finallycoffee/proxmox
finallycoffee/proxmox
5
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

chore: WIP

Browse Source
This commit is contained in:
transcaffeine 2022-08-14 15:54:01 +02:00
parent eade48f914
commit 5e51eaf9f3
Signed by: transcaffeine
GPG Key ID: 03624C433676E465
5 changed files with 471 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
plugins/module_utils/proxmox_datacenter_acl.py Normal file
View File

@ -0,0 +1,77 @@
import dataclasses
from dataclasses import dataclass, field
from typing import List, Tuple
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import _proxmox_request, ProxmoxAuthInfo
@dataclass(frozen=True)
class ProxmoxACL:
path: str
role: str
propagate: bool = True
user: str = None
group: str = None
token: str = None
def get_acls(auth_info: ProxmoxAuthInfo) -> List['ProxmoxACL']:
acl_answer = _proxmox_request('get', '/access/acl', auth_info).json()
return list(map(
lambda r: ProxmoxACL(r['path'], r['roleid'], r['propagate'],
(r['ugid'] if (r['type'] == 'user') else None),
(r['ugid'] if (r['type'] == 'group') else None),
(r['ugid'] if (r['type'] == 'token') else None)),
acl_answer['data']
))
def set_acl(auth_info: ProxmoxAuthInfo, acl: ProxmoxACL, dry_run: bool, state: str = 'present') -> Tuple[dict, dict]:
existing_acls = get_acls(auth_info)
# find existing acl matching the specified one
try:
existing_acl = [x for x in existing_acls if x == acl][0]
except:
existing_acl = None
if state == 'present':
acl_spec = _acl_to_dict(acl) | {
'propagate': acl.propagate
}
if not dry_run:
acl_res = _proxmox_request('put', f"/access/acl", auth_info, data=acl_spec)
acl_res.raise_for_status()
if acl_res.ok and acl_res.json()['success'] == 1:
new_acl = acl
else:
new_acl = acl
elif state == 'exact':
# Also match on propagate and remove ACLs which match in all fields except propagation
pass
else:
# ACL to be removed
if not dry_run:
acl_spec = _acl_to_dict(acl) | {
'delete': 1
}
acl_res = _proxmox_request('put', '/access/acl', auth_info, data=acl_spec)
acl_res.raise_for_status()
if acl_res.ok:
new_acl = None
else:
new_acl = None
return dataclasses.asdict(existing_acl) if existing_acl else None, dataclasses.asdict(new_acl) if new_acl else None
def _acl_to_dict(acl: ProxmoxACL) -> dict:
acl_spec = {
'path': acl.path,
'roles': acl.role,
}
if acl.user:
acl_spec['users'] = acl.user
if acl.group:
acl_spec['groups'] = acl.group
if acl.token:
acl_spec['tokens'] = acl.token
return acl_spec

19
plugins/module_utils/proxmox_datacenter_group.py Normal file
View File

@ -0,0 +1,19 @@
from dataclasses import dataclass, field
from typing import List, Tuple
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import _proxmox_request, ProxmoxAuthInfo
@dataclass(frozen=True)
class ProxmoxGroup:
name: str
members: List = field(default_factory=lambda: [])
comment: str = None
def get_groups(auth_info: ProxmoxAuthInfo) -> List['ProxmoxGroups']:
group_answer = _proxmox_request('get', '/access/groups', auth_info).json()
return list(map(
lambda r: ProxmoxGroup(r['groupid'], r['users'].split(','), r.get('comment', '')),
group_answer['data']
))

63
plugins/module_utils/proxmox_datacenter_role.py Normal file
View File

@ -0,0 +1,63 @@
from dataclasses import dataclass, field
from typing import List, Tuple
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import _proxmox_request, ProxmoxAuthInfo
@dataclass(frozen=True)
class ProxmoxRole:
name: str
privileges: List = field(default_factory=lambda: [])
built_in: bool = False
def get_roles(auth_info: ProxmoxAuthInfo) -> List['ProxmoxRoles']:
role_answer = _proxmox_request('get', '/access/roles', auth_info).json()
return list(map(
lambda r: ProxmoxRole(r['roleid'], r['privs'].split(','), bool(r.get('special', False)) is True),
role_answer['data']
))
def set_role_data(auth_info: ProxmoxAuthInfo, role: str, privileges: list[str], dry_run: bool, state: str = 'present') -> Tuple[dict, dict]:
existing_role = _proxmox_request('get', f"/access/roles/{role}", auth_info)
existing_role_data = existing_role.json()['data']
new_role_data = ''
if state == 'present' or state == 'exact':
if existing_role.ok:
# When state is present, we only append all listed privs to existing roles,
# otherwise we set the role's permission list directly
changeset = {
'privs': ','.join(privileges),
'append': False if (state == 'exact') else True
}
if not dry_run:
role_res = _proxmox_request('put', f"/access/roles/{role}", auth_info, data=changeset)
role_res.raise_for_status()
else:
# For new roles, state being exact or present is the same thing
if not dry_run:
role_res = _proxmox_request('post', '/access/roles', auth_info, data=({
'roleId': role,
'privs': ','.join(privileges)
}))
role_res.raise_for_status()
if not dry_run:
if role_res.ok:
new_role_data = _proxmox_request('get', f"/access/roles/{role}", auth_info).json()['data']
else:
new_role_data = {'role': role, 'privs': privileges}
else:
if existing_role.ok:
existing_role_data = existing_role.json()['data']
if not dry_run:
role_res = _proxmox_request('delete', f"/access/role/{role}", auth_info)
role_res.raise_for_status()
if role_res.ok:
new_role_data = None
else:
new_role_data = None
else:
new_role_data = None
return existing_role_data, new_role_data

185
plugins/modules/acl.py Normal file
View File

@ -0,0 +1,185 @@
#!/usr/bin/python
# coding: utf-8
# (c) 2022, Johanna Dorothea Reichmann <transcaffeine@finally.coffee>
__metaclass__ = type
import traceback
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import *
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.proxmox_datacenter_acl import *
LIB_IMP_ERR = None
try:
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.proxmox_datacenter_acl import set_acl
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.proxmox_datacenter_acl import ProxmoxACL
HAS_LIB = True
except:
HAS_LIB = False
LIB_IMP_ERR = traceback.format_exc()
DOCUMENTATION = r'''
---
module: acl
author:
- Johanna Dorothea Reichmann (transcaffeine@finally.coffee)
requirements:
- python >= 3.9
short_description: Configures an access control list in a proxmox node
description:
- "Configue access control lists in a proxmox instance"
options:
proxmox_instance:
description: Location of the proxmox API with scheme, domain name/ip and port, e.g. https://localhost:8006
type: str
required: true
proxmox_api_token_id:
description: The token ID containing username, realm and token name (format: user@realm!name)
type: str
required: true
proxmox_api_secret:
description: The secret
type: str
required: true
proxmox_api_verify_cert:
description: If the certificate presented for `proxmox_instance_url` should be verified
type: bool
required: false
default: true
path:
description: Path to which access should be granted. Must be a valid proxmox access control path
type: str
required: true
role:
description: The role which the user/group/token should be added to when they match the ACL
type: str
required: true
group:
description: The group to match on the ACL. Must be a valid proxmox group id
type: str
required: false
user:
description: The user to match on the ACL. Must be a valid proxmox user id
type: str
required: false
token:
description: The token to match on the ACL. Must be a valid proxmox token id
type: str
required: false
propagate:
description: Wether to allow inheriting permissions or not.
type: bool
default: true
required: false
state:
description: >-
If the access control list should be present, absent or exact. When state is exact,
the value of `propagate` is also considered, and if an existing access control rule is found
which only differs in the value of `propagate`, the old rule is removed by the module,
essentially replacing it.
type: str
choices: [present, exact, absent]
default: present
required: false
'''
EXAMPLES = r'''
- name: Configure an admin group from LDAP as proxmox global admins
finallycoffee.proxmox.acl:
proxmox_instance: https://my.proxmox-node.local:8006
promox_api_token_id: root@pam!token
proxmox_api_secret: supersecuretokencontent
path: /
roles: Administrator
groups: proxmox-admins-openldap
propagate: true
state: present
- name: Configure an LDAP user to use their own VM
finallycoffee.proxmox.realm:
proxmox_instance: https://my.proxmox-node.local:8006
promox_api_token_id: root@pam!token
proxmox_api_secret: supersecuretokencontent
path: /vms/1000
roles: PVEVMUser
groups: myusername-openldap
state: present
'''
RETURN = r'''
acl:
description: The updated/created access control list
returned: always
type: complex
'''
def main():
_ = dict
module = AnsibleModule(
argument_spec=_(
proxmox_instance=_(required=True, type='str'),
proxmox_api_token_id=_(required=True, type='str'),
proxmox_api_secret=_(type='str', required=True, no_log=True),
proxmox_api_verify_cert=_(type='bool', required=False, default=True),
path=_(required=True, type='str'),
role=_(required=True, type='str'),
group=_(required=False, type='str'),
user=_(required=False, type='str'),
token=_(required=False, type='str'),
propagate=_(required=False, default=True, type='bool'),
state=_(type='str', required=False, default='present', choices=['present', 'exact', 'absent'])
),
supports_check_mode=True
)
result = _(
changed=False,
diff={},
message=''
)
realms = []
try:
acl_spec = ProxmoxACL(
module.params['path'],
module.params['role'],
module.params['propagate'],
module.params.get('user', None),
module.params.get('group', None),
module.params.get('token', None),
)
acl_change = set_acl(ProxmoxAuthInfo(
module.params['proxmox_instance'],
module.params['proxmox_api_token_id'],
module.params['proxmox_api_secret'],
module.params['proxmox_api_verify_cert'],
),
acl_spec,
module.check_mode,
module.params['state'])
except IOError as owie:
result['msg'] = owie
module.exit_json(**result)
diff_excluded_keys = []
result['acl'] = acl_change[1]
result['diff'] = {
'before_header': f"{acl_change[0].get('role', module.params['role'])}@{acl_change[0].get('path', module.params['path'])}" if acl_change[0] else acl_change[0],
'after_header': f"{acl_change[1].get('role', module.params['role'])}@{acl_change[1].get('path', module.params['path'])}" if acl_change[1] else acl_change[1],
'before': {k: v for k, v in acl_change[0].items() if k not in diff_excluded_keys} if acl_change[0] else acl_change[0],
'after': {k: v for k, v in acl_change[1].items() if k not in diff_excluded_keys} if acl_change[1] else acl_change[1],
}
# TODO: Needs special handling for state=exact
result['changed'] = acl_change[0] != acl_change[1]
module.exit_json(**result)
if __name__ == '__main__':
main()

127
plugins/modules/role_info.py Normal file
View File

@ -0,0 +1,127 @@
#!/usr/bin/python
# coding: utf-8
# (c) 2022, Johanna Dorothea Reichmann <transcaffeine@finally.coffee>
__metaclass__ = type
import dataclasses
import traceback
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import *
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.proxmox_datacenter_role import *
DOCUMENTATION = r'''
---
module: role_info
author:
- Johanna Dorothea Reichmann (transcaffeine@finally.coffee)
requirements:
- python >= 3.9
short_description: Get configured and builtin roles of a proxmox node
description:
- "Lists all configured roles in a proxmox instance"
options:
proxmox_instance:
description: Location of the proxmox API with scheme, domain name/ip and port, e.g. https://localhost:8006
type: str
required: true
proxmox_api_token_id:
description: The token ID containing username, realm and token name (format: user@realm!name)
type: str
required: true
proxmox_api_secret:
description: The secret
type: str
required: true
proxmox_api_verify_cert:
description: If the certificate presented for `proxmox_instance_url` should be verified
type: bool
required: false
default: true
role:
description: Role to retrieve information about. If left omitted, return all roles
type: str
required: false
'''
EXAMPLES = r'''
- name: Retrieve all roles
finallycoffee.proxmox.role_info:
proxmox_instance: https://my.proxmox-node.local:8006
promox_api_token_id: root@pam!token
proxmox_api_secret: supersecuretokencontent
- name: Retrieve role information for 'PVEAdmin'
finallycoffee.proxmox.role_info:
proxmox_instance: https://my.proxmox-node.local:8006
promox_api_token_id: root@pam!token
proxmox_api_secret: supersecuretokencontent
role: PVEAdmin
'''
RETURN = r'''
roles:
description: The retrieved roles
returned: When roles were found (matching the filter)
type: list
elements: dict[str, dict[str], bool]
role:
description: The role's name (`.name`) and privileges (`.privileges`)
returned: When a single role was queried
type: dict[str, list[str]]
'''
def main():
_ = dict
module = AnsibleModule(
argument_spec=_(
proxmox_instance=_(required=True, type='str'),
proxmox_api_token_id=_(required=True, type='str'),
proxmox_api_secret=_(type='str', required=True, no_log=True),
proxmox_api_verify_cert=_(type='bool', required=False, default=True),
role=_(required=False, type='str'),
),
supports_check_mode=True
)
result = _(
changed=False,
diff={},
message=''
)
roles = []
try:
roles = get_roles(ProxmoxAuthInfo(
module.params['proxmox_instance'],
module.params['proxmox_api_token_id'],
module.params['proxmox_api_secret'],
module.params['proxmox_api_verify_cert'],
))
except IOError as owie:
result['msg'] = owie
module.exit_json(**result)
result['roles'] = list(
map(lambda r: dataclasses.asdict(r),
filter(lambda r: r.name == module.params['role']
if module.params['role'] is not None
else True,
roles)
)
)
if module.params['role'] is not None:
result['role'] = dataclasses.asdict(
list(filter(lambda r: r.name == module.params['role'], roles))[0]
)
module.exit_json(**result)
if __name__ == '__main__':
main()