From dd94fa2f41471bf47487416ed4a5c37208e8e8cc Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Mon, 12 Sep 2022 14:39:11 +0200
Subject: [PATCH] Change the unique properties of secret consumers

This makes the resource_id unique together with service and resource_type (in addition to secret_id). Additionaly the auto-generated alembic migration also adds the missing foreign key for project_id.

Change-Id: I4b266782638a4f79357df2b1fe26ea3427479abf
---
 barbican/api/controllers/consumers.py | 4 +-
 ...2d7f1ff_update_secret_consumers_unique_.py | 49 +++++++++++++++++++
 barbican/model/models.py | 3 +-
 barbican/model/repositories.py | 7 ++-
 4 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100644 barbican/model/migration/alembic_migrations/versions/8c74e2d7f1ff_update_secret_consumers_unique_.py
diff --git a/barbican/api/controllers/consumers.py b/barbican/api/controllers/consumers.py
index 037d67d6d..84983d437 100644
--- a/barbican/api/controllers/consumers.py
+++ b/barbican/api/controllers/consumers.py
@@ -353,6 +353,8 @@ class SecretConsumersController(controllers.ACLMixin):
 consumer = self.consumer_repo.get_by_values(
 self.secret_id,
+ data["service"],
+ data["resource_type"],
 data["resource_id"],
 suppress_exception=True
 )
@@ -374,7 +376,7 @@ class SecretConsumersController(controllers.ACLMixin):
 _consumer_not_found()
 ret_data = self._return_secret_data(self.secret_id)
- LOG.info('Deleted a consumer for project: %s',
+ LOG.info('Deleted a secret consumer for project: %s',
 external_project_id)
 return ret_data
diff --git a/barbican/model/migration/alembic_migrations/versions/8c74e2d7f1ff_update_secret_consumers_unique_.py b/barbican/model/migration/alembic_migrations/versions/8c74e2d7f1ff_update_secret_consumers_unique_.py
new file mode 100644
index 000000000..aaf1ca156
--- /dev/null
+++ b/barbican/model/migration/alembic_migrations/versions/8c74e2d7f1ff_update_secret_consumers_unique_.py
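Review bot: The new arguments `data["service"]` and `data["resource_type"]` in the `@@ -353` hunk index the request body directly, so a body that omits either key raises KeyError at this call unless the validator that produced `data` (outside the hunk) already marks both fields as required. That is worth confirming, with a comment such as `# validator guarantees service, resource_type and resource_id are present` above the lookup. The match is also stricter than before: a request that previously matched on `resource_id` alone will presumably reach `_consumer_not_found()` when the other two fields differ, which deserves a release note for API clients. The enclosing method starts and ends outside the hunk.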
@@ -0,0 +1,49 @@
+# Copyright 2022 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+"""Update secret consumers unique constraint to mach the updated spec
+
+Revision ID: 8c74e2d7f1ff
+Revises: 0f8c192a061f
+Create Date: 2022-09-12 13:03:26.428642
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '8c74e2d7f1ff'
+down_revision = '0f8c192a061f'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+ with op.batch_alter_table('secret_consumer_metadata') as batch_op:
+ batch_op.alter_column('project_id',
+ existing_type=sa.VARCHAR(length=36),
+ nullable=True)
+ batch_op.drop_constraint(
+ '_secret_consumer_resource_uc', type_='unique')
+ batch_op.create_unique_constraint(
+ constraint_name='_secret_consumer_resource_uc',
+ columns=['secret_id', 'service', 'resource_type', 'resource_id'])
+ batch_op.create_index(
+ index_name=op.f('ix_secret_consumer_metadata_project_id'),
+ columns=['project_id'],
+ unique=False)
+ batch_op.create_foreign_key(constraint_name=op.f('fk_project_id'),
+ referent_table='projects',
+ local_cols=['project_id'],
+ remote_cols=['id'])
diff --git a/barbican/model/models.py b/barbican/model/models.py
index 7a7b761c4..d0f5a6983 100644
--- a/barbican/model/models.py
+++ b/barbican/model/models.py
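Review bot: `create_foreign_key` is the last step of `upgrade()` and the database will reject it if any existing `secret_consumer_metadata.project_id` has no matching `projects.id`; nothing in the migration checks for such rows first. On backends without transactional DDL the earlier steps (constraint swap, new index) would stay applied while the revision is not recorded, so a re-run would likely trip over the index that already exists. A pre-flight check that aborts before any DDL, sketched below, keeps the failure clean; it needs a live connection, so offline `--sql` generation would have to skip it. Separately, the FK name `fk_project_id` is generic, and some backends (MySQL/InnoDB, for one) require foreign-key names to be unique across the database, so a table-qualified name is safer if the model can carry it.

```python
def upgrade():
    # Abort before any DDL if existing rows would violate the new FK.
    orphans = op.get_bind().execute(sa.text(
        "SELECT COUNT(*) FROM secret_consumer_metadata c "
        "LEFT JOIN projects p ON c.project_id = p.id "
        "WHERE c.project_id IS NOT NULL AND p.id IS NULL")).scalar()
    if orphans:
        raise RuntimeError(
            "%d secret_consumer_metadata rows reference a missing project; "
            "fix them before upgrading" % orphans)
    # … unchanged: batch_alter_table block …
```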
@@ -1528,7 +1528,8 @@ class SecretConsumerMetadatum(BASE, SoftDeleteMixIn, ModelBase):
 __table_args__ = (
 sa.UniqueConstraint(
- "secret_id", "resource_id", name="_secret_consumer_resource_uc"
+ "secret_id", "service", "resource_type", "resource_id",
+ name="_secret_consumer_resource_uc"
 ),
 )
diff --git a/barbican/model/repositories.py b/barbican/model/repositories.py
index deb5cc23e..1c95cb7a4 100644
--- a/barbican/model/repositories.py
+++ b/barbican/model/repositories.py
@@ -2507,7 +2507,8 @@ class SecretConsumerRepo(BaseRepo):
 return entities, offset, limit, total
- def get_by_values(self, secret_id, resource_id, suppress_exception=False,
+ def get_by_values(self, secret_id, service, resource_type, resource_id,
+ suppress_exception=False,
 show_deleted=False, session=None):
 session = self.get_session(session)
@@ -2515,6 +2516,8 @@ class SecretConsumerRepo(BaseRepo):
 query = session.query(models.SecretConsumerMetadatum)
 query = query.filter_by(
 secret_id=secret_id,
+ service=service,
+ resource_type=resource_type,
 resource_id=resource_id,
 )
@@ -2547,6 +2550,8 @@ class SecretConsumerRepo(BaseRepo):
 # Get the existing entry and reuse it by clearing the deleted flags
 existing_consumer = self.get_by_values(
 new_consumer.secret_id,
+ new_consumer.service,
+ new_consumer.resource_type,
 new_consumer.resource_id,
 show_deleted=True
 )
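Review bot: The widened `UniqueConstraint` in models.py has no comment on how it interacts with soft deletion: the class mixes in `SoftDeleteMixIn`, so a soft-deleted row presumably still occupies its `(secret_id, service, resource_type, resource_id)` tuple. I would add above `sa.UniqueConstraint(` a line such as `# Soft-deleted rows still count toward this constraint; SecretConsumerRepo revives them instead of inserting a duplicate.` The constraint also keeps the name `_secret_consumer_resource_uc` while its columns change, so a schema check by name alone cannot tell whether the migration has run. The class body continues outside the hunk.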
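Review bot: Inserting `service` and `resource_type` ahead of `resource_id` in `get_by_values` (repositories.py, `@@ -2507`) shifts every positional argument, and only the two call sites touched by this commit are visibly updated. Any other caller still passing `(secret_id, resource_id, ...)` will raise TypeError or, if it passes the flags positionally, bind them to the wrong parameter and query on the wrong values. Making the flags keyword-only, `def get_by_values(self, secret_id, service, resource_type, resource_id, *, suppress_exception=False, show_deleted=False, session=None):`, and passing keywords at the call sites in `@@ -2547` and in consumers.py would make a mismatch fail loudly. The method also lacks a docstring saying that the four values together identify a consumer, and that soft-deleted rows are included when `show_deleted=True`; its body continues outside the hunk.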