Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support more scenarios #1

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Support more scenarios #1

wants to merge 6 commits into from

Conversation

weshouman
Copy link

Support the following

  • Scenarios where multi strings are templated.
  • Use of array of elements alongside with the default values.
  • logout method.
  • Many more methods.

@weshouman
Use localhost to connect to the synology
24e1b1a 
Ansible already executes the scripts from inside the host machines,
 which will always make the localhost to be the synology machine.
Using the 127.0.0.1 instead of any supplied input saves from mistakenly using an unresolvable uri by synology
 thus avoid sending the GET request with the username and password in the URI to a foreign nslookup
Also enable usage of a customized synology port through synology_dsm_port
@weshouman
Cleanup, add comments and fix dict modificaion-while-iterating
4e44c90
@weshouman
Allow use of templated multi-strings, for the compound element.
3d4f509
@weshouman
Support detection of deeper failures, ie: occuring in user creation s…
e28debe 
…cenario.
@weshouman
Add filters to be used to for fine-grained array-constructions within…
67b5079 
… strings.
@weshouman
Major restructure for the tasks
3a6d4dc 
Add logout, create user, delete user and many more webapi tasks.
Structure the defaults into directories.
@agaffney
Copy link
Owner

agaffney commented Apr 6, 2020

The main feedback that I have on this is that there's no way to disable the application of a bunch of this new configuration. For example, for the mail settings, there's no options other than disabling mail or actually configuring everything. I don't really have a good suggestion for how to implement the third option of leaving it alone, though.

@weshouman
Copy link
Author

Keeping some settings untouched shall be done with a check for each setting whether it's configured for the task or not.
This could be implemented by eliminating the use of multi-strings for the compound settings and (of course we know each option whether optional or not, ie: have a clear API)

Note: some options could be tricky, ie: password and __CiPhErTeXt, one and only of them is required for the user creation.

rlenferink
rlenferink reviewed Jun 10, 2020
View reviewed changes
tasks/core/user/create.yml
deny: false
custom: false
permissions:
- share_dir: "shared_dir1"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this correct? Shouldn’t this be a list of shares which the user should have access to?

The 3 mentioned shares seem like boilerplate shares.

tasks/core/user/create.yml
quotas_defaults:
quota: 0
quotas:
- share_dir: "shared_dir1"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Boilerplate ?

tasks/core/user/create.yml
user_name: "{{ synology_dsm_new_user_name }}"
group_name: "{{ item }}"
with_list:
- group1
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Boilerplate? Shouldn’t this be configurable?

defaults/main/user_delete.yml
@@ -0,0 +1,4 @@
---
synology_dsm_users_to_delete:
- "to_be_deleted_user1"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Preferably default this to an empty list:

synology_dsm_users_to_delete: []

defaults/main/user_create.yml
@@ -0,0 +1,9 @@
---
synology_dsm_new_user_name: automated_user1
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not have this as e.g. a dict?

synology_dsm_users:
  automated_user1:
    description: Automatically created test user
    email: ""
    cnt_chg_pw: false
    expired: normal
    notify_by_email: false
    send_pw: false
    pass: dXNlX2Ffc3Ryb25nX3Bhc3N3b3JkX2xpa2VfdGhpcw==
  automated_user2:
    # etc

Multiple users can be specified this way.

tasks/core/user/_create.yml
"password": "{{ synology_dsm_new_user_pass | b64decode }}"
}
]

Copy link

@rlenferink rlenferink Jun 10, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If changing this to a list add:

loop: “{{ (synology_dsm_users | default({})) | dict2items }}”

tasks/core/user/_create.yml
"api": "SYNO.Core.User",
"method": "create",
"version": "1",
"name": "{{ synology_dsm_new_user_name }}",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With the loop added update this section:

"name":             "{{ item.key }}",
"description":      "{{ item.value.description }}",

tasks/core/user/_set.yml
"email": "{{ user_email }}",
"expired": "{{ user_expiration }}",
"cannot_chg_passwd": {{ user_cnt_chg_pw | to_json }},
"password": "{{ user_pass | b64decode }}"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why b64decode passwords? If it’s just to obscure the password I suggest to use Ansible Vault for storing the password in a variable (will be decrypted when running Ansible). Base64 can be decoded by anyone.

Info: https://docs.ansible.com/ansible/latest/user_guide/vault.html#use-encrypt-string-to-create-encrypted-variables-to-embed-in-yaml

defaults/main/login.yml
synology_dsm_login_pass: dXNlX2Ffc3Ryb25nX3Bhc3N3b3JkX2xpa2VfdGhpcw==

# NOTE: for passwords, use a base64 hash, in example:
# ```echo -n use_a_strong_password_like_this | base64```
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same note as somewhere else. Why base64? That isn’t secure when checking into version control. Better to use Ansible Vault: https://docs.ansible.com/ansible/latest/user_guide/vault.html#use-encrypt-string-to-create-encrypted-variables-to-embed-in-yaml

If the action_plugin is the only place which needs it in base64 isn’t it possible to encode it in the python file?

@rlenferink
Copy link

Are you planning on completing the task/vpnserver stuff? Otherwise it might be better to remove the empty files.

FYI: I don’t need it as I have my vpn configured on pfSense.

@rlenferink
Copy link

The main feedback that I have on this is that there's no way to disable the application of a bunch of this new configuration. For example, for the mail settings, there's no options other than disabling mail or actually configuring everything. I don't really have a good suggestion for how to implement the third option of leaving it alone, though.

The suggestion I have is to put sensible defaults in place. The default should be the same as after a fresh installation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rlenferink rlenferink rlenferink left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@weshouman @agaffney @rlenferink