)
unified_limits = sql.filter_limit_query(
RegisteredLimitModel, unified_limits, hints)
if unified_limits.all():
msg = _('Duplicate entry')
limit_type = 'registered_limit' if is_registered_limit else 'limit'
raise exception.Conflict(type=limit_type, details=msg)
def create_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
session = self.get_session()
self._get_role(session, role_id)
if domain_id:
self._get_domain(session, domain_id)
if project_id:
self._get_project(session, project_id)
if project_id and inherited_to_projects:
msg = _('Inherited roles can only be assigned to domains')
raise exception.Conflict(type='role grant', details=msg)
try:
metadata_ref = self._get_metadata(user_id, project_id,
domain_id, group_id)
is_new = False
except exception.MetadataNotFound:
metadata_ref = {}
is_new = True
metadata_ref['roles'] = self._add_role_to_role_dicts(
role_id, inherited_to_projects, metadata_ref.get('roles', []))
if is_new:
self._create_metadata(user_id, project_id, metadata_ref,
domain_id, group_id)
else:
self._update_metadata(user_id, project_id, metadata_ref,
domain_id, group_id)
def add_member(self, member_dn, member_list_dn):
"""Add member to the member list.
:param member_dn: DN of member to be added.
:param member_list_dn: DN of group to which the
member will be added.
:raises: exception.Conflict: If the user was already a member.
self.NotFound: If the group entry didn't exist.
"""
conn = self.get_connection()
try:
mod = (ldap.MOD_ADD, self.member_attribute, member_dn)
conn.modify_s(member_list_dn, [mod])
except ldap.TYPE_OR_VALUE_EXISTS:
raise exception.Conflict(
_('Member %(member)s is already a member'
' of group %(group)s') % {
'member': member_dn,
'group': member_list_dn
})
except ldap.NO_SUCH_OBJECT:
raise self._not_found(member_list_dn)
finally:
conn.unbind_s()
def add_user(self, role_id, role_dn, user_dn, user_id, tenant_id=None):
conn = self.get_connection()
try:
conn.modify_s(role_dn, [(ldap.MOD_ADD,
self.member_attribute, user_dn)])
except ldap.TYPE_OR_VALUE_EXISTS:
msg = (_('User %(user_id)s already has role %(role_id)s in '
'tenant %(tenant_id)s') %
dict(user_id=user_id, role_id=role_id, tenant_id=tenant_id))
raise exception.Conflict(type='role grant', details=msg)
except ldap.NO_SUCH_OBJECT:
if tenant_id is None or self.get(role_id) is None:
raise Exception(_("Role %s not found") % (role_id,))
attrs = [('objectClass', [self.object_class]),
(self.member_attribute, [user_dn])]
if self.use_dumb_member:
attrs[1][1].append(self.dumb_member)
try:
conn.add_s(role_dn, attrs)
except Exception as inst:
raise inst
finally:
conn.unbind_s()
def add_user(self, role_id, user_id, tenant_id=None):
role_dn = self._subrole_id_to_dn(role_id, tenant_id)
conn = self.get_connection()
user_dn = self.user_api._id_to_dn(user_id)
try:
conn.modify_s(role_dn,
[(ldap.MOD_ADD, self.member_attribute, user_dn)])
except ldap.TYPE_OR_VALUE_EXISTS:
msg = ('User %s already has role %s in tenant %s' %
(user_id, role_id, tenant_id))
raise exception.Conflict(type='role grant', details=msg)
except ldap.NO_SUCH_OBJECT:
if tenant_id is None or self.get(role_id) is None:
raise Exception(_("Role %s not found") % (role_id, ))
attrs = [('objectClass', [self.object_class]),
(self.member_attribute, [user_dn])]
if self.use_dumb_member:
attrs[1][1].append(self.dumb_member)
try:
conn.add_s(role_dn, attrs)
except Exception as inst:
raise inst
return UserRoleAssociation(role_id=role_id,
user_id=user_id,
tenant_id=tenant_id)
def create_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
self.get_role(role_id)
if domain_id:
self.get_domain(domain_id)
if project_id:
self.get_project(project_id)
if project_id and inherited_to_projects:
msg = _('Inherited roles can only be assigned to domains')
raise exception.Conflict(type='role grant', details=msg)
try:
metadata_ref = self._get_metadata(user_id, project_id,
domain_id, group_id)
except exception.MetadataNotFound:
metadata_ref = {}
if user_id is None:
metadata_ref['roles'] = self._add_role_to_group_and_project(
group_id, project_id, role_id)
else:
metadata_ref['roles'] = self.add_role_to_user_and_project(
user_id, project_id, role_id)
def create_region(self, region_ref, initiator=None):
# Check duplicate ID
try:
self.get_region(region_ref['id'])
except exception.RegionNotFound: # nosec
# A region with the same id doesn't exist already, good.
pass
else:
msg = _('Duplicate ID, %s.') % region_ref['id']
raise exception.Conflict(type='region', details=msg)
# NOTE(lbragstad,dstanek): The description column of the region
# database cannot be null. So if the user doesn't pass in a
# description or passes in a null description then set it to an
# empty string.
if region_ref.get('description') is None:
region_ref['description'] = ''
try:
ret = self.driver.create_region(region_ref)
except exception.NotFound:
parent_region_id = region_ref.get('parent_region_id')
raise exception.RegionNotFound(region_id=parent_region_id)
notifications.Audit.created(self._REGION, ret['id'], initiator)
COMPUTED_CATALOG_REGION.invalidate()
return ret
def create_role(self, role_id, role):
try:
self.get_role(role_id)
except exception.NotFound:
pass
else:
msg = 'Duplicate ID, %s.' % role_id
raise exception.Conflict(type='role', details=msg)
try:
self.role.get_by_name(role['name'])
except exception.NotFound:
pass
else:
msg = 'Duplicate name, %s.' % role['name']
raise exception.Conflict(type='role', details=msg)
return self.role.create(role)
def add_user(self, user_dn, group_id, user_id):
group_ref = self.get(group_id)
group_dn = group_ref['dn']
try:
super(GroupApi, self).add_member(user_dn, group_dn)
except exception.Conflict:
raise exception.Conflict(_(
'User %(user_id)s is already a member of group %(group_id)s') %
{'user_id': user_id, 'group_id': group_id})
def wrapper(*args, **kwargs):
try:
return method(*args, **kwargs)
except db_exception.DBDuplicateEntry as e:
# LOG the exception for debug purposes, do not send the
# exception details out with the raised Conflict exception
# as it can contain raw SQL.
LOG.debug(_conflict_msg, {'conflict_type': conflict_type,
'details': e})
name = None
field = None
domain_id = None
# First element is unnecessary for extracting name and causes
# object not iterable error. Remove it.
params = args[1:]
# We want to store the duplicate objects name in the error
# message for the user. If name is not available we use the id.
for arg in params:
if isinstance(arg, dict):
if 'name' in arg:
field = 'name'
name = arg['name']
elif 'id' in arg:
field = 'ID'
name = arg['id']
if 'domain_id' in arg:
domain_id = arg['domain_id']
msg = _('Duplicate entry')
if name and domain_id:
msg = _('Duplicate entry found with %(field)s %(name)s '
'at domain ID %(domain_id)s') % {
'field': field, 'name': name, 'domain_id': domain_id}
elif name:
msg = _('Duplicate entry found with %(field)s '
'%(name)s') % {'field': field, 'name': name}
elif domain_id:
msg = (_('Duplicate entry at domain ID %s') % domain_id)
raise exception.Conflict(type=conflict_type,
details=msg)
except db_exception.DBError as e:
# TODO(blk-u): inspecting inner_exception breaks encapsulation;
# oslo_db should provide exception we need.
if isinstance(e.inner_exception, IntegrityError):
# LOG the exception for debug purposes, do not send the
# exception details out with the raised Conflict exception
# as it can contain raw SQL.
LOG.debug(_conflict_msg, {'conflict_type': conflict_type,
'details': e})
# NOTE(morganfainberg): This is really a case where the SQL
# failed to store the data. This is not something that the
# user has done wrong. Example would be a ForeignKey is
# missing; the code that is executed before reaching the
# SQL writing to the DB should catch the issue.
raise exception.UnexpectedError(
_('An unexpected error occurred when trying to '
'store %s') % conflict_type)
raise
def update(self, role_id, role):
if role['id'] != role_id:
raise exception.ValidationError('Cannot change role ID')
try:
old_name = self.get_by_name(role['name'])
raise exception.Conflict('Cannot duplicate name %s' % old_name)
except exception.NotFound:
pass
return super(RoleApi, self).update(role_id, role)
def create_role(self, role_id, role):
try:
self.get_role(role_id)
except exception.RoleNotFound:
pass
else:
msg = 'Duplicate ID, %s.' % role_id
raise exception.Conflict(type='role', details=msg)
for role_ref in self.list_roles():
if role['name'] == role_ref['name']:
msg = 'Duplicate name, %s.' % role['name']
raise exception.Conflict(type='role', details=msg)
self.db.set('role-%s' % role_id, role)
role_list = set(self.db.get('role_list', []))
role_list.add(role_id)
self.db.set('role_list', list(role_list))
return role
def update_user(self, user_id, user):
self.user.check_allow_update()
old_obj = self.user.get(user_id)
if 'name' in user and old_obj.get('name') != user['name']:
raise exception.Conflict(_('Cannot change user name'))
if self.user.enabled_mask:
self.user.mask_enabled_attribute(user)
self.user.update(user_id, user, old_obj)
return self.user.get_filtered(user_id)
def add_user(self, user_id, group_id):
conn = self.get_connection()
try:
conn.modify_s(self._id_to_dn(group_id),
[(ldap.MOD_ADD, self.member_attribute,
self.user_api._id_to_dn(user_id))])
except ldap.TYPE_OR_VALUE_EXISTS:
msg = _('User %s is already a member of group %s' %
(user_id, group_id))
raise exception.Conflict(msg)
def affirm_unique(self, values):
if values.get('name') is not None:
try:
self.get_by_name(values['name'])
except exception.NotFound:
pass
else:
raise exception.Conflict(type=self.options_name,
details=_('Duplicate name, %s.') %
values['name'])
if values.get('id') is not None:
try:
self.get(values['id'])
except exception.NotFound:
pass
else:
raise exception.Conflict(type=self.options_name,
details=_('Duplicate ID, %s.') %
values['id'])