Secret present, Sign image
Added states and modules to allow using
secret_present, secret_absent states.
Change-Id: Idad75a8445a874e62c2e2d729cb8e98d7a37d6bd
Related-Issue: PROD-18731
diff --git a/_modules/barbicanv1/__init__.py b/_modules/barbicanv1/__init__.py
new file mode 100644
index 0000000..482f067
--- /dev/null
+++ b/_modules/barbicanv1/__init__.py
@@ -0,0 +1,35 @@
+try:
+ import os_client_config
+ from keystoneauth1 import exceptions as ka_exceptions
+ REQUIREMENTS_MET = True
+except ImportError:
+ REQUIREMENTS_MET = False
+
+from barbicanv1 import secrets
+from barbicanv1 import acl
+
+secret_list = secrets.secret_list
+secret_create = secrets.secret_create
+secret_delete = secrets.secret_delete
+secret_get_details = secrets.secret_get_details
+secret_payload_get = secrets.secret_payload_get
+secret_payload_set = secrets.secret_payload_set
+secret_acl_get = acl.secret_acl_get
+secret_acl_put = acl.secret_acl_put
+secret_acl_patch = acl.secret_acl_patch
+secret_acl_delete = acl.secret_acl_delete
+
+__all__ = (
+ 'secret_list', 'secret_create', 'secret_delete', 'secret_get_details',
+ 'secret_payload_get', 'secret_payload_set', 'secret_acl_delete',
+ 'secret_acl_get', 'secret_acl_patch', 'secret_acl_put',
+)
+
+
+def __virtual__():
+ """Only load barbicanv1 if requirements are available."""
+ if REQUIREMENTS_MET:
+ return 'barbicanv1'
+ else:
+ return False, ("The barbicanv1 execution module cannot be loaded: "
+ "os_client_config or keystoneauth are unavailable.")
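Review bot: The `try`/`except ImportError` guard at the top of the file does not actually protect the loader, because `from barbicanv1 import secrets` below it pulls in `barbicanv1.common`, which imports `os_client_config` unconditionally; when the requirement is missing the package fails at import time and `__virtual__` never gets to return its explanatory message. Moving the `secrets`/`acl` imports and the attribute aliases under the same guard (or wrapping them in a second `except ImportError:` that sets `REQUIREMENTS_MET = False` and leaves the aliases undefined) keeps the graceful-disable path working. `ka_exceptions` is imported here but never used in this file, so it can be dropped from the guarded import. The message on the `False` branch says "keystoneauth are unavailable"; `"os_client_config or keystoneauth1 is unavailable."` matches the module actually imported.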
diff --git a/_modules/barbicanv1/acl.py b/_modules/barbicanv1/acl.py
new file mode 100644
index 0000000..8f3c024
--- /dev/null
+++ b/_modules/barbicanv1/acl.py
@@ -0,0 +1,36 @@
+from barbicanv1.common import send, get_by_name_or_uuid
+from barbicanv1.secrets import secret_list, RESOURCE_LIST_KEY
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('get')
+def secret_acl_get(secret_uuid, **kwargs):
+ url = '/v1/secrets/{}/acl'.format(secret_uuid)
+ return url, {}
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('put')
+def secret_acl_put(secret_uuid, **kwargs):
+ url = '/v1/secrets/{}/acl'.format(secret_uuid)
+ json = {
+ 'read': kwargs,
+ }
+ return url, {'json': json}
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('patch')
+def secret_acl_patch(secret_uuid, **kwargs):
+ url = 'v1/secrets/{}/acl'.format(secret_uuid)
+ json = {
+ 'read': kwargs,
+ }
+ return url, {'json': json}
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('delete')
+def secret_acl_delete(secret_uuid, **kwargs):
+ url = 'v1/secrets/{}/acl'.format(secret_uuid)
+ return url, {}
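Review bot: `secret_acl_patch` and `secret_acl_delete` build their URL as `'v1/secrets/{}/acl'` without the leading slash that `secret_acl_get` and `secret_acl_put` use; how a relative path is joined onto the configured endpoint depends on the adapter, so the two calls may resolve to a different path than the other two. Change both to `url = '/v1/secrets/{}/acl'.format(secret_uuid)`. The four functions also lack docstrings; a one-liner per function stating that the first argument may be a secret name or UUID (resolved by `get_by_name_or_uuid`) and that, for `put`/`patch`, the remaining keyword arguments become the `read` ACL body verbatim would help state authors, since any stray keyword passed through ends up in the ACL written to the service.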
diff --git a/_modules/barbicanv1/common.py b/_modules/barbicanv1/common.py
new file mode 100644
index 0000000..dd32025
--- /dev/null
+++ b/_modules/barbicanv1/common.py
@@ -0,0 +1,130 @@
+import logging
+import os_client_config
+from uuid import UUID
+try:
+ from urllib.parse import urlsplit
+except ImportError:
+ from urlparse import urlsplit
+
+log = logging.getLogger(__name__)
+
+
+class BarbicanException(Exception):
+
+ _msg = "Barbican module exception occured."
+
+ def __init__(self, message=None, **kwargs):
+ super(BarbicanException, self).__init__(message or self._msg)
+
+
+class NoBarbicanEndpoint(BarbicanException):
+ _msg = "Barbican endpoint not found in keystone catalog."
+
+
+class NoAuthPluginConfigured(BarbicanException):
+ _msg = ("You are using keystoneauth auth plugin that does not support "
+ "fetching endpoint list from token (noauth or admin_token).")
+
+
+class NoCredentials(BarbicanException):
+ _msg = "Please provide cloud name present in clouds.yaml."
+
+
+class ResourceNotFound(BarbicanException):
+ _msg = "Uniq resource: {resource} with name: {name} not found."
+
+ def __init__(self, resource, name, **kwargs):
+ super(BarbicanException, self).__init__(
+ self._msg.format(resource=resource, name=name))
+
+
+class MultipleResourcesFound(BarbicanException):
+ _msg = "Multiple resource: {resource} with name: {name} found."
+
+ def __init__(self, resource, name, **kwargs):
+ super(BarbicanException, self).__init__(
+ self._msg.format(resource=resource, name=name))
+
+
+def _get_raw_client(cloud_name):
+ service_type = 'key-manager'
+ adapter = os_client_config.make_rest_client(service_type,
+ cloud=cloud_name)
+ try:
+ access_info = adapter.session.auth.get_access(adapter.session)
+ endpoints = access_info.service_catalog.get_endpoints()
+ except (AttributeError, ValueError):
+ e = NoAuthPluginConfigured()
+ log.exception('%s' % e)
+ raise e
+ if service_type not in endpoints:
+ if not service_type:
+ e = NoBarbicanEndpoint()
+ log.error('%s' % e)
+ raise e
+ return adapter
+
+
+def send(method):
+ def wrap(func):
+ def wrapped_f(*args, **kwargs):
+ cloud_name = kwargs.pop('cloud_name')
+ if not cloud_name:
+ e = NoCredentials()
+ log.error('%s' % e)
+ raise e
+ adapter = _get_raw_client(cloud_name)
+ # Remove salt internal kwargs
+ kwarg_keys = list(kwargs.keys())
+ for k in kwarg_keys:
+ if k.startswith('__'):
+ kwargs.pop(k)
+ url, request_kwargs = func(*args, **kwargs)
+ response = getattr(adapter, method)(url, **request_kwargs)
+ if not response.content:
+ return {}
+ try:
+ resp = response.json()
+ except:
+ resp = response.content
+ return resp
+ return wrapped_f
+ return wrap
+
+
+def _check_uuid(val):
+ try:
+ return str(UUID(val)).replace('-', '') == val
+ except (TypeError, ValueError, AttributeError):
+ return False
+
+
+def _parse_secret_href(href):
+ return urlsplit(href).path.split('/')[-1]
+
+
+def get_by_name_or_uuid(resource_list, resp_key):
+ def wrap(func):
+ def wrapped_f(*args, **kwargs):
+ if 'name' in kwargs:
+ ref = kwargs.pop('name', None)
+ start_arg = 0
+ else:
+ start_arg = 1
+ ref = args[0]
+ cloud_name = kwargs['cloud_name']
+ if _check_uuid(ref):
+ uuid = ref
+ else:
+ # Then we have name not uuid
+ resp = resource_list(
+ name=ref, cloud_name=cloud_name)[resp_key]
+ if len(resp) == 0:
+ raise ResourceNotFound(resp_key, ref)
+ elif len(resp) > 1:
+ raise MultipleResourcesFound(resp_key, ref)
+ href = resp[0]['secret_ref']
+ uuid = _parse_secret_href(href)
+ return func(uuid, *args[start_arg:], **kwargs)
+ return wrapped_f
+ return wrap
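Review bot: `NoBarbicanEndpoint` in `_get_raw_client` is unreachable: `service_type` is the constant `'key-manager'`, so the inner `if not service_type:` is always false and a catalog with no key-manager entry silently returns the adapter; drop the inner test so the branch reads `if service_type not in endpoints: e = NoBarbicanEndpoint(); log.error('%s' % e); raise e`. In `send`, `kwargs.pop('cloud_name')` raises `KeyError` when the caller omits it, so the `NoCredentials` check right below never fires — use `kwargs.pop('cloud_name', None)` (and `kwargs.get('cloud_name')` in `get_by_name_or_uuid` for the same reason). The bare `except:` around `response.json()` also swallows `KeyboardInterrupt`/`SystemExit`; `except ValueError:` is what a JSON decode failure raises. Note also that `_check_uuid` accepts only the hyphen-less 32-hex form, so a hyphenated UUID (the form the service may return in `secret_ref` and a caller may pass back) would be treated as a name and trigger a list lookup — worth confirming against the real `secret_ref` format.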
diff --git a/_modules/barbicanv1/secrets.py b/_modules/barbicanv1/secrets.py
new file mode 100644
index 0000000..eda7382
--- /dev/null
+++ b/_modules/barbicanv1/secrets.py
@@ -0,0 +1,61 @@
+try:
+ from urllib.parse import urlencode
+except ImportError:
+ from urllib import urlencode
+
+from barbicanv1.common import send, get_by_name_or_uuid
+
+RESOURCE_LIST_KEY = 'secrets'
+
+
+@send('get')
+def secret_list(**kwargs):
+ url = '/v1/secrets?{}'.format(urlencode(kwargs))
+ return url, {}
+
+
+@send('post')
+def secret_create(**kwargs):
+ url = '/v1/secrets'
+ return url, {'json': kwargs}
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('get')
+def secret_get_details(secret_uuid, **kwargs):
+ url = '/v1/secrets/{}'.format(secret_uuid)
+ return url, {}
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('delete')
+def secret_delete(secret_uuid, **kwargs):
+ url = '/v1/secrets/{}'.format(secret_uuid)
+ return url, {}
+
+# NOTE::
+# ** payload get and sett requires headers passed in kwargs that describe
+# ** content type of the payload
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('put')
+def secret_payload_set(secret_uuid, payload, **kwargs):
+ url = '/v1/secrets/{}'.format(secret_uuid)
+ # Work around content headers
+ content_type = 'payload_content_type'
+ content_encoding = 'payload_content_encoding'
+ headers = kwargs.get('headers', {})
+ if content_type in kwargs:
+ headers['Content-Type'] = kwargs[content_type]
+ if content_type == 'application/octet-stream':
+ headers['Content-Encoding'] = kwargs[content_encoding]
+
+ return url, {'json': payload, 'headers': headers}
+
+
+@get_by_name_or_uuid(secret_list, RESOURCE_LIST_KEY)
+@send('get')
+def secret_payload_get(secret_uuid, **kwargs):
+ url = '/v1/secrets/{}/payload'.format(secret_uuid)
+ return url, {}
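Review bot: In `secret_payload_set` the test `if content_type == 'application/octet-stream':` compares the literal key name `'payload_content_type'` with the MIME type, so it is always false and `Content-Encoding` is never set for binary payloads; it should read `if kwargs[content_type] == 'application/octet-stream':`, with the encoding looked up via `kwargs.get(content_encoding)` and a clear error raised when it is missing instead of a bare `KeyError`. `headers = kwargs.get('headers', {})` also mutates a caller-supplied dict in place; `dict(kwargs.get('headers', {}))` avoids that. Separately, the payload is sent via `'json': payload`; if the adapter JSON-encodes that argument (keystoneauth's Session does), a text or base64 secret arrives wrapped in JSON quotes rather than as the raw body the explicit Content-Type describes — worth confirming against the Barbican API and switching to `'data': payload` if so. The comment block above ("sett") would read better as a docstring on `secret_payload_set` stating that the `payload_content_type` and `payload_content_encoding` kwargs set the request headers.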