def fetch_desired_state(oc_map): gqlapi = gql.get_api() roles = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"]) desired_state = [] for r in roles: for a in r["access"] or []: if None in [a["cluster"], a["group"]]: continue if oc_map and a["cluster"]["name"] not in oc_map.clusters(): continue user_key = ob.determine_user_key_for_access(a["cluster"]) for u in r["users"]: if u[user_key] is None: continue desired_state.append({ "cluster": a["cluster"]["name"], "group": a["group"], "user": u[user_key], }) return desired_state
def fetch_desired_state(ri, oc_map): gqlapi = gql.get_api() roles = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"]) users_desired_state = [] for role in roles: permissions = [{ "cluster": a["namespace"]["cluster"], "namespace": a["namespace"]["name"], "role": a["role"], } for a in role["access"] or [] if None not in [a["namespace"], a["role"]] and a["namespace"].get("managedRoles")] if not permissions: continue service_accounts = [ bot["openshift_serviceaccount"] for bot in role["bots"] if bot.get("openshift_serviceaccount") ] for permission in permissions: cluster_info = permission["cluster"] cluster = cluster_info["name"] namespace = permission["namespace"] if not is_in_shard(f"{cluster}/{namespace}"): continue if oc_map and not oc_map.get(cluster): continue user_key = ob.determine_user_key_for_access(cluster_info) for user in role["users"]: # used by openshift-users and github integrations # this is just to simplify things a bit on the their side users_desired_state.append({ "cluster": cluster, "user": user[user_key] }) if ri is None: continue oc_resource, resource_name = construct_user_oc_resource( permission["role"], user[user_key]) try: ri.add_desired( cluster, permission["namespace"], "RoleBinding.authorization.openshift.io", resource_name, oc_resource, ) except ResourceKeyExistsError: # a user may have a Role assigned to them # from multiple app-interface roles pass for sa in service_accounts: if ri is None: continue namespace, sa_name = sa.split("/") oc_resource, resource_name = construct_sa_oc_resource( permission["role"], namespace, sa_name) try: ri.add_desired( cluster, permission["namespace"], "RoleBinding.authorization.openshift.io", resource_name, oc_resource, ) except ResourceKeyExistsError: # a ServiceAccount may have a Role assigned to it # from multiple app-interface roles pass return users_desired_state
def test_determine_user_key_for_access_not_implemented(): cluster_info = {"auth": {"service": "not-implemented"}, "name": "c"} with pytest.raises(NotImplementedError): sut.determine_user_key_for_access(cluster_info)
def test_determine_user_key_for_access_oidc(): cluster_info = {"auth": {"service": "oidc"}} user_key = sut.determine_user_key_for_access(cluster_info) assert user_key == "org_username"
def test_determine_user_key_for_access_github_org_team(): cluster_info = {"auth": {"service": "github-org-team"}} user_key = sut.determine_user_key_for_access(cluster_info) assert user_key == "github_username"