From 82db6897085a1278e6b982a403875ed8671190bb Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Wed, 6 Jan 2016 13:01:25 -0500 Subject: Move extra secret validations into openshift_facts. --- playbooks/common/openshift-master/config.yml | 9 --------- roles/openshift_facts/library/openshift_facts.py | 18 +++++++++++++++--- roles/openshift_master/tasks/main.yml | 10 ---------- 3 files changed, 15 insertions(+), 22 deletions(-) diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 0334a002e..a41f489ea 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -238,15 +238,6 @@ - name: Check for cached session secrets hosts: oo_first_master - pre_tasks: - - fail: - msg: > - Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) - - fail: - msg: > - openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) roles: - role: openshift_facts post_tasks: diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 133de758f..9cebbcce1 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -1259,9 +1259,8 @@ class OpenShiftFacts(object): if new_local_facts != local_facts: self.validate_local_facts(new_local_facts) - + changed = True if not module.check_mode: - changed = True save_local_facts(self.filename, new_local_facts) self.changed = changed @@ -1284,7 +1283,9 @@ class OpenShiftFacts(object): # disabling pylint errors for line-too-long since we're dealing # with best effort reduction of error messages here. - # pylint: disable=line-too-long + # disabling errors for too-many-branches since we require checking + # many conditions. + # pylint: disable=line-too-long, too-many-branches @staticmethod def validate_master_facts(facts, invalid_facts): """ Validate master facts @@ -1302,6 +1303,13 @@ class OpenShiftFacts(object): session_auth_secrets = facts['master']['session_auth_secrets'] if not issubclass(type(session_auth_secrets), list): invalid_facts['session_auth_secrets'] = 'Expects session_auth_secrets is a list.' + elif 'session_encryption_secrets' not in facts['master']: + invalid_facts['session_auth_secrets'] = ('openshift_master_session_encryption secrets must be set ' + 'if openshift_master_session_auth_secrets is provided.') + elif len(session_auth_secrets) != len(facts['master']['session_encryption_secrets']): + invalid_facts['session_auth_secrets'] = ('openshift_master_session_auth_secrets and ' + 'openshift_master_session_encryption_secrets must be ' + 'equal length.') else: for secret in session_auth_secrets: if len(secret) < 32: @@ -1312,6 +1320,10 @@ class OpenShiftFacts(object): session_encryption_secrets = facts['master']['session_encryption_secrets'] if not issubclass(type(session_encryption_secrets), list): invalid_facts['session_encryption_secrets'] = 'Expects session_encryption_secrets is a list.' + elif 'session_auth_secrets' not in facts['master']: + invalid_facts['session_encryption_secrets'] = ('openshift_master_session_auth_secrets must be ' + 'set if openshift_master_session_encryption_secrets ' + 'is provided.') else: for secret in session_encryption_secrets: if len(secret) not in [16, 24, 32]: diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index a3cddfd63..397122631 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -9,16 +9,6 @@ Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }} when: openshift_master_oauth_grant_method is defined and openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods -# Session Options Validation -- fail: - msg: > - Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) -- fail: - msg: > - openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) - # HA Variable Validation - fail: msg: "openshift_master_cluster_method must be set to either 'native' or 'pacemaker' for multi-master installations" -- cgit v1.2.3