-rw-r--r--filter_plugins/openshift_master.py30
-rw-r--r--playbooks/common/openshift-master/config.yml8
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py55
-rw-r--r--roles/openshift_master/tasks/main.yml8
4 files changed, 55 insertions, 46 deletions
diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py
index 40c1083e0..8d7c62ad1 100644
--- a/filter_plugins/openshift_master.py
+++ b/filter_plugins/openshift_master.py
@@ -463,34 +463,6 @@ class FilterModule(object):
IdentityProviderBase.validate_idp_list(idp_list)
return yaml.safe_dump([idp.to_dict() for idp in idp_list], default_flow_style=False)
- @staticmethod
- def validate_auth_secrets(secrets):
- ''' validate type and length '''
-
- if not issubclass(type(secrets), list):
- raise errors.AnsibleFilterError("|failed expects openshift_master_session_auth_secrets is a list")
-
- for secret in secrets:
- if len(secret) < 32:
- return False
- return True
-
- @staticmethod
- def validate_encryption_secrets(secrets):
- ''' validate type and length '''
-
- if not issubclass(type(secrets), list):
- raise errors.AnsibleFilterError("|failed expects openshift_master_session_encryption_secrets is a list")
-
- for secret in secrets:
- if len(secret) not in [16, 24, 32]:
- return False
- return True
-
def filters(self):
''' returns a mapping of filters to methods '''
- return {
- "translate_idps": self.translate_idps,
- "validate_auth_secrets": self.validate_auth_secrets,
- "validate_encryption_secrets": self.validate_encryption_secrets
- }
+ return {"translate_idps": self.translate_idps}
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index b7e9362cd..0334a002e 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -247,14 +247,6 @@
msg: >
openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length
when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
- - fail:
- msg: >
- Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters
- when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool
- - fail:
- msg: >
- Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters
- when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool
roles:
- role: openshift_facts
post_tasks:
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index fed00132a..133de758f 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1043,6 +1043,7 @@ class OpenShiftFacts(object):
facts (dict): facts for the host
Args:
+ module (AnsibleModule): an AnsibleModule object
role (str): role for setting local facts
filename (str): local facts file to use
local_facts (dict): local facts to set
@@ -1257,14 +1258,66 @@ class OpenShiftFacts(object):
del facts[key]
if new_local_facts != local_facts:
- changed = True
+ self.validate_local_facts(new_local_facts)
if not module.check_mode:
+ changed = True
save_local_facts(self.filename, new_local_facts)
self.changed = changed
return new_local_facts
+ def validate_local_facts(self, facts=None):
+ """ Validate local facts
+
+ Args:
+ facts (dict): local facts to validate
+ """
+ invalid_facts = dict()
+ invalid_facts = self.validate_master_facts(facts, invalid_facts)
+ if invalid_facts:
+ msg = 'Invalid facts detected:\n'
+ for key in invalid_facts.keys():
+ msg += '{0}: {1}\n'.format(key, invalid_facts[key])
+ module.fail_json(msg=msg,
+ changed=self.changed)
+
+ # disabling pylint errors for line-too-long since we're dealing
+ # with best effort reduction of error messages here.
+ # pylint: disable=line-too-long
+ @staticmethod
+ def validate_master_facts(facts, invalid_facts):
+ """ Validate master facts
+
+ Args:
+ facts (dict): local facts to validate
+ invalid_facts (dict): collected invalid_facts
+
+ Returns:
+ dict: Invalid facts
+ """
+ if 'master' in facts:
+ # openshift.master.session_auth_secrets
+ if 'session_auth_secrets' in facts['master']:
+ session_auth_secrets = facts['master']['session_auth_secrets']
+ if not issubclass(type(session_auth_secrets), list):
+ invalid_facts['session_auth_secrets'] = 'Expects session_auth_secrets is a list.'
+ else:
+ for secret in session_auth_secrets:
+ if len(secret) < 32:
+ invalid_facts['session_auth_secrets'] = ('Invalid secret in session_auth_secrets. '
+ 'Secrets must be at least 32 characters in length.')
+ # openshift.master.session_encryption_secrets
+ if 'session_encryption_secrets' in facts['master']:
+ session_encryption_secrets = facts['master']['session_encryption_secrets']
+ if not issubclass(type(session_encryption_secrets), list):
+ invalid_facts['session_encryption_secrets'] = 'Expects session_encryption_secrets is a list.'
+ else:
+ for secret in session_encryption_secrets:
+ if len(secret) not in [16, 24, 32]:
+ invalid_facts['session_encryption_secrets'] = ('Invalid secret in session_encryption_secrets. '
+ 'Secrets must be 16, 24, or 32 characters in length.')
+ return invalid_facts
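Review bot: `validate_local_facts` calls `module.fail_json` but `module` is neither a parameter nor `self.module`; the caller resolves it through its own `module` argument (the `module.check_mode` line above), so the new method only works if `module` also happens to be a module-level global, and otherwise raises NameError exactly when an invalid secret is found. Passing it explicitly removes the ambiguity: `def validate_local_facts(self, module, facts=None):` and `self.validate_local_facts(module, new_local_facts)`. The `facts=None` default is never usable either, because `'master' in facts` raises TypeError on None — either drop the default or start the method with `facts = facts or {}`. Note also that `len(secret)` counts characters, so if the 16/24/32 values are byte-length requirements of the cipher, a non-ASCII secret passes validation here but has a different byte length when encoded; comparing `len(secret.encode('utf-8'))` would be the stricter check, worth confirming against what consumes these secrets. The method that contains the `del facts[key]` … `return new_local_facts` lines starts outside this hunk.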
def main():
""" main """
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index e6ddd1c49..a3cddfd63 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -18,14 +18,6 @@
msg: >
openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length
when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
-- fail:
- msg: >
- Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters
- when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool
-- fail:
- msg: >
- Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters
- when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool
# HA Variable Validation
- fail: