From 5e36d75d47b18e3ac09f33cdf65a2292a9952b20 Mon Sep 17 00:00:00 2001 From: jupierce Date: Wed, 1 Mar 2017 14:09:01 -0500 Subject: oadm_policy_group/adm_policy_user module --- roles/lib_openshift/library/oc_adm_policy_group.py | 2092 ++++++++++++++++++++ roles/lib_openshift/library/oc_adm_policy_user.py | 2091 +++++++++++++++++++ .../src/ansible/oc_adm_policy_group.py | 34 + .../src/ansible/oc_adm_policy_user.py | 34 + .../lib_openshift/src/class/oc_adm_policy_group.py | 195 ++ .../lib_openshift/src/class/oc_adm_policy_user.py | 194 ++ roles/lib_openshift/src/doc/policy_group | 74 + roles/lib_openshift/src/doc/policy_user | 74 + roles/lib_openshift/src/lib/scc.py | 218 ++ roles/lib_openshift/src/sources.yml | 24 + 10 files changed, 5030 insertions(+) create mode 100644 roles/lib_openshift/library/oc_adm_policy_group.py create mode 100644 roles/lib_openshift/library/oc_adm_policy_user.py create mode 100644 roles/lib_openshift/src/ansible/oc_adm_policy_group.py create mode 100644 roles/lib_openshift/src/ansible/oc_adm_policy_user.py create mode 100644 roles/lib_openshift/src/class/oc_adm_policy_group.py create mode 100644 roles/lib_openshift/src/class/oc_adm_policy_user.py create mode 100644 roles/lib_openshift/src/doc/policy_group create mode 100644 roles/lib_openshift/src/doc/policy_user create mode 100644 roles/lib_openshift/src/lib/scc.py diff --git a/roles/lib_openshift/library/oc_adm_policy_group.py b/roles/lib_openshift/library/oc_adm_policy_group.py new file mode 100644 index 000000000..1a64812b1 --- /dev/null +++ b/roles/lib_openshift/library/oc_adm_policy_group.py @@ -0,0 +1,2092 @@ +#!/usr/bin/env python +# pylint: disable=missing-docstring +# flake8: noqa: T001 +# ___ ___ _ _ ___ ___ _ _____ ___ ___ +# / __| __| \| | __| _ \ /_\_ _| __| \ +# | (_ | _|| .` | _|| / / _ \| | | _|| |) | +# \___|___|_|\_|___|_|_\/_/_\_\_|_|___|___/_ _____ +# | \ / _ \ | \| |/ _ \_ _| | __| \_ _|_ _| +# | |) | (_) | | .` | (_) || | | _|| |) | | | | +# |___/ \___/ |_|\_|\___/ |_| |___|___/___| |_| +# +# Copyright 2016 Red Hat, Inc. and/or its affiliates +# and other contributors as indicated by the @author tags. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# -*- -*- -*- Begin included fragment: lib/import.py -*- -*- -*- +''' + OpenShiftCLI class that wraps the oc commands in a subprocess +''' +# pylint: disable=too-many-lines + +from __future__ import print_function +import atexit +import copy +import json +import os +import re +import shutil +import subprocess +import tempfile +# pylint: disable=import-error +try: + import ruamel.yaml as yaml +except ImportError: + import yaml + +from ansible.module_utils.basic import AnsibleModule + +# -*- -*- -*- End included fragment: lib/import.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: doc/policy_group -*- -*- -*- + +DOCUMENTATION = ''' +--- +module: oc_adm_policy_group +short_description: Module to manage openshift policy for groups +description: + - Manage openshift policy for groups. +options: + kubeconfig: + description: + - The path for the kubeconfig file to use for authentication + required: false + default: /etc/origin/master/admin.kubeconfig + aliases: [] + namespace: + description: + - The namespace scope + required: false + default: None + aliases: [] + debug: + description: + - Turn on debug output. + required: false + default: False + aliases: [] + group: + description: + - The name of the group + required: true + default: None + aliases: [] + resource_kind: + description: + - The kind of policy to affect + required: true + default: None + choices: ["role", "cluster-role", "scc"] + aliases: [] + resource_name: + description: + - The name of the policy + required: true + default: None + aliases: [] + state: + description: + - Desired state of the policy + required: true + default: present + choices: ["present", "absent"] + aliases: [] +author: +- "Kenny Woodson " +extends_documentation_fragment: [] +''' + +EXAMPLES = ''' +- name: oc adm policy remove-scc-from-group an-scc agroup + oc_adm_policy_group: + group: agroup + resource_kind: scc + resource_name: an-scc + state: absent + +- name: oc adm policy add-cluster-role-to-group system:build-strategy-docker agroup + oc_adm_policy_group: + group: agroup + resource_kind: cluster-role + resource_name: system:build-strategy-docker + state: present +''' + +# -*- -*- -*- End included fragment: doc/policy_group -*- -*- -*- + +# -*- -*- -*- Begin included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*- +# pylint: disable=undefined-variable,missing-docstring +# noqa: E301,E302 + + +class YeditException(Exception): + ''' Exception class for Yedit ''' + pass + + +# pylint: disable=too-many-public-methods +class Yedit(object): + ''' Class to modify yaml files ''' + re_valid_key = r"(((\[-?\d+\])|([0-9a-zA-Z%s/_-]+)).?)+$" + re_key = r"(?:\[(-?\d+)\])|([0-9a-zA-Z%s/_-]+)" + com_sep = set(['.', '#', '|', ':']) + + # pylint: disable=too-many-arguments + def __init__(self, + filename=None, + content=None, + content_type='yaml', + separator='.', + backup=False): + self.content = content + self._separator = separator + self.filename = filename + self.__yaml_dict = content + self.content_type = content_type + self.backup = backup + self.load(content_type=self.content_type) + if self.__yaml_dict is None: + self.__yaml_dict = {} + + @property + def separator(self): + ''' getter method for yaml_dict ''' + return self._separator + + @separator.setter + def separator(self): + ''' getter method for yaml_dict ''' + return self._separator + + @property + def yaml_dict(self): + ''' getter method for yaml_dict ''' + return self.__yaml_dict + + @yaml_dict.setter + def yaml_dict(self, value): + ''' setter method for yaml_dict ''' + self.__yaml_dict = value + + @staticmethod + def parse_key(key, sep='.'): + '''parse the key allowing the appropriate separator''' + common_separators = list(Yedit.com_sep - set([sep])) + return re.findall(Yedit.re_key % ''.join(common_separators), key) + + @staticmethod + def valid_key(key, sep='.'): + '''validate the incoming key''' + common_separators = list(Yedit.com_sep - set([sep])) + if not re.match(Yedit.re_valid_key % ''.join(common_separators), key): + return False + + return True + + @staticmethod + def remove_entry(data, key, sep='.'): + ''' remove data at location key ''' + if key == '' and isinstance(data, dict): + data.clear() + return True + elif key == '' and isinstance(data, list): + del data[:] + return True + + if not (key and Yedit.valid_key(key, sep)) and \ + isinstance(data, (list, dict)): + return None + + key_indexes = Yedit.parse_key(key, sep) + for arr_ind, dict_key in key_indexes[:-1]: + if dict_key and isinstance(data, dict): + data = data.get(dict_key, None) + elif (arr_ind and isinstance(data, list) and + int(arr_ind) <= len(data) - 1): + data = data[int(arr_ind)] + else: + return None + + # process last index for remove + # expected list entry + if key_indexes[-1][0]: + if isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501 + del data[int(key_indexes[-1][0])] + return True + + # expected dict entry + elif key_indexes[-1][1]: + if isinstance(data, dict): + del data[key_indexes[-1][1]] + return True + + @staticmethod + def add_entry(data, key, item=None, sep='.'): + ''' Get an item from a dictionary with key notation a.b.c + d = {'a': {'b': 'c'}}} + key = a#b + return c + ''' + if key == '': + pass + elif (not (key and Yedit.valid_key(key, sep)) and + isinstance(data, (list, dict))): + return None + + key_indexes = Yedit.parse_key(key, sep) + for arr_ind, dict_key in key_indexes[:-1]: + if dict_key: + if isinstance(data, dict) and dict_key in data and data[dict_key]: # noqa: E501 + data = data[dict_key] + continue + + elif data and not isinstance(data, dict): + return None + + data[dict_key] = {} + data = data[dict_key] + + elif (arr_ind and isinstance(data, list) and + int(arr_ind) <= len(data) - 1): + data = data[int(arr_ind)] + else: + return None + + if key == '': + data = item + + # process last index for add + # expected list entry + elif key_indexes[-1][0] and isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501 + data[int(key_indexes[-1][0])] = item + + # expected dict entry + elif key_indexes[-1][1] and isinstance(data, dict): + data[key_indexes[-1][1]] = item + + return data + + @staticmethod + def get_entry(data, key, sep='.'): + ''' Get an item from a dictionary with key notation a.b.c + d = {'a': {'b': 'c'}}} + key = a.b + return c + ''' + if key == '': + pass + elif (not (key and Yedit.valid_key(key, sep)) and + isinstance(data, (list, dict))): + return None + + key_indexes = Yedit.parse_key(key, sep) + for arr_ind, dict_key in key_indexes: + if dict_key and isinstance(data, dict): + data = data.get(dict_key, None) + elif (arr_ind and isinstance(data, list) and + int(arr_ind) <= len(data) - 1): + data = data[int(arr_ind)] + else: + return None + + return data + + @staticmethod + def _write(filename, contents): + ''' Actually write the file contents to disk. This helps with mocking. ''' + + tmp_filename = filename + '.yedit' + + with open(tmp_filename, 'w') as yfd: + yfd.write(contents) + + os.rename(tmp_filename, filename) + + def write(self): + ''' write to file ''' + if not self.filename: + raise YeditException('Please specify a filename.') + + if self.backup and self.file_exists(): + shutil.copy(self.filename, self.filename + '.orig') + + # Try to set format attributes if supported + try: + self.yaml_dict.fa.set_block_style() + except AttributeError: + pass + + # Try to use RoundTripDumper if supported. + try: + Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper)) + except AttributeError: + Yedit._write(self.filename, yaml.safe_dump(self.yaml_dict, default_flow_style=False)) + + return (True, self.yaml_dict) + + def read(self): + ''' read from file ''' + # check if it exists + if self.filename is None or not self.file_exists(): + return None + + contents = None + with open(self.filename) as yfd: + contents = yfd.read() + + return contents + + def file_exists(self): + ''' return whether file exists ''' + if os.path.exists(self.filename): + return True + + return False + + def load(self, content_type='yaml'): + ''' return yaml file ''' + contents = self.read() + + if not contents and not self.content: + return None + + if self.content: + if isinstance(self.content, dict): + self.yaml_dict = self.content + return self.yaml_dict + elif isinstance(self.content, str): + contents = self.content + + # check if it is yaml + try: + if content_type == 'yaml' and contents: + # Try to set format attributes if supported + try: + self.yaml_dict.fa.set_block_style() + except AttributeError: + pass + + # Try to use RoundTripLoader if supported. + try: + self.yaml_dict = yaml.safe_load(contents, yaml.RoundTripLoader) + except AttributeError: + self.yaml_dict = yaml.safe_load(contents) + + # Try to set format attributes if supported + try: + self.yaml_dict.fa.set_block_style() + except AttributeError: + pass + + elif content_type == 'json' and contents: + self.yaml_dict = json.loads(contents) + except yaml.YAMLError as err: + # Error loading yaml or json + raise YeditException('Problem with loading yaml file. %s' % err) + + return self.yaml_dict + + def get(self, key): + ''' get a specified key''' + try: + entry = Yedit.get_entry(self.yaml_dict, key, self.separator) + except KeyError: + entry = None + + return entry + + def pop(self, path, key_or_item): + ''' remove a key, value pair from a dict or an item for a list''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry is None: + return (False, self.yaml_dict) + + if isinstance(entry, dict): + # AUDIT:maybe-no-member makes sense due to fuzzy types + # pylint: disable=maybe-no-member + if key_or_item in entry: + entry.pop(key_or_item) + return (True, self.yaml_dict) + return (False, self.yaml_dict) + + elif isinstance(entry, list): + # AUDIT:maybe-no-member makes sense due to fuzzy types + # pylint: disable=maybe-no-member + ind = None + try: + ind = entry.index(key_or_item) + except ValueError: + return (False, self.yaml_dict) + + entry.pop(ind) + return (True, self.yaml_dict) + + return (False, self.yaml_dict) + + def delete(self, path): + ''' remove path from a dict''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry is None: + return (False, self.yaml_dict) + + result = Yedit.remove_entry(self.yaml_dict, path, self.separator) + if not result: + return (False, self.yaml_dict) + + return (True, self.yaml_dict) + + def exists(self, path, value): + ''' check if value exists at path''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if isinstance(entry, list): + if value in entry: + return True + return False + + elif isinstance(entry, dict): + if isinstance(value, dict): + rval = False + for key, val in value.items(): + if entry[key] != val: + rval = False + break + else: + rval = True + return rval + + return value in entry + + return entry == value + + def append(self, path, value): + '''append value to a list''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry is None: + self.put(path, []) + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + if not isinstance(entry, list): + return (False, self.yaml_dict) + + # AUDIT:maybe-no-member makes sense due to loading data from + # a serialized format. + # pylint: disable=maybe-no-member + entry.append(value) + return (True, self.yaml_dict) + + # pylint: disable=too-many-arguments + def update(self, path, value, index=None, curr_value=None): + ''' put path, value into a dict ''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if isinstance(entry, dict): + # AUDIT:maybe-no-member makes sense due to fuzzy types + # pylint: disable=maybe-no-member + if not isinstance(value, dict): + raise YeditException('Cannot replace key, value entry in ' + + 'dict with non-dict type. value=[%s] [%s]' % (value, type(value))) # noqa: E501 + + entry.update(value) + return (True, self.yaml_dict) + + elif isinstance(entry, list): + # AUDIT:maybe-no-member makes sense due to fuzzy types + # pylint: disable=maybe-no-member + ind = None + if curr_value: + try: + ind = entry.index(curr_value) + except ValueError: + return (False, self.yaml_dict) + + elif index is not None: + ind = index + + if ind is not None and entry[ind] != value: + entry[ind] = value + return (True, self.yaml_dict) + + # see if it exists in the list + try: + ind = entry.index(value) + except ValueError: + # doesn't exist, append it + entry.append(value) + return (True, self.yaml_dict) + + # already exists, return + if ind is not None: + return (False, self.yaml_dict) + return (False, self.yaml_dict) + + def put(self, path, value): + ''' put path, value into a dict ''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry == value: + return (False, self.yaml_dict) + + # deepcopy didn't work + # Try to use ruamel.yaml and fallback to pyyaml + try: + tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, + default_flow_style=False), + yaml.RoundTripLoader) + except AttributeError: + tmp_copy = copy.deepcopy(self.yaml_dict) + + # set the format attributes if available + try: + tmp_copy.fa.set_block_style() + except AttributeError: + pass + + result = Yedit.add_entry(tmp_copy, path, value, self.separator) + if not result: + return (False, self.yaml_dict) + + self.yaml_dict = tmp_copy + + return (True, self.yaml_dict) + + def create(self, path, value): + ''' create a yaml file ''' + if not self.file_exists(): + # deepcopy didn't work + # Try to use ruamel.yaml and fallback to pyyaml + try: + tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, + default_flow_style=False), + yaml.RoundTripLoader) + except AttributeError: + tmp_copy = copy.deepcopy(self.yaml_dict) + + # set the format attributes if available + try: + tmp_copy.fa.set_block_style() + except AttributeError: + pass + + result = Yedit.add_entry(tmp_copy, path, value, self.separator) + if result: + self.yaml_dict = tmp_copy + return (True, self.yaml_dict) + + return (False, self.yaml_dict) + + @staticmethod + def get_curr_value(invalue, val_type): + '''return the current value''' + if invalue is None: + return None + + curr_value = invalue + if val_type == 'yaml': + curr_value = yaml.load(invalue) + elif val_type == 'json': + curr_value = json.loads(invalue) + + return curr_value + + @staticmethod + def parse_value(inc_value, vtype=''): + '''determine value type passed''' + true_bools = ['y', 'Y', 'yes', 'Yes', 'YES', 'true', 'True', 'TRUE', + 'on', 'On', 'ON', ] + false_bools = ['n', 'N', 'no', 'No', 'NO', 'false', 'False', 'FALSE', + 'off', 'Off', 'OFF'] + + # It came in as a string but you didn't specify value_type as string + # we will convert to bool if it matches any of the above cases + if isinstance(inc_value, str) and 'bool' in vtype: + if inc_value not in true_bools and inc_value not in false_bools: + raise YeditException('Not a boolean type. str=[%s] vtype=[%s]' + % (inc_value, vtype)) + elif isinstance(inc_value, bool) and 'str' in vtype: + inc_value = str(inc_value) + + # If vtype is not str then go ahead and attempt to yaml load it. + if isinstance(inc_value, str) and 'str' not in vtype: + try: + inc_value = yaml.load(inc_value) + except Exception: + raise YeditException('Could not determine type of incoming ' + + 'value. value=[%s] vtype=[%s]' + % (type(inc_value), vtype)) + + return inc_value + + # pylint: disable=too-many-return-statements,too-many-branches + @staticmethod + def run_ansible(module): + '''perform the idempotent crud operations''' + yamlfile = Yedit(filename=module.params['src'], + backup=module.params['backup'], + separator=module.params['separator']) + + if module.params['src']: + rval = yamlfile.load() + + if yamlfile.yaml_dict is None and \ + module.params['state'] != 'present': + return {'failed': True, + 'msg': 'Error opening file [%s]. Verify that the ' + + 'file exists, that it is has correct' + + ' permissions, and is valid yaml.'} + + if module.params['state'] == 'list': + if module.params['content']: + content = Yedit.parse_value(module.params['content'], + module.params['content_type']) + yamlfile.yaml_dict = content + + if module.params['key']: + rval = yamlfile.get(module.params['key']) or {} + + return {'changed': False, 'result': rval, 'state': "list"} + + elif module.params['state'] == 'absent': + if module.params['content']: + content = Yedit.parse_value(module.params['content'], + module.params['content_type']) + yamlfile.yaml_dict = content + + if module.params['update']: + rval = yamlfile.pop(module.params['key'], + module.params['value']) + else: + rval = yamlfile.delete(module.params['key']) + + if rval[0] and module.params['src']: + yamlfile.write() + + return {'changed': rval[0], 'result': rval[1], 'state': "absent"} + + elif module.params['state'] == 'present': + # check if content is different than what is in the file + if module.params['content']: + content = Yedit.parse_value(module.params['content'], + module.params['content_type']) + + # We had no edits to make and the contents are the same + if yamlfile.yaml_dict == content and \ + module.params['value'] is None: + return {'changed': False, + 'result': yamlfile.yaml_dict, + 'state': "present"} + + yamlfile.yaml_dict = content + + # we were passed a value; parse it + if module.params['value']: + value = Yedit.parse_value(module.params['value'], + module.params['value_type']) + key = module.params['key'] + if module.params['update']: + # pylint: disable=line-too-long + curr_value = Yedit.get_curr_value(Yedit.parse_value(module.params['curr_value']), # noqa: E501 + module.params['curr_value_format']) # noqa: E501 + + rval = yamlfile.update(key, value, module.params['index'], curr_value) # noqa: E501 + + elif module.params['append']: + rval = yamlfile.append(key, value) + else: + rval = yamlfile.put(key, value) + + if rval[0] and module.params['src']: + yamlfile.write() + + return {'changed': rval[0], + 'result': rval[1], 'state': "present"} + + # no edits to make + if module.params['src']: + # pylint: disable=redefined-variable-type + rval = yamlfile.write() + return {'changed': rval[0], + 'result': rval[1], + 'state': "present"} + + return {'failed': True, 'msg': 'Unkown state passed'} + +# -*- -*- -*- End included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: lib/base.py -*- -*- -*- +# pylint: disable=too-many-lines +# noqa: E301,E302,E303,T001 + + +class OpenShiftCLIError(Exception): + '''Exception class for openshiftcli''' + pass + + +ADDITIONAL_PATH_LOOKUPS = ['/usr/local/bin', os.path.expanduser('~/bin')] + + +def locate_oc_binary(): + ''' Find and return oc binary file ''' + # https://github.com/openshift/openshift-ansible/issues/3410 + # oc can be in /usr/local/bin in some cases, but that may not + # be in $PATH due to ansible/sudo + paths = os.environ.get("PATH", os.defpath).split(os.pathsep) + ADDITIONAL_PATH_LOOKUPS + + oc_binary = 'oc' + + # Use shutil.which if it is available, otherwise fallback to a naive path search + try: + which_result = shutil.which(oc_binary, path=os.pathsep.join(paths)) + if which_result is not None: + oc_binary = which_result + except AttributeError: + for path in paths: + if os.path.exists(os.path.join(path, oc_binary)): + oc_binary = os.path.join(path, oc_binary) + break + + return oc_binary + + +# pylint: disable=too-few-public-methods +class OpenShiftCLI(object): + ''' Class to wrap the command line tools ''' + def __init__(self, + namespace, + kubeconfig='/etc/origin/master/admin.kubeconfig', + verbose=False, + all_namespaces=False): + ''' Constructor for OpenshiftCLI ''' + self.namespace = namespace + self.verbose = verbose + self.kubeconfig = Utils.create_tmpfile_copy(kubeconfig) + self.all_namespaces = all_namespaces + self.oc_binary = locate_oc_binary() + + # Pylint allows only 5 arguments to be passed. + # pylint: disable=too-many-arguments + def _replace_content(self, resource, rname, content, force=False, sep='.'): + ''' replace the current object with the content ''' + res = self._get(resource, rname) + if not res['results']: + return res + + fname = Utils.create_tmpfile(rname + '-') + + yed = Yedit(fname, res['results'][0], separator=sep) + changes = [] + for key, value in content.items(): + changes.append(yed.put(key, value)) + + if any([change[0] for change in changes]): + yed.write() + + atexit.register(Utils.cleanup, [fname]) + + return self._replace(fname, force) + + return {'returncode': 0, 'updated': False} + + def _replace(self, fname, force=False): + '''replace the current object with oc replace''' + cmd = ['replace', '-f', fname] + if force: + cmd.append('--force') + return self.openshift_cmd(cmd) + + def _create_from_content(self, rname, content): + '''create a temporary file and then call oc create on it''' + fname = Utils.create_tmpfile(rname + '-') + yed = Yedit(fname, content=content) + yed.write() + + atexit.register(Utils.cleanup, [fname]) + + return self._create(fname) + + def _create(self, fname): + '''call oc create on a filename''' + return self.openshift_cmd(['create', '-f', fname]) + + def _delete(self, resource, rname, selector=None): + '''call oc delete on a resource''' + cmd = ['delete', resource, rname] + if selector: + cmd.append('--selector=%s' % selector) + + return self.openshift_cmd(cmd) + + def _process(self, template_name, create=False, params=None, template_data=None): # noqa: E501 + '''process a template + + template_name: the name of the template to process + create: whether to send to oc create after processing + params: the parameters for the template + template_data: the incoming template's data; instead of a file + ''' + cmd = ['process'] + if template_data: + cmd.extend(['-f', '-']) + else: + cmd.append(template_name) + if params: + param_str = ["%s=%s" % (key, value) for key, value in params.items()] + cmd.append('-v') + cmd.extend(param_str) + + results = self.openshift_cmd(cmd, output=True, input_data=template_data) + + if results['returncode'] != 0 or not create: + return results + + fname = Utils.create_tmpfile(template_name + '-') + yed = Yedit(fname, results['results']) + yed.write() + + atexit.register(Utils.cleanup, [fname]) + + return self.openshift_cmd(['create', '-f', fname]) + + def _get(self, resource, rname=None, selector=None): + '''return a resource by name ''' + cmd = ['get', resource] + if selector: + cmd.append('--selector=%s' % selector) + elif rname: + cmd.append(rname) + + cmd.extend(['-o', 'json']) + + rval = self.openshift_cmd(cmd, output=True) + + # Ensure results are retuned in an array + if 'items' in rval: + rval['results'] = rval['items'] + elif not isinstance(rval['results'], list): + rval['results'] = [rval['results']] + + return rval + + def _schedulable(self, node=None, selector=None, schedulable=True): + ''' perform oadm manage-node scheduable ''' + cmd = ['manage-node'] + if node: + cmd.extend(node) + else: + cmd.append('--selector=%s' % selector) + + cmd.append('--schedulable=%s' % schedulable) + + return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') # noqa: E501 + + def _list_pods(self, node=None, selector=None, pod_selector=None): + ''' perform oadm list pods + + node: the node in which to list pods + selector: the label selector filter if provided + pod_selector: the pod selector filter if provided + ''' + cmd = ['manage-node'] + if node: + cmd.extend(node) + else: + cmd.append('--selector=%s' % selector) + + if pod_selector: + cmd.append('--pod-selector=%s' % pod_selector) + + cmd.extend(['--list-pods', '-o', 'json']) + + return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') + + # pylint: disable=too-many-arguments + def _evacuate(self, node=None, selector=None, pod_selector=None, dry_run=False, grace_period=None, force=False): + ''' perform oadm manage-node evacuate ''' + cmd = ['manage-node'] + if node: + cmd.extend(node) + else: + cmd.append('--selector=%s' % selector) + + if dry_run: + cmd.append('--dry-run') + + if pod_selector: + cmd.append('--pod-selector=%s' % pod_selector) + + if grace_period: + cmd.append('--grace-period=%s' % int(grace_period)) + + if force: + cmd.append('--force') + + cmd.append('--evacuate') + + return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') + + def _version(self): + ''' return the openshift version''' + return self.openshift_cmd(['version'], output=True, output_type='raw') + + def _import_image(self, url=None, name=None, tag=None): + ''' perform image import ''' + cmd = ['import-image'] + + image = '{0}'.format(name) + if tag: + image += ':{0}'.format(tag) + + cmd.append(image) + + if url: + cmd.append('--from={0}/{1}'.format(url, image)) + + cmd.append('-n{0}'.format(self.namespace)) + + cmd.append('--confirm') + return self.openshift_cmd(cmd) + + def _run(self, cmds, input_data): + ''' Actually executes the command. This makes mocking easier. ''' + curr_env = os.environ.copy() + curr_env.update({'KUBECONFIG': self.kubeconfig}) + proc = subprocess.Popen(cmds, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + env=curr_env) + + stdout, stderr = proc.communicate(input_data) + + return proc.returncode, stdout.decode(), stderr.decode() + + # pylint: disable=too-many-arguments,too-many-branches + def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): + '''Base command for oc ''' + cmds = [self.oc_binary] + + if oadm: + cmds.append('adm') + + cmds.extend(cmd) + + if self.all_namespaces: + cmds.extend(['--all-namespaces']) + elif self.namespace is not None and self.namespace.lower() not in ['none', 'emtpy']: # E501 + cmds.extend(['-n', self.namespace]) + + rval = {} + results = '' + err = None + + if self.verbose: + print(' '.join(cmds)) + + try: + returncode, stdout, stderr = self._run(cmds, input_data) + except OSError as ex: + returncode, stdout, stderr = 1, '', 'Failed to execute {}: {}'.format(subprocess.list2cmdline(cmds), ex) + + rval = {"returncode": returncode, + "results": results, + "cmd": ' '.join(cmds)} + + if returncode == 0: + if output: + if output_type == 'json': + try: + rval['results'] = json.loads(stdout) + except ValueError as err: + if "No JSON object could be decoded" in err.args: + err = err.args + elif output_type == 'raw': + rval['results'] = stdout + + if self.verbose: + print("STDOUT: {0}".format(stdout)) + print("STDERR: {0}".format(stderr)) + + if err: + rval.update({"err": err, + "stderr": stderr, + "stdout": stdout, + "cmd": cmds}) + + else: + rval.update({"stderr": stderr, + "stdout": stdout, + "results": {}}) + + return rval + + +class Utils(object): + ''' utilities for openshiftcli modules ''' + + @staticmethod + def _write(filename, contents): + ''' Actually write the file contents to disk. This helps with mocking. ''' + + with open(filename, 'w') as sfd: + sfd.write(contents) + + @staticmethod + def create_tmp_file_from_contents(rname, data, ftype='yaml'): + ''' create a file in tmp with name and contents''' + + tmp = Utils.create_tmpfile(prefix=rname) + + if ftype == 'yaml': + # AUDIT:no-member makes sense here due to ruamel.YAML/PyYAML usage + # pylint: disable=no-member + if hasattr(yaml, 'RoundTripDumper'): + Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper)) + else: + Utils._write(tmp, yaml.safe_dump(data, default_flow_style=False)) + + elif ftype == 'json': + Utils._write(tmp, json.dumps(data)) + else: + Utils._write(tmp, data) + + # Register cleanup when module is done + atexit.register(Utils.cleanup, [tmp]) + return tmp + + @staticmethod + def create_tmpfile_copy(inc_file): + '''create a temporary copy of a file''' + tmpfile = Utils.create_tmpfile('lib_openshift-') + Utils._write(tmpfile, open(inc_file).read()) + + # Cleanup the tmpfile + atexit.register(Utils.cleanup, [tmpfile]) + + return tmpfile + + @staticmethod + def create_tmpfile(prefix='tmp'): + ''' Generates and returns a temporary file name ''' + + with tempfile.NamedTemporaryFile(prefix=prefix, delete=False) as tmp: + return tmp.name + + @staticmethod + def create_tmp_files_from_contents(content, content_type=None): + '''Turn an array of dict: filename, content into a files array''' + if not isinstance(content, list): + content = [content] + files = [] + for item in content: + path = Utils.create_tmp_file_from_contents(item['path'] + '-', + item['data'], + ftype=content_type) + files.append({'name': os.path.basename(item['path']), + 'path': path}) + return files + + @staticmethod + def cleanup(files): + '''Clean up on exit ''' + for sfile in files: + if os.path.exists(sfile): + if os.path.isdir(sfile): + shutil.rmtree(sfile) + elif os.path.isfile(sfile): + os.remove(sfile) + + @staticmethod + def exists(results, _name): + ''' Check to see if the results include the name ''' + if not results: + return False + + if Utils.find_result(results, _name): + return True + + return False + + @staticmethod + def find_result(results, _name): + ''' Find the specified result by name''' + rval = None + for result in results: + if 'metadata' in result and result['metadata']['name'] == _name: + rval = result + break + + return rval + + @staticmethod + def get_resource_file(sfile, sfile_type='yaml'): + ''' return the service file ''' + contents = None + with open(sfile) as sfd: + contents = sfd.read() + + if sfile_type == 'yaml': + # AUDIT:no-member makes sense here due to ruamel.YAML/PyYAML usage + # pylint: disable=no-member + if hasattr(yaml, 'RoundTripLoader'): + contents = yaml.load(contents, yaml.RoundTripLoader) + else: + contents = yaml.safe_load(contents) + elif sfile_type == 'json': + contents = json.loads(contents) + + return contents + + @staticmethod + def filter_versions(stdout): + ''' filter the oc version output ''' + + version_dict = {} + version_search = ['oc', 'openshift', 'kubernetes'] + + for line in stdout.strip().split('\n'): + for term in version_search: + if not line: + continue + if line.startswith(term): + version_dict[term] = line.split()[-1] + + # horrible hack to get openshift version in Openshift 3.2 + # By default "oc version in 3.2 does not return an "openshift" version + if "openshift" not in version_dict: + version_dict["openshift"] = version_dict["oc"] + + return version_dict + + @staticmethod + def add_custom_versions(versions): + ''' create custom versions strings ''' + + versions_dict = {} + + for tech, version in versions.items(): + # clean up "-" from version + if "-" in version: + version = version.split("-")[0] + + if version.startswith('v'): + versions_dict[tech + '_numeric'] = version[1:].split('+')[0] + # "v3.3.0.33" is what we have, we want "3.3" + versions_dict[tech + '_short'] = version[1:4] + + return versions_dict + + @staticmethod + def openshift_installed(): + ''' check if openshift is installed ''' + import yum + + yum_base = yum.YumBase() + if yum_base.rpmdb.searchNevra(name='atomic-openshift'): + return True + + return False + + # Disabling too-many-branches. This is a yaml dictionary comparison function + # pylint: disable=too-many-branches,too-many-return-statements,too-many-statements + @staticmethod + def check_def_equal(user_def, result_def, skip_keys=None, debug=False): + ''' Given a user defined definition, compare it with the results given back by our query. ''' + + # Currently these values are autogenerated and we do not need to check them + skip = ['metadata', 'status'] + if skip_keys: + skip.extend(skip_keys) + + for key, value in result_def.items(): + if key in skip: + continue + + # Both are lists + if isinstance(value, list): + if key not in user_def: + if debug: + print('User data does not have key [%s]' % key) + print('User data: %s' % user_def) + return False + + if not isinstance(user_def[key], list): + if debug: + print('user_def[key] is not a list key=[%s] user_def[key]=%s' % (key, user_def[key])) + return False + + if len(user_def[key]) != len(value): + if debug: + print("List lengths are not equal.") + print("key=[%s]: user_def[%s] != value[%s]" % (key, len(user_def[key]), len(value))) + print("user_def: %s" % user_def[key]) + print("value: %s" % value) + return False + + for values in zip(user_def[key], value): + if isinstance(values[0], dict) and isinstance(values[1], dict): + if debug: + print('sending list - list') + print(type(values[0])) + print(type(values[1])) + result = Utils.check_def_equal(values[0], values[1], skip_keys=skip_keys, debug=debug) + if not result: + print('list compare returned false') + return False + + elif value != user_def[key]: + if debug: + print('value should be identical') + print(user_def[key]) + print(value) + return False + + # recurse on a dictionary + elif isinstance(value, dict): + if key not in user_def: + if debug: + print("user_def does not have key [%s]" % key) + return False + if not isinstance(user_def[key], dict): + if debug: + print("dict returned false: not instance of dict") + return False + + # before passing ensure keys match + api_values = set(value.keys()) - set(skip) + user_values = set(user_def[key].keys()) - set(skip) + if api_values != user_values: + if debug: + print("keys are not equal in dict") + print(user_values) + print(api_values) + return False + + result = Utils.check_def_equal(user_def[key], value, skip_keys=skip_keys, debug=debug) + if not result: + if debug: + print("dict returned false") + print(result) + return False + + # Verify each key, value pair is the same + else: + if key not in user_def or value != user_def[key]: + if debug: + print("value not equal; user_def does not have key") + print(key) + print(value) + if key in user_def: + print(user_def[key]) + return False + + if debug: + print('returning true') + return True + + +class OpenShiftCLIConfig(object): + '''Generic Config''' + def __init__(self, rname, namespace, kubeconfig, options): + self.kubeconfig = kubeconfig + self.name = rname + self.namespace = namespace + self._options = options + + @property + def config_options(self): + ''' return config options ''' + return self._options + + def to_option_list(self): + '''return all options as a string''' + return self.stringify() + + def stringify(self): + ''' return the options hash as cli params in a string ''' + rval = [] + for key, data in self.config_options.items(): + if data['include'] \ + and (data['value'] or isinstance(data['value'], int)): + rval.append('--%s=%s' % (key.replace('_', '-'), data['value'])) + + return rval + + +# -*- -*- -*- End included fragment: lib/base.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: lib/rolebinding.py -*- -*- -*- + +# pylint: disable=too-many-instance-attributes +class RoleBindingConfig(object): + ''' Handle rolebinding config ''' + # pylint: disable=too-many-arguments + def __init__(self, + name, + namespace, + kubeconfig, + group_names=None, + role_ref=None, + subjects=None, + usernames=None): + ''' constructor for handling rolebinding options ''' + self.kubeconfig = kubeconfig + self.name = name + self.namespace = namespace + self.group_names = group_names + self.role_ref = role_ref + self.subjects = subjects + self.usernames = usernames + self.data = {} + + self.create_dict() + + def create_dict(self): + ''' create a default rolebinding as a dict ''' + self.data['apiVersion'] = 'v1' + self.data['kind'] = 'RoleBinding' + self.data['groupNames'] = self.group_names + self.data['metadata']['name'] = self.name + self.data['metadata']['namespace'] = self.namespace + + self.data['roleRef'] = self.role_ref + self.data['subjects'] = self.subjects + self.data['userNames'] = self.usernames + + +# pylint: disable=too-many-instance-attributes,too-many-public-methods +class RoleBinding(Yedit): + ''' Class to model a rolebinding openshift object''' + group_names_path = "groupNames" + role_ref_path = "roleRef" + subjects_path = "subjects" + user_names_path = "userNames" + + kind = 'RoleBinding' + + def __init__(self, content): + '''RoleBinding constructor''' + super(RoleBinding, self).__init__(content=content) + self._subjects = None + self._role_ref = None + self._group_names = None + self._user_names = None + + @property + def subjects(self): + ''' subjects property ''' + if self._subjects is None: + self._subjects = self.get_subjects() + return self._subjects + + @subjects.setter + def subjects(self, data): + ''' subjects property setter''' + self._subjects = data + + @property + def role_ref(self): + ''' role_ref property ''' + if self._role_ref is None: + self._role_ref = self.get_role_ref() + return self._role_ref + + @role_ref.setter + def role_ref(self, data): + ''' role_ref property setter''' + self._role_ref = data + + @property + def group_names(self): + ''' group_names property ''' + if self._group_names is None: + self._group_names = self.get_group_names() + return self._group_names + + @group_names.setter + def group_names(self, data): + ''' group_names property setter''' + self._group_names = data + + @property + def user_names(self): + ''' user_names property ''' + if self._user_names is None: + self._user_names = self.get_user_names() + return self._user_names + + @user_names.setter + def user_names(self, data): + ''' user_names property setter''' + self._user_names = data + + def get_group_names(self): + ''' return groupNames ''' + return self.get(RoleBinding.group_names_path) or [] + + def get_user_names(self): + ''' return usernames ''' + return self.get(RoleBinding.user_names_path) or [] + + def get_role_ref(self): + ''' return role_ref ''' + return self.get(RoleBinding.role_ref_path) or {} + + def get_subjects(self): + ''' return subjects ''' + return self.get(RoleBinding.subjects_path) or [] + + #### ADD ##### + def add_subject(self, inc_subject): + ''' add a subject ''' + if self.subjects: + # pylint: disable=no-member + self.subjects.append(inc_subject) + else: + self.put(RoleBinding.subjects_path, [inc_subject]) + + return True + + def add_role_ref(self, inc_role_ref): + ''' add a role_ref ''' + if not self.role_ref: + self.put(RoleBinding.role_ref_path, {"name": inc_role_ref}) + return True + + return False + + def add_group_names(self, inc_group_names): + ''' add a group_names ''' + if self.group_names: + # pylint: disable=no-member + self.group_names.append(inc_group_names) + else: + self.put(RoleBinding.group_names_path, [inc_group_names]) + + return True + + def add_user_name(self, inc_user_name): + ''' add a username ''' + if self.user_names: + # pylint: disable=no-member + self.user_names.append(inc_user_name) + else: + self.put(RoleBinding.user_names_path, [inc_user_name]) + + return True + + #### /ADD ##### + + #### Remove ##### + def remove_subject(self, inc_subject): + ''' remove a subject ''' + try: + # pylint: disable=no-member + self.subjects.remove(inc_subject) + except ValueError as _: + return False + + return True + + def remove_role_ref(self, inc_role_ref): + ''' remove a role_ref ''' + if self.role_ref and self.role_ref['name'] == inc_role_ref: + del self.role_ref['name'] + return True + + return False + + def remove_group_name(self, inc_group_name): + ''' remove a groupname ''' + try: + # pylint: disable=no-member + self.group_names.remove(inc_group_name) + except ValueError as _: + return False + + return True + + def remove_user_name(self, inc_user_name): + ''' remove a username ''' + try: + # pylint: disable=no-member + self.user_names.remove(inc_user_name) + except ValueError as _: + return False + + return True + + #### /REMOVE ##### + + #### UPDATE ##### + def update_subject(self, inc_subject): + ''' update a subject ''' + try: + # pylint: disable=no-member + index = self.subjects.index(inc_subject) + except ValueError as _: + return self.add_subject(inc_subject) + + self.subjects[index] = inc_subject + + return True + + def update_group_name(self, inc_group_name): + ''' update a groupname ''' + try: + # pylint: disable=no-member + index = self.group_names.index(inc_group_name) + except ValueError as _: + return self.add_group_names(inc_group_name) + + self.group_names[index] = inc_group_name + + return True + + def update_user_name(self, inc_user_name): + ''' update a username ''' + try: + # pylint: disable=no-member + index = self.user_names.index(inc_user_name) + except ValueError as _: + return self.add_user_name(inc_user_name) + + self.user_names[index] = inc_user_name + + return True + + def update_role_ref(self, inc_role_ref): + ''' update a role_ref ''' + self.role_ref['name'] = inc_role_ref + + return True + + #### /UPDATE ##### + + #### FIND #### + def find_subject(self, inc_subject): + ''' find a subject ''' + index = None + try: + # pylint: disable=no-member + index = self.subjects.index(inc_subject) + except ValueError as _: + return index + + return index + + def find_group_name(self, inc_group_name): + ''' find a group_name ''' + index = None + try: + # pylint: disable=no-member + index = self.group_names.index(inc_group_name) + except ValueError as _: + return index + + return index + + def find_user_name(self, inc_user_name): + ''' find a user_name ''' + index = None + try: + # pylint: disable=no-member + index = self.user_names.index(inc_user_name) + except ValueError as _: + return index + + return index + + def find_role_ref(self, inc_role_ref): + ''' find a user_name ''' + if self.role_ref and self.role_ref['name'] == inc_role_ref['name']: + return self.role_ref + + return None + +# -*- -*- -*- End included fragment: lib/rolebinding.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: lib/scc.py -*- -*- -*- + + +# pylint: disable=too-many-instance-attributes +class SecurityContextConstraintsConfig(object): + ''' Handle scc options ''' + # pylint: disable=too-many-arguments + def __init__(self, + sname, + kubeconfig, + options=None, + fs_group='MustRunAs', + default_add_capabilities=None, + groups=None, + priority=None, + required_drop_capabilities=None, + run_as_user='MustRunAsRange', + se_linux_context='MustRunAs', + supplemental_groups='RunAsAny', + users=None, + annotations=None): + ''' constructor for handling scc options ''' + self.kubeconfig = kubeconfig + self.name = sname + self.options = options + self.fs_group = fs_group + self.default_add_capabilities = default_add_capabilities + self.groups = groups + self.priority = priority + self.required_drop_capabilities = required_drop_capabilities + self.run_as_user = run_as_user + self.se_linux_context = se_linux_context + self.supplemental_groups = supplemental_groups + self.users = users + self.annotations = annotations + self.data = {} + + self.create_dict() + + def create_dict(self): + ''' assign the correct properties for a scc dict ''' + # allow options + if self.options: + for key, value in self.options.items(): + self.data[key] = value + else: + self.data['allowHostDirVolumePlugin'] = False + self.data['allowHostIPC'] = False + self.data['allowHostNetwork'] = False + self.data['allowHostPID'] = False + self.data['allowHostPorts'] = False + self.data['allowPrivilegedContainer'] = False + self.data['allowedCapabilities'] = None + + # version + self.data['apiVersion'] = 'v1' + # kind + self.data['kind'] = 'SecurityContextConstraints' + # defaultAddCapabilities + self.data['defaultAddCapabilities'] = self.default_add_capabilities + # fsGroup + self.data['fsGroup']['type'] = self.fs_group + # groups + self.data['groups'] = [] + if self.groups: + self.data['groups'] = self.groups + # metadata + self.data['metadata'] = {} + self.data['metadata']['name'] = self.name + if self.annotations: + for key, value in self.annotations.items(): + self.data['metadata'][key] = value + # priority + self.data['priority'] = self.priority + # requiredDropCapabilities + self.data['requiredDropCapabilities'] = self.required_drop_capabilities + # runAsUser + self.data['runAsUser'] = {'type': self.run_as_user} + # seLinuxContext + self.data['seLinuxContext'] = {'type': self.se_linux_context} + # supplementalGroups + self.data['supplementalGroups'] = {'type': self.supplemental_groups} + # users + self.data['users'] = [] + if self.users: + self.data['users'] = self.users + + +# pylint: disable=too-many-instance-attributes,too-many-public-methods,no-member +class SecurityContextConstraints(Yedit): + ''' Class to wrap the oc command line tools ''' + default_add_capabilities_path = "defaultAddCapabilities" + fs_group_path = "fsGroup" + groups_path = "groups" + priority_path = "priority" + required_drop_capabilities_path = "requiredDropCapabilities" + run_as_user_path = "runAsUser" + se_linux_context_path = "seLinuxContext" + supplemental_groups_path = "supplementalGroups" + users_path = "users" + kind = 'SecurityContextConstraints' + + def __init__(self, content): + '''SecurityContextConstraints constructor''' + super(SecurityContextConstraints, self).__init__(content=content) + self._users = None + self._groups = None + + @property + def users(self): + ''' users property getter ''' + if self._users is None: + self._users = self.get_users() + return self._users + + @property + def groups(self): + ''' groups property getter ''' + if self._groups is None: + self._groups = self.get_groups() + return self._groups + + @users.setter + def users(self, data): + ''' users property setter''' + self._users = data + + @groups.setter + def groups(self, data): + ''' groups property setter''' + self._groups = data + + def get_users(self): + '''get scc users''' + return self.get(SecurityContextConstraints.users_path) or [] + + def get_groups(self): + '''get scc groups''' + return self.get(SecurityContextConstraints.groups_path) or [] + + def add_user(self, inc_user): + ''' add a user ''' + if self.users: + self.users.append(inc_user) + else: + self.put(SecurityContextConstraints.users_path, [inc_user]) + + return True + + def add_group(self, inc_group): + ''' add a group ''' + if self.groups: + self.groups.append(inc_group) + else: + self.put(SecurityContextConstraints.groups_path, [inc_group]) + + return True + + def remove_user(self, inc_user): + ''' remove a user ''' + try: + self.users.remove(inc_user) + except ValueError as _: + return False + + return True + + def remove_group(self, inc_group): + ''' remove a group ''' + try: + self.groups.remove(inc_group) + except ValueError as _: + return False + + return True + + def update_user(self, inc_user): + ''' update a user ''' + try: + index = self.users.index(inc_user) + except ValueError as _: + return self.add_user(inc_user) + + self.users[index] = inc_user + + return True + + def update_group(self, inc_group): + ''' update a group ''' + try: + index = self.groups.index(inc_group) + except ValueError as _: + return self.add_group(inc_group) + + self.groups[index] = inc_group + + return True + + def find_user(self, inc_user): + ''' find a user ''' + index = None + try: + index = self.users.index(inc_user) + except ValueError as _: + return index + + return index + + def find_group(self, inc_group): + ''' find a group ''' + index = None + try: + index = self.groups.index(inc_group) + except ValueError as _: + return index + + return index + +# -*- -*- -*- End included fragment: lib/scc.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: class/oc_adm_policy_group.py -*- -*- -*- + + +class PolicyGroupException(Exception): + ''' PolicyGroup exception''' + pass + + +class PolicyGroupConfig(OpenShiftCLIConfig): + ''' PolicyGroupConfig is a DTO for group related policy. ''' + def __init__(self, namespace, kubeconfig, policy_options): + super(PolicyGroupConfig, self).__init__(policy_options['name']['value'], + namespace, kubeconfig, policy_options) + self.kind = self.get_kind() + self.namespace = namespace + + def get_kind(self): + ''' return the kind we are working with ''' + if self.config_options['resource_kind']['value'] == 'role': + return 'rolebinding' + elif self.config_options['resource_kind']['value'] == 'cluster-role': + return 'clusterrolebinding' + elif self.config_options['resource_kind']['value'] == 'scc': + return 'scc' + + return None + + +# pylint: disable=too-many-return-statements +class PolicyGroup(OpenShiftCLI): + ''' Class to handle attaching policies to users ''' + + + def __init__(self, + config, + verbose=False): + ''' Constructor for PolicyGroup ''' + super(PolicyGroup, self).__init__(config.namespace, config.kubeconfig, verbose) + self.config = config + self.verbose = verbose + self._rolebinding = None + self._scc = None + + @property + def role_binding(self): + ''' role_binding getter ''' + return self._rolebinding + + @role_binding.setter + def role_binding(self, binding): + ''' role_binding setter ''' + self._rolebinding = binding + + @property + def security_context_constraint(self): + ''' security_context_constraint getter ''' + return self._scc + + @security_context_constraint.setter + def security_context_constraint(self, scc): + ''' security_context_constraint setter ''' + self._scc = scc + + def get(self): + '''fetch the desired kind''' + resource_name = self.config.config_options['name']['value'] + if resource_name == 'cluster-reader': + resource_name += 's' + + # oc adm policy add-... creates policy bindings with the name + # "[resource_name]-binding", however some bindings in the system + # simply use "[resource_name]". So try both. + + results = self._get(self.config.kind, resource_name) + if results['returncode'] == 0: + return results + + # Now try -binding naming convention + return self._get(self.config.kind, resource_name + "-binding") + + def exists_role_binding(self): + ''' return whether role_binding exists ''' + results = self.get() + if results['returncode'] == 0: + self.role_binding = RoleBinding(results['results'][0]) + if self.role_binding.find_group_name(self.config.config_options['group']['value']) != None: + return True + + return False + + elif '\"%s\" not found' % self.config.config_options['name']['value'] in results['stderr']: + return False + + return results + + def exists_scc(self): + ''' return whether scc exists ''' + results = self.get() + if results['returncode'] == 0: + self.security_context_constraint = SecurityContextConstraints(results['results'][0]) + + if self.security_context_constraint.find_group(self.config.config_options['group']['value']) != None: + return True + + return False + + return results + + def exists(self): + '''does the object exist?''' + if self.config.config_options['resource_kind']['value'] == 'cluster-role': + return self.exists_role_binding() + + elif self.config.config_options['resource_kind']['value'] == 'role': + return self.exists_role_binding() + + elif self.config.config_options['resource_kind']['value'] == 'scc': + return self.exists_scc() + + return False + + def perform(self): + '''perform action on resource''' + cmd = ['policy', + self.config.config_options['action']['value'], + self.config.config_options['name']['value'], + self.config.config_options['group']['value']] + + return self.openshift_cmd(cmd, oadm=True) + + @staticmethod + def run_ansible(params, check_mode): + '''run the idempotent ansible code''' + + state = params['state'] + + action = None + if state == 'present': + action = 'add-' + params['resource_kind'] + '-to-group' + else: + action = 'remove-' + params['resource_kind'] + '-from-group' + + nconfig = PolicyGroupConfig(params['namespace'], + params['kubeconfig'], + {'action': {'value': action, 'include': False}, + 'group': {'value': params['group'], 'include': False}, + 'resource_kind': {'value': params['resource_kind'], 'include': False}, + 'name': {'value': params['resource_name'], 'include': False}, + }) + + policygroup = PolicyGroup(nconfig, params['debug']) + + # Run the oc adm policy group related command + + ######## + # Delete + ######## + if state == 'absent': + if not policygroup.exists(): + return {'changed': False, 'state': 'absent'} + + if check_mode: + return {'changed': False, 'msg': 'CHECK_MODE: would have performed a delete.'} + + api_rval = policygroup.perform() + + if api_rval['returncode'] != 0: + return {'msg': api_rval} + + return {'changed': True, 'results' : api_rval, state:'absent'} + + if state == 'present': + ######## + # Create + ######## + results = policygroup.exists() + if isinstance(results, dict) and 'returncode' in results and results['returncode'] != 0: + return {'msg': results} + + if not results: + + if check_mode: + return {'changed': False, 'msg': 'CHECK_MODE: would have performed a create.'} + + api_rval = policygroup.perform() + + if api_rval['returncode'] != 0: + return {'msg': api_rval} + + return {'changed': True, 'results': api_rval, state: 'present'} + + return {'changed': False, state: 'present'} + + return {'failed': True, 'changed': False, 'results': 'Unknown state passed. %s' % state, state: 'unknown'} + +# -*- -*- -*- End included fragment: class/oc_adm_policy_group.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: ansible/oc_adm_policy_group.py -*- -*- -*- + + +def main(): + ''' + ansible oc adm module for group policy + ''' + + module = AnsibleModule( + argument_spec=dict( + state=dict(default='present', type='str', + choices=['present', 'absent']), + debug=dict(default=False, type='bool'), + resource_name=dict(required=True, type='str'), + namespace=dict(default='default', type='str'), + kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), + + group=dict(required=True, type='str'), + resource_kind=dict(required=True, choices=['role', 'cluster-role', 'scc'], type='str'), + ), + supports_check_mode=True, + ) + + results = PolicyGroup.run_ansible(module.params, module.check_mode) + + if 'failed' in results: + module.fail_json(**results) + + module.exit_json(**results) + + +if __name__ == "__main__": + main() + +# -*- -*- -*- End included fragment: ansible/oc_adm_policy_group.py -*- -*- -*- diff --git a/roles/lib_openshift/library/oc_adm_policy_user.py b/roles/lib_openshift/library/oc_adm_policy_user.py new file mode 100644 index 000000000..f0f80f25f --- /dev/null +++ b/roles/lib_openshift/library/oc_adm_policy_user.py @@ -0,0 +1,2091 @@ +#!/usr/bin/env python +# pylint: disable=missing-docstring +# flake8: noqa: T001 +# ___ ___ _ _ ___ ___ _ _____ ___ ___ +# / __| __| \| | __| _ \ /_\_ _| __| \ +# | (_ | _|| .` | _|| / / _ \| | | _|| |) | +# \___|___|_|\_|___|_|_\/_/_\_\_|_|___|___/_ _____ +# | \ / _ \ | \| |/ _ \_ _| | __| \_ _|_ _| +# | |) | (_) | | .` | (_) || | | _|| |) | | | | +# |___/ \___/ |_|\_|\___/ |_| |___|___/___| |_| +# +# Copyright 2016 Red Hat, Inc. and/or its affiliates +# and other contributors as indicated by the @author tags. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# -*- -*- -*- Begin included fragment: lib/import.py -*- -*- -*- +''' + OpenShiftCLI class that wraps the oc commands in a subprocess +''' +# pylint: disable=too-many-lines + +from __future__ import print_function +import atexit +import copy +import json +import os +import re +import shutil +import subprocess +import tempfile +# pylint: disable=import-error +try: + import ruamel.yaml as yaml +except ImportError: + import yaml + +from ansible.module_utils.basic import AnsibleModule + +# -*- -*- -*- End included fragment: lib/import.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: doc/policy_user -*- -*- -*- + +DOCUMENTATION = ''' +--- +module: oc_adm_policy_user +short_description: Module to manage openshift policy for users +description: + - Manage openshift policy for users. +options: + kubeconfig: + description: + - The path for the kubeconfig file to use for authentication + required: false + default: /etc/origin/master/admin.kubeconfig + aliases: [] + namespace: + description: + - The namespace scope + required: false + default: None + aliases: [] + debug: + description: + - Turn on debug output. + required: false + default: False + aliases: [] + user: + description: + - The name of the user + required: true + default: None + aliases: [] + resource_kind: + description: + - The kind of policy to affect + required: true + default: None + choices: ["role", "cluster-role", "scc"] + aliases: [] + resource_name: + description: + - The name of the policy + required: true + default: None + aliases: [] + state: + description: + - Desired state of the policy + required: true + default: present + choices: ["present", "absent"] + aliases: [] +author: +- "Kenny Woodson " +extends_documentation_fragment: [] +''' + +EXAMPLES = ''' +- name: oc adm policy remove-scc-from-user an-scc ausername + oc_adm_policy_user: + user: ausername + resource_kind: scc + resource_name: an-scc + state: absent + +- name: oc adm policy add-cluster-role-to-user system:build-strategy-docker ausername + oc_adm_policy_user: + user: ausername + resource_kind: cluster-role + resource_name: system:build-strategy-docker + state: present +''' + +# -*- -*- -*- End included fragment: doc/policy_user -*- -*- -*- + +# -*- -*- -*- Begin included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*- +# pylint: disable=undefined-variable,missing-docstring +# noqa: E301,E302 + + +class YeditException(Exception): + ''' Exception class for Yedit ''' + pass + + +# pylint: disable=too-many-public-methods +class Yedit(object): + ''' Class to modify yaml files ''' + re_valid_key = r"(((\[-?\d+\])|([0-9a-zA-Z%s/_-]+)).?)+$" + re_key = r"(?:\[(-?\d+)\])|([0-9a-zA-Z%s/_-]+)" + com_sep = set(['.', '#', '|', ':']) + + # pylint: disable=too-many-arguments + def __init__(self, + filename=None, + content=None, + content_type='yaml', + separator='.', + backup=False): + self.content = content + self._separator = separator + self.filename = filename + self.__yaml_dict = content + self.content_type = content_type + self.backup = backup + self.load(content_type=self.content_type) + if self.__yaml_dict is None: + self.__yaml_dict = {} + + @property + def separator(self): + ''' getter method for yaml_dict ''' + return self._separator + + @separator.setter + def separator(self): + ''' getter method for yaml_dict ''' + return self._separator + + @property + def yaml_dict(self): + ''' getter method for yaml_dict ''' + return self.__yaml_dict + + @yaml_dict.setter + def yaml_dict(self, value): + ''' setter method for yaml_dict ''' + self.__yaml_dict = value + + @staticmethod + def parse_key(key, sep='.'): + '''parse the key allowing the appropriate separator''' + common_separators = list(Yedit.com_sep - set([sep])) + return re.findall(Yedit.re_key % ''.join(common_separators), key) + + @staticmethod + def valid_key(key, sep='.'): + '''validate the incoming key''' + common_separators = list(Yedit.com_sep - set([sep])) + if not re.match(Yedit.re_valid_key % ''.join(common_separators), key): + return False + + return True + + @staticmethod + def remove_entry(data, key, sep='.'): + ''' remove data at location key ''' + if key == '' and isinstance(data, dict): + data.clear() + return True + elif key == '' and isinstance(data, list): + del data[:] + return True + + if not (key and Yedit.valid_key(key, sep)) and \ + isinstance(data, (list, dict)): + return None + + key_indexes = Yedit.parse_key(key, sep) + for arr_ind, dict_key in key_indexes[:-1]: + if dict_key and isinstance(data, dict): + data = data.get(dict_key, None) + elif (arr_ind and isinstance(data, list) and + int(arr_ind) <= len(data) - 1): + data = data[int(arr_ind)] + else: + return None + + # process last index for remove + # expected list entry + if key_indexes[-1][0]: + if isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501 + del data[int(key_indexes[-1][0])] + return True + + # expected dict entry + elif key_indexes[-1][1]: + if isinstance(data, dict): + del data[key_indexes[-1][1]] + return True + + @staticmethod + def add_entry(data, key, item=None, sep='.'): + ''' Get an item from a dictionary with key notation a.b.c + d = {'a': {'b': 'c'}}} + key = a#b + return c + ''' + if key == '': + pass + elif (not (key and Yedit.valid_key(key, sep)) and + isinstance(data, (list, dict))): + return None + + key_indexes = Yedit.parse_key(key, sep) + for arr_ind, dict_key in key_indexes[:-1]: + if dict_key: + if isinstance(data, dict) and dict_key in data and data[dict_key]: # noqa: E501 + data = data[dict_key] + continue + + elif data and not isinstance(data, dict): + return None + + data[dict_key] = {} + data = data[dict_key] + + elif (arr_ind and isinstance(data, list) and + int(arr_ind) <= len(data) - 1): + data = data[int(arr_ind)] + else: + return None + + if key == '': + data = item + + # process last index for add + # expected list entry + elif key_indexes[-1][0] and isinstance(data, list) and int(key_indexes[-1][0]) <= len(data) - 1: # noqa: E501 + data[int(key_indexes[-1][0])] = item + + # expected dict entry + elif key_indexes[-1][1] and isinstance(data, dict): + data[key_indexes[-1][1]] = item + + return data + + @staticmethod + def get_entry(data, key, sep='.'): + ''' Get an item from a dictionary with key notation a.b.c + d = {'a': {'b': 'c'}}} + key = a.b + return c + ''' + if key == '': + pass + elif (not (key and Yedit.valid_key(key, sep)) and + isinstance(data, (list, dict))): + return None + + key_indexes = Yedit.parse_key(key, sep) + for arr_ind, dict_key in key_indexes: + if dict_key and isinstance(data, dict): + data = data.get(dict_key, None) + elif (arr_ind and isinstance(data, list) and + int(arr_ind) <= len(data) - 1): + data = data[int(arr_ind)] + else: + return None + + return data + + @staticmethod + def _write(filename, contents): + ''' Actually write the file contents to disk. This helps with mocking. ''' + + tmp_filename = filename + '.yedit' + + with open(tmp_filename, 'w') as yfd: + yfd.write(contents) + + os.rename(tmp_filename, filename) + + def write(self): + ''' write to file ''' + if not self.filename: + raise YeditException('Please specify a filename.') + + if self.backup and self.file_exists(): + shutil.copy(self.filename, self.filename + '.orig') + + # Try to set format attributes if supported + try: + self.yaml_dict.fa.set_block_style() + except AttributeError: + pass + + # Try to use RoundTripDumper if supported. + try: + Yedit._write(self.filename, yaml.dump(self.yaml_dict, Dumper=yaml.RoundTripDumper)) + except AttributeError: + Yedit._write(self.filename, yaml.safe_dump(self.yaml_dict, default_flow_style=False)) + + return (True, self.yaml_dict) + + def read(self): + ''' read from file ''' + # check if it exists + if self.filename is None or not self.file_exists(): + return None + + contents = None + with open(self.filename) as yfd: + contents = yfd.read() + + return contents + + def file_exists(self): + ''' return whether file exists ''' + if os.path.exists(self.filename): + return True + + return False + + def load(self, content_type='yaml'): + ''' return yaml file ''' + contents = self.read() + + if not contents and not self.content: + return None + + if self.content: + if isinstance(self.content, dict): + self.yaml_dict = self.content + return self.yaml_dict + elif isinstance(self.content, str): + contents = self.content + + # check if it is yaml + try: + if content_type == 'yaml' and contents: + # Try to set format attributes if supported + try: + self.yaml_dict.fa.set_block_style() + except AttributeError: + pass + + # Try to use RoundTripLoader if supported. + try: + self.yaml_dict = yaml.safe_load(contents, yaml.RoundTripLoader) + except AttributeError: + self.yaml_dict = yaml.safe_load(contents) + + # Try to set format attributes if supported + try: + self.yaml_dict.fa.set_block_style() + except AttributeError: + pass + + elif content_type == 'json' and contents: + self.yaml_dict = json.loads(contents) + except yaml.YAMLError as err: + # Error loading yaml or json + raise YeditException('Problem with loading yaml file. %s' % err) + + return self.yaml_dict + + def get(self, key): + ''' get a specified key''' + try: + entry = Yedit.get_entry(self.yaml_dict, key, self.separator) + except KeyError: + entry = None + + return entry + + def pop(self, path, key_or_item): + ''' remove a key, value pair from a dict or an item for a list''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry is None: + return (False, self.yaml_dict) + + if isinstance(entry, dict): + # AUDIT:maybe-no-member makes sense due to fuzzy types + # pylint: disable=maybe-no-member + if key_or_item in entry: + entry.pop(key_or_item) + return (True, self.yaml_dict) + return (False, self.yaml_dict) + + elif isinstance(entry, list): + # AUDIT:maybe-no-member makes sense due to fuzzy types + # pylint: disable=maybe-no-member + ind = None + try: + ind = entry.index(key_or_item) + except ValueError: + return (False, self.yaml_dict) + + entry.pop(ind) + return (True, self.yaml_dict) + + return (False, self.yaml_dict) + + def delete(self, path): + ''' remove path from a dict''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry is None: + return (False, self.yaml_dict) + + result = Yedit.remove_entry(self.yaml_dict, path, self.separator) + if not result: + return (False, self.yaml_dict) + + return (True, self.yaml_dict) + + def exists(self, path, value): + ''' check if value exists at path''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if isinstance(entry, list): + if value in entry: + return True + return False + + elif isinstance(entry, dict): + if isinstance(value, dict): + rval = False + for key, val in value.items(): + if entry[key] != val: + rval = False + break + else: + rval = True + return rval + + return value in entry + + return entry == value + + def append(self, path, value): + '''append value to a list''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry is None: + self.put(path, []) + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + if not isinstance(entry, list): + return (False, self.yaml_dict) + + # AUDIT:maybe-no-member makes sense due to loading data from + # a serialized format. + # pylint: disable=maybe-no-member + entry.append(value) + return (True, self.yaml_dict) + + # pylint: disable=too-many-arguments + def update(self, path, value, index=None, curr_value=None): + ''' put path, value into a dict ''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if isinstance(entry, dict): + # AUDIT:maybe-no-member makes sense due to fuzzy types + # pylint: disable=maybe-no-member + if not isinstance(value, dict): + raise YeditException('Cannot replace key, value entry in ' + + 'dict with non-dict type. value=[%s] [%s]' % (value, type(value))) # noqa: E501 + + entry.update(value) + return (True, self.yaml_dict) + + elif isinstance(entry, list): + # AUDIT:maybe-no-member makes sense due to fuzzy types + # pylint: disable=maybe-no-member + ind = None + if curr_value: + try: + ind = entry.index(curr_value) + except ValueError: + return (False, self.yaml_dict) + + elif index is not None: + ind = index + + if ind is not None and entry[ind] != value: + entry[ind] = value + return (True, self.yaml_dict) + + # see if it exists in the list + try: + ind = entry.index(value) + except ValueError: + # doesn't exist, append it + entry.append(value) + return (True, self.yaml_dict) + + # already exists, return + if ind is not None: + return (False, self.yaml_dict) + return (False, self.yaml_dict) + + def put(self, path, value): + ''' put path, value into a dict ''' + try: + entry = Yedit.get_entry(self.yaml_dict, path, self.separator) + except KeyError: + entry = None + + if entry == value: + return (False, self.yaml_dict) + + # deepcopy didn't work + # Try to use ruamel.yaml and fallback to pyyaml + try: + tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, + default_flow_style=False), + yaml.RoundTripLoader) + except AttributeError: + tmp_copy = copy.deepcopy(self.yaml_dict) + + # set the format attributes if available + try: + tmp_copy.fa.set_block_style() + except AttributeError: + pass + + result = Yedit.add_entry(tmp_copy, path, value, self.separator) + if not result: + return (False, self.yaml_dict) + + self.yaml_dict = tmp_copy + + return (True, self.yaml_dict) + + def create(self, path, value): + ''' create a yaml file ''' + if not self.file_exists(): + # deepcopy didn't work + # Try to use ruamel.yaml and fallback to pyyaml + try: + tmp_copy = yaml.load(yaml.round_trip_dump(self.yaml_dict, + default_flow_style=False), + yaml.RoundTripLoader) + except AttributeError: + tmp_copy = copy.deepcopy(self.yaml_dict) + + # set the format attributes if available + try: + tmp_copy.fa.set_block_style() + except AttributeError: + pass + + result = Yedit.add_entry(tmp_copy, path, value, self.separator) + if result: + self.yaml_dict = tmp_copy + return (True, self.yaml_dict) + + return (False, self.yaml_dict) + + @staticmethod + def get_curr_value(invalue, val_type): + '''return the current value''' + if invalue is None: + return None + + curr_value = invalue + if val_type == 'yaml': + curr_value = yaml.load(invalue) + elif val_type == 'json': + curr_value = json.loads(invalue) + + return curr_value + + @staticmethod + def parse_value(inc_value, vtype=''): + '''determine value type passed''' + true_bools = ['y', 'Y', 'yes', 'Yes', 'YES', 'true', 'True', 'TRUE', + 'on', 'On', 'ON', ] + false_bools = ['n', 'N', 'no', 'No', 'NO', 'false', 'False', 'FALSE', + 'off', 'Off', 'OFF'] + + # It came in as a string but you didn't specify value_type as string + # we will convert to bool if it matches any of the above cases + if isinstance(inc_value, str) and 'bool' in vtype: + if inc_value not in true_bools and inc_value not in false_bools: + raise YeditException('Not a boolean type. str=[%s] vtype=[%s]' + % (inc_value, vtype)) + elif isinstance(inc_value, bool) and 'str' in vtype: + inc_value = str(inc_value) + + # If vtype is not str then go ahead and attempt to yaml load it. + if isinstance(inc_value, str) and 'str' not in vtype: + try: + inc_value = yaml.load(inc_value) + except Exception: + raise YeditException('Could not determine type of incoming ' + + 'value. value=[%s] vtype=[%s]' + % (type(inc_value), vtype)) + + return inc_value + + # pylint: disable=too-many-return-statements,too-many-branches + @staticmethod + def run_ansible(module): + '''perform the idempotent crud operations''' + yamlfile = Yedit(filename=module.params['src'], + backup=module.params['backup'], + separator=module.params['separator']) + + if module.params['src']: + rval = yamlfile.load() + + if yamlfile.yaml_dict is None and \ + module.params['state'] != 'present': + return {'failed': True, + 'msg': 'Error opening file [%s]. Verify that the ' + + 'file exists, that it is has correct' + + ' permissions, and is valid yaml.'} + + if module.params['state'] == 'list': + if module.params['content']: + content = Yedit.parse_value(module.params['content'], + module.params['content_type']) + yamlfile.yaml_dict = content + + if module.params['key']: + rval = yamlfile.get(module.params['key']) or {} + + return {'changed': False, 'result': rval, 'state': "list"} + + elif module.params['state'] == 'absent': + if module.params['content']: + content = Yedit.parse_value(module.params['content'], + module.params['content_type']) + yamlfile.yaml_dict = content + + if module.params['update']: + rval = yamlfile.pop(module.params['key'], + module.params['value']) + else: + rval = yamlfile.delete(module.params['key']) + + if rval[0] and module.params['src']: + yamlfile.write() + + return {'changed': rval[0], 'result': rval[1], 'state': "absent"} + + elif module.params['state'] == 'present': + # check if content is different than what is in the file + if module.params['content']: + content = Yedit.parse_value(module.params['content'], + module.params['content_type']) + + # We had no edits to make and the contents are the same + if yamlfile.yaml_dict == content and \ + module.params['value'] is None: + return {'changed': False, + 'result': yamlfile.yaml_dict, + 'state': "present"} + + yamlfile.yaml_dict = content + + # we were passed a value; parse it + if module.params['value']: + value = Yedit.parse_value(module.params['value'], + module.params['value_type']) + key = module.params['key'] + if module.params['update']: + # pylint: disable=line-too-long + curr_value = Yedit.get_curr_value(Yedit.parse_value(module.params['curr_value']), # noqa: E501 + module.params['curr_value_format']) # noqa: E501 + + rval = yamlfile.update(key, value, module.params['index'], curr_value) # noqa: E501 + + elif module.params['append']: + rval = yamlfile.append(key, value) + else: + rval = yamlfile.put(key, value) + + if rval[0] and module.params['src']: + yamlfile.write() + + return {'changed': rval[0], + 'result': rval[1], 'state': "present"} + + # no edits to make + if module.params['src']: + # pylint: disable=redefined-variable-type + rval = yamlfile.write() + return {'changed': rval[0], + 'result': rval[1], + 'state': "present"} + + return {'failed': True, 'msg': 'Unkown state passed'} + +# -*- -*- -*- End included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: lib/base.py -*- -*- -*- +# pylint: disable=too-many-lines +# noqa: E301,E302,E303,T001 + + +class OpenShiftCLIError(Exception): + '''Exception class for openshiftcli''' + pass + + +ADDITIONAL_PATH_LOOKUPS = ['/usr/local/bin', os.path.expanduser('~/bin')] + + +def locate_oc_binary(): + ''' Find and return oc binary file ''' + # https://github.com/openshift/openshift-ansible/issues/3410 + # oc can be in /usr/local/bin in some cases, but that may not + # be in $PATH due to ansible/sudo + paths = os.environ.get("PATH", os.defpath).split(os.pathsep) + ADDITIONAL_PATH_LOOKUPS + + oc_binary = 'oc' + + # Use shutil.which if it is available, otherwise fallback to a naive path search + try: + which_result = shutil.which(oc_binary, path=os.pathsep.join(paths)) + if which_result is not None: + oc_binary = which_result + except AttributeError: + for path in paths: + if os.path.exists(os.path.join(path, oc_binary)): + oc_binary = os.path.join(path, oc_binary) + break + + return oc_binary + + +# pylint: disable=too-few-public-methods +class OpenShiftCLI(object): + ''' Class to wrap the command line tools ''' + def __init__(self, + namespace, + kubeconfig='/etc/origin/master/admin.kubeconfig', + verbose=False, + all_namespaces=False): + ''' Constructor for OpenshiftCLI ''' + self.namespace = namespace + self.verbose = verbose + self.kubeconfig = Utils.create_tmpfile_copy(kubeconfig) + self.all_namespaces = all_namespaces + self.oc_binary = locate_oc_binary() + + # Pylint allows only 5 arguments to be passed. + # pylint: disable=too-many-arguments + def _replace_content(self, resource, rname, content, force=False, sep='.'): + ''' replace the current object with the content ''' + res = self._get(resource, rname) + if not res['results']: + return res + + fname = Utils.create_tmpfile(rname + '-') + + yed = Yedit(fname, res['results'][0], separator=sep) + changes = [] + for key, value in content.items(): + changes.append(yed.put(key, value)) + + if any([change[0] for change in changes]): + yed.write() + + atexit.register(Utils.cleanup, [fname]) + + return self._replace(fname, force) + + return {'returncode': 0, 'updated': False} + + def _replace(self, fname, force=False): + '''replace the current object with oc replace''' + cmd = ['replace', '-f', fname] + if force: + cmd.append('--force') + return self.openshift_cmd(cmd) + + def _create_from_content(self, rname, content): + '''create a temporary file and then call oc create on it''' + fname = Utils.create_tmpfile(rname + '-') + yed = Yedit(fname, content=content) + yed.write() + + atexit.register(Utils.cleanup, [fname]) + + return self._create(fname) + + def _create(self, fname): + '''call oc create on a filename''' + return self.openshift_cmd(['create', '-f', fname]) + + def _delete(self, resource, rname, selector=None): + '''call oc delete on a resource''' + cmd = ['delete', resource, rname] + if selector: + cmd.append('--selector=%s' % selector) + + return self.openshift_cmd(cmd) + + def _process(self, template_name, create=False, params=None, template_data=None): # noqa: E501 + '''process a template + + template_name: the name of the template to process + create: whether to send to oc create after processing + params: the parameters for the template + template_data: the incoming template's data; instead of a file + ''' + cmd = ['process'] + if template_data: + cmd.extend(['-f', '-']) + else: + cmd.append(template_name) + if params: + param_str = ["%s=%s" % (key, value) for key, value in params.items()] + cmd.append('-v') + cmd.extend(param_str) + + results = self.openshift_cmd(cmd, output=True, input_data=template_data) + + if results['returncode'] != 0 or not create: + return results + + fname = Utils.create_tmpfile(template_name + '-') + yed = Yedit(fname, results['results']) + yed.write() + + atexit.register(Utils.cleanup, [fname]) + + return self.openshift_cmd(['create', '-f', fname]) + + def _get(self, resource, rname=None, selector=None): + '''return a resource by name ''' + cmd = ['get', resource] + if selector: + cmd.append('--selector=%s' % selector) + elif rname: + cmd.append(rname) + + cmd.extend(['-o', 'json']) + + rval = self.openshift_cmd(cmd, output=True) + + # Ensure results are retuned in an array + if 'items' in rval: + rval['results'] = rval['items'] + elif not isinstance(rval['results'], list): + rval['results'] = [rval['results']] + + return rval + + def _schedulable(self, node=None, selector=None, schedulable=True): + ''' perform oadm manage-node scheduable ''' + cmd = ['manage-node'] + if node: + cmd.extend(node) + else: + cmd.append('--selector=%s' % selector) + + cmd.append('--schedulable=%s' % schedulable) + + return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') # noqa: E501 + + def _list_pods(self, node=None, selector=None, pod_selector=None): + ''' perform oadm list pods + + node: the node in which to list pods + selector: the label selector filter if provided + pod_selector: the pod selector filter if provided + ''' + cmd = ['manage-node'] + if node: + cmd.extend(node) + else: + cmd.append('--selector=%s' % selector) + + if pod_selector: + cmd.append('--pod-selector=%s' % pod_selector) + + cmd.extend(['--list-pods', '-o', 'json']) + + return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') + + # pylint: disable=too-many-arguments + def _evacuate(self, node=None, selector=None, pod_selector=None, dry_run=False, grace_period=None, force=False): + ''' perform oadm manage-node evacuate ''' + cmd = ['manage-node'] + if node: + cmd.extend(node) + else: + cmd.append('--selector=%s' % selector) + + if dry_run: + cmd.append('--dry-run') + + if pod_selector: + cmd.append('--pod-selector=%s' % pod_selector) + + if grace_period: + cmd.append('--grace-period=%s' % int(grace_period)) + + if force: + cmd.append('--force') + + cmd.append('--evacuate') + + return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') + + def _version(self): + ''' return the openshift version''' + return self.openshift_cmd(['version'], output=True, output_type='raw') + + def _import_image(self, url=None, name=None, tag=None): + ''' perform image import ''' + cmd = ['import-image'] + + image = '{0}'.format(name) + if tag: + image += ':{0}'.format(tag) + + cmd.append(image) + + if url: + cmd.append('--from={0}/{1}'.format(url, image)) + + cmd.append('-n{0}'.format(self.namespace)) + + cmd.append('--confirm') + return self.openshift_cmd(cmd) + + def _run(self, cmds, input_data): + ''' Actually executes the command. This makes mocking easier. ''' + curr_env = os.environ.copy() + curr_env.update({'KUBECONFIG': self.kubeconfig}) + proc = subprocess.Popen(cmds, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + env=curr_env) + + stdout, stderr = proc.communicate(input_data) + + return proc.returncode, stdout.decode(), stderr.decode() + + # pylint: disable=too-many-arguments,too-many-branches + def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): + '''Base command for oc ''' + cmds = [self.oc_binary] + + if oadm: + cmds.append('adm') + + cmds.extend(cmd) + + if self.all_namespaces: + cmds.extend(['--all-namespaces']) + elif self.namespace is not None and self.namespace.lower() not in ['none', 'emtpy']: # E501 + cmds.extend(['-n', self.namespace]) + + rval = {} + results = '' + err = None + + if self.verbose: + print(' '.join(cmds)) + + try: + returncode, stdout, stderr = self._run(cmds, input_data) + except OSError as ex: + returncode, stdout, stderr = 1, '', 'Failed to execute {}: {}'.format(subprocess.list2cmdline(cmds), ex) + + rval = {"returncode": returncode, + "results": results, + "cmd": ' '.join(cmds)} + + if returncode == 0: + if output: + if output_type == 'json': + try: + rval['results'] = json.loads(stdout) + except ValueError as err: + if "No JSON object could be decoded" in err.args: + err = err.args + elif output_type == 'raw': + rval['results'] = stdout + + if self.verbose: + print("STDOUT: {0}".format(stdout)) + print("STDERR: {0}".format(stderr)) + + if err: + rval.update({"err": err, + "stderr": stderr, + "stdout": stdout, + "cmd": cmds}) + + else: + rval.update({"stderr": stderr, + "stdout": stdout, + "results": {}}) + + return rval + + +class Utils(object): + ''' utilities for openshiftcli modules ''' + + @staticmethod + def _write(filename, contents): + ''' Actually write the file contents to disk. This helps with mocking. ''' + + with open(filename, 'w') as sfd: + sfd.write(contents) + + @staticmethod + def create_tmp_file_from_contents(rname, data, ftype='yaml'): + ''' create a file in tmp with name and contents''' + + tmp = Utils.create_tmpfile(prefix=rname) + + if ftype == 'yaml': + # AUDIT:no-member makes sense here due to ruamel.YAML/PyYAML usage + # pylint: disable=no-member + if hasattr(yaml, 'RoundTripDumper'): + Utils._write(tmp, yaml.dump(data, Dumper=yaml.RoundTripDumper)) + else: + Utils._write(tmp, yaml.safe_dump(data, default_flow_style=False)) + + elif ftype == 'json': + Utils._write(tmp, json.dumps(data)) + else: + Utils._write(tmp, data) + + # Register cleanup when module is done + atexit.register(Utils.cleanup, [tmp]) + return tmp + + @staticmethod + def create_tmpfile_copy(inc_file): + '''create a temporary copy of a file''' + tmpfile = Utils.create_tmpfile('lib_openshift-') + Utils._write(tmpfile, open(inc_file).read()) + + # Cleanup the tmpfile + atexit.register(Utils.cleanup, [tmpfile]) + + return tmpfile + + @staticmethod + def create_tmpfile(prefix='tmp'): + ''' Generates and returns a temporary file name ''' + + with tempfile.NamedTemporaryFile(prefix=prefix, delete=False) as tmp: + return tmp.name + + @staticmethod + def create_tmp_files_from_contents(content, content_type=None): + '''Turn an array of dict: filename, content into a files array''' + if not isinstance(content, list): + content = [content] + files = [] + for item in content: + path = Utils.create_tmp_file_from_contents(item['path'] + '-', + item['data'], + ftype=content_type) + files.append({'name': os.path.basename(item['path']), + 'path': path}) + return files + + @staticmethod + def cleanup(files): + '''Clean up on exit ''' + for sfile in files: + if os.path.exists(sfile): + if os.path.isdir(sfile): + shutil.rmtree(sfile) + elif os.path.isfile(sfile): + os.remove(sfile) + + @staticmethod + def exists(results, _name): + ''' Check to see if the results include the name ''' + if not results: + return False + + if Utils.find_result(results, _name): + return True + + return False + + @staticmethod + def find_result(results, _name): + ''' Find the specified result by name''' + rval = None + for result in results: + if 'metadata' in result and result['metadata']['name'] == _name: + rval = result + break + + return rval + + @staticmethod + def get_resource_file(sfile, sfile_type='yaml'): + ''' return the service file ''' + contents = None + with open(sfile) as sfd: + contents = sfd.read() + + if sfile_type == 'yaml': + # AUDIT:no-member makes sense here due to ruamel.YAML/PyYAML usage + # pylint: disable=no-member + if hasattr(yaml, 'RoundTripLoader'): + contents = yaml.load(contents, yaml.RoundTripLoader) + else: + contents = yaml.safe_load(contents) + elif sfile_type == 'json': + contents = json.loads(contents) + + return contents + + @staticmethod + def filter_versions(stdout): + ''' filter the oc version output ''' + + version_dict = {} + version_search = ['oc', 'openshift', 'kubernetes'] + + for line in stdout.strip().split('\n'): + for term in version_search: + if not line: + continue + if line.startswith(term): + version_dict[term] = line.split()[-1] + + # horrible hack to get openshift version in Openshift 3.2 + # By default "oc version in 3.2 does not return an "openshift" version + if "openshift" not in version_dict: + version_dict["openshift"] = version_dict["oc"] + + return version_dict + + @staticmethod + def add_custom_versions(versions): + ''' create custom versions strings ''' + + versions_dict = {} + + for tech, version in versions.items(): + # clean up "-" from version + if "-" in version: + version = version.split("-")[0] + + if version.startswith('v'): + versions_dict[tech + '_numeric'] = version[1:].split('+')[0] + # "v3.3.0.33" is what we have, we want "3.3" + versions_dict[tech + '_short'] = version[1:4] + + return versions_dict + + @staticmethod + def openshift_installed(): + ''' check if openshift is installed ''' + import yum + + yum_base = yum.YumBase() + if yum_base.rpmdb.searchNevra(name='atomic-openshift'): + return True + + return False + + # Disabling too-many-branches. This is a yaml dictionary comparison function + # pylint: disable=too-many-branches,too-many-return-statements,too-many-statements + @staticmethod + def check_def_equal(user_def, result_def, skip_keys=None, debug=False): + ''' Given a user defined definition, compare it with the results given back by our query. ''' + + # Currently these values are autogenerated and we do not need to check them + skip = ['metadata', 'status'] + if skip_keys: + skip.extend(skip_keys) + + for key, value in result_def.items(): + if key in skip: + continue + + # Both are lists + if isinstance(value, list): + if key not in user_def: + if debug: + print('User data does not have key [%s]' % key) + print('User data: %s' % user_def) + return False + + if not isinstance(user_def[key], list): + if debug: + print('user_def[key] is not a list key=[%s] user_def[key]=%s' % (key, user_def[key])) + return False + + if len(user_def[key]) != len(value): + if debug: + print("List lengths are not equal.") + print("key=[%s]: user_def[%s] != value[%s]" % (key, len(user_def[key]), len(value))) + print("user_def: %s" % user_def[key]) + print("value: %s" % value) + return False + + for values in zip(user_def[key], value): + if isinstance(values[0], dict) and isinstance(values[1], dict): + if debug: + print('sending list - list') + print(type(values[0])) + print(type(values[1])) + result = Utils.check_def_equal(values[0], values[1], skip_keys=skip_keys, debug=debug) + if not result: + print('list compare returned false') + return False + + elif value != user_def[key]: + if debug: + print('value should be identical') + print(user_def[key]) + print(value) + return False + + # recurse on a dictionary + elif isinstance(value, dict): + if key not in user_def: + if debug: + print("user_def does not have key [%s]" % key) + return False + if not isinstance(user_def[key], dict): + if debug: + print("dict returned false: not instance of dict") + return False + + # before passing ensure keys match + api_values = set(value.keys()) - set(skip) + user_values = set(user_def[key].keys()) - set(skip) + if api_values != user_values: + if debug: + print("keys are not equal in dict") + print(user_values) + print(api_values) + return False + + result = Utils.check_def_equal(user_def[key], value, skip_keys=skip_keys, debug=debug) + if not result: + if debug: + print("dict returned false") + print(result) + return False + + # Verify each key, value pair is the same + else: + if key not in user_def or value != user_def[key]: + if debug: + print("value not equal; user_def does not have key") + print(key) + print(value) + if key in user_def: + print(user_def[key]) + return False + + if debug: + print('returning true') + return True + + +class OpenShiftCLIConfig(object): + '''Generic Config''' + def __init__(self, rname, namespace, kubeconfig, options): + self.kubeconfig = kubeconfig + self.name = rname + self.namespace = namespace + self._options = options + + @property + def config_options(self): + ''' return config options ''' + return self._options + + def to_option_list(self): + '''return all options as a string''' + return self.stringify() + + def stringify(self): + ''' return the options hash as cli params in a string ''' + rval = [] + for key, data in self.config_options.items(): + if data['include'] \ + and (data['value'] or isinstance(data['value'], int)): + rval.append('--%s=%s' % (key.replace('_', '-'), data['value'])) + + return rval + + +# -*- -*- -*- End included fragment: lib/base.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: lib/rolebinding.py -*- -*- -*- + +# pylint: disable=too-many-instance-attributes +class RoleBindingConfig(object): + ''' Handle rolebinding config ''' + # pylint: disable=too-many-arguments + def __init__(self, + name, + namespace, + kubeconfig, + group_names=None, + role_ref=None, + subjects=None, + usernames=None): + ''' constructor for handling rolebinding options ''' + self.kubeconfig = kubeconfig + self.name = name + self.namespace = namespace + self.group_names = group_names + self.role_ref = role_ref + self.subjects = subjects + self.usernames = usernames + self.data = {} + + self.create_dict() + + def create_dict(self): + ''' create a default rolebinding as a dict ''' + self.data['apiVersion'] = 'v1' + self.data['kind'] = 'RoleBinding' + self.data['groupNames'] = self.group_names + self.data['metadata']['name'] = self.name + self.data['metadata']['namespace'] = self.namespace + + self.data['roleRef'] = self.role_ref + self.data['subjects'] = self.subjects + self.data['userNames'] = self.usernames + + +# pylint: disable=too-many-instance-attributes,too-many-public-methods +class RoleBinding(Yedit): + ''' Class to model a rolebinding openshift object''' + group_names_path = "groupNames" + role_ref_path = "roleRef" + subjects_path = "subjects" + user_names_path = "userNames" + + kind = 'RoleBinding' + + def __init__(self, content): + '''RoleBinding constructor''' + super(RoleBinding, self).__init__(content=content) + self._subjects = None + self._role_ref = None + self._group_names = None + self._user_names = None + + @property + def subjects(self): + ''' subjects property ''' + if self._subjects is None: + self._subjects = self.get_subjects() + return self._subjects + + @subjects.setter + def subjects(self, data): + ''' subjects property setter''' + self._subjects = data + + @property + def role_ref(self): + ''' role_ref property ''' + if self._role_ref is None: + self._role_ref = self.get_role_ref() + return self._role_ref + + @role_ref.setter + def role_ref(self, data): + ''' role_ref property setter''' + self._role_ref = data + + @property + def group_names(self): + ''' group_names property ''' + if self._group_names is None: + self._group_names = self.get_group_names() + return self._group_names + + @group_names.setter + def group_names(self, data): + ''' group_names property setter''' + self._group_names = data + + @property + def user_names(self): + ''' user_names property ''' + if self._user_names is None: + self._user_names = self.get_user_names() + return self._user_names + + @user_names.setter + def user_names(self, data): + ''' user_names property setter''' + self._user_names = data + + def get_group_names(self): + ''' return groupNames ''' + return self.get(RoleBinding.group_names_path) or [] + + def get_user_names(self): + ''' return usernames ''' + return self.get(RoleBinding.user_names_path) or [] + + def get_role_ref(self): + ''' return role_ref ''' + return self.get(RoleBinding.role_ref_path) or {} + + def get_subjects(self): + ''' return subjects ''' + return self.get(RoleBinding.subjects_path) or [] + + #### ADD ##### + def add_subject(self, inc_subject): + ''' add a subject ''' + if self.subjects: + # pylint: disable=no-member + self.subjects.append(inc_subject) + else: + self.put(RoleBinding.subjects_path, [inc_subject]) + + return True + + def add_role_ref(self, inc_role_ref): + ''' add a role_ref ''' + if not self.role_ref: + self.put(RoleBinding.role_ref_path, {"name": inc_role_ref}) + return True + + return False + + def add_group_names(self, inc_group_names): + ''' add a group_names ''' + if self.group_names: + # pylint: disable=no-member + self.group_names.append(inc_group_names) + else: + self.put(RoleBinding.group_names_path, [inc_group_names]) + + return True + + def add_user_name(self, inc_user_name): + ''' add a username ''' + if self.user_names: + # pylint: disable=no-member + self.user_names.append(inc_user_name) + else: + self.put(RoleBinding.user_names_path, [inc_user_name]) + + return True + + #### /ADD ##### + + #### Remove ##### + def remove_subject(self, inc_subject): + ''' remove a subject ''' + try: + # pylint: disable=no-member + self.subjects.remove(inc_subject) + except ValueError as _: + return False + + return True + + def remove_role_ref(self, inc_role_ref): + ''' remove a role_ref ''' + if self.role_ref and self.role_ref['name'] == inc_role_ref: + del self.role_ref['name'] + return True + + return False + + def remove_group_name(self, inc_group_name): + ''' remove a groupname ''' + try: + # pylint: disable=no-member + self.group_names.remove(inc_group_name) + except ValueError as _: + return False + + return True + + def remove_user_name(self, inc_user_name): + ''' remove a username ''' + try: + # pylint: disable=no-member + self.user_names.remove(inc_user_name) + except ValueError as _: + return False + + return True + + #### /REMOVE ##### + + #### UPDATE ##### + def update_subject(self, inc_subject): + ''' update a subject ''' + try: + # pylint: disable=no-member + index = self.subjects.index(inc_subject) + except ValueError as _: + return self.add_subject(inc_subject) + + self.subjects[index] = inc_subject + + return True + + def update_group_name(self, inc_group_name): + ''' update a groupname ''' + try: + # pylint: disable=no-member + index = self.group_names.index(inc_group_name) + except ValueError as _: + return self.add_group_names(inc_group_name) + + self.group_names[index] = inc_group_name + + return True + + def update_user_name(self, inc_user_name): + ''' update a username ''' + try: + # pylint: disable=no-member + index = self.user_names.index(inc_user_name) + except ValueError as _: + return self.add_user_name(inc_user_name) + + self.user_names[index] = inc_user_name + + return True + + def update_role_ref(self, inc_role_ref): + ''' update a role_ref ''' + self.role_ref['name'] = inc_role_ref + + return True + + #### /UPDATE ##### + + #### FIND #### + def find_subject(self, inc_subject): + ''' find a subject ''' + index = None + try: + # pylint: disable=no-member + index = self.subjects.index(inc_subject) + except ValueError as _: + return index + + return index + + def find_group_name(self, inc_group_name): + ''' find a group_name ''' + index = None + try: + # pylint: disable=no-member + index = self.group_names.index(inc_group_name) + except ValueError as _: + return index + + return index + + def find_user_name(self, inc_user_name): + ''' find a user_name ''' + index = None + try: + # pylint: disable=no-member + index = self.user_names.index(inc_user_name) + except ValueError as _: + return index + + return index + + def find_role_ref(self, inc_role_ref): + ''' find a user_name ''' + if self.role_ref and self.role_ref['name'] == inc_role_ref['name']: + return self.role_ref + + return None + +# -*- -*- -*- End included fragment: lib/rolebinding.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: lib/scc.py -*- -*- -*- + + +# pylint: disable=too-many-instance-attributes +class SecurityContextConstraintsConfig(object): + ''' Handle scc options ''' + # pylint: disable=too-many-arguments + def __init__(self, + sname, + kubeconfig, + options=None, + fs_group='MustRunAs', + default_add_capabilities=None, + groups=None, + priority=None, + required_drop_capabilities=None, + run_as_user='MustRunAsRange', + se_linux_context='MustRunAs', + supplemental_groups='RunAsAny', + users=None, + annotations=None): + ''' constructor for handling scc options ''' + self.kubeconfig = kubeconfig + self.name = sname + self.options = options + self.fs_group = fs_group + self.default_add_capabilities = default_add_capabilities + self.groups = groups + self.priority = priority + self.required_drop_capabilities = required_drop_capabilities + self.run_as_user = run_as_user + self.se_linux_context = se_linux_context + self.supplemental_groups = supplemental_groups + self.users = users + self.annotations = annotations + self.data = {} + + self.create_dict() + + def create_dict(self): + ''' assign the correct properties for a scc dict ''' + # allow options + if self.options: + for key, value in self.options.items(): + self.data[key] = value + else: + self.data['allowHostDirVolumePlugin'] = False + self.data['allowHostIPC'] = False + self.data['allowHostNetwork'] = False + self.data['allowHostPID'] = False + self.data['allowHostPorts'] = False + self.data['allowPrivilegedContainer'] = False + self.data['allowedCapabilities'] = None + + # version + self.data['apiVersion'] = 'v1' + # kind + self.data['kind'] = 'SecurityContextConstraints' + # defaultAddCapabilities + self.data['defaultAddCapabilities'] = self.default_add_capabilities + # fsGroup + self.data['fsGroup']['type'] = self.fs_group + # groups + self.data['groups'] = [] + if self.groups: + self.data['groups'] = self.groups + # metadata + self.data['metadata'] = {} + self.data['metadata']['name'] = self.name + if self.annotations: + for key, value in self.annotations.items(): + self.data['metadata'][key] = value + # priority + self.data['priority'] = self.priority + # requiredDropCapabilities + self.data['requiredDropCapabilities'] = self.required_drop_capabilities + # runAsUser + self.data['runAsUser'] = {'type': self.run_as_user} + # seLinuxContext + self.data['seLinuxContext'] = {'type': self.se_linux_context} + # supplementalGroups + self.data['supplementalGroups'] = {'type': self.supplemental_groups} + # users + self.data['users'] = [] + if self.users: + self.data['users'] = self.users + + +# pylint: disable=too-many-instance-attributes,too-many-public-methods,no-member +class SecurityContextConstraints(Yedit): + ''' Class to wrap the oc command line tools ''' + default_add_capabilities_path = "defaultAddCapabilities" + fs_group_path = "fsGroup" + groups_path = "groups" + priority_path = "priority" + required_drop_capabilities_path = "requiredDropCapabilities" + run_as_user_path = "runAsUser" + se_linux_context_path = "seLinuxContext" + supplemental_groups_path = "supplementalGroups" + users_path = "users" + kind = 'SecurityContextConstraints' + + def __init__(self, content): + '''SecurityContextConstraints constructor''' + super(SecurityContextConstraints, self).__init__(content=content) + self._users = None + self._groups = None + + @property + def users(self): + ''' users property getter ''' + if self._users is None: + self._users = self.get_users() + return self._users + + @property + def groups(self): + ''' groups property getter ''' + if self._groups is None: + self._groups = self.get_groups() + return self._groups + + @users.setter + def users(self, data): + ''' users property setter''' + self._users = data + + @groups.setter + def groups(self, data): + ''' groups property setter''' + self._groups = data + + def get_users(self): + '''get scc users''' + return self.get(SecurityContextConstraints.users_path) or [] + + def get_groups(self): + '''get scc groups''' + return self.get(SecurityContextConstraints.groups_path) or [] + + def add_user(self, inc_user): + ''' add a user ''' + if self.users: + self.users.append(inc_user) + else: + self.put(SecurityContextConstraints.users_path, [inc_user]) + + return True + + def add_group(self, inc_group): + ''' add a group ''' + if self.groups: + self.groups.append(inc_group) + else: + self.put(SecurityContextConstraints.groups_path, [inc_group]) + + return True + + def remove_user(self, inc_user): + ''' remove a user ''' + try: + self.users.remove(inc_user) + except ValueError as _: + return False + + return True + + def remove_group(self, inc_group): + ''' remove a group ''' + try: + self.groups.remove(inc_group) + except ValueError as _: + return False + + return True + + def update_user(self, inc_user): + ''' update a user ''' + try: + index = self.users.index(inc_user) + except ValueError as _: + return self.add_user(inc_user) + + self.users[index] = inc_user + + return True + + def update_group(self, inc_group): + ''' update a group ''' + try: + index = self.groups.index(inc_group) + except ValueError as _: + return self.add_group(inc_group) + + self.groups[index] = inc_group + + return True + + def find_user(self, inc_user): + ''' find a user ''' + index = None + try: + index = self.users.index(inc_user) + except ValueError as _: + return index + + return index + + def find_group(self, inc_group): + ''' find a group ''' + index = None + try: + index = self.groups.index(inc_group) + except ValueError as _: + return index + + return index + +# -*- -*- -*- End included fragment: lib/scc.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: class/oc_adm_policy_user.py -*- -*- -*- + + +class PolicyUserException(Exception): + ''' PolicyUser exception''' + pass + + +class PolicyUserConfig(OpenShiftCLIConfig): + ''' PolicyUserConfig is a DTO for user related policy. ''' + def __init__(self, namespace, kubeconfig, policy_options): + super(PolicyUserConfig, self).__init__(policy_options['name']['value'], + namespace, kubeconfig, policy_options) + self.kind = self.get_kind() + self.namespace = namespace + + def get_kind(self): + ''' return the kind we are working with ''' + if self.config_options['resource_kind']['value'] == 'role': + return 'rolebinding' + elif self.config_options['resource_kind']['value'] == 'cluster-role': + return 'clusterrolebinding' + elif self.config_options['resource_kind']['value'] == 'scc': + return 'scc' + + return None + + +# pylint: disable=too-many-return-statements +class PolicyUser(OpenShiftCLI): + ''' Class to handle attaching policies to users ''' + + def __init__(self, + policy_config, + verbose=False): + ''' Constructor for PolicyUser ''' + super(PolicyUser, self).__init__(policy_config.namespace, policy_config.kubeconfig, verbose) + self.config = policy_config + self.verbose = verbose + self._rolebinding = None + self._scc = None + + @property + def role_binding(self): + ''' role_binding property ''' + return self._rolebinding + + @role_binding.setter + def role_binding(self, binding): + ''' setter for role_binding property ''' + self._rolebinding = binding + + @property + def security_context_constraint(self): + ''' security_context_constraint property ''' + return self._scc + + @security_context_constraint.setter + def security_context_constraint(self, scc): + ''' setter for security_context_constraint property ''' + self._scc = scc + + def get(self): + '''fetch the desired kind''' + resource_name = self.config.config_options['name']['value'] + if resource_name == 'cluster-reader': + resource_name += 's' + + # oc adm policy add-... creates policy bindings with the name + # "[resource_name]-binding", however some bindings in the system + # simply use "[resource_name]". So try both. + + results = self._get(self.config.kind, resource_name) + if results['returncode'] == 0: + return results + + # Now try -binding naming convention + return self._get(self.config.kind, resource_name + "-binding") + + def exists_role_binding(self): + ''' return whether role_binding exists ''' + results = self.get() + if results['returncode'] == 0: + self.role_binding = RoleBinding(results['results'][0]) + if self.role_binding.find_user_name(self.config.config_options['user']['value']) != None: + return True + + return False + + elif '\"%s\" not found' % self.config.config_options['name']['value'] in results['stderr']: + return False + + return results + + def exists_scc(self): + ''' return whether scc exists ''' + results = self.get() + if results['returncode'] == 0: + self.security_context_constraint = SecurityContextConstraints(results['results'][0]) + + if self.security_context_constraint.find_user(self.config.config_options['user']['value']) != None: + return True + + return False + + return results + + def exists(self): + '''does the object exist?''' + if self.config.config_options['resource_kind']['value'] == 'cluster-role': + return self.exists_role_binding() + + elif self.config.config_options['resource_kind']['value'] == 'role': + return self.exists_role_binding() + + elif self.config.config_options['resource_kind']['value'] == 'scc': + return self.exists_scc() + + return False + + def perform(self): + '''perform action on resource''' + cmd = ['policy', + self.config.config_options['action']['value'], + self.config.config_options['name']['value'], + self.config.config_options['user']['value']] + + return self.openshift_cmd(cmd, oadm=True) + + @staticmethod + def run_ansible(params, check_mode): + '''run the idempotent ansible code''' + + state = params['state'] + + action = None + if state == 'present': + action = 'add-' + params['resource_kind'] + '-to-user' + else: + action = 'remove-' + params['resource_kind'] + '-from-user' + + nconfig = PolicyUserConfig(params['namespace'], + params['kubeconfig'], + {'action': {'value': action, 'include': False}, + 'user': {'value': params['user'], 'include': False}, + 'resource_kind': {'value': params['resource_kind'], 'include': False}, + 'name': {'value': params['resource_name'], 'include': False}, + }) + + policyuser = PolicyUser(nconfig, params['debug']) + + # Run the oc adm policy user related command + + ######## + # Delete + ######## + if state == 'absent': + if not policyuser.exists(): + return {'changed': False, 'state': 'absent'} + + if check_mode: + return {'changed': False, 'msg': 'CHECK_MODE: would have performed a delete.'} + + api_rval = policyuser.perform() + + if api_rval['returncode'] != 0: + return {'msg': api_rval} + + return {'changed': True, 'results' : api_rval, state:'absent'} + + if state == 'present': + ######## + # Create + ######## + results = policyuser.exists() + if isinstance(results, dict) and 'returncode' in results and results['returncode'] != 0: + return {'msg': results} + + if not results: + + if check_mode: + return {'changed': False, 'msg': 'CHECK_MODE: would have performed a create.'} + + api_rval = policyuser.perform() + + if api_rval['returncode'] != 0: + return {'msg': api_rval} + + return {'changed': True, 'results': api_rval, state: 'present'} + + return {'changed': False, state: 'present'} + + return {'failed': True, 'changed': False, 'results': 'Unknown state passed. %s' % state, state: 'unknown'} + +# -*- -*- -*- End included fragment: class/oc_adm_policy_user.py -*- -*- -*- + +# -*- -*- -*- Begin included fragment: ansible/oc_adm_policy_user.py -*- -*- -*- + + +def main(): + ''' + ansible oc adm module for user policy + ''' + + module = AnsibleModule( + argument_spec=dict( + state=dict(default='present', type='str', + choices=['present', 'absent']), + debug=dict(default=False, type='bool'), + resource_name=dict(required=True, type='str'), + namespace=dict(default='default', type='str'), + kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), + + user=dict(required=True, type='str'), + resource_kind=dict(required=True, choices=['role', 'cluster-role', 'scc'], type='str'), + ), + supports_check_mode=True, + ) + + results = PolicyUser.run_ansible(module.params, module.check_mode) + + if 'failed' in results: + module.fail_json(**results) + + module.exit_json(**results) + + +if __name__ == "__main__": + main() + +# -*- -*- -*- End included fragment: ansible/oc_adm_policy_user.py -*- -*- -*- diff --git a/roles/lib_openshift/src/ansible/oc_adm_policy_group.py b/roles/lib_openshift/src/ansible/oc_adm_policy_group.py new file mode 100644 index 000000000..cf6691b03 --- /dev/null +++ b/roles/lib_openshift/src/ansible/oc_adm_policy_group.py @@ -0,0 +1,34 @@ +# pylint: skip-file +# flake8: noqa + + +def main(): + ''' + ansible oc adm module for group policy + ''' + + module = AnsibleModule( + argument_spec=dict( + state=dict(default='present', type='str', + choices=['present', 'absent']), + debug=dict(default=False, type='bool'), + resource_name=dict(required=True, type='str'), + namespace=dict(default='default', type='str'), + kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), + + group=dict(required=True, type='str'), + resource_kind=dict(required=True, choices=['role', 'cluster-role', 'scc'], type='str'), + ), + supports_check_mode=True, + ) + + results = PolicyGroup.run_ansible(module.params, module.check_mode) + + if 'failed' in results: + module.fail_json(**results) + + module.exit_json(**results) + + +if __name__ == "__main__": + main() diff --git a/roles/lib_openshift/src/ansible/oc_adm_policy_user.py b/roles/lib_openshift/src/ansible/oc_adm_policy_user.py new file mode 100644 index 000000000..a22496866 --- /dev/null +++ b/roles/lib_openshift/src/ansible/oc_adm_policy_user.py @@ -0,0 +1,34 @@ +# pylint: skip-file +# flake8: noqa + + +def main(): + ''' + ansible oc adm module for user policy + ''' + + module = AnsibleModule( + argument_spec=dict( + state=dict(default='present', type='str', + choices=['present', 'absent']), + debug=dict(default=False, type='bool'), + resource_name=dict(required=True, type='str'), + namespace=dict(default='default', type='str'), + kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'), + + user=dict(required=True, type='str'), + resource_kind=dict(required=True, choices=['role', 'cluster-role', 'scc'], type='str'), + ), + supports_check_mode=True, + ) + + results = PolicyUser.run_ansible(module.params, module.check_mode) + + if 'failed' in results: + module.fail_json(**results) + + module.exit_json(**results) + + +if __name__ == "__main__": + main() diff --git a/roles/lib_openshift/src/class/oc_adm_policy_group.py b/roles/lib_openshift/src/class/oc_adm_policy_group.py new file mode 100644 index 000000000..1d6b2450a --- /dev/null +++ b/roles/lib_openshift/src/class/oc_adm_policy_group.py @@ -0,0 +1,195 @@ +# pylint: skip-file +# flake8: noqa + + +class PolicyGroupException(Exception): + ''' PolicyGroup exception''' + pass + + +class PolicyGroupConfig(OpenShiftCLIConfig): + ''' PolicyGroupConfig is a DTO for group related policy. ''' + def __init__(self, namespace, kubeconfig, policy_options): + super(PolicyGroupConfig, self).__init__(policy_options['name']['value'], + namespace, kubeconfig, policy_options) + self.kind = self.get_kind() + self.namespace = namespace + + def get_kind(self): + ''' return the kind we are working with ''' + if self.config_options['resource_kind']['value'] == 'role': + return 'rolebinding' + elif self.config_options['resource_kind']['value'] == 'cluster-role': + return 'clusterrolebinding' + elif self.config_options['resource_kind']['value'] == 'scc': + return 'scc' + + return None + + +# pylint: disable=too-many-return-statements +class PolicyGroup(OpenShiftCLI): + ''' Class to handle attaching policies to users ''' + + + def __init__(self, + config, + verbose=False): + ''' Constructor for PolicyGroup ''' + super(PolicyGroup, self).__init__(config.namespace, config.kubeconfig, verbose) + self.config = config + self.verbose = verbose + self._rolebinding = None + self._scc = None + + @property + def role_binding(self): + ''' role_binding getter ''' + return self._rolebinding + + @role_binding.setter + def role_binding(self, binding): + ''' role_binding setter ''' + self._rolebinding = binding + + @property + def security_context_constraint(self): + ''' security_context_constraint getter ''' + return self._scc + + @security_context_constraint.setter + def security_context_constraint(self, scc): + ''' security_context_constraint setter ''' + self._scc = scc + + def get(self): + '''fetch the desired kind''' + resource_name = self.config.config_options['name']['value'] + if resource_name == 'cluster-reader': + resource_name += 's' + + # oc adm policy add-... creates policy bindings with the name + # "[resource_name]-binding", however some bindings in the system + # simply use "[resource_name]". So try both. + + results = self._get(self.config.kind, resource_name) + if results['returncode'] == 0: + return results + + # Now try -binding naming convention + return self._get(self.config.kind, resource_name + "-binding") + + def exists_role_binding(self): + ''' return whether role_binding exists ''' + results = self.get() + if results['returncode'] == 0: + self.role_binding = RoleBinding(results['results'][0]) + if self.role_binding.find_group_name(self.config.config_options['group']['value']) != None: + return True + + return False + + elif '\"%s\" not found' % self.config.config_options['name']['value'] in results['stderr']: + return False + + return results + + def exists_scc(self): + ''' return whether scc exists ''' + results = self.get() + if results['returncode'] == 0: + self.security_context_constraint = SecurityContextConstraints(results['results'][0]) + + if self.security_context_constraint.find_group(self.config.config_options['group']['value']) != None: + return True + + return False + + return results + + def exists(self): + '''does the object exist?''' + if self.config.config_options['resource_kind']['value'] == 'cluster-role': + return self.exists_role_binding() + + elif self.config.config_options['resource_kind']['value'] == 'role': + return self.exists_role_binding() + + elif self.config.config_options['resource_kind']['value'] == 'scc': + return self.exists_scc() + + return False + + def perform(self): + '''perform action on resource''' + cmd = ['policy', + self.config.config_options['action']['value'], + self.config.config_options['name']['value'], + self.config.config_options['group']['value']] + + return self.openshift_cmd(cmd, oadm=True) + + @staticmethod + def run_ansible(params, check_mode): + '''run the idempotent ansible code''' + + state = params['state'] + + action = None + if state == 'present': + action = 'add-' + params['resource_kind'] + '-to-group' + else: + action = 'remove-' + params['resource_kind'] + '-from-group' + + nconfig = PolicyGroupConfig(params['namespace'], + params['kubeconfig'], + {'action': {'value': action, 'include': False}, + 'group': {'value': params['group'], 'include': False}, + 'resource_kind': {'value': params['resource_kind'], 'include': False}, + 'name': {'value': params['resource_name'], 'include': False}, + }) + + policygroup = PolicyGroup(nconfig, params['debug']) + + # Run the oc adm policy group related command + + ######## + # Delete + ######## + if state == 'absent': + if not policygroup.exists(): + return {'changed': False, 'state': 'absent'} + + if check_mode: + return {'changed': False, 'msg': 'CHECK_MODE: would have performed a delete.'} + + api_rval = policygroup.perform() + + if api_rval['returncode'] != 0: + return {'msg': api_rval} + + return {'changed': True, 'results' : api_rval, state:'absent'} + + if state == 'present': + ######## + # Create + ######## + results = policygroup.exists() + if isinstance(results, dict) and 'returncode' in results and results['returncode'] != 0: + return {'msg': results} + + if not results: + + if check_mode: + return {'changed': False, 'msg': 'CHECK_MODE: would have performed a create.'} + + api_rval = policygroup.perform() + + if api_rval['returncode'] != 0: + return {'msg': api_rval} + + return {'changed': True, 'results': api_rval, state: 'present'} + + return {'changed': False, state: 'present'} + + return {'failed': True, 'changed': False, 'results': 'Unknown state passed. %s' % state, state: 'unknown'} diff --git a/roles/lib_openshift/src/class/oc_adm_policy_user.py b/roles/lib_openshift/src/class/oc_adm_policy_user.py new file mode 100644 index 000000000..8d2c5eadf --- /dev/null +++ b/roles/lib_openshift/src/class/oc_adm_policy_user.py @@ -0,0 +1,194 @@ +# pylint: skip-file +# flake8: noqa + + +class PolicyUserException(Exception): + ''' PolicyUser exception''' + pass + + +class PolicyUserConfig(OpenShiftCLIConfig): + ''' PolicyUserConfig is a DTO for user related policy. ''' + def __init__(self, namespace, kubeconfig, policy_options): + super(PolicyUserConfig, self).__init__(policy_options['name']['value'], + namespace, kubeconfig, policy_options) + self.kind = self.get_kind() + self.namespace = namespace + + def get_kind(self): + ''' return the kind we are working with ''' + if self.config_options['resource_kind']['value'] == 'role': + return 'rolebinding' + elif self.config_options['resource_kind']['value'] == 'cluster-role': + return 'clusterrolebinding' + elif self.config_options['resource_kind']['value'] == 'scc': + return 'scc' + + return None + + +# pylint: disable=too-many-return-statements +class PolicyUser(OpenShiftCLI): + ''' Class to handle attaching policies to users ''' + + def __init__(self, + policy_config, + verbose=False): + ''' Constructor for PolicyUser ''' + super(PolicyUser, self).__init__(policy_config.namespace, policy_config.kubeconfig, verbose) + self.config = policy_config + self.verbose = verbose + self._rolebinding = None + self._scc = None + + @property + def role_binding(self): + ''' role_binding property ''' + return self._rolebinding + + @role_binding.setter + def role_binding(self, binding): + ''' setter for role_binding property ''' + self._rolebinding = binding + + @property + def security_context_constraint(self): + ''' security_context_constraint property ''' + return self._scc + + @security_context_constraint.setter + def security_context_constraint(self, scc): + ''' setter for security_context_constraint property ''' + self._scc = scc + + def get(self): + '''fetch the desired kind''' + resource_name = self.config.config_options['name']['value'] + if resource_name == 'cluster-reader': + resource_name += 's' + + # oc adm policy add-... creates policy bindings with the name + # "[resource_name]-binding", however some bindings in the system + # simply use "[resource_name]". So try both. + + results = self._get(self.config.kind, resource_name) + if results['returncode'] == 0: + return results + + # Now try -binding naming convention + return self._get(self.config.kind, resource_name + "-binding") + + def exists_role_binding(self): + ''' return whether role_binding exists ''' + results = self.get() + if results['returncode'] == 0: + self.role_binding = RoleBinding(results['results'][0]) + if self.role_binding.find_user_name(self.config.config_options['user']['value']) != None: + return True + + return False + + elif '\"%s\" not found' % self.config.config_options['name']['value'] in results['stderr']: + return False + + return results + + def exists_scc(self): + ''' return whether scc exists ''' + results = self.get() + if results['returncode'] == 0: + self.security_context_constraint = SecurityContextConstraints(results['results'][0]) + + if self.security_context_constraint.find_user(self.config.config_options['user']['value']) != None: + return True + + return False + + return results + + def exists(self): + '''does the object exist?''' + if self.config.config_options['resource_kind']['value'] == 'cluster-role': + return self.exists_role_binding() + + elif self.config.config_options['resource_kind']['value'] == 'role': + return self.exists_role_binding() + + elif self.config.config_options['resource_kind']['value'] == 'scc': + return self.exists_scc() + + return False + + def perform(self): + '''perform action on resource''' + cmd = ['policy', + self.config.config_options['action']['value'], + self.config.config_options['name']['value'], + self.config.config_options['user']['value']] + + return self.openshift_cmd(cmd, oadm=True) + + @staticmethod + def run_ansible(params, check_mode): + '''run the idempotent ansible code''' + + state = params['state'] + + action = None + if state == 'present': + action = 'add-' + params['resource_kind'] + '-to-user' + else: + action = 'remove-' + params['resource_kind'] + '-from-user' + + nconfig = PolicyUserConfig(params['namespace'], + params['kubeconfig'], + {'action': {'value': action, 'include': False}, + 'user': {'value': params['user'], 'include': False}, + 'resource_kind': {'value': params['resource_kind'], 'include': False}, + 'name': {'value': params['resource_name'], 'include': False}, + }) + + policyuser = PolicyUser(nconfig, params['debug']) + + # Run the oc adm policy user related command + + ######## + # Delete + ######## + if state == 'absent': + if not policyuser.exists(): + return {'changed': False, 'state': 'absent'} + + if check_mode: + return {'changed': False, 'msg': 'CHECK_MODE: would have performed a delete.'} + + api_rval = policyuser.perform() + + if api_rval['returncode'] != 0: + return {'msg': api_rval} + + return {'changed': True, 'results' : api_rval, state:'absent'} + + if state == 'present': + ######## + # Create + ######## + results = policyuser.exists() + if isinstance(results, dict) and 'returncode' in results and results['returncode'] != 0: + return {'msg': results} + + if not results: + + if check_mode: + return {'changed': False, 'msg': 'CHECK_MODE: would have performed a create.'} + + api_rval = policyuser.perform() + + if api_rval['returncode'] != 0: + return {'msg': api_rval} + + return {'changed': True, 'results': api_rval, state: 'present'} + + return {'changed': False, state: 'present'} + + return {'failed': True, 'changed': False, 'results': 'Unknown state passed. %s' % state, state: 'unknown'} diff --git a/roles/lib_openshift/src/doc/policy_group b/roles/lib_openshift/src/doc/policy_group new file mode 100644 index 000000000..343413269 --- /dev/null +++ b/roles/lib_openshift/src/doc/policy_group @@ -0,0 +1,74 @@ +# flake8: noqa +# pylint: skip-file + +DOCUMENTATION = ''' +--- +module: oc_adm_policy_group +short_description: Module to manage openshift policy for groups +description: + - Manage openshift policy for groups. +options: + kubeconfig: + description: + - The path for the kubeconfig file to use for authentication + required: false + default: /etc/origin/master/admin.kubeconfig + aliases: [] + namespace: + description: + - The namespace scope + required: false + default: None + aliases: [] + debug: + description: + - Turn on debug output. + required: false + default: False + aliases: [] + group: + description: + - The name of the group + required: true + default: None + aliases: [] + resource_kind: + description: + - The kind of policy to affect + required: true + default: None + choices: ["role", "cluster-role", "scc"] + aliases: [] + resource_name: + description: + - The name of the policy + required: true + default: None + aliases: [] + state: + description: + - Desired state of the policy + required: true + default: present + choices: ["present", "absent"] + aliases: [] +author: +- "Kenny Woodson " +extends_documentation_fragment: [] +''' + +EXAMPLES = ''' +- name: oc adm policy remove-scc-from-group an-scc agroup + oc_adm_policy_group: + group: agroup + resource_kind: scc + resource_name: an-scc + state: absent + +- name: oc adm policy add-cluster-role-to-group system:build-strategy-docker agroup + oc_adm_policy_group: + group: agroup + resource_kind: cluster-role + resource_name: system:build-strategy-docker + state: present +''' diff --git a/roles/lib_openshift/src/doc/policy_user b/roles/lib_openshift/src/doc/policy_user new file mode 100644 index 000000000..351c9af65 --- /dev/null +++ b/roles/lib_openshift/src/doc/policy_user @@ -0,0 +1,74 @@ +# flake8: noqa +# pylint: skip-file + +DOCUMENTATION = ''' +--- +module: oc_adm_policy_user +short_description: Module to manage openshift policy for users +description: + - Manage openshift policy for users. +options: + kubeconfig: + description: + - The path for the kubeconfig file to use for authentication + required: false + default: /etc/origin/master/admin.kubeconfig + aliases: [] + namespace: + description: + - The namespace scope + required: false + default: None + aliases: [] + debug: + description: + - Turn on debug output. + required: false + default: False + aliases: [] + user: + description: + - The name of the user + required: true + default: None + aliases: [] + resource_kind: + description: + - The kind of policy to affect + required: true + default: None + choices: ["role", "cluster-role", "scc"] + aliases: [] + resource_name: + description: + - The name of the policy + required: true + default: None + aliases: [] + state: + description: + - Desired state of the policy + required: true + default: present + choices: ["present", "absent"] + aliases: [] +author: +- "Kenny Woodson " +extends_documentation_fragment: [] +''' + +EXAMPLES = ''' +- name: oc adm policy remove-scc-from-user an-scc ausername + oc_adm_policy_user: + user: ausername + resource_kind: scc + resource_name: an-scc + state: absent + +- name: oc adm policy add-cluster-role-to-user system:build-strategy-docker ausername + oc_adm_policy_user: + user: ausername + resource_kind: cluster-role + resource_name: system:build-strategy-docker + state: present +''' diff --git a/roles/lib_openshift/src/lib/scc.py b/roles/lib_openshift/src/lib/scc.py new file mode 100644 index 000000000..3e2aa08d7 --- /dev/null +++ b/roles/lib_openshift/src/lib/scc.py @@ -0,0 +1,218 @@ +# pylint: skip-file +# flake8: noqa + + +# pylint: disable=too-many-instance-attributes +class SecurityContextConstraintsConfig(object): + ''' Handle scc options ''' + # pylint: disable=too-many-arguments + def __init__(self, + sname, + kubeconfig, + options=None, + fs_group='MustRunAs', + default_add_capabilities=None, + groups=None, + priority=None, + required_drop_capabilities=None, + run_as_user='MustRunAsRange', + se_linux_context='MustRunAs', + supplemental_groups='RunAsAny', + users=None, + annotations=None): + ''' constructor for handling scc options ''' + self.kubeconfig = kubeconfig + self.name = sname + self.options = options + self.fs_group = fs_group + self.default_add_capabilities = default_add_capabilities + self.groups = groups + self.priority = priority + self.required_drop_capabilities = required_drop_capabilities + self.run_as_user = run_as_user + self.se_linux_context = se_linux_context + self.supplemental_groups = supplemental_groups + self.users = users + self.annotations = annotations + self.data = {} + + self.create_dict() + + def create_dict(self): + ''' assign the correct properties for a scc dict ''' + # allow options + if self.options: + for key, value in self.options.items(): + self.data[key] = value + else: + self.data['allowHostDirVolumePlugin'] = False + self.data['allowHostIPC'] = False + self.data['allowHostNetwork'] = False + self.data['allowHostPID'] = False + self.data['allowHostPorts'] = False + self.data['allowPrivilegedContainer'] = False + self.data['allowedCapabilities'] = None + + # version + self.data['apiVersion'] = 'v1' + # kind + self.data['kind'] = 'SecurityContextConstraints' + # defaultAddCapabilities + self.data['defaultAddCapabilities'] = self.default_add_capabilities + # fsGroup + self.data['fsGroup']['type'] = self.fs_group + # groups + self.data['groups'] = [] + if self.groups: + self.data['groups'] = self.groups + # metadata + self.data['metadata'] = {} + self.data['metadata']['name'] = self.name + if self.annotations: + for key, value in self.annotations.items(): + self.data['metadata'][key] = value + # priority + self.data['priority'] = self.priority + # requiredDropCapabilities + self.data['requiredDropCapabilities'] = self.required_drop_capabilities + # runAsUser + self.data['runAsUser'] = {'type': self.run_as_user} + # seLinuxContext + self.data['seLinuxContext'] = {'type': self.se_linux_context} + # supplementalGroups + self.data['supplementalGroups'] = {'type': self.supplemental_groups} + # users + self.data['users'] = [] + if self.users: + self.data['users'] = self.users + + +# pylint: disable=too-many-instance-attributes,too-many-public-methods,no-member +class SecurityContextConstraints(Yedit): + ''' Class to wrap the oc command line tools ''' + default_add_capabilities_path = "defaultAddCapabilities" + fs_group_path = "fsGroup" + groups_path = "groups" + priority_path = "priority" + required_drop_capabilities_path = "requiredDropCapabilities" + run_as_user_path = "runAsUser" + se_linux_context_path = "seLinuxContext" + supplemental_groups_path = "supplementalGroups" + users_path = "users" + kind = 'SecurityContextConstraints' + + def __init__(self, content): + '''SecurityContextConstraints constructor''' + super(SecurityContextConstraints, self).__init__(content=content) + self._users = None + self._groups = None + + @property + def users(self): + ''' users property getter ''' + if self._users is None: + self._users = self.get_users() + return self._users + + @property + def groups(self): + ''' groups property getter ''' + if self._groups is None: + self._groups = self.get_groups() + return self._groups + + @users.setter + def users(self, data): + ''' users property setter''' + self._users = data + + @groups.setter + def groups(self, data): + ''' groups property setter''' + self._groups = data + + def get_users(self): + '''get scc users''' + return self.get(SecurityContextConstraints.users_path) or [] + + def get_groups(self): + '''get scc groups''' + return self.get(SecurityContextConstraints.groups_path) or [] + + def add_user(self, inc_user): + ''' add a user ''' + if self.users: + self.users.append(inc_user) + else: + self.put(SecurityContextConstraints.users_path, [inc_user]) + + return True + + def add_group(self, inc_group): + ''' add a group ''' + if self.groups: + self.groups.append(inc_group) + else: + self.put(SecurityContextConstraints.groups_path, [inc_group]) + + return True + + def remove_user(self, inc_user): + ''' remove a user ''' + try: + self.users.remove(inc_user) + except ValueError as _: + return False + + return True + + def remove_group(self, inc_group): + ''' remove a group ''' + try: + self.groups.remove(inc_group) + except ValueError as _: + return False + + return True + + def update_user(self, inc_user): + ''' update a user ''' + try: + index = self.users.index(inc_user) + except ValueError as _: + return self.add_user(inc_user) + + self.users[index] = inc_user + + return True + + def update_group(self, inc_group): + ''' update a group ''' + try: + index = self.groups.index(inc_group) + except ValueError as _: + return self.add_group(inc_group) + + self.groups[index] = inc_group + + return True + + def find_user(self, inc_user): + ''' find a user ''' + index = None + try: + index = self.users.index(inc_user) + except ValueError as _: + return index + + return index + + def find_group(self, inc_group): + ''' find a group ''' + index = None + try: + index = self.groups.index(inc_group) + except ValueError as _: + return index + + return index diff --git a/roles/lib_openshift/src/sources.yml b/roles/lib_openshift/src/sources.yml index a48fdf0c2..a0e200d0a 100644 --- a/roles/lib_openshift/src/sources.yml +++ b/roles/lib_openshift/src/sources.yml @@ -19,6 +19,30 @@ oadm_manage_node.py: - class/oadm_manage_node.py - ansible/oadm_manage_node.py +oc_adm_policy_user.py: +- doc/generated +- doc/license +- lib/import.py +- doc/policy_user +- ../../lib_utils/src/class/yedit.py +- lib/base.py +- lib/rolebinding.py +- lib/scc.py +- class/oc_adm_policy_user.py +- ansible/oc_adm_policy_user.py + +oc_adm_policy_group.py: +- doc/generated +- doc/license +- lib/import.py +- doc/policy_group +- ../../lib_utils/src/class/yedit.py +- lib/base.py +- lib/rolebinding.py +- lib/scc.py +- class/oc_adm_policy_group.py +- ansible/oc_adm_policy_group.py + oc_adm_registry.py: - doc/generated - doc/license -- cgit v1.2.3