1 files changed, 123 insertions, 116 deletions

diff --git a/keystone-moon/keystone/resource/backends/sql.py b/keystone-moon/keystone/resource/backends/sql.py
index 59bab372..39bb4f3b 100644
--- a/keystone-moon/keystone/resource/backends/sql.py
+++ b/keystone-moon/keystone/resource/backends/sql.py
@@ -10,87 +10,123 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-from oslo_config import cfg
 from oslo_log import log
 
 from keystone.common import clean
+from keystone.common import driver_hints
 from keystone.common import sql
 from keystone import exception
-from keystone.i18n import _LE
+from keystone.i18n import _LE, _LW
 from keystone import resource as keystone_resource
 
 
-CONF = cfg.CONF
 LOG = log.getLogger(__name__)
 
 
-class Resource(keystone_resource.ResourceDriverV8):
+class Resource(keystone_resource.ResourceDriverV9):
 
     def default_assignment_driver(self):
         return 'sql'
 
+    def _encode_domain_id(self, ref):
+        if 'domain_id' in ref and ref['domain_id'] is None:
+            new_ref = ref.copy()
+            new_ref['domain_id'] = keystone_resource.NULL_DOMAIN_ID
+            return new_ref
+        else:
+            return ref
+
+    def _is_hidden_ref(self, ref):
+        return ref.id == keystone_resource.NULL_DOMAIN_ID
+
     def _get_project(self, session, project_id):
         project_ref = session.query(Project).get(project_id)
-        if project_ref is None:
+        if project_ref is None or self._is_hidden_ref(project_ref):
             raise exception.ProjectNotFound(project_id=project_id)
         return project_ref
 
-    def get_project(self, tenant_id):
-        with sql.transaction() as session:
-            return self._get_project(session, tenant_id).to_dict()
+    def get_project(self, project_id):
+        with sql.session_for_read() as session:
+            return self._get_project(session, project_id).to_dict()
 
-    def get_project_by_name(self, tenant_name, domain_id):
-        with sql.transaction() as session:
+    def get_project_by_name(self, project_name, domain_id):
+        with sql.session_for_read() as session:
             query = session.query(Project)
-            query = query.filter_by(name=tenant_name)
-            query = query.filter_by(domain_id=domain_id)
+            query = query.filter_by(name=project_name)
+            if domain_id is None:
+                query = query.filter_by(
+                    domain_id=keystone_resource.NULL_DOMAIN_ID)
+            else:
+                query = query.filter_by(domain_id=domain_id)
             try:
                 project_ref = query.one()
             except sql.NotFound:
-                raise exception.ProjectNotFound(project_id=tenant_name)
+                raise exception.ProjectNotFound(project_id=project_name)
+
+            if self._is_hidden_ref(project_ref):
+                raise exception.ProjectNotFound(project_id=project_name)
             return project_ref.to_dict()
 
-    @sql.truncated
+    @driver_hints.truncated
     def list_projects(self, hints):
-        with sql.transaction() as session:
+        # If there is a filter on domain_id and the value is None, then to
+        # ensure that the sql filtering works correctly, we need to patch
+        # the value to be NULL_DOMAIN_ID. This is safe to do here since we
+        # know we are able to satisfy any filter of this type in the call to
+        # filter_limit_query() below, which will remove the filter from the
+        # hints (hence ensuring our substitution is not exposed to the caller).
+        for f in hints.filters:
+            if (f['name'] == 'domain_id' and f['value'] is None):
+                f['value'] = keystone_resource.NULL_DOMAIN_ID
+        with sql.session_for_read() as session:
             query = session.query(Project)
             project_refs = sql.filter_limit_query(Project, query, hints)
-            return [project_ref.to_dict() for project_ref in project_refs]
+            return [project_ref.to_dict() for project_ref in project_refs
+                    if not self._is_hidden_ref(project_ref)]
 
     def list_projects_from_ids(self, ids):
         if not ids:
             return []
         else:
-            with sql.transaction() as session:
+            with sql.session_for_read() as session:
                 query = session.query(Project)
                 query = query.filter(Project.id.in_(ids))
-                return [project_ref.to_dict() for project_ref in query.all()]
+                return [project_ref.to_dict() for project_ref in query.all()
+                        if not self._is_hidden_ref(project_ref)]
 
     def list_project_ids_from_domain_ids(self, domain_ids):
         if not domain_ids:
             return []
         else:
-            with sql.transaction() as session:
+            with sql.session_for_read() as session:
                 query = session.query(Project.id)
                 query = (
                     query.filter(Project.domain_id.in_(domain_ids)))
-                return [x.id for x in query.all()]
+                return [x.id for x in query.all()
+                        if not self._is_hidden_ref(x)]
 
     def list_projects_in_domain(self, domain_id):
-        with sql.transaction() as session:
-            self._get_domain(session, domain_id)
+        with sql.session_for_read() as session:
+            try:
+                self._get_project(session, domain_id)
+            except exception.ProjectNotFound:
+                raise exception.DomainNotFound(domain_id=domain_id)
             query = session.query(Project)
-            project_refs = query.filter_by(domain_id=domain_id)
+            project_refs = query.filter(Project.domain_id == domain_id)
             return [project_ref.to_dict() for project_ref in project_refs]
 
-    def _get_children(self, session, project_ids):
+    def list_projects_acting_as_domain(self, hints):
+        hints.add_filter('is_domain', True)
+        return self.list_projects(hints)
+
+    def _get_children(self, session, project_ids, domain_id=None):
         query = session.query(Project)
         query = query.filter(Project.parent_id.in_(project_ids))
         project_refs = query.all()
         return [project_ref.to_dict() for project_ref in project_refs]
 
     def list_projects_in_subtree(self, project_id):
-        with sql.transaction() as session:
+        with sql.session_for_read() as session:
             children = self._get_children(session, [project_id])
             subtree = []
             examined = set([project_id])
@@ -111,7 +147,7 @@ class Resource(keystone_resource.ResourceDriverV8):
             return subtree
 
     def list_project_parents(self, project_id):
-        with sql.transaction() as session:
+        with sql.session_for_read() as session:
             project = self._get_project(session, project_id).to_dict()
             parents = []
             examined = set()
@@ -131,105 +167,61 @@ class Resource(keystone_resource.ResourceDriverV8):
             return parents
 
     def is_leaf_project(self, project_id):
-        with sql.transaction() as session:
+        with sql.session_for_read() as session:
             project_refs = self._get_children(session, [project_id])
             return not project_refs
 
     # CRUD
     @sql.handle_conflicts(conflict_type='project')
-    def create_project(self, tenant_id, tenant):
-        tenant['name'] = clean.project_name(tenant['name'])
-        with sql.transaction() as session:
-            tenant_ref = Project.from_dict(tenant)
-            session.add(tenant_ref)
-            return tenant_ref.to_dict()
+    def create_project(self, project_id, project):
+        project['name'] = clean.project_name(project['name'])
+        new_project = self._encode_domain_id(project)
+        with sql.session_for_write() as session:
+            project_ref = Project.from_dict(new_project)
+            session.add(project_ref)
+            return project_ref.to_dict()
 
     @sql.handle_conflicts(conflict_type='project')
-    def update_project(self, tenant_id, tenant):
-        if 'name' in tenant:
-            tenant['name'] = clean.project_name(tenant['name'])
-
-        with sql.transaction() as session:
-            tenant_ref = self._get_project(session, tenant_id)
-            old_project_dict = tenant_ref.to_dict()
-            for k in tenant:
-                old_project_dict[k] = tenant[k]
+    def update_project(self, project_id, project):
+        if 'name' in project:
+            project['name'] = clean.project_name(project['name'])
+
+        update_project = self._encode_domain_id(project)
+        with sql.session_for_write() as session:
+            project_ref = self._get_project(session, project_id)
+            old_project_dict = project_ref.to_dict()
+            for k in update_project:
+                old_project_dict[k] = update_project[k]
+            # When we read the old_project_dict, any "null" domain_id will have
+            # been decoded, so we need to re-encode it
+            old_project_dict = self._encode_domain_id(old_project_dict)
             new_project = Project.from_dict(old_project_dict)
             for attr in Project.attributes:
                 if attr != 'id':
-                    setattr(tenant_ref, attr, getattr(new_project, attr))
-            tenant_ref.extra = new_project.extra
-            return tenant_ref.to_dict(include_extra_dict=True)
+                    setattr(project_ref, attr, getattr(new_project, attr))
+            project_ref.extra = new_project.extra
+            return project_ref.to_dict(include_extra_dict=True)
 
     @sql.handle_conflicts(conflict_type='project')
-    def delete_project(self, tenant_id):
-        with sql.transaction() as session:
-            tenant_ref = self._get_project(session, tenant_id)
-            session.delete(tenant_ref)
-
-    # domain crud
-
-    @sql.handle_conflicts(conflict_type='domain')
-    def create_domain(self, domain_id, domain):
-        with sql.transaction() as session:
-            ref = Domain.from_dict(domain)
-            session.add(ref)
-        return ref.to_dict()
-
-    @sql.truncated
-    def list_domains(self, hints):
-        with sql.transaction() as session:
-            query = session.query(Domain)
-            refs = sql.filter_limit_query(Domain, query, hints)
-            return [ref.to_dict() for ref in refs]
-
-    def list_domains_from_ids(self, ids):
-        if not ids:
-            return []
-        else:
-            with sql.transaction() as session:
-                query = session.query(Domain)
-                query = query.filter(Domain.id.in_(ids))
-                domain_refs = query.all()
-                return [domain_ref.to_dict() for domain_ref in domain_refs]
-
-    def _get_domain(self, session, domain_id):
-        ref = session.query(Domain).get(domain_id)
-        if ref is None:
-            raise exception.DomainNotFound(domain_id=domain_id)
-        return ref
-
-    def get_domain(self, domain_id):
-        with sql.transaction() as session:
-            return self._get_domain(session, domain_id).to_dict()
-
-    def get_domain_by_name(self, domain_name):
-        with sql.transaction() as session:
-            try:
-                ref = (session.query(Domain).
-                       filter_by(name=domain_name).one())
-            except sql.NotFound:
-                raise exception.DomainNotFound(domain_id=domain_name)
-            return ref.to_dict()
-
-    @sql.handle_conflicts(conflict_type='domain')
-    def update_domain(self, domain_id, domain):
-        with sql.transaction() as session:
-            ref = self._get_domain(session, domain_id)
-            old_dict = ref.to_dict()
-            for k in domain:
-                old_dict[k] = domain[k]
-            new_domain = Domain.from_dict(old_dict)
-            for attr in Domain.attributes:
-                if attr != 'id':
-                    setattr(ref, attr, getattr(new_domain, attr))
-            ref.extra = new_domain.extra
-            return ref.to_dict()
+    def delete_project(self, project_id):
+        with sql.session_for_write() as session:
+            project_ref = self._get_project(session, project_id)
+            session.delete(project_ref)
 
-    def delete_domain(self, domain_id):
-        with sql.transaction() as session:
-            ref = self._get_domain(session, domain_id)
-            session.delete(ref)
+    @sql.handle_conflicts(conflict_type='project')
+    def delete_projects_from_ids(self, project_ids):
+        if not project_ids:
+            return
+        with sql.session_for_write() as session:
+            query = session.query(Project).filter(Project.id.in_(
+                project_ids))
+            project_ids_from_bd = [p['id'] for p in query.all()]
+            for project_id in project_ids:
+                if (project_id not in project_ids_from_bd or
+                        project_id == keystone_resource.NULL_DOMAIN_ID):
+                    LOG.warning(_LW('Project %s does not exist and was not '
+                                    'deleted.') % project_id)
+            query.delete(synchronize_session=False)
 
 
 class Domain(sql.ModelBase, sql.DictBase):
@@ -239,22 +231,37 @@ class Domain(sql.ModelBase, sql.DictBase):
     name = sql.Column(sql.String(64), nullable=False)
     enabled = sql.Column(sql.Boolean, default=True, nullable=False)
     extra = sql.Column(sql.JsonBlob())
-    __table_args__ = (sql.UniqueConstraint('name'), {})
+    __table_args__ = (sql.UniqueConstraint('name'),)
 
 
 class Project(sql.ModelBase, sql.DictBase):
+    # NOTE(henry-nash): From the manager and above perspective, the domain_id
+    # is nullable.  However, to ensure uniqueness in multi-process
+    # configurations, it is better to still use the sql uniqueness constraint.
+    # Since the support for a nullable component of a uniqueness constraint
+    # across different sql databases is mixed, we instead store a special value
+    # to represent null, as defined in NULL_DOMAIN_ID above.
+
+    def to_dict(self, include_extra_dict=False):
+        d = super(Project, self).to_dict(
+            include_extra_dict=include_extra_dict)
+        if d['domain_id'] == keystone_resource.NULL_DOMAIN_ID:
+            d['domain_id'] = None
+        return d
+
     __tablename__ = 'project'
     attributes = ['id', 'name', 'domain_id', 'description', 'enabled',
                   'parent_id', 'is_domain']
     id = sql.Column(sql.String(64), primary_key=True)
     name = sql.Column(sql.String(64), nullable=False)
-    domain_id = sql.Column(sql.String(64), sql.ForeignKey('domain.id'),
+    domain_id = sql.Column(sql.String(64), sql.ForeignKey('project.id'),
                            nullable=False)
     description = sql.Column(sql.Text())
     enabled = sql.Column(sql.Boolean)
     extra = sql.Column(sql.JsonBlob())
     parent_id = sql.Column(sql.String(64), sql.ForeignKey('project.id'))
-    is_domain = sql.Column(sql.Boolean, default=False, nullable=False)
+    is_domain = sql.Column(sql.Boolean, default=False, nullable=False,
+                           server_default='0')
     # Unique constraint across two columns to create the separation
     # rather than just only 'name' being unique
-    __table_args__ = (sql.UniqueConstraint('domain_id', 'name'), {})
+    __table_args__ = (sql.UniqueConstraint('domain_id', 'name'),)