# Copyright 2014 Rackspace # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from cryptography.hazmat.backends import default_backend from cryptography import x509 from oslo_config import cfg from oslo_log import log as logging from pecan import request as pecan_request from pecan import rest as pecan_rest from stevedore import driver as stevedore_driver from wsme import types as wtypes from octavia.common import constants from octavia.common import data_models from octavia.common import exceptions from octavia.common import policy from octavia.db import repositories from octavia.i18n import _ CONF = cfg.CONF LOG = logging.getLogger(__name__) class BaseController(pecan_rest.RestController): RBAC_TYPE = None def __init__(self): super().__init__() self.cert_manager = stevedore_driver.DriverManager( namespace='octavia.cert_manager', name=CONF.certificates.cert_manager, invoke_on_load=True, ).driver self.repositories = repositories.Repositories() @staticmethod def _convert_db_to_type(db_entity, to_type, children=False): """Converts a data model into an Octavia WSME type :param db_entity: data model to convert :param to_type: converts db_entity to this type """ if isinstance(to_type, list): to_type = to_type[0] def _convert(db_obj): return to_type.from_data_model(db_obj, children=children) if isinstance(db_entity, list): converted = [_convert(db_obj) for db_obj in db_entity] else: converted = _convert(db_entity) return converted @staticmethod def _get_db_obj(session, repo, data_model, id, show_deleted=True): """Gets an object from the database and returns it.""" db_obj = repo.get(session, id=id, show_deleted=show_deleted) if not db_obj: LOG.debug('%(name)s %(id)s not found', {'name': data_model._name(), 'id': id}) raise exceptions.NotFound( resource=data_model._name(), id=id) return db_obj def _get_db_lb(self, session, id, show_deleted=True): """Get a load balancer from the database.""" return self._get_db_obj(session, self.repositories.load_balancer, data_models.LoadBalancer, id, show_deleted=show_deleted) def _get_db_listener(self, session, id, show_deleted=True): """Get a listener from the database.""" return self._get_db_obj(session, self.repositories.listener, data_models.Listener, id, show_deleted=show_deleted) def _get_listener_and_loadbalancer_id(self, db_l7policy): """Get listener and loadbalancer ids from the l7policy db_model.""" load_balancer_id = db_l7policy.listener.load_balancer_id listener_id = db_l7policy.listener_id return load_balancer_id, listener_id def _get_db_pool(self, session, id, show_deleted=True): """Get a pool from the database.""" return self._get_db_obj(session, self.repositories.pool, data_models.Pool, id, show_deleted=show_deleted) def _get_db_member(self, session, id, show_deleted=True): """Get a member from the database.""" return self._get_db_obj(session, self.repositories.member, data_models.Member, id, show_deleted=show_deleted) def _get_db_hm(self, session, id, show_deleted=True): """Get a health monitor from the database.""" return self._get_db_obj(session, self.repositories.health_monitor, data_models.HealthMonitor, id, show_deleted=show_deleted) def _get_db_flavor(self, session, id): """Get a flavor from the database.""" return self._get_db_obj(session, self.repositories.flavor, data_models.Flavor, id) def _get_db_flavor_profile(self, session, id): """Get a flavor profile from the database.""" return self._get_db_obj(session, self.repositories.flavor_profile, data_models.FlavorProfile, id) def _get_db_availability_zone(self, session, name): """Get an availability zone from the database.""" db_obj = self.repositories.availability_zone.get(session, name=name) if not db_obj: LOG.debug('%(obj_name)s %(name)s not found', {'obj_name': data_models.AvailabilityZone._name(), 'name': name}) raise exceptions.NotFound( resource=data_models.AvailabilityZone._name(), id=name) return db_obj def _get_db_availability_zone_profile(self, session, id): """Get an availability zone profile from the database.""" return self._get_db_obj(session, self.repositories.availability_zone_profile, data_models.AvailabilityZoneProfile, id) def _get_db_l7policy(self, session, id, show_deleted=True): """Get a L7 Policy from the database.""" return self._get_db_obj(session, self.repositories.l7policy, data_models.L7Policy, id, show_deleted=show_deleted) def _get_db_l7rule(self, session, id, show_deleted=True): """Get a L7 Rule from the database.""" return self._get_db_obj(session, self.repositories.l7rule, data_models.L7Rule, id, show_deleted=show_deleted) def _get_db_amp(self, session, id, show_deleted=True): """Gets an Amphora from the database.""" return self._get_db_obj(session, self.repositories.amphora, data_models.Amphora, id, show_deleted=show_deleted) def _get_lb_project_id(self, session, id, show_deleted=True): """Get the project_id of the load balancer from the database.""" lb = self._get_db_obj(session, self.repositories.load_balancer, data_models.LoadBalancer, id, show_deleted=show_deleted) return lb.project_id def _get_lb_project_id_provider(self, session, id, show_deleted=True): """Get the project_id of the load balancer from the database.""" lb = self._get_db_obj(session, self.repositories.load_balancer, data_models.LoadBalancer, id, show_deleted=show_deleted) return lb.project_id, lb.provider def _get_l7policy_project_id(self, session, id, show_deleted=True): """Get the project_id of the load balancer from the database.""" l7policy = self._get_db_obj(session, self.repositories.l7policy, data_models.LoadBalancer, id, show_deleted=show_deleted) return l7policy.project_id def _get_default_quotas(self, project_id): """Gets the project's default quotas.""" quotas = data_models.Quotas( project_id=project_id, load_balancer=CONF.quotas.default_load_balancer_quota, listener=CONF.quotas.default_listener_quota, pool=CONF.quotas.default_pool_quota, health_monitor=CONF.quotas.default_health_monitor_quota, member=CONF.quotas.default_member_quota, l7policy=CONF.quotas.default_l7policy_quota, l7rule=CONF.quotas.default_l7rule_quota) return quotas def _get_db_quotas(self, session, project_id): """Gets the project's quotas from the database, or responds with the default quotas. """ # At this point project_id should not ever be None or Unset db_quotas = self.repositories.quotas.get( session, project_id=project_id) if not db_quotas: LOG.debug("No custom quotas for project %s. Returning " "defaults...", project_id) db_quotas = self._get_default_quotas(project_id=project_id) else: # Fill in any that are using the configured defaults if db_quotas.load_balancer is None: db_quotas.load_balancer = (CONF.quotas. default_load_balancer_quota) if db_quotas.listener is None: db_quotas.listener = CONF.quotas.default_listener_quota if db_quotas.pool is None: db_quotas.pool = CONF.quotas.default_pool_quota if db_quotas.health_monitor is None: db_quotas.health_monitor = (CONF.quotas. default_health_monitor_quota) if db_quotas.member is None: db_quotas.member = CONF.quotas.default_member_quota if db_quotas.l7policy is None: db_quotas.l7policy = CONF.quotas.default_l7policy_quota if db_quotas.l7rule is None: db_quotas.l7rule = CONF.quotas.default_l7rule_quota return db_quotas def _auth_get_all(self, context, project_id): # Check authorization to list objects under all projects action = '{rbac_obj}{action}'.format( rbac_obj=self.RBAC_TYPE, action=constants.RBAC_GET_ALL_GLOBAL) target = {'project_id': project_id} if not policy.get_enforcer().authorize(action, target, context, do_raise=False): # Not a global observer or admin if project_id is None: project_id = context.project_id # If we still don't know who it is, reject it. if project_id is None: raise exceptions.PolicyForbidden() # Check authorization to list objects under this project self._auth_validate_action(context, project_id, constants.RBAC_GET_ALL) if project_id is None: query_filter = {} else: query_filter = {'project_id': project_id} return query_filter def _auth_validate_action(self, context, project_id, action): # Check that the user is authorized to do an action in this object action = '{rbac_obj}{action}'.format( rbac_obj=self.RBAC_TYPE, action=action) target = {'project_id': project_id} policy.get_enforcer().authorize(action, target, context) def _filter_fields(self, object_list, fields): if CONF.api_settings.allow_field_selection: for index, obj in enumerate(object_list): members = self._get_attrs(obj) for member in members: if member not in fields: setattr(obj, member, wtypes.Unset) return object_list @staticmethod def _get_attrs(obj): attrs = [attr for attr in dir(obj) if not callable( getattr(obj, attr)) and not attr.startswith("_")] return attrs def _validate_tls_refs(self, tls_refs): context = pecan_request.context.get('octavia_context') bad_refs = [] for ref in tls_refs: try: self.cert_manager.set_acls(context, ref) self.cert_manager.get_cert(context, ref, check_only=True) except exceptions.UnreadablePKCS12: raise except Exception: bad_refs.append(ref) if bad_refs: raise exceptions.CertificateRetrievalException(ref=bad_refs) def _validate_client_ca_and_crl_refs(self, client_ca_ref, crl_ref): context = pecan_request.context.get('octavia_context') bad_refs = [] try: self.cert_manager.set_acls(context, client_ca_ref) ca_pem = self.cert_manager.get_secret(context, client_ca_ref) except Exception: bad_refs.append(client_ca_ref) pem_crl = None if crl_ref: try: self.cert_manager.set_acls(context, crl_ref) pem_crl = self.cert_manager.get_secret(context, crl_ref) except Exception: bad_refs.append(crl_ref) if bad_refs: raise exceptions.CertificateRetrievalException(ref=bad_refs) ca_cert = None try: # Test if it needs to be UTF-8 encoded try: ca_pem = ca_pem.encode('utf-8') except AttributeError: pass ca_cert = x509.load_pem_x509_certificate(ca_pem, default_backend()) except Exception as e: raise exceptions.ValidationException(detail=_( "The client authentication CA certificate is invalid. " "It must be a valid x509 PEM format certificate. " "Error: %s") % str(e)) # Validate the CRL is for the client CA if pem_crl: ca_pub_key = ca_cert.public_key() crl = None # Test if it needs to be UTF-8 encoded try: pem_crl = pem_crl.encode('utf-8') except AttributeError: pass try: crl = x509.load_pem_x509_crl(pem_crl, default_backend()) except Exception as e: raise exceptions.ValidationException(detail=_( "The client authentication certificate revocation list " "is invalid. It must be a valid x509 PEM format " "certificate revocation list. Error: %s") % str(e)) if not crl.is_signature_valid(ca_pub_key): raise exceptions.ValidationException(detail=_( "The CRL specified is not valid for client certificate " "authority reference supplied.")) @staticmethod def _validate_protocol(listener_protocol, pool_protocol): proto_map = constants.VALID_LISTENER_POOL_PROTOCOL_MAP for valid_pool_proto in proto_map[listener_protocol]: if pool_protocol == valid_pool_proto: return detail = _("The pool protocol '%(pool_protocol)s' is invalid while " "the listener protocol is '%(listener_protocol)s'.") % { "pool_protocol": pool_protocol, "listener_protocol": listener_protocol} raise exceptions.ValidationException(detail=detail)