diff options
Diffstat (limited to 'roles/lib_utils/filter_plugins/oo_filters.py')
| -rw-r--r-- | roles/lib_utils/filter_plugins/oo_filters.py | 142 |
1 files changed, 131 insertions, 11 deletions
diff --git a/roles/lib_utils/filter_plugins/oo_filters.py b/roles/lib_utils/filter_plugins/oo_filters.py index a2ea287cf..ed6bb4c28 100644 --- a/roles/lib_utils/filter_plugins/oo_filters.py +++ b/roles/lib_utils/filter_plugins/oo_filters.py @@ -4,6 +4,7 @@ """ Custom filters for use in openshift-ansible """ +import json import os import pdb import random @@ -21,13 +22,10 @@ import yaml from ansible import errors from ansible.parsing.yaml.dumper import AnsibleDumper -# ansible.compat.six goes away with Ansible 2.4 -try: - from ansible.compat.six import string_types, u - from ansible.compat.six.moves.urllib.parse import urlparse -except ImportError: - from ansible.module_utils.six import string_types, u - from ansible.module_utils.six.moves.urllib.parse import urlparse +# pylint: disable=import-error,no-name-in-module +from ansible.module_utils.six import string_types, u +# pylint: disable=import-error,no-name-in-module +from ansible.module_utils.six.moves.urllib.parse import urlparse HAS_OPENSSL = False try: @@ -128,7 +126,7 @@ def lib_utils_oo_collect(data_list, attribute=None, filters=None): raise errors.AnsibleFilterError( "lib_utils_oo_collect expects filter to be a dict") retval.extend([get_attr(d, attribute) for d in data if ( - all([d.get(key, None) == filters[key] for key in filters]))]) + all([get_attr(d, key) == filters[key] for key in filters]))]) else: retval.extend([get_attr(d, attribute) for d in data]) @@ -274,7 +272,7 @@ def haproxy_backend_masters(hosts, port): return servers -# pylint: disable=too-many-branches +# pylint: disable=too-many-branches, too-many-nested-blocks def lib_utils_oo_parse_named_certificates(certificates, named_certs_dir, internal_hostnames): """ Parses names from list of certificate hashes. @@ -320,8 +318,9 @@ def lib_utils_oo_parse_named_certificates(certificates, named_certs_dir, interna certificate['names'].append(str(cert.get_subject().commonName.decode())) for i in range(cert.get_extension_count()): if cert.get_extension(i).get_short_name() == 'subjectAltName': - for name in str(cert.get_extension(i)).replace('DNS:', '').split(', '): - certificate['names'].append(name) + for name in str(cert.get_extension(i)).split(', '): + if 'DNS:' in name: + certificate['names'].append(name.replace('DNS:', '')) except Exception: raise errors.AnsibleFilterError(("|failed to parse certificate '%s', " % certificate['certfile'] + "please specify certificate names in host inventory")) @@ -343,6 +342,58 @@ def lib_utils_oo_parse_named_certificates(certificates, named_certs_dir, interna return certificates +def lib_utils_oo_parse_certificate_san(certificate): + """ Parses SubjectAlternativeNames from a PEM certificate. + + Ex: certificate = '''-----BEGIN CERTIFICATE----- + MIIEcjCCAlqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZldGNk + LXNpZ25lckAxNTE2ODIwNTg1MB4XDTE4MDEyNDE5MDMzM1oXDTIzMDEyMzE5MDMz + M1owHzEdMBsGA1UEAwwUbWFzdGVyMS5hYnV0Y2hlci5jb20wggEiMA0GCSqGSIb3 + DQEBAQUAA4IBDwAwggEKAoIBAQD4wBdWXNI3TF1M0b0bEIGyJPvdqKeGwF5XlxWg + NoA1Ain/Xz0N1SW5pXW2CDo9HX+ay8DyhzR532yrBa+RO3ivNCmfnexTQinfSLWG + mBEdiu7HO3puR/GNm74JNyXoEKlMAIRiTGq9HPoTo7tNV5MLodgYirpHrkSutOww + DfFSrNjH/ehqxwQtrIOnTAHigdTOrKVdoYxqXblDEMONTPLI5LMvm4/BqnAVaOyb + 9RUzND6lxU/ei3FbUS5IoeASOHx0l1ifxae3OeSNAimm/RIRo9rieFNUFh45TzID + elsdGrLB75LH/gnRVV1xxVbwPN6xW1mEwOceRMuhIArJQ2G5AgMBAAGjgbYwgbMw + UQYDVR0jBEowSIAUXTqN88vCI6E7wONls3QJ4/63unOhJaQjMCExHzAdBgNVBAMM + FmV0Y2Qtc2lnbmVyQDE1MTY4MjA1ODWCCQDMaopfom6OljAMBgNVHRMBAf8EAjAA + MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDAdBgNVHQ4EFgQU7l05 + OYeY3HppL6/0VJSirudj8t0wDwYDVR0RBAgwBocEwKh6ujANBgkqhkiG9w0BAQsF + AAOCAgEAFU8sicE5EeQsUPnFEqDvoJd1cVE+8aCBqkW0++4GsVw2A/JOJ3OBJL6r + BV3b1u8/e8xBNi8hPi42Q+LWBITZZ/COFyhwEAK94hcr7eZLCV2xfUdMJziP4Qkh + /WRN7vXHTtJ6NP/d6A22SPbtnMSt9Y6G8y9qa5HBrqIqmkYbLzDw/SdZbDbuGhRk + xUwg2ahXNblVoE5P6rxPONgXliA94telZ1/61iyrVaiGQb1/GUP/DRfvvR4dOCrA + lMosW6fm37Wdi/8iYW+aDPWGS+yVK/sjSnHNjxqvrzkfGk+COa5riT9hJ7wZY0Hb + YiJS74SZgZt/nnr5PI2zFRUiZLECqCkZnC/sz29i+irLabnq7Cif9Mv+TUcXWvry + TdJuaaYdTSMRSUkDd/c9Ife8tOr1i1xhFzDNKNkZjTVRk1MBquSXndVCDKucdfGi + YoWm+NDFrayw8yxK/KTHo3Db3lu1eIXTHxriodFx898b//hysHr4hs4/tsEFUTZi + 705L2ScIFLfnyaPby5GK/3sBIXtuhOFM3QV3JoYKlJB5T6wJioVoUmSLc+UxZMeE + t9gGVQbVxtLvNHUdW7uKQ5pd76nIJqApQf8wg2Pja8oo56fRZX2XLt8nm9cswcC4 + Y1mDMvtfxglQATwMTuoKGdREuu1mbdb8QqdyQmZuMa72q+ax2kQ= + -----END CERTIFICATE-----''' + + returns ['192.168.122.186'] + """ + + if not HAS_OPENSSL: + raise errors.AnsibleFilterError("|missing OpenSSL python bindings") + + names = [] + + try: + lcert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, certificate) + for i in range(lcert.get_extension_count()): + if lcert.get_extension(i).get_short_name() == 'subjectAltName': + sanstr = str(lcert.get_extension(i)) + sanstr = sanstr.replace('DNS:', '') + sanstr = sanstr.replace('IP Address:', '') + names = sanstr.split(', ') + except Exception: + raise errors.AnsibleFilterError("|failed to parse certificate") + + return names + + def lib_utils_oo_generate_secret(num_bytes): """ generate a session secret """ @@ -589,6 +640,70 @@ that result to this filter plugin. return secret_name +def lib_utils_oo_l_of_d_to_csv(input_list): + """Map a list of dictionaries, input_list, into a csv string + of json values. + + Example input: + [{'var1': 'val1', 'var2': 'val2'}, {'var1': 'val3', 'var2': 'val4'}] + Example output: + u'{"var1": "val1", "var2": "val2"},{"var1": "val3", "var2": "val4"}' + """ + return ','.join(json.dumps(x) for x in input_list) + + +def map_from_pairs(source, delim="="): + ''' Returns a dict given the source and delim delimited ''' + if source == '': + return dict() + + return dict(item.split(delim) for item in source.split(",")) + + +def lib_utils_oo_get_node_labels(source, hostvars=None): + ''' Return a list of labels assigned to schedulable nodes ''' + labels = list() + + # Filter out the unschedulable nodes + for host in source: + if host not in hostvars: + return + node_vars = hostvars[host] + + # All nodes are considered schedulable, + # unless explicitly marked so + schedulable = node_vars.get('openshift_schedulable') + if schedulable is None: + schedulable = True + try: + if not strtobool(str(schedulable)): + # explicitly marked as unschedulable + continue + except ValueError: + # Incorrect value in openshift_schedulable, skip node + continue + + # Get a list of labels from the node + node_labels = node_vars.get('openshift_node_labels') + if node_labels: + labels.append(node_labels) + + return labels + + +def lib_utils_oo_has_no_matching_selector(source, selector=None): + ''' Return True when selector cannot be placed + on nodes with labels from source ''' + # Empty selector means any node + if not selector: + return False + for item in source: + if selector.items() <= item.items(): + # Matching selector found + return False + return True + + class FilterModule(object): """ Custom ansible filter mapping """ @@ -607,6 +722,7 @@ class FilterModule(object): "lib_utils_oo_dict_to_keqv_list": lib_utils_oo_dict_to_keqv_list, "lib_utils_oo_list_to_dict": lib_utils_oo_list_to_dict, "lib_utils_oo_parse_named_certificates": lib_utils_oo_parse_named_certificates, + "lib_utils_oo_parse_certificate_san": lib_utils_oo_parse_certificate_san, "lib_utils_oo_generate_secret": lib_utils_oo_generate_secret, "lib_utils_oo_pods_match_component": lib_utils_oo_pods_match_component, "lib_utils_oo_image_tag_to_rpm_version": lib_utils_oo_image_tag_to_rpm_version, @@ -618,4 +734,8 @@ class FilterModule(object): "lib_utils_oo_contains_rule": lib_utils_oo_contains_rule, "lib_utils_oo_selector_to_string_list": lib_utils_oo_selector_to_string_list, "lib_utils_oo_filter_sa_secrets": lib_utils_oo_filter_sa_secrets, + "lib_utils_oo_l_of_d_to_csv": lib_utils_oo_l_of_d_to_csv, + "lib_utils_oo_has_no_matching_selector": lib_utils_oo_has_no_matching_selector, + "lib_utils_oo_get_node_labels": lib_utils_oo_get_node_labels, + "map_from_pairs": map_from_pairs, } |