def fetch_desired_state():
gqlapi = gql.get_api()
roles = expiration.filter(gqlapi.query(QUAY_ORG_QUERY)['roles'])
state = AggregatedList()
for role in roles:
permissions = [
process_permission(p)
for p in role['permissions']
if p.get('service') == 'quay-membership'
]
if permissions:
members = []
for user in role['users'] + role['bots']:
quay_username = user.get('quay_username')
if quay_username:
members.append(quay_username)
for p in permissions:
state.add(p, members)
return state
def get_desired_state():
gqlapi = gql.get_api()
roles = expiration.filter(gqlapi.query(ROLES_QUERY)['roles'])
desired_state = []
for r in roles:
for p in r['permissions']:
if p['service'] != 'jenkins-role':
continue
for u in r['users']:
desired_state.append({
"instance": p['instance']['name'],
"role": p['role'],
"user": u['org_username']
})
for u in r['bots']:
if u['org_username'] is None:
continue
desired_state.append({
"instance": p['instance']['name'],
"role": p['role'],
"user": u['org_username']
})
return desired_state
def test_valid_roles():
roles = [{
"expirationDate": "2500-01-01"
}, {
"expirationDate": "1990-01-01"
}]
filtered = expiration.filter(roles)
assert len(filtered) == 1
assert filtered[0]["expirationDate"] == "2500-01-01"
def setup(print_to_file, thread_pool_size: int) \
-> tuple[list[dict[str, Any]], dict[str, str], bool, AWSApi]:
gqlapi = gql.get_api()
accounts = queries.get_aws_accounts()
settings = queries.get_app_interface_settings()
roles = expiration.filter(gqlapi.query(TF_QUERY)['roles'])
tf_roles = [
r for r in roles
if r['aws_groups'] is not None or r['user_policies'] is not None
]
ts = Terrascript(QONTRACT_INTEGRATION,
QONTRACT_TF_PREFIX,
thread_pool_size,
accounts,
settings=settings)
err = ts.populate_users(tf_roles)
working_dirs = ts.dump(print_to_file)
aws_api = AWSApi(1, accounts, settings=settings, init_users=False)
return accounts, working_dirs, err, aws_api
def fetch_desired_state():
desired_state = {}
gqlapi = gql.get_api()
roles = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"])
for role in roles:
permissions = [
p for p in role["permissions"]
if p.get("service") in ["github-org", "github-org-team"]
and p.get("role") == "owner"
]
if not permissions:
continue
for permission in permissions:
github_org = permission["org"]
desired_state.setdefault(github_org, [])
for user in role["users"]:
github_username = user["github_username"]
desired_state[github_org].append(github_username)
for bot in role["bots"]:
github_username = bot["github_username"]
desired_state[github_org].append(github_username)
return desired_state
def fetch_desired_state(oc_map):
gqlapi = gql.get_api()
roles = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"])
desired_state = []
for r in roles:
for a in r["access"] or []:
if None in [a["cluster"], a["group"]]:
continue
if oc_map and a["cluster"]["name"] not in oc_map.clusters():
continue
user_key = ob.determine_user_key_for_access(a["cluster"])
for u in r["users"]:
if u[user_key] is None:
continue
desired_state.append({
"cluster": a["cluster"]["name"],
"group": a["group"],
"user": u[user_key],
})
return desired_state
def fetch_desired_state(ri, oc_map):
gqlapi = gql.get_api()
roles = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"])
users_desired_state = []
for role in roles:
permissions = [{
"cluster": a["namespace"]["cluster"],
"namespace": a["namespace"]["name"],
"role": a["role"],
} for a in role["access"] or []
if None not in [a["namespace"], a["role"]]
and a["namespace"].get("managedRoles")]
if not permissions:
continue
service_accounts = [
bot["openshift_serviceaccount"] for bot in role["bots"]
if bot.get("openshift_serviceaccount")
]
for permission in permissions:
cluster_info = permission["cluster"]
cluster = cluster_info["name"]
namespace = permission["namespace"]
if not is_in_shard(f"{cluster}/{namespace}"):
continue
if oc_map and not oc_map.get(cluster):
continue
user_key = ob.determine_user_key_for_access(cluster_info)
for user in role["users"]:
# used by openshift-users and github integrations
# this is just to simplify things a bit on the their side
users_desired_state.append({
"cluster": cluster,
"user": user[user_key]
})
if ri is None:
continue
oc_resource, resource_name = construct_user_oc_resource(
permission["role"], user[user_key])
try:
ri.add_desired(
cluster,
permission["namespace"],
"RoleBinding.authorization.openshift.io",
resource_name,
oc_resource,
)
except ResourceKeyExistsError:
# a user may have a Role assigned to them
# from multiple app-interface roles
pass
for sa in service_accounts:
if ri is None:
continue
namespace, sa_name = sa.split("/")
oc_resource, resource_name = construct_sa_oc_resource(
permission["role"], namespace, sa_name)
try:
ri.add_desired(
cluster,
permission["namespace"],
"RoleBinding.authorization.openshift.io",
resource_name,
oc_resource,
)
except ResourceKeyExistsError:
# a ServiceAccount may have a Role assigned to it
# from multiple app-interface roles
pass
return users_desired_state
def fetch_desired_state(infer_clusters=True):
gqlapi = gql.get_api()
state = AggregatedList()
roles = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"])
for role in roles:
permissions = list(
filter(
lambda p: p.get("service") in
["github-org", "github-org-team"],
role["permissions"],
))
if not permissions:
continue
members = []
for user in role["users"]:
members.append(user["github_username"])
for bot in role["bots"]:
if "github_username" in bot:
members.append(bot["github_username"])
members = [m.lower() for m in members]
for permission in permissions:
if permission["service"] == "github-org":
state.add(permission, members)
elif permission["service"] == "github-org-team":
state.add(permission, members)
state.add(
{
"service": "github-org",
"org": permission["org"],
},
members,
)
if not infer_clusters:
return state
clusters = gqlapi.query(CLUSTERS_QUERY)["clusters"]
openshift_users_desired_state = openshift_users.fetch_desired_state(
oc_map=None)
for cluster in clusters:
if not cluster["auth"]:
continue
cluster_name = cluster["name"]
members = [
ou["user"].lower() for ou in openshift_users_desired_state
if ou["cluster"] == cluster_name
]
state.add(
{
"service": "github-org",
"org": cluster["auth"]["org"],
},
members,
)
if cluster["auth"]["service"] == "github-org-team":
state.add(
{
"service": "github-org-team",
"org": cluster["auth"]["org"],
"team": cluster["auth"]["team"],
},
members,
)
return state
def fetch_desired_state(gqlapi, sentry_instance, ghapi):
user_roles = {}
def process_user_role(user, role, sentryUrl):
if role["sentry_roles"] is not None:
for r in role["sentry_roles"]:
if r["instance"]["consoleUrl"] == sentryUrl and r[
"role"] is not None:
try:
process_role(user, r["role"])
except ValueError:
logging.error([
"desired_state", "multiple_roles", user, sentryUrl
])
def process_role(gh_user, sentryRole):
email = get_github_email(ghapi, gh_user)
if email is not None:
if email in user_roles:
raise ValueError
user_roles[email] = sentryRole
state = SentryState()
# Query for users that should be in sentry
team_members = {}
sentryUrl = sentry_instance["consoleUrl"]
roles = expiration.filter(gqlapi.query(SENTRY_USERS_QUERY)["roles"])
for role in roles:
if role["sentry_teams"] is None:
continue
# Users that should exist
members = []
for user in role["users"] + role["bots"]:
email = get_github_email(ghapi, user)
if email is not None:
members.append(email)
process_user_role(user, role, sentryUrl)
for team in role["sentry_teams"]:
# Only add users if the team they are a part of is in the same
# sentry instance we are querying for information
if team["instance"]["consoleUrl"] == sentryUrl:
if team["name"] not in team_members:
team_members[team["name"]] = members
else:
team_members[team["name"]].extend(members)
state.init_roles(user_roles)
state.init_users_from_desired_state(team_members)
# Query for teams that should be in sentry
result = gqlapi.query(SENTRY_TEAMS_QUERY)
teams = []
for team in result["teams"]:
if team["instance"]["consoleUrl"] == sentry_instance["consoleUrl"]:
if team in teams:
logging.error(["team_exists", team])
continue
teams.append(_to_slug_(team["name"]))
state.init_teams(teams)
# Query for projects that should be in sentry
result = gqlapi.query(SENTRY_PROJECTS_QUERY)
projects = {}
for app in result["apps"]:
sentry_projects = app.get("sentryProjects")
if sentry_projects is None:
continue
for sentry_project in sentry_projects:
if (sentry_project["team"]["instance"]["consoleUrl"] !=
sentry_instance["consoleUrl"]):
continue
team = _to_slug_(sentry_project["team"]["name"])
team_projects = []
for project_config in sentry_project["projects"]:
if project_in_project_list(project_config, projects.values()):
logging.error(["project_exists", project_config["name"]])
continue
config = {}
for field in project_config.keys():
if project_config[field] is not None:
if field == "name":
slug = _to_slug_(project_config[field])
config[field] = slug
else:
config[field] = project_config[field]
team_projects.append(config)
if team in projects:
projects[team].extend(team_projects)
else:
projects[team] = team_projects
state.init_projects(projects)
return state
def test_invalid_format():
roles = [{"expirationDate": "25000101"}]
with pytest.raises(ValueError):
expiration.filter(roles)
def test_no_roles():
roles = [{"expirationDate": "1990-01-01"}]
filtered = expiration.filter(roles)
assert len(filtered) == 0
