
Merge pull request #3605 from kwoodson/oc_adm_policy_user_fix

Merged by openshift-bot
OpenShift Bot 8 years ago
parent
commit
2812718310

+ 36 - 8
roles/lib_openshift/library/oc_adm_policy_group.py

@@ -1908,6 +1908,28 @@ class PolicyGroup(OpenShiftCLI):
         self.verbose = verbose
         self._rolebinding = None
         self._scc = None
+        self._cluster_policy_bindings = None
+        self._policy_bindings = None
+
+    @property
+    def policybindings(self):
+        if self._policy_bindings is None:
+            results = self._get('clusterpolicybindings', None)
+            if results['returncode'] != 0:
+                raise OpenShiftCLIError('Could not retrieve policybindings')
+            self._policy_bindings = results['results'][0]['items'][0]
+
+        return self._policy_bindings
+
+    @property
+    def clusterpolicybindings(self):
+        if self._cluster_policy_bindings is None:
+            results = self._get('clusterpolicybindings', None)
+            if results['returncode'] != 0:
+                raise OpenShiftCLIError('Could not retrieve clusterpolicybindings')
+            self._cluster_policy_bindings = results['results'][0]['items'][0]
+
+        return self._cluster_policy_bindings
 
     @property
     def role_binding(self):
@@ -1948,18 +1970,24 @@ class PolicyGroup(OpenShiftCLI):
 
     def exists_role_binding(self):
         ''' return whether role_binding exists '''
-        results = self.get()
-        if results['returncode'] == 0:
-            self.role_binding = RoleBinding(results['results'][0])
-            if self.role_binding.find_group_name(self.config.config_options['group']['value']) != None:
-                return True
+        bindings = None
+        if self.config.config_options['resource_kind']['value'] == 'cluster-role':
+            bindings = self.clusterpolicybindings
+        else:
+            bindings = self.policybindings
 
+        if bindings is None:
             return False
 
-        elif self.config.config_options['name']['value'] in results['stderr'] and '" not found' in results['stderr']:
-            return False
+        for binding in bindings['roleBindings']:
+            _rb = binding['roleBinding']
+            if _rb['roleRef']['name'] == self.config.config_options['name']['value'] and \
+                    _rb['groupNames'] is not None and \
+                    self.config.config_options['group']['value'] in _rb['groupNames']:
+                self.role_binding = binding
+                return True
 
-        return results
+        return False
 
     def exists_scc(self):
         ''' return whether scc exists '''
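Review bot: The new `policybindings` getter queries `'clusterpolicybindings'`, the same resource the `clusterpolicybindings` getter fetches, even though its error text says policybindings; this looks like a copy-paste slip. As written, the `else` branch of `exists_role_binding` answers a namespaced role question from cluster-scoped bindings. A group that holds the cluster role of the same name would then be reported as already bound locally, and the caller (outside this hunk) would presumably skip the grant. The call should presumably read `results = self._get('policybindings', None)`. The same line appears in `library/oc_adm_policy_user.py` and in both `src/class/` files.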

+ 42 - 19
roles/lib_openshift/library/oc_adm_policy_user.py

@@ -1907,6 +1907,28 @@ class PolicyUser(OpenShiftCLI):
         self.verbose = verbose
         self._rolebinding = None
         self._scc = None
+        self._cluster_policy_bindings = None
+        self._policy_bindings = None
+
+    @property
+    def policybindings(self):
+        if self._policy_bindings is None:
+            results = self._get('clusterpolicybindings', None)
+            if results['returncode'] != 0:
+                raise OpenShiftCLIError('Could not retrieve policybindings')
+            self._policy_bindings = results['results'][0]['items'][0]
+
+        return self._policy_bindings
+
+    @property
+    def clusterpolicybindings(self):
+        if self._cluster_policy_bindings is None:
+            results = self._get('clusterpolicybindings', None)
+            if results['returncode'] != 0:
+                raise OpenShiftCLIError('Could not retrieve clusterpolicybindings')
+            self._cluster_policy_bindings = results['results'][0]['items'][0]
+
+        return self._cluster_policy_bindings
 
     @property
     def role_binding(self):
@@ -1929,36 +1951,37 @@ class PolicyUser(OpenShiftCLI):
         self._scc = scc
 
     def get(self):
-        '''fetch the desired kind'''
+        '''fetch the desired kind
+
+           This is only used for scc objects.
+           The {cluster}rolebindings happen in exists.
+        '''
         resource_name = self.config.config_options['name']['value']
         if resource_name == 'cluster-reader':
             resource_name += 's'
 
-        # oc adm policy add-... creates policy bindings with the name
-        # "[resource_name]-binding", however some bindings in the system
-        # simply use "[resource_name]". So try both.
-
-        results = self._get(self.config.kind, resource_name)
-        if results['returncode'] == 0:
-            return results
-
-        # Now try -binding naming convention
-        return self._get(self.config.kind, resource_name + "-binding")
+        return self._get(self.config.kind, resource_name)
 
     def exists_role_binding(self):
         ''' return whether role_binding exists '''
-        results = self.get()
-        if results['returncode'] == 0:
-            self.role_binding = RoleBinding(results['results'][0])
-            if self.role_binding.find_user_name(self.config.config_options['user']['value']) != None:
-                return True
+        bindings = None
+        if self.config.config_options['resource_kind']['value'] == 'cluster-role':
+            bindings = self.clusterpolicybindings
+        else:
+            bindings = self.policybindings
 
+        if bindings is None:
             return False
 
-        elif self.config.config_options['name']['value'] in results['stderr'] and '" not found' in results['stderr']:
-            return False
+        for binding in bindings['roleBindings']:
+            _rb = binding['roleBinding']
+            if _rb['roleRef']['name'] == self.config.config_options['name']['value'] and \
+                    _rb['userNames'] is not None and \
+                    self.config.config_options['user']['value'] in _rb['userNames']:
+                self.role_binding = binding
+                return True
 
-        return results
+        return False
 
     def exists_scc(self):
         ''' return whether scc exists '''
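Review bot: `results['results'][0]['items'][0]` in both getters takes the first item without checking that any were returned, so an empty `items` list surfaces as an IndexError rather than the `OpenShiftCLIError` raised just above it. Nothing visible here ever leaves the property returning None, so the `if bindings is None` guard in `exists_role_binding` looks unreachable. Reading the list first, `items = results['results'][0]['items']` followed by `self._policy_bindings = items[0] if items else None`, would make that guard meaningful. Only the first item is ever inspected; if more than one binding object can come back, the later ones are ignored, which is worth confirming. The same pattern is in the three sibling files.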

File diff suppressed because it is too large
+ 2562 - 0
roles/lib_openshift/library/oc_adm_registry.py.bak
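Review bot: `oc_adm_registry.py.bak` here and `oc_adm_registry.py.good` in the next section (+2562 and +2601 lines, diffs suppressed) look like working copies swept into the merge rather than part of the policy fix. Their content is not shown, so this is inferred from the names alone. Unmaintained duplicates of a module that drives cluster administration drift from the real file and make later audits and greps ambiguous about which copy is authoritative. If they are not intentional, drop them from the commit and ignore `*.bak` / `*.good` in the repository.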


File diff suppressed because it is too large
+ 2601 - 0
roles/lib_openshift/library/oc_adm_registry.py.good


+ 36 - 8
roles/lib_openshift/src/class/oc_adm_policy_group.py

@@ -41,6 +41,28 @@ class PolicyGroup(OpenShiftCLI):
         self.verbose = verbose
         self._rolebinding = None
         self._scc = None
+        self._cluster_policy_bindings = None
+        self._policy_bindings = None
+
+    @property
+    def policybindings(self):
+        if self._policy_bindings is None:
+            results = self._get('clusterpolicybindings', None)
+            if results['returncode'] != 0:
+                raise OpenShiftCLIError('Could not retrieve policybindings')
+            self._policy_bindings = results['results'][0]['items'][0]
+
+        return self._policy_bindings
+
+    @property
+    def clusterpolicybindings(self):
+        if self._cluster_policy_bindings is None:
+            results = self._get('clusterpolicybindings', None)
+            if results['returncode'] != 0:
+                raise OpenShiftCLIError('Could not retrieve clusterpolicybindings')
+            self._cluster_policy_bindings = results['results'][0]['items'][0]
+
+        return self._cluster_policy_bindings
 
     @property
     def role_binding(self):
@@ -81,18 +103,24 @@ class PolicyGroup(OpenShiftCLI):
 
     def exists_role_binding(self):
         ''' return whether role_binding exists '''
-        results = self.get()
-        if results['returncode'] == 0:
-            self.role_binding = RoleBinding(results['results'][0])
-            if self.role_binding.find_group_name(self.config.config_options['group']['value']) != None:
-                return True
+        bindings = None
+        if self.config.config_options['resource_kind']['value'] == 'cluster-role':
+            bindings = self.clusterpolicybindings
+        else:
+            bindings = self.policybindings
 
+        if bindings is None:
             return False
 
-        elif self.config.config_options['name']['value'] in results['stderr'] and '" not found' in results['stderr']:
-            return False
+        for binding in bindings['roleBindings']:
+            _rb = binding['roleBinding']
+            if _rb['roleRef']['name'] == self.config.config_options['name']['value'] and \
+                    _rb['groupNames'] is not None and \
+                    self.config.config_options['group']['value'] in _rb['groupNames']:
+                self.role_binding = binding
+                return True
 
-        return results
+        return False
 
     def exists_scc(self):
         ''' return whether scc exists '''
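Review bot: `self.role_binding = binding` now stores the raw dict taken from `bindings['roleBindings']` (the wrapper that holds the `roleBinding` key), where the removed code stored a `RoleBinding` object. The `role_binding` setter and its consumers are outside this hunk, so any caller that still invokes `RoleBinding` methods on the attribute would fail at runtime. If the wrapper type is still expected, `self.role_binding = RoleBinding(_rb)` keeps it. `src/class/oc_adm_policy_user.py` and both `library/` files make the same assignment.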

+ 42 - 19
roles/lib_openshift/src/class/oc_adm_policy_user.py

@@ -40,6 +40,28 @@ class PolicyUser(OpenShiftCLI):
         self.verbose = verbose
         self._rolebinding = None
         self._scc = None
+        self._cluster_policy_bindings = None
+        self._policy_bindings = None
+
+    @property
+    def policybindings(self):
+        if self._policy_bindings is None:
+            results = self._get('clusterpolicybindings', None)
+            if results['returncode'] != 0:
+                raise OpenShiftCLIError('Could not retrieve policybindings')
+            self._policy_bindings = results['results'][0]['items'][0]
+
+        return self._policy_bindings
+
+    @property
+    def clusterpolicybindings(self):
+        if self._cluster_policy_bindings is None:
+            results = self._get('clusterpolicybindings', None)
+            if results['returncode'] != 0:
+                raise OpenShiftCLIError('Could not retrieve clusterpolicybindings')
+            self._cluster_policy_bindings = results['results'][0]['items'][0]
+
+        return self._cluster_policy_bindings
 
     @property
     def role_binding(self):
@@ -62,36 +84,37 @@ class PolicyUser(OpenShiftCLI):
         self._scc = scc
 
     def get(self):
-        '''fetch the desired kind'''
+        '''fetch the desired kind
+
+           This is only used for scc objects.
+           The {cluster}rolebindings happen in exists.
+        '''
         resource_name = self.config.config_options['name']['value']
         if resource_name == 'cluster-reader':
             resource_name += 's'
 
-        # oc adm policy add-... creates policy bindings with the name
-        # "[resource_name]-binding", however some bindings in the system
-        # simply use "[resource_name]". So try both.
-
-        results = self._get(self.config.kind, resource_name)
-        if results['returncode'] == 0:
-            return results
-
-        # Now try -binding naming convention
-        return self._get(self.config.kind, resource_name + "-binding")
+        return self._get(self.config.kind, resource_name)
 
     def exists_role_binding(self):
         ''' return whether role_binding exists '''
-        results = self.get()
-        if results['returncode'] == 0:
-            self.role_binding = RoleBinding(results['results'][0])
-            if self.role_binding.find_user_name(self.config.config_options['user']['value']) != None:
-                return True
+        bindings = None
+        if self.config.config_options['resource_kind']['value'] == 'cluster-role':
+            bindings = self.clusterpolicybindings
+        else:
+            bindings = self.policybindings
 
+        if bindings is None:
             return False
 
-        elif self.config.config_options['name']['value'] in results['stderr'] and '" not found' in results['stderr']:
-            return False
+        for binding in bindings['roleBindings']:
+            _rb = binding['roleBinding']
+            if _rb['roleRef']['name'] == self.config.config_options['name']['value'] and \
+                    _rb['userNames'] is not None and \
+                    self.config.config_options['user']['value'] in _rb['userNames']:
+                self.role_binding = binding
+                return True
 
-        return results
+        return False
 
     def exists_scc(self):
         ''' return whether scc exists '''
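Review bot: The two new properties carry no docstring, unlike the other methods in these hunks, and they cache the first response on the instance for its whole lifetime. Code that changes a binding and then calls `exists_role_binding()` on the same object would be answered from the pre-change snapshot; whether any caller does that is outside these hunks. A docstring such as `''' return the cached policybindings, fetched once per instance '''` on each getter would make the caching explicit. Resetting `self._policy_bindings` and `self._cluster_policy_bindings` to `None` after a mutating call would keep the check honest.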