Update API users creation as an Ansible task

bedfd63d · bow · cd29f35f · bedfd63d · bedfd63d · bedfd63d
Commit bedfd63d authored Jan 25, 2016 by bow
--- a/deployment/ansible-role-mongodb/defaults/main.yml
+++ b/deployment/ansible-role-mongodb/defaults/main.yml
@@ -9,6 +9,8 @@ mongodb_user_admin_password: userAdmin

 mongodb_users: []

+mongodb_sentinel_users: []
+
 ## System options ##
 # MongoDB package name (mongodb-org for vendor, mongodb for apt)
 mongodb_package: mongodb-org

--- a/deployment/ansible-role-mongodb/files/dbIndexSetup.js
+++ b/deployment/ansible-role-mongodb/files/dbIndexSetup.js
@@ -59,23 +59,3 @@ if (missingIndex(db.references.getIndexes(), refIndex)) {
  db.references.createIndex(refIndex, {"unique": true});
  print("index created: reference");
 }
-
-// NOTE: must be kept in sync with User in the source code
-// TODO: store this in as ansible variables
-var devUser = {
-    id: "dev",
-    email: "dev@sentinel.org",
-    // log2 10 hashing round of `dev`
-    hashedPassword: "$2a$10$dNNzi9ieIj1Lk/ED184tPOHJeYDCIc/9bvCJUggC8Gl.4d4pEsdn6",
-    activeKey: "dev",
-    verified: true,
-    isAdmin: true,
-    creationTimeUtc: new Date()
-}
-var query = Object.assign({}, devUser);
-delete query.creationTimeUtc;
-var existingUserCount = db.users.find(query).count();
-if (existingUserCount === 0) {
-  print("user added: dev");
-  db.users.insert(devUser);
-}
--- a/deployment/ansible-role-mongodb/tasks/config_db.yml
+++ b/deployment/ansible-role-mongodb/tasks/config_db.yml
@@ -9,3 +9,25 @@
  when: mongodb_js_index_script is defined
  register: js_index_script
  changed_when: js_index_script.stdout != ""
+
+- name: check if api users exist
+  shell: "/usr/bin/mongo --quiet -u {{ mongodb_root_name }} -p {{ mongodb_root_password }} --authenticationDatabase admin --eval \"db.users.find({id: '{{ item.id }}'}).count()\" sentinel || true"
+  register: api_users_exist
+  changed_when: api_users_exist.stdout != "1" or api_users_exist.rc != 0
+  with_items:
+    - "{{ mongodb_sentinel_users }}"
+  when: mongodb_sentinel_users is defined and mongodb_sentinel_users
+
+- name: copy users config script if required
+  template: src=sentinelUsersSetup.js.j2 dest={{ mongodb_misc_dir }}/sentinelUsersSetup.js owner={{ mongodb_user }} group={{ mongodb_user }} mode=0600
+  when: api_users_exist|changed
+
+- name: run api users config script if required
+  shell: /usr/bin/mongo --quiet 127.0.0.1:27017/sentinel {{ mongodb_misc_dir }}/sentinelUsersSetup.js -u {{ mongodb_root_name }} -p {{ mongodb_root_password }} --authenticationDatabase admin
+  register: api_users
+  changed_when: api_users.stdout != ""
+  when: api_users_exist|changed
+
+- name: remove api users config script if present
+  file: path={{ mongodb_misc_dir }}/sentinelUsersSetup.js state=absent
+  when: api_users_exist|changed
--- a/deployment/ansible-role-mongodb/templates/sentinelUsersSetup.js.j2
+++ b/deployment/ansible-role-mongodb/templates/sentinelUsersSetup.js.j2
+// {{ ansible_managed }}
+
+// NOTE: must be kept in sync with User in the source code
+
+var addUserIfNotExist = function(user) {
+  var query = Object.assign({}, user);
+  delete query.creationTimeUtc;
+  delete query.hashedPassword;
+  var existingUserCount = db.users.find(query).count();
+  if (existingUserCount === 0) {
+    db.users.insert(user);
+    print("user added: ".concat(user.id));
+  }
+}
+
+var users = [
+{% for user in mongodb_sentinel_users %}
+  {
+    id: "{{ user.id }}",
+    email: "{{ user.email }}",
+    hashedPassword: "{{ user.hashed_password }}",
+    activeKey: "{{ user.active_key }}",
+    verified: {{ user.verified|to_nice_json }},
+    isAdmin: {{ user.is_admin|to_nice_json }},
+    creationTimeUtc: new Date()
+  }{% if not loop.last %},{% endif %}
+{% endfor %}
+];
+
+users.forEach(addUserIfNotExist);
--- a/deployment/ansible-role-sentinel/filter_plugins/custom.py
+++ b/deployment/ansible-role-sentinel/filter_plugins/custom.py
+# Custom Ansible filter plugin for Sentinel deployment.
+#
+# This file is part of Sentinel.
+#
+# Copyright (c) 2015 Leiden University Medical Center and contributors
+#                    (see AUTHORS.md file for details).
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from passlib.hash import bcrypt
+
+
+def hashpw(string, rounds=10):
+    """Encrypts the given string using bcrypt, with 10 rounds by default."""
+    return bcrypt.encrypt(string, rounds=rounds)
+
+
+class FilterModule(object):
+
+    """Custom Sentinel Jinja2 filter plugin."""
+
+    def filters(self):
+        """Exposes the custom filters to the Jinja2 environment."""
+        return {'hashpw': hashpw}
--- a/deployment/ansible-role-sentinel/vars/main.yml
+++ b/deployment/ansible-role-sentinel/vars/main.yml
@@ -13,3 +13,13 @@ mongodb_users:
    name: "{{ mongodb_user_sentinel_name }}"
    password: "{{ mongodb_user_sentinel_password }}"
    roles: readWrite
+
+# Sentinel API admin user. #
+mongodb_sentinel_users:
+  # The default admin user
+  - id: dev
+    email: dev@sentinel.dev
+    hashed_password: "{{ 'dev'|hashpw }}"
+    active_key: dev
+    verified: yes
+    is_admin: yes
--- a/requirements-deploy.txt
+++ b/requirements-deploy.txt
 ansible==2.0.0.2
+bcrypt==2.0.0
+passlib==1.6.5