Merge pull request #13 from sebastian-luna-valero/groups-roles

Generalize the building of eduPersonEntitlement
grycap · Sep 5, 2024 · 69c2183 · 69c2183
2 parents 950d21a + c854f92
commit 69c2183
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 6 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,2 +1,9 @@
 ssh_oidc_my_vo: false
-ssh_oidc_other_vos: ''
+ssh_oidc_other_vos_namespace: urn:mace:egi.eu
+ssh_oidc_other_vos_name: ''
+ssh_oidc_other_vos_groups: ''
+#example:
+#ssh_oidc_other_vos_groups:
+#- my.group
+ssh_oidc_other_vos_role: member
+ssh_oidc_other_vos_authority: aai.egi.eu
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -25,6 +25,8 @@
     - name: "Include grycap.motley-cue"
       include_role:
         name: "ansible-role-motley-cue"
+      vars:
+        ssh_oidc_other_vos_name: "vo.test.eu"
 
 
 #    - slurp: src=/etc/docker/daemon.json

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -76,10 +76,34 @@
     command_env: "{{ command_env | combine ({ 'SSH_AUTHORISE_OTHERS_IN_MY_VO' : 1 }) }}"
   when: ssh_oidc_my_vo
 
-- name: set SSH_AUTHORISE_VOS
-  set_fact:
-    command_env: "{{ command_env | combine ({ 'SSH_AUTHORISE_VOS' : ['urn:mace:egi.eu:group:{{ssh_oidc_other_vos}}:role=member#aai.egi.eu'] }) }}"
-  when: ssh_oidc_other_vos != ''
+- block:
+
+  # Refernce:
+  # https://docs.egi.eu/users/aai/check-in/vos/expressing-vo-information/
+  - name: set eduPersonEntitlement
+    set_fact:
+      eduPersonEntitlement: >-
+        {{ssh_oidc_other_vos_namespace}}
+        :group
+        :{{ssh_oidc_other_vos_name}}
+        {%for group in ssh_oidc_other_vos_groups %}
+        :{{group}}
+        {% endfor %}
+        {% if ssh_oidc_other_vos_role != '' %}
+        :role={{ssh_oidc_other_vos_role}}
+        {% endif %}
+        #{{ssh_oidc_other_vos_authority}}
+
+  - name: Clean up and show eduPersonEntitlement that will be used
+    debug:
+      msg: "{{ eduPersonEntitlement | replace(' ','') }}"
+    register: eduPersonEntitlement_trimmed
+
+  - name: set SSH_AUTHORISE_VOS
+    set_fact:
+      command_env: "{{ command_env | combine ({ 'SSH_AUTHORISE_VOS' : ['{{ eduPersonEntitlement_trimmed.msg }}'] }) }}"
+
+  when: ssh_oidc_other_vos_name != ''
 
 - name: Use python3.8 in Ubuntu 18.08
   lineinfile:
@@ -102,7 +126,6 @@
   command: contextualise_ssh_server {{OIDC_ACCESS_TOKEN}}
   args:
     chdir: /opt/motley_cue
-    creates: /opt/motley_cue/motley_cue.conf
   register: contextualise_ssh_server
   when: OIDC_ACCESS_TOKEN is defined
   environment: "{{command_env}}"