From 62fcc9436db024d189f3ff8107aeb7e2a1ae812f Mon Sep 17 00:00:00 2001
From: Andrew Butcher <abutcher@redhat.com>
Date: Fri, 18 Dec 2015 11:02:52 -0500
Subject: openshift_facts validation

---
 roles/openshift_facts/library/openshift_facts.py | 55 +++++++++++++++++++++++-
 1 file changed, 54 insertions(+), 1 deletion(-)


diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index fed00132a..133de758f 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1043,6 +1043,7 @@ class OpenShiftFacts(object):
             facts (dict): facts for the host
 
         Args:
+            module (AnsibleModule): an AnsibleModule object
             role (str): role for setting local facts
             filename (str): local facts file to use
             local_facts (dict): local facts to set
@@ -1257,14 +1258,66 @@ class OpenShiftFacts(object):
                 del facts[key]
 
         if new_local_facts != local_facts:
-            changed = True
+            self.validate_local_facts(new_local_facts)
 
             if not module.check_mode:
+                changed = True
                 save_local_facts(self.filename, new_local_facts)
 
         self.changed = changed
         return new_local_facts
 
+    def validate_local_facts(self, facts=None):
+        """ Validate local facts
+
+            Args:
+                facts (dict): local facts to validate
+        """
+        invalid_facts = dict()
+        invalid_facts = self.validate_master_facts(facts, invalid_facts)
+        if invalid_facts:
+            msg = 'Invalid facts detected:\n'
+            for key in invalid_facts.keys():
+                msg += '{0}: {1}\n'.format(key, invalid_facts[key])
+            module.fail_json(msg=msg,
+                             changed=self.changed)
+
+    # disabling pylint errors for line-too-long since we're dealing
+    # with best effort reduction of error messages here.
+    # pylint: disable=line-too-long
+    @staticmethod
+    def validate_master_facts(facts, invalid_facts):
+        """ Validate master facts
+
+            Args:
+                facts (dict): local facts to validate
+                invalid_facts (dict): collected invalid_facts
+
+            Returns:
+                dict: Invalid facts
+        """
+        if 'master' in facts:
+            # openshift.master.session_auth_secrets
+            if 'session_auth_secrets' in facts['master']:
+                session_auth_secrets = facts['master']['session_auth_secrets']
+                if not issubclass(type(session_auth_secrets), list):
+                    invalid_facts['session_auth_secrets'] = 'Expects session_auth_secrets is a list.'
+                else:
+                    for secret in session_auth_secrets:
+                        if len(secret) < 32:
+                            invalid_facts['session_auth_secrets'] = ('Invalid secret in session_auth_secrets. '
+                                                                     'Secrets must be at least 32 characters in length.')
+            # openshift.master.session_encryption_secrets
+            if 'session_encryption_secrets' in facts['master']:
+                session_encryption_secrets = facts['master']['session_encryption_secrets']
+                if not issubclass(type(session_encryption_secrets), list):
+                    invalid_facts['session_encryption_secrets'] = 'Expects session_encryption_secrets is a list.'
+                else:
+                    for secret in session_encryption_secrets:
+                        if len(secret) not in [16, 24, 32]:
+                            invalid_facts['session_encryption_secrets'] = ('Invalid secret in session_encryption_secrets. '
+                                                                           'Secrets must be 16, 24, or 32 characters in length.')
+        return invalid_facts
 
 def main():
     """ main """
-- 
cgit v1.2.3


From 82db6897085a1278e6b982a403875ed8671190bb Mon Sep 17 00:00:00 2001
From: Andrew Butcher <abutcher@redhat.com>
Date: Wed, 6 Jan 2016 13:01:25 -0500
Subject: Move extra secret validations into openshift_facts.

---
 roles/openshift_facts/library/openshift_facts.py | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)


diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 133de758f..9cebbcce1 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1259,9 +1259,8 @@ class OpenShiftFacts(object):
 
         if new_local_facts != local_facts:
             self.validate_local_facts(new_local_facts)
-
+            changed = True
             if not module.check_mode:
-                changed = True
                 save_local_facts(self.filename, new_local_facts)
 
         self.changed = changed
@@ -1284,7 +1283,9 @@ class OpenShiftFacts(object):
 
     # disabling pylint errors for line-too-long since we're dealing
     # with best effort reduction of error messages here.
-    # pylint: disable=line-too-long
+    # disabling errors for too-many-branches since we require checking
+    # many conditions.
+    # pylint: disable=line-too-long, too-many-branches
     @staticmethod
     def validate_master_facts(facts, invalid_facts):
         """ Validate master facts
@@ -1302,6 +1303,13 @@ class OpenShiftFacts(object):
                 session_auth_secrets = facts['master']['session_auth_secrets']
                 if not issubclass(type(session_auth_secrets), list):
                     invalid_facts['session_auth_secrets'] = 'Expects session_auth_secrets is a list.'
+                elif 'session_encryption_secrets' not in facts['master']:
+                    invalid_facts['session_auth_secrets'] = ('openshift_master_session_encryption secrets must be set '
+                                                             'if openshift_master_session_auth_secrets is provided.')
+                elif len(session_auth_secrets) != len(facts['master']['session_encryption_secrets']):
+                    invalid_facts['session_auth_secrets'] = ('openshift_master_session_auth_secrets and '
+                                                             'openshift_master_session_encryption_secrets must be '
+                                                             'equal length.')
                 else:
                     for secret in session_auth_secrets:
                         if len(secret) < 32:
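Review bot: The new `elif len(session_auth_secrets) != len(facts['master']['session_encryption_secrets']):` runs before the encryption-secrets block further down has checked that the value is a list, so a scalar (for example an int from a mistyped inventory variable) raises TypeError here instead of producing the intended "Expects session_encryption_secrets is a list." message; guard it with `elif isinstance(facts['master']['session_encryption_secrets'], list) and len(session_auth_secrets) != len(facts['master']['session_encryption_secrets']):`. The message on the first new `elif` also misspells the variable name: `'openshift_master_session_encryption secrets must be set '` should read `'openshift_master_session_encryption_secrets must be set '`. Because the cross-checks are `elif` branches ahead of the `else`, the per-secret 32-character check is skipped whenever one of them fails, so a single run reports only one problem per key — acceptable, but worth a comment such as `# cross-checks take precedence; per-secret length is only checked once both lists are present`.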
@@ -1312,6 +1320,10 @@ class OpenShiftFacts(object):
                 session_encryption_secrets = facts['master']['session_encryption_secrets']
                 if not issubclass(type(session_encryption_secrets), list):
                     invalid_facts['session_encryption_secrets'] = 'Expects session_encryption_secrets is a list.'
+                elif 'session_auth_secrets' not in facts['master']:
+                    invalid_facts['session_encryption_secrets'] = ('openshift_master_session_auth_secrets must be '
+                                                                   'set if openshift_master_session_encryption_secrets '
+                                                                   'is provided.')
                 else:
                     for secret in session_encryption_secrets:
                         if len(secret) not in [16, 24, 32]:
-- 
cgit v1.2.3