gitlabform 0.0.540a0__py3-none-any.whl

gitlabform/processors/group/group_members_processor.py

@@ -0,0 +1,287 @@
+import sys
+from typing import Dict, Tuple
+
+from logging import debug, info, critical, error
+
+from gitlabform.constants import EXIT_INVALID_INPUT
+from gitlabform.gitlab import GitLab, AccessLevel
+from gitlabform.processors.abstract_processor import AbstractProcessor
+from gitlab.v4.objects import Group, GroupMember, User
+from gitlab import GitlabDeleteError, GitlabError, GitlabGetError
+
+
+class GroupMembersProcessor(AbstractProcessor):
+    def __init__(self, gitlab: GitLab):
+        super().__init__("group_members", gitlab)
+
+    def _process_configuration(self, group_name: str, configuration: dict):
+        keep_bots = configuration.get("group_members|keep_bots", False)
+
+        enforce_group_members = configuration.get("group_members|enforce", False)
+
+        (
+            groups_to_set_by_group_path,
+            users_to_set_by_username,
+        ) = self._get_groups_and_users_to_set(configuration)
+
+        if enforce_group_members and not groups_to_set_by_group_path and not users_to_set_by_username:
+            critical(
+                "Group members configuration section has to contain"
+                " some 'users' or 'groups' defined as Owners,"
+                " if you want to enforce them (GitLab requires it)."
+            )
+            sys.exit(EXIT_INVALID_INPUT)
+
+        group = self.gl.get_group_by_path_cached(group_name)
+
+        self._process_groups(group, groups_to_set_by_group_path, enforce_group_members)
+
+        self._process_users(
+            users_to_set_by_username,
+            enforce_group_members,
+            keep_bots,
+            group,
+        )
+
+    @staticmethod
+    def _get_groups_and_users_to_set(configuration: dict) -> Tuple[dict, dict]:
+        groups_to_set_by_group_path = configuration.get("group_members|groups", {})
+
+        users_to_set_by_username = configuration.get("group_members", {})
+        if users_to_set_by_username:
+            proper_users_to_set_by_username = configuration.get("group_members|users", {})
+            if proper_users_to_set_by_username:
+                users_to_set_by_username = proper_users_to_set_by_username
+            else:
+                users_to_set_by_username.pop("enforce", None)
+                users_to_set_by_username.pop("users", None)
+                users_to_set_by_username.pop("groups", None)
+                users_to_set_by_username.pop("keep_bots", None)
+
+        return groups_to_set_by_group_path, users_to_set_by_username
+
+    def _process_groups(
+        self,
+        group_being_processed: Group,
+        groups_to_share_with_by_path: dict,
+        enforce_group_members: bool,
+    ):
+        shared_with_groups_before = group_being_processed.shared_with_groups
+        info("Group shared with BEFORE: %s", shared_with_groups_before)
+
+        groups_before_by_group_path = dict()
+        for shared_with_group in shared_with_groups_before:
+            groups_before_by_group_path[shared_with_group["group_full_path"]] = shared_with_group
+
+        for share_with_group_path in groups_to_share_with_by_path:
+            group_access_to_set = groups_to_share_with_by_path[share_with_group_path]["group_access"]
+
+            expires_at_to_set = (
+                groups_to_share_with_by_path[share_with_group_path]["expires_at"]
+                if "expires_at" in groups_to_share_with_by_path[share_with_group_path]
+                else None
+            )
+
+            if share_with_group_path in groups_before_by_group_path:
+                group_access_before = groups_before_by_group_path[share_with_group_path]["group_access_level"]
+                expires_at_before = groups_before_by_group_path[share_with_group_path]["expires_at"]
+
+                if group_access_before == group_access_to_set and expires_at_before == expires_at_to_set:
+                    info(
+                        "Nothing to change for group '%s' - same config now as to set.",
+                        share_with_group_path,
+                    )
+                else:
+                    info(f"Re-adding group {share_with_group_path} to change their access level or expires at.")
+                    share_with_group_id = groups_before_by_group_path[share_with_group_path]["group_id"]
+                    # we will remove the group first and then re-add them,
+                    # to ensure that the group has the expected access level
+                    self._unshare(group_being_processed, share_with_group_id)
+
+                    try:
+                        group_being_processed.share(share_with_group_id, group_access_to_set, expires_at_to_set)
+                    except GitlabError as e:
+                        error(f"Error processing {share_with_group_path}, {e.error_message}")
+                        raise e
+
+            else:
+                info(
+                    f"Adding group {share_with_group_path} who previously was not a member.",
+                )
+
+                share_with_group_id = self.gl.get_group_id(share_with_group_path)
+                try:
+                    group_being_processed.share(share_with_group_id, group_access_to_set, expires_at_to_set)
+                except GitlabError as e:
+                    error(f"Error processing {share_with_group_path}, {e.error_message}")
+                    raise e
+
+        if enforce_group_members:
+            # remove groups not configured explicitly
+            groups_not_configured = set(groups_before_by_group_path) - set(groups_to_share_with_by_path)
+            for group_path in groups_not_configured:
+                info(
+                    "Removing group '%s' who is not configured to be a member.",
+                    group_path,
+                )
+                share_with_group_id = self.gl.get_group_id(group_path)
+                self._unshare(group_being_processed, share_with_group_id)
+        else:
+            info("Not enforcing group members.")
+
+        info(
+            "Group shared with AFTER: %s",
+            group_being_processed.members.list(get_all=True),
+        )
+
+    @staticmethod
+    def _unshare(group_being_processed, share_with_group_id):
+        try:
+            group_being_processed.unshare(share_with_group_id)
+        except GitlabDeleteError:
+            info(f"Group with id {share_with_group_id} could not be unshared, likely was never shared to begin with")
+            pass
+
+    def _process_users(
+        self,
+        users_to_set_by_username: dict,
+        enforce_group_members: bool,
+        keep_bots: bool,
+        group: Group,
+    ):
+        # group users before by username
+        # (note: we DON'T get inherited users as we don't manage them at this level anyway)
+        users_before = self.get_group_members(group)
+
+        info("Group members BEFORE: %s", users_before.keys())
+
+        if users_to_set_by_username:
+            # group users to set by access level
+            users_to_set_by_access_level: Dict[int, list] = dict()
+            for user in users_to_set_by_username:
+                access_level = users_to_set_by_username[user]["access_level"]
+                users_to_set_by_access_level.setdefault(access_level, []).append(user)
+
+            # we HAVE TO start configuring access from the highest access level - in case of groups this is Owner
+            # - to ensure that we won't end up with no Owner in a group
+            for level in reversed(sorted(AccessLevel.group_levels())):
+                users_to_set_with_this_level = (
+                    users_to_set_by_access_level[level] if level in users_to_set_by_access_level else []
+                )
+
+                for user in users_to_set_with_this_level:
+                    access_level_to_set = users_to_set_by_username[user]["access_level"]
+                    expires_at_to_set = (
+                        users_to_set_by_username[user]["expires_at"]
+                        if "expires_at" in users_to_set_by_username[user]
+                        else None
+                    )
+
+                    member_role_id_or_name = (
+                        users_to_set_by_username[user]["member_role"]
+                        if "member_role" in users_to_set_by_username[user]
+                        else None
+                    )
+                    if member_role_id_or_name:
+                        member_role_id_to_set = self.gl.get_member_role_id_cached(
+                            member_role_id_or_name, group.full_path
+                        )
+                    else:
+                        member_role_id_to_set = None
+
+                    common_username = user.lower()
+
+                    user_id = self.gl.get_user_id_cached(user)
+                    if user_id is None:
+                        message = f"Could not find User '{user}' on the Instance"
+                        error(message)
+                        raise GitlabGetError(message, 404)
+
+                    if common_username in users_before:
+                        group_member: GroupMember = group.members.get(user_id)
+
+                        user_before = users_before[common_username]
+                        access_level_before = user_before.access_level
+                        expires_at_before = user_before.expires_at
+                        if hasattr(user_before, "member_role"):
+                            member_role_id_before = user_before.member_role["id"]
+                        else:
+                            member_role_id_before = None
+
+                        if (
+                            access_level_before == access_level_to_set
+                            and expires_at_before == expires_at_to_set
+                            and member_role_id_before == member_role_id_to_set
+                        ):
+                            info(
+                                "Nothing to change for user '%s' - same config now as to set.",
+                                common_username,
+                            )
+                        else:
+                            info(
+                                f"Editing user {common_username} to change their access level to {access_level_to_set},"
+                                f" expires at to {expires_at_to_set},"
+                                f" and member_role_id to {member_role_id_to_set}."
+                            )
+
+                            group_member.access_level = access_level_to_set
+                            group_member.expires_at = expires_at_to_set
+                            group_member.member_role_id = member_role_id_to_set
+                            try:
+                                group_member.save()
+                            except GitlabError as e:
+                                error(f"Could not save user {common_username}, error: {e.error_message}")
+                                raise e
+
+                    else:
+                        info(f"Adding user {common_username} who previously was not a member.")
+                        group.members.create(
+                            {
+                                "user_id": user_id,
+                                "access_level": access_level_to_set,
+                                "expires_at": expires_at_to_set,
+                                "member_role_id": member_role_id_to_set,
+                            }
+                        )
+
+        if enforce_group_members:
+            # remove users not configured explicitly
+            # note: only direct members are removed - inherited are left
+            users_not_configured = set(users_before.keys()) - set(
+                [username.lower() for username in users_to_set_by_username.keys()]
+            )
+            for user in users_not_configured:
+                info(f"Removing user {user} who is not configured to be a member.")
+
+                gl_user: User | None = self.gl.get_user_by_username_cached(user)
+
+                if gl_user is None:
+                    # User does not exist an instance level but is for whatever reason present on a Group/Project
+                    # We should raise error into Logs but not prevent the rest of GitLabForm from executing
+                    # This error is more likely to be prevalent in Dedicated instances; it is unlikely for a User to
+                    # be completely deleted from gitlab.com
+                    error(f"Could not find User '{user}' on the Instance so can not remove User from Group")
+                    continue
+
+                if keep_bots and gl_user.bot:
+                    info(f"Will not remove bot user '{user}' as the 'keep_bots' option is true.")
+                    continue
+
+                try:
+                    group.members.delete(gl_user.id)
+                except GitlabDeleteError as delete_error:
+                    error(f"Member '{user}' could not be deleted: {delete_error}")
+                    raise delete_error
+
+        else:
+            info("Not enforcing group members.")
+
+        info(f"Group members AFTER: {group.members.list(get_all=True)}")
+
+    @staticmethod
+    def get_group_members(group) -> dict:
+        members = group.members.list(get_all=True)
+        users = {}
+        for member in members:
+            users[member.username.lower()] = member
+        return users

gitlabform/processors/group/group_push_rules_processor.py

@@ -0,0 +1,44 @@
+from logging import info, debug
+from typing import Dict
+
+from gitlabform.gitlab import GitLab
+from gitlabform.processors.abstract_processor import AbstractProcessor
+
+from gitlab.v4.objects.groups import Group
+from gitlab.exceptions import GitlabGetError
+
+
+class GroupPushRulesProcessor(AbstractProcessor):
+    def __init__(self, gitlab: GitLab):
+        super().__init__("group_push_rules", gitlab)
+
+    def _process_configuration(self, group: str, configuration: Dict):
+        configured_group_push_rules = configuration.get("group_push_rules", {})
+
+        gitlab_group: Group = self.gl.get_group_by_path_cached(group)
+
+        try:
+            existing_push_rules = gitlab_group.pushrules.get()
+        except GitlabGetError as e:
+            if e.response_code == 404:
+                debug(f"No existing push rules for {gitlab_group.name}, creating new push rules.")
+                self.create_group_push_rules(gitlab_group, configured_group_push_rules)
+                return
+
+        if self._needs_update(existing_push_rules.asdict(), configured_group_push_rules):
+            debug(f"Updating group push rules for group {gitlab_group.name}")
+            self.update_group_push_rules(existing_push_rules, configured_group_push_rules)
+        else:
+            debug("No update needed for Group Push Rules")
+
+    @staticmethod
+    def update_group_push_rules(push_rules, configured_group_push_rules: dict):
+        for key, value in configured_group_push_rules.items():
+            debug(f"Updating setting {key} to value {value}")
+            setattr(push_rules, key, value)
+        push_rules.save()
+
+    @staticmethod
+    def create_group_push_rules(gitlab_group, push_rules_config: Dict):
+        debug(f"Creating push rules with configuration: {push_rules_config}")
+        gitlab_group.pushrules.create(push_rules_config)

gitlabform/processors/group/group_saml_links_processor.py

@@ -0,0 +1,65 @@
+from logging import debug
+from typing import List
+
+from gitlabform.gitlab import GitLab
+from gitlab.v4.objects import Group, GroupSAMLGroupLink
+from gitlabform.processors.abstract_processor import AbstractProcessor
+
+
+class GroupSAMLLinksProcessor(AbstractProcessor):
+
+    def __init__(self, gitlab: GitLab):
+        super().__init__("group_saml_links", gitlab)
+
+    def _process_configuration(self, group_path: str, configuration: dict) -> None:
+        """Process the SAML links configuration for a group."""
+
+        configured_links = configuration.get("group_saml_links", {})
+        enforce_links = configuration.get("group_saml_links|enforce", False)
+
+        group: Group = self.gl.get_group_by_path_cached(group_path)
+        existing_links: List[GroupSAMLGroupLink] = group.saml_group_links.list(get_all=True)
+        existing_link_names = [existing_link.name for existing_link in existing_links]
+
+        # Remove 'enforce' key from the config so that it's not treated as a "link"
+        if enforce_links:
+            configured_links.pop("enforce")
+
+        # Process each configured SAML link
+        for _, link_configuration in configured_links.items():
+            saml_group_name = link_configuration.get("saml_group_name")
+
+            if saml_group_name not in existing_link_names:
+                # Create the saml link as it does not already exist
+                group.saml_group_links.create(link_configuration)
+                group.save()
+            else:
+                # Check if the existing link needs to be updated
+                # GitLab API does not provide an endpoint for updating SAML links
+                # If update required, we need to delete and recreate
+                existing_link_config = next((link for link in existing_links if link.name == saml_group_name), None)
+                if existing_link_config and self._needs_update(existing_link_config.asdict(), link_configuration):
+                    debug(f"Updating SAML link: {saml_group_name} with {link_configuration}")
+                    existing_link_config.delete()
+                    group.saml_group_links.create(link_configuration)
+                    group.save()
+
+        # Process enforce mode
+        if enforce_links:
+            self._delete_extra_links(group, existing_links, configured_links)
+
+    def _delete_extra_links(
+        self,
+        group: Group,
+        existing: List[GroupSAMLGroupLink],
+        configured: dict,
+    ) -> None:
+        """Delete any SAML links that are not in the configuration."""
+        known_names = [
+            common_name["saml_group_name"] for common_name in configured.values() if common_name != "enforce"
+        ]
+
+        for link in existing:
+            if link.name not in known_names:
+                debug(f"Deleting extra SAML link: {link.name}")
+                group.saml_group_links.delete(link.name)

gitlabform/processors/group/group_settings_processor.py

@@ -0,0 +1,90 @@
+import os
+from logging import info, debug, warning
+from typing import Dict
+
+from gitlabform.gitlab import GitLab
+from gitlab.v4.objects.groups import Group
+from gitlabform.processors.abstract_processor import AbstractProcessor
+
+
+class GroupSettingsProcessor(AbstractProcessor):
+    def __init__(self, gitlab: GitLab):
+        super().__init__("group_settings", gitlab)
+
+    def _process_configuration(self, group: str, configuration: Dict):
+        configured_group_settings = configuration.get("group_settings", {})
+
+        gitlab_group: Group = self.gl.get_group_by_path_cached(group)
+
+        # Remove avatar from config to process it last
+        avatar_config = configured_group_settings.pop("avatar", None)
+
+        # Process other settings first
+        if self._needs_update(gitlab_group.asdict(), configured_group_settings):
+            info(f"Updating group settings for group {gitlab_group.name}")
+            self.update_group_settings(gitlab_group, configured_group_settings)
+        else:
+            debug("No update needed for Group Settings")
+
+        # Process avatar last - with error handling that doesn't stop execution
+        if avatar_config is not None:
+            try:
+                self._process_group_avatar(gitlab_group, {"avatar": avatar_config})
+            except Exception as e:
+                warning(f"Failed to process group avatar: {e}")
+                raise e
+
+    @staticmethod
+    def update_group_settings(gitlab_group: Group, group_settings_config: dict):
+        for key in group_settings_config:
+            value = group_settings_config[key]
+            debug(f"Updating setting {key} to value {value}")
+            gitlab_group.__setattr__(key, value)
+            gitlab_group.save()
+
+    def _process_group_avatar(self, gitlab_group: Group, group_settings_config: dict) -> None:
+        """Process group avatar settings from configuration."""
+        debug("Processing group avatar configuration")
+
+        avatar_path = group_settings_config.get("avatar")
+        if avatar_path is None:
+            debug("No avatar configuration provided, skipping avatar processing")
+            return
+
+        debug(f"Avatar configuration found: {avatar_path}")
+
+        # Check current avatar status
+        current_avatar = getattr(gitlab_group, "avatar_url", None)
+
+        if avatar_path == "":
+            # Want to remove avatar
+            if not current_avatar:
+                debug("Avatar already empty, no update needed")
+                return
+            debug("Deleting group avatar")
+            gitlab_group.avatar = ""
+            gitlab_group.save()
+            debug("Avatar deleted successfully")
+            return
+
+        # Resolve relative paths to absolute paths
+        if not os.path.isabs(avatar_path):
+            # Convert relative path to absolute path relative to current working directory
+            avatar_path = os.path.abspath(avatar_path)
+            debug(f"Resolved relative path to absolute path: {avatar_path}")
+
+        # Want to set avatar from file
+        debug(f"Setting group avatar from file: {avatar_path}")
+        try:
+            with open(avatar_path, "rb") as avatar_file:
+                gitlab_group.avatar = avatar_file
+                gitlab_group.save()
+            debug("Group avatar uploaded successfully")
+        except FileNotFoundError:
+            error_msg = f"Group avatar file not found: {avatar_path}"
+            debug(error_msg)
+            raise FileNotFoundError(error_msg)
+        except Exception as e:
+            error_msg = f"Error uploading group avatar: {str(e)}"
+            debug(error_msg)
+            raise Exception(error_msg) from e

gitlabform/processors/group/group_variables_processor.py

@@ -0,0 +1,26 @@
+from typing import Any, Dict
+from logging import info
+from gitlabform.gitlab import GitLab
+from gitlab.v4.objects import Group
+
+from gitlabform.processors.abstract_processor import AbstractProcessor
+from gitlabform.processors.util.variables_processor import VariablesProcessor
+
+
+class GroupVariablesProcessor(AbstractProcessor):
+    def __init__(self, gitlab: GitLab):
+        super().__init__("group_variables", gitlab)
+        self._variables_processor = VariablesProcessor(self._needs_update)
+
+    def _process_configuration(self, project_and_group: str, configuration: Dict[str, Any]) -> None:
+        group: Group = self.gl.get_group_by_path_cached(project_and_group)
+
+        configured_variables = configuration.get("group_variables", {})
+        enforce_mode: bool = configured_variables.get("enforce", False)
+
+        if enforce_mode:
+            info(f"Enforce mode enabled for variables in {project_and_group}")
+            # Remove 'enforce' key from the config so that it's not treated as a variable
+            configured_variables.pop("enforce")
+
+        self._variables_processor.process_variables(group, configured_variables, enforce_mode)