redhat-cop · ivarmu · Oct 30, 2024 · Oct 6, 2024 · Oct 14, 2024 · Oct 14, 2024
@@ -0,0 +1,4 @@
+---
+feature_change:
+  - filetree_create is able to export access list of given object
+...
diff --git a/roles/filetree_create/README.md b/roles/filetree_create/README.md
@@ -27,6 +27,10 @@ The following variables are required for that role to work properly:
 | `organization`| N/A | no | str | Default organization for all objects that have not been set in the source controller.|
 | `export_related_objects` | False | no | bool | Whether to export related objects (job templates related to certain workflows and the projects associated with these job templates) when a single JT or a single WFJT are being exported. |
 | `update_project_state` | False | no | bool | Whether the project should be updated after import to the target controller. |
+| `object_id` | N/A | no | int | Specifying object id with object type exports the access list of object |
+| `object_name` | N/A | no | int | Specifying object name with object type exports the access list of object |
+| `object_type` | N/A | no | str | Specifying object type with object id exports the access list of object |
+
 
 ## Dependencies
 

@@ -0,0 +1,62 @@
+---
+- name: "Get object id from API"
+  when: object_name is defined
+  ansible.builtin.set_fact:
+    object_id: "{{ (query(controller_api_plugin, 'api/v2/' + {{ object_type }},
+                          query_params=({'name': object_name}),
+                          host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs,
+                          return_all=true, max_objects=query_controller_api_max_objects)
+                    }}).0.id"
+  no_log: "{{ controller_configuration_filetree_create_secure_logging }}"
+
+- name: "Get access list for object from the API"
+  ansible.builtin.set_fact:
+    access_lookvar: "{{ query(controller_api_plugin, 'api/v2/' + {{ object_type }} + '/' + {{ object_id }} + '/access_list',
+                               host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs,
+                               return_all=true, max_objects=query_controller_api_max_objects)
+                    }}"
+  no_log: "{{ controller_configuration_filetree_create_secure_logging }}"
+
+- name: "Set team direct access fact"
+  ansible.builtin.set_fact:
+    team_direct_access_fact: "{{ access_lookvar | map(attribute='summary_fields.direct_access') | flatten | map(attribute='role') | selectattr('team_name', 'defined') }}"
+
+- name: "Set roles and object lists"
+  ansible.builtin.set_fact:
+    team_roles: "{{ team_direct_access_fact | map(attribute='name') | unique }}"
+    team_objects: "{{ team_direct_access_fact | map(attribute='resource_name') | unique }}"
+
+- name: "Set team roles matrix"
+  ansible.builtin.set_fact:
+    team_roles_matrix: >-
+      {{ team_roles_matrix | default([]) + [{ 'role': item.0,
+                                              'team': team_direct_access_fact | selectattr('name','equalto', item.0) |
+                                                                                selectattr('resource_name','equalto', item.1) |
+                                                                                map(attribute='team_name') | unique,
+                                              'resource_type': team_direct_access_fact | selectattr('name','equalto', item.0) |
+                                                                                         selectattr('resource_name','equalto', item.1) |
+                                                                                         map(attribute='resource_type') | unique,
+                                              'resource_name': item.1
+                                           }]
+      }}
+  when: team_direct_access_fact | selectattr('name','equalto', item.0) | selectattr('resource_name','equalto', item.1) | map(attribute='team_name') | length > 0
+  loop: "{{ team_roles | product(team_objects) | list }}"
+
+- name: "Create the output directory for team roles"
+  ansible.builtin.file:
+    path: "{{ output_path }}/team_roles"
+    state: directory
+    mode: '0755'
+  loop: "{{ team_roles_matrix }}"
+  loop_control:
+    loop_var: team_role
+
+- name: "Add current roles to the output yaml file"
+  ansible.builtin.template:
+    src: "templates/current_team_access_list.j2"
+    dest: "{{ output_path }}/team_roles/{{ team_role.resource_name | default('current') }}_roles_{{ team_role.role | regex_replace('/', '_') }}.yaml"
+    mode: '0644'
+  loop: "{{ team_roles_matrix }}"
+  loop_control:
+    loop_var: team_role
+...
@@ -0,0 +1,73 @@
+---
+- name: "Get object id from API"
+  when: object_name is defined
+  ansible.builtin.set_fact:
+    object_id: "{{ (query(controller_api_plugin, 'api/v2/' + {{ object_type }},
+                          query_params=({'name': object_name}),
+                          host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs,
+                          return_all=true, max_objects=query_controller_api_max_objects)
+                    }}).0.id"
+  no_log: "{{ controller_configuration_filetree_create_secure_logging }}"
+
+- name: "Get access list for object from the API"
+  ansible.builtin.set_fact:
+    access_lookvar: "{{ query(controller_api_plugin, 'api/v2/' + {{ object_type }} + '/' + {{ object_id }} + '/access_list',
+                               host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs,
+                               return_all=true, max_objects=query_controller_api_max_objects)
+                    }}"
+  no_log: "{{ controller_configuration_filetree_create_secure_logging }}"
+
+- name: "Get user list"
+  ansible.builtin.set_fact:
+    user_list: "{{ access_lookvar | selectattr('username', 'defined') | map(attribute='username') | unique }}"
+
+- name: "Set direct user access fact"
+  ansible.builtin.set_fact:
+    user_direct_access_fact: >-
+      {{ user_direct_access_fact | default([]) + access_lookvar | selectattr('username', 'equalto', item) |
+                                                                  rejectattr('summary_fields.direct_access', 'equalto', []) |
+                                                                  map(attribute='summary_fields.direct_access') | flatten |
+                                                                  map(attribute='role') |
+                                                                  rejectattr('team_name', 'defined') |
+                                                                  map('combine', {'username': item})
+      }}
+  loop: "{{ user_list }}"
+
+- name: "Set roles and object lists"
+  ansible.builtin.set_fact:
+    user_roles: "{{ user_direct_access_fact | map(attribute='name') | unique }}"
+    user_objects: "{{ user_direct_access_fact | map(attribute='resource_name') | unique }}"
+
+- name: "Set user roles matrix"
+  ansible.builtin.set_fact:
+    user_roles_matrix: >-
+      {{ user_roles_matrix | default([]) + [{ 'role': item.0,
+                                              'user': user_direct_access_fact | selectattr('name','equalto', item.0) | selectattr('resource_name','equalto', item.1) |
+                                                      map(attribute='username') | unique,
+                                              'resource_type': user_direct_access_fact | selectattr('username', 'defined') |
+                                                               selectattr('name','equalto', item.0) | selectattr('resource_name','equalto', item.1) |
+                                                               map(attribute='resource_type') | unique,
+                                              'resource_name': item.1
+                                           }]
+      }}
+  when: user_direct_access_fact | selectattr('name','equalto', item.0) | selectattr('resource_name','equalto', item.1) | map(attribute='username') | length > 0
+  loop: "{{ user_roles | product(user_objects) | list }}"
+
+- name: "Create the output directory for user roles"
+  ansible.builtin.file:
+    path: "{{ output_path }}/user_roles"
+    state: directory
+    mode: '0755'
+  loop: "{{ user_roles_matrix }}"
+  loop_control:
+    loop_var: user_role
+
+- name: "Add current roles to the output yaml file"
+  ansible.builtin.template:
+    src: "templates/current_user_access_list.j2"
+    dest: "{{ output_path }}/user_roles/{{ user_role.resource_name | default('current') }}_roles_{{ user_role.role | regex_replace('/', '_') }}.yaml"
+    mode: '0644'
+  loop: "{{ user_roles_matrix }}"
+  loop_control:
+    loop_var: user_role
+...
diff --git a/roles/filetree_create/templates/current_schedules.j2 b/roles/filetree_create/templates/current_schedules.j2
@@ -6,7 +6,7 @@ controller_schedules:
 {% if current_schedules_asset_value.description is defined %}
     description: "{{ current_schedules_asset_value.description }}"
 {% endif %}
-    enabled: {{ current_schedules_asset_value.enabled }}
+    enabled: {{ schedule_target_status | default(current_schedules_asset_value.enabled) }}
     unified_job_template: "{{ current_schedules_asset_value.summary_fields.unified_job_template.name }}"
 {% if current_schedules_asset_value.summary_fields.inventory is defined %}
     inventory: "{{ current_schedules_asset_value.summary_fields.inventory.name }}"

@@ -0,0 +1,29 @@
+{% if first_team_role | default(true) | bool %}
+---
+controller_roles:
+{% endif %}
+    teams:
+{% for team in team_role.team %}
+      - "{{ team }}"
+{% endfor %}
+{% if team_role.resource_type[0] is match('organization') %}
+    organizations:
+      - "{{ team_role.resource_name }}"
+{% elif team_role.resource_type[0] is match('team') %}
+    target_teams:
+      - "{{ team_role.resource_name }}"
+{% elif team_role.resource_type[0] is match('job_template') %}
+    job_template: "{{ team_role.resource_name }}"
+{% elif team_role.resource_type[0] is match('inventory') %}
+    inventory: "{{ team_role.resource_name }}"
+{% elif team_role.resource_type[0] is match('workflow_job_template') %}
+    workflow: "{{ team_role.resource_name }}"
+{% elif team_role.resource_type[0] is match('project') %}
+    project: "{{ team_role.resource_name }}"
+{% elif team_role.resource_type[0] is match('credential') %}
+    credential: "{{ team_role.resource_name }}"
+{% endif %}
+    role: "{% if team_role.role | lower == 'approve' %}approval{% else %}{{ team_role.role | lower | regex_replace(' ', '_') }}{% endif %}"
+{% if last_team_role | default(true) | bool %}
+...
+{% endif %}
@@ -0,0 +1,29 @@
+{% if first_user_role | default(true) | bool %}
+---
+controller_roles:
+{% endif %}
+    users:
+{% for user in user_role.user %}
+      - "{{ user }}"
+{% endfor %}
+{% if user_role.resource_type[0] is match('organization') %}
+    organizations:
+      - "{{ user_role.resource_name }}"
+{% elif user_role.resource_type[0] is match('user') %}
+    target_users:
+      - "{{ user_role.resource_name }}"
+{% elif user_role.resource_type[0] is match('job_template') %}
+    job_template: "{{ user_role.resource_name }}"
+{% elif user_role.resource_type[0] is match('inventory') %}
+    inventory: "{{ user_role.resource_name }}"
+{% elif user_role.resource_type[0] is match('workflow_job_template') %}
+    workflow: "{{ user_role.resource_name }}"
+{% elif user_role.resource_type[0] is match('project') %}
+    project: "{{ user_role.resource_name }}"
+{% elif user_role.resource_type[0] is match('credential') %}
+    credential: "{{ user_role.resource_name }}"
+{% endif %}
+    role: "{% if user_role.role | lower == 'approve' %}approval{% else %}{{ user_role.role | lower | regex_replace(' ', '_') }}{% endif %}"
+{% if last_user_role | default(true) | bool %}
+...
+{% endif %}