openstack/barbican
Code Issues Proposed changes

Merge "Implement OVO for Barbican [1]"

Browse Source
This commit is contained in:
Zuul 2018-06-04 15:51:59 +00:00 committed by Gerrit Code Review
commit c75924017f
10 changed files with 628 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
barbican/objects/encrypted_datum.py Normal file
View File

@ -0,0 +1,39 @@
# Copyright 2018 Fujitsu.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_versionedobjects import base as object_base
from barbican.model import models
from barbican.model import repositories as repo
from barbican.objects import base
from barbican.objects import fields
@object_base.VersionedObjectRegistry.register
class EncryptedDatum(base.BarbicanObject, base.BarbicanPersistentObject,
object_base.VersionedObjectDictCompat):
fields = {
'content_type': fields.StringField(nullable=True, default=None),
'secret_id': fields.StringField(),
'kek_id': fields.StringField(),
'cypher_text': fields.StringField(nullable=True, default=None),
'kek_meta_extended': fields.StringField(nullable=True, default=None),
'kek_meta_project': fields.ObjectField('KEKDatum',
nullable=True, default=None),
'status': fields.StringField(nullable=True, default=base.States.ACTIVE)
}
db_model = models.EncryptedDatum
db_repo = repo.get_encrypted_datum_repository()
synthetic_fields = ['kek_meta_project']

46
barbican/objects/kekdatum.py Normal file
View File

@ -0,0 +1,46 @@
# Copyright 2018 Fujitsu.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_versionedobjects import base as object_base
from barbican.model import models
from barbican.model import repositories as repo
from barbican.objects import base
from barbican.objects import fields
@object_base.VersionedObjectRegistry.register
class KEKDatum(base.BarbicanObject, base.BarbicanPersistentObject,
object_base.VersionedObjectDictCompat):
fields = {
'plugin_name': fields.StringField(nullable=True, default=None),
'kek_label': fields.StringField(nullable=True, default=None),
'project_id': fields.StringField(nullable=True, default=None),
'active': fields.BooleanField(default=True),
'bind_completed': fields.BooleanField(default=False),
'algorithm': fields.StringField(nullable=True, default=None),
'bit_length': fields.IntegerField(nullable=True, default=None),
'mode': fields.StringField(nullable=True, default=None),
'plugin_meta': fields.StringField(nullable=True, default=None)
}
db_model = models.KEKDatum
db_repo = repo.get_kek_datum_repository()
@classmethod
def find_or_create_kek_datum(cls, project, plugin_name,
suppress_exception=False, session=None):
kek_datum_db = cls.db_repo.find_or_create_kek_datum(
project, plugin_name, suppress_exception, session)
return cls()._from_db_object(kek_datum_db)

38
barbican/objects/project.py Normal file
View File

@ -0,0 +1,38 @@
# Copyright 2018 Fujitsu.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_versionedobjects import base as object_base
from barbican.model import models
from barbican.model import repositories as repo
from barbican.objects import base
from barbican.objects import fields
@object_base.VersionedObjectRegistry.register
class Project(base.BarbicanObject, base.BarbicanPersistentObject,
object_base.VersionedObjectDictCompat):
fields = {
'external_id': fields.StringField(nullable=True, default=None),
}
db_model = models.Project
db_repo = repo.get_project_repository()
@classmethod
def find_by_external_project_id(cls, external_project_id,
suppress_exception=False, session=None):
project_db = cls.db_repo.find_by_external_project_id(
external_project_id, suppress_exception, session)
return cls()._from_db_object(project_db)

80
barbican/objects/secret.py Normal file
View File

@ -0,0 +1,80 @@
# Copyright 2018 Fujitsu.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_versionedobjects import base as object_base
from barbican.common import utils
from barbican.model import models
from barbican.model import repositories as repo
from barbican.objects import base
from barbican.objects import fields
@object_base.VersionedObjectRegistry.register
class Secret(base.BarbicanObject, base.BarbicanPersistentObject,
object_base.VersionedObjectDictCompat):
"""This class represents Secret object"""
fields = {
'name': fields.StringField(nullable=True),
'secret_type': fields.StringField(nullable=True,
default=utils.SECRET_TYPE_OPAQUE),
'expiration': fields.DateTimeField(nullable=True, default=None),
'algorithm': fields.StringField(nullable=True, default=None),
'bit_length': fields.IntegerField(nullable=True, default=None),
'mode': fields.StringField(nullable=True, default=None),
'creator_id': fields.StringField(nullable=True, default=None),
'project_id': fields.StringField(nullable=True, default=None),
'encrypted_data': fields.ListOfObjectsField('EncryptedDatum',
default=list(),
nullable=True),
'secret_acls': fields.ListOfObjectsField('SecretACL',
default=list(),
nullable=True),
'secret_store_metadata':
fields.DictOfObjectsField('SecretStoreMetadatum', default=dict(),
nullable=True),
'secret_user_metadata': fields.DictOfObjectsField(
'SecretUserMetadatum',
default=dict(),
nullable=True),
'status': fields.StringField(nullable=True, default=base.States.ACTIVE)
}
db_model = models.Secret
db_repo = repo.get_secret_repository()
synthetic_fields = ['encrypted_data', 'secret_acls',
'secret_store_metadata', 'secret_user_metadata']
@classmethod
def get_secret_list(cls, external_project_id,
offset_arg=None, limit_arg=None,
name=None, alg=None, mode=None,
bits=0, secret_type=None, suppress_exception=False,
session=None, acl_only=None, user_id=None,
created=None, updated=None, expiration=None,
sort=None):
secrets_db, offset, limit, total = cls.db_repo.get_secret_list(
external_project_id, offset_arg, limit_arg, name, alg, mode, bits,
secret_type, suppress_exception, session, acl_only, user_id,
created, updated, expiration, sort)
secrets_object = [cls()._from_db_object(secret_db)
for secret_db in secrets_db]
return secrets_object, offset, limit, total
@classmethod
def get_secret_by_id(cls, entity_id, suppress_exception=False,
session=None):
secret_db = cls.db_repo.get_secret_by_id(
entity_id, suppress_exception, session)
return cls()._from_db_object(secret_db)

169
barbican/objects/secret_acl.py Normal file
View File

@ -0,0 +1,169 @@
# Copyright 2018 Fujitsu.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_utils import timeutils
from oslo_versionedobjects import base as object_base
from barbican.common import exception
from barbican import i18n as u
from barbican.model import models
from barbican.model import repositories as repos
from barbican.objects import base
from barbican.objects import fields
from barbican.objects import secret_acl_user
@object_base.VersionedObjectRegistry.register
class SecretACL(base.BarbicanObject, base.BarbicanPersistentObject,
object_base.VersionedObjectDictCompat):
fields = {
'secret_id': fields.StringField(),
'operation': fields.StringField(),
'project_access': fields.BooleanField(default=True),
'acl_users': fields.ListOfObjectsField('SecretACLUser',
default=list()),
'status': fields.StringField(nullable=True, default=base.States.ACTIVE)
}
db_model = models.SecretACL
db_repo = repos.get_secret_acl_repository()
synthetic_fields = ['acl_users']
def _validate_fields(self, change_fields):
msg = u._("Must supply non-None {0} argument for SecretACL entry.")
if change_fields.get('secret_id') is None:
raise exception.MissingArgumentError(msg.format("secret_id"))
if change_fields.get('operation') is None:
raise exception.MissingArgumentError(msg.format("operation"))
def _get_db_entity(self, user_ids=None):
return self.db_model(user_ids=user_ids)
def create(self, session=None, user_ids=None):
change_fields = self._get_changed_persistent_fields()
self._validate_fields(change_fields)
db_entity = self._get_db_entity(user_ids=user_ids)
db_entity.update(change_fields)
db_entity = self.db_repo.create_from(db_entity, session=session)
self._from_db_object(db_entity)
def delete(self, session):
entity_id = self.id
self.db_repo.delete_entity_by_id(
entity_id=entity_id, external_project_id=None, session=session)
@classmethod
def get_by_secret_id(cls, secret_id, session=None):
secret_acls_db = cls.db_repo.get_by_secret_id(
secret_id, session=session)
secret_acls_obj = [cls()._from_db_object(secret_acl_db)
for secret_acl_db in secret_acls_db]
return secret_acls_obj
@classmethod
def create_or_replace_from_model(cls, secret, secret_acl,
user_ids=None, session=None):
"""Create or replace Secret and SecretACL
:param secret: an instance of Secret model
:param secret_acl: an instance of SecretACL object
:param user_ids:
:param session: a session to connect with database
It is used during converting from model to OVO. It will be removed
after Secret resource is implemented OVO.
"""
secret.updated_at = timeutils.utcnow()
secret_acl.updated_at = timeutils.utcnow()
secret.save(session=session)
if secret_acl.id:
secret_acl.save(session=session)
else:
secret_acl.create(session=session)
cls._create_or_replace_acl_users(secret_acl=secret_acl,
user_ids=user_ids,
session=session)
@classmethod
def _create_or_replace_acl_users(cls, secret_acl, user_ids, session=None):
"""Create or replace acl_user
:param secret_acl: an instance of OVO
:param user_ids: id of users
:param session: a session to connect with database
"""
if user_ids is None:
return
user_ids = set(user_ids)
now = timeutils.utcnow()
secret_acl.updated_at = now
for acl_user in secret_acl.acl_users:
if acl_user.user_id in user_ids: # input user_id already exists
acl_user.updated_at = now
acl_user.save(session=session)
user_ids.remove(acl_user.user_id)
else:
acl_user.delete(session=session)
for user_id in user_ids:
acl_user = secret_acl_user.SecretACLUser(acl_id=secret_acl.id,
user_id=user_id)
acl_user.create(session=session)
if secret_acl.id:
secret_acl.save(session=session)
else:
secret_acl.create(session=session)
@classmethod
def create_or_replace_from(cls, secret, secret_acl, user_ids=None):
# TODO(namnh):
# I will update this function after Secret resource is implemented.
pass
@classmethod
def delete_acls_for_secret_model(cls, secret, session=None):
"""Delete acl in Secret
:param secret: an instance of Secret model
:param session: a session to connect with database
Used during converting Model to OVO. It will be removed in the near
future.
"""
cls.db_repo.delete_acls_for_secret(secret, session)
@classmethod
def delete_acls_for_secret(cls, secret, session=None):
"""Delete acl in a secret.
:param secret: an instance of Secret OVO
:param session: a session to connect with database
This function will be using after Secret resource is implemented OVO.
"""
session = cls.get_session(session=session)
for entity in secret.secret_acls:
entity.delete(session=session)
@classmethod
def get_count(cls, secret_id, session=None):
return cls.db_repo.get_count(secret_id, session=session)

46
barbican/objects/secret_acl_user.py Normal file
View File

@ -0,0 +1,46 @@
# Copyright 2018 Fujitsu.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_versionedobjects import base as object_base
from barbican.common import exception
from barbican import i18n as u
from barbican.model import models
from barbican.model import repositories as repos
from barbican.objects import base
from barbican.objects import fields
@object_base.VersionedObjectRegistry.register
class SecretACLUser(base.BarbicanObject, base.BarbicanPersistentObject,
object_base.VersionedObjectDictCompat):
fields = {
'acl_id': fields.StringField(),
'user_id': fields.StringField(),
'status': fields.StringField(nullable=True, default=base.States.ACTIVE)
}
db_model = models.SecretACLUser
db_repo = repos.get_secret_acl_user_repository()
def _validate_fields(self, change_fields):
if change_fields.get('user_id') is None:
msg = u._(
"Must supply non-None {0} argument for SecretACLUser entry.")
raise exception.MissingArgumentError(msg.format("user_id"))
def delete(self, session):
entity_id = self.id
self.db_repo.delete_entity_by_id(
entity_id=entity_id, external_project_id=None, session=session)

59
barbican/objects/secret_store_metadatum.py Normal file
View File

@ -0,0 +1,59 @@
# Copyright 2018 Fujitsu.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_utils import timeutils
from oslo_versionedobjects import base as object_base
from barbican.common import exception
from barbican import i18n as u
from barbican.model import models
from barbican.model import repositories as repo
from barbican.objects import base
from barbican.objects import fields
@object_base.VersionedObjectRegistry.register
class SecretStoreMetadatum(base.BarbicanObject, base.BarbicanPersistentObject,
object_base.VersionedObjectDictCompat):
fields = {
'key': fields.StringField(),
'value': fields.StringField(),
'secret_id': fields.StringField()
}
db_model = models.SecretStoreMetadatum
db_repo = repo.get_secret_meta_repository()
def _validate_fields(self, change_fields):
msg = u._("Must supply non-None {0} argument "
"for SecretStoreMetadatum entry.")
if change_fields.get('key') is None:
raise exception.MissingArgumentError(msg.format('key'))
if change_fields.get('value') is None:
raise exception.MissingArgumentError(msg.format('value'))
@classmethod
def save(cls, metadata, secret_obj):
"""Saves the specified metadata for the secret."""
now = timeutils.utcnow()
for k, v in metadata.items():
meta_obj = cls(key=k, value=v)
meta_obj.updated_at = now
meta_obj.secret_id = secret_obj.id
meta_obj.create()
@classmethod
def get_metadata_for_secret(cls, secret_id):
return cls.db_repo.get_metadata_for_secret(secret_id)

41
barbican/objects/secret_stores.py Normal file
View File

@ -0,0 +1,41 @@
# Copyright 2018 Fujitsu.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_versionedobjects import base as object_base
from barbican.model import models
from barbican.model import repositories as repos
from barbican.objects import base
from barbican.objects import fields
@object_base.VersionedObjectRegistry.register
class SecretStores(base.BarbicanObject, base.BarbicanPersistentObject,
object_base.VersionedObjectDictCompat):
fields = {
'store_plugin': fields.StringField(),
'crypto_plugin': fields.StringField(nullable=True),
'global_default': fields.BooleanField(default=False),
'name': fields.StringField(),
'status': fields.StringField(nullable=True, default=base.States.ACTIVE)
}
db_model = models.SecretStores
db_repo = repos.get_secret_stores_repository()
@classmethod
def get_all(cls, session=None):
secret_stores_db = cls.db_repo.get_all(session)
secret_stores_obj = [cls()._from_db_object(secret_store_db) for
secret_store_db in secret_stores_db]
return secret_stores_obj

49
barbican/objects/secret_user_metadatum.py Normal file
View File

@ -0,0 +1,49 @@
# Copyright 2018 Fujitsu.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_versionedobjects import base as object_base
from barbican.model import models
from barbican.model import repositories as repo
from barbican.objects import base
from barbican.objects import fields
@object_base.VersionedObjectRegistry.register
class SecretUserMetadatum(base.BarbicanObject, base.BarbicanPersistentObject,
object_base.VersionedObjectDictCompat):
fields = {
'key': fields.StringField(),
'value': fields.StringField(),
'secret_id': fields.StringField(),
}
db_model = models.SecretStoreMetadatum
db_repo = repo.get_secret_user_meta_repository()
@classmethod
def create_replace_user_metadata(cls, secret_id, metadata):
cls.db_repo.create_replace_user_metadata(secret_id, metadata)
@classmethod
def get_metadata_for_secret(cls, secret_id):
return cls.db_repo.get_metadata_for_secret(secret_id)
@classmethod
def create_replace_user_metadatum(cls, secret_id, key, value):
cls.db_repo.create_replace_user_metadatum(secret_id, key, value)
@classmethod
def delete_metadatum(cls, secret_id, key):
cls.db_repo.delete_metadatum(secret_id, key)

61
barbican/objects/transport_key.py Normal file
View File

@ -0,0 +1,61 @@
# Copyright 2018 Fujitsu.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_versionedobjects import base as object_base
from barbican.common import exception
from barbican import i18n as u
from barbican.model import models
from barbican.model import repositories as repo
from barbican.objects import base
from barbican.objects import fields
@object_base.VersionedObjectRegistry.register
class TransportKey(base.BarbicanObject, base.BarbicanPersistentObject,
object_base.VersionedObjectDictCompat):
fields = {
'plugin_name': fields.StringField(),
'transport_key': fields.StringField(),
'status': fields.StringField(nullable=True, default=base.States.ACTIVE)
}
db_model = models.TransportKey
db_repo = repo.get_transport_key_repository()
def _validate_fields(self, change_fields):
msg = u._("Must supply non-None {0} argument for TransportKey entry.")
if change_fields.get('plugin_name') is None:
raise exception.MissingArgumentError(msg.format("plugin_name"))
if change_fields.get('transport_key') is None:
raise exception.MissingArgumentError(msg.format("transport_key"))
@classmethod
def get_by_create_date(cls, plugin_name=None,
offset_arg=None, limit_arg=None,
suppress_exception=False, session=None):
transport_keys_db, offset, limit, total = \
cls.db_repo.get_by_create_date(plugin_name, offset_arg, limit_arg,
suppress_exception, session)
transport_keys_obj = [cls()._from_db_object(transport_key)
for transport_key in transport_keys_db]
return transport_keys_obj, offset, limit, total
@classmethod
def get_latest_transport_key(cls, plugin_name, suppress_exception=False,
session=None):
transport_key_db = cls.db_repo.get_latest_transport_key(
plugin_name, suppress_exception, session)
return cls()._from_db_object(transport_key_db)