def fetch_desired_state(oc_map):
gqlapi = gql.get_api()
roles = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"])
desired_state = []
for r in roles:
for a in r["access"] or []:
if None in [a["cluster"], a["group"]]:
continue
if oc_map and a["cluster"]["name"] not in oc_map.clusters():
continue
user_key = ob.determine_user_key_for_access(a["cluster"])
for u in r["users"]:
if u[user_key] is None:
continue
desired_state.append({
"cluster": a["cluster"]["name"],
"group": a["group"],
"user": u[user_key],
})
return desired_state
def fetch_desired_state(ri, oc_map):
gqlapi = gql.get_api()
roles = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"])
users_desired_state = []
for role in roles:
permissions = [{
"cluster": a["namespace"]["cluster"],
"namespace": a["namespace"]["name"],
"role": a["role"],
} for a in role["access"] or []
if None not in [a["namespace"], a["role"]]
and a["namespace"].get("managedRoles")]
if not permissions:
continue
service_accounts = [
bot["openshift_serviceaccount"] for bot in role["bots"]
if bot.get("openshift_serviceaccount")
]
for permission in permissions:
cluster_info = permission["cluster"]
cluster = cluster_info["name"]
namespace = permission["namespace"]
if not is_in_shard(f"{cluster}/{namespace}"):
continue
if oc_map and not oc_map.get(cluster):
continue
user_key = ob.determine_user_key_for_access(cluster_info)
for user in role["users"]:
# used by openshift-users and github integrations
# this is just to simplify things a bit on the their side
users_desired_state.append({
"cluster": cluster,
"user": user[user_key]
})
if ri is None:
continue
oc_resource, resource_name = construct_user_oc_resource(
permission["role"], user[user_key])
try:
ri.add_desired(
cluster,
permission["namespace"],
"RoleBinding.authorization.openshift.io",
resource_name,
oc_resource,
)
except ResourceKeyExistsError:
# a user may have a Role assigned to them
# from multiple app-interface roles
pass
for sa in service_accounts:
if ri is None:
continue
namespace, sa_name = sa.split("/")
oc_resource, resource_name = construct_sa_oc_resource(
permission["role"], namespace, sa_name)
try:
ri.add_desired(
cluster,
permission["namespace"],
"RoleBinding.authorization.openshift.io",
resource_name,
oc_resource,
)
except ResourceKeyExistsError:
# a ServiceAccount may have a Role assigned to it
# from multiple app-interface roles
pass
return users_desired_state
def test_determine_user_key_for_access_not_implemented():
cluster_info = {"auth": {"service": "not-implemented"}, "name": "c"}
with pytest.raises(NotImplementedError):
sut.determine_user_key_for_access(cluster_info)
def test_determine_user_key_for_access_oidc():
cluster_info = {"auth": {"service": "oidc"}}
user_key = sut.determine_user_key_for_access(cluster_info)
assert user_key == "org_username"
def test_determine_user_key_for_access_github_org_team():
cluster_info = {"auth": {"service": "github-org-team"}}
user_key = sut.determine_user_key_for_access(cluster_info)
assert user_key == "github_username"