import base64
import logging
import os
import shutil
import tempfile

try:
    from urllib.parse import urlsplit
except ImportError:
    from urlparse import urlsplit
# Both flags are flipped to True by __virtual__ when the corresponding
# execution module ('glancev2.image_list' / 'cmd.run_all') is in __salt__;
# glance_image_signed refuses to run unless both are set.
GLANCE_LOADED = CMD_LOADED = False
def __virtual__():
    """Load this state module only when the barbicanv1 execution module exists.

    Side effect: records in the module globals GLANCE_LOADED / CMD_LOADED
    whether the glancev2 and cmd execution modules are available, so that
    glance_image_signed can check for them.

    :return: the virtual name ``'barbicanv1'``, or ``False`` to stay unloaded
    """
    global GLANCE_LOADED, CMD_LOADED
    if 'glancev2.image_list' in __salt__:
        GLANCE_LOADED = True
    if 'cmd.run_all' in __salt__:
        CMD_LOADED = True
    if 'barbicanv1.secret_list' in __salt__:
        return 'barbicanv1'
    return False
# Module logger; error branches below log the underlying exception here
# before returning a failed state result.
log = logging.getLogger(__name__)
def _barbicanv1_call(fname, *args, **kwargs):
    """Invoke ``barbicanv1.<fname>`` from the execution-module registry.

    :param fname: function name inside the barbicanv1 execution module
    :return: whatever the execution-module function returns
    """
    func = __salt__['barbicanv1.' + fname]
    return func(*args, **kwargs)
def _glancev2_call(fname, *args, **kwargs):
    """Invoke ``glancev2.<fname>`` from the execution-module registry.

    :param fname: function name inside the glancev2 execution module
    :return: whatever the execution-module function returns
    """
    func = __salt__['glancev2.' + fname]
    return func(*args, **kwargs)
def _cmd_call(fname, *args, **kwargs):
    """Invoke ``cmd.<fname>`` from the execution-module registry.

    :param fname: function name inside the cmd execution module
    :return: whatever the execution-module function returns
    """
    func = __salt__['cmd.' + fname]
    return func(*args, **kwargs)
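def secret_present(name, cloud_name, **kwargs):
    """Ensure a Barbican secret named ``name`` exists.

    A missing secret is created with ``kwargs``; an existing secret without
    a payload gets ``kwargs['payload']`` set when one is given.

    :param name: the secret name
    :param cloud_name: name of the cloud in cloud_yaml
    :param kwargs: passed through to ``barbicanv1.secret_create`` (and to
        ``secret_payload_set`` when it holds ``payload``)
    :return: a Salt state result dict (``name``/``changes``/``result``/``comment``)
    """
    try:
        _barbicanv1_call(
            'secret_get_details', name=name, cloud_name=cloud_name
        )
    except Exception as e:
        # The execution module reports lookup outcomes as exceptions; the
        # class name in repr(e) is the only discriminator available here.
        if 'ResourceNotFound' in repr(e):
            try:
                resp = _barbicanv1_call(
                    'secret_create', name=name, cloud_name=cloud_name, **kwargs
                )
            except Exception as err:
                log.error('Barbicanv1 create secret failed with %s', err)
                return _create_failed(name, 'secret')
            # NOTE(review): resp is echoed verbatim into 'changes'; confirm
            # secret_create does not return the payload in it.
            return _created(name, 'secret', resp)
        if 'MultipleResourcesFound' in repr(e):
            return _find_failed(name, 'secret')
        # Any other lookup error (auth, connectivity, ...) must not fall
        # through and be reported as "in desired state".
        log.error('Barbicanv1 secret lookup failed with %s', e)
        return _create_failed(name, 'secret')
    if 'payload' in kwargs:
        # A payload that can be fetched is left as it is (presumably because
        # Barbican payloads are write-once); only a secret whose payload
        # fetch fails gets one set.
        try:
            _barbicanv1_call(
                'secret_payload_get', name=name, cloud_name=cloud_name
            )
        except Exception:
            try:
                _barbicanv1_call(
                    'secret_payload_set', name=name,
                    cloud_name=cloud_name, **kwargs
                )
            except Exception as err:
                log.error('Barbicanv1 Secret set payload failed with %s', err)
                return _update_failed(name, 'secret_payload')
            # Never put the secret material itself into the state result:
            # 'changes' ends up in the job cache and highstate output.
            return _updated(name, 'secret_payload', {'payload': '<redacted>'})
    return _no_changes(name, 'secret')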
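def secret_absent(name, cloud_name, **kwargs):
    """Ensure no Barbican secret named ``name`` exists.

    :param name: the secret name
    :param cloud_name: name of the cloud in cloud_yaml
    :param kwargs: accepted for interface compatibility; not used
    :return: a Salt state result dict (``name``/``changes``/``result``/``comment``)
    """
    try:
        _barbicanv1_call(
            'secret_get_details', name=name, cloud_name=cloud_name
        )
    except Exception as e:
        if 'ResourceNotFound' in repr(e):
            return _absent(name, 'secret')
        if 'MultipleResourcesFound' in repr(e):
            return _find_failed(name, 'secret')
        # Unknown lookup failure: report it instead of blindly deleting.
        log.error('Barbicanv1 secret lookup failed with %s', e)
        return _delete_failed(name, 'secret')
    try:
        _barbicanv1_call('secret_delete', name=name, cloud_name=cloud_name)
    except Exception as e:
        log.error('Barbicanv1 delete failed with %s', e)
        return _delete_failed(name, 'secret')
    return _deleted(name, 'secret')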
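def glance_image_signed(image_name, secret_name, pk_fname, out_fname,
                        cloud_name, file_name=None, force_resign=False):
    """Ensure a glance image carries an RSA-PSS / SHA-256 image signature.

    The image is downloaded into a private temporary directory, signed with
    ``openssl dgst`` using the private key at ``pk_fname``, and the
    base64-encoded signature together with the UUID of the Barbican secret
    holding the certificate is written back as the ``img_signature*``
    image properties.

    :param image_name: The name of the image to sign
    :param secret_name: Secret's name with certificate
    :param pk_fname: private_key file name
    :param out_fname: output filename for signature
    :param cloud_name: name of the cloud in cloud_yaml
    :param file_name: name of the file where downloaded image is.
    :param force_resign: if the image is already signed, resign it.
    :return: a Salt state result dict (``name``/``changes``/``result``/``comment``)
    """
    if not GLANCE_LOADED or not CMD_LOADED:
        return {
            'name': image_name,
            'changes': {},
            'comment': 'Cant sign an image, glancev2 and/or cmd module '
                       'are/is absent',
            'result': False,
        }
    try:
        image = _glancev2_call(
            'image_get_details', name=image_name, cloud_name=cloud_name
        )
    except Exception as e:
        log.error('Barbicanv1 sign_image find image failed with %s', e)
        return _create_failed(image_name, 'image')

    sign_properties = (
        'img_signature', 'img_signature_certificate_uuid',
        'img_signature_hash_method', 'img_signature_key_type',
    )

    if not force_resign and all(key in image for key in sign_properties):
        return _no_changes(image_name, 'image_signature')

    # Resolve the certificate secret before downloading a possibly large
    # image: a missing or ambiguous secret then fails fast, and without a
    # traceback escaping the state.
    try:
        secret_ref = _barbicanv1_call(
            'secret_get_details', name=secret_name, cloud_name=cloud_name
        )['secret_ref']
    except Exception as e:
        log.error("Barbicanv1 sign image can't find secret %s: %s",
                  secret_name, e)
        return _create_failed(image_name, 'certificate_secret')

    file_name = file_name or image['id']
    # NOTE(review): file_name is joined under the temp dir unchanged; a value
    # with directory components (or an absolute path) escapes that dir.
    dir_path = tempfile.mkdtemp()
    try:
        file_path = os.path.join(dir_path, file_name)
        try:
            _glancev2_call(
                'image_download', name=image_name,
                file_name=file_path,
                cloud_name=cloud_name
            )
        except Exception as e:
            log.error("Barbicanv1 sign image can't download image."
                      " failed with %s", e)
            return _create_failed(image_name, 'downloading_image')

        try:
            # Argument list + python_shell=False: the file names are passed
            # as argv, so none of them is interpreted by a shell.
            signed = _cmd_call(
                'run_all',
                ['openssl', 'dgst', '-sha256', '-sign', pk_fname,
                 '-sigopt', 'rsa_padding_mode:pss', '-out', out_fname,
                 file_path],
                python_shell=False,
            )
            if signed['retcode'] != 0:
                raise Exception(
                    'Cant sign image: {}'.format(signed.get('stderr'))
                )
            # Single-line base64 of the raw signature (what `base64 -w 0`
            # produced before), done in-process instead of via a shell.
            with open(out_fname, 'rb') as sig_file:
                image_signature = base64.b64encode(
                    sig_file.read()
                ).decode('ascii')
        except Exception as e:
            log.error('Barbicanv1 sign image failed because of cmd with %s', e)
            return _create_failed(image_name, 'cmd_module')
    finally:
        # Always drop the downloaded image, on the failure paths too.
        shutil.rmtree(dir_path, ignore_errors=True)

    def _parse_secret_href(href):
        # The secret UUID is the last path segment of the secret_ref URL.
        return urlsplit(href).path.rstrip('/').split('/')[-1]

    secret_uuid = _parse_secret_href(secret_ref)

    to_update = [
        {
            'op': 'add',
            'path': '/img_signature',
            'value': image_signature,
        },
        {
            'op': 'add',
            'path': '/img_signature_certificate_uuid',
            'value': secret_uuid,
        },
        {
            'op': 'add',
            'path': '/img_signature_hash_method',
            'value': 'SHA-256',
        },
        {
            'op': 'add',
            'path': '/img_signature_key_type',
            'value': 'RSA-PSS'
        },
    ]
    try:
        resp = _glancev2_call(
            'image_update', image_name, to_update, cloud_name=cloud_name,
            headers={
                "Content-Type": "application/openstack-images-v2.1-json-patch"
            }
        )
    except Exception as e:
        log.error('Barbicanv1 sign image failed with %s', e)
        return _create_failed(image_name, 'sign_image')
    return _created(image_name, 'sign_image', resp)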
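def secret_acl_present(name, cloud_name, **kwargs):
    """Ensure the given users are on the read ACL of Barbican secret ``name``.

    :param name: the secret name
    :param cloud_name: name of the cloud in cloud_yaml
    :param kwargs: passed through to ``barbicanv1.secret_acl_put``;
        ``users`` (list of user ids) is the set that must be able to read
    :return: a Salt state result dict (``name``/``changes``/``result``/``comment``)
    """
    try:
        _barbicanv1_call(
            'secret_get_details', name=name, cloud_name=cloud_name
        )
    except Exception as e:
        if 'ResourceNotFound' in repr(e):
            return _absent(name, 'secret')
        if 'MultipleResourcesFound' in repr(e):
            return _find_failed(name, 'secret')
        # Unknown lookup failure must not fall through to the ACL calls.
        log.error('Barbicanv1 secret lookup failed with %s', e)
        return _create_failed(name, 'acl')
    try:
        resp = _barbicanv1_call('secret_acl_get', name=name,
                                cloud_name=cloud_name)
    except Exception as e:
        if 'ResourceNotFound' in repr(e):
            # No ACL yet: create one with the requested users.
            try:
                resp = _barbicanv1_call('secret_acl_put', name=name,
                                        cloud_name=cloud_name, **kwargs)
            except Exception as err:
                log.error('Add acl for user failed with %s', err)
                return _create_failed(name, 'acl')
            return _created(name, 'acl', resp)
        log.error('Add acl for user failed with %s', e)
        return _create_failed(name, 'acl')

    # assumes the ACL response is shaped {'read': {'users': [...]}} — this
    # matches the original indexing; verify against barbicanv1.secret_acl_get
    current_users = (resp.get('read') or {}).get('users', [])
    missing_users = [user_id for user_id in kwargs.get('users', [])
                     if user_id not in current_users]
    if missing_users:
        # NOTE(review): only the missing ids are sent; if secret_acl_put
        # replaces the whole ACL rather than merging, users already on it
        # would be dropped — confirm the execution module's semantics.
        kwargs['users'] = missing_users
        try:
            resp = _barbicanv1_call('secret_acl_put', name=name,
                                    cloud_name=cloud_name, **kwargs)
        except Exception as e:
            log.error('Add acl for user failed with %s', e)
            return _create_failed(name, 'acl')
        return _created(name, 'acl', resp)
    return _no_changes(name, 'acl')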
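def _created(name, resource, resource_definition):
    """Successful state result for a newly created resource.

    :param name: the state/resource name
    :param resource: human-readable resource kind (e.g. ``'secret'``)
    :param resource_definition: what is reported under ``changes``
    :return: a Salt state result dict
    """
    return {
        'name': name,
        'changes': resource_definition,
        'result': True,
        # Space between kind and name, consistent with the _failed helpers.
        'comment': '{0} {1} created'.format(resource, name),
    }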
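def _updated(name, resource, resource_definition):
    """Successful state result for an updated resource.

    :param name: the state/resource name
    :param resource: human-readable resource kind
    :param resource_definition: what is reported under ``changes``
    :return: a Salt state result dict
    """
    return {
        'name': name,
        'changes': resource_definition,
        'result': True,
        # Space between kind and name, consistent with the _failed helpers.
        'comment': '{0} {1} updated'.format(resource, name),
    }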
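def _no_changes(name, resource):
    """Successful, change-free state result for a resource already as desired.

    :param name: the state/resource name
    :param resource: human-readable resource kind
    :return: a Salt state result dict with empty ``changes``
    """
    return {
        'name': name,
        'changes': {},
        'result': True,
        # Space between kind and name, consistent with the _failed helpers.
        'comment': '{0} {1} is in desired state'.format(resource, name),
    }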
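def _deleted(name, resource):
    """Successful state result for a resource that was just removed.

    :param name: the state/resource name
    :param resource: human-readable resource kind
    :return: a Salt state result dict with empty ``changes``
    """
    return {
        'name': name,
        'changes': {},
        'result': True,
        # Space between kind and name, consistent with the _failed helpers.
        'comment': '{0} {1} removed'.format(resource, name),
    }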
def _absent(name, resource):
    """Successful, change-free state result for a resource that is already absent.

    :param name: the state/resource name
    :param resource: human-readable resource kind
    :return: a Salt state result dict
    """
    return {
        'name': name,
        'changes': {},
        'comment': '{0} {1} not present'.format(resource, name),
        'result': True,
    }
def _delete_failed(name, resource):
    """Failed state result for a resource that could not be deleted.

    :param name: the state/resource name
    :param resource: human-readable resource kind
    :return: a Salt state result dict with ``result`` False
    """
    comment = '{0} {1} failed to delete'.format(resource, name)
    return {'name': name, 'changes': {}, 'comment': comment, 'result': False}
def _create_failed(name, resource):
    """Failed state result for a resource that could not be created.

    :param name: the state/resource name
    :param resource: human-readable resource kind
    :return: a Salt state result dict with ``result`` False
    """
    comment = '{0} {1} failed to create'.format(resource, name)
    return {'name': name, 'changes': {}, 'comment': comment, 'result': False}
def _update_failed(name, resource):
    """Failed state result for a resource that could not be updated.

    :param name: the state/resource name
    :param resource: human-readable resource kind
    :return: a Salt state result dict with ``result`` False
    """
    comment = '{0} {1} failed to update'.format(resource, name)
    return {'name': name, 'changes': {}, 'comment': comment, 'result': False}
def _find_failed(name, resource):
    """Failed state result when a name matches more than one resource.

    :param name: the state/resource name
    :param resource: human-readable resource kind
    :return: a Salt state result dict with ``result`` False
    """
    comment = '{resource} {name} found multiple {resource}'.format(
        resource=resource, name=name
    )
    return {'name': name, 'changes': {}, 'comment': comment, 'result': False}