1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
community.general/plugins/modules/web_infrastructure/rundeck_acl_policy.py

256 lines
9 KiB
Python
Raw Normal View History

2020-03-09 10:11:07 +01:00
#!/usr/bin/python
# -*- coding: utf-8 -*-
# (c) 2017, Loic Blot <loic.blot@unix-experience.fr>
# Sponsored by Infopro Digital. http://www.infopro-digital.com/
# Sponsored by E.T.A.I. http://www.etai.fr/
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
module: rundeck_acl_policy
short_description: Manage Rundeck ACL policies.
description:
- Create, update and remove Rundeck ACL policies through HTTP API.
author: "Loic Blot (@nerzhul)"
options:
state:
Enabling validation-modules for web_infrastructure modules (#1200) * fixed validation-modules for apache2_mod_proxy.py * fixed validation-modules for apache2_module.py * fixed validation-modules for deploy_helper.py The ignore lines were put back in place because add_file_common_args=True is used and the module inherits a number of options that do not show up in the documentation (nor should they). * fixed validation-modules for ejabberd_user.py * fixed validation-modules for gunicorn.py * fixed validation-modules for htpasswd.py * fixed validation-modules for jenkins_job.py * fixed validation-modules for jenkins_job_info.py * fixed validation-modules for jenkins_plugin.py * fixed validation-modules for jenkins_script.py * fixed validation-modules for jira.py * fixed validation-modules for nginx_status_facts.py * fixed validation-modules for rundeck_acl_policy.py * fixed validation-modules for rundeck_project.py * fixed validation-modules for supervisorctl.py * fixed validation-modules for taiga_issue.py * fixed pylint mistake in plugins/modules/web_infrastructure/jenkins_job_info.py * removed ignore lines for almost-all web_infrastructure modules * rolled back ignore lines for nested sophos_utm modules that were not adjusted * Removed doc-missing-type from ignore-2.11.txt for deploy_helper and jenkins_plugin * When adding lines back to ignore files, we added more than it was before. Removing. * Rolled back deprecation line in ignore-2.9.txt for nginx_status_facts * Rolled back yet another line in ignore-2.9.txt for nginx_status_facts * Fixed argument_spec and docs for crypt_scheme parameter in htpasswd, per PR * Added extends_documentation_fragment:files to deploy_helper and jenkins_plugin * Removed long-deprecated option params from jenkins_plugin, removed validate-modules lines from ignore files for that module * Update plugins/modules/web_infrastructure/htpasswd.py Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de>
2020-10-31 13:53:57 +01:00
type: str
2020-03-09 10:11:07 +01:00
description:
- Create or remove Rundeck project.
choices: ['present', 'absent']
default: 'present'
name:
Enabling validation-modules for web_infrastructure modules (#1200) * fixed validation-modules for apache2_mod_proxy.py * fixed validation-modules for apache2_module.py * fixed validation-modules for deploy_helper.py The ignore lines were put back in place because add_file_common_args=True is used and the module inherits a number of options that do not show up in the documentation (nor should they). * fixed validation-modules for ejabberd_user.py * fixed validation-modules for gunicorn.py * fixed validation-modules for htpasswd.py * fixed validation-modules for jenkins_job.py * fixed validation-modules for jenkins_job_info.py * fixed validation-modules for jenkins_plugin.py * fixed validation-modules for jenkins_script.py * fixed validation-modules for jira.py * fixed validation-modules for nginx_status_facts.py * fixed validation-modules for rundeck_acl_policy.py * fixed validation-modules for rundeck_project.py * fixed validation-modules for supervisorctl.py * fixed validation-modules for taiga_issue.py * fixed pylint mistake in plugins/modules/web_infrastructure/jenkins_job_info.py * removed ignore lines for almost-all web_infrastructure modules * rolled back ignore lines for nested sophos_utm modules that were not adjusted * Removed doc-missing-type from ignore-2.11.txt for deploy_helper and jenkins_plugin * When adding lines back to ignore files, we added more than it was before. Removing. * Rolled back deprecation line in ignore-2.9.txt for nginx_status_facts * Rolled back yet another line in ignore-2.9.txt for nginx_status_facts * Fixed argument_spec and docs for crypt_scheme parameter in htpasswd, per PR * Added extends_documentation_fragment:files to deploy_helper and jenkins_plugin * Removed long-deprecated option params from jenkins_plugin, removed validate-modules lines from ignore files for that module * Update plugins/modules/web_infrastructure/htpasswd.py Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de>
2020-10-31 13:53:57 +01:00
type: str
2020-03-09 10:11:07 +01:00
description:
- Sets the project name.
required: True
url:
Enabling validation-modules for web_infrastructure modules (#1200) * fixed validation-modules for apache2_mod_proxy.py * fixed validation-modules for apache2_module.py * fixed validation-modules for deploy_helper.py The ignore lines were put back in place because add_file_common_args=True is used and the module inherits a number of options that do not show up in the documentation (nor should they). * fixed validation-modules for ejabberd_user.py * fixed validation-modules for gunicorn.py * fixed validation-modules for htpasswd.py * fixed validation-modules for jenkins_job.py * fixed validation-modules for jenkins_job_info.py * fixed validation-modules for jenkins_plugin.py * fixed validation-modules for jenkins_script.py * fixed validation-modules for jira.py * fixed validation-modules for nginx_status_facts.py * fixed validation-modules for rundeck_acl_policy.py * fixed validation-modules for rundeck_project.py * fixed validation-modules for supervisorctl.py * fixed validation-modules for taiga_issue.py * fixed pylint mistake in plugins/modules/web_infrastructure/jenkins_job_info.py * removed ignore lines for almost-all web_infrastructure modules * rolled back ignore lines for nested sophos_utm modules that were not adjusted * Removed doc-missing-type from ignore-2.11.txt for deploy_helper and jenkins_plugin * When adding lines back to ignore files, we added more than it was before. Removing. * Rolled back deprecation line in ignore-2.9.txt for nginx_status_facts * Rolled back yet another line in ignore-2.9.txt for nginx_status_facts * Fixed argument_spec and docs for crypt_scheme parameter in htpasswd, per PR * Added extends_documentation_fragment:files to deploy_helper and jenkins_plugin * Removed long-deprecated option params from jenkins_plugin, removed validate-modules lines from ignore files for that module * Update plugins/modules/web_infrastructure/htpasswd.py Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de>
2020-10-31 13:53:57 +01:00
type: str
2020-03-09 10:11:07 +01:00
description:
- Sets the rundeck instance URL.
required: True
api_version:
Enabling validation-modules for web_infrastructure modules (#1200) * fixed validation-modules for apache2_mod_proxy.py * fixed validation-modules for apache2_module.py * fixed validation-modules for deploy_helper.py The ignore lines were put back in place because add_file_common_args=True is used and the module inherits a number of options that do not show up in the documentation (nor should they). * fixed validation-modules for ejabberd_user.py * fixed validation-modules for gunicorn.py * fixed validation-modules for htpasswd.py * fixed validation-modules for jenkins_job.py * fixed validation-modules for jenkins_job_info.py * fixed validation-modules for jenkins_plugin.py * fixed validation-modules for jenkins_script.py * fixed validation-modules for jira.py * fixed validation-modules for nginx_status_facts.py * fixed validation-modules for rundeck_acl_policy.py * fixed validation-modules for rundeck_project.py * fixed validation-modules for supervisorctl.py * fixed validation-modules for taiga_issue.py * fixed pylint mistake in plugins/modules/web_infrastructure/jenkins_job_info.py * removed ignore lines for almost-all web_infrastructure modules * rolled back ignore lines for nested sophos_utm modules that were not adjusted * Removed doc-missing-type from ignore-2.11.txt for deploy_helper and jenkins_plugin * When adding lines back to ignore files, we added more than it was before. Removing. * Rolled back deprecation line in ignore-2.9.txt for nginx_status_facts * Rolled back yet another line in ignore-2.9.txt for nginx_status_facts * Fixed argument_spec and docs for crypt_scheme parameter in htpasswd, per PR * Added extends_documentation_fragment:files to deploy_helper and jenkins_plugin * Removed long-deprecated option params from jenkins_plugin, removed validate-modules lines from ignore files for that module * Update plugins/modules/web_infrastructure/htpasswd.py Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de>
2020-10-31 13:53:57 +01:00
type: int
2020-03-09 10:11:07 +01:00
description:
- Sets the API version used by module.
- API version must be at least 14.
default: 14
token:
Enabling validation-modules for web_infrastructure modules (#1200) * fixed validation-modules for apache2_mod_proxy.py * fixed validation-modules for apache2_module.py * fixed validation-modules for deploy_helper.py The ignore lines were put back in place because add_file_common_args=True is used and the module inherits a number of options that do not show up in the documentation (nor should they). * fixed validation-modules for ejabberd_user.py * fixed validation-modules for gunicorn.py * fixed validation-modules for htpasswd.py * fixed validation-modules for jenkins_job.py * fixed validation-modules for jenkins_job_info.py * fixed validation-modules for jenkins_plugin.py * fixed validation-modules for jenkins_script.py * fixed validation-modules for jira.py * fixed validation-modules for nginx_status_facts.py * fixed validation-modules for rundeck_acl_policy.py * fixed validation-modules for rundeck_project.py * fixed validation-modules for supervisorctl.py * fixed validation-modules for taiga_issue.py * fixed pylint mistake in plugins/modules/web_infrastructure/jenkins_job_info.py * removed ignore lines for almost-all web_infrastructure modules * rolled back ignore lines for nested sophos_utm modules that were not adjusted * Removed doc-missing-type from ignore-2.11.txt for deploy_helper and jenkins_plugin * When adding lines back to ignore files, we added more than it was before. Removing. * Rolled back deprecation line in ignore-2.9.txt for nginx_status_facts * Rolled back yet another line in ignore-2.9.txt for nginx_status_facts * Fixed argument_spec and docs for crypt_scheme parameter in htpasswd, per PR * Added extends_documentation_fragment:files to deploy_helper and jenkins_plugin * Removed long-deprecated option params from jenkins_plugin, removed validate-modules lines from ignore files for that module * Update plugins/modules/web_infrastructure/htpasswd.py Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de>
2020-10-31 13:53:57 +01:00
type: str
2020-03-09 10:11:07 +01:00
description:
- Sets the token to authenticate against Rundeck API.
required: True
project:
Enabling validation-modules for web_infrastructure modules (#1200) * fixed validation-modules for apache2_mod_proxy.py * fixed validation-modules for apache2_module.py * fixed validation-modules for deploy_helper.py The ignore lines were put back in place because add_file_common_args=True is used and the module inherits a number of options that do not show up in the documentation (nor should they). * fixed validation-modules for ejabberd_user.py * fixed validation-modules for gunicorn.py * fixed validation-modules for htpasswd.py * fixed validation-modules for jenkins_job.py * fixed validation-modules for jenkins_job_info.py * fixed validation-modules for jenkins_plugin.py * fixed validation-modules for jenkins_script.py * fixed validation-modules for jira.py * fixed validation-modules for nginx_status_facts.py * fixed validation-modules for rundeck_acl_policy.py * fixed validation-modules for rundeck_project.py * fixed validation-modules for supervisorctl.py * fixed validation-modules for taiga_issue.py * fixed pylint mistake in plugins/modules/web_infrastructure/jenkins_job_info.py * removed ignore lines for almost-all web_infrastructure modules * rolled back ignore lines for nested sophos_utm modules that were not adjusted * Removed doc-missing-type from ignore-2.11.txt for deploy_helper and jenkins_plugin * When adding lines back to ignore files, we added more than it was before. Removing. * Rolled back deprecation line in ignore-2.9.txt for nginx_status_facts * Rolled back yet another line in ignore-2.9.txt for nginx_status_facts * Fixed argument_spec and docs for crypt_scheme parameter in htpasswd, per PR * Added extends_documentation_fragment:files to deploy_helper and jenkins_plugin * Removed long-deprecated option params from jenkins_plugin, removed validate-modules lines from ignore files for that module * Update plugins/modules/web_infrastructure/htpasswd.py Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de>
2020-10-31 13:53:57 +01:00
type: str
2020-03-09 10:11:07 +01:00
description:
- Sets the project which receive the ACL policy.
- If unset, it's a system ACL policy.
policy:
Enabling validation-modules for web_infrastructure modules (#1200) * fixed validation-modules for apache2_mod_proxy.py * fixed validation-modules for apache2_module.py * fixed validation-modules for deploy_helper.py The ignore lines were put back in place because add_file_common_args=True is used and the module inherits a number of options that do not show up in the documentation (nor should they). * fixed validation-modules for ejabberd_user.py * fixed validation-modules for gunicorn.py * fixed validation-modules for htpasswd.py * fixed validation-modules for jenkins_job.py * fixed validation-modules for jenkins_job_info.py * fixed validation-modules for jenkins_plugin.py * fixed validation-modules for jenkins_script.py * fixed validation-modules for jira.py * fixed validation-modules for nginx_status_facts.py * fixed validation-modules for rundeck_acl_policy.py * fixed validation-modules for rundeck_project.py * fixed validation-modules for supervisorctl.py * fixed validation-modules for taiga_issue.py * fixed pylint mistake in plugins/modules/web_infrastructure/jenkins_job_info.py * removed ignore lines for almost-all web_infrastructure modules * rolled back ignore lines for nested sophos_utm modules that were not adjusted * Removed doc-missing-type from ignore-2.11.txt for deploy_helper and jenkins_plugin * When adding lines back to ignore files, we added more than it was before. Removing. * Rolled back deprecation line in ignore-2.9.txt for nginx_status_facts * Rolled back yet another line in ignore-2.9.txt for nginx_status_facts * Fixed argument_spec and docs for crypt_scheme parameter in htpasswd, per PR * Added extends_documentation_fragment:files to deploy_helper and jenkins_plugin * Removed long-deprecated option params from jenkins_plugin, removed validate-modules lines from ignore files for that module * Update plugins/modules/web_infrastructure/htpasswd.py Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de>
2020-10-31 13:53:57 +01:00
type: str
2020-03-09 10:11:07 +01:00
description:
- Sets the ACL policy content.
- ACL policy content is a YAML object as described in http://rundeck.org/docs/man5/aclpolicy.html.
- It can be a YAML string or a pure Ansible inventory YAML object.
client_cert:
version_added: '0.2.0'
client_key:
version_added: '0.2.0'
force:
version_added: '0.2.0'
force_basic_auth:
version_added: '0.2.0'
http_agent:
version_added: '0.2.0'
url_password:
version_added: '0.2.0'
url_username:
version_added: '0.2.0'
use_proxy:
version_added: '0.2.0'
validate_certs:
version_added: '0.2.0'
2020-03-09 10:11:07 +01:00
extends_documentation_fragment: url
'''
EXAMPLES = '''
- name: Create or update a rundeck ACL policy in project Ansible
community.general.rundeck_acl_policy:
2020-03-09 10:11:07 +01:00
name: "Project_01"
api_version: 18
url: "https://rundeck.example.org"
token: "mytoken"
state: present
project: "Ansible"
policy:
description: "my policy"
context:
application: rundeck
for:
project:
- allow: read
by:
group: "build"
- name: Remove a rundeck system policy
community.general.rundeck_acl_policy:
2020-03-09 10:11:07 +01:00
name: "Project_02"
url: "https://rundeck.example.org"
token: "mytoken"
state: absent
'''
RETURN = '''
rundeck_response:
description: Rundeck response when a failure occurs.
returned: failed
type: str
before:
description: Dictionary containing ACL policy informations before modification.
returned: success
type: dict
after:
description: Dictionary containing ACL policy informations after modification.
returned: success
type: dict
'''
# import module snippets
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.urls import fetch_url, url_argument_spec
from ansible.module_utils._text import to_text
import json
import re
2020-03-09 10:11:07 +01:00
class RundeckACLManager:
def __init__(self, module):
self.module = module
def handle_http_code_if_needed(self, infos):
if infos["status"] == 403:
self.module.fail_json(msg="Token not allowed. Please ensure token is allowed or has the correct "
"permissions.", rundeck_response=infos["body"])
elif infos["status"] >= 500:
self.module.fail_json(msg="Fatal Rundeck API error.", rundeck_response=infos["body"])
def request_rundeck_api(self, query, data=None, method="GET"):
resp, info = fetch_url(self.module,
"%s/api/%d/%s" % (self.module.params["url"], self.module.params["api_version"], query),
data=json.dumps(data),
method=method,
headers={
"Content-Type": "application/json",
"Accept": "application/json",
"X-Rundeck-Auth-Token": self.module.params["token"]
})
self.handle_http_code_if_needed(info)
if resp is not None:
resp = resp.read()
if resp != b"":
try:
json_resp = json.loads(to_text(resp, errors='surrogate_or_strict'))
return json_resp, info
except ValueError as e:
self.module.fail_json(msg="Rundeck response was not a valid JSON. Exception was: %s. "
"Object was: %s" % (str(e), resp))
return resp, info
def get_acl(self):
resp, info = self.request_rundeck_api("system/acl/%s.aclpolicy" % self.module.params["name"])
return resp
def create_or_update_acl(self):
facts = self.get_acl()
if facts is None:
# If in check mode don't create project, simulate a fake project creation
if self.module.check_mode:
self.module.exit_json(changed=True, before={}, after=self.module.params["policy"])
Tidy up all pylint:blacklisted-name ignore lines (#1819) (#1839) * fixed validation-modules for plugins/callback/hipchat.py * fixed validation-modules for plugins/connection/lxc.py * fixed validation-modules for plugins/modules/cloud/lxc/lxc_container.py * fixed validation-modules for plugins/modules/monitoring/statusio_maintenance.py * fixed validation-modules for plugins/modules/system/alternatives.py * fixed validation-modules for plugins/modules/system/beadm.py * fixed validation-modules for plugins/modules/system/cronvar.py * fixed validation-modules for plugins/modules/system/dconf.py * fixed validation-modules for plugins/modules/system/interfaces_file.py * fixed validation-modules for plugins/modules/system/java_cert.py * fixed validation-modules for plugins/modules/system/lvg.py * fixed validation-modules for plugins/modules/system/lvol.py * fixed validation-modules for plugins/modules/system/parted.py * fixed validation-modules for plugins/modules/system/timezone.py * fixed validation-modules for plugins/modules/web_infrastructure/rundeck_acl_policy.py * Tidy up all pylint:blacklisted-name sanity checks ignore lines * Missed one in statusio_maintenace.py * fixed validation-modules for plugins/modules/system/filesystem.py * Missed one in gconftool2.py * Missed one in alternatives.py * Using dummies now * fixed indentation * Made all the changes about replacing _ with dummy * Rollback bug fixed * Rollback bug fixed, part II * added changelog fragment * Improved changelog frag message per PR (cherry picked from commit 03b7b39424d639821a7994e66459ee25e94365e8) Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
2021-02-16 08:46:20 +01:00
dummy, info = self.request_rundeck_api("system/acl/%s.aclpolicy" % self.module.params["name"],
method="POST",
data={"contents": self.module.params["policy"]})
2020-03-09 10:11:07 +01:00
if info["status"] == 201:
self.module.exit_json(changed=True, before={}, after=self.get_acl())
elif info["status"] == 400:
self.module.fail_json(msg="Unable to validate acl %s. Please ensure it's a valid ACL" %
self.module.params["name"])
elif info["status"] == 409:
self.module.fail_json(msg="ACL %s already exists" % self.module.params["name"])
else:
self.module.fail_json(msg="Unhandled HTTP status %d, please report the bug" % info["status"],
before={}, after=self.get_acl())
else:
if facts["contents"] == self.module.params["policy"]:
self.module.exit_json(changed=False, before=facts, after=facts)
if self.module.check_mode:
self.module.exit_json(changed=True, before=facts, after=facts)
Tidy up all pylint:blacklisted-name ignore lines (#1819) (#1839) * fixed validation-modules for plugins/callback/hipchat.py * fixed validation-modules for plugins/connection/lxc.py * fixed validation-modules for plugins/modules/cloud/lxc/lxc_container.py * fixed validation-modules for plugins/modules/monitoring/statusio_maintenance.py * fixed validation-modules for plugins/modules/system/alternatives.py * fixed validation-modules for plugins/modules/system/beadm.py * fixed validation-modules for plugins/modules/system/cronvar.py * fixed validation-modules for plugins/modules/system/dconf.py * fixed validation-modules for plugins/modules/system/interfaces_file.py * fixed validation-modules for plugins/modules/system/java_cert.py * fixed validation-modules for plugins/modules/system/lvg.py * fixed validation-modules for plugins/modules/system/lvol.py * fixed validation-modules for plugins/modules/system/parted.py * fixed validation-modules for plugins/modules/system/timezone.py * fixed validation-modules for plugins/modules/web_infrastructure/rundeck_acl_policy.py * Tidy up all pylint:blacklisted-name sanity checks ignore lines * Missed one in statusio_maintenace.py * fixed validation-modules for plugins/modules/system/filesystem.py * Missed one in gconftool2.py * Missed one in alternatives.py * Using dummies now * fixed indentation * Made all the changes about replacing _ with dummy * Rollback bug fixed * Rollback bug fixed, part II * added changelog fragment * Improved changelog frag message per PR (cherry picked from commit 03b7b39424d639821a7994e66459ee25e94365e8) Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
2021-02-16 08:46:20 +01:00
dummy, info = self.request_rundeck_api("system/acl/%s.aclpolicy" % self.module.params["name"],
method="PUT",
data={"contents": self.module.params["policy"]})
2020-03-09 10:11:07 +01:00
if info["status"] == 200:
self.module.exit_json(changed=True, before=facts, after=self.get_acl())
elif info["status"] == 400:
self.module.fail_json(msg="Unable to validate acl %s. Please ensure it's a valid ACL" %
self.module.params["name"])
elif info["status"] == 404:
self.module.fail_json(msg="ACL %s doesn't exists. Cannot update." % self.module.params["name"])
def remove_acl(self):
facts = self.get_acl()
if facts is None:
self.module.exit_json(changed=False, before={}, after={})
else:
# If not in check mode, remove the project
if not self.module.check_mode:
self.request_rundeck_api("system/acl/%s.aclpolicy" % self.module.params["name"], method="DELETE")
self.module.exit_json(changed=True, before=facts, after={})
def main():
# Also allow the user to set values for fetch_url
argument_spec = url_argument_spec()
argument_spec.update(dict(
state=dict(type='str', choices=['present', 'absent'], default='present'),
name=dict(required=True, type='str'),
url=dict(required=True, type='str'),
api_version=dict(type='int', default=14),
token=dict(required=True, type='str', no_log=True),
policy=dict(type='str'),
project=dict(type='str'),
))
module = AnsibleModule(
argument_spec=argument_spec,
required_if=[
['state', 'present', ['policy']],
],
supports_check_mode=True
)
if not bool(re.match("[a-zA-Z0-9,.+_-]+", module.params["name"])):
module.fail_json(msg="Name contains forbidden characters. The policy can contain the characters: a-zA-Z0-9,.+_-")
2020-03-09 10:11:07 +01:00
if module.params["api_version"] < 14:
module.fail_json(msg="API version should be at least 14")
rundeck = RundeckACLManager(module)
if module.params['state'] == 'present':
rundeck.create_or_update_acl()
elif module.params['state'] == 'absent':
rundeck.remove_acl()
if __name__ == '__main__':
main()