# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_db.sqlalchemy import utils as sqlalchemyutils
from oslo_log import log
from sqlalchemy import orm
from sqlalchemy.sql import expression
from keystone.common import resource_options
from keystone.common import sql
import keystone.conf
from keystone import exception
from keystone.resource.backends import base
from keystone.resource.backends import sql_model
CONF = keystone.conf.CONF
LOG = log.getLogger(__name__)
[docs]
class Resource(base.ResourceDriverBase):
def _encode_domain_id(self, ref):
if 'domain_id' in ref and ref['domain_id'] is None:
new_ref = ref.copy()
new_ref['domain_id'] = base.NULL_DOMAIN_ID
return new_ref
else:
return ref
def _is_hidden_ref(self, ref):
return ref.id == base.NULL_DOMAIN_ID
def _get_project(self, session, project_id):
project_ref = session.get(sql_model.Project, project_id)
if project_ref is None or self._is_hidden_ref(project_ref):
raise exception.ProjectNotFound(project_id=project_id)
return project_ref
[docs]
def get_project(self, project_id):
with sql.session_for_read() as session:
return self._get_project(session, project_id).to_dict()
[docs]
def get_project_by_name(self, project_name, domain_id):
with sql.session_for_read() as session:
query = session.query(sql_model.Project)
query = query.filter_by(name=project_name)
if domain_id is None:
query = query.filter_by(domain_id=base.NULL_DOMAIN_ID)
else:
query = query.filter_by(domain_id=domain_id)
try:
project_ref = query.one()
except sql.NotFound:
raise exception.ProjectNotFound(project_id=project_name)
if self._is_hidden_ref(project_ref):
raise exception.ProjectNotFound(project_id=project_name)
return project_ref.to_dict()
[docs]
def list_projects(self, hints):
# If there is a filter on domain_id and the value is None, then to
# ensure that the sql filtering works correctly, we need to patch
# the value to be NULL_DOMAIN_ID. This is safe to do here since we
# know we are able to satisfy any filter of this type in the call to
# filter_limit_query() below, which will remove the filter from the
# hints (hence ensuring our substitution is not exposed to the caller).
for f in hints.filters:
if f['name'] == 'domain_id' and f['value'] is None:
f['value'] = base.NULL_DOMAIN_ID
with sql.session_for_read() as session:
query = session.query(sql_model.Project)
query = query.filter(sql_model.Project.id != base.NULL_DOMAIN_ID)
query = sql.filter_query(sql_model.Project, query, hints)
marker_row = None
if hints.marker is not None:
marker_row = (
session.query(sql_model.Project)
.filter_by(id=hints.marker)
.first()
)
if not marker_row:
raise exception.MarkerNotFound(marker=hints.marker)
project_refs = sqlalchemyutils.paginate_query(
query,
sql_model.Project,
hints.get_limit_or_max(),
["id"],
marker=marker_row,
)
# Query the data
data = project_refs.all()
if hints.limit:
# the `common.manager.response_truncated` decorator expects
# that when driver truncates results it should also raise
# 'truncated' flag to indicate that. Since we do not really
# know whether there are more records once we applied filters
# we can only "assume" and set the flag when count of records
# is equal to what we have limited to.
# NOTE(gtema) get rid of that once proper pagination is
# enabled for all resources
if len(data) >= hints.limit["limit"]:
hints.limit["truncated"] = True
return [project_ref.to_dict() for project_ref in data]
[docs]
def list_projects_from_ids(self, ids):
if not ids:
return []
else:
with sql.session_for_read() as session:
query = session.query(sql_model.Project)
query = query.filter(sql_model.Project.id.in_(ids))
return [
project_ref.to_dict()
for project_ref in query.all()
if not self._is_hidden_ref(project_ref)
]
[docs]
def list_project_ids_from_domain_ids(self, domain_ids):
if not domain_ids:
return []
else:
with sql.session_for_read() as session:
query = session.query(sql_model.Project.id)
query = query.filter(
sql_model.Project.domain_id.in_(domain_ids)
)
return [
x.id for x in query.all() if not self._is_hidden_ref(x)
]
[docs]
def list_projects_in_domain(self, domain_id):
with sql.session_for_read() as session:
try:
self._get_project(session, domain_id)
except exception.ProjectNotFound:
raise exception.DomainNotFound(domain_id=domain_id)
query = session.query(sql_model.Project)
project_refs = query.filter(
sql_model.Project.domain_id == domain_id
)
return [project_ref.to_dict() for project_ref in project_refs]
[docs]
def list_projects_acting_as_domain(self, hints):
hints.add_filter('is_domain', True)
return self.list_projects(hints)
def _get_children(self, session, project_ids, domain_id=None):
query = session.query(sql_model.Project)
query = query.filter(sql_model.Project.parent_id.in_(project_ids))
project_refs = query.all()
return [project_ref.to_dict() for project_ref in project_refs]
[docs]
def list_projects_in_subtree(self, project_id):
with sql.session_for_read() as session:
children = self._get_children(session, [project_id])
subtree = []
examined = {project_id}
while children:
children_ids = set()
for ref in children:
if ref['id'] in examined:
msg = (
'Circular reference or a repeated '
'entry found in projects hierarchy - '
'%(project_id)s.'
)
LOG.error(msg, {'project_id': ref['id']})
return
children_ids.add(ref['id'])
examined.update(children_ids)
subtree += children
children = self._get_children(session, children_ids)
return subtree
[docs]
def list_project_parents(self, project_id):
with sql.session_for_read() as session:
project = self._get_project(session, project_id).to_dict()
parents = []
examined = set()
while project.get('parent_id') is not None:
if project['id'] in examined:
msg = (
'Circular reference or a repeated '
'entry found in projects hierarchy - '
'%(project_id)s.'
)
LOG.error(msg, {'project_id': project['id']})
return
examined.add(project['id'])
parent_project = self._get_project(
session, project['parent_id']
).to_dict()
parents.append(parent_project)
project = parent_project
return parents
[docs]
def is_leaf_project(self, project_id):
with sql.session_for_read() as session:
project_refs = self._get_children(session, [project_id])
return not project_refs
def _filter_ids_by_tags(self, query, tags):
filtered_ids = []
subq = query.filter(sql_model.ProjectTag.name.in_(tags))
for ptag in subq:
subq_tags = query.filter(
sql_model.ProjectTag.project_id == ptag['project_id']
)
result = (x['name'] for x in subq_tags.all())
if set(tags) <= set(result):
filtered_ids.append(ptag['project_id'])
return filtered_ids
def _filter_not_tags(self, session, filtered_ids, blacklist_ids):
subq = session.query(sql_model.Project)
valid_ids = [q['id'] for q in subq if q['id'] not in blacklist_ids]
if filtered_ids:
valid_ids = list(set(valid_ids) & set(filtered_ids))
return valid_ids
# CRUD
[docs]
@sql.handle_conflicts(conflict_type='project')
def create_project(self, project_id, project):
new_project = self._encode_domain_id(project)
with sql.session_for_write() as session:
project_ref = sql_model.Project.from_dict(new_project)
session.add(project_ref)
# Set resource options passed on creation
resource_options.resource_options_ref_to_mapper(
project_ref, sql_model.ProjectOption
)
return project_ref.to_dict()
[docs]
@sql.handle_conflicts(conflict_type='project')
def update_project(self, project_id, project):
update_project = self._encode_domain_id(project)
with sql.session_for_write() as session:
project_ref = self._get_project(session, project_id)
old_project_dict = project_ref.to_dict()
for k in update_project:
old_project_dict[k] = update_project[k]
# When we read the old_project_dict, any "null" domain_id will have
# been decoded, so we need to re-encode it
old_project_dict = self._encode_domain_id(old_project_dict)
new_project = sql_model.Project.from_dict(old_project_dict)
for attr in sql_model.Project.attributes:
if attr != 'id':
setattr(project_ref, attr, getattr(new_project, attr))
# Move the "_resource_options" attribute over to the real ref
# so that resource_options.resource_options_ref_to_mapper can
# handle the work.
setattr(
project_ref,
'_resource_options',
getattr(new_project, '_resource_options', {}),
)
# Move options into the proper attribute mapper construct
resource_options.resource_options_ref_to_mapper(
project_ref, sql_model.ProjectOption
)
project_ref.extra = new_project.extra
return project_ref.to_dict(include_extra_dict=True)
[docs]
@sql.handle_conflicts(conflict_type='project')
def delete_project(self, project_id):
with sql.session_for_write() as session:
project_ref = self._get_project(session, project_id)
session.delete(project_ref)
[docs]
@sql.handle_conflicts(conflict_type='project')
def delete_projects_from_ids(self, project_ids):
if not project_ids:
return
with sql.session_for_write() as session:
query = session.query(sql_model.Project).filter(
sql_model.Project.id.in_(project_ids)
)
project_ids_from_bd = [p['id'] for p in query.all()]
for project_id in project_ids:
if (
project_id not in project_ids_from_bd
or project_id == base.NULL_DOMAIN_ID
):
LOG.warning(
'Project %s does not exist and was not deleted.',
project_id,
)
query.delete(synchronize_session=False)
[docs]
def check_project_depth(self, max_depth):
with sql.session_for_read() as session:
obj_list = []
# Using db table self outerjoin to find the project descendants.
#
# We'll only outerjoin the project table `max_depth` times to
# check whether current project tree exceed the max depth limit.
#
# For example:
#
# If max_depth is 2, we will take the outerjoin 2 times, then the
# SQL result may be like:
#
# +---- +-------------+-------------+-------------+
# | No. | project1_id | project2_id | project3_id |
# +--- -+-------------+-------------+-------------+
# | 1 | domain_x | | |
# +- ---+-------------+-------------+-------------+
# | 2 | project_a | | |
# +- ---+-------------+-------------+-------------+
# | 3 | domain_y | project_a | |
# +- ---+-------------+-------------+-------------+
# | 4 | project_b | project_c | |
# +- ---+-------------+-------------+-------------+
# | 5 | domain_y | project_b | project_c |
# +- ---+-------------+-------------+-------------+
#
# `project1_id` column is the root. It is a project or a domain.
# If `project1_id` is a project, there must exist a line that
# `project1` is its domain.
#
# We got 5 lines here. It includes three scenarios:
#
# 1). The No.1 line means there is a domain `domain_x` which has no
# children. The depth is 1.
#
# 2). The No.2 and No.3 lines mean project `project_a` has no child
# and its parent is domain `domain_y`. The depth is 2.
#
# 3). The No.4 and No.5 lines mean project `project_b` has a child
# `project_c` and its parent is domain `domain_y`. The depth is
# 3. This tree hit the max depth
#
# So we can see that if column "project3_id" has value, it means
# some trees hit the max depth limit.
for _ in range(max_depth + 1):
obj_list.append(orm.aliased(sql_model.Project))
query = session.query(*obj_list)
for index in range(max_depth):
query = query.outerjoin(
obj_list[index + 1],
obj_list[index].id == obj_list[index + 1].parent_id,
)
exceeded_lines = query.filter(obj_list[-1].id != expression.null())
if exceeded_lines:
return [line[max_depth].id for line in exceeded_lines]
