qontract-reconcile 0.10.1rc466__py3-none-any.whl → 0.10.1rc467__py3-none-any.whl

{qontract_reconcile-0.10.1rc466.dist-info → qontract_reconcile-0.10.1rc467.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc466
+Version: 0.10.1rc467
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc466.dist-info → qontract_reconcile-0.10.1rc467.dist-info}/RECORD

@@ -8,7 +8,7 @@ reconcile/aws_iam_password_reset.py,sha256=NwErtrqgBiXr7eGCAHdtGGOx0S7-4JnSc29Ie
 reconcile/aws_support_cases_sos.py,sha256=Jk6_XjDeJSYxgRGqcEAOcynt9qJF2r5HPIPcSKmoBv8,2974
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=W_VJagnsJR1v5oqjlI3RJJE0_nhtJ0m81RS8zWA5u5c,3538
 reconcile/checkpoint.py,sha256=R2WFXUXLTB4sWMi4GeA4eegsuf_1-Q4vH8M0Toh3Ij4,5036
-reconcile/cli.py,sha256=b-5nFAGfzid2XhVc31RnU7bnq-Il-QUxt061Vfe7ehQ,81537
+reconcile/cli.py,sha256=2FIP7dyW9lxJwbJFyZou5noGIl0B0gEj9IKLNM0vk-I,81792
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=SMhkcQqprWvThrIJa3U_3uh5w1h-alleW1QnCJFY4Qw,4909
 reconcile/cluster_deployment_mapper.py,sha256=2Ah-nu-Mdig0pjuiZl_XLrmVAjYzFjORR3dMlCgkmw0,2352
 reconcile/dashdotdb_base.py,sha256=a5aPLVxyqPSbjdB0Ty-uliOtxwvEbbEljHJKxdK3-Zk,4813
@@ -44,7 +44,7 @@ reconcile/jenkins_roles.py,sha256=f8ELpZY36UjoaCpR_9LijQuIMuB6a7sVLFf_H1ct9Hc,44
 reconcile/jenkins_webhooks.py,sha256=j8vhJMWcRhOdc9XzRSm0CPj84jsF3e4Syjm7r1BIsDE,1978
 reconcile/jenkins_webhooks_cleaner.py,sha256=JsN_NVPfZJwv1JtSzZXDIHUqGiefL-DRffFnDGau9aY,1539
 reconcile/jenkins_worker_fleets.py,sha256=PMNGOX0krubFjInPiFT0za0KCiWBLEcVDuXdKRd1BrE,5378
-reconcile/jira_permissions_validator.py,sha256=Iul5-2_QgQ8joGfP542UQYA0Y5Qm5chvdRzUltCo_yM,1434
+reconcile/jira_permissions_validator.py,sha256=mXMB5t958gwP1yFQJU8Aml8r0QjdbJ6Dx-6-U12qOiA,9890
 reconcile/jira_watcher.py,sha256=eyOQ92t8TFi6gogfNTO448h_h1CUyr24E0MPHc51R-o,3617
 reconcile/ldap_users.py,sha256=uEWQ0V41tN9KCZi4ZKPamjrJ6djSpdpvDBo7yJ0e7ZI,3008
 reconcile/mr_client_gateway.py,sha256=WhjMd-sIXDFCV8-rt8CEjurJ5OYB1pOD0K3o0tZRXQg,1885
@@ -196,6 +196,7 @@ reconcile/gql_definitions/common/clusters_minimal.py,sha256=yZpjS9qWyusCEiWtD8wz
 reconcile/gql_definitions/common/clusters_with_peering.py,sha256=GJjV0coYt2IAyeV00rEFZWxz6YOW5txt0FzRdLT2T5w,11099
 reconcile/gql_definitions/common/github_orgs.py,sha256=rZ0pDAA2_9hF9N-ykRZIxPtEmczTSjuA_k3nkp0k1W0,2039
 reconcile/gql_definitions/common/jira_settings.py,sha256=Fmjxhlhr69kc4jkG_0k17fuYlQVucbNex0jXYu83wbY,1990
+reconcile/gql_definitions/common/jiralert_settings.py,sha256=H96nMg_r2YcOvioj3aIkwqtFrALGSLt7uhbx9jGSUTo,1984
 reconcile/gql_definitions/common/namespaces.py,sha256=AmE6XSxGVKYUHjmWI8y2scHw1ya9EfTnEkvffzyRKDE,8922
 reconcile/gql_definitions/common/namespaces_minimal.py,sha256=XVt8LFe-bGYbjN3ysX3b9sFGmLX4snQ_A9ZouQGaaAI,3429
 reconcile/gql_definitions/common/ocm_environments.py,sha256=mQyZR04tI_-paCo2FxrK0G-Zl8-izKntuo7Z9fIaY0M,1991
@@ -245,7 +246,7 @@ reconcile/gql_definitions/integrations/integrations.py,sha256=R-COVEcr8OWiOjuYTv
 reconcile/gql_definitions/jenkins_configs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/jenkins_configs/jenkins_configs.py,sha256=0nMkH0G-AjQwu53fqHykth6X6jjbHdW2hBp5n7N-r24,2766
 reconcile/gql_definitions/jira_permissions_validator/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/jira_permissions_validator/jira_boards_for_permissions_validator.py,sha256=Er-zz8g6EZn6CThzopzBMsOKmUd2kAPo9__8WFLr4WA,2256
+reconcile/gql_definitions/jira_permissions_validator/jira_boards_for_permissions_validator.py,sha256=4_Uz4by1AOfLMicEkBHrUt6hyKYHnbQ9naTsrKbq0as,3365
 reconcile/gql_definitions/jumphosts/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/jumphosts/jumphosts.py,sha256=gN595lx7K1XsB2AfxDQ911TBVBbCoxibVeujnsGue_Q,2371
 reconcile/gql_definitions/ldap_groups/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -386,6 +387,7 @@ reconcile/test/test_gitlab_members.py,sha256=dP_dm-1THba9Vyzcq-EX1tdmBoX2hq8R-MY
 reconcile/test/test_instrumented_wrappers.py,sha256=CZzhnQH0c4i7-Rxjg7-0dfFMvVPegLHL46z5NHOOCwo,608
 reconcile/test/test_integrations_manager.py,sha256=l6KwSFT0NS9VSR-b_9z_ZEGXDWH3EMitUEMC_1h8Xkk,38184
 reconcile/test/test_jenkins_worker_fleets.py,sha256=o1jlT7OBBSgu0M3iI4xMdz_x6SciF7yhNBpLk5gTJfg,2361
+reconcile/test/test_jira_permissions_validator.py,sha256=FGLLsRV52PQNsYPaxNv7HWxERMouQ9RmUddh-IWJ3ns,12949
 reconcile/test/test_jump_host.py,sha256=yczTqvT-hNAf9zBMuFjqka9fQOA31SCNG7D-9K9MRPw,3323
 reconcile/test/test_ldap_users.py,sha256=8jjzVgoiRRylGad6-TvkugoFGXt3eko--zVVKjmZDn4,3812
 reconcile/test/test_make.py,sha256=zTdjgq-3idFlec_0qJenk9wWw0QMLvSpJfPsptXmync,677
@@ -479,6 +481,7 @@ reconcile/typed_queries/clusters_with_peering.py,sha256=lIai7SJJD0bqIJbe7virgrbY
 reconcile/typed_queries/github_orgs.py,sha256=UZhoPl8qvA_tcO7CZlN8GuMKckt3ywd47Suu61rgHsc,258
 reconcile/typed_queries/gitlab_instances.py,sha256=ZVQHy2W9xIp53f5qYkjKLHLHgOVtQpxTfcmM1C2046g,291
 reconcile/typed_queries/jira_settings.py,sha256=i0ddx5xxHrM1v-9mtL_6OB-jBFLw7-HS6xenpIDjrkw,570
+reconcile/typed_queries/jiralert_settings.py,sha256=y59S5xvYmuaGxszzfKhVLjbCyDwKiaSIlajocbK5MDE,793
 reconcile/typed_queries/namespaces.py,sha256=vItPrn7sfcHOix-VvkzQkf54_ljzI_ymyxh5esdBJ5Y,262
 reconcile/typed_queries/namespaces_minimal.py,sha256=rUtqNQ0ORXXUTQfnpsMURymAJ4gYtE77V-Lb3LiJFEY,278
 reconcile/typed_queries/pagerduty_instances.py,sha256=QCHqEAakiH6eSob0Pnnn3IBd8Ga0zpEp1Z6Qu3v2uH4,733
@@ -527,7 +530,7 @@ reconcile/utils/imap_client.py,sha256=byFAJATbITJPsGECSbvXBOcCnoeTUpDFiEjzOAxLm_
 reconcile/utils/instrumented_wrappers.py,sha256=eVwMoa6FCrYxLv3RML3WpZF9qKVfCTjMxphgVXG03OM,1073
 reconcile/utils/jenkins_api.py,sha256=MyJSB_S3uYf3sXnt9t03-gZNQ7tbdd7Wusv3MoF2fRc,7113
 reconcile/utils/jinja2_ext.py,sha256=l628RR9r9dAGBWLVegoCbSqnjojeizNGiq9Cstt02nE,1129
-reconcile/utils/jira_client.py,sha256=pQw4LKZL5d-Guaj4BMiIVrL6EZsmAMYII1-b8xYZ8Yk,5021
+reconcile/utils/jira_client.py,sha256=CxQYWc90YWFESpvFW61Gw5VQAfG9Qn2M4o1WrAeiqv4,6444
 reconcile/utils/jjb_client.py,sha256=Pdy0dLCFvD6GPCaC0tZydYgkVJPOxYXIiwWECZaFJBU,14551
 reconcile/utils/jsonpath.py,sha256=NRpAEijKN4cMDjo7qivNPqpm0__GQQ1TiE0PBEBO45s,5572
 reconcile/utils/jump_host.py,sha256=AdwmCZYNhRe53VwV2iAsUdVyUdVtSd4REmdThJDkM5w,4973
@@ -646,8 +649,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=awwTHEc2DWlykuqGIYM0WOBoSL0KRnOraCLk3C7izis,1401
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc466.dist-info/METADATA,sha256=pzQbY1450zfzFNl25IISegSnCHqnJs1N0zmryTmQh2w,2348
-qontract_reconcile-0.10.1rc466.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-qontract_reconcile-0.10.1rc466.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
-qontract_reconcile-0.10.1rc466.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc466.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc467.dist-info/METADATA,sha256=yhMB3IIg1C8P75RrPC2gBb4Pr3NTpREbOTWw91lKSZY,2348
+qontract_reconcile-0.10.1rc467.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+qontract_reconcile-0.10.1rc467.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
+qontract_reconcile-0.10.1rc467.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc467.dist-info/RECORD,,

reconcile/cli.py

@@ -884,11 +884,18 @@ def jenkins_webhooks_cleaner(ctx):
 
 
 @integration.command(short_help="Validate permissions in Jira.")
+@click.option(
+    "--exit-on-permission-errors/--no-exit-on-permission-errors",
+    help="Throw and error in case of board permission errors. Useful for PR checks.",
+    default=True,
+)
 @click.pass_context
-def jira_permissions_validator(ctx):
+def jira_permissions_validator(ctx, exit_on_permission_errors):
     import reconcile.jira_permissions_validator
 
-    run_integration(reconcile.jira_permissions_validator, ctx.obj)
+    run_integration(
+        reconcile.jira_permissions_validator, ctx.obj, exit_on_permission_errors
+    )
 
 
 @integration.command(short_help="Watch for changes in Jira boards and notify on Slack.")

reconcile/gql_definitions/common/jiralert_settings.py

@@ -0,0 +1,68 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+
+DEFINITION = """
+query JiralertSettings {
+  settings: app_interface_settings_v1 {
+    jiralert {
+      defaultIssueType
+      defaultReopenState
+    }
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class JiralertSettingsV1(ConfiguredBaseModel):
+    default_issue_type: str = Field(..., alias="defaultIssueType")
+    default_reopen_state: str = Field(..., alias="defaultReopenState")
+
+
+class AppInterfaceSettingsV1(ConfiguredBaseModel):
+    jiralert: Optional[JiralertSettingsV1] = Field(..., alias="jiralert")
+
+
+class JiralertSettingsQueryData(ConfiguredBaseModel):
+    settings: Optional[list[AppInterfaceSettingsV1]] = Field(..., alias="settings")
+
+
+def query(query_func: Callable, **kwargs: Any) -> JiralertSettingsQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        JiralertSettingsQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return JiralertSettingsQueryData(**raw_data)

reconcile/gql_definitions/jira_permissions_validator/jira_boards_for_permissions_validator.py

@@ -38,6 +38,19 @@ query JiraBoardsForPermissionValidation {
         ... VaultSecret
       }
     }
+    issueType
+    issueResolveState
+    issueReopenState
+    issueSecurityId
+    severityPriorityMappings {
+      name
+      mappings {
+        priority
+      }
+    }
+    disable {
+      integrations
+    }
   }
 }
 """
@@ -54,10 +67,29 @@ class JiraServerV1(ConfiguredBaseModel):
     token: VaultSecret = Field(..., alias="token")
 
 
+class SeverityPriorityMappingV1(ConfiguredBaseModel):
+    priority: str = Field(..., alias="priority")
+
+
+class JiraSeverityPriorityMappingsV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    mappings: list[SeverityPriorityMappingV1] = Field(..., alias="mappings")
+
+
+class DisableJiraBoardAutomationsV1(ConfiguredBaseModel):
+    integrations: Optional[list[str]] = Field(..., alias="integrations")
+
+
 class JiraBoardV1(ConfiguredBaseModel):
     path: str = Field(..., alias="path")
     name: str = Field(..., alias="name")
     server: JiraServerV1 = Field(..., alias="server")
+    issue_type: Optional[str] = Field(..., alias="issueType")
+    issue_resolve_state: Optional[str] = Field(..., alias="issueResolveState")
+    issue_reopen_state: Optional[str] = Field(..., alias="issueReopenState")
+    issue_security_id: Optional[str] = Field(..., alias="issueSecurityId")
+    severity_priority_mappings: JiraSeverityPriorityMappingsV1 = Field(..., alias="severityPriorityMappings")
+    disable: Optional[DisableJiraBoardAutomationsV1] = Field(..., alias="disable")
 
 
 class JiraBoardsForPermissionValidationQueryData(ConfiguredBaseModel):

reconcile/jira_permissions_validator.py

@@ -1,6 +1,18 @@
 import logging
 import sys
+from collections.abc import Callable, Iterable
+from enum import IntFlag, auto
+from typing import Any
 
+from jira import JIRAError
+from pydantic import BaseModel
+
+from reconcile.gql_definitions.jira_permissions_validator.jira_boards_for_permissions_validator import (
+    DEFINITION as JIRA_BOARDS_DEFINITION,
+)
+from reconcile.gql_definitions.jira_permissions_validator.jira_boards_for_permissions_validator import (
+    JiraBoardV1,
+)
 from reconcile.gql_definitions.jira_permissions_validator.jira_boards_for_permissions_validator import (
     query as query_jira_boards,
 )
@@ -9,31 +21,231 @@ from reconcile.typed_queries.app_interface_vault_settings import (
     get_app_interface_vault_settings,
 )
 from reconcile.typed_queries.jira_settings import get_jira_settings
-from reconcile.utils import gql
-from reconcile.utils.jira_client import JiraClient
-from reconcile.utils.secret_reader import create_secret_reader
+from reconcile.typed_queries.jiralert_settings import get_jiralert_settings
+from reconcile.utils import gql, metrics
+from reconcile.utils.disabled_integrations import integration_is_enabled
+from reconcile.utils.jira_client import JiraClient, JiraWatcherSettings
+from reconcile.utils.secret_reader import SecretReaderBase, create_secret_reader
 
 QONTRACT_INTEGRATION = "jira-permissions-validator"
 
+NameToIdMap = dict[str, str]
+
+
+class BaseMetric(BaseModel):
+    """Base class for metrics"""
+
+    jira_server: str
+    board: str
+
+
+class PermissionErrorCounter(BaseMetric, metrics.GaugeMetric):
+    """Boards with permission errors."""
+
+    @classmethod
+    def name(cls) -> str:
+        return "jira_permissions_validator_permission_error"
 
-def run(dry_run: bool) -> None:
+
+class ValidationError(IntFlag):
+    CANT_CREATE_ISSUE = auto()
+    CANT_TRANSITION_ISSUES = auto()
+    INVALID_ISSUE_TYPE = auto()
+    INVALID_ISSUE_STATE = auto()
+    INVALID_SECURITY_LEVEL = auto()
+    INVALID_PRIORITY = auto()
+    PERMISSION_ERROR = auto()
+
+
+def board_is_valid(
+    jira: JiraClient,
+    board: JiraBoardV1,
+    default_issue_type: str,
+    default_reopen_state: str,
+    jira_server_priorities: NameToIdMap,
+) -> ValidationError:
+    error = ValidationError(0)
+    try:
+        if not jira.can_create_issues():
+            logging.error(f"[{board.name}] can not create issues in project")
+            error |= ValidationError.CANT_CREATE_ISSUE
+
+        if not jira.can_transition_issues():
+            logging.error(
+                f"[{board.name}] AppSRE Jira Bot user does not have the permission to change the issue status."
+            )
+            error |= ValidationError.CANT_TRANSITION_ISSUES
+
+        issue_type = board.issue_type if board.issue_type else default_issue_type
+        project_issue_types = jira.project_issue_types(board.name)
+        project_issue_types_str = [i.name for i in project_issue_types]
+        if issue_type not in project_issue_types_str:
+            logging.error(
+                f"[{board.name}] {issue_type} is not a valid issue type in project. Valid issue types: {project_issue_types_str}"
+            )
+            error |= ValidationError.INVALID_ISSUE_TYPE
+
+        available_states = []
+        for project_issue_type in project_issue_types:
+            if issue_type == project_issue_type.name:
+                available_states = project_issue_type.statuses
+                break
+
+        if not available_states:
+            logging.error(
+                f"[{board.name}] {issue_type} doesn't have any status. Choose a different issue type."
+            )
+            error |= ValidationError.INVALID_ISSUE_TYPE
+
+        reopen_state = (
+            board.issue_reopen_state
+            if board.issue_reopen_state
+            else default_reopen_state
+        )
+        if reopen_state.lower() not in [t.lower() for t in available_states]:
+            logging.error(
+                f"[{board.name}] '{reopen_state}' is not a valid state in project. Valid states: {available_states}"
+            )
+            error |= ValidationError.INVALID_ISSUE_STATE
+
+        if board.issue_resolve_state and board.issue_resolve_state.lower() not in [
+            t.lower() for t in available_states
+        ]:
+            logging.error(
+                f"[{board.name}] '{board.issue_resolve_state}' is not a valid state in project. Valid states: {available_states}"
+            )
+            error |= ValidationError.INVALID_ISSUE_STATE
+
+        if board.issue_security_id:
+            security_levels = jira.security_levels()
+            if board.issue_security_id not in [level.id for level in security_levels]:
+                logging.error(
+                    f"[{board.name}] {board.issue_security_id} is not a valid security level in project. Valid security ids: "
+                    + ", ".join([
+                        f"{level.name} - {level.id}" for level in jira.security_levels()
+                    ])
+                )
+                error |= ValidationError.INVALID_SECURITY_LEVEL
+
+        project_priorities = jira.project_priority_scheme()
+        for priority in board.severity_priority_mappings.mappings:
+            if priority.priority not in jira_server_priorities:
+                logging.error(
+                    f"[{board.name}] {priority.priority} is not a valid Jira priority. Valid priorities: {project_priorities}"
+                )
+                error |= ValidationError.INVALID_PRIORITY
+                continue
+            if jira_server_priorities[priority.priority] not in project_priorities:
+                logging.error(
+                    f"[{board.name}] {priority.priority} is not a valid priority in project. Valid priorities: {project_priorities}"
+                )
+                error |= ValidationError.INVALID_PRIORITY
+    except JIRAError as e:
+        if e.status_code != 403:
+            raise
+        logging.error(
+            f"[{board.name}] AppSRE Jira Bot user does not have all necessary permissions. Try granting the user the administrator permissions. API URL: {e.url}"
+        )
+        error |= ValidationError.PERMISSION_ERROR
+
+    return error
+
+
+def validate_boards(
+    metrics_container: metrics.MetricsContainer,
+    secret_reader: SecretReaderBase,
+    exit_on_permission_errors: bool,
+    jira_client_settings: JiraWatcherSettings | None,
+    jira_boards: Iterable[JiraBoardV1],
+    default_issue_type: str,
+    default_reopen_state: str,
+    jira_client_class: type[JiraClient] = JiraClient,
+) -> bool:
+    error = False
+    jira_clients: dict[str, JiraClient] = {}
+    for board in jira_boards:
+        logging.debug(f"[{board.name}] checking ...")
+        if board.server.server_url not in jira_clients:
+            jira_clients[board.server.server_url] = jira_client_class.create(
+                project_name=board.name,
+                token=secret_reader.read_secret(board.server.token),
+                server_url=board.server.server_url,
+                jira_watcher_settings=jira_client_settings,
+            )
+
+        jira = jira_clients[board.server.server_url]
+        jira.project = board.name
+        try:
+            error_flags = board_is_valid(
+                jira=jira,
+                board=board,
+                default_issue_type=default_issue_type,
+                default_reopen_state=default_reopen_state,
+                jira_server_priorities={p.name: p.id for p in jira.priorities()},
+            )
+            match error_flags:
+                case 0:
+                    # no errors
+                    logging.debug(f"[{board.name}] is valid")
+                case ValidationError.PERMISSION_ERROR:
+                    # we don't have all the permissions, but we can create jira tickets
+                    metrics_container.set_gauge(
+                        PermissionErrorCounter(
+                            jira_server=board.server.server_url,
+                            board=board.name,
+                        ),
+                        value=1,
+                    )
+                    # don't fail during PR checks at the moment
+                    # this make the transistion to the new integration behaviour much smoother
+                    if exit_on_permission_errors:
+                        error = True
+                case (
+                    ValidationError.PERMISSION_ERROR
+                    | ValidationError.CANT_CREATE_ISSUE
+                ):
+                    # we can't create jira tickets, and we don't have all needed the permissions
+                    error = True
+                case _:
+                    error = True
+        except Exception as e:
+            logging.error(f"[{board.name}] {e}")
+            error = True
+    return error
+
+
+def get_jira_boards(query_func: Callable) -> list[JiraBoardV1]:
+    return [
+        board
+        for board in query_jira_boards(query_func=query_func).jira_boards or []
+        if integration_is_enabled(QONTRACT_INTEGRATION, board)
+    ]
+
+
+def run(dry_run: bool, exit_on_permission_errors: bool) -> None:
     gql_api = gql.get_api()
-    settings = get_jira_settings(gql_api=gql_api)
+    settings = get_jira_settings(gql_api=gql_api.query)
+    jiralert_settings = get_jiralert_settings(query_func=gql_api.query)
     vault_settings = get_app_interface_vault_settings()
     secret_reader = create_secret_reader(use_vault=vault_settings.vault)
-    jira_boards = query_jira_boards(query_func=gql_api.query).jira_boards or []
-    error = False
-    for jira_board in jira_boards:
-        token = secret_reader.read_secret(jira_board.server.token)
-        jira = JiraClient.create(
-            project_name=jira_board.name,
-            token=token,
-            server_url=jira_board.server.server_url,
-            jira_watcher_settings=settings.jira_watcher,
+    boards = get_jira_boards(query_func=gql_api.query)
+
+    with metrics.transactional_metrics("jira-boards") as metrics_container:
+        error = validate_boards(
+            metrics_container=metrics_container,
+            secret_reader=secret_reader,
+            exit_on_permission_errors=exit_on_permission_errors,
+            jira_client_settings=settings.jira_watcher,
+            jira_boards=boards,
+            default_issue_type=jiralert_settings.default_issue_type,
+            default_reopen_state=jiralert_settings.default_reopen_state,
         )
-        if not jira.can_create_issues():
-            error = True
-            logging.error(f"can not create issues in project {jira.project}")
 
     if error:
         sys.exit(ExitCodes.ERROR)
+
+
+def early_exit_desired_state(*args: Any, **kwargs: Any) -> dict[str, Any]:
+    return {
+        "boards": gql.get_api().query(JIRA_BOARDS_DEFINITION)["jira_boards"],
+    }

reconcile/test/test_jira_permissions_validator.py

@@ -0,0 +1,386 @@
+from collections.abc import Callable, Mapping
+from typing import Any
+from unittest.mock import Mock
+
+import pytest
+from jira import JIRAError
+from pytest_mock import MockerFixture
+
+from reconcile.gql_definitions.jira_permissions_validator.jira_boards_for_permissions_validator import (
+    JiraBoardV1,
+)
+from reconcile.jira_permissions_validator import (
+    ValidationError,
+    board_is_valid,
+    get_jira_boards,
+    validate_boards,
+)
+from reconcile.test.fixtures import Fixtures
+from reconcile.utils import metrics
+from reconcile.utils.jira_client import IssueType, JiraClient, SecurityLevel
+
+
+@pytest.fixture
+def fx() -> Fixtures:
+    return Fixtures("jira_permissions_validator")
+
+
+@pytest.fixture
+def raw_fixture_data(fx: Fixtures) -> dict[str, Any]:
+    return fx.get_anymarkup("boards.yml")
+
+
+@pytest.fixture
+def query_func(
+    data_factory: Callable[[type[JiraBoardV1], Mapping[str, Any]], Mapping[str, Any]],
+    raw_fixture_data: dict[str, Any],
+) -> Callable:
+    return lambda *args, **kwargs: {
+        "jira_boards": [
+            data_factory(JiraBoardV1, item) for item in raw_fixture_data["jira_boards"]
+        ]
+    }
+
+
+@pytest.fixture
+def boards(query_func: Callable) -> list[JiraBoardV1]:
+    return get_jira_boards(query_func)
+
+
+def test_jira_permissions_validator_get_jira_boards(
+    query_func: Callable, gql_class_factory: Callable
+) -> None:
+    default = {
+        "name": "jira-board-default",
+        "server": {
+            "serverUrl": "https://jira-server.com",
+            "token": {"path": "vault/path/token", "field": "token"},
+        },
+        "issueResolveState": "Closed",
+        "severityPriorityMappings": {
+            "name": "major-major",
+            "mappings": [
+                {"priority": "Minor"},
+                {"priority": "Major"},
+                {"priority": "Critical"},
+            ],
+        },
+    }
+    custom = {
+        "name": "jira-board-custom",
+        "server": {
+            "serverUrl": "https://jira-server.com",
+            "token": {"path": "vault/path/token", "field": "token"},
+        },
+        "issueType": "bug",
+        "issueResolveState": "Closed",
+        "issueReopenState": "Open",
+        "issueSecurityId": 32168,
+        "severityPriorityMappings": {
+            "name": "major-major",
+            "mappings": [
+                {"priority": "Minor"},
+                {"priority": "Major"},
+                {"priority": "Major"},
+                {"priority": "Critical"},
+            ],
+        },
+    }
+    assert get_jira_boards(query_func) == [
+        gql_class_factory(JiraBoardV1, default),
+        gql_class_factory(JiraBoardV1, custom),
+    ]
+
+
+@pytest.mark.parametrize(
+    "board_is_valid, exit_on_permission_errors, expected, metric_set",
+    [
+        (0, True, False, False),
+        (ValidationError.CANT_CREATE_ISSUE, True, True, False),
+        (ValidationError.CANT_TRANSITION_ISSUES, True, True, False),
+        (ValidationError.INVALID_ISSUE_TYPE, True, True, False),
+        (ValidationError.INVALID_ISSUE_STATE, True, True, False),
+        (ValidationError.INVALID_SECURITY_LEVEL, True, True, False),
+        (ValidationError.INVALID_PRIORITY, True, True, False),
+        (ValidationError.PERMISSION_ERROR, True, True, True),
+        # special case: CANT_CREATE_ISSUE and PERMISSION_ERROR
+        (
+            ValidationError.CANT_CREATE_ISSUE | ValidationError.PERMISSION_ERROR,
+            True,
+            True,
+            False,
+        ),
+        (
+            ValidationError.CANT_CREATE_ISSUE | ValidationError.PERMISSION_ERROR,
+            False,
+            True,
+            False,
+        ),
+        # test with another error
+        (
+            ValidationError.INVALID_PRIORITY | ValidationError.PERMISSION_ERROR,
+            True,
+            True,
+            False,
+        ),
+        (
+            ValidationError.INVALID_PRIORITY | ValidationError.PERMISSION_ERROR,
+            False,
+            True,
+            False,
+        ),
+    ],
+)
+def test_jira_permissions_validator_validate_boards(
+    mocker: MockerFixture,
+    boards: list[JiraBoardV1],
+    secret_reader: Mock,
+    board_is_valid: ValidationError,
+    exit_on_permission_errors: bool,
+    expected: bool,
+    metric_set: bool,
+) -> None:
+    board_is_valid_mock = mocker.patch(
+        "reconcile.jira_permissions_validator.board_is_valid"
+    )
+    board_is_valid_mock.return_value = board_is_valid
+    metrics_container_mock = mocker.create_autospec(spec=metrics.MetricsContainer)
+    jira_client_class = mocker.create_autospec(spec=JiraClient)
+    assert (
+        validate_boards(
+            metrics_container=metrics_container_mock,
+            secret_reader=secret_reader,
+            exit_on_permission_errors=exit_on_permission_errors,
+            jira_client_settings=None,
+            jira_boards=boards,
+            default_issue_type="task",
+            default_reopen_state="new",
+            jira_client_class=jira_client_class,
+        )
+        == expected
+    )
+    if metric_set:
+        metrics_container_mock.set_gauge.assert_called()
+    else:
+        metrics_container_mock.set_gauge.assert_not_called()
+
+
+def test_jira_permissions_validator_board_is_valid_happy_path(
+    mocker: MockerFixture, gql_class_factory: Callable
+) -> None:
+    board = gql_class_factory(
+        JiraBoardV1,
+        {
+            "name": "jira-board-default",
+            "server": {
+                "serverUrl": "https://jira-server.com",
+                "token": {"path": "vault/path/token", "field": "token"},
+            },
+            "issueType": "bug",
+            "issueResolveState": "Closed",
+            "issueReopenState": "Open",
+            "issueSecurityId": "32168",
+            "severityPriorityMappings": {
+                "name": "major-major",
+                "mappings": [
+                    {"priority": "Minor"},
+                    {"priority": "Major"},
+                    {"priority": "Critical"},
+                ],
+            },
+        },
+    )
+    jira_client = mocker.create_autospec(spec=JiraClient)
+    jira_client.can_create_issues.return_value = True
+    jira_client.can_transition_issues.return_value = True
+    jira_client.project_issue_types.return_value = [
+        IssueType(id="1", name="task", statuses=["open", "closed"]),
+        IssueType(id="2", name="bug", statuses=["open", "closed"]),
+    ]
+    jira_client.security_levels.return_value = [
+        SecurityLevel(id="32168", name="foo"),
+        SecurityLevel(id="1", name="bar"),
+    ]
+    jira_client.project_priority_scheme.return_value = ["1", "2", "3"]
+    assert board_is_valid(
+        jira=jira_client,
+        board=board,
+        default_issue_type="task",
+        default_reopen_state="new",
+        jira_server_priorities={"Minor": "1", "Major": "2", "Critical": "3"},
+    ) == ValidationError(0)
+
+
+def test_jira_permissions_validator_board_is_valid_all_errors(
+    mocker: MockerFixture, gql_class_factory: Callable
+) -> None:
+    board = gql_class_factory(
+        JiraBoardV1,
+        {
+            "name": "jira-board-default",
+            "server": {
+                "serverUrl": "https://jira-server.com",
+                "token": {"path": "vault/path/token", "field": "token"},
+            },
+            "issueType": "bug",
+            "issueResolveState": "Closed",
+            "issueReopenState": "Open",
+            "issueSecurityId": "32168",
+            "severityPriorityMappings": {
+                "name": "major-major",
+                "mappings": [
+                    {"priority": "Minor"},
+                    {"priority": "Major"},
+                    {"priority": "Critical"},
+                ],
+            },
+        },
+    )
+    jira_client = mocker.create_autospec(spec=JiraClient)
+    jira_client.can_create_issues.return_value = False
+    jira_client.can_transition_issues.return_value = False
+    jira_client.project_issue_types.return_value = []
+    jira_client.security_levels.return_value = [
+        SecurityLevel(id="1", name="bar"),
+    ]
+    jira_client.project_priority_scheme.return_value = ["1", "2"]
+    assert (
+        board_is_valid(
+            jira=jira_client,
+            board=board,
+            default_issue_type="task",
+            default_reopen_state="new",
+            jira_server_priorities={"Minor": "1", "Major": "2", "Critical": "3"},
+        )
+        == ValidationError.CANT_CREATE_ISSUE
+        | ValidationError.CANT_TRANSITION_ISSUES
+        | ValidationError.INVALID_ISSUE_TYPE
+        | ValidationError.INVALID_ISSUE_STATE
+        | ValidationError.INVALID_SECURITY_LEVEL
+        | ValidationError.INVALID_PRIORITY
+    )
+
+
+def test_jira_permissions_validator_board_is_valid_bad_issue_status(
+    mocker: MockerFixture, gql_class_factory: Callable
+) -> None:
+    board = gql_class_factory(
+        JiraBoardV1,
+        {
+            "name": "jira-board-default",
+            "server": {
+                "serverUrl": "https://jira-server.com",
+                "token": {"path": "vault/path/token", "field": "token"},
+            },
+            "issueType": "bug",
+            "issueResolveState": "Closed",
+            "issueReopenState": "Open",
+            "issueSecurityId": "32168",
+            "severityPriorityMappings": {
+                "name": "major-major",
+                "mappings": [
+                    {"priority": "Minor"},
+                    {"priority": "Major"},
+                    {"priority": "Critical"},
+                ],
+            },
+        },
+    )
+    jira_client = mocker.create_autospec(spec=JiraClient)
+    jira_client.can_create_issues.return_value = True
+    jira_client.can_transition_issues.return_value = True
+    jira_client.project_issue_types.return_value = [
+        IssueType(id="1", name="task", statuses=["not - open", "closed"]),
+        IssueType(id="2", name="bug", statuses=["not - open", "closed"]),
+    ]
+    jira_client.security_levels.return_value = [
+        SecurityLevel(id="32168", name="foo"),
+        SecurityLevel(id="1", name="bar"),
+    ]
+    jira_client.project_priority_scheme.return_value = ["1", "2", "3"]
+    assert (
+        board_is_valid(
+            jira=jira_client,
+            board=board,
+            default_issue_type="task",
+            default_reopen_state="new",
+            jira_server_priorities={"Minor": "1", "Major": "2", "Critical": "3"},
+        )
+        == ValidationError.INVALID_ISSUE_STATE
+    )
+
+
+def test_jira_permissions_validator_board_is_valid_permission_error(
+    mocker: MockerFixture, gql_class_factory: Callable
+) -> None:
+    board = gql_class_factory(
+        JiraBoardV1,
+        {
+            "name": "jira-board-default",
+            "server": {
+                "serverUrl": "https://jira-server.com",
+                "token": {"path": "vault/path/token", "field": "token"},
+            },
+            "issueType": "bug",
+            "issueResolveState": "Closed",
+            "issueReopenState": "Open",
+            "issueSecurityId": "32168",
+            "severityPriorityMappings": {
+                "name": "major-major",
+                "mappings": [
+                    {"priority": "Minor"},
+                    {"priority": "Major"},
+                    {"priority": "Critical"},
+                ],
+            },
+        },
+    )
+    jira_client = mocker.create_autospec(spec=JiraClient)
+    jira_client.can_create_issues.side_effect = JIRAError(status_code=403)
+    assert (
+        board_is_valid(
+            jira=jira_client,
+            board=board,
+            default_issue_type="task",
+            default_reopen_state="new",
+            jira_server_priorities={"Minor": "1", "Major": "2", "Critical": "3"},
+        )
+        == ValidationError.PERMISSION_ERROR
+    )
+
+
+def test_jira_permissions_validator_board_is_valid_exception(
+    mocker: MockerFixture, gql_class_factory: Callable
+) -> None:
+    board = gql_class_factory(
+        JiraBoardV1,
+        {
+            "name": "jira-board-default",
+            "server": {
+                "serverUrl": "https://jira-server.com",
+                "token": {"path": "vault/path/token", "field": "token"},
+            },
+            "issueType": "bug",
+            "issueResolveState": "Closed",
+            "issueReopenState": "Open",
+            "issueSecurityId": "32168",
+            "severityPriorityMappings": {
+                "name": "major-major",
+                "mappings": [
+                    {"priority": "Minor"},
+                    {"priority": "Major"},
+                    {"priority": "Critical"},
+                ],
+            },
+        },
+    )
+    jira_client = mocker.create_autospec(spec=JiraClient)
+    jira_client.can_create_issues.side_effect = JIRAError(status_code=401)
+    with pytest.raises(JIRAError):
+        board_is_valid(
+            jira=jira_client,
+            board=board,
+            default_issue_type="task",
+            default_reopen_state="new",
+            jira_server_priorities={"Minor": "1", "Major": "2", "Critical": "3"},
+        )

reconcile/typed_queries/jiralert_settings.py

@@ -0,0 +1,22 @@
+from collections.abc import Callable
+
+from reconcile.gql_definitions.common.jiralert_settings import (
+    JiralertSettingsV1,
+    query,
+)
+from reconcile.utils import gql
+from reconcile.utils.exceptions import AppInterfaceSettingsError
+
+
+def get_jiralert_settings(
+    query_func: Callable | None = None,
+) -> JiralertSettingsV1:
+    """Returns App Interface Settings and raises err if none are found"""
+    if not query_func:
+        query_func = gql.get_api().query
+    data = query(query_func)
+    if data.settings and len(data.settings) == 1:
+        if data.settings[0].jiralert:
+            return data.settings[0].jiralert
+        return JiralertSettingsV1(defaultIssueType="Task", defaultReopenState="To Do")
+    raise AppInterfaceSettingsError("jira settings not uniquely defined.")

reconcile/utils/jira_client.py

@@ -16,6 +16,7 @@ from jira import (
     Issue,
 )
 from jira.client import ResultList
+from pydantic import BaseModel
 
 from reconcile.utils.secret_reader import SecretReader
 
@@ -25,6 +26,28 @@ class JiraWatcherSettings(Protocol):
     connect_timeout: int
 
 
+class SecurityLevel(BaseModel):
+    """Jira security level."""
+
+    id: str
+    name: str
+
+
+class Priority(BaseModel):
+    """Jira priority."""
+
+    id: str
+    name: str
+
+
+class IssueType(BaseModel):
+    """Jira issue type."""
+
+    id: str
+    name: str
+    statuses: list[str]
+
+
 class JiraClient:
     """Wrapper around Jira client."""
 
@@ -156,3 +179,29 @@ class JiraClient:
 
     def can_create_issues(self) -> bool:
         return self.can_i("CREATE_ISSUES")
+
+    def can_transition_issues(self) -> bool:
+        return self.can_i("TRANSITION_ISSUES")
+
+    def project_issue_types(self, project: str) -> list[IssueType]:
+        return [
+            IssueType(id=t.id, name=t.name, statuses=[s.name for s in t.statuses])
+            for t in self.jira.issue_types_for_project(project)
+        ]
+
+    def security_levels(self) -> list[SecurityLevel]:
+        """Return a list of all available security levels for the project.
+
+        This API endpoint needs admin/owner project permissions.
+        """
+        scheme = self.jira.project_issue_security_level_scheme(self.project)
+        return [SecurityLevel(id=level.id, name=level.name) for level in scheme.levels]
+
+    def priorities(self) -> list[Priority]:
+        """Return a list of all available Jira priorities."""
+        return [Priority(id=p.id, name=p.name) for p in self.jira.priorities()]
+
+    def project_priority_scheme(self) -> list[str]:
+        """Return a list of all priority IDs for the project."""
+        scheme = self.jira.project_priority_scheme(self.project)
+        return scheme.optionIds