Merge pull request #1018 from abutcher/secrets

Clean up idempotency issues with session secrets.
author: Brenton Leanhardt <bleanhar@redhat.com> 2016-01-06 14:30:09 -0500
committer: Brenton Leanhardt <bleanhar@redhat.com> 2016-01-06 14:30:09 -0500
commit: 31a18b4e6096451bd81603b92a2d4cf7d21cecef (patch)
tree: 26137b20f9df24d47958948baffd3b56880c9b03 /roles/openshift_facts
parent: af803894ad2e214948264d105f539bb7514e92ce (diff)
parent: 82db6897085a1278e6b982a403875ed8671190bb (diff)
download: openshift-31a18b4e6096451bd81603b92a2d4cf7d21cecef.tar.gz
openshift-31a18b4e6096451bd81603b92a2d4cf7d21cecef.tar.bz2
openshift-31a18b4e6096451bd81603b92a2d4cf7d21cecef.tar.xz
openshift-31a18b4e6096451bd81603b92a2d4cf7d21cecef.zip
1 files changed, 66 insertions, 1 deletions
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 911a684fc..b2acd789d 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1043,6 +1043,7 @@ class OpenShiftFacts(object):
             facts (dict): facts for the host
 
         Args:
+            module (AnsibleModule): an AnsibleModule object
             role (str): role for setting local facts
             filename (str): local facts file to use
             local_facts (dict): local facts to set
@@ -1263,14 +1264,78 @@ class OpenShiftFacts(object):
                 del facts[key]
 
         if new_local_facts != local_facts:
+            self.validate_local_facts(new_local_facts)
             changed = True
-
             if not module.check_mode:
                 save_local_facts(self.filename, new_local_facts)
 
         self.changed = changed
         return new_local_facts
 
+    def validate_local_facts(self, facts=None):
+        """ Validate local facts
+
+            Args:
+                facts (dict): local facts to validate
+        """
+        invalid_facts = dict()
+        invalid_facts = self.validate_master_facts(facts, invalid_facts)
+        if invalid_facts:
+            msg = 'Invalid facts detected:\n'
+            for key in invalid_facts.keys():
+                msg += '{0}: {1}\n'.format(key, invalid_facts[key])
+            module.fail_json(msg=msg,
+                             changed=self.changed)
+
+    # disabling pylint errors for line-too-long since we're dealing
+    # with best effort reduction of error messages here.
+    # disabling errors for too-many-branches since we require checking
+    # many conditions.
+    # pylint: disable=line-too-long, too-many-branches
+    @staticmethod
+    def validate_master_facts(facts, invalid_facts):
+        """ Validate master facts
+
+            Args:
+                facts (dict): local facts to validate
+                invalid_facts (dict): collected invalid_facts
+
+            Returns:
+                dict: Invalid facts
+        """
+        if 'master' in facts:
+            # openshift.master.session_auth_secrets
+            if 'session_auth_secrets' in facts['master']:
+                session_auth_secrets = facts['master']['session_auth_secrets']
+                if not issubclass(type(session_auth_secrets), list):
+                    invalid_facts['session_auth_secrets'] = 'Expects session_auth_secrets is a list.'
+                elif 'session_encryption_secrets' not in facts['master']:
+                    invalid_facts['session_auth_secrets'] = ('openshift_master_session_encryption secrets must be set '
+                                                             'if openshift_master_session_auth_secrets is provided.')
+                elif len(session_auth_secrets) != len(facts['master']['session_encryption_secrets']):
+                    invalid_facts['session_auth_secrets'] = ('openshift_master_session_auth_secrets and '
+                                                             'openshift_master_session_encryption_secrets must be '
+                                                             'equal length.')
+                else:
+                    for secret in session_auth_secrets:
+                        if len(secret) < 32:
+                            invalid_facts['session_auth_secrets'] = ('Invalid secret in session_auth_secrets. '
+                                                                     'Secrets must be at least 32 characters in length.')
+            # openshift.master.session_encryption_secrets
+            if 'session_encryption_secrets' in facts['master']:
+                session_encryption_secrets = facts['master']['session_encryption_secrets']
+                if not issubclass(type(session_encryption_secrets), list):
+                    invalid_facts['session_encryption_secrets'] = 'Expects session_encryption_secrets is a list.'
+                elif 'session_auth_secrets' not in facts['master']:
+                    invalid_facts['session_encryption_secrets'] = ('openshift_master_session_auth_secrets must be '
+                                                                   'set if openshift_master_session_encryption_secrets '
+                                                                   'is provided.')
+                else:
+                    for secret in session_encryption_secrets:
+                        if len(secret) not in [16, 24, 32]:
+                            invalid_facts['session_encryption_secrets'] = ('Invalid secret in session_encryption_secrets. '
+                                                                           'Secrets must be 16, 24, or 32 characters in length.')
+        return invalid_facts
 
 def main():
     """ main """
author	Brenton Leanhardt <bleanhar@redhat.com>	2016-01-06 14:30:09 -0500
committer	Brenton Leanhardt <bleanhar@redhat.com>	2016-01-06 14:30:09 -0500
commit	31a18b4e6096451bd81603b92a2d4cf7d21cecef (patch)
tree	26137b20f9df24d47958948baffd3b56880c9b03 /roles/openshift_facts
parent	af803894ad2e214948264d105f539bb7514e92ce (diff)
parent	82db6897085a1278e6b982a403875ed8671190bb (diff)
download	openshift-31a18b4e6096451bd81603b92a2d4cf7d21cecef.tar.gz openshift-31a18b4e6096451bd81603b92a2d4cf7d21cecef.tar.bz2 openshift-31a18b4e6096451bd81603b92a2d4cf7d21cecef.tar.xz openshift-31a18b4e6096451bd81603b92a2d4cf7d21cecef.zip