Merge pull request #226 from ImMin5/feature-service-accont-auto-sync

Add managed resource modify rule

src/spaceone/identity/error/custom.py

@@ -3,3 +3,7 @@
 
 class ERROR_GENERATE_KEY_FAILURE(ERROR_BASE):
     _message = "Error on generate key."
+
+
+class ERROR_MANAGED_RESOURCE_CAN_NOT_BE_MODIFIED(ERROR_PERMISSION_DENIED):
+    _message = "Managed resource can not be deleted."

src/spaceone/identity/manager/job_manager.py

@@ -129,7 +129,7 @@ def change_error_status(
 
         job_vo.update(
             {
-                "status": "FAILURE",
+                "status": "ERROR",
                 "error_message": error.message,
                 "finished_at": datetime.utcnow(),
             }

src/spaceone/identity/manager/resource_manager.py

@@ -0,0 +1,19 @@
+from typing import Union
+
+from spaceone.core.manager import BaseManager
+
+from spaceone.identity.error.custom import ERROR_MANAGED_RESOURCE_CAN_NOT_BE_MODIFIED
+from spaceone.identity.model.service_account.database import ServiceAccount
+from spaceone.identity.model.project.database import Project
+from spaceone.identity.model.project_group.database import ProjectGroup
+from spaceone.identity.model.workspace.database import Workspace
+
+
+class ResourceManager(BaseManager):
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+    @staticmethod
+    def check_is_managed_resource(resource_vo: Union[ServiceAccount, Project, ProjectGroup, Workspace]) -> None:
+        if resource_vo.is_managed:
+            raise ERROR_MANAGED_RESOURCE_CAN_NOT_BE_MODIFIED()

src/spaceone/identity/manager/secret_manager.py

@@ -3,13 +3,17 @@
 from spaceone.core import config
 from spaceone.core.manager import BaseManager
 from spaceone.core.connector.space_connector import SpaceConnector
+from spaceone.core.auth.jwt.jwt_util import JWTUtil
 
 _LOGGER = logging.getLogger(__name__)
 
 
 class SecretManager(BaseManager):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
+        token = self.transaction.get_meta("token")
+        self.token_type = JWTUtil.get_value_from_token(token, "typ")
+
         self.secret_conn: SpaceConnector = self.locator.get_connector(
             "SpaceConnector", service="secret"
         )
@@ -62,8 +66,11 @@ def delete_related_trusted_secrets(self, trusted_account_id: str):
     def list_trusted_secrets(self, params: dict) -> dict:
         return self.secret_conn.dispatch("TrustedSecret.list", params)
 
-    def create_secret(self, params: dict) -> dict:
-        return self.secret_conn.dispatch("Secret.create", params)
+    def create_secret(self, params: dict, domain_id: str = None) -> dict:
+        if self.token_type == "SYSTEM_TOKEN":
+            return self.secret_conn.dispatch("Secret.create", params, x_domain_id=domain_id)
+        else:
+            return self.secret_conn.dispatch("Secret.create", params)
 
     def update_secret(self, params: dict) -> dict:
         return self.secret_conn.dispatch("Secret.update", params)

src/spaceone/identity/manager/service_account_manager.py

@@ -37,7 +37,7 @@ def update_service_account(self, params: dict) -> ServiceAccount:
         return self.update_service_account_by_vo(params, service_account_vo)
 
     def update_service_account_by_vo(
-        self, params: dict, service_account_vo: ServiceAccount
+            self, params: dict, service_account_vo: ServiceAccount
     ) -> ServiceAccount:
         def _rollback(old_data):
             _LOGGER.info(
@@ -55,11 +55,11 @@ def delete_service_account_by_vo(service_account_vo: ServiceAccount) -> None:
         service_account_vo.delete()
 
     def get_service_account(
-        self,
-        service_account_id: str,
-        domain_id: str,
-        workspace_id: str = None,
-        user_projects: List[str] = None,
+            self,
+            service_account_id: str,
+            domain_id: str,
+            workspace_id: str = None,
+            user_projects: List[str] = None,
     ) -> ServiceAccount:
         conditions = {"service_account_id": service_account_id, "domain_id": domain_id}
 
@@ -81,11 +81,11 @@ def stat_service_accounts(self, query: dict) -> dict:
         return self.service_account_model.stat(**query)
 
     def update_secret_project(
-        self,
-        service_account_id: str,
-        domain_id: str,
-        workspace_id: str,
-        project_id: str,
+            self,
+            service_account_id: str,
+            domain_id: str,
+            workspace_id: str,
+            project_id: str,
     ) -> None:
         secret_connector: SpaceConnector = self.locator.get_connector(
             "SpaceConnector", service="secret"
@@ -106,7 +106,7 @@ def update_secret_project(
             )
 
     def delete_secrets(
-        self, service_account_id: str, domain_id: str, workspace_id: str
+            self, service_account_id: str, domain_id: str, workspace_id: str
     ) -> None:
         secret_connector: SpaceConnector = self.locator.get_connector(
             "SpaceConnector", service="secret"
@@ -126,7 +126,7 @@ def delete_secrets(
             )
 
     def get_all_service_account_ids_using_secret(
-        self, domain_id: str, workspace_id: str
+            self, domain_id: str, workspace_id: str
     ) -> List[str]:
         secret_connector: SpaceConnector = self.locator.get_connector(
             "SpaceConnector", service="secret"
@@ -147,10 +147,10 @@ def get_all_service_account_ids_using_secret(
 
     @staticmethod
     def _list_secrets(
-        secret_connector: SpaceConnector,
-        service_account_id: str,
-        domain_id: str,
-        workspace_id: str,
+            secret_connector: SpaceConnector,
+            service_account_id: str,
+            domain_id: str,
+            workspace_id: str,
     ) -> dict:
         return secret_connector.dispatch(
             "Secret.list",

src/spaceone/identity/service/job_service.py

@@ -612,7 +612,7 @@ def _create_service_account(
                 "schema_id": secret_schema_id,
 
             }
-            secret_info = secret_mgr.create_secret(create_secret_params)
+            secret_info = secret_mgr.create_secret(create_secret_params, domain_id)
             # Update secret_id in service_account_vo
             service_account_vo = self.service_account_mgr.update_service_account_by_vo(
                 {"secret_id": secret_info["secret_id"]}, service_account_vo

src/spaceone/identity/service/project_group_service.py

@@ -7,6 +7,7 @@
 
 from spaceone.identity.error.error_project_group import *
 from spaceone.identity.manager.project_group_manager import ProjectGroupManager
+from spaceone.identity.manager.resource_manager import ResourceManager
 from spaceone.identity.manager.workspace_user_manager import WorkspaceUserManager
 from spaceone.identity.model import ProjectGroup
 from spaceone.identity.model.project_group.request import *
@@ -25,13 +26,14 @@ class ProjectGroupService(BaseService):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.project_group_mgr = ProjectGroupManager()
+        self.resource_mgr = ResourceManager()
 
     @transaction(
         permission="identity:ProjectGroup.write", role_types=["WORKSPACE_OWNER"]
     )
     @convert_model
     def create(
-        self, params: ProjectGroupCreateRequest
+            self, params: ProjectGroupCreateRequest
     ) -> Union[ProjectGroupResponse, dict]:
         """Create project group
 
@@ -62,7 +64,7 @@ def create(
     )
     @convert_model
     def update(
-        self, params: ProjectGroupUpdateRequest
+            self, params: ProjectGroupUpdateRequest
     ) -> Union[ProjectGroupResponse, dict]:
         """Update project group
 
@@ -83,6 +85,10 @@ def update(
             params.domain_id,
             params.workspace_id,
         )
+
+        # Check is managed resource
+        self.resource_mgr.check_is_managed_resource(project_group_vo)
+
         project_group_vo = self.project_group_mgr.update_project_group_by_vo(
             params.dict(exclude_unset=True), project_group_vo
         )
@@ -94,7 +100,7 @@ def update(
     )
     @convert_model
     def change_parent_group(
-        self, params: ProjectChangeParentGroupRequest
+            self, params: ProjectChangeParentGroupRequest
     ) -> Union[ProjectGroupResponse, dict]:
         """Change parent project group
 
@@ -115,6 +121,9 @@ def change_parent_group(
             params.workspace_id,
         )
 
+        # Check is managed resource
+        self.resource_mgr.check_is_managed_resource(project_group_vo)
+
         # Check parent project group is
         if params.parent_group_id:
             self.project_group_mgr.get_project_group(
@@ -161,14 +170,17 @@ def delete(self, params: ProjectGroupDeleteRequest) -> None:
             params.workspace_id,
         )
 
+        # Check is managed resource
+        self.resource_mgr.check_is_managed_resource(project_group_vo)
+
         self.project_group_mgr.delete_project_group_by_vo(project_group_vo)
 
     @transaction(
         permission="identity:ProjectGroup.write", role_types=["WORKSPACE_OWNER"]
     )
     @convert_model
     def add_users(
-        self, params: ProjectGroupAddUsersRequest
+            self, params: ProjectGroupAddUsersRequest
     ) -> Union[ProjectGroupResponse, dict]:
         """Add users to project group
 
@@ -209,7 +221,7 @@ def add_users(
     )
     @convert_model
     def remove_users(
-        self, params: ProjectGroupRemoveUsersRequest
+            self, params: ProjectGroupRemoveUsersRequest
     ) -> ProjectGroupResponse:
         """Remove users from project group
         Args:
@@ -276,7 +288,7 @@ def get(self, params: ProjectGroupGetRequest) -> Union[ProjectGroupResponse, dic
     @append_keyword_filter(["project_group_id", "name"])
     @convert_model
     def list(
-        self, params: ProjectGroupSearchQueryRequest
+            self, params: ProjectGroupSearchQueryRequest
     ) -> Union[ProjectGroupsResponse, dict]:
         """List project groups
 
@@ -325,10 +337,10 @@ def stat(self, params: ProjectGroupStatQueryRequest) -> dict:
         return self.project_group_mgr.stat_project_groups(query)
 
     def _check_is_sub_project_group(
-        self,
-        change_parent_group_id: str,
-        cur_group_id: str,
-        project_group_vos: QuerySet,
+            self,
+            change_parent_group_id: str,
+            cur_group_id: str,
+            project_group_vos: QuerySet,
     ) -> Union[None, Exception]:
         for project_group_vo in project_group_vos:
             if project_group_vo.parent_group_id == cur_group_id:
@@ -345,7 +357,7 @@ def _check_is_sub_project_group(
         return None
 
     def _check_workspace_member_permission(
-        self, project_group_vo: ProjectGroup
+            self, project_group_vo: ProjectGroup
     ) -> None:
         role_type = self.transaction.get_meta("authorization.role_type")
         if role_type == "WORKSPACE_MEMBER":

src/spaceone/identity/service/project_service.py

@@ -7,6 +7,7 @@
 from spaceone.identity.manager.role_binding_manager import RoleBindingManager
 from spaceone.identity.manager.project_manager import ProjectManager
 from spaceone.identity.manager.project_group_manager import ProjectGroupManager
+from spaceone.identity.manager.resource_manager import ResourceManager
 from spaceone.identity.manager.workspace_manager import WorkspaceManager
 from spaceone.identity.manager.workspace_user_manager import WorkspaceUserManager
 from spaceone.identity.model.project.request import *
@@ -28,6 +29,7 @@ def __init__(self, *args, **kwargs):
         self.rb_mgr = RoleBindingManager()
         self.project_mgr = ProjectManager()
         self.project_group_mgr = ProjectGroupManager()
+        self.resource_mgr = ResourceManager()
         self.workspace_mgr = WorkspaceManager()
 
     @transaction(permission="identity:Project.write", role_types=["WORKSPACE_OWNER"])
@@ -87,6 +89,9 @@ def update(self, params: ProjectUpdateRequest) -> Union[ProjectResponse, dict]:
             params.user_projects,
         )
 
+        # Check is managed resource
+        self.resource_mgr.check_is_managed_resource(project_vo)
+
         project_vo = self.project_mgr.update_project_by_vo(
             params.dict(exclude_unset=True), project_vo
         )
@@ -96,7 +101,7 @@ def update(self, params: ProjectUpdateRequest) -> Union[ProjectResponse, dict]:
     @transaction(permission="identity:Project.write", role_types=["WORKSPACE_OWNER"])
     @convert_model
     def update_project_type(
-        self, params: ProjectUpdateProjectTypeRequest
+            self, params: ProjectUpdateProjectTypeRequest
     ) -> Union[ProjectResponse, dict]:
         """Update project type
         Args:
@@ -114,6 +119,9 @@ def update_project_type(
             params.project_id, params.domain_id, params.workspace_id
         )
 
+        # Check is managed resource
+        self.resource_mgr.check_is_managed_resource(project_vo)
+
         params_dict = params.dict(exclude_unset=True)
         if params.project_type == "PUBLIC":
             params_dict["users"] = []
@@ -126,7 +134,7 @@ def update_project_type(
     @transaction(permission="identity:Project.write", role_types=["WORKSPACE_OWNER"])
     @convert_model
     def change_project_group(
-        self, params: ProjectChangeProjectGroupRequest
+            self, params: ProjectChangeProjectGroupRequest
     ) -> Union[ProjectResponse, dict]:
         """Change project group
         Args:
@@ -152,6 +160,10 @@ def change_project_group(
             params.domain_id,
             params.workspace_id,
         )
+
+        # Check is managed resource
+        self.resource_mgr.check_is_managed_resource(project_vo)
+
         project_vo = self.project_mgr.update_project_by_vo(params.dict(), project_vo)
 
         return ProjectResponse(**project_vo.to_dict())
@@ -176,6 +188,9 @@ def delete(self, params: ProjectDeleteRequest) -> None:
             params.workspace_id,
         )
 
+        # Check is managed resource
+        self.resource_mgr.check_is_managed_resource(project_vo)
+
         self.project_mgr.delete_project_by_vo(project_vo)
 
     @transaction(
@@ -229,7 +244,7 @@ def add_users(self, params: ProjectAddUsersRequest) -> Union[ProjectResponse, di
     )
     @convert_model
     def remove_users(
-        self, params: ProjectRemoveUsersRequest
+            self, params: ProjectRemoveUsersRequest
     ) -> Union[ProjectResponse, dict]:
         """Remove users from project
         Args:
@@ -272,7 +287,7 @@ def remove_users(
     )
     @convert_model
     def add_user_groups(
-        self, params: ProjectAddUserGroupsRequest
+            self, params: ProjectAddUserGroupsRequest
     ) -> Union[ProjectResponse, dict]:
         return {}
 
@@ -282,7 +297,7 @@ def add_user_groups(
     )
     @convert_model
     def remove_user_groups(
-        self, params: ProjectRemoveUserGroupsRequest
+            self, params: ProjectRemoveUserGroupsRequest
     ) -> Union[ProjectResponse, dict]:
         return {}