Delete the key value pair. Handles requests: DELETE /keys/1
(self, name, requester_user, scope=None, user=None)
| 415 | return KeyValuePairAPI.from_model(kvp_db) |
| 416 | |
| 417 | def delete(self, name, requester_user, scope=None, user=None): |
| 418 | """ |
| 419 | Delete the key value pair. |
| 420 | |
| 421 | Handles requests: |
| 422 | DELETE /keys/1 |
| 423 | """ |
| 424 | if not scope or scope == ALL_SCOPE: |
| 425 | # Default to system scope |
| 426 | scope = FULL_SYSTEM_SCOPE |
| 427 | |
| 428 | if not requester_user: |
| 429 | requester_user = UserDB(name=cfg.CONF.system_user.user) |
| 430 | |
| 431 | scope = get_datastore_full_scope(scope) |
| 432 | self._validate_scope(scope=scope) |
| 433 | |
| 434 | user = user or requester_user.name |
| 435 | |
| 436 | rbac_utils = get_rbac_backend().get_utils_class() |
| 437 | |
| 438 | # Validate that the authenticated user is admin if user query param is provided |
| 439 | rbac_utils.assert_user_is_admin_if_user_query_param_is_provided( |
| 440 | user_db=requester_user, user=user, require_rbac=True |
| 441 | ) |
| 442 | |
| 443 | # Set key reference for system or user scope |
| 444 | key_ref = get_key_reference(scope=scope, name=name, user=user) |
| 445 | extra = {"scope": scope, "name": name, "user": user, "key_ref": key_ref} |
| 446 | LOG.debug("DELETE /v1/keys/%s", name, extra=extra) |
| 447 | |
| 448 | # Setup a kvp database object used for verifying permission |
| 449 | kvp_db = KeyValuePairDB( |
| 450 | uid="%s:%s:%s" % (ResourceType.KEY_VALUE_PAIR, scope, key_ref), |
| 451 | scope=scope, |
| 452 | name=key_ref, |
| 453 | ) |
| 454 | |
| 455 | # Check that user has permission to the key value pair. |
| 456 | # If RBAC is enabled, this check will verify if user has system role with all access. |
| 457 | # If RBAC is enabled, this check guards against a user accessing another user's kvp. |
| 458 | # If RBAC is enabled, user needs to be explicitly granted permission to delete a system kvp. |
| 459 | # The check is sufficient to allow decryption of the system kvp. |
| 460 | rbac_utils.assert_user_has_resource_db_permission( |
| 461 | user_db=requester_user, |
| 462 | resource_db=kvp_db, |
| 463 | permission_type=PermissionType.KEY_VALUE_PAIR_DELETE, |
| 464 | ) |
| 465 | |
| 466 | # Acquire a lock to avoid race condition between concurrent API calls |
| 467 | with self._coordinator.get_lock( |
| 468 | self._get_lock_name_for_key(name=key_ref, scope=scope) |
| 469 | ): |
| 470 | from_model_kwargs = {"mask_secrets": True} |
| 471 | kvp_api = self._get_one_by_scope_and_name( |
| 472 | name=key_ref, scope=scope, from_model_kwargs=from_model_kwargs |
| 473 | ) |
| 474 | kvp_db = KeyValuePairAPI.to_model(kvp_api) |
nothing calls this directly
no test coverage detected