Correct zos_copy handling of a zoauresponse during opercmd usage for locked data sets. (#1744)

* Test case updates to test opercmd authentication

Signed-off-by: ddimatos <[email protected]>

* Mock test to use a enum class to selected a managed user

Signed-off-by: ddimatos <[email protected]>

* add a users.py helper class with racf commands and users

Signed-off-by: ddimatos <[email protected]>

* RACF updates

Signed-off-by: ddimatos <[email protected]>

* Updates to create user

Signed-off-by: ddimatos <[email protected]>

* Updates to fix creating racf user

Signed-off-by: ddimatos <[email protected]>

* Added support for other user types

Signed-off-by: ddimatos <[email protected]>

* Update user.py to controll user access

Signed-off-by: ddimatos <[email protected]>

* Updated user.py with delete function

Signed-off-by: ddimatos <[email protected]>

* Upudates to change the original get new user design

Signed-off-by: ddimatos <[email protected]>

* Updated doc and exceptions

Signed-off-by: ddimatos <[email protected]>

* Update logic

Signed-off-by: ddimatos <[email protected]>

* Update logic

Signed-off-by: ddimatos <[email protected]>

* Updates to support managed users

Signed-off-by: ddimatos <[email protected]>

* debug stmts

Signed-off-by: ddimatos <[email protected]>

* fix test case

Signed-off-by: ddimatos <[email protected]>

* fix test case

Signed-off-by: ddimatos <[email protected]>

* Debug stmt

Signed-off-by: ddimatos <[email protected]>

* Debug stmt

Signed-off-by: ddimatos <[email protected]>

* Debug stmt

Signed-off-by: ddimatos <[email protected]>

* Debug stmt

Signed-off-by: ddimatos <[email protected]>

* Debug stmt

Signed-off-by: ddimatos <[email protected]>

* debug

Signed-off-by: ddimatos <[email protected]>

* debug

Signed-off-by: ddimatos <[email protected]>

* debug

Signed-off-by: ddimatos <[email protected]>

* debug

Signed-off-by: ddimatos <[email protected]>

* debug

Signed-off-by: ddimatos <[email protected]>

* bug

Signed-off-by: ddimatos <[email protected]>

* debug

Signed-off-by: ddimatos <[email protected]>

* debug

Signed-off-by: ddimatos <[email protected]>

* Added ssh config append

Signed-off-by: ddimatos <[email protected]>

* Update zos_copy and pipeline framework to support dynaic users

Signed-off-by: ddimatos <[email protected]>

* Fixed bug that mixed up dir and files

Signed-off-by: ddimatos <[email protected]>

* Added a todo comment for AC

Signed-off-by: ddimatos <[email protected]>

* Update users py to add new execute function

Signed-off-by: ddimatos <[email protected]>

* updates to complete the ability to use a managed user

Signed-off-by: ddimatos <[email protected]>

* Fixes E123: closing bracket does not match indentation

Signed-off-by: ddimatos <[email protected]>

* Correct name of ManagedUseeType to ManagedUserType

Co-authored-by: Fernando Flores <[email protected]>

* Update tests/functional/modules/test_zos_copy_func.py

Co-authored-by: Fernando Flores <[email protected]>

* PR review comments addressed

Signed-off-by: ddimatos <[email protected]>

---------

Signed-off-by: ddimatos <[email protected]>
Co-authored-by: Fernando Flores <[email protected]>

Author: ddimatos

ac

@@ -684,6 +684,7 @@ ac_test(){
 	    message_error "Unable to find test configration in ${VENV}/config.yml."
 	fi
 
+    # TODO: Consider adding the -vvvv like so `$CURR_DIR/${file}  -vvvv --ignore="${skip}"` so that you can access the verbosity feature of pytest.
     if [ "$file" ]; then
         . ${VENV_BIN}/activate && export ANSIBLE_LIBRARY=$VENV/ansible_collections/ibm/ibm_zos_core/plugins/modules;export ANSIBLE_CONFIG=$VENV/ansible.cfg;${VENV_BIN}/pytest $CURR_DIR/${file} --ignore="${skip}" --host-pattern=all --zinventory=${VENV}/config.yml ${debug} >&2 ; echo $? >&1
     else

changelogs/fragments/1744-zos_copy-racf-uacc-updates.yml

@@ -0,0 +1,12 @@
+bugfixes:
+  - zos_copy - Improve module zos_copy error handling when the user does not have
+    universal access authority set to UACC(READ) for SAF Profile
+    'MVS.MCSOPER.ZOAU' and SAF Class OPERCMDS. The module now handles the exception
+    and returns an informative message.
+    (https://github.com/ansible-collections/ibm_zos_core/pull/1744).
+trivial:
+  - pipeline - Deliver a new users.py framework that allows functional test cases to
+    request a managed user type where this user can have limited access to some SAF
+    profile, or saf class as well as user id's with specific patterns such as including
+    supported special characters such as '@', '#', etc.
+    (https://github.com/ansible-collections/ibm_zos_core/pull/1744).

plugins/modules/zos_copy.py

@@ -3165,32 +3165,46 @@ def data_set_locked(dataset_name):
 
     Parameters
     ----------
-    dataset_name : str
+    dataset_name (str):
         The data set name used to check if there is a lock.
 
     Returns
     -------
     bool
         True if the data set is locked, or False if the data set is not locked.
+
+    Raises
+    ------
+    CopyOperationError
+        When the user does not have Universal Access Authority to
+        ZOAU SAF Profile 'MVS.MCSOPER.ZOAU' and SAF Class OPERCMDS.
     """
     # Using operator command "D GRS,RES=(*,{dataset_name})" to detect if a data set
     # is in use, when a data set is in use it will have "EXC/SHR and SHARE"
     # in the result with a length greater than 4.
     result = dict()
     result["stdout"] = []
     command_dgrs = "D GRS,RES=(*,{0})".format(dataset_name)
-    response = opercmd.execute(command=command_dgrs)
-    stdout = response.stdout_response
-    if stdout is not None:
-        for out in stdout.split("\n"):
-            if out:
-                result["stdout"].append(out)
-    if len(result["stdout"]) > 4 and "EXC/SHR" in stdout and "SHARE" in stdout:
+
+    try:
+        response = opercmd.execute(command=command_dgrs)
+        stdout = response.stdout_response
+
+        if stdout is not None:
+            for out in stdout.split("\n"):
+                if out:
+                    result["stdout"].append(out)
+        if len(result["stdout"]) <= 4 and "NO REQUESTORS FOR RESOURCE" in stdout:
+            return False
+
         return True
-    elif len(result["stdout"]) <= 4 and "NO REQUESTORS FOR RESOURCE" in stdout:
-        return False
-    else:
-        return False
+    except zoau_exceptions.ZOAUException as copy_exception:
+        raise CopyOperationError(
+            msg="Unable to determine if the dest {0} is in use.".format(dataset_name),
+                rc=copy_exception.response.rc,
+                stdout=copy_exception.response.stdout_response,
+                stderr=copy_exception.response.stderr_response
+        )
 
 
 def run_module(module, arg_def):

tests/functional/modules/test_zos_copy_func.py

@@ -13,6 +13,7 @@
 
 from __future__ import absolute_import, division, print_function
 
+from ibm_zos_core.tests.helpers.users import ManagedUserType, ManagedUser
 import pytest
 import os
 import shutil
@@ -365,6 +366,7 @@ def link_loadlib_from_cobol(hosts, cobol_src_pds, cobol_src_mem, loadlib_pds, lo
             wait_time_s=60
         )
         for result in job_result.contacted.values():
+            print(result)
             rc = result.get("jobs")[0].get("ret_code").get("code")
     finally:
         hosts.all.file(path=temp_jcl_uss_path, state="absent")
@@ -1960,8 +1962,15 @@ def test_ensure_copy_file_does_not_change_permission_on_dest(ansible_zos_module,
 
 
 @pytest.mark.seq
-@pytest.mark.parametrize("ds_type", [ "pds", "pdse", "seq"])
-def test_copy_dest_lock(ansible_zos_module, ds_type):
+@pytest.mark.parametrize("ds_type, f_lock",[
+    ( "pds", True),   # Success path, pds locked, force_lock enabled and user authorized
+    ( "pdse", True),  # Success path, pdse locked, force_lock enabled and user authorized
+    ( "seq", True),   # Success path, seq locked, force_lock enabled and user authorized
+    ( "pds", False),  # Module exits with: Unable to write to dest '{0}' because a task is accessing the data set."
+    ( "pdse", False), # Module exits with: Unable to write to dest '{0}' because a task is accessing the data set."
+    ( "seq", False),  # Module exits with: Unable to write to dest '{0}' because a task is accessing the data set."
+])
+def test_copy_dest_lock(ansible_zos_module, ds_type, f_lock ):
     hosts = ansible_zos_module
     data_set_1 = get_tmp_ds_name()
     data_set_2 = get_tmp_ds_name()
@@ -1973,7 +1982,6 @@ def test_copy_dest_lock(ansible_zos_module, ds_type):
         src_data_set = data_set_1
         dest_data_set = data_set_2
     try:
-        hosts = ansible_zos_module
         hosts.all.zos_data_set(name=data_set_1, state="present", type=ds_type, replace=True)
         hosts.all.zos_data_set(name=data_set_2, state="present", type=ds_type, replace=True)
         if ds_type == "pds" or ds_type == "pdse":
@@ -1999,27 +2007,139 @@ def test_copy_dest_lock(ansible_zos_module, ds_type):
             dest = dest_data_set,
             remote_src = True,
             force=True,
-            force_lock=True,
+            force_lock=f_lock,
         )
         for result in results.contacted.values():
             print(result)
-            assert result.get("changed") == True
-            assert result.get("msg") is None
-            # verify that the content is the same
-            verify_copy = hosts.all.shell(
-                cmd="dcat \"{0}\"".format(dest_data_set),
-                executable=SHELL_EXECUTABLE,
-            )
-            for vp_result in verify_copy.contacted.values():
-                print(vp_result)
-                verify_copy_2 = hosts.all.shell(
-                    cmd="dcat \"{0}\"".format(src_data_set),
+            if f_lock: #and apf_auth_user:
+                assert result.get("changed") == True
+                assert result.get("msg") is None
+                # verify that the content is the same
+                verify_copy = hosts.all.shell(
+                    cmd="dcat \"{0}\"".format(dest_data_set),
                     executable=SHELL_EXECUTABLE,
                 )
-                for vp_result_2 in verify_copy_2.contacted.values():
-                    print(vp_result_2)
-                    assert vp_result_2.get("stdout") == vp_result.get("stdout")
+                for vp_result in verify_copy.contacted.values():
+                    print(vp_result)
+                    verify_copy_2 = hosts.all.shell(
+                        cmd="dcat \"{0}\"".format(src_data_set),
+                        executable=SHELL_EXECUTABLE,
+                    )
+                    for vp_result_2 in verify_copy_2.contacted.values():
+                        print(vp_result_2)
+                        assert vp_result_2.get("stdout") == vp_result.get("stdout")
+            elif not f_lock:
+                assert result.get("failed") is True
+                assert result.get("changed") == False
+                assert "because a task is accessing the data set" in result.get("msg")
+                assert result.get("rc") is None
+    finally:
+        # extract pid
+        ps_list_res = hosts.all.shell(cmd="ps -e | grep -i 'pdse-lock'")
+        # kill process - release lock - this also seems to end the job
+        pid = list(ps_list_res.contacted.values())[0].get('stdout').strip().split(' ')[0]
+        hosts.all.shell(cmd="kill 9 {0}".format(pid.strip()))
+        # clean up c code/object/executable files, jcl
+        hosts.all.shell(cmd=f'rm -r {temp_dir}')
+        # remove pdse
+        hosts.all.zos_data_set(name=data_set_1, state="absent")
+        hosts.all.zos_data_set(name=data_set_2, state="absent")
+
+
+def test_copy_dest_lock_test_with_no_opercmd_access_pds_without_force_lock(ansible_zos_module):
+    """
+    This tests the module exeception raised 'msg="Unable to determine if the source {0} is in use.".format(dataset_name)'. 
+    This this a wrapper for the actual test case `managed_user_copy_dest_lock_test_with_no_opercmd_access`.
+    """
+    managed_user = None
+    managed_user_test_case_name = "managed_user_copy_dest_lock_test_with_no_opercmd_access"
+    try:
+        # Initialize the Managed user API from the pytest fixture.
+        managed_user = ManagedUser.from_fixture(ansible_zos_module)
+
+        # Important: Execute the test case with the managed users execution utility.
+        managed_user.execute_managed_user_test(
+            managed_user_test_case = managed_user_test_case_name,debug = True,
+            verbose = False, managed_user_type=ManagedUserType.ZOAU_LIMITED_ACCESS_OPERCMD)
+
+    finally:
+        # Delete the managed user on the remote host to avoid proliferation of users.
+        managed_user.delete_managed_user()
+
+@pytest.mark.parametrize("ds_type, f_lock",[
+    ( "pds", False),    # Module exception raised msg="Unable to determine if the source {0} is in use.".format(dataset_name)
+    ( "pdse", False),   # Module exception raised msg="Unable to determine if the source {0} is in use.".format(dataset_name)
+    ( "seq", False),    # Module exception raised msg="Unable to determine if the source {0} is in use.".format(dataset_name)
+    ( "seq", True),     # Opercmd is not called so a user with limited UACC will not matter and will succeed
+])
+def managed_user_copy_dest_lock_test_with_no_opercmd_access(ansible_zos_module, ds_type, f_lock ):
+    """
+    When force_lock option is false, it exercises the opercmd call which requires RACF universal access.
+    This negative test will ensure that if the user does not have RACF universal access that the module
+    not halt execution and instead bubble up the ZOAU exception.
+    """
+    hosts = ansible_zos_module
 
+    data_set_1 = get_tmp_ds_name()
+    data_set_2 = get_tmp_ds_name()
+    member_1 = "MEM1"
+
+    if ds_type == "pds" or ds_type == "pdse":
+        src_data_set = data_set_1 + "({0})".format(member_1)
+        dest_data_set = data_set_2 + "({0})".format(member_1)
+    else:
+        src_data_set = data_set_1
+        dest_data_set = data_set_2
+    try:
+        hosts.all.zos_data_set(name=data_set_1, state="present", type=ds_type, replace=True)
+        hosts.all.zos_data_set(name=data_set_2, state="present", type=ds_type, replace=True)
+        if ds_type == "pds" or ds_type == "pdse":
+            hosts.all.zos_data_set(name=src_data_set, state="present", type="member", replace=True)
+            hosts.all.zos_data_set(name=dest_data_set, state="present", type="member", replace=True)
+        # copy text_in source
+        hosts.all.shell(cmd="decho \"{0}\" \"{1}\"".format(DUMMY_DATA, src_data_set))
+        # copy/compile c program and copy jcl to hold data set lock for n seconds in background(&)
+        temp_dir = get_random_file_name(dir=TMP_DIRECTORY)
+        hosts.all.zos_copy(content=c_pgm, dest=f'{temp_dir}/pdse-lock.c', force=True)
+        hosts.all.zos_copy(
+            content=call_c_jcl.format(temp_dir, dest_data_set),
+            dest=f'{temp_dir}/call_c_pgm.jcl',
+            force=True
+        )
+        hosts.all.shell(cmd="xlc -o pdse-lock pdse-lock.c", chdir=f"{temp_dir}/")
+        # submit jcl
+        hosts.all.shell(cmd="submit call_c_pgm.jcl", chdir=f"{temp_dir}/")
+        # pause to ensure c code acquires lock
+        time.sleep(10)
+        results = hosts.all.zos_copy(
+            src = src_data_set,
+            dest = dest_data_set,
+            remote_src = True,
+            force=True,
+            force_lock=f_lock,
+        )
+        for result in results.contacted.values():
+            if f_lock:
+                assert result.get("changed") == True
+                assert result.get("msg") is None
+                # verify that the content is the same
+                verify_copy = hosts.all.shell(
+                    cmd="dcat \"{0}\"".format(dest_data_set),
+                    executable=SHELL_EXECUTABLE,
+                )
+                for vp_result in verify_copy.contacted.values():
+                    verify_copy_2 = hosts.all.shell(
+                        cmd="dcat \"{0}\"".format(src_data_set),
+                        executable=SHELL_EXECUTABLE,
+                    )
+                    for vp_result_2 in verify_copy_2.contacted.values():
+                        assert vp_result_2.get("stdout") == vp_result.get("stdout")
+            elif not f_lock:
+                assert result.get("failed") is True
+                assert result.get("changed") == False
+                assert "Unable to determine if the dest" in result.get("msg")
+                assert "BGYSC0819E Insufficient security authorization for resource MVS.MCSOPER.ZOAU in class OPERCMDS" in result.get("stderr")
+                assert result.get("rc") == 6
     finally:
         # extract pid
         ps_list_res = hosts.all.shell(cmd="ps -e | grep -i 'pdse-lock'")