openshift_facts validation

4 files changed, 55 insertions, 46 deletions

diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py
index 40c1083e0..8d7c62ad1 100644
--- a/filter_plugins/openshift_master.py
+++ b/filter_plugins/openshift_master.py
@@ -463,34 +463,6 @@ class FilterModule(object):
         IdentityProviderBase.validate_idp_list(idp_list)
         return yaml.safe_dump([idp.to_dict() for idp in idp_list], default_flow_style=False)
 
-    @staticmethod
-    def validate_auth_secrets(secrets):
-        ''' validate type and length '''
-
-        if not issubclass(type(secrets), list):
-            raise errors.AnsibleFilterError("|failed expects openshift_master_session_auth_secrets is a list")
-
-        for secret in secrets:
-            if len(secret) < 32:
-                return False
-        return True
-
-    @staticmethod
-    def validate_encryption_secrets(secrets):
-        ''' validate type and length '''
-
-        if not issubclass(type(secrets), list):
-            raise errors.AnsibleFilterError("|failed expects openshift_master_session_encryption_secrets is a list")
-
-        for secret in secrets:
-            if len(secret) not in [16, 24, 32]:
-                return False
-        return True
-
     def filters(self):
         ''' returns a mapping of filters to methods '''
-        return {
-            "translate_idps": self.translate_idps,
-            "validate_auth_secrets": self.validate_auth_secrets,
-            "validate_encryption_secrets": self.validate_encryption_secrets
-        }
+        return {"translate_idps": self.translate_idps}
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index b7e9362cd..0334a002e 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -247,14 +247,6 @@
       msg: >
         openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length
     when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
-  - fail:
-      msg: >
-        Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters
-    when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool
-  - fail:
-      msg: >
-        Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters
-    when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool
   roles:
   - role: openshift_facts
   post_tasks:
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index fed00132a..133de758f 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1043,6 +1043,7 @@ class OpenShiftFacts(object):
             facts (dict): facts for the host
 
         Args:
+            module (AnsibleModule): an AnsibleModule object
             role (str): role for setting local facts
             filename (str): local facts file to use
             local_facts (dict): local facts to set
@@ -1257,14 +1258,66 @@ class OpenShiftFacts(object):
                 del facts[key]
 
         if new_local_facts != local_facts:
-            changed = True
+            self.validate_local_facts(new_local_facts)
 
             if not module.check_mode:
+                changed = True
                 save_local_facts(self.filename, new_local_facts)
 
         self.changed = changed
         return new_local_facts
 
+    def validate_local_facts(self, facts=None):
+        """ Validate local facts
+
+            Args:
+                facts (dict): local facts to validate
+        """
+        invalid_facts = dict()
+        invalid_facts = self.validate_master_facts(facts, invalid_facts)
+        if invalid_facts:
+            msg = 'Invalid facts detected:\n'
+            for key in invalid_facts.keys():
+                msg += '{0}: {1}\n'.format(key, invalid_facts[key])
+            module.fail_json(msg=msg,
+                             changed=self.changed)
+
+    # disabling pylint errors for line-too-long since we're dealing
+    # with best effort reduction of error messages here.
+    # pylint: disable=line-too-long
+    @staticmethod
+    def validate_master_facts(facts, invalid_facts):
+        """ Validate master facts
+
+            Args:
+                facts (dict): local facts to validate
+                invalid_facts (dict): collected invalid_facts
+
+            Returns:
+                dict: Invalid facts
+        """
+        if 'master' in facts:
+            # openshift.master.session_auth_secrets
+            if 'session_auth_secrets' in facts['master']:
+                session_auth_secrets = facts['master']['session_auth_secrets']
+                if not issubclass(type(session_auth_secrets), list):
+                    invalid_facts['session_auth_secrets'] = 'Expects session_auth_secrets is a list.'
+                else:
+                    for secret in session_auth_secrets:
+                        if len(secret) < 32:
+                            invalid_facts['session_auth_secrets'] = ('Invalid secret in session_auth_secrets. '
+                                                                     'Secrets must be at least 32 characters in length.')
+            # openshift.master.session_encryption_secrets
+            if 'session_encryption_secrets' in facts['master']:
+                session_encryption_secrets = facts['master']['session_encryption_secrets']
+                if not issubclass(type(session_encryption_secrets), list):
+                    invalid_facts['session_encryption_secrets'] = 'Expects session_encryption_secrets is a list.'
+                else:
+                    for secret in session_encryption_secrets:
+                        if len(secret) not in [16, 24, 32]:
+                            invalid_facts['session_encryption_secrets'] = ('Invalid secret in session_encryption_secrets. '
+                                                                           'Secrets must be 16, 24, or 32 characters in length.')
+        return invalid_facts
 
 def main():
     """ main """
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index e6ddd1c49..a3cddfd63 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -18,14 +18,6 @@
     msg: >
       openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length
   when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length)
-- fail:
-    msg: >
-      Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters
-  when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool
-- fail:
-    msg: >
-      Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters
-  when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool
 
 # HA Variable Validation
 - fail: