Add SecretConsumerMetadatum object

This patch is part of a series to implement the Secret Consumers spec: https://specs.openstack.org/openstack/barbican-specs/specs/train/secret-consumers.html Change-Id: I5bbd2bf83f70dc7937255777353fd1f6370574e8 Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
2019-08-30 15:22:26 +02:00 · 2019-08-30 15:22:26 +02:00 · d2b7016f13
commit d2b7016f13
parent 2f9dfa68cb
3 changed files with 151 additions and 1 deletions
--- a/barbican/objects/init.py
+++ b/barbican/objects/init.py
@ -28,6 +28,7 @@ from barbican.objects import project_quotas
 from barbican.objects import project_secret_store
 from barbican.objects import secret
 from barbican.objects import secret_acl
+from barbican.objects import secret_consumer_metadatum
 from barbican.objects import secret_store_metadatum
 from barbican.objects import secret_stores
 from barbican.objects import secret_user_metadatum
@ -54,6 +55,7 @@ SecretACL = secret_acl.SecretACL
 SecretStores = secret_stores.SecretStores
 SecretUserMetadatum = secret_user_metadatum.SecretUserMetadatum
 SecretStoreMetadatum = secret_store_metadatum.SecretStoreMetadatum
+SecretConsumerMetadatum = secret_consumer_metadatum.SecretConsumerMetadatum

 __all__ = (
    States,
@ -76,5 +78,6 @@ __all__ = (
    SecretStores,
    SecretUserMetadatum,
    SecretStoreMetadatum,
+    SecretConsumerMetadatum,
    TransportKey,
 )
--- a/barbican/objects/secret.py
+++ b/barbican/objects/secret.py
@ -48,13 +48,18 @@ class Secret(base.BarbicanObject, base.BarbicanPersistentObject,
            'SecretUserMetadatum',
            default=dict(),
            nullable=True),
+        'consumers': fields.ListOfObjectsField('SecretConsumerMetadatum',
+                                               default=list(),
+                                               nullable=True),
+
        'status': fields.StringField(nullable=True, default=base.States.ACTIVE)
    }

    db_model = models.Secret
    db_repo = repo.get_secret_repository()
    synthetic_fields = ['encrypted_data', 'secret_acls',
-                        'secret_store_metadata', 'secret_user_metadata']
+                        'secret_store_metadata', 'secret_user_metadata',
+                        'consumers']

    @classmethod
    def get_secret_list(cls, external_project_id,
--- a/barbican/objects/secret_consumer_metadatum.py
+++ b/barbican/objects/secret_consumer_metadatum.py
@ -0,0 +1,142 @@
+#    Copyright (c) 2019 Red Hat, inc.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from oslo_db import exception as db_exc
+from oslo_utils import timeutils
+from oslo_versionedobjects import base as object_base
+
+from barbican.common import utils
+from barbican.model import models
+from barbican.model import repositories as repos
+from barbican.objects import base
+from barbican.objects import fields
+
+LOG = utils.getLogger(__name__)
+
+
+@object_base.VersionedObjectRegistry.register
+class SecretConsumerMetadatum(base.BarbicanObject,
+                              base.BarbicanPersistentObject,
+                              object_base.VersionedObjectDictCompat):
+    fields = {
+        'secret_id': fields.StringField(nullable=False),
+        'project_id': fields.StringField(nullable=False, default=None),
+        'service': fields.StringField(nullable=True, default=None),
+        'resource_type': fields.StringField(nullable=True, default=None),
+        'resource_id': fields.StringField(nullable=True, default=None),
+    }
+
+    db_model = models.SecretConsumerMetadatum
+    db_repo = repos.get_secret_consumer_repository()
+
+    @classmethod
+    def get_by_secret_id(cls, secret_id, offset_arg=None, limit_arg=None,
+                         suppress_exception=False, session=None):
+        entities_db, offset, limit, total = \
+            cls.db_repo.get_by_secret_id(
+                secret_id, offset_arg, limit_arg,
+                suppress_exception, session)
+        entities = [cls()._from_db_object(entity_db) for entity_db in
+                    entities_db]
+        return entities, offset, limit, total
+
+    @classmethod
+    def get_by_resource_id(cls, resource_id, offset_arg=None, limit_arg=None,
+                           suppress_exception=False, session=None):
+        entities_db, offset, limit, total = \
+            cls.db_repo.get_by_resource_id(
+                resource_id, offset_arg, limit_arg,
+                suppress_exception, session)
+        entities = [cls()._from_db_object(entity_db) for entity_db in
+                    entities_db]
+        return entities, offset, limit, total
+
+    @classmethod
+    def get_by_values(cls, secret_id, resource_id, suppress_exception=False,
+                      show_deleted=False, session=None):
+        consumer_db = cls.db_repo.get_by_values(secret_id,
+                                                resource_id,
+                                                suppress_exception,
+                                                show_deleted,
+                                                session)
+        return cls()._from_db_object(consumer_db)
+
+    @classmethod
+    def create_or_update_from_model(cls, new_consumer,
+                                    secret, session=None):
+        """Create or update secret
+
+        :param new_consumer: a instance of SecretConsumerMetadatum model
+        :param secret: a instance of Secret OVO
+        :param session: a session to connect with database
+        :return: None
+
+        It is used during converting from model to OVO. It will be removed
+        after Secret resource is implemented OVO.
+        """
+        session = cls.get_session(session=session)
+        try:
+            secret.updated_at = timeutils.utcnow()
+            secret.save(session=session)
+            new_consumer.save(session=session)
+        except db_exc.DBDuplicateEntry:
+            session.rollback()  # We know consumer already exists.
+
+            # This operation is idempotent, so log this and move on
+            LOG.debug(
+                "Consumer with resource_id %s already exists for secret %s...",
+                new_consumer.resource_id, new_consumer.secret_id
+            )
+            # Get the existing entry and reuse it by clearing the deleted flags
+            existing_consumer = cls.get_by_values(
+                new_consumer.secret_id,
+                new_consumer.resource_id,
+                show_deleted=True
+            )
+            existing_consumer.deleted = False
+            existing_consumer.deleted_at = None
+            # We are not concerned about timing here -- set only, no reads
+            existing_consumer.save(session=session)
+
+    @classmethod
+    def create_or_update_from(cls, new_consumer, secret, session=None):
+        """Create or update secret
+
+        :param new_consumer: a instance of SecretConsumerMetadatum OVO
+        :param secret: a instance of Secret OVO
+        :param session: a session to connect with database
+        :return: None
+        """
+        session = cls.get_session(session=session)
+        try:
+            secret.updated_at = timeutils.utcnow()
+            secret.consumers.append(new_consumer)
+            secret.save(session=session)
+        except db_exc.DBDuplicateEntry:
+            session.rollback()  # We know consumer already exists.
+
+            # This operation is idempotent, so log this and move on
+            LOG.debug(
+                "Consumer with resource_id %s already exists for secret %s...",
+                new_consumer.resource_id, new_consumer.secret_id
+            )
+            # Get the existing entry and reuse it by clearing the deleted flags
+            existing_consumer = cls.get_by_values(
+                new_consumer.secret_id,
+                new_consumer.resource_id,
+                show_deleted=True
+            )
+            existing_consumer.deleted = False
+            existing_consumer.deleted_at = None
+            # We are not concerned about timing here -- set only, no reads
+            existing_consumer.save(session=session)