Add the ResourcePropertiesData object

Prepare for the future when both resources and events refer to
ResourcePropertiesData rather than store the data themselves.

Change-Id: I0c5aefa9d73e1281e6477d46fe181d8948aee71b

heat/db/sqlalchemy/api.py

@@ -433,6 +433,22 @@ def engine_get_all_locked_by_stack(context, stack_id):
     return set(i[0] for i in query.all())
 
 
+def resource_prop_data_create(context, values):
+    obj_ref = models.ResourcePropertiesData()
+    obj_ref.update(values)
+    obj_ref.save(context.session)
+    return obj_ref
+
+
+def resource_prop_data_get(context, resource_prop_data_id):
+    result = context.session.query(models.ResourcePropertiesData).get(
+        resource_prop_data_id)
+    if result is None:
+        raise exception.NotFound(
+            _('ResourcePropertiesData with id %s not found') % id)
+    return result
+
+
 def stack_get_by_name_and_owner_id(context, stack_name, owner_id):
     query = soft_delete_aware_query(
         context, models.Stack

heat/objects/resource_properties_data.py

@@ -0,0 +1,70 @@
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+"""ResourcePropertiesData object."""
+
+from oslo_config import cfg
+from oslo_serialization import jsonutils
+from oslo_versionedobjects import base
+from oslo_versionedobjects import fields
+
+from heat.common import crypt
+from heat.db.sqlalchemy import api as db_api
+from heat.objects import fields as heat_fields
+
+
+class ResourcePropertiesData(
+    base.VersionedObject,
+    base.VersionedObjectDictCompat,
+    base.ComparableVersionedObject,
+):
+    fields = {
+        'id': fields.IntegerField(),
+        'data': heat_fields.JsonField(nullable=True),
+        'created_at': fields.DateTimeField(read_only=True),
+        'updated_at': fields.DateTimeField(nullable=True),
+    }
+
+    @staticmethod
+    def _from_db_object(rpd, context, db_rpd, data_unencrypted=None):
+        # The data_unencrypted field allows us to avoid an extra
+        # decrypt operation, e.g. when called from create().
+        for field in rpd.fields:
+            rpd[field] = db_rpd[field]
+        if data_unencrypted:  # save a little (decryption) processing
+            rpd['data'] = data_unencrypted
+        elif db_rpd['encrypted'] and rpd['data'] is not None:
+            rpd['data'] = crypt.decrypted_dict(rpd['data'])
+
+        rpd.obj_reset_changes()
+        return rpd
+
+    @classmethod
+    def create(cls, context, data):
+        properties_data_encrypted, properties_data = \
+            ResourcePropertiesData.encrypt_properties_data(data)
+        values = {'encrypted': properties_data_encrypted,
+                  'data': properties_data}
+        db_obj = db_api.resource_prop_data_create(context, values)
+        return cls._from_db_object(cls(), context, db_obj, data)
+
+    @staticmethod
+    def encrypt_properties_data(data):
+        if cfg.CONF.encrypt_parameters_and_properties and data:
+            result = {}
+            for prop_name, prop_value in data.items():
+                prop_string = jsonutils.dumps(prop_value)
+                encrypted_value = crypt.encrypt(prop_string)
+                result[prop_name] = encrypted_value
+            return (True, result)
+        return (False, data)

heat/tests/test_resource_properties_data.py

@@ -0,0 +1,67 @@
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_config import cfg
+
+from heat.db.sqlalchemy import models
+from heat.objects import resource_properties_data as rpd_object
+from heat.tests import common
+from heat.tests import utils
+
+
+class ResourcePropertiesDataTest(common.HeatTestCase):
+    def setUp(self):
+        super(ResourcePropertiesDataTest, self).setUp()
+        self.ctx = utils.dummy_context()
+
+    data = {'prop1': 'string',
+            'prop2': {'a': 'dict'},
+            'prop3': 1,
+            'prop4': ['a', 'list'],
+            'prop5': True}
+
+    def _get_rpd_and_db_obj(self):
+        rpd_obj = rpd_object.ResourcePropertiesData().create(self.ctx,
+                                                             self.data)
+        db_obj = self.ctx.session.query(
+            models.ResourcePropertiesData).get(rpd_obj.id)
+        self.assertEqual(len(self.data), len(db_obj['data']))
+        return rpd_obj, db_obj
+
+    def test_rsrc_prop_data_encrypt(self):
+        cfg.CONF.set_override('encrypt_parameters_and_properties', True,
+                              enforce_type=True)
+        rpd_obj, db_obj = self._get_rpd_and_db_obj()
+
+        # verify data is encrypted in the db
+        self.assertNotEqual(db_obj['data'], self.data)
+        for key in self.data:
+            self.assertEqual('cryptography_decrypt_v1',
+                             db_obj['data'][key][0])
+
+        # verify rpd_obj data is unencrypted
+        self.assertEqual(self.data, rpd_obj['data'])
+
+        # verify loading a fresh rpd_obj has decrypted data
+        rpd_obj = rpd_object.ResourcePropertiesData._from_db_object(
+            rpd_object.ResourcePropertiesData(self.ctx),
+            self.ctx, db_obj)
+        self.assertEqual(self.data, rpd_obj['data'])
+
+    def test_rsrc_prop_data_no_encrypt(self):
+        cfg.CONF.set_override('encrypt_parameters_and_properties', False,
+                              enforce_type=True)
+        rpd_obj, db_obj = self._get_rpd_and_db_obj()
+
+        # verify data is unencrypted in the db
+        self.assertEqual(db_obj['data'], self.data)