From c0898b56e75e4c8e98594f3cf36de62f620575b3 Mon Sep 17 00:00:00 2001 From: Jeff Ohrstrom Date: Thu, 12 Dec 2024 09:47:09 -0500 Subject: [PATCH 1/4] add more tests for ondemand.d files --- molecule/default/fixtures/ondemand.d/globus.yml | 7 +++++++ molecule/default/prepare.yml | 5 +++++ molecule/default/tasks/verify_custom.yml | 16 +++++++++++++++- molecule/default/vars/ondemand.yml | 12 ++++++++++++ 4 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 molecule/default/fixtures/ondemand.d/globus.yml diff --git a/molecule/default/fixtures/ondemand.d/globus.yml b/molecule/default/fixtures/ondemand.d/globus.yml new file mode 100644 index 0000000..8ededae --- /dev/null +++ b/molecule/default/fixtures/ondemand.d/globus.yml @@ -0,0 +1,7 @@ +globus_endpoints: +- endpoint: 716de4ac-xxxx-xxxx-xxxx-xxxxxxxxxxxx + endpoint_path: / + path: <%= CurrentUser.home %> +- endpoint: 9f1fe759-xxxx-xxxx-xxxx-xxxxxxxxxxxx + endpoint_path: / + path: /project diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index a537994..e5f8ea3 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -15,3 +15,8 @@ - ca-certificates - systemd - git + + - name: Create secondary group + ansible.builtin.group: + name: specialusers + state: present diff --git a/molecule/default/tasks/verify_custom.yml b/molecule/default/tasks/verify_custom.yml index 982c2f5..fa97c3d 100644 --- a/molecule/default/tasks/verify_custom.yml +++ b/molecule/default/tasks/verify_custom.yml @@ -12,6 +12,7 @@ - { src: "fixtures/config/auth_openidc.conf", dest: "auth_openidc.conf" } - { src: "fixtures/ondemand.d/ondemand_custom.yml", dest: "ondemand.yml" } - { src: "fixtures/ondemand.d/motd.yml", dest: "motd.yml" } + - { src: "fixtures/ondemand.d/globus.yml", dest: "globus.yml" } - name: Verify config files ansible.builtin.command: "diff /tmp/{{ item.left }} {{ item.right }}" 
@@ -25,6 +26,7 @@ - { left: "auth_openidc.conf", right: "{{ apache_conf_dir }}/auth_openidc.conf" } - { left: "ondemand.yml", right: "{{ ood_base_conf_dir }}/ondemand.d/ondemand.yml" } - { left: "motd.yml", right: "{{ ood_base_conf_dir }}/ondemand.d/motd.yml" } + - { left: "globus.yml", right: "{{ ood_base_conf_dir }}/ondemand.d/globus.yml" } changed_when: false - name: Verify sys/jupyter was installed correctly @@ -41,4 +43,16 @@ dest: '/var/www/ood/apps/dev/customdir' clone: no update: no - version: v1.0.1 \ No newline at end of file + version: v1.0.1 + +- name: ensure globus.yml has right permissions + ansible.builtin.file: + path: /etc/ood/config/ondemand.d/globus.yml + group: specialusers + owner: root + mode: 640 + state: file + register: globus_perms + failed_when: globus_perms['changed'] is true + +- debug: var=globus_perms \ No newline at end of file diff --git a/molecule/default/vars/ondemand.yml b/molecule/default/vars/ondemand.yml index 68a715b..627e0d1 100644 --- a/molecule/default/vars/ondemand.yml +++ b/molecule/default/vars/ondemand.yml @@ -71,3 +71,15 @@ ood_ondemand_d_configs: motd: content: motd_render_html: true + globus: + content: + globus_endpoints: + - path: "<%= CurrentUser.home %>" + endpoint: "716de4ac-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + endpoint_path: "/" + + - path: "/project" + endpoint: "9f1fe759-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + endpoint_path: "/" + group: specialusers + mode: 640 From e3fcf4cafff5e2552ced4228adb5e9c7d2bcdbfe Mon Sep 17 00:00:00 2001 From: Jeff Ohrstrom Date: Thu, 12 Dec 2024 10:01:03 -0500 Subject: [PATCH 2/4] add README item for this feature --- README.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/README.md b/README.md index 20ba410..6ac2bdb 100644 --- a/README.md +++ b/README.md 
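Review bot: `mode: 640` in the `globus` entry added to molecule/default/vars/ondemand.yml is a bare YAML integer, and Ansible's file modules read an integer mode as decimal, so 640 becomes octal 1200 rather than 0640 unless something converts it to a string first. The `ansible.builtin.file` check added to verify_custom.yml in the preceding hunk passes the same literal straight to the module, and the README example in PATCH 2/4 repeats it for users to copy. Whether the role's templating turns the variable into a string before it reaches the module is not visible in this patch. For a file that is meant to be readable only by `root` and `specialusers`, the safe form is the quoted octal string, `mode: "0640"`, in all three places.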
@@ -15,6 +15,7 @@ This ansible role installs and configures [Open OnDemand](https://openondemand.o - [ood_apps](#ood_apps) - [Open ID Connect](#open-id-connect) - [Install Dex](#install-dex) + - [OnDemand.d Configurations](#ondemandd-configurations) - [Contributing](#contributing) ## Version compatibility 
@@ -294,6 +295,51 @@ See [auth\_openidc](https://github.com/zmartzone/mod_auth_openidc) for more info To install dex for OIDC use set the flag `install_ondemand_dex` to true and it will install the package. +### OnDemand.d Configurations + +In the 4.0 release of this role, configurations for `ondemand.d` files was changed. +While this role will continue to support the old way of specifing each +variable and writing them all out to a single `ondemand.d/ondemand.yml` file, +users should begin to migrate to the new way to write these files. + +4.0 introduced `ood_ondemand_d_configs` which will in turn write out as many files +as you've provided. + +Each configuration at a minimum needs `content` which will be the content of +the file that's begin written. It can additionally accept ``group`` and ``mode`` +to set the file's group ownership and file access mode. These files are always +owned by the ``root`` user. + +In this example, we're writing out two files, ``motd.yml`` and ``globus.yml``. +These filenames are given by the top level keys under ``ood_ondemand_d_configs``. + +``content`` specifies the content of the file that's going to be written out. +This should be in YAML and will be written out in YAML. + +In this configuration ``motd.yml`` will be written out with ``644 root:root`` +permissions. ``globus.yml`` on the other hand will be written out with +``640 root:specialusers`` permissions so it'll only be available for certain +users. + +```yaml +ood_ondemand_d_configs: + motd: + content: + motd_render_html: true + globus: + content: + globus_endpoints: + - path: "<%= CurrentUser.home %>" + endpoint: "716de4ac-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + endpoint_path: "/" + + - path: "/project" + endpoint: "9f1fe759-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + endpoint_path: "/" + group: specialusers + mode: 640 +``` + ## Contributing If you run into an issue or have a feature request or fixed some issue, let us know! PRs welcome! Even if you 
From a6e3af6fd754a32bf41c9438a5b374e930952e1b Mon Sep 17 00:00:00 2001 From: Jeff Ohrstrom Date: Thu, 12 Dec 2024 10:12:33 -0500 Subject: [PATCH 3/4] dont need this debug task --- molecule/default/tasks/verify_custom.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/molecule/default/tasks/verify_custom.yml b/molecule/default/tasks/verify_custom.yml index fa97c3d..e16a11d 100644 --- a/molecule/default/tasks/verify_custom.yml +++ b/molecule/default/tasks/verify_custom.yml @@ -54,5 +54,3 @@ state: file register: globus_perms failed_when: globus_perms['changed'] is true - -- debug: var=globus_perms \ No newline at end of file From 692e9d1d8bda9e2520935313f6b827579de838ec Mon Sep 17 00:00:00 2001 From: Jeff Ohrstrom Date: Thu, 12 Dec 2024 12:11:11 -0500 Subject: [PATCH 4/4] fix this test --- molecule/default/tasks/verify_custom.yml | 25 +++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/molecule/default/tasks/verify_custom.yml b/molecule/default/tasks/verify_custom.yml index e16a11d..12ec90a 100644 --- a/molecule/default/tasks/verify_custom.yml +++ b/molecule/default/tasks/verify_custom.yml 
@@ -45,12 +45,23 @@ update: no version: v1.0.1 -- name: ensure globus.yml has right permissions - ansible.builtin.file: +- name: Get globus.yml file stats. + stat: path: /etc/ood/config/ondemand.d/globus.yml - group: specialusers - owner: root - mode: 640 - state: file register: globus_perms - failed_when: globus_perms['changed'] is true + +- debug: var=globus_perms + +- name: Assert that globus.yml has correct permissions + assert: + that: + - "globus_perms.stat.mode == '0640'" + success_msg: 'globus.yml has correct permissions.' + fail_msg: "globus.yml permissions are {{ globus_perms.stat.mode }} when they should be '0640'" + +- name: Assert that globus.yml has correct group ownership + assert: + that: + - "globus_perms.stat.gr_name == 'specialusers'" + success_msg: 'globus.yml has correct group ownership.' + fail_msg: "globus.yml group ownership is {{ globus_perms.stat.gr_name }} when they should be 'specialusers'"
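Review bot: The rewritten check no longer verifies the file's owner: the `ansible.builtin.file` task it replaces pinned `owner: root`, but the new asserts cover only `stat.mode` and `stat.gr_name`. The README added in this series states these files are always owned by root, so adding `- "globus_perms.stat.pw_name == 'root'"` to one of the `that:` lists would catch an ownership regression on this group-restricted file. The hunk also brings back `- debug: var=globus_perms`, which PATCH 3/4 removed as unneeded. It uses the short module names `stat`, `assert` and `debug`, where the other tasks visible in this file use the `ansible.builtin.*` form.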