def fetch_desired_state(): gqlapi = gql.get_api() roles = expiration.filter(gqlapi.query(QUAY_ORG_QUERY)['roles']) state = AggregatedList() for role in roles: permissions = [ process_permission(p) for p in role['permissions'] if p.get('service') == 'quay-membership' ] if permissions: members = [] for user in role['users'] + role['bots']: quay_username = user.get('quay_username') if quay_username: members.append(quay_username) for p in permissions: state.add(p, members) return state
def get_desired_state(): gqlapi = gql.get_api() roles = expiration.filter(gqlapi.query(ROLES_QUERY)['roles']) desired_state = [] for r in roles: for p in r['permissions']: if p['service'] != 'jenkins-role': continue for u in r['users']: desired_state.append({ "instance": p['instance']['name'], "role": p['role'], "user": u['org_username'] }) for u in r['bots']: if u['org_username'] is None: continue desired_state.append({ "instance": p['instance']['name'], "role": p['role'], "user": u['org_username'] }) return desired_state
def test_valid_roles(): roles = [{ "expirationDate": "2500-01-01" }, { "expirationDate": "1990-01-01" }] filtered = expiration.filter(roles) assert len(filtered) == 1 assert filtered[0]["expirationDate"] == "2500-01-01"
def setup(print_to_file, thread_pool_size: int) \ -> tuple[list[dict[str, Any]], dict[str, str], bool, AWSApi]: gqlapi = gql.get_api() accounts = queries.get_aws_accounts() settings = queries.get_app_interface_settings() roles = expiration.filter(gqlapi.query(TF_QUERY)['roles']) tf_roles = [ r for r in roles if r['aws_groups'] is not None or r['user_policies'] is not None ] ts = Terrascript(QONTRACT_INTEGRATION, QONTRACT_TF_PREFIX, thread_pool_size, accounts, settings=settings) err = ts.populate_users(tf_roles) working_dirs = ts.dump(print_to_file) aws_api = AWSApi(1, accounts, settings=settings, init_users=False) return accounts, working_dirs, err, aws_api
def fetch_desired_state(): desired_state = {} gqlapi = gql.get_api() roles = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"]) for role in roles: permissions = [ p for p in role["permissions"] if p.get("service") in ["github-org", "github-org-team"] and p.get("role") == "owner" ] if not permissions: continue for permission in permissions: github_org = permission["org"] desired_state.setdefault(github_org, []) for user in role["users"]: github_username = user["github_username"] desired_state[github_org].append(github_username) for bot in role["bots"]: github_username = bot["github_username"] desired_state[github_org].append(github_username) return desired_state
def fetch_desired_state(oc_map): gqlapi = gql.get_api() roles = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"]) desired_state = [] for r in roles: for a in r["access"] or []: if None in [a["cluster"], a["group"]]: continue if oc_map and a["cluster"]["name"] not in oc_map.clusters(): continue user_key = ob.determine_user_key_for_access(a["cluster"]) for u in r["users"]: if u[user_key] is None: continue desired_state.append({ "cluster": a["cluster"]["name"], "group": a["group"], "user": u[user_key], }) return desired_state
def fetch_desired_state(ri, oc_map): gqlapi = gql.get_api() roles = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"]) users_desired_state = [] for role in roles: permissions = [{ "cluster": a["namespace"]["cluster"], "namespace": a["namespace"]["name"], "role": a["role"], } for a in role["access"] or [] if None not in [a["namespace"], a["role"]] and a["namespace"].get("managedRoles")] if not permissions: continue service_accounts = [ bot["openshift_serviceaccount"] for bot in role["bots"] if bot.get("openshift_serviceaccount") ] for permission in permissions: cluster_info = permission["cluster"] cluster = cluster_info["name"] namespace = permission["namespace"] if not is_in_shard(f"{cluster}/{namespace}"): continue if oc_map and not oc_map.get(cluster): continue user_key = ob.determine_user_key_for_access(cluster_info) for user in role["users"]: # used by openshift-users and github integrations # this is just to simplify things a bit on the their side users_desired_state.append({ "cluster": cluster, "user": user[user_key] }) if ri is None: continue oc_resource, resource_name = construct_user_oc_resource( permission["role"], user[user_key]) try: ri.add_desired( cluster, permission["namespace"], "RoleBinding.authorization.openshift.io", resource_name, oc_resource, ) except ResourceKeyExistsError: # a user may have a Role assigned to them # from multiple app-interface roles pass for sa in service_accounts: if ri is None: continue namespace, sa_name = sa.split("/") oc_resource, resource_name = construct_sa_oc_resource( permission["role"], namespace, sa_name) try: ri.add_desired( cluster, permission["namespace"], "RoleBinding.authorization.openshift.io", resource_name, oc_resource, ) except ResourceKeyExistsError: # a ServiceAccount may have a Role assigned to it # from multiple app-interface roles pass return users_desired_state
def fetch_desired_state(infer_clusters=True): gqlapi = gql.get_api() state = AggregatedList() roles = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"]) for role in roles: permissions = list( filter( lambda p: p.get("service") in ["github-org", "github-org-team"], role["permissions"], )) if not permissions: continue members = [] for user in role["users"]: members.append(user["github_username"]) for bot in role["bots"]: if "github_username" in bot: members.append(bot["github_username"]) members = [m.lower() for m in members] for permission in permissions: if permission["service"] == "github-org": state.add(permission, members) elif permission["service"] == "github-org-team": state.add(permission, members) state.add( { "service": "github-org", "org": permission["org"], }, members, ) if not infer_clusters: return state clusters = gqlapi.query(CLUSTERS_QUERY)["clusters"] openshift_users_desired_state = openshift_users.fetch_desired_state( oc_map=None) for cluster in clusters: if not cluster["auth"]: continue cluster_name = cluster["name"] members = [ ou["user"].lower() for ou in openshift_users_desired_state if ou["cluster"] == cluster_name ] state.add( { "service": "github-org", "org": cluster["auth"]["org"], }, members, ) if cluster["auth"]["service"] == "github-org-team": state.add( { "service": "github-org-team", "org": cluster["auth"]["org"], "team": cluster["auth"]["team"], }, members, ) return state
def fetch_desired_state(gqlapi, sentry_instance, ghapi): user_roles = {} def process_user_role(user, role, sentryUrl): if role["sentry_roles"] is not None: for r in role["sentry_roles"]: if r["instance"]["consoleUrl"] == sentryUrl and r[ "role"] is not None: try: process_role(user, r["role"]) except ValueError: logging.error([ "desired_state", "multiple_roles", user, sentryUrl ]) def process_role(gh_user, sentryRole): email = get_github_email(ghapi, gh_user) if email is not None: if email in user_roles: raise ValueError user_roles[email] = sentryRole state = SentryState() # Query for users that should be in sentry team_members = {} sentryUrl = sentry_instance["consoleUrl"] roles = expiration.filter(gqlapi.query(SENTRY_USERS_QUERY)["roles"]) for role in roles: if role["sentry_teams"] is None: continue # Users that should exist members = [] for user in role["users"] + role["bots"]: email = get_github_email(ghapi, user) if email is not None: members.append(email) process_user_role(user, role, sentryUrl) for team in role["sentry_teams"]: # Only add users if the team they are a part of is in the same # sentry instance we are querying for information if team["instance"]["consoleUrl"] == sentryUrl: if team["name"] not in team_members: team_members[team["name"]] = members else: team_members[team["name"]].extend(members) state.init_roles(user_roles) state.init_users_from_desired_state(team_members) # Query for teams that should be in sentry result = gqlapi.query(SENTRY_TEAMS_QUERY) teams = [] for team in result["teams"]: if team["instance"]["consoleUrl"] == sentry_instance["consoleUrl"]: if team in teams: logging.error(["team_exists", team]) continue teams.append(_to_slug_(team["name"])) state.init_teams(teams) # Query for projects that should be in sentry result = gqlapi.query(SENTRY_PROJECTS_QUERY) projects = {} for app in result["apps"]: sentry_projects = app.get("sentryProjects") if sentry_projects is None: continue for sentry_project in sentry_projects: if (sentry_project["team"]["instance"]["consoleUrl"] != sentry_instance["consoleUrl"]): continue team = _to_slug_(sentry_project["team"]["name"]) team_projects = [] for project_config in sentry_project["projects"]: if project_in_project_list(project_config, projects.values()): logging.error(["project_exists", project_config["name"]]) continue config = {} for field in project_config.keys(): if project_config[field] is not None: if field == "name": slug = _to_slug_(project_config[field]) config[field] = slug else: config[field] = project_config[field] team_projects.append(config) if team in projects: projects[team].extend(team_projects) else: projects[team] = team_projects state.init_projects(projects) return state
def test_invalid_format(): roles = [{"expirationDate": "25000101"}] with pytest.raises(ValueError): expiration.filter(roles)
def test_no_roles(): roles = [{"expirationDate": "1990-01-01"}] filtered = expiration.filter(roles) assert len(filtered) == 0