Add task to update PE Master group rules

This commit introduces a new private task to update
the AND conditional for the pe_compiler auth role in
the PE Master node group, changing it to regex match
for any *_compiler role. The task ensures that the
group rules are simplified and display more correctly
on the PE console.

Author: petergmurphy

manifests/setup/legacy_compiler_group.pp

@@ -10,8 +10,7 @@
 
   node_group { 'PE Legacy Compiler':
     ensure         => 'present',
-    parent         => 'PE Master',
-    purge_behavior => 'classes',
+    parent         => 'PE Infrastructure',
     rule           => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
     classes        => {
       'puppet_enterprise::profile::master' => {
@@ -26,7 +25,6 @@
   node_group { 'PE Legacy Compiler Group A':
     ensure         => 'present',
     parent         => 'PE Legacy Compiler',
-    purge_behavior => 'classes',
     rule           => ['and',
       ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'A'],

manifests/setup/node_manager.pp

@@ -77,10 +77,6 @@
     parent    => 'PE Infrastructure',
     data      => $compiler_pool_address_data,
     variables => { 'pe_master' => true },
-    rule      => ['or',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
-    ],
   }
 
   # PE Compiler group comes from default PE and already has the pe compiler role

plans/convert.pp

@@ -333,5 +333,7 @@
 # lint:endignore
   }
 
+  run_task('peadm::update_pe_master_rules', $primary_target)
+
   return("Conversion to peadm Puppet Enterprise ${arch['architecture']} completed.")
 }

plans/install.pp

@@ -143,6 +143,8 @@
     final_agent_state                => $final_agent_state,
   )
 
+  run_task('peadm::update_pe_master_rules', $primary_host)
+
   # Return a string banner reporting on what was done
   return([$install_result, $configure_result])
 }

tasks/update_pe_master_rules.json

@@ -0,0 +1,8 @@
+{
+  "description": "Updates the PE Master group rules to replace pe_compiler with a regex match for any *_compiler role",
+  "input_method": "stdin",
+  "private": true,
+  "implementations": [
+    {"name": "update_pe_master_rules.rb"}
+  ]
+} 

tasks/update_pe_master_rules.rb

@@ -0,0 +1,107 @@
+#!/opt/puppetlabs/puppet/bin/ruby
+# frozen_string_literal: true
+
+require 'json'
+require 'net/https'
+require 'puppet'
+
+# UpdatePeMasterRules task class
+class UpdatePeMasterRules
+  def initialize(params)
+    @params = params
+  end
+
+  def https_client
+    client = Net::HTTP.new(Puppet.settings[:certname], 4433)
+    client.use_ssl = true
+    client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+    client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+    client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    client.ca_file = Puppet.settings[:localcacert]
+    client
+  end
+
+  def get_pe_master_group_id
+    net = https_client
+    res = net.get('/classifier-api/v1/groups')
+
+    unless res.code == '200'
+      raise "Failed to fetch groups: HTTP #{res.code} - #{res.body}"
+    end
+
+    groups = JSON.parse(res.body)
+    pe_master_group = groups.find { |group| group['name'] == 'PE Master' }
+    
+    raise "Could not find PE Master group" unless pe_master_group
+    pe_master_group['id']
+  rescue JSON::ParserError => e
+    raise "Invalid JSON response from server: #{e.message}"
+  rescue StandardError => e
+    raise "Error fetching PE Master group ID: #{e.message}"
+  end
+
+  def get_current_rules(group_id)
+    net = https_client
+    url = "/classifier-api/v1/groups/#{group_id}/rules"
+    req = Net::HTTP::Get.new(url)
+    res = net.request(req)
+
+    unless res.code == '200'
+      raise "Failed to fetch rules: HTTP #{res.code} - #{res.body}"
+    end
+
+    JSON.parse(res.body)['rule']
+  rescue JSON::ParserError => e
+    raise "Invalid JSON response from server: #{e.message}"
+  rescue StandardError => e
+    raise "Error fetching rules: #{e.message}"
+  end
+
+  def update_rules(group_id)
+    net = https_client
+    begin
+      current_rules = get_current_rules(group_id)
+      
+      # Find the specific "and" rule for pe_compiler and transform it to match any *_compiler role
+      old_rule = ['and', ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler']]
+      new_rule = ['and', ['~', ['trusted', 'extensions', 'pp_auth_role'], '.*_compiler$']]
+      
+      # Replace the old rule with the new rule if it exists
+      new_rules = current_rules.map { |rule| rule == old_rule ? new_rule : rule }
+      
+      # Update the group with the modified rules
+      url = "/classifier-api/v1/groups/#{group_id}"
+      req = Net::HTTP::Post.new(url)
+      req['Content-Type'] = 'application/json'
+      req.body = { rule: new_rules }.to_json
+
+      res = net.request(req)
+
+      case res.code
+      when '200', '201', '204'
+        puts "Successfully transformed pe_compiler rule to match any *_compiler role in group #{group_id}"
+      else
+        begin
+          error_body = JSON.parse(res.body.to_s)
+          raise "Failed to update rules: #{error_body['kind'] || error_body}"
+        rescue JSON::ParserError
+          raise "Invalid response from server (status #{res.code}): #{res.body}"
+        end
+      end
+    rescue StandardError => e
+      raise "Error during rules update: #{e.message}"
+    end
+  end
+
+  def execute!
+    group_id = get_pe_master_group_id
+    update_rules(group_id)
+  end
+end
+
+# Run the task unless an environment flag has been set
+unless ENV['RSPEC_UNIT_TEST_MODE']
+  Puppet.initialize_settings
+  task = UpdatePeMasterRules.new(JSON.parse(STDIN.read))
+  task.execute!
+end