#!/usr/bin/env python
'''
Management of policy.json
=========================

Merge a user-defined hash into policy.json
------------------------------------------

.. code-block:: yaml

    my_rule_present:
      keystone_policy.rule_present:
        - name: rule_name
        - rule: rule
        - path: /etc/keystone/policy.json

    my_rule_absent:
      keystone_policy.rule_absent:
        - name: rule_name
        - path: /etc/keystone/policy.json

'''
| 23 | import logging |
Dmitry Ukov | f58264b | 2017-04-20 23:08:42 +0200 | [diff] [blame] | 24 | |
# Module-level logger. None of the states in this file currently emit
# through it; it is kept so the module follows the usual Salt layout.
log = logging.getLogger(__name__)
| 26 | |
Adam Tengler | b1ebaca | 2017-05-04 21:06:08 +0000 | [diff] [blame] | 27 | |
def __virtual__():
    '''
    Tell the Salt loader this state module is always available.

    The only import-time dependency is ``logging``; the ``keystone_policy``
    execution-module functions are looked up through ``__salt__`` at run
    time, so nothing needs to be probed here.
    '''
    loadable = True
    return loadable
Dmitry Ukov | f58264b | 2017-04-20 23:08:42 +0200 | [diff] [blame] | 30 | |
| 31 | |
def rule_present(name, rule, path, **kwargs):
    '''
    Ensures that the policy rule exists

    The rule is looked up with ``keystone_policy.rule_get``; when it is
    missing, or present with a different value, ``keystone_policy.rule_set``
    writes it. With ``test=True`` only the intended action is reported.

    :param name: Rule name
    :param rule: Rule
    :param path: Path to policy file
    :param kwargs: Passed through to the ``keystone_policy`` execution
        module functions unchanged.
    :return: Standard Salt state return dict (``name``, ``changes``,
        ``result``, ``comment``). ``result`` is ``False`` when the lookup
        returned an ``Error`` key and ``None`` in test mode when a change
        would be made.
    '''
    # A falsy rule (None or '') is normalised to the empty string before it
    # is compared and written. NOTE(review): oslo.policy treats an empty
    # rule string as an unconditional allow, so a blank ``rule`` in pillar
    # silently opens the policy target to everyone -- confirm that this
    # fallback is intended rather than rejecting an empty rule.
    rule = rule or ""
    ret = {
        'name': name,
        'changes': {},
        'result': True,
        'comment': 'Rule "{0}" already exists and is in correct state'.format(name),
    }
    existing = __salt__['keystone_policy.rule_get'](name, path, **kwargs)

    if not existing:
        # Rule is absent from the file: create it, or say that we would.
        if __opts__.get('test'):
            ret['result'] = None
            ret['comment'] = 'Rule {0} will be created'.format(name)
            return ret
        __salt__['keystone_policy.rule_set'](name, rule, path, **kwargs)
        ret['comment'] = 'Rule {0} has been created'.format(name)
        ret['changes']['Rule'] = 'Rule %s: "%s" has been created' % (name, rule)
        return ret

    if 'Error' in existing:
        # The lookup itself failed; surface the execution module's message.
        ret['comment'] = existing.get('Error')
        ret['result'] = False
        return ret

    current = existing[name]
    if current == rule:
        # Already in the desired state; the default comment applies.
        return ret

    if __opts__.get('test'):
        ret['result'] = None
        ret['comment'] = 'Rule %s will be changed' % (name,)
        return ret

    __salt__['keystone_policy.rule_set'](name, rule, path, **kwargs)
    ret['comment'] = 'Rule %s has been changed' % (name,)
    ret['changes']['Old Rule'] = '%s: "%s"' % (name, current)
    ret['changes']['New Rule'] = '%s: "%s"' % (name, rule)
    return ret
Adam Tengler | b1ebaca | 2017-05-04 21:06:08 +0000 | [diff] [blame] | 67 | |
| 68 | |
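def rule_absent(name, path, **kwargs):
    '''
    Ensures that the policy rule does not exist

    The rule is looked up with ``keystone_policy.rule_get`` and, when
    present, removed with ``keystone_policy.rule_delete``. With
    ``test=True`` only the intended action is reported.

    :param name: Rule name
    :param path: Path to policy file
    :param kwargs: Passed through to the ``keystone_policy`` execution
        module functions unchanged.
    :return: Standard Salt state return dict (``name``, ``changes``,
        ``result``, ``comment``). ``result`` is ``False`` when the lookup
        returned an ``Error`` key and ``None`` in test mode when the rule
        would be deleted.
    '''
    ret = {'name': name,
           'changes': {},
           'result': True,
           'comment': 'Rule "{0}" is already absent'.format(name)}
    rule_check = __salt__['keystone_policy.rule_get'](name, path, **kwargs)
    # A failed lookup comes back as a non-empty {'Error': ...} dict, so it
    # must be recognised before the plain truthiness test; otherwise the
    # error is mistaken for an existing rule, rule_delete is attempted and
    # rule_check[name] raises KeyError. rule_present checks in this order.
    if rule_check and 'Error' in rule_check:
        ret['comment'] = rule_check.get('Error')
        ret['result'] = False
    elif rule_check:
        if __opts__.get('test'):
            ret['result'] = None
            ret['comment'] = 'Rule {0} will be deleted'.format(name)
        else:
            __salt__['keystone_policy.rule_delete'](name, path, **kwargs)
            ret['comment'] = 'Rule {0} has been deleted'.format(name)
            ret['changes']['Rule'] = 'Rule %s: "%s" has been deleted' % (name, rule_check[name])
    return ret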
| 93 | |
def export_policy_grains(name, path, **kwargs):
    '''
    Export policy rules from file to grains

    Reads every rule from the policy file with
    ``keystone_policy.rule_list`` and stores the result in the grain
    ``name`` via ``grains.setval``. With ``test=True`` only the pending
    export is reported.

    NOTE(review): the current grain value is never compared with the rules
    read from the file, so the state writes the grain and reports a change
    on every run; the initial "No changes" comment is overwritten on both
    paths. NOTE(review): the grain carries the full authorization policy of
    this minion, and grains are readable by the master and by anything
    able to target or query grain data -- confirm that exposure is intended.

    :param name: Grain name
    :param path: Path to policy file
    :param kwargs: Passed through to ``keystone_policy.rule_list`` and to
        ``grains.setval`` unchanged.
    :return: Standard Salt state return dict (``name``, ``changes``,
        ``result``, ``comment``); ``result`` is ``None`` in test mode.
    '''
    ret = {
        'name': name,
        'changes': {},
        'result': True,
        'comment': 'No changes for grain %s' % (name),
    }
    # The second positional argument is always False here; what it selects
    # is not visible in this file -- see the keystone_policy execution module.
    policy_rules = __salt__['keystone_policy.rule_list'](path, False, **kwargs)
    dry_run = __opts__.get('test')
    if dry_run:
        ret['result'] = None
        ret['comment'] = 'Rules %s will be exported to grain %s' % (policy_rules, name)
        return ret
    __salt__['grains.setval'](name, policy_rules, **kwargs)
    ret['comment'] = 'Rules have been exported to grain %s' %(name)
    ret['changes']['Rules'] = 'Rules have been exported: %s' % (policy_rules)
    return ret