Change the unique properties of secret consumers

This makes the resource_id unique together with service and resource_type (in addition to secret_id). Additionaly the auto-generated alembic migration also adds the missing foreign key for project_id. Change-Id: I4b266782638a4f79357df2b1fe26ea3427479abf
2022-09-12 14:39:11 +02:00 · 2022-09-12 14:39:11 +02:00 · dd94fa2f41
commit dd94fa2f41
parent d8ffdf91e5
4 changed files with 60 additions and 3 deletions
--- a/barbican/api/controllers/consumers.py
+++ b/barbican/api/controllers/consumers.py
@ -353,6 +353,8 @@ class SecretConsumersController(controllers.ACLMixin):
        consumer = self.consumer_repo.get_by_values(
            self.secret_id,
            data["service"],
            data["resource_type"],
            data["resource_id"],
            suppress_exception=True
        )
@ -374,7 +376,7 @@ class SecretConsumersController(controllers.ACLMixin):
            _consumer_not_found()
        ret_data = self._return_secret_data(self.secret_id)
-        LOG.info('Deleted a consumer for project: %s',
+        LOG.info('Deleted a secret consumer for project: %s',
                 external_project_id)
        return ret_data
--- a/barbican/model/migration/alembic_migrations/versions/8c74e2d7f1ff_update_secret_consumers_unique_.py
+++ b/barbican/model/migration/alembic_migrations/versions/8c74e2d7f1ff_update_secret_consumers_unique_.py
@ -0,0 +1,49 @@
 # Copyright 2022 OpenStack Foundation
 #
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
 #    not use this file except in compliance with the License. You may obtain
 #    a copy of the License at
 #
 #         http://www.apache.org/licenses/LICENSE-2.0
 #
 #    Unless required by applicable law or agreed to in writing, software
 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
 #
 """Update secret consumers unique constraint to mach the updated spec
 Revision ID: 8c74e2d7f1ff
 Revises: 0f8c192a061f
 Create Date: 2022-09-12 13:03:26.428642
 """
 # revision identifiers, used by Alembic.
 revision = '8c74e2d7f1ff'
 down_revision = '0f8c192a061f'
 from alembic import op
 import sqlalchemy as sa
 def upgrade():
    with op.batch_alter_table('secret_consumer_metadata') as batch_op:
        batch_op.alter_column('project_id',
                              existing_type=sa.VARCHAR(length=36),
                              nullable=True)
        batch_op.drop_constraint(
            '_secret_consumer_resource_uc', type_='unique')
        batch_op.create_unique_constraint(
            constraint_name='_secret_consumer_resource_uc',
            columns=['secret_id', 'service', 'resource_type', 'resource_id'])
        batch_op.create_index(
            index_name=op.f('ix_secret_consumer_metadata_project_id'),
            columns=['project_id'],
            unique=False)
        batch_op.create_foreign_key(constraint_name=op.f('fk_project_id'),
                                    referent_table='projects',
                                    local_cols=['project_id'],
                                    remote_cols=['id'])
--- a/barbican/model/models.py
+++ b/barbican/model/models.py
@ -1528,7 +1528,8 @@ class SecretConsumerMetadatum(BASE, SoftDeleteMixIn, ModelBase):
    __table_args__ = (
        sa.UniqueConstraint(
-            "secret_id", "resource_id", name="_secret_consumer_resource_uc"
+            "secret_id", "service", "resource_type", "resource_id",
            name="_secret_consumer_resource_uc"
        ),
    )
--- a/barbican/model/repositories.py
+++ b/barbican/model/repositories.py
@ -2507,7 +2507,8 @@ class SecretConsumerRepo(BaseRepo):
        return entities, offset, limit, total
-    def get_by_values(self, secret_id, resource_id, suppress_exception=False,
+    def get_by_values(self, secret_id, service, resource_type, resource_id,
                      suppress_exception=False,
                      show_deleted=False, session=None):
        session = self.get_session(session)
@ -2515,6 +2516,8 @@ class SecretConsumerRepo(BaseRepo):
            query = session.query(models.SecretConsumerMetadatum)
            query = query.filter_by(
                secret_id=secret_id,
                service=service,
                resource_type=resource_type,
                resource_id=resource_id,
            )
@ -2547,6 +2550,8 @@ class SecretConsumerRepo(BaseRepo):
            # Get the existing entry and reuse it by clearing the deleted flags
            existing_consumer = self.get_by_values(
                new_consumer.secret_id,
                new_consumer.service,
                new_consumer.resource_type,
                new_consumer.resource_id,
                show_deleted=True
            )