# Copyright:: Copyright (c) 2018 eGlobalTech, Inc., all rights reserved
#
# Licensed under the BSD-3 license (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License in the root of the project or at
#
# http://egt-labs.com/mu/LICENSE.html
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module MU
class Cloud
class Azure
# A user as configured in {MU::Config::BasketofKittens::roles}
class Role < MU::Cloud::Role
# Initialize this cloud resource object. Calling +super+ will invoke the initializer defined under {MU::Cloud}, which should set the attribtues listed in {MU::Cloud::PUBLIC_ATTRS} as well as applicable dependency shortcuts, like @vpc, for us.
# @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
def initialize(**args)
super
if !mu_name.nil?
@mu_name = mu_name
@cloud_id = Id.new(cloud_desc.id) if @cloud_id
else
@mu_name ||= @deploy.getResourceName(@config["name"], max_length: 31)
end
end
# Called automatically by {MU::Deploy#createResources}
def create
end
# Called automatically by {MU::Deploy#createResources}
def groom
end
# Return the metadata for this user configuration
# @return [Hash]
def notify
description = MU.structToHash(cloud_desc)
if description
description.delete(:etag)
return description
end
{
}
end
# Does this resource type exist as a global (cloud-wide) artifact, or
# is it localized to a region/zone?
# @return [Boolean]
def self.isGlobal?
false
end
# Denote whether this resource implementation is experiment, ready for
# testing, or ready for production use.
def self.quality
MU::Cloud::ALPHA
end
# Assign this role object to a given principal (create a RoleAssignment)
# @param principal_id [MU::Cloud::Azure::Id]
def assignTo(principal_id)
MU::Cloud::Azure::Role.assignTo(principal_id, role_id: @cloud_id)
end
# Assign a role to a particular principal (create a RoleAssignment). We
# support multiple ways of referring to a role
# @param principal [MU::Cloud::Azure::Id]
def self.assignTo(principal, role_name: nil, role_id: nil, credentials: nil)
# XXX subscription might need extraction
if !role_name and !role_id
raise MuError, "Role.assignTo requries one of role_name, role_id, or permissions in order to look up roles for association"
end
existing = MU::Cloud::Azure.authorization(credentials: credentials).role_assignments.list()
roles = MU::Cloud::Azure::Role.find(cloud_id: role_id, role_name: role_name, credentials: credentials)
role = roles.values.first # XXX handle failures and multiples
assign_obj = MU::Cloud::Azure.authorization(:RoleAssignmentCreateParameters, model_version: "V2018_09_01_preview").new
assign_obj.principal_id = principal
assign_obj.principal_type = "ServicePrincipal"
assign_obj.role_definition_id = role.id
# TODO this should defintiely be configurable, and for most Mu
# deploy resources will be scoped to the resource group level
scope = "/subscriptions/"+MU::Cloud::Azure.default_subscription(credentials)
role_name = begin
role.role_name
rescue NoMethodError
role.properties.role_name
end
used_ids = []
existing.each { |ext_assignment|
used_ids << ext_assignment.name
if ext_assignment.role_definition_id == role.id and
ext_assignment.scope == scope and
ext_assignment.principal_id == principal
return
end
}
guid = nil
begin
guid = MU::Cloud::Azure.genGUID
end while used_ids.include?(guid)
MU.log "Assigning role '#{role_name}' to principal #{principal}", details: assign_obj
MU::Cloud::Azure.authorization(credentials: credentials).role_assignments.create(
scope,
guid,
assign_obj
)
end
@@role_list_cache = {}
@@role_list_semaphore = Mutex.new
# Locate and return cloud provider descriptors of this resource type
# which match the provided parameters, or all visible resources if no
# filters are specified. At minimum, implementations of +find+ must
# honor +credentials+ and +cloud_id+ arguments. We may optionally
# support other search methods, such as +tag_key+ and +tag_value+, or
# cloud-specific arguments like +project+. See also {MU::MommaCat.findStray}.
# @param args [Hash]: Hash of named arguments passed via Ruby's double-splat
# @return [Hash]: The cloud provider's complete descriptions of matching resources
def self.find(**args)
found = {}
sub_id = MU::Cloud::Azure.default_subscription(args[:credentials])
scope = "/subscriptions/"+sub_id
if args[:cloud_id]
id_str = args[:cloud_id].is_a?(MU::Cloud::Azure::Id) ? args[:cloud_id].name : args[:cloud_id]
begin
resp = MU::Cloud::Azure.authorization(credentials: args[:credentials]).role_definitions.get(scope, id_str)
found[Id.new(resp.id)] = resp
rescue MsRestAzure::AzureOperationError
# this is fine, we're doing a blind search after all
end
else
@@role_list_semaphore.synchronize {
if !@@role_list_cache[scope]
@@role_list_cache[scope] = Hash[MU::Cloud::Azure.authorization(credentials: args[:credentials]).role_definitions.list(scope).map { |r| [Id.new(r.id), r] }]
end
}
if args[:role_name]
@@role_list_cache[scope].values.each { |role|
begin
if role.role_name == args[:role_name]
found[Id.new(role.id)] = role
break
end
rescue NoMethodError
if role.properties.role_name == args[:role_name]
found[Id.new(role.id)] = role
break
end
end
}
else
found = @@role_list_cache[scope].dup
end
end
found
end
# Stub method. Azure resources are cleaned up by removing the parent
# resource group.
# @return [void]
def self.cleanup(**args)
end
# Cloud-specific configuration properties.
# @param _config [MU::Config]: The calling MU::Config object
# @return [Array]: List of required fields, and json-schema Hash of cloud-specific configuration parameters for this resource
def self.schema(_config)
toplevel_required = []
schema = {
}
[toplevel_required, schema]
end
# Cloud-specific pre-processing of {MU::Config::BasketofKittens::roles}, bare and unvalidated.
# @param role [Hash]: The resource to process and validate
# @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member
# @return [Boolean]: True if validation succeeded, False otherwise
def self.validateConfig(role, _configurator)
ok = true
role['region'] ||= MU::Cloud::Azure.myRegion(role['credentials'])
ok
end
end
end
end
end