Adding new role management (#98)

* Adding new role management

New role management is checking runtime config to create additional
accounts based on 'additonal_groups` parameter.

This allows to create two (admin and generic) accounts for users with
privileged role like cluster administrators.

* Fixing user-reset functionality

The user-reset functionality is partially broken now since list for user
to reset is not including accounts that was created for the additional
groups configured in runtime.

This fix includes all accounts associated with user specified under
queue/user-management-*.json files.

* Minor fixes after testing

* Adding check for runtime.json file

* Fixing remove queue generation

* Adding verification to user_options.user_roles.options

* Code fine-tuning and clean-up

* Code fine-tuning and clean-up

* Code fine-tuning and clean-up

* Code fine-tuning and clean-up

* Minor fixes

- process_list_of_users.yml called twice, so user_list variable contain
  data not only form list of users to be added but list of users to
remove (queue). This leads to incorrect group information.

- state absent was missed from users listed for removal

* Removing debug code

Removing debug code

Co-authored-by: Øystein Bedin <[email protected]>
Co-authored-by: Øystein Bedin <[email protected]>

Author: makirill

inventory-generation/identity-management/main.yml

@@ -1,4 +1,5 @@
 ---
+
 - name: Generate identity-management inventory based off of engagement.json
   hosts: local
   gather_facts: true
@@ -13,12 +14,36 @@
       include_vars:
         file: "{{ directory }}/engagement.json"
 
+    - name: Check if Runtime Data file exist
+      stat:
+        path: "{{ directory }}/runtime.json"
+      register: runtime_file_data
+
+    - name: Fail if runtime.json not found
+      fail:
+        msg: "The runtime.json file not found"
+      when: not runtime_file_data.stat.exists
+
+    - name: Read Runtime Data
+      include_vars:
+        file: "{{ directory }}/runtime.json"
+      when: runtime_file_data.stat.exists
+
     - name: "Fail If Governor Type Is Not Provided"
       fail:
         msg: "governor_type and governor_spec vars need to be provided in order to indicate babylon workflow"
       when:
         - (governor_type is undefined or (governor_type | trim) == "") or (governor_spec is undefined or (governor_spec | trim) == "")
 
+    - name: "Fail if user_options.user_roles.options Is Not Provided"
+      fail:
+        msg: "user_options.user_roles.options is not defined at runtime.json file or contain incorrect values"
+      when: >
+        user_options is undefined or 
+        user_options.user_roles is undefined or
+        user_options.user_roles.options is undefined or
+        user_options.user_roles.options[0].value is undefined
+
     - name: Generate Timestamp
       set_fact:
         inv_ts: "{{ lookup('pipe','date +%Y%m%d%H%M%S') }}"
@@ -30,50 +55,84 @@
         - "ocp-admin-credentials.json"
         - "ocp-ldap-sa-credentials.json"
 
-    - name: "Add users to inventory"
-      set_fact:
-        users: "{{ (users | default([])) + [ { 'first_name': (item.first_name | trim), 'last_name': (item.last_name | trim), 'email': (item.email | trim) , 'user_name': (item.email.split('@')[0] | trim) } ] }}"
-      loop: "{{ engagement_users }}"
+    #####################################################################################################################
+    # Process list of users in the queue that needs to be removed
+    # 
+    - block:
+        - include_tasks: process_queue_list.yml
+        - include_tasks: process_list_of_users.yml
+          vars:
+            list_of_users_to_process: "{{ list_of_users_to_remove | d([]) }}"
+        - set_fact:
+            users_to_remove: "{{ processed_users | d([]) }}"
 
-    - name: "Add LDAP Service Account"
-      set_fact:
-        users: "{{ (users | default([])) + [ { 'first_name': 'LDAP', 'last_name': 'SA', 'email': '[email protected]', 'user_name': ocp_ldap_sa_username, 'generate_password': False, 'notify_user': False, 'password': ocp_ldap_sa_password  } ] }}"
+    #####################################################################################################################
+    # Process list of users that are part of this engagement
+    # 
+    - block:
+        - include_tasks: process_list_of_users.yml
+          vars:
+            list_of_users_to_process: "{{ engagement_users | d([]) }}"
+        - set_fact:
+            users: "{{ processed_users | d([]) }}"
 
-    - name: "Get Unique Groups"
+    #####################################################################################################################
+    # Process user groups and group memberships
+    # 
+    - include_tasks: process_groups.yml
+      loop_control:
+        loop_var: group_item
+      loop: "{{ user_options.user_roles.options }}"
+
+    - name: "Get Unique Groups from runtime config"
       set_fact:
-        unique_groups: "{{ engagement_users | json_query('[].role') | unique }}"
+        unique_groups: "{{ user_options.user_roles.options | json_query('[].value') | unique }}"
 
-    - name: "Set Group Membership"
+    #####################################################################################################################
+    # Add in the LDAP SA and group sync memberships
+    # 
+    - name: "Create a LDAP user and group facts to simplify processing below"
+      set_fact:
+        ldap_users:
+          - first_name: 'LDAP'
+            last_name: 'SA'
+            email: '[email protected]'
+            user_name: "{{ ocp_ldap_sa_username }}"
+            password: "{{ ocp_ldap_sa_password }}"
+            generate_password: False
+            notify_user: False
+        ldap_groups:
+          - name: 'ldap-members'
+            childgroups: "{{ unique_groups }}"
+
+    - name: "Add LDAP Service Account to list of users"
       set_fact:
-        usrgrp: "{{ (usrgrp | default([])) + [ {'name': item, 'members': (engagement_users | selectattr('role','equalto',item) | map(attribute='email') | map('regex_replace','@.*','') | list) } ] }}"
-      loop: "{{ unique_groups }}"
+        users: "{{ (users | default([])) + ldap_users }}"
 
     - name: Add LDAP Groups Grouping
       set_fact:
-        usrgrp: "{{ (usrgrp | default([])) + [ {'name': 'ldap-members', 'childgroups': unique_groups } ] }}"
+        user_groups: "{{ (user_groups | default([])) + ldap_groups }}"
+
 
+    #####################################################################################################################
+    # Generate the CC list for emails
+    # 
     - name: "Set List of Mail CC"
       set_fact:
         cc_list: "{{ ', '.join(( '{{ engagement_lead_email }}', '{{ technical_lead_email }}' )) }}"
 
-    - name: "Check for Job queue"
-      ansible.builtin.stat:
-        path: "{{ directory }}/queue"
-      register: job_queue
-      ignore_errors: True
-
-    - name: "Process Job queue"
-      include: "queue/main.yml"
-      when:
-        - job_queue.stat.isdir is defined
 
+    #####################################################################################################################
+    # Gather repository facts for better processing below
+    # 
     - name: "Set repository information"
       set_fact:
         repository_url: "{{ url | default(omit) }}"
         repository_ssh_key: "{{ lookup('file', ssh_key_data_path, lstrip=False, rstrip=False) | default(omit) }}"
         repository_username: "{{ username if username is defined else omit }}"
         repository_password: "{{ password if password is defined else omit }}"
 
+
     #####################################################################################################################
     # Right now, the only supported configuration is a list of one hosting environment.
     # In the near future, this should be updated to support more than one, and this comment (and the code below)
@@ -103,9 +162,9 @@
               list_of_mail_cc: "{{ cc_list }}"
               lodestar_identities:
                 users: "{{ users }}"
-                groups: "{{ usrgrp }}"
+                groups: "{{ user_groups }}"
               lodestar_identities_remove:
-                users: "{{ users_remove | default([]) }}"
+                users: "{{ users_to_remove | default([]) }}"
               repository:
                 url: "{{ repository_url if repository_url is defined else omit }}"
                 ssh_key: "{{ ( repository_ssh_key | to_nice_yaml( default_style='>-', indent=4, width=5000 ) | trim) if repository_ssh_key is defined else omit }}"

inventory-generation/identity-management/process_groups.yml

@@ -0,0 +1,6 @@
+---
+
+- name: "Set Group Membership"
+  set_fact:
+    user_groups: "{{ (user_groups | default([])) + [ {'name': group_item.value, 'members': (user_list[group_item.value] | map(attribute='user_name') | list) } ] }}"
+  when: user_list[group_item.value] is defined

inventory-generation/identity-management/process_list_of_users.yml

@@ -0,0 +1,15 @@
+---
+- set_fact:
+    user_list: []
+
+- include_tasks: process_user.yml
+  loop_control:
+    loop_var: user_item
+  loop: "{{ list_of_users_to_process | d([]) }}"
+
+- name: "Assemble final list of users"
+  set_fact:
+    processed_users: "{{ user_list.keys() | map('extract', user_list) | list | flatten | unique }}"
+  when: 
+    - user_list | length > 0
+

inventory-generation/identity-management/process_queue_list.yml

@@ -0,0 +1,25 @@
+---
+
+- name: "Check for Job queue"
+  ansible.builtin.stat:
+    path: "{{ directory }}/queue"
+  register: job_queue
+  ignore_errors: True
+
+- name: "Process User Management Jobs in the queue"
+  find:
+    paths: "{{ directory }}/queue"
+    patterns: "user-management-*.json"
+  register: jobs_user_management
+  when:
+    - job_queue.stat.path is defined
+
+- name: "Assemble list of users to be removed"
+  include: "process_user_removal.yml"
+  loop_control:
+    loop_var: job
+  with_items:
+    - "{{ jobs_user_management.files }}"
+  when:
+    - jobs_user_management is defined
+

inventory-generation/identity-management/process_user.yml

@@ -0,0 +1,15 @@
+---
+
+- set_fact:
+    user_group_list: []
+
+- set_fact:
+    user_group_list: "{{ item.additional_groups | d([]) + [ user_item.role] }}"
+  loop: "{{ user_options.user_roles.options }}"
+  when:
+    - user_item.role == item.value
+
+- include_tasks: process_user_entry.yml
+  loop_control:
+    loop_var: user_group
+  loop: "{{ user_group_list }}"

inventory-generation/identity-management/process_user_entry.yml

@@ -0,0 +1,27 @@
+---
+
+- set_fact:
+    name_append: ''
+
+- set_fact:
+    prefix: "{{ item.username_alteration.prefix | d('') }}"
+    suffix: "{{ item.username_alteration.suffix | d('') }}"
+  loop: "{{ user_options.user_roles.options }}"
+  when:
+    - user_group == item.value
+
+- set_fact:
+    name_append: " ({{ user_group }})"
+  when:
+    - prefix|trim != '' or suffix|trim != ''
+
+- set_fact:
+    new_user:
+      first_name: "{{ user_item.first_name|trim }}"
+      last_name: "{{ user_item.last_name|trim }}{{ name_append|d('') }}"
+      email: "{{ user_item.email|trim }}"
+      user_name: "{{ prefix }}{{ user_item.email.split('@')[0]|trim }}{{ suffix }}"
+      state: "{{ user_item.state | d('present') }}"
+
+- set_fact:
+    user_list: "{{ user_list|d({})|combine({user_group: (user_list[user_group]|d([]) + [ new_user ]) }) }}"

inventory-generation/identity-management/queue/user-management.yml renamed to inventory-generation/identity-management/process_user_removal.yml

@@ -11,8 +11,9 @@
       last_name: "{{ last_name | trim }}"
       email: "{{ email | trim }}"
       user_name: "{{ email.split('@')[0] | trim }}"
+      role: "{{ role | trim }}"
       state: "absent"
 
 - name: "Add User to removal queue"
   set_fact:
-    users_remove: "{{ (users_remove | default([])) + [ user_info ] }}"
+    list_of_users_to_remove: "{{ (list_of_users_to_remove | d([])) + [ user_info ] }}"