From d58fd11546cd378ff4eba6227adc10f8c06c386a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@fretlink.com>
Date: Fri, 25 Feb 2022 18:14:29 +0100
Subject: Add an option to remove existing keys that are not declared in
 ansible

---
 README.md           |  4 ++++
 defaults/main.yml   |  1 +
 dhall/package.dhall |  2 ++
 files/fetch_keys.sh | 22 ++++++++++++++++++++++
 tasks/key.yml       | 30 ++++++++++++++++++++++++++++++
 tasks/keys.yml      | 43 ++++++++++++++++++++++---------------------
 tasks/main.yml      |  3 +--
 7 files changed, 82 insertions(+), 23 deletions(-)
 create mode 100755 files/fetch_keys.sh
 create mode 100644 tasks/key.yml

diff --git a/README.md b/README.md
index 8a5f903..9962610 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,10 @@ Role Variables
 * `rundeck_remove_missing` Whether to delete jobs present in rundeck and not in file. Defaults to true.
 * `rundeck_jobs_group` the group of job to check for removal
 * `rundeck_ignore_creation_errors` whether to ignore job creation error. Default to true to follow the 200 status given by rundeck API
+* `rundeck_jobs_keys` a list of keys to import in rundeck. Each key is a dict with a `path`, a `value` and a `type` as declared in [https://docs.rundeck.com/3.0.x/api/index.html#upload-keys]().
+* `rundeck_keys_scoped_by_project` scope each key by project (In a project/ProjectName subdirectory)
+* `rundeck_keys_scoped_by_group` scope each key by group. Defaults to true if the group is defined, false otherwise
+* `rundeck_remove_missing_keys` remove keys that are not declared in ansible (possibly restrained to the scope defined above)
 
 A [dhall](https://dhall-lang.org/) Type representing the roles' variables is available in the `./dhall/Config.dhall` file to help you configure your projects with some type checking.
 
diff --git a/defaults/main.yml b/defaults/main.yml
index dc73d56..c3f0967 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 rundeck_api_version: 26
 rundeck_remove_missing: true
+rundeck_remove_missing_keys: false
 rundeck_ignore_creation_error: true
 rundeck_keys_scoped_by_project: true
 rundeck_jobs_keys: []
diff --git a/dhall/package.dhall b/dhall/package.dhall
index 7ada0dc..4e3b668 100644
--- a/dhall/package.dhall
+++ b/dhall/package.dhall
@@ -10,6 +10,7 @@ let Config =
           , rundeck_api_token : Text
           , rundeck_api_version : Optional Natural
           , rundeck_remove_missing : Optional Bool
+          , rundeck_remove_missing_keys : Optional Bool
           , rundeck_ignore_creation_error : Optional Bool
           , rundeck_jobs_group : Optional Text
           , rundeck_jobs_keys : List Key
@@ -19,6 +20,7 @@ let Config =
       , default =
         { rundeck_api_version = Some 26
         , rundeck_remove_missing = Some True
+        , rundeck_remove_missing_keys = Some False
         , rundeck_ignore_creation_error = Some True
         , rundeck_jobs_group = None Text
         , rundeck_jobs_keys = [] : List Key
diff --git a/files/fetch_keys.sh b/files/fetch_keys.sh
new file mode 100755
index 0000000..e15dc12
--- /dev/null
+++ b/files/fetch_keys.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+BASE_URL="$1"
+TOKEN="$2"
+BASE_PATH="$3"
+
+list_path_rec() {
+  path="$1"
+  result=$(curl -ks "$BASE_URL/storage/$path?authtoken=$TOKEN")
+
+  case "$(echo "$result" | jq -r .type)" in
+    "file") echo "$result" | jq -r .path | sed -e "s@^$BASE_PATH/@@"
+      ;;
+    "directory")
+      echo "$result" | jq -r ".resources[]|.path" | while read p; do list_path_rec "$p"; done
+      ;;
+  esac
+}
+
+list_path_rec "$BASE_PATH"
diff --git a/tasks/key.yml b/tasks/key.yml
new file mode 100644
index 0000000..aa2b2d9
--- /dev/null
+++ b/tasks/key.yml
@@ -0,0 +1,30 @@
+---
+- name: Build scoped path
+  set_fact:
+    rundeck_key_full_path: "{{ rundeck_keys_base_path }}/{{ item.path }}"
+
+- name: Check key existence
+  uri:
+    url: "{{ rundeck_api_url }}/{{ rundeck_api_version }}/storage/keys/{{ rundeck_key_full_path }}"
+    method: GET
+    headers:
+      Accept: application/json
+      X-Rundeck-Auth-Token: "{{ rundeck_api_token }}"
+    status_code: [200, 404]
+  register: rundeck_existing_key
+
+- name: Set method
+  set_fact:
+    rundeck_key_uri_method: "{{ (rundeck_existing_key.status == 404) | ternary('POST', 'PUT') }}"
+
+- name: Import key
+  uri:
+    url: "{{ rundeck_api_url }}/{{ rundeck_api_version }}/storage/keys/{{ rundeck_key_full_path }}"
+    method: "{{ rundeck_key_uri_method }}"
+    headers:
+      Accept: application/json
+      Content-Type: "{{ item.type }}"
+      X-Rundeck-Auth-Token: "{{ rundeck_api_token }}"
+    status_code: [200, 201]
+    body: "{{ item.value }}"
+    body_format: raw
diff --git a/tasks/keys.yml b/tasks/keys.yml
index 98c6136..7ca0904 100644
--- a/tasks/keys.yml
+++ b/tasks/keys.yml
@@ -1,33 +1,34 @@
 ---
-- name: Build scoped path
+- name: Set scope variables
   set_fact:
-    rundeck_key_full_path: "{{ rundeck_keys_scoped_by_project | default(true) | ternary('project/' + rundeck_project + '/' + key_group_path, key_group_path) }}"
+    rundeck_keys_base_path: "{{ rundeck_keys_scoped_by_project | default(true) | ternary('project/' + rundeck_project + '/' + rundeck_keys_group_path, rundeck_keys_group_path) }}"
   vars:
     group_name: "{{ rundeck_jobs_group | default('') }}"
-    key_group_path: "{{ rundeck_keys_scoped_by_group | default((group_name|length) > 0) | ternary(group_name + '/' + item.path, item.path) }}"
+    rundeck_keys_group_path: "{{ rundeck_keys_scoped_by_group | default((group_name|length) > 0) | ternary(group_name, '') }}"
 
-- name: Check key existence
-  uri:
-    url: "{{ rundeck_api_url }}/{{ rundeck_api_version }}/storage/keys/{{ rundeck_key_full_path }}"
-    method: GET
-    headers:
-      Accept: application/json
-      X-Rundeck-Auth-Token: "{{ rundeck_api_token }}"
-    status_code: [200, 404]
-  register: rundeck_existing_key
+- name: Include rundeck key
+  include_tasks: key.yml
+  with_items: "{{ rundeck_jobs_keys }}"
+
+- name: Get all stored keys
+  script:
+    cmd: "{{ role_path }}/files/fetch_keys.sh {{ rundeck_api_url }}/{{ rundeck_api_version }} {{ rundeck_api_token }} keys/{{ rundeck_keys_base_path }}"
+  register: rundeck_existing_keys
+  when: rundeck_remove_missing_keys
 
-- name: Set method
+- name: "Prepare list of keys to remove"
   set_fact:
-    rundeck_key_uri_method: "{{ (rundeck_existing_key.status == 404) | ternary('POST', 'PUT') }}"
+    rundeck_existing_keys: "{{ rundeck_existing_keys.stdout_lines | list }}"
+    rundeck_known_keys: "{{ rundeck_jobs_keys | map(attribute='path') | list }}"
+  when: rundeck_remove_missing_keys
 
-- name: Import key
+- name: "Remove jobs not declared"
   uri:
-    url: "{{ rundeck_api_url }}/{{ rundeck_api_version }}/storage/keys/{{ rundeck_key_full_path }}"
-    method: "{{ rundeck_key_uri_method }}"
+    url: "{{ rundeck_api_url }}/{{ rundeck_api_version }}/storage/keys/{{ rundeck_keys_base_path }}/{{ item }}"
+    method: DELETE
     headers:
       Accept: application/json
-      Content-Type: "{{ item.type }}"
       X-Rundeck-Auth-Token: "{{ rundeck_api_token }}"
-    status_code: [200, 201]
-    body: "{{ item.value }}"
-    body_format: raw
+    status_code: [204, 404]
+  with_items: "{{ rundeck_existing_keys | difference(rundeck_known_keys) }}"
+  when: rundeck_remove_missing_keys
diff --git a/tasks/main.yml b/tasks/main.yml
index 644fef0..955d0a9 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -4,7 +4,6 @@
   tags:
     - rundeck-jobs
 - name: Include rundeck keys
-  include_tasks: keys.yml
   tags:
     - rundeck-keys
-  with_items: "{{ rundeck_jobs_keys }}"
+  include_tasks: keys.yml
-- 
cgit v1.2.3