1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

[cloud] s3_bucket: policy comparison - fixes #25428 (#25723)

Creates a new way to compare bucket policies by making their elements hashable & comparing that way after normalizing syntax like single-item lists.
This commit is contained in:
Sloane Hertel 2017-07-19 07:01:33 -04:00 committed by Ryan Brown
parent beca565c79
commit 79e54f4006
2 changed files with 62 additions and 8 deletions

View file

@ -120,6 +120,7 @@ import xml.etree.ElementTree as ET
import ansible.module_utils.six.moves.urllib.parse as urlparse import ansible.module_utils.six.moves.urllib.parse as urlparse
from ansible.module_utils.six import string_types from ansible.module_utils.six import string_types
from ansible.module_utils._text import to_text
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ec2 import get_aws_connection_info, ec2_argument_spec from ansible.module_utils.ec2 import get_aws_connection_info, ec2_argument_spec
from ansible.module_utils.ec2 import sort_json_policy_dict from ansible.module_utils.ec2 import sort_json_policy_dict
@ -155,6 +156,57 @@ def create_tags_container(tags):
return tags_obj return tags_obj
def hashable_policy(policy, policy_list):
"""
Takes a policy and returns a list, the contents of which are all hashable and sorted.
Example input policy:
{'Version': '2012-10-17',
'Statement': [{'Action': 's3:PutObjectAcl',
'Sid': 'AddCannedAcl2',
'Resource': 'arn:aws:s3:::test_policy/*',
'Effect': 'Allow',
'Principal': {'AWS': ['arn:aws:iam::XXXXXXXXXXXX:user/username1', 'arn:aws:iam::XXXXXXXXXXXX:user/username2']}
}]}
Returned value:
[('Statement', ((('Action', (u's3:PutObjectAcl',)),
('Effect', (u'Allow',)),
('Principal', ('AWS', ((u'arn:aws:iam::XXXXXXXXXXXX:user/username1',), (u'arn:aws:iam::XXXXXXXXXXXX:user/username2',)))),
('Resource', (u'arn:aws:s3:::test_policy/*',)), ('Sid', (u'AddCannedAcl2',)))),
('Version', (u'2012-10-17',)))]
"""
if isinstance(policy, list):
for each in policy:
tupleified = hashable_policy(each, [])
if isinstance(tupleified, list):
tupleified = tuple(tupleified)
policy_list.append(tupleified)
elif isinstance(policy, string_types):
return [(to_text(policy))]
elif isinstance(policy, dict):
sorted_keys = list(policy.keys())
sorted_keys.sort()
for key in sorted_keys:
tupleified = hashable_policy(policy[key], [])
if isinstance(tupleified, list):
tupleified = tuple(tupleified)
policy_list.append((key, tupleified))
# ensure we aren't returning deeply nested structures of length 1
if len(policy_list) == 1 and isinstance(policy_list[0], tuple):
policy_list = policy_list[0]
if isinstance(policy_list, list):
policy_list.sort()
return policy_list
def compare_policies(current_policy, new_policy):
""" Compares the existing policy and the updated policy
Returns True if there is a difference between policies.
"""
return set(hashable_policy(new_policy, [])) != set(hashable_policy(current_policy, []))
def _create_or_update_bucket(connection, module, location): def _create_or_update_bucket(connection, module, location):
policy = module.params.get("policy") policy = module.params.get("policy")
@ -195,9 +247,9 @@ def _create_or_update_bucket(connection, module, location):
requester_pays_status = get_request_payment_status(bucket) requester_pays_status = get_request_payment_status(bucket)
if requester_pays_status != requester_pays: if requester_pays_status != requester_pays:
if requester_pays: if requester_pays:
payer='Requester' payer = 'Requester'
else: else:
payer='BucketOwner' payer = 'BucketOwner'
bucket.set_request_payment(payer=payer) bucket.set_request_payment(payer=payer)
changed = True changed = True
requester_pays_status = get_request_payment_status(bucket) requester_pays_status = get_request_payment_status(bucket)
@ -220,9 +272,11 @@ def _create_or_update_bucket(connection, module, location):
changed = bool(current_policy) changed = bool(current_policy)
elif sort_json_policy_dict(current_policy) != sort_json_policy_dict(policy): elif sort_json_policy_dict(current_policy) != sort_json_policy_dict(policy):
# doesn't necessarily mean the policy has changed; syntax could differ
changed = compare_policies(sort_json_policy_dict(current_policy), sort_json_policy_dict(policy))
try: try:
bucket.set_policy(json.dumps(policy)) if changed:
changed = True bucket.set_policy(json.dumps(policy))
current_policy = json.loads(bucket.get_policy()) current_policy = json.loads(bucket.get_policy())
except S3ResponseError as e: except S3ResponseError as e:
module.fail_json(msg=e.message) module.fail_json(msg=e.message)
@ -291,7 +345,7 @@ def _destroy_bucket(connection, module):
def _create_or_update_bucket_ceph(connection, module, location): def _create_or_update_bucket_ceph(connection, module, location):
#TODO: add update # TODO: add update
name = module.params.get("name") name = module.params.get("name")
@ -349,6 +403,7 @@ def is_walrus(s3_url):
else: else:
return False return False
def main(): def main():
argument_spec = ec2_argument_spec() argument_spec = ec2_argument_spec()
@ -434,8 +489,8 @@ def main():
except Exception as e: except Exception as e:
module.fail_json(msg='Failed to connect to S3: %s' % str(e)) module.fail_json(msg='Failed to connect to S3: %s' % str(e))
if connection is None: # this should never happen if connection is None: # this should never happen
module.fail_json(msg ='Unknown error, failed to create s3 connection, no information from boto.') module.fail_json(msg='Unknown error, failed to create s3 connection, no information from boto.')
state = module.params.get("state") state = module.params.get("state")

View file

@ -57,7 +57,6 @@ lib/ansible/modules/cloud/amazon/rds_subnet_group.py
lib/ansible/modules/cloud/amazon/redshift.py lib/ansible/modules/cloud/amazon/redshift.py
lib/ansible/modules/cloud/amazon/route53_health_check.py lib/ansible/modules/cloud/amazon/route53_health_check.py
lib/ansible/modules/cloud/amazon/s3.py lib/ansible/modules/cloud/amazon/s3.py
lib/ansible/modules/cloud/amazon/s3_bucket.py
lib/ansible/modules/cloud/amazon/s3_lifecycle.py lib/ansible/modules/cloud/amazon/s3_lifecycle.py
lib/ansible/modules/cloud/amazon/s3_logging.py lib/ansible/modules/cloud/amazon/s3_logging.py
lib/ansible/modules/cloud/amazon/s3_website.py lib/ansible/modules/cloud/amazon/s3_website.py