qontract-reconcile 0.10.1rc508__py3-none-any.whl → 0.10.1rc510__py3-none-any.whl

{qontract_reconcile-0.10.1rc508.dist-info → qontract_reconcile-0.10.1rc510.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc508
+Version: 0.10.1rc510
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc508.dist-info → qontract_reconcile-0.10.1rc510.dist-info}/RECORD

@@ -62,7 +62,7 @@ reconcile/ocm_update_recommended_version.py,sha256=IYkfLXIprOW1jguZeELcGP1iBPuj-
 reconcile/ocm_upgrade_scheduler_org_updater.py,sha256=ta8hMJ-su5mRcPpYrvB1COsojXV-SU3PzLPbQhy2Q0I,4190
 reconcile/openshift_base.py,sha256=7aifvl-ay5wpY6encbUX9pGbKdjiwJmevZ3XWGRzpCM,49696
 reconcile/openshift_cluster_bots.py,sha256=cdvIIXBh7QZl3g7ZheCR2NeI_Pq4eKn-hJPoixl9NS8,10168
-reconcile/openshift_clusterrolebindings.py,sha256=uSptf8xPiPpPRq94dKVe3w--grO1mMeZU5G17oIbUoQ,5816
+reconcile/openshift_clusterrolebindings.py,sha256=QfSy1Ik8eEY5XObc1Q4xyhqyErZenJmbPv_u9wcDNNo,5864
 reconcile/openshift_groups.py,sha256=d-qGI1aUEpZZLZq7PuSnjVDgsy5EB063CQr2tNvYPCE,9419
 reconcile/openshift_limitranges.py,sha256=UvCGo_OQ4XoDK55TJmn55qEhhlkhLzhU12tX8nT5kPQ,3442
 reconcile/openshift_namespace_labels.py,sha256=dLkQgtgsD51WtDHiQOc-lF2yaaFzkiUAZ7ueKUkg-ZM,15669
@@ -585,6 +585,10 @@ reconcile/utils/unleash.py,sha256=1D56CsZfE3ShDtN3IErE1T2eeIwNmxhK-yYbCotJ99E,36
 reconcile/utils/vault.py,sha256=S0eHqvZ9N3fya1E8YDaUffEvLk_fdtpzL4rvWn6f828,14991
 reconcile/utils/vaultsecretref.py,sha256=3Ed2uBy36TzSvL0B-l4FoWQqB2SbBKDKEuUPIO608Bo,931
 reconcile/utils/vcs.py,sha256=o1r0n_IrU2El75CED_6sjR2GZGM-exuWsj5F7jONaMU,6779
+reconcile/utils/acs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/utils/acs/base.py,sha256=Qih-xZ3RBJZEE291iHHlv7lUY6ShcAvSj1PA3_aTTnM,2276
+reconcile/utils/acs/policies.py,sha256=ucmvWhcu9I5uumOyFIr5POb64TqHNNJ8LutZWo2Jw7k,5099
+reconcile/utils/acs/rbac.py,sha256=ugsLM9Pb7FbUbdq85E3VzXGMaB9ZovXob7tdWCxwqZ8,8808
 reconcile/utils/cloud_resource_best_practice/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/utils/cloud_resource_best_practice/aws_rds.py,sha256=EvE6XKLsrZ531MJptKqPht2lOETrOjySTHXk6CzMgo0,2279
 reconcile/utils/glitchtip/__init__.py,sha256=FT6iBhGqoe7KExFdbgL8AYUb64iW_4snF5__Dcl7yt0,258
@@ -661,8 +665,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=d18KrdhtUGqoC7_kWZU128U0-VJEj-0rjFkLVufcI6I,2755
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc508.dist-info/METADATA,sha256=Dbs0FBqea-1B7hfU1DYUgteYYPDKOLLm9M49EKc_yDs,2349
-qontract_reconcile-0.10.1rc508.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-qontract_reconcile-0.10.1rc508.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
-qontract_reconcile-0.10.1rc508.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc508.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc510.dist-info/METADATA,sha256=GZqpYG08olXHPFA1b6JcnDqPweC-vf7spJk2BXC6vZU,2349
+qontract_reconcile-0.10.1rc510.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+qontract_reconcile-0.10.1rc510.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
+qontract_reconcile-0.10.1rc510.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc510.dist-info/RECORD,,

reconcile/openshift_clusterrolebindings.py

@@ -159,6 +159,7 @@ def run(dry_run, thread_pool_size=10, internal=None, use_jump_host=True, defer=N
         cluster_info
         for cluster_info in queries.get_clusters()
         if cluster_info.get("managedClusterRoles")
+        and cluster_info.get("automationToken")
     ]
     ri, oc_map = ob.fetch_current_state(
         clusters=clusters,

reconcile/utils/acs/base.py

@@ -0,0 +1,72 @@
+from collections.abc import Callable
+from typing import (
+    Any,
+    Optional,
+    Self,
+)
+
+import requests
+
+from reconcile.gql_definitions.acs.acs_instances import AcsInstanceV1
+from reconcile.gql_definitions.acs.acs_instances import query as acs_instances_query
+from reconcile.utils.exceptions import AppInterfaceSettingsError
+
+
+class AcsBaseApi:
+    def __init__(
+        self,
+        instance: Any,
+        timeout: int = 30,
+    ) -> None:
+        self.base_url = instance["url"]
+        self.token = instance["token"]
+        self.timeout = timeout
+        self.session = requests.Session()
+
+    def __enter__(self) -> Self:
+        return self
+
+    def __exit__(self, exc_type: Any, exc_value: Any, traceback: Any) -> None:
+        self.session.close()
+
+    @staticmethod
+    def get_acs_instance(query_func: Callable) -> AcsInstanceV1:
+        """
+        Get an ACS instance
+
+        :param query_func: function which queries GQL Server
+        """
+        if instances := acs_instances_query(query_func=query_func).instances:
+            # mirroring logic for gitlab instances
+            # current assumption is for appsre to only utilize one instance
+            if len(instances) != 1:
+                raise AppInterfaceSettingsError("More than one ACS instance found!")
+            return instances[0]
+        raise AppInterfaceSettingsError("No ACS instance found!")
+
+    @staticmethod
+    def check_len_attributes(attrs: list[Any], api_data: Any) -> None:
+        # generic attribute check function for expected types with valid len()
+        for attr in attrs:
+            value = api_data.get(attr)
+            if value is None or len(value) == 0:
+                raise ValueError(
+                    f"Attribute '{attr}' must exist and not be empty\n\t{api_data}"
+                )
+
+    def generic_request(
+        self, path: str, verb: str, json: Optional[Any] = None
+    ) -> requests.Response:
+        url = f"{self.base_url}{path}"
+        headers = {
+            "Authorization": f"Bearer {self.token}",
+        }
+        response = self.session.request(
+            verb,
+            url,
+            headers=headers,
+            json=json,
+            timeout=self.timeout,
+        )
+        response.raise_for_status()
+        return response

reconcile/utils/acs/policies.py

@@ -0,0 +1,151 @@
+from typing import Any, Optional
+
+from pydantic import BaseModel
+
+from reconcile.utils.acs.base import AcsBaseApi
+
+
+class Scope(BaseModel):
+    """
+    Scope represents a single cluster or namespace that an acs security policy is applied to.
+    """
+
+    cluster: str
+    namespace: Optional[str]
+
+
+class PolicyCondition(BaseModel):
+    """
+    PolicyCondition represents a single condition criteria enforced within an ACS security policy.
+    Current attributes support subset of "build" lifecycle condition criteria.
+    See section 6.4.3 for table of all condition criteria:
+    https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_security_for_kubernetes/4.3/html/operating/manage-security-policies
+    """
+
+    field_name: str
+    negate: Optional[bool]
+    values: list[str]
+
+
+class Policy(BaseModel):
+    """
+    Policy is minimum attributes required to represent an ACS security policy
+    https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_security_for_kubernetes/4.3/html/operating/manage-security-policies
+    """
+
+    name: str
+    description: str
+    notifiers: list[str]
+    categories: list[str]
+    severity: str
+    scope: list[Scope]
+    conditions: list[PolicyCondition]
+
+
+class AcsPolicyApi(AcsBaseApi):
+    """
+    Implements methods to support reconcile operations against the ACS PolicyService api
+    """
+
+    def _build_policy(
+        self, api_policy: Any, conditions: list[PolicyCondition]
+    ) -> Policy:
+        return Policy(
+            name=api_policy["name"],
+            description=api_policy["description"],
+            notifiers=sorted(api_policy["notifiers"]),
+            categories=sorted(api_policy["categories"]),
+            severity=api_policy["severity"],
+            scope=sorted(
+                [
+                    Scope(
+                        cluster=s["cluster"],
+                        namespace=s["namespace"],
+                    )
+                    for s in api_policy["scope"]
+                ],
+                key=lambda s: s.cluster,
+            ),
+            conditions=conditions,
+        )
+
+    def _build_policy_condition(self, api_policy_group: Any) -> PolicyCondition:
+        return PolicyCondition(
+            field_name=api_policy_group["fieldName"],
+            values=[v["value"] for v in api_policy_group["values"]],
+            negate=api_policy_group["negate"],
+        )
+
+    def list_custom_policies(self) -> list[Any]:
+        # retrieve summary data for each custom policy
+        return [
+            p
+            for p in self.generic_request("/v1/policies", "GET").json()["policies"]
+            if not p["isDefault"]
+        ]
+
+    def get_custom_policies(self) -> list[Policy]:
+        custom_policy_ids = [p["id"] for p in self.list_custom_policies()]
+        # make individual policy requests to obtain further details
+        custom_policies_api_result = [
+            self.generic_request(f"/v1/policies/{pid}", "GET").json()
+            for pid in custom_policy_ids
+        ]
+        return [
+            self._build_policy(
+                api_policy=cp,
+                conditions=[
+                    self._build_policy_condition(group)
+                    for section in cp["policySections"]
+                    for group in section.get("policyGroups", [])
+                ],
+            )
+            for cp in custom_policies_api_result
+        ]
+
+    def create_or_update_policy(self, desired: Policy, id: str = "") -> None:
+        body = {
+            "name": desired.name,
+            "description": desired.description,
+            "categories": desired.categories,
+            "severity": desired.severity,
+            "notifiers": desired.notifiers,
+            "isDefault": False,
+            "disabled": False,
+            "scope": [
+                {"cluster": s.cluster, "namespace": s.namespace} for s in desired.scope
+            ],
+            "lifecycleStages": [
+                "BUILD"
+            ],  # all currently supported policy criteria are classified as 'build' stage
+            "policySections": [
+                {
+                    "sectionName": "primary",
+                    "policyGroups": [
+                        {
+                            "fieldName": c.field_name,
+                            "negate": c.negate,
+                            "values": [{"value": v} for v in c.values],
+                        }
+                        for c in desired.conditions
+                    ],
+                }
+            ],
+        }
+        if id:
+            self.generic_request(f"/v1/policies/{id}", "PUT", body)
+        else:
+            self.generic_request("/v1/policies", "POST", body)
+
+    def delete_policy(self, id: str) -> None:
+        self.generic_request(f"/v1/policies/{id}", "DELETE")
+
+    class NotifierIdentifiers(BaseModel):
+        id: str
+        name: str
+
+    def list_notifiers(self) -> list[NotifierIdentifiers]:
+        return [
+            self.NotifierIdentifiers(id=c["id"], name=c["name"])
+            for c in self.generic_request("/v1/notifiers", "GET").json()["notifiers"]
+        ]

reconcile/utils/acs/rbac.py

@@ -0,0 +1,277 @@
+from typing import Any
+
+from pydantic import BaseModel
+
+from reconcile.utils.acs.base import AcsBaseApi
+
+
+class Role(BaseModel):
+    name: str
+    permission_set_id: str
+    access_scope_id: str
+    description: str
+    system_default: bool
+
+    def __init__(self, api_data: Any) -> None:
+        # attributes defined within stackrox(ACS) API for GET /v1/roles
+        AcsBaseApi.check_len_attributes(
+            ["name", "permissionSetId", "accessScopeId"],
+            api_data,
+        )
+
+        # traits is populated for system default resources and contains `origin: DEFAULT`
+        # this attribute is used to ignore such resources from reconciliation
+        traits = api_data.get("traits")
+        is_default = traits is not None and traits.get("origin") == "DEFAULT"
+
+        super().__init__(
+            name=api_data["name"],
+            permission_set_id=api_data["permissionSetId"],
+            access_scope_id=api_data["accessScopeId"],
+            description=api_data.get("description", ""),
+            system_default=is_default,
+        )
+
+
+class Group(BaseModel):
+    id: str
+    role_name: str
+    auth_provider_id: str
+    key: str
+    value: str
+
+    def __init__(self, api_data: Any) -> None:
+        # attributes defined within stackrox(ACS) API for GET /v1/groups
+        AcsBaseApi.check_len_attributes(["roleName", "props"], api_data)
+        if api_data["roleName"] != "None":
+            AcsBaseApi.check_len_attributes(
+                ["id", "authProviderId", "key", "value"], api_data["props"]
+            )
+        else:
+            # it is valid for the default None group to contain empty key/value
+            AcsBaseApi.check_len_attributes(["id", "authProviderId"], api_data["props"])
+
+        super().__init__(
+            role_name=api_data["roleName"],
+            id=api_data["props"]["id"],
+            auth_provider_id=api_data["props"]["authProviderId"],
+            key=api_data["props"]["key"],
+            value=api_data["props"]["value"],
+        )
+
+
+class AccessScope(BaseModel):
+    id: str
+    name: str
+    description: str
+    clusters: list[str]
+    namespaces: list[dict[str, str]]
+
+    def __init__(self, api_data: Any) -> None:
+        # attributes defined within stackrox(ACS) API for GET /v1/simpleaccessscopes/{id}
+        unrestricted = False
+        AcsBaseApi.check_len_attributes(["id", "name"], api_data)
+
+        # it is valid for the default Unrestricted access scope to have null 'rules'
+        unrestricted = api_data["name"] == "Unrestricted"
+        if not unrestricted:
+            AcsBaseApi.check_len_attributes(["rules"], api_data)
+
+        super().__init__(
+            id=api_data["id"],
+            name=api_data["name"],
+            clusters=[]
+            if unrestricted
+            else api_data["rules"].get("includedClusters", []),
+            namespaces=[]
+            if unrestricted
+            else api_data["rules"].get("includedNamespaces", []),
+            description=api_data.get("description", ""),
+        )
+
+
+class PermissionSet(BaseModel):
+    id: str
+    name: str
+
+    def __init__(self, api_data: Any) -> None:
+        # attributes defined within stackrox(ACS) API for GET /v1/permissionsets/{id}
+        AcsBaseApi.check_len_attributes(["id", "name"], api_data)
+
+        super().__init__(id=api_data["id"], name=api_data["name"])
+
+
+class RbacResources(BaseModel):
+    roles: list[Role]
+    access_scopes: list[AccessScope]
+    groups: list[Group]
+    permission_sets: list[PermissionSet]
+
+
+class AcsRbacApi(AcsBaseApi):
+    def get_roles(self) -> list[Role]:
+        response = self.generic_request("/v1/roles", "GET")
+        return [Role(r) for r in response.json()["roles"]]
+
+    def create_role(
+        self, name: str, desc: str, permission_set_id: str, access_scope_id: str
+    ) -> None:
+        json = {
+            "name": name,
+            "description": desc,
+            "permissionSetId": permission_set_id,
+            "accessScopeId": access_scope_id,
+        }
+
+        self.generic_request(f"/v1/roles/{name}", "POST", json)
+
+    def update_role(
+        self, name: str, desc: str, permission_set_id: str, access_scope_id: str
+    ) -> None:
+        json = {
+            "name": name,
+            "description": desc,
+            "permissionSetId": permission_set_id,
+            "accessScopeId": access_scope_id,
+        }
+
+        self.generic_request(f"/v1/roles/{name}", "PUT", json)
+
+    def delete_role(self, name: str) -> None:
+        self.generic_request(f"/v1/roles/{name}", "DELETE")
+
+    def get_groups(self) -> list[Group]:
+        response = self.generic_request("/v1/groups", "GET")
+        return [Group(g) for g in response.json()["groups"]]
+
+    class GroupAdd(BaseModel):
+        role_name: str
+        key: str
+        value: str
+        auth_provider_id: str
+
+    def create_group_batch(self, additions: list[GroupAdd]) -> None:
+        json = {
+            "previousGroups": [],
+            "requiredGroups": [
+                {
+                    "roleName": group.role_name,
+                    "props": {
+                        "id": "",
+                        "authProviderId": group.auth_provider_id,
+                        "key": group.key,
+                        "value": group.value,
+                    },
+                }
+                for group in additions
+            ],
+        }
+
+        self.generic_request("/v1/groupsbatch", "POST", json)
+
+    def delete_group_batch(self, removals: list[Group]) -> None:
+        json = {
+            "previousGroups": [
+                {
+                    "roleName": group.role_name,
+                    "props": {
+                        "id": group.id,
+                        "authProviderId": group.auth_provider_id,
+                        "key": group.key,
+                        "value": group.value,
+                    },
+                }
+                for group in removals
+            ],
+            "requiredGroups": [],
+        }
+
+        self.generic_request("/v1/groupsbatch", "POST", json)
+
+    def update_group_batch(self, old: list[Group], new: list[GroupAdd]) -> None:
+        json = {
+            "previousGroups": [
+                {
+                    "roleName": o.role_name,
+                    "props": {
+                        "id": o.id,
+                        "authProviderId": o.auth_provider_id,
+                        "key": o.key,
+                        "value": o.value,
+                    },
+                }
+                for o in old
+            ],
+            "requiredGroups": [
+                {
+                    "roleName": n.role_name,
+                    "props": {
+                        "id": "",
+                        "authProviderId": n.auth_provider_id,
+                        "key": n.key,
+                        "value": n.value,
+                    },
+                }
+                for n in new
+            ],
+        }
+        self.generic_request("/v1/groupsbatch", "POST", json)
+
+    def get_access_scopes(self) -> list[AccessScope]:
+        response = self.generic_request("/v1/simpleaccessscopes", "GET")
+        return [AccessScope(a) for a in response.json()["accessScopes"]]
+
+    def create_access_scope(
+        self,
+        name: str,
+        desc: str,
+        clusters: list[str],
+        namespaces: list[dict[str, str]],
+    ) -> str:
+        # response is the created access_scope id
+        json = {
+            "name": name,
+            "description": desc,
+            "rules": {
+                "includedClusters": clusters,
+                "includedNamespaces": namespaces,
+            },
+        }
+
+        response = self.generic_request("/v1/simpleaccessscopes", "POST", json)
+
+        return response.json()["id"]
+
+    def delete_access_scope(self, id: str) -> None:
+        self.generic_request(f"/v1/simpleaccessscopes/{id}", "DELETE")
+
+    def update_access_scope(
+        self,
+        id: str,
+        name: str,
+        desc: str,
+        clusters: list[str],
+        namespaces: list[dict[str, str]],
+    ) -> None:
+        json = {
+            "name": name,
+            "description": desc,
+            "rules": {
+                "includedClusters": clusters,
+                "includedNamespaces": namespaces,
+            },
+        }
+
+        self.generic_request(f"/v1/simpleaccessscopes/{id}", "PUT", json)
+
+    def get_permission_sets(self) -> list[PermissionSet]:
+        response = self.generic_request("/v1/permissionsets", "GET")
+        return [PermissionSet(p) for p in response.json()["permissionSets"]]
+
+    def get_rbac_resources(self) -> RbacResources:
+        return RbacResources(
+            roles=self.get_roles(),
+            access_scopes=self.get_access_scopes(),
+            groups=self.get_groups(),
+            permission_sets=self.get_permission_sets(),
+        )