def get_desired_state(slack):
desired_state = []
all_users = queries.get_roles()
all_clusters = queries.get_clusters(minimal=True)
clusters = [c for c in all_clusters
if c.get('auth') and c['auth'].get('team')
and c.get('ocm')]
openshift_users_desired_state = \
openshift_users.fetch_desired_state(oc_map=None)
for cluster in clusters:
cluster_name = cluster['name']
cluster_users = [u['user'] for u in openshift_users_desired_state
if u['cluster'] == cluster_name]
usergroup = cluster['auth']['team']
try:
ugid = slack.get_usergroup_id(usergroup)
except UsergroupNotFoundException:
logging.warning(f'Usergroup {usergroup} not found')
continue
user_names = [slack_usergroups.get_slack_username(u)
for u in all_users
if include_user(u, cluster_name, cluster_users)]
users = slack.get_users_by_names(user_names)
channels = slack.get_channels_by_names([slack.chat_kwargs['channel']])
desired_state.append({
"workspace": slack.workspace_name,
"usergroup": usergroup,
"usergroup_id": ugid,
"users": users,
"channels": channels,
"description": f'Users with access to the {cluster_name} cluster',
})
return desired_state
def get_desired_state(slack):
"""
Get the desired state of the Slack cluster usergroups.
:param slack: client for calling Slack API
:type slack: reconcile.utils.slack_api.SlackApi
:return: desired state data, keys are workspace -> usergroup
(ex. state['coreos']['app-sre-ic']
:rtype: dict
"""
desired_state = {}
all_users = queries.get_roles()
all_clusters = queries.get_clusters(minimal=True)
clusters = [
c for c in all_clusters
if c.get("auth") and c["auth"].get("team") and c.get("ocm")
]
openshift_users_desired_state = openshift_users.fetch_desired_state(
oc_map=None)
for cluster in clusters:
cluster_name = cluster["name"]
cluster_users = [
u["user"] for u in openshift_users_desired_state
if u["cluster"] == cluster_name
]
usergroup = cluster["auth"]["team"]
try:
ugid = slack.get_usergroup_id(usergroup)
except UsergroupNotFoundException:
logging.warning(f"Usergroup {usergroup} not found")
continue
user_names = [
slack_usergroups.get_slack_username(u) for u in all_users
if include_user(u, cluster_name, cluster_users)
]
users = slack.get_users_by_names(user_names)
channels = slack.get_channels_by_names([slack.channel])
desired_state.setdefault(slack.workspace_name, {})[usergroup] = {
"workspace": slack.workspace_name,
"usergroup": usergroup,
"usergroup_id": ugid,
"users": users,
"channels": channels,
"description": f"Users with access to the {cluster_name} cluster",
}
return desired_state
def run(dry_run):
settings = queries.get_app_interface_settings()
secret_reader = SecretReader(settings=settings)
users = queries.get_roles(aws=False, saas_files=False, sendgrid=True)
desired_state_all = fetch_desired_state(users)
sendgrid_accounts = queries.get_sendgrid_accounts()
for sg_account in sendgrid_accounts:
token = secret_reader.read(sg_account['token'])
sg_client = sendgrid.SendGridAPIClient(api_key=token).client
current_state = fetch_current_state(sg_client)
desired_state = desired_state_all.get(sg_account['name'], [])
error = act(dry_run, sg_client, desired_state, current_state)
if error:
sys.exit(ExitCodes.ERROR)
def roles(ctx, org_username):
users = queries.get_roles()
users = [u for u in users if u['org_username'] == org_username]
if len(users) == 0:
print("User not found")
return
user = users[0]
roles = []
def add(d):
for i, r in enumerate(roles):
if all(d[k] == r[k] for k in ("type", "name", "resource")):
roles.insert(i + 1, {
"type": "",
"name": "",
"resource": "",
"ref": d["ref"]
})
return
roles.append(d)
for role in user["roles"]:
role_name = role["path"]
for p in role.get("permissions") or []:
r_name = p["service"]
if "org" in p or "team" in p:
r_name = r_name.split("-")[0]
if "org" in p:
r_name += "/" + p["org"]
if "team" in p:
r_name += "/" + p["team"]
add({
"type": "permission",
"name": p["name"],
"resource": r_name,
"ref": role_name
})
for aws in role.get("aws_groups") or []:
for policy in aws["policies"]:
add({
"type": "aws",
"name": policy,
"resource": aws["account"]["name"],
"ref": aws["path"]
})
for a in role.get("access") or []:
if a["cluster"]:
cluster_name = a["cluster"]["name"]
add({
"type": "cluster",
"name": a["clusterRole"],
"resource": cluster_name,
"ref": role_name
})
elif a["namespace"]:
ns_name = a["namespace"]["name"]
add({
"type": "namespace",
"name": a["role"],
"resource": ns_name,
"ref": role_name
})
for s in role.get("owned_saas_files") or []:
add({
"type": "saas_file",
"name": "owner",
"resource": s["name"],
"ref": role_name
})
columns = ['type', 'name', 'resource', 'ref']
print_output(ctx.obj['output'], roles, columns)
