From d2b7016f133be019d3e34c6109f632e0df9d6375 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es=20de=20Medeiros?= Date: Fri, 30 Aug 2019 15:22:26 +0200 Subject: [PATCH] Add SecretConsumerMetadatum object MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch is part of a series to implement the Secret Consumers spec: https://specs.openstack.org/openstack/barbican-specs/specs/train/secret-consumers.html Change-Id: I5bbd2bf83f70dc7937255777353fd1f6370574e8 Signed-off-by: Moisés Guimarães de Medeiros --- barbican/objects/__init__.py | 3 + barbican/objects/secret.py | 7 +- barbican/objects/secret_consumer_metadatum.py | 142 ++++++++++++++++++ 3 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 barbican/objects/secret_consumer_metadatum.py diff --git a/barbican/objects/__init__.py b/barbican/objects/__init__.py index e0662e71d..e88c21b91 100644 --- a/barbican/objects/__init__.py +++ b/barbican/objects/__init__.py @@ -28,6 +28,7 @@ from barbican.objects import project_quotas from barbican.objects import project_secret_store from barbican.objects import secret from barbican.objects import secret_acl +from barbican.objects import secret_consumer_metadatum from barbican.objects import secret_store_metadatum from barbican.objects import secret_stores from barbican.objects import secret_user_metadatum @@ -54,6 +55,7 @@ SecretACL = secret_acl.SecretACL SecretStores = secret_stores.SecretStores SecretUserMetadatum = secret_user_metadatum.SecretUserMetadatum SecretStoreMetadatum = secret_store_metadatum.SecretStoreMetadatum +SecretConsumerMetadatum = secret_consumer_metadatum.SecretConsumerMetadatum __all__ = ( States, @@ -76,5 +78,6 @@ __all__ = ( SecretStores, SecretUserMetadatum, SecretStoreMetadatum, + SecretConsumerMetadatum, TransportKey, ) diff --git a/barbican/objects/secret.py b/barbican/objects/secret.py index d5069d1b7..026505607 100644 --- a/barbican/objects/secret.py +++ b/barbican/objects/secret.py @@ -48,13 +48,18 @@ class Secret(base.BarbicanObject, base.BarbicanPersistentObject, 'SecretUserMetadatum', default=dict(), nullable=True), + 'consumers': fields.ListOfObjectsField('SecretConsumerMetadatum', + default=list(), + nullable=True), + 'status': fields.StringField(nullable=True, default=base.States.ACTIVE) } db_model = models.Secret db_repo = repo.get_secret_repository() synthetic_fields = ['encrypted_data', 'secret_acls', - 'secret_store_metadata', 'secret_user_metadata'] + 'secret_store_metadata', 'secret_user_metadata', + 'consumers'] @classmethod def get_secret_list(cls, external_project_id, diff --git a/barbican/objects/secret_consumer_metadatum.py b/barbican/objects/secret_consumer_metadatum.py new file mode 100644 index 000000000..aea64ecc6 --- /dev/null +++ b/barbican/objects/secret_consumer_metadatum.py @@ -0,0 +1,142 @@ +# Copyright (c) 2019 Red Hat, inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +from oslo_db import exception as db_exc +from oslo_utils import timeutils +from oslo_versionedobjects import base as object_base + +from barbican.common import utils +from barbican.model import models +from barbican.model import repositories as repos +from barbican.objects import base +from barbican.objects import fields + +LOG = utils.getLogger(__name__) + + +@object_base.VersionedObjectRegistry.register +class SecretConsumerMetadatum(base.BarbicanObject, + base.BarbicanPersistentObject, + object_base.VersionedObjectDictCompat): + fields = { + 'secret_id': fields.StringField(nullable=False), + 'project_id': fields.StringField(nullable=False, default=None), + 'service': fields.StringField(nullable=True, default=None), + 'resource_type': fields.StringField(nullable=True, default=None), + 'resource_id': fields.StringField(nullable=True, default=None), + } + + db_model = models.SecretConsumerMetadatum + db_repo = repos.get_secret_consumer_repository() + + @classmethod + def get_by_secret_id(cls, secret_id, offset_arg=None, limit_arg=None, + suppress_exception=False, session=None): + entities_db, offset, limit, total = \ + cls.db_repo.get_by_secret_id( + secret_id, offset_arg, limit_arg, + suppress_exception, session) + entities = [cls()._from_db_object(entity_db) for entity_db in + entities_db] + return entities, offset, limit, total + + @classmethod + def get_by_resource_id(cls, resource_id, offset_arg=None, limit_arg=None, + suppress_exception=False, session=None): + entities_db, offset, limit, total = \ + cls.db_repo.get_by_resource_id( + resource_id, offset_arg, limit_arg, + suppress_exception, session) + entities = [cls()._from_db_object(entity_db) for entity_db in + entities_db] + return entities, offset, limit, total + + @classmethod + def get_by_values(cls, secret_id, resource_id, suppress_exception=False, + show_deleted=False, session=None): + consumer_db = cls.db_repo.get_by_values(secret_id, + resource_id, + suppress_exception, + show_deleted, + session) + return cls()._from_db_object(consumer_db) + + @classmethod + def create_or_update_from_model(cls, new_consumer, + secret, session=None): + """Create or update secret + + :param new_consumer: a instance of SecretConsumerMetadatum model + :param secret: a instance of Secret OVO + :param session: a session to connect with database + :return: None + + It is used during converting from model to OVO. It will be removed + after Secret resource is implemented OVO. + """ + session = cls.get_session(session=session) + try: + secret.updated_at = timeutils.utcnow() + secret.save(session=session) + new_consumer.save(session=session) + except db_exc.DBDuplicateEntry: + session.rollback() # We know consumer already exists. + + # This operation is idempotent, so log this and move on + LOG.debug( + "Consumer with resource_id %s already exists for secret %s...", + new_consumer.resource_id, new_consumer.secret_id + ) + # Get the existing entry and reuse it by clearing the deleted flags + existing_consumer = cls.get_by_values( + new_consumer.secret_id, + new_consumer.resource_id, + show_deleted=True + ) + existing_consumer.deleted = False + existing_consumer.deleted_at = None + # We are not concerned about timing here -- set only, no reads + existing_consumer.save(session=session) + + @classmethod + def create_or_update_from(cls, new_consumer, secret, session=None): + """Create or update secret + + :param new_consumer: a instance of SecretConsumerMetadatum OVO + :param secret: a instance of Secret OVO + :param session: a session to connect with database + :return: None + """ + session = cls.get_session(session=session) + try: + secret.updated_at = timeutils.utcnow() + secret.consumers.append(new_consumer) + secret.save(session=session) + except db_exc.DBDuplicateEntry: + session.rollback() # We know consumer already exists. + + # This operation is idempotent, so log this and move on + LOG.debug( + "Consumer with resource_id %s already exists for secret %s...", + new_consumer.resource_id, new_consumer.secret_id + ) + # Get the existing entry and reuse it by clearing the deleted flags + existing_consumer = cls.get_by_values( + new_consumer.secret_id, + new_consumer.resource_id, + show_deleted=True + ) + existing_consumer.deleted = False + existing_consumer.deleted_at = None + # We are not concerned about timing here -- set only, no reads + existing_consumer.save(session=session)