Moving rbac to pulp_content_guard

Author: Alex-Welsh

roles/pulp_content_guard/README.md

@@ -10,9 +10,16 @@ Role variables
 * `pulp_username`: Username used to access Pulp server. Default is `admin`
 * `pulp_password`: Password used to access Pulp server. Default is unset
 * `pulp_validate_certs`: Whether to validate Pulp server certificate. Default is `true`
-* `pulp_content_guard_x509_cert_guards`: List of x509 cert guards. Each item is
-  a dict with the following keys: `name`, `description`, `ca_certificate`,
-  `state`.
+* `pulp_content_guard_x509_cert_guards`: List of x509 cert guards to create/update/delete. Each item is
+  a dict containing: 
+  * `name` (Required)
+  * `description`
+  * `ca_certificate`
+  * `state` (default is `present`. Setting this value to `absent` will delete the content guard if it exists)
+* `pulp_content_guard_rbac`: List of groups to create/update/delete. Default is an empty list. Each item is a dict containing:
+  * `name` (Required)
+  * `download_groups` (list of groups to to be added to this content guard with the download role) 
+  * `state` (default is `present`. Setting this value to `absent` will delete the content guard if it exists)
 
 
 Example playbook
@@ -25,7 +32,7 @@ Example playbook
   gather_facts: True
   hosts: all
   roles:
-    - role: stackhpc.pulp.pulp_contentguard
+    - role: stackhpc.pulp.pulp_content_guard
       pulp_username: admin
       pulp_password: "{{ secrets_pulp_admin_password }}"
       pulp_content_guard_x509_cert_guards:
@@ -36,4 +43,25 @@ Example playbook
             ...
             -----END CERTIFICATE-----
           state: present
+          
+    - role: stackhpc.pulp.pulp_content_guard
+      pulp_url: http://localhost:8080
+      pulp_username: admin
+      pulp_password: "{{ secrets_pulp_admin_password }}"
+      pulp_content_guard_rbac:
+        - name: alex-test-rbac_cg-1
+          description: test-description-edited
+          download_groups:
+            - alex-test-group-1
+            - alex-test-group-2
+          state: present
+        - name: alex-test-rbac_cg-2
+          description: test-description2-edited
+          download_groups:
+            - alex-test-group-2
+        - name: alex-test-rbac_cg-3
+          description: test-description3-edited
+          download_groups:
+            - alex-test-group-1
+          state: absent
 ```

roles/pulp_content_guard/defaults/main.yml

@@ -5,3 +5,4 @@ pulp_password:
 pulp_validate_certs: true
 
 pulp_content_guard_x509_cert_guards: []
+pulp_content_guard_rbac: []

roles/pulp_content_guard/tasks/main.yml

@@ -12,3 +12,6 @@
   with_items: "{{ pulp_content_guard_x509_cert_guards }}"
   loop_control:
     label: "{{ item.name }}"
+
+- name: Ensure RBAC cert guards exist
+  include_tasks: rbac/rbac.yml

roles/pulp_content_guard_rbac/tasks/rbac_group/add_or_remove_groups.yml renamed to roles/pulp_content_guard/tasks/rbac/add_or_remove_groups.yml

@@ -8,8 +8,8 @@
 - name: Get RBAC content guard list
   uri:
     url: "{{ pulp_rbac_cg_url }}"
-    user: "{{ pulp_admin_username }}"
-    password: "{{ pulp_admin_password }}"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
     method: GET
     status_code: 200
     force_basic_auth: true
@@ -37,8 +37,8 @@
     url_query: "[?name=='{{ content_guard.name }}'].pulp_href"
   uri:
     url: "{{ pulp_url }}{{ rbac_cg_list_result.json.results | json_query(url_query) | first }}add_role/"
-    user: "{{ pulp_admin_username }}"
-    password: "{{ pulp_admin_password }}"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
     force_basic_auth: true
     method: POST
     status_code: 201
@@ -59,8 +59,8 @@
     url_query: "[?name=='{{ content_guard.name }}'].pulp_href"
   uri:
     url: "{{ pulp_url }}{{ rbac_cg_list_result.json.results | json_query(url_query) | first }}remove_role/"
-    user: "{{ pulp_admin_username }}"
-    password: "{{ pulp_admin_password }}"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
     force_basic_auth: true
     method: POST
     status_code: 201

roles/pulp_content_guard/tasks/rbac/rbac.yml

@@ -0,0 +1,99 @@
+---
+
+- name: Get RBAC content guard list
+  uri:
+    url: "{{ pulp_rbac_cg_url }}"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    method: GET
+    status_code: 200
+    force_basic_auth: true
+  no_log: true
+  register: rbac_cg_list_result
+
+- name: Set fact remove_rbac_cg
+  set_fact:
+    remove_rbac_cg: "{{ (remove_rbac_cg | default([])) + [item.name] }}"
+  when: item.state | default('present') == 'absent'
+  with_items: "{{ pulp_content_guard_rbac }}"
+
+- name: Create RBAC content guards
+  vars:
+    rbaccgnames: "{{ rbac_cg_list_result.json.results | map(attribute='name') | list }}"
+  uri:
+    url: "{{ pulp_rbac_cg_url }}"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    force_basic_auth: true
+    method: POST
+    status_code: 201
+    body:
+      name: "{{ item.name }}"
+      description: "{{ item.description | default(omit) }}"
+    body_format: form-urlencoded
+  loop: "{{ pulp_content_guard_rbac | default([], true) }}"
+  loop_control:
+    label: "{{ item.name }}"
+  # no_log: true
+  register: result
+  when: 
+    - item.name not in rbaccgnames
+    - item.state | default('present') != 'absent'
+  changed_when: result.status == 201
+
+- name: Update existing rbac content guards
+  vars:
+    rbaccgnames: "{{ rbac_cg_list_result.json.results | map(attribute='name') | list }}"
+    url_query: "[?name=='{{ item.name }}'].pulp_href"
+  uri:
+    url: "{{ pulp_url }}{{ rbac_cg_list_result.json.results | json_query(url_query) | first }}"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    force_basic_auth: true
+    method: PATCH
+    body:
+      name: "{{ item.name }}"
+      description: "{{ item.description | default(omit) }}"
+    body_format: form-urlencoded
+  loop: "{{ pulp_content_guard_rbac | default([], true) }}"
+  # no_log: true
+  register: result
+  when: 
+    - item.name in rbaccgnames
+    - item.state | default('present') != 'absent'
+  changed_when: 
+  # The pulp API currently does not report when a change is made, so we must
+  # manually check
+  - result.json not in rbac_cg_list_result.json.results
+  - result.status == 200
+
+- name: Add or remove group(s) from content guard
+  include_tasks: add_or_remove_groups.yml
+  loop: "{{ pulp_content_guard_rbac | default([], true) }}"
+  loop_control:
+    loop_var: content_guard
+  when: content_guard.state | default('present') != 'absent'
+
+- name: Initialise hrefs
+  set_fact:
+    hrefs: []
+
+- name: Set fact hrefs
+  set_fact:
+    hrefs: "{{ (hrefs | default([])) + [item.pulp_href] }}"
+  when: item.name in (remove_rbac_cg | default([]))
+  with_items: "{{ rbac_cg_list_result.json.results }}"
+
+- name: Delete RBAC content guards
+  uri:
+    url: "{{ pulp_url }}{{ item }}"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    force_basic_auth: true
+    method: DELETE
+    status_code: 204
+    body_format: form-urlencoded
+  loop: "{{ hrefs | default([]) }}"
+  no_log: true
+  register: result
+  changed_when: result.status == 204

roles/pulp_content_guard_rbac/vars/main.yml renamed to roles/pulp_content_guard/vars/main.yml

@@ -4,4 +4,4 @@ pulp_admin_username: admin
 pulp_admin_password:
 pulp_validate_certs: true
 
-pulp_users: []
+pulp_users: []