ma.py

import os
import tempfile
import subprocess

from myslicelib.api.cbas import Cbas, objects, fields, cbas_id
from myslicelib.util.sfa import hrn_to_urn, urn_to_hrn

import logging

logger = logging.getLogger(__name__)


class MemberAuthority(Cbas):

    def __init__(self, endpoint=None, authentication=None):

        super(MemberAuthority, self).__init__(endpoint, authentication)
        self.user_credential = self.get_credential(self.authentication.urn, raw=True)

    def get_credential(self, urn, raw=False):
        _ma = [
            'user',
        ]
        _sa = [
            'slice',
            'project'
        ]
        hrn, entity = urn_to_hrn(urn)
        if entity in _sa:
            return self.sa.get_credential(urn, raw, [self.user_credential])
        elif entity in _ma:
            return super(MemberAuthority, self).get_credential(urn, raw)
        else:
            return {'data': [], 'errors': []}

    def set_sa(self, sa):
        self.sa = sa

    def get(self, entity, urn=None, filter=None, raw=False):
        try:
            if entity in objects.keys():
                cbas_entity = objects[entity]
            else:
                cbas_entity = entity

            result = super(MemberAuthority, self).get(entity, urn, filter, raw)
            if raw:
                return result
            if entity == "user":
                for i, element in enumerate(result["data"]):
                    slices = self.sa._proxy.lookup_for_member('SLICE', element['id'], [self.user_credential], {})
                    result['data'][i]['slices'] = [sl['SLICE_URN'] for sl in slices['value']]
                    projects = self.sa._proxy.lookup_for_member('PROJECT', element['id'], [self.user_credential], {})
                    result['data'][i]['projects'] = [sl['PROJECT_URN'] for sl in projects['value']]
        except Exception as e:
            import traceback
            traceback.print_exc()
            self.logs.append({
                'endpoint': self.endpoint.name,
                'url': self.endpoint.url,
                'protocol': self.endpoint.protocol,
                'type': self.endpoint.type,
                'exception': str(e)
            })
        return result

    def _key(self, data):
        keys = []
        for d in data:
            k = data[d]
            keys.append(
                k['KEY_PUBLIC']
            )
        return keys

    def _user(self, data):
        users = []
        for d in data:
            u = data[d]
            urn = u.get('MEMBER_URN')
            authority = 'urn:publicid:IDN+' + urn.split("+")[1] + '+authority+ma'
            credentials = u.get('MEMBER_CREDENTIALS')
            pi_authorities = []
            # How to check if user has root rights?
            # XXX workaround for now, to be changed
            if "<privilege><name>GLOBAL_MEMBERS_WILDCARDS</name>" in credentials:
                pi_authorities.append(authority)
            # Get the Key of the user
            k = self.get("key", urn)

            users.append({
                'id': urn,
                'shortname': u.get('MEMBER_USERNAME'),
                'hrn': urn_to_hrn(u.get('MEMBER_URN'))[0],
                'first_name': u.get('MEMBER_FIRSTNAME'),
                'last_name': u.get('MEMBER_LASTNAME'),
                'keys': k.get('data', []),
                'certificate': u.get('MEMBER_CERTIFICATE'),
                'email': u.get('MEMBER_EMAIL'),
                'created': u.get('created'),
                # 'updated': self._datetime(d['last_updated']),
                'authority': authority,
                'pi_authorities': pi_authorities,
                'affiliation': u.get('_ONELAB_MEMBER_AFFILIATION', ''),
                'city': u.get('_ONELAB_MEMBER_CITY', ''),
                'country': u.get('_ONELAB_MEMBER_COUNTRY', ''),
                #                   ],
                # 'projects': [
                #                    hrn_to_urn(pi_auth, 'authority') for pi_auth in filter(lambda x: len(x.split('.')) > 2, u.get('reg-pi-authorities', []))
                #                   ],
                # 'slices': [
                #            hrn_to_urn(sli, 'slice') for sli in u.get('reg-slices', [])
                #        ],
            })
        return users

    def _user_mappings(self, record_dict):
        mapped_dict = {
            # 'MEMBER_URN': record_dict.get('id'),
            'MEMBER_USERNAME': record_dict.get('shortname'),
            'MEMBER_EMAIL': record_dict.get('email'),
            'MEMBER_FIRSTNAME': record_dict.get('first_name', ''),
            'MEMBER_LASTNAME': record_dict.get('last_name', ''),
            # 'MEMBER_CERTIFICATE': record_dict.get('certificate',''),
            '_ONELAB_MEMBER_AFFILIATION': record_dict.get('affiliation', ''),
            '_ONELAB_MEMBER_CITY': record_dict.get('city', ''),
            '_ONELAB_MEMBER_COUNTRY': record_dict.get('country', ''),
            # 'type': 'member',
            # 'keys' : record_dict.get('keys', '')

            'KEY_PUBLIC': self.convert_pkcs8(next(iter(record_dict.get('keys', []) or []), None))
        }

        # filter key have empty value
        mapped_dict = {k: v for k, v in mapped_dict.items() if v}
        return mapped_dict

    def _key_mappings(self, record_dict):

        mapped_dict = {
            'KEY_PUBLIC': next(iter(record_dict.get('keys', []) or []), None),
            'KEY_TYPE': "rsa-ssh",
            'KEY_MEMBER': record_dict.get('id')
        }
        # filter key have empty value
        mapped_dict = {k: v for k, v in mapped_dict.items() if v}
        return mapped_dict

    def create(self, entity, urn, record_dict):
        result = []
        try:
            if entity in objects.keys():
                cbas_entity = objects[entity]
            else:
                cbas_entity = entity

            mapped_dict = getattr(self, '_' + entity + '_mappings')(record_dict)

            create_result = self._proxy.create(cbas_entity, [self.user_credential], {'fields': mapped_dict})
            self.save_key(urn, record_dict)
            if 'code' not in create_result or create_result['code'] != 0:
                if 'output' in create_result:
                    raise Exception(create_result['output'])
                raise Exception(create_result)
            result = create_result
            res = self.get(entity, urn)
            result = res['data']
            self.logs += res['errors']
        except Exception as e:
            import traceback
            traceback.print_exc()
            self.logs.append({
                'endpoint': self.endpoint.name,
                'url': self.endpoint.url,
                'protocol': self.endpoint.protocol,
                'type': self.endpoint.type,
                'exception': str(e)
            })
        return {'data': result, 'errors': self.logs}

    def save_key(self, urn, record_dict):
        """
        save_key function creates or update a public key for a user
        """
        try:
            self.delete_keys(record_dict.get('id'))
            if record_dict.get("keys") is not None:
                mapped_dict = getattr(self, '_key' + '_mappings')(record_dict)
                create_key_result = self._proxy.create("KEY", [self.user_credential], {'fields': mapped_dict})
                # DUPLICATE ERROR => update KEY
                if 'code' in create_key_result and create_key_result['code'] == 5:
                    k = self.get("key", urn, raw=True)
                    key_id = next(iter(k.keys()))
                    # UPDATE method do not support these fields
                    del mapped_dict["KEY_TYPE"]
                    del mapped_dict["KEY_MEMBER"]
                    update_key_result = self._proxy.update("KEY", key_id, [self.user_credential],
                                                           {'fields': mapped_dict})
                return True

        except Exception as e:
            logger.exception(e)
            pass

        return False

    def update_sa(self, urn, _type, current, record_dict):
        """
        Update the slices and projects of a user
        this function calls the SliceAuthority
        sa needs to be set by self.set_sa called in api/__init__.py

        :param urn: User.id
        :param _type: slice | project
        :param current: current record of the user before update
        :param record_dict: dict of the record with new values
        """
        rem = list(set(current[_type + 's']) - set(record_dict[_type + 's']))
        add = list(set(record_dict[_type + 's']) - set(current[_type + 's']))
        mod = rem + add
        for item in add:
            obj = self.sa.get(_type, item)['data'][0]
            obj['users'].append(urn)
            self.sa.update(_type, item, obj)
        for item in rem:
            obj = self.sa.get(_type, item)['data'][0]
            obj['users'].remove(urn)
            self.sa.update(_type, item, obj)

    def update(self, entity, urn, record_dict):
        """
        Update a user
        """
        result = []
        try:
            if entity in objects.keys():
                cbas_entity = objects[entity]
            else:
                cbas_entity = entity

            mapped_dict = getattr(self, '_' + entity + '_mappings')(record_dict)
            # UPDATE method do not support these fields
            del mapped_dict["MEMBER_USERNAME"]

            current = self.get(entity, urn)['data'][0]
            self.update_sa(urn, 'slice', current, record_dict)
            self.update_sa(urn, 'project', current, record_dict)

            update_result = self._proxy.update(cbas_entity, urn, [self.user_credential], {'fields': mapped_dict})
            self.save_key(urn, record_dict)
            res = self.get(entity, urn)
            result = res['data']
            self.logs += res['errors']
        except Exception as e:
            import traceback
            traceback.print_exc()
            self.logs.append({
                'endpoint': self.endpoint.name,
                'url': self.endpoint.url,
                'protocol': self.endpoint.protocol,
                'type': self.endpoint.type,
                'exception': str(e)
            })

        return {'data': result, 'errors': self.logs}

    def delete_keys(self, urn):
        """
        delete_keys function removes all public keys of a user
        """
        try:
            keys = self.get("key", urn, raw=True)
            for k in keys:
                delete_key_result = self._proxy.delete("KEY", k, [self.user_credential], {})
            return True

        except Exception as e:
            logger.exception(e)
            pass

        return False

    def convert_pkcs8(self, key):

        try:
            # Write the key in a temporary file
            tempf, fpath = tempfile.mkstemp()
            os.write(tempf, bytes(key, 'utf-8'))
            os.close(tempf)

            # Convert to PKCS8 (---BEGIN PUBLIC KEY---)
            command = "ssh-keygen -e -m pkcs8 -f".split(' ')
            command.append(fpath)

            data = subprocess.run(command, stdout=subprocess.PIPE)
            # Remove temporary file
            os.remove(fpath)

        except Exception as e:
            logger.debug(e)
            return
        else:
            return data.stdout.decode("utf-8")


class MaError(Exception):

    def __init__(self, value):
        self.value = value

    def __str__(self):
        return repr(self.value)