deployments.py

from logging import getLogger

from django.conf import settings
from django.db import models
from django.db.models import Q
from django.db.models.signals import post_delete
from django.dispatch import receiver

from django_mysql.models import JSONField
from polymorphic.models import PolymorphicModel

from feudal.backend.models import Site, Service
from feudal.backend.models.brokers import publish_to_user, RabbitMQInstance
from feudal.backend.models.users import User, SSHPublicKey
from feudal.backend.models.auth.vos import VO


LOGGER = getLogger(__name__)


DEPLOYMENT_PENDING = 'deployment_pending'
REMOVAL_PENDING = 'removal_pending'
NOT_DEPLOYED = 'not_deployed'
DEPLOYED = 'deployed'
QUESTIONNAIRE = 'questionnaire'
FAILED = 'failed'
REJECTED = 'rejected'

TARGET_CHOICES = (
    (DEPLOYED, 'Deployed'),
    (NOT_DEPLOYED, 'Not Deployed'),
)
STATE_CHOICES = (
    (DEPLOYMENT_PENDING, 'Deployment Pending'),
    (REMOVAL_PENDING, 'Removal Pending'),
    (DEPLOYED, 'Deployed'),
    (NOT_DEPLOYED, 'Not Deployed'),
    (QUESTIONNAIRE, 'Questionnaire'),
    (FAILED, 'Failed'),
    (REJECTED, 'Rejected'),
)


def questionnaire_default():
    return {}


def answers_default():
    return {}


def credential_default():
    return {}


def get_deployment(user, vo=None, service=None):
    if vo is not None and service is not None:
        raise ValueError('Cannot create deployment for both vo and service')

    if vo is not None:
        # get_deployment updates automatically
        return VODeployment.get_deployment(user, vo)

    if service is not None:
        # get_deployment updates automatically
        return ServiceDeployment.get_deployment(user, service)

    deps = Deployment.objects.filter(user=user)
    for dep in deps:
        dep.update()
    return deps


class Deployment(PolymorphicModel):
    user = models.ForeignKey(
        User,
        related_name='deployments',
        # TODO check what repercussions the change to set null has
        on_delete=models.SET_NULL,
        null=True,
    )

    # which state do we currently want to reach?
    state_target = models.CharField(
        max_length=50,
        choices=TARGET_CHOICES,
        default=NOT_DEPLOYED,
    )

    is_active = models.BooleanField(
        default=True,
    )

    # credentials provided by the backend to the clients
    @property
    def credentials(self):
        return self.user.credentials

    @property
    def state(self):
        if self.states.exists():
            _state = ''
            for state in self.states.all():
                if _state == '':
                    _state = state.state
                elif _state != state.state:
                    return 'mixed'

            return _state

        # if we have no states we have nothing to do
        return self.state_target

    @property
    def target_reached(self):
        return self.state_target == self.state

    def _set_target(self, target):
        if str(self.state_target) == str(target):
            return

        LOGGER.debug(self.msg('Target: {} -> {} '.format(self.state_target, target)))

        self.state_target = target
        self.save()

        self.publish_to_user()

    def _assure_states_exist(self):
        # overridden in the specific implementations
        pass

    def update(self):
        self._assure_states_exist()
        self.publish_to_user()

    # call when you changed Deployment.state_target
    def target_changed(self):
        LOGGER.debug(self.msg('target_changed: {}'.format(self.state_target)))

        self._assure_states_exist()
        for item in self.states.filter(~Q(state=self.state_target)):
            item.dep_target_changed()

        self.publish_to_user()

        # publish if there are pending states
        for item in self.states.all():
            if item.is_pending or item.is_credential_pending:
                self.publish_to_client()
                return

    def user_credential_added(self, key):
        for item in self.states.all():
            item.user_credential_added(key)

        # TODO is this publishing needed?
        if self.state_target == DEPLOYED:
            self.publish()

    def user_credential_removed(self, key):
        for item in self.states.all():
            item.user_credential_removed(key)

        # TODO is this publishing needed?
        if self.state_target == DEPLOYED:
            self.publish()

    def publish_to_client(self):
        for state in self.states.all():
            state.publish_to_client()

    # sends a state update via RabbitMQ / STOMP to the users webpage instance
    def publish_to_user(self):
        if self.user is None:
            return

        if settings.DEBUG_PUBLISHING:
            LOGGER.debug(self.msg('publish_to_user: {}'.format(self.state_target)))

        publish_to_user(
            self.user,
            {
                'deployment': self,
            },
        )

    # TODO is it good to publish from here to the client?
    def publish(self):
        self.publish_to_user()
        self.publish_to_client()

    def msg(self, msg):
        return '{} - {}'.format(self, msg)

    def __str__(self):
        return 'Abstr. Deployment:({})#{}'.format(
            self.user,
            self.id,
        )


class VODeployment(Deployment):
    vo = models.ForeignKey(
        VO,
        related_name='vo_deployments',
        on_delete=models.CASCADE,
    )

    @property
    def services(self):
        return self.vo.services.all()

    @property
    def broker_exchange(self):
        return self.vo.broker_exchange

    @property
    def routing_key(self):
        return self.vo.name

    def _assure_states_exist(self):
        for service in self.services:
            DeploymentState.get_state_item(
                self.user,
                service.site,
                service,
                deployments=[self],
            )

    @classmethod
    def get_deployment(cls, user, vo):
        try:
            deployment = cls.objects.get(
                user=user,
                vo=vo,
            )
            deployment.update()

            return deployment

        except cls.DoesNotExist:
            deployment = cls(
                user=user,
                vo=vo,
            )

            deployment.save()
            deployment.update()

            LOGGER.debug(deployment.msg('Created'))
            return deployment

    def service_added(self, service):
        LOGGER.debug(self.msg('Adding service {}'.format(service)))
        state = DeploymentState.get_state_item(
            self.user,
            service.site,
            service,
            deployments=[self],
        )
        if self.state_target == DEPLOYED:
            state.publish_to_client()
            state.publish_to_user()

    def msg(self, msg):
        return '{} - {}'.format(self, msg)

    def __str__(self):
        return 'VO-Dep: ({}:{})#{}'.format(
            self.vo,
            self.user,
            self.id,
        )


class ServiceDeployment(Deployment):
    service = models.ForeignKey(
        Service,
        related_name='service_deployments',
        on_delete=models.CASCADE,
    )

    @property
    def broker_exchange(self):
        return 'services'

    @property
    def routing_key(self):
        return self.service.name

    def _assure_states_exist(self):
        DeploymentState.get_state_item(
            self.user,
            self.service.site,
            self.service,
            deployments=[self],
        )

    @classmethod
    def get_deployment(cls, user, service):
        try:
            deployment = cls.objects.get(
                user=user,
                service=service,
            )
            deployment.update()

            return deployment

        except cls.DoesNotExist:
            deployment = cls(
                user=user,
                service=service
            )
            deployment.save()
            deployment.update()

            LOGGER.debug(deployment.msg('Created'))
            return deployment

    def msg(self, msg):
        return '{} - {}'.format(self, msg)

    def __str__(self):
        return 'Service-Dep: ({}:{})#{}'.format(
            self.service,
            self.user,
            self.id,
        )


# pylint: disable=unused-argument
@receiver(post_delete, sender=VODeployment)
@receiver(post_delete, sender=ServiceDeployment)
def publish_deletion(sender, instance=None, **kwargs):
    if instance is None:
        return

    LOGGER.debug('Publishing deletion of %s', instance)
    instance.publish()


class DeploymentState(models.Model):
    deployments = models.ManyToManyField(
        Deployment,
        related_name='states',
    )

    user = models.ForeignKey(
        User,
        related_name='states',
        on_delete=models.SET_NULL,
        blank=True,
        null=True,
    )

    site = models.ForeignKey(
        Site,
        related_name='states',
        on_delete=models.CASCADE,
    )

    # FIXME deleting a service currently deletes all deployment states without removing deployments!
    service = models.ForeignKey(
        Service,
        related_name='states',
        on_delete=models.CASCADE,
    )

    state = models.CharField(
        max_length=50,
        choices=STATE_CHOICES,
        default=NOT_DEPLOYED,
    )

    # message for the user
    message = models.TextField(
        max_length=300,
        default='',
    )

    # questions for the user (needed for deployment
    questionnaire = JSONField(
        null=True,
        blank=True,
    )

    # the users answers for the questionnaire
    answers = JSONField(
        null=True,
        blank=True,
    )

    # credentials for the service
    # only valid when state == deployed
    credentials = JSONField(
        default=credential_default,
        null=True,
        blank=True,
    )

    @property
    def state_target(self):
        # this instance needs to be saved before accessing a many to many field
        if self.pk is None:
            self.save()

        for deployment in self.deployments.all():
            if deployment.state_target == DEPLOYED:
                return DEPLOYED

        return NOT_DEPLOYED

    @property
    def is_orphaned(self):
        return not self.deployments.exists()

    @property
    def is_pending(self):
        # When in these states we are never pending
        if self.state in [QUESTIONNAIRE, REJECTED]:
            return False

        return self.is_orphaned or self.state_target != self.state or self.is_credential_pending

    @property
    def is_credential_pending(self):
        # little hack to not confuse the user
        if self.state in [QUESTIONNAIRE, REJECTED]:
            return False

        for credential_state in self.credential_states.all():
            if credential_state.is_pending:
                return True

        return False

    # TODO not accessible when the user is deleted
    @property
    def user_credentials(self):
        return self.user.credentials

    # get_state_item returns a state item for a given user, site and service
    # if the state does not exist it is created
    @classmethod
    def get_state_item(cls, user, site, service, deployments=None):
        try:
            item = cls.objects.get(
                user=user,
                site=site,
                service=service,
            )

            # connect state item to the provided deployments
            if deployments is not None:
                for deployment in deployments:
                    if not item.deployments.filter(id=deployment.id).exists():
                        LOGGER.debug(item.msg('Binding to deployment {}'.format(deployment)))
                        item.deployments.add(deployment)

            return item

        except cls.DoesNotExist:
            item = cls(
                user=user,
                site=site,
                service=service,
            )
            item.save()

            if deployments is not None:
                for deployment in deployments:
                    item.deployments.add(deployment)

            LOGGER.debug(item.msg('Created'))

            item.dep_target_changed()

            return item

    # starts tracking this the credential for this item
    def user_credential_added(self, credential):
        if settings.DEBUG_CREDENTIALS:
            LOGGER.debug(self.msg('Adding credential {}'.format(credential.name)))

        CredentialState.get_credential_state(
            credential,
            self,
        )

    def user_credential_removed(self, credential):
        if settings.DEBUG_CREDENTIALS:
            LOGGER.debug(self.msg('Removing credential {}'.format(credential.name)))

        try:
            credential_state = self.credential_states.get(credential=credential)
            credential_state.credential_deleted()

        except CredentialState.DoesNotExist:
            LOGGER.error(self.msg('Credential {} has no CredentialState'.format(credential)))

    # STATE TRANSITIONS

    # called when one of our deployments changes its state_target
    def dep_target_changed(self):
        LOGGER.debug(self.msg('dep_target_changed: {}'.format(self.state_target)))

        self._assure_credential_states_exist()
        for cred_state in self.credential_states.all():
            cred_state.set_target(self.state_target)

        if self.state_target == DEPLOYED:
            # handle the 7 states we can be in
            if self.state == NOT_DEPLOYED or self.state == REMOVAL_PENDING:
                self._set_state(DEPLOYMENT_PENDING)
            elif self.state == DEPLOYED or self.state == DEPLOYMENT_PENDING:
                LOGGER.debug(self.msg('has already reached the correct state'))
            elif self.state == QUESTIONNAIRE:
                LOGGER.debug(self.msg('is questionnaire! Need answers first'))
                self.publish_to_user()
            elif self.state == REJECTED:
                LOGGER.debug(self.msg('is rejected! The site will never execute this deployement'))
            elif self.state == FAILED:
                LOGGER.debug(self.msg('is failed! We will retry it'))

        elif self.state_target == NOT_DEPLOYED:
            self._reset()

            # handle the 7 states we can be in
            if self.state == DEPLOYED or self.state == DEPLOYMENT_PENDING:
                self._set_state(REMOVAL_PENDING)
            elif self.state == NOT_DEPLOYED or self.state == REMOVAL_PENDING:
                LOGGER.debug(self.msg('has already reached the correct state'))
            elif self.state == FAILED or self.state == REJECTED or self.state == QUESTIONNAIRE:
                self._set_state(NOT_DEPLOYED)

    def state_changed(self):
        LOGGER.debug(self.msg('State: {} Target: {}'.format(self. state, self.state_target)))
        self.save()

    # called when the answers has changed
    def answers_changed(self):
        if self.state == QUESTIONNAIRE or self.state == DEPLOYED:
            LOGGER.debug(self.msg('Changed answers cause republishing'))
            self._set_state(DEPLOYMENT_PENDING)
            self.publish_to_client()

    def client_credential_states(self, credential_states):
        # maps ssh key names to their state
        ssh_key_states = credential_states.get('ssh_key', {})

        # ASSUMPTION:
        # if we hear nothing about a credential we assume it got deprovisioned!
        for credential_state in self.credential_states.all():
            if credential_state.credential.name in ssh_key_states:
                credential_state.set(ssh_key_states[credential_state.credential.name])
            else:
                credential_state.set(NOT_DEPLOYED)

    # resets all client sent values
    def _reset(self):
        self.credentials = credential_default()
        self.message = ''

    def _assure_credential_states_exist(self):
        # assure all user credentials have a state
        if self.user is not None:
            for key in self.user.ssh_keys.all():
                try:
                    CredentialState.get_credential_state(
                        credential=key,
                        target=self,
                    )
                except CredentialState.DoesNotExist:
                    LOGGER.error('CredentialState.DoesNotExist in _set_state')

    def _set_state(self, state, publish=False):
        self._assure_credential_states_exist()

        # not trans
        if str(self.state) == str(state):
            # publish to user (even if the state did not change!)
            if publish:
                self.publish_to_user()
            return

        LOGGER.debug(self.msg('State: {} -> {} - Target: {}'.format(self.state, state, self.state_target)))

        self.state = state
        self.save()

        if publish:
            self.publish_to_user()

    def publish_to_user(self):
        if self.user is not None:
            if settings.DEBUG_PUBLISHING:
                LOGGER.debug(self.msg('publish_to_user'))

            publish_to_user(
                self.user,
                {
                    'deployment_state': self,
                },
            )

    def publish_to_client(self):
        # no need to publish if not pending
        if not self.is_pending:
            return

        LOGGER.log(
            settings.AUDIT_LOG_LEVEL,
            '%s@%s - %s @ %s - request - %s',
            self.user.sub,
            self.user.idp.issuer_uri,
            self.service.name,
            self.site.name,
            self.state_target,
        )

        if settings.DEBUG_PUBLISHING:
            LOGGER.debug(self.msg('publish_to_client'))

        RabbitMQInstance.load().publish_deployment_state(self)

        # DEPRECATED
        # only publish to the client using deployments with our target
        # for deployment in self.deployments.filter(state_target=self.state_target):
        #     deployment.publish_to_client()

    def msg(self, msg):
        return ' {} - {}'.format(self, msg)

    def __str__(self):
        # causes a loop
        # if self.deployments.exists():
        #     deployment_names = [str(deployment.id) for deployment in self.deployments.all()]

        #     return 'Dep-St: ({}:{}:{})#{}'.format(
        #         ','.join(deployment_names),
        #         self.service,
        #         self.site,
        #         self.id,
        #     )

        return 'Dep-St: ({}:{})#{}'.format(
            self.service,
            self.site,
            self.id,
        )


class CredentialState(models.Model):
    state_target = models.CharField(
        max_length=50,
        choices=TARGET_CHOICES,
        default=NOT_DEPLOYED
    )

    state = models.CharField(
        max_length=50,
        choices=STATE_CHOICES,
        default=NOT_DEPLOYED
    )

    credential = models.ForeignKey(
        SSHPublicKey,
        related_name='credential_states',
        on_delete=models.CASCADE,
    )

    # TODO target is a stupid field name. Change it
    target = models.ForeignKey(
        DeploymentState,
        related_name='credential_states',
        on_delete=models.CASCADE,
    )

    @property
    def _credential_deleted(self):
        return self.credential.deleted

    @property
    def is_pending(self):
        return self.state != self.state_target

    @classmethod
    def get_credential_state(cls, credential, target):
        try:
            return cls.objects.get(
                credential=credential,
                target=target,
            )
        except cls.DoesNotExist:

            new_state = cls(
                credential=credential,
                target=target,
                state=NOT_DEPLOYED,
                state_target=target.state_target,
            )
            new_state.save()

            if settings.DEBUG_CREDENTIALS:
                LOGGER.debug(new_state.msg('Created'))

            return new_state

    def set_target(self, target):
        if str(self.state_target) == str(target):
            return

        # state_target is locked, since we are marked for deletion
        if self._credential_deleted:
            return

        LOGGER.debug(self.msg('Target: {} -> {}'.format(self.state_target, target)))

        self.state_target = target
        self.save()

    def set(self, state):
        if state == NOT_DEPLOYED and self._credential_deleted:
            self._delete_state()
            return

        if str(self.state) == str(state):
            return

        if state == self.state:
            return

        if settings.DEBUG_CREDENTIALS:
            LOGGER.debug(self.msg('State: {} -> {}'.format(self.state, state)))

        self.state = state
        self.save()

    def credential_deleted(self):
        if self.state == NOT_DEPLOYED:
            self._delete_state()

        self.state_target = NOT_DEPLOYED
        self.save()

        if settings.DEBUG_CREDENTIALS:
            LOGGER.debug(self.msg('Marked as deleted'))

    def _delete_state(self):
        LOGGER.debug(self.msg('Deleting credential state'))
        credential = self.credential
        self.delete()

        credential.try_delete_key()

    def msg(self, message):
        return '  {} - {}'.format(self, message)

    def __str__(self):
        return 'Cred-St: ({}:{})#{}'.format(
            self.target.id,
            self.credential,
            self.id,
        )