import logging

# Module-level logger named after this module.
logger = logging.getLogger(__name__)
def __virtual__():
    """
    Decide whether Salt may load this state module.

    Every state in this file works through the ``jenkins_common``
    execution module, so loading is refused when
    ``jenkins_common.call_groovy_script`` is absent from ``__salt__``.

    :returns: ``True`` when the dependency is present, otherwise a
        ``(False, reason)`` tuple
    """
    # Only call_groovy_script is probed here; the states themselves use
    # load_template and api_call from the same module.
    if 'jenkins_common.call_groovy_script' in __salt__:
        return True
    return (
        False,
        'The jenkins_security state module cannot be loaded: '
        'jenkins_common not found')
def agent2master(name, enabled, whitelisted, file_path_rules):
    """
    Jenkins Agent to Master Access Control state method

    Loads the ``security.agent2master`` Groovy template and hands it,
    together with the three settings, to ``jenkins_common.api_call``.

    :param name: state name, passed through to ``api_call``
    :param enabled: passed to the template as ``enabled``
    :param whitelisted: Whitelisted Commands
    :param file_path_rules: File Access Rules
    :returns: whatever ``jenkins_common.api_call`` returns
    """
    groovy_template = __salt__['jenkins_common.load_template'](
        'salt://jenkins/files/groovy/security.agent2master.template',
        __env__)
    # NOTE(review): the whitelist and file-access rules are forwarded
    # unvalidated; they presumably decide what agents may do on the
    # master, so keep the source data under review - confirm how the
    # template consumes them.
    template_params = {
        'enabled': enabled,
        'newWhitelistedContent': whitelisted,
        'newFilePathRulesContent': file_path_rules,
    }
    run_script = __salt__['jenkins_common.api_call']
    # ["CHANGED", "EXISTS"] is presumably the set of script results that
    # api_call accepts as success - confirm in jenkins_common.
    return run_script(
        name,
        groovy_template,
        ["CHANGED", "EXISTS"],
        template_params,
        'Agent to Master Access Control')
def csp(name, policy):
    """
    Jenkins Content Security Policy state method

    :param name: state name, passed through to ``api_call``
    :param policy: Content Security Policy string to apply; any falsy
        value (``None``, ``""``) selects the restrictive fallback below
    :returns: whatever ``jenkins_common.api_call`` returns
    """
    # Fallback policy: sandboxed, nothing allowed by default, images and
    # styles from the same origin only. An empty ``policy`` therefore
    # never results in an empty policy being sent.
    fallback_policy = (
        "sandbox; default-src 'none'; img-src 'self'; style-src 'self';")

    groovy_template = __salt__['jenkins_common.load_template'](
        'salt://jenkins/files/groovy/security.csp.template',
        __env__)
    # NOTE(review): a caller-supplied policy is forwarded as is, with no
    # check that it is at least as strict as the fallback.
    template_params = {
        'policy': policy or fallback_policy,
    }
    run_script = __salt__['jenkins_common.api_call']
    # ["CHANGED", "EXISTS"] is presumably the set of script results that
    # api_call accepts as success - confirm in jenkins_common.
    return run_script(
        name,
        groovy_template,
        ["CHANGED", "EXISTS"],
        template_params,
        'Content Security Policy')
def csrf(name, enabled, proxy_compat):
    """
    Jenkins CSRF protection state method

    :param name: state name, passed through to ``api_call``
    :param enabled: passed to the template as ``csrfEnabled``
    :param proxy_compat: passed to the template as ``proxyCompat``
    :returns: whatever ``jenkins_common.api_call`` returns
    """
    groovy_template = __salt__['jenkins_common.load_template'](
        'salt://jenkins/files/groovy/security.csrf.template',
        __env__)
    # NOTE(review): a falsy ``enabled`` presumably switches CSRF
    # protection off on the target instance - confirm in the template and
    # treat such a state as an exception that needs justification.
    template_params = {
        'csrfEnabled': enabled,
        'proxyCompat': proxy_compat,
    }
    run_script = __salt__['jenkins_common.api_call']
    # ["CHANGED", "EXISTS"] is presumably the set of script results that
    # api_call accepts as success - confirm in jenkins_common.
    return run_script(
        name,
        groovy_template,
        ["CHANGED", "EXISTS"],
        template_params,
        'CSRF Protection')
def ldap(name, server, root_dn, user_search_base, manager_dn, manager_password,
         user_search="", group_search_base="", inhibit_infer_root_dn=False):
    """
    Jenkins ldap state method

    :param name: ldap state name
    :param server: ldap server host; used as given when it starts with
        ``ldap:`` or ``ldaps:``, otherwise prefixed with ``ldap://``
    :param root_dn: root domain names
    :param user_search_base: falsy values are sent as an empty string
    :param manager_dn: falsy values are sent as an empty string
    :param manager_password: falsy values are sent as an empty string
    :param user_search: optional, default empty string
    :param group_search_base: optional, default empty string
    :param inhibit_infer_root_dn: optional, default false
    :returns: salt-specified state dict
    """
    # A bare host defaults to the unencrypted ``ldap://`` scheme; pass an
    # explicit ``ldaps://`` URL when the manager bind credentials must
    # travel over TLS.
    if not server.startswith(("ldap:", "ldaps:")):
        server = "ldap://{server}".format(server=server)

    groovy_template = __salt__['jenkins_common.load_template'](
        'salt://jenkins/files/groovy/security.ldap.template',
        __env__)
    # The template receives the flag as the text "true" or "false".
    inhibit_flag = "true" if inhibit_infer_root_dn else "false"
    # NOTE(review): managerPassword is forwarded in clear as a template
    # parameter - confirm that jenkins_common.api_call neither logs the
    # parameters nor the rendered script.
    template_params = {
        "name": name,
        "server": server,
        "rootDN": root_dn,
        "userSearchBase": user_search_base or "",
        "managerDN": manager_dn or "",
        "managerPassword": manager_password or "",
        "userSearch": user_search or "",
        "groupSearchBase": group_search_base or "",
        "inhibitInferRootDN": inhibit_flag,
    }
    run_script = __salt__['jenkins_common.api_call']
    # ["CHANGED", "EXISTS"] is presumably the set of script results that
    # api_call accepts as success - confirm in jenkins_common.
    return run_script(
        name,
        groovy_template,
        ["CHANGED", "EXISTS"],
        template_params,
        "Jenkins LDAP Settings")
def matrix(name, strategies, project_based=False):
    """
    Jenkins matrix security state method

    :param name: matrix state name
    :param strategies: dict with matrix strategies
    :param project_based: flag selecting ProjectMatrix security when
        truthy and GlobalMatrix security otherwise
    :returns: salt-specified state dict
    """
    groovy_template = __salt__['jenkins_common.load_template'](
        'salt://jenkins/files/groovy/security.matrix.template',
        __env__)
    # The permission grants are rendered to statement text first; see
    # _build_strategies for how the dict is turned into lines.
    rendered_strategies = _build_strategies(strategies)
    if project_based:
        matrix_class = "ProjectMatrixAuthorizationStrategy"
    else:
        matrix_class = "GlobalMatrixAuthorizationStrategy"
    template_params = {
        "strategies": rendered_strategies,
        "matrix_class": matrix_class,
    }
    run_script = __salt__['jenkins_common.api_call']
    # ["CHANGED", "EXISTS"] is presumably the set of script results that
    # api_call accepts as success - confirm in jenkins_common.
    return run_script(
        name,
        groovy_template,
        ["CHANGED", "EXISTS"],
        template_params,
        "Jenkins Matrix security setting")
def _build_strategies(permissions):
    """
    Render a nested permissions dict as ``strategy.add(...)`` lines.

    The dict is flattened to dotted keys, every (key, user) pair becomes
    one ``strategy.add(<key>,"<user>")`` statement, and the statements
    are returned as a single string with a newline after each one.

    :param permissions: nested dict of permission path -> user or list
        of users
    :returns: newline-terminated statements, or ``""`` when there are none
    """
    # NOTE(review): key and user are placed into the statement text with
    # no escaping or validation, so a quote, backslash, ``$`` or newline
    # in either one changes the generated statement. The text is
    # presumably evaluated as Groovy by the matrix template - confirm,
    # and validate the input or escape it before rendering.
    flattened = _to_one_dict(permissions, "")
    statements = _to_strategies_list("strategy.add({},\"{}\")", flattened)
    return "".join("{}\n".format(statement) for statement in statements)
def _to_strategies_list(strategy_format, strategy_dict):
    """
    Expand a flat permission dict into formatted strings.

    :param strategy_format: ``str.format`` pattern with two positional
        fields, filled with the key and one value
    :param strategy_dict: flat dict; a ``list`` value yields one string
        per element, any other value yields exactly one string
    :returns: list of formatted strings in dict iteration order
    """
    rendered = []
    for permission, grantees in strategy_dict.items():
        # Only real lists are fanned out; other values are used whole.
        if not isinstance(grantees, list):
            grantees = [grantees]
        rendered.extend(
            strategy_format.format(permission, grantee)
            for grantee in grantees)
    return rendered
def _to_one_dict(input_dict, input_key):
    """
    Flatten a nested dict into a single level with dotted keys.

    :param input_dict: dict whose values may themselves be dicts
    :param input_key: prefix for every key of ``input_dict``; the empty
        string means no prefix
    :returns: flat dict mapping ``prefix.key`` paths to non-dict values
    """
    flat = {}
    for key, value in input_dict.items():
        path = "{}.{}".format(input_key, key) if input_key != "" else key
        if not isinstance(value, dict):
            flat[path] = value
            continue
        # Nested dict: recurse with the path built so far as the prefix.
        flat.update(_to_one_dict(value, path))
    return flat
162 return res