authorFabian Mastenbroek <mail.fabianm@gmail.com>2021-07-02 14:26:23 +0200
committerFabian Mastenbroek <mail.fabianm@gmail.com>2021-07-02 18:07:42 +0200
commit45b73e4683cce35de79117c5b4a6919556d9644f (patch)
treefdbb282b639d03e0cc940c8587d5fe90c2283aa5 /opendc-web/opendc-web-api/opendc/api
parente2ec16a1a40f3ffc437378b4e22fda64f86fe284 (diff)
api: Add stricter validation of input/output data
This change adds stricter validation of data that enters and leaves the database. As a result, we clearly separate the database model from the data model that the REST API exports.
Diffstat (limited to 'opendc-web/opendc-web-api/opendc/api')
-rw-r--r--opendc-web/opendc-web-api/opendc/api/portfolios.py9
-rw-r--r--opendc-web/opendc-web-api/opendc/api/prefabs.py19
-rw-r--r--opendc-web/opendc-web-api/opendc/api/projects.py28
-rw-r--r--opendc-web/opendc-web-api/opendc/api/scenarios.py7
-rw-r--r--opendc-web/opendc-web-api/opendc/api/topologies.py10
-rw-r--r--opendc-web/opendc-web-api/opendc/api/traces.py6
6 files changed, 44 insertions, 35 deletions
diff --git a/opendc-web/opendc-web-api/opendc/api/portfolios.py b/opendc-web/opendc-web-api/opendc/api/portfolios.py
index b07e9da5..84ec466c 100644
--- a/opendc-web/opendc-web-api/opendc/api/portfolios.py
+++ b/opendc-web/opendc-web-api/opendc/api/portfolios.py
@@ -44,7 +44,7 @@ class Portfolio(Resource):
portfolio.check_exists()
portfolio.check_user_access(current_user['sub'], False)
- data = portfolio.obj
+ data = PortfolioSchema().dump(portfolio.obj)
return {'data': data}
def put(self, portfolio_id):
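Review bot: `PortfolioSchema().dump(portfolio.obj)` filters and formats the stored document but does not validate it. In marshmallow 3, which the direct use of the return value implies, validators run only on `load()`/`validate()`, and `dump()` skips declared fields that are missing from the object. The outgoing side is therefore an allowlist of declared fields rather than a check; that is still useful, because undeclared keys in the database record no longer reach the client. A comment above the call would make this explicit, e.g. `# dump() serialises declared fields only; it does not run validators`, and the same holds for every `...Schema().dump(...)` call added in the other hunks of this commit. `get` starts above this hunk.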
@@ -63,7 +63,7 @@ class Portfolio(Resource):
portfolio.set_property('targets.repeatsPerScenario', result['portfolio']['targets']['repeatsPerScenario'])
portfolio.update()
- data = portfolio.obj
+ data = PortfolioSchema().dump(portfolio.obj)
return {'data': data}
def delete(self, portfolio_id):
@@ -84,7 +84,8 @@ class Portfolio(Resource):
project.update()
old_object = portfolio.delete()
- return {'data': old_object}
+ data = PortfolioSchema().dump(old_object)
+ return {'data': data}
class PutSchema(Schema):
"""
@@ -125,7 +126,7 @@ class PortfolioScenarios(Resource):
portfolio.obj['scenarioIds'].append(scenario.get_id())
portfolio.update()
- data = scenario.obj
+ data = ScenarioSchema().dump(scenario.obj)
return {'data': data}
class PostSchema(Schema):
diff --git a/opendc-web/opendc-web-api/opendc/api/prefabs.py b/opendc-web/opendc-web-api/opendc/api/prefabs.py
index 7bb17e7d..730546ba 100644
--- a/opendc-web/opendc-web-api/opendc/api/prefabs.py
+++ b/opendc-web/opendc-web-api/opendc/api/prefabs.py
@@ -24,7 +24,6 @@ from flask_restful import Resource
from marshmallow import Schema, fields
from opendc.models.prefab import Prefab as PrefabModel, PrefabSchema
-from opendc.database import Database
from opendc.exts import current_user, requires_auth, db
@@ -56,14 +55,15 @@ class PrefabList(Resource):
result = schema.load(request.json)
prefab = PrefabModel(result['prefab'])
- prefab.set_property('datetimeCreated', Database.datetime_to_string(datetime.now()))
- prefab.set_property('datetimeLastEdited', Database.datetime_to_string(datetime.now()))
+ prefab.set_property('datetimeCreated', datetime.now())
+ prefab.set_property('datetimeLastEdited', datetime.now())
user_id = current_user['sub']
prefab.set_property('authorId', user_id)
prefab.insert()
- return {'data': prefab.obj}
+ data = PrefabSchema().dump(prefab.obj)
+ return {'data': data}
class PostSchema(Schema):
"""
@@ -83,7 +83,8 @@ class Prefab(Resource):
prefab = PrefabModel.from_id(prefab_id)
prefab.check_exists()
prefab.check_user_access(current_user['sub'])
- return {'data': prefab.obj}
+ data = PrefabSchema().dump(prefab.obj)
+ return {'data': data}
def put(self, prefab_id):
"""Update a prefab's name and/or contents."""
@@ -97,10 +98,11 @@ class Prefab(Resource):
prefab.set_property('name', result['prefab']['name'])
prefab.set_property('rack', result['prefab']['rack'])
- prefab.set_property('datetime_last_edited', Database.datetime_to_string(datetime.now()))
+ prefab.set_property('datetimeLastEdited', datetime.now())
prefab.update()
- return {'data': prefab.obj}
+ data = PrefabSchema().dump(prefab.obj)
+ return {'data': data}
def delete(self, prefab_id):
"""Delete this Prefab."""
@@ -111,7 +113,8 @@ class Prefab(Resource):
old_object = prefab.delete()
- return {'data': old_object}
+ data = PrefabSchema().dump(old_object)
+ return {'data': data}
class PutSchema(Schema):
"""
diff --git a/opendc-web/opendc-web-api/opendc/api/projects.py b/opendc-web/opendc-web-api/opendc/api/projects.py
index 8c44b680..05f02a84 100644
--- a/opendc-web/opendc-web-api/opendc/api/projects.py
+++ b/opendc-web/opendc-web-api/opendc/api/projects.py
@@ -27,7 +27,6 @@ from opendc.models.portfolio import Portfolio, PortfolioSchema
from opendc.models.topology import Topology, TopologySchema
from opendc.models.project import Project as ProjectModel, ProjectSchema
from opendc.exts import current_user, requires_auth
-from opendc.database import Database
class ProjectList(Resource):
@@ -40,7 +39,8 @@ class ProjectList(Resource):
"""Get the authorized projects of the user"""
user_id = current_user['sub']
projects = ProjectModel.get_for_user(user_id)
- return {'data': projects}
+ data = ProjectSchema().dump(projects, many=True)
+ return {'data': data}
def post(self):
"""Create a new project, and return that new project."""
@@ -53,8 +53,8 @@ class ProjectList(Resource):
topology.insert()
project = ProjectModel(result['project'])
- project.set_property('datetimeCreated', Database.datetime_to_string(datetime.now()))
- project.set_property('datetimeLastEdited', Database.datetime_to_string(datetime.now()))
+ project.set_property('datetimeCreated', datetime.now())
+ project.set_property('datetimeLastEdited', datetime.now())
project.set_property('topologyIds', [topology.get_id()])
project.set_property('portfolioIds', [])
project.set_property('authorizations', [{'userId': user_id, 'level': 'OWN'}])
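Review bot: `datetime.now()` is called twice here, so `datetimeCreated` and `datetimeLastEdited` of a newly created project differ by a few microseconds, and both are naive local-time values. Taking the timestamp once, `now = datetime.now()`, and passing it to both `set_property` calls keeps the two fields equal on creation. Since the raw `datetime` now goes to the model instead of a formatted string, it is worth confirming how the storage layer treats naive values; if it assumes UTC, `datetime.now(timezone.utc)` would be the safer source (that needs `timezone` imported, and the import block is outside this hunk). The same two-call pattern is in the `PrefabList.post` hunk of prefabs.py, and the single naive call is in the put hunks of prefabs.py, projects.py and topologies.py.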
@@ -63,7 +63,8 @@ class ProjectList(Resource):
topology.set_property('projectId', project.get_id())
topology.update()
- return {'data': project.obj}
+ data = ProjectSchema().dump(project.obj)
+ return {'data': data}
class Project(Resource):
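Review bot: What `ProjectSchema().dump(project.obj)` returns now depends entirely on which fields `ProjectSchema` declares, and that schema is not part of this diff. The preceding hunk stores `authorizations` entries holding each member's `userId` and `level`; if the schema dumps that list, every caller who passes the `check_user_access(current_user['sub'], False)` check in `Project.get` (apparently the read-level check) receives the subject identifiers of all other members. If readers do not need it, declare such fields `load_only=True` in the schema or narrow the response with `ProjectSchema(exclude=('authorizations',))`; otherwise a comment on the schema stating that the exposure is intended would do. This applies equally to the `ProjectList.get`, `Project.get`, `put` and `delete` hunks in this file.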
@@ -79,7 +80,8 @@ class Project(Resource):
project.check_exists()
project.check_user_access(current_user['sub'], False)
- return {'data': project.obj}
+ data = ProjectSchema().dump(project.obj)
+ return {'data': data}
def put(self, project_id):
"""Update a project's name."""
@@ -92,10 +94,11 @@ class Project(Resource):
project.check_user_access(current_user['sub'], True)
project.set_property('name', result['project']['name'])
- project.set_property('datetimeLastEdited', Database.datetime_to_string(datetime.now()))
+ project.set_property('datetimeLastEdited', datetime.now())
project.update()
- return {'data': project.obj}
+ data = ProjectSchema().dump(project.obj)
+ return {'data': data}
def delete(self, project_id):
"""Delete this Project."""
@@ -113,8 +116,8 @@ class Project(Resource):
portfolio.delete()
old_object = project.delete()
-
- return {'data': old_object}
+ data = ProjectSchema().dump(old_object)
+ return {'data': data}
class PutSchema(Schema):
"""
@@ -148,10 +151,11 @@ class ProjectTopologies(Resource):
topology.insert()
project.obj['topologyIds'].append(topology.get_id())
- project.set_property('datetimeLastEdited', Database.datetime_to_string(datetime.now()))
+ project.set_property('datetimeLastEdited', datetime.now())
project.update()
- return {'data': topology.obj}
+ data = TopologySchema().dump(topology.obj)
+ return {'data': data}
class PutSchema(Schema):
"""
diff --git a/opendc-web/opendc-web-api/opendc/api/scenarios.py b/opendc-web/opendc-web-api/opendc/api/scenarios.py
index b566950a..234bdec1 100644
--- a/opendc-web/opendc-web-api/opendc/api/scenarios.py
+++ b/opendc-web/opendc-web-api/opendc/api/scenarios.py
@@ -38,7 +38,7 @@ class Scenario(Resource):
scenario = ScenarioModel.from_id(scenario_id)
scenario.check_exists()
scenario.check_user_access(current_user['sub'], False)
- data = scenario.obj
+ data = ScenarioSchema().dump(scenario.obj)
return {'data': data}
def put(self, scenario_id):
@@ -54,7 +54,7 @@ class Scenario(Resource):
scenario.set_property('name', result['scenario']['name'])
scenario.update()
- data = scenario.obj
+ data = ScenarioSchema().dump(scenario.obj)
return {'data': data}
def delete(self, scenario_id):
@@ -72,7 +72,8 @@ class Scenario(Resource):
portfolio.update()
old_object = scenario.delete()
- return {'data': old_object}
+ data = ScenarioSchema().dump(old_object)
+ return {'data': data}
class PutSchema(Schema):
"""
diff --git a/opendc-web/opendc-web-api/opendc/api/topologies.py b/opendc-web/opendc-web-api/opendc/api/topologies.py
index eedf049d..a2d3f41a 100644
--- a/opendc-web/opendc-web-api/opendc/api/topologies.py
+++ b/opendc-web/opendc-web-api/opendc/api/topologies.py
@@ -24,7 +24,6 @@ from flask import request
from flask_restful import Resource
from marshmallow import Schema, fields
-from opendc.database import Database
from opendc.models.project import Project
from opendc.models.topology import Topology as TopologyModel, TopologySchema
from opendc.exts import current_user, requires_auth
@@ -43,7 +42,7 @@ class Topology(Resource):
topology = TopologyModel.from_id(topology_id)
topology.check_exists()
topology.check_user_access(current_user['sub'], False)
- data = topology.obj
+ data = TopologySchema().dump(topology.obj)
return {'data': data}
def put(self, topology_id):
@@ -60,10 +59,10 @@ class Topology(Resource):
topology.set_property('name', result['topology']['name'])
topology.set_property('rooms', result['topology']['rooms'])
- topology.set_property('datetimeLastEdited', Database.datetime_to_string(datetime.now()))
+ topology.set_property('datetimeLastEdited', datetime.now())
topology.update()
- data = topology.obj
+ data = TopologySchema().dump(topology.obj)
return {'data': data}
def delete(self, topology_id):
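Review bot: Documents written before this commit hold `datetimeLastEdited` as the string produced by `Database.datetime_to_string`, while new writes store a `datetime` object, so `TopologySchema().dump(topology.obj)` now sees both types for the same field. If the schema declares it as `fields.DateTime`, dumping an old record with a string value is likely to raise during serialisation and surface as a server error on `get`; the schema is outside this diff, so this needs checking against it. A one-off migration of stored timestamps, or a field that accepts both representations during the transition, would cover it. prefabs.py has the additional case of records carrying the old `datetime_last_edited` key, which the renamed `datetimeLastEdited` write in its put hunk no longer updates. `put` starts above this hunk.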
@@ -84,7 +83,8 @@ class Topology(Resource):
project.update()
old_object = topology.delete()
- return {'data': old_object}
+ data = TopologySchema().dump(old_object)
+ return {'data': data}
class PutSchema(Schema):
"""
diff --git a/opendc-web/opendc-web-api/opendc/api/traces.py b/opendc-web/opendc-web-api/opendc/api/traces.py
index f685f00c..6be8c5e5 100644
--- a/opendc-web/opendc-web-api/opendc/api/traces.py
+++ b/opendc-web/opendc-web-api/opendc/api/traces.py
@@ -21,7 +21,7 @@
from flask_restful import Resource
from opendc.exts import requires_auth
-from opendc.models.trace import Trace as TraceModel
+from opendc.models.trace import Trace as TraceModel, TraceSchema
class TraceList(Resource):
@@ -33,7 +33,7 @@ class TraceList(Resource):
def get(self):
"""Get all available Traces."""
traces = TraceModel.get_all()
- data = traces.obj
+ data = TraceSchema().dump(traces.obj, many=True)
return {'data': data}
@@ -47,5 +47,5 @@ class Trace(Resource):
"""Get trace information by identifier."""
trace = TraceModel.from_id(trace_id)
trace.check_exists()
- data = trace.obj
+ data = TraceSchema().dump(trace.obj)
return {'data': data}