Change the unique properties of secret consumers

This makes the resource_id unique together with service and resource_type (in addition to secret_id). Additionaly the auto-generated alembic migration also adds the missing foreign key for project_id. Change-Id: I4b266782638a4f79357df2b1fe26ea3427479abf
2022-09-12 14:39:11 +02:00 · 2022-09-12 14:39:11 +02:00 · dd94fa2f41
commit dd94fa2f41
parent d8ffdf91e5
4 changed files with 60 additions and 3 deletions
--- a/barbican/api/controllers/consumers.py
+++ b/barbican/api/controllers/consumers.py
@ -353,6 +353,8 @@ class SecretConsumersController(controllers.ACLMixin):

        consumer = self.consumer_repo.get_by_values(
            self.secret_id,
+            data["service"],
+            data["resource_type"],
            data["resource_id"],
            suppress_exception=True
        )
@ -374,7 +376,7 @@ class SecretConsumersController(controllers.ACLMixin):
            _consumer_not_found()

        ret_data = self._return_secret_data(self.secret_id)
-        LOG.info('Deleted a consumer for project: %s',
+        LOG.info('Deleted a secret consumer for project: %s',
                 external_project_id)
        return ret_data

--- a/barbican/model/migration/alembic_migrations/versions/8c74e2d7f1ff_update_secret_consumers_unique_.py
+++ b/barbican/model/migration/alembic_migrations/versions/8c74e2d7f1ff_update_secret_consumers_unique_.py
@ -0,0 +1,49 @@
+# Copyright 2022 OpenStack Foundation
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+
+"""Update secret consumers unique constraint to mach the updated spec
+
+Revision ID: 8c74e2d7f1ff
+Revises: 0f8c192a061f
+Create Date: 2022-09-12 13:03:26.428642
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '8c74e2d7f1ff'
+down_revision = '0f8c192a061f'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+    with op.batch_alter_table('secret_consumer_metadata') as batch_op:
+        batch_op.alter_column('project_id',
+                              existing_type=sa.VARCHAR(length=36),
+                              nullable=True)
+        batch_op.drop_constraint(
+            '_secret_consumer_resource_uc', type_='unique')
+        batch_op.create_unique_constraint(
+            constraint_name='_secret_consumer_resource_uc',
+            columns=['secret_id', 'service', 'resource_type', 'resource_id'])
+        batch_op.create_index(
+            index_name=op.f('ix_secret_consumer_metadata_project_id'),
+            columns=['project_id'],
+            unique=False)
+        batch_op.create_foreign_key(constraint_name=op.f('fk_project_id'),
+                                    referent_table='projects',
+                                    local_cols=['project_id'],
+                                    remote_cols=['id'])
--- a/barbican/model/models.py
+++ b/barbican/model/models.py
@ -1528,7 +1528,8 @@ class SecretConsumerMetadatum(BASE, SoftDeleteMixIn, ModelBase):

    __table_args__ = (
        sa.UniqueConstraint(
-            "secret_id", "resource_id", name="_secret_consumer_resource_uc"
+            "secret_id", "service", "resource_type", "resource_id",
+            name="_secret_consumer_resource_uc"
        ),
    )

--- a/barbican/model/repositories.py
+++ b/barbican/model/repositories.py
@ -2507,7 +2507,8 @@ class SecretConsumerRepo(BaseRepo):

        return entities, offset, limit, total

-    def get_by_values(self, secret_id, resource_id, suppress_exception=False,
+    def get_by_values(self, secret_id, service, resource_type, resource_id,
+                      suppress_exception=False,
                      show_deleted=False, session=None):
        session = self.get_session(session)

@ -2515,6 +2516,8 @@ class SecretConsumerRepo(BaseRepo):
            query = session.query(models.SecretConsumerMetadatum)
            query = query.filter_by(
                secret_id=secret_id,
+                service=service,
+                resource_type=resource_type,
                resource_id=resource_id,
            )

@ -2547,6 +2550,8 @@ class SecretConsumerRepo(BaseRepo):
            # Get the existing entry and reuse it by clearing the deleted flags
            existing_consumer = self.get_by_values(
                new_consumer.secret_id,
+                new_consumer.service,
+                new_consumer.resource_type,
                new_consumer.resource_id,
                show_deleted=True
            )