configure

#!/usr/bin/env python
# This script runs setup for Ansible Tower.
# It determines how Tower is to be installed, gives the proper command,
# and then executes the command if asked.

import httplib
import json
import optparse
import os
import random
import re
import shutil
import socket
import subprocess
import sys
import textwrap
from copy import copy
from datetime import datetime
from getpass import getpass

CURDIR = os.path.realpath(os.path.dirname(__file__))
os.chdir(CURDIR)

# --------------
# Print Function
# --------------

def _(text, file=sys.stdout, width=79, nl=1):
    """A more utilitarian print function for printing help text and error
    messages for Tower setup.
    """
    text = text.strip('\n')

    # If this is a multi-line string, break it out and dedent it, then
    # process each line individually (for fill).
    if '\n' in text:
        text = textwrap.dedent(text)
    text = text.split('\n')

    # Iterate over each line, apply the fill, and write it out to the
    # file.
    for i, line in zip(range(0, len(text)), text):
        file.write(textwrap.fill(line, width=width))
        if i < len(text) - 1:
            file.write('\n')

    # Print newlines.
    for i in range(0, nl):
        file.write('\n')

def newline(number=1, file=sys.stdout):
    return _('', nl=number, file=file)


def parse_hostname(hostname):
    """Return the protocol and hostname."""
    protocol = 'http' if hostname.count(':') == 1 else 'https'
    if '://' in hostname:
        protocol, hostname = hostname.split('://')
    if hostname.count(':') >= 3:
        hostname = '[%s]' % hostname
    return protocol, hostname


def tower_installed_at(hostname):
    """Return True if Tower is installed at a given hostname, False
    otherwise.
    """
    protocol, hostname = parse_hostname(hostname)
    try:
        r, c = http_request('%s://%s/api/v1/' % (protocol, hostname))
        if c is None:
            return False
        if r.status < 400:
            # Try to ensure that this mostly looks like a Tower API front page.
            # This is fake-able, but we likely don't care.
            keys = ['authtoken', 'config', 'me', 'users', 'jobs',
                    'unified_jobs']
            if all([k in c for k in keys]):
                return True
    except socket.error:
        pass

    # It must not be a Tower machine.
    return False


# ---------------------
# HTTP Request Function
# ---------------------
# This script needs to minimize dependencies, so using requests isn't really
# an option, sadly.
def http_request(url, method='GET', decode_json=True):
    # Parse out the full URL into individual pieces.
    protocol, stuff = url.split('://')
    host = stuff.split('/')[0]
    uri = '/' + '/'.join(stuff.split('/')[1:])

    # Make a connection object and perform the request.
    Connection = httplib.HTTPConnection
    if protocol == 'https':
        Connection = httplib.HTTPSConnection
    conn = Connection(host)

    # Make the request.
    conn.request(method, url)
    response = conn.getresponse()
    content = None
    if response.status < 300:
        content = response.read()
        if decode_json:
            content = json.loads(content)
    return response, content


# ---------------------
# Get Password Function
# ---------------------
def get_password(prompt, autogenerate=False, allow_blank=False):
    """Get a password, and require that it be alphanumeric."""

    # Is this a case where we do not care what the password is;
    # we simply need to have one?
    # If so, just auto-generate a random, 40 character password.
    if autogenerate:
        # Avoid use of ambiguous characters like "I" or "l".
        chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'

        # Generate and return a random password.
        return ''.join([random.choice(chars) for i in range(0, 40)])

    # Okay, we are asking for a password. Get the user to
    # specify it.
    answer = ''
    while not answer:
        answer = getpass(prompt).strip()

        # Sanity check: Is the password blank?
        # If so, complain.
        if not answer:
            if allow_blank:
                return ''
            else:
                _('The password cannot be blank.')
                continue

        # Sanity check: Is the password alphanumeric? If so, complain.
        if not re.match(r'^[\w\d_]+$', answer):
            _('Please enter an alphanumeric password.')
            answer = ''
            continue

    # We are done; return the password.
    return answer


# -------------
# Prerequisites
# -------------

# Sanity check: Test to ensure that Ansible is installed.
try:
    proc = subprocess.Popen(['ansible', '--version'],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    proc.wait()
    returncode = int(proc.returncode)
except OSError:
    returncode = 255


# If there is a non-zero return code, it means Ansible is not installed
# on this machine.
if returncode > 0:
    _("""
        Ansible is not installed on this machine.
        You must install Ansible before you can install Tower.

        For guidance on installing Ansible, consult
        http://docs.ansible.com/intro_installation.html
    """, file=sys.stderr)
    sys.exit(32)


# Sanity check: Ensure that Ansible is at least 1.7.
version_check = proc.stdout.read()
version_str = version_check.strip().split('\n')[0].split(' ')[-1]
version = tuple([int(i) for i in version_str.split('.')
                 if re.match(r'^[\d]$', i)])
if version < (1, 7):
    _("""
        Ansible is installed on this machine, but is too old (version %s).
        Ansible Tower setup requires at least Ansible 1.7. Please upgrade.

        For guidance on installing Ansible, consult
        http://docs.ansible.com/intro_installation.html
    """ % version_str, file=sys.stderr)
    sys.exit(33)

# Sanity check: Test to ensure that PyYAML is installed.
try:
    import yaml
except ImportError:
    _("""
        PyYAML is not installed on this machine.
        This should have been installed alongside Ansible, and must be
        installed in order to install Tower.
    """, file=sys.stderr)
    sys.exit(32)


# -------------
# Initial Setup
# -------------
timestamp = datetime.now()
log_dir = '/var/log/tower'
log_file = '%s/setup-%s.log' % (log_dir, timestamp.strftime('%F-%T'))

conf = {}
private_key_path = None
dirty = False


# --------------
# Option Parsing
# --------------
parser = optparse.OptionParser()
parser.add_option('-o', '--options-file', dest='options_file', default='',
                                          metavar='FILE')
parser.add_option('-l', '--local', dest='local', default=False,
                                   action='store_true')
parser.add_option('-A', '--no-autogenerate', dest='autogenerate', default=True,
                                             action='store_false')
parser.add_option('--no-secondary-prompt', dest='no_secondaries',
                                           default=False, action='store_true')
cli_opts, cli_args = parser.parse_args()

# Sanity check: It does not make sense to use both --options-file and --local.
if cli_opts.options_file and cli_opts.local:
    _('ERROR: Cannot specify both --options-file and --local.',
      file=sys.stderr)
    sys.exit(64)

# ------------
# Setup Wizard
# ------------

# Output stuff to introduce Tower and the guided wizard.
_("""
-------------------------------------------
Welcome to the Ansible Tower Install Wizard
-------------------------------------------

This wizard will guide you through the setup process.
""", nl=2)

# There may be an options file that the user is using.
# If so, then we don't go through the asking of questions that the options
# file already knows about.
if cli_opts.options_file:
    options_file = cli_opts.options_file
    options_file = os.path.realpath(os.path.expanduser(options_file))

    # Sanity check: Does the specified file actually exist?
    # If it doesn't, complain.
    if not os.path.isfile(options_file):
        sys.stderr.write('Setup options file %s does not exist or is not '
                         'readable.\n' % options_file)
        sys.exit(40)

    # Read in options from options file.
    with open(options_file, 'r') as stream:
        conf = yaml.load(stream)

# If the user specified `--local`, then that implies certain options:
if cli_opts.local:
    _('LOCAL INSTALLATION')
    _('You are installing Ansible Tower on this machine, using an internal '
      'database.', nl=2)
    conf['primary_machine'] = 'localhost'
    conf['database'] = 'internal'
    already_installed = tower_installed_at('localhost')
    dirty = True

# Okay, any options available from the file have been loaded.
# Ask any remaining questions we need to ask to be able to run setup.
#
# The first question is which machine this setup is being done on.
if not conf.get('primary_machine', None):
    _('PRIMARY TOWER MACHINE')
    _('Tower can be installed (or upgraded) on this machine, or onto a remote '
      'machine that is reachable by SSH.', nl=2)
    _('Note: If using the High Availability features of Tower, you must use '
      'DNS resolvable hostnames or IP addresses (do not use "localhost").',
      nl=2)
    _('Enter the hostname or IP to configure Ansible Tower')
    primary_machine = raw_input('(default: localhost): ')

    # If it's still empty, use localhost.
    if not primary_machine.strip():
        _('Installing Tower on localhost.')
        primary_machine = 'localhost'
    conf['primary_machine'] = primary_machine
    dirty = True

    newline()

# Determine whether Tower is already installed on this machine.
# If this is not a fresh install, then none of these other options are
# relevant, and the existing Tower install knows what it is doing.
already_installed = tower_installed_at(conf['primary_machine'])

# If Tower is already installed, check to see if we are on version >= 2.1.
# If we are, then we may have an HA configuration, and want to upgrade the
# entire system as a whole.
if already_installed:
    protocol, target = parse_hostname(conf['primary_machine'])
    r, c = http_request('%s://%s/api/v1/ping/' % (protocol, target))
    if r.status < 400:
        already_installed = tuple([int(re.sub(r'[\D]', '', i))
                                   for i in c['version'].split('.')])
        if str(c['role']) == 'secondary':
            conf['primary_machine'] = c['instances']['primary']

        # Tower >= 2.1 is already installed.
        # Get our database settings from the Tower instance itself.
        if c['ha']:
            conf['database'] = 'external'
            conf['secondary_machines'] = copy(c['instances']['secondaries'])
        else:
            conf['database'] = 'internal'
    else:
        conf['database'] = 'internal'
        


# If this is a primary Tower installation, then get the database information
# we need to perform the install.
if not already_installed and not conf.get('database', None):
    _('DATABASE')
    _('Tower can use an internal database installed on the Tower machine, '
      'or an external PostgreSQL database. An external database could be '
      "a hosted database, such as Amazon's RDS.", nl=2)
    _('An internal database is fine for most situations. However, to use '
      'the High Availability features of Tower, an external database is '
      'required.', nl=2)
    _('If using an external database, the database (but not the necessary '
      'tables) must already exist.', nl=2)
    while not conf.get('database', None):
        db = raw_input('Will this installation use an (i)nternal or '
                       '(e)xternal database? ')
        if db.lower() in ('i', 'l', 'internal', 'local'):
            conf['database'] = 'internal'
        elif db.lower() in ('e', 'external'):
            conf['database'] = 'external'
        else:
            _('Please enter internal or external.')
        dirty = True
    newline()

# If this is using an external database, then we need to get connection
# details and prove that the database is accessible.
if not already_installed and conf['database'] == 'external':
    # Ask for each individual database element.
    while not conf.get('pg_host', None):
        conf['pg_host'] = raw_input('Enter the PostgreSQL host: ')
        dirty = True
    while not conf.get('pg_database', None):
        conf['pg_database'] = raw_input('Enter the PostgreSQL database '
                                        'name: ')
        dirty = True
    while not conf.get('pg_username', None):
        conf['pg_username'] = raw_input('Enter the PostgreSQL user: ')
        dirty = True
    if not 'pg_password' in conf:
        conf['pg_password'] = get_password('Enter the PostgreSQL password: ',
                                           allow_blank=True)
        dirty = True
    while not conf.get('pg_port', None):
        conf['pg_port'] = raw_input('Enter the PostgreSQL port '
                                    '(default 5432): ')
        if not conf['pg_port']:
            conf['pg_port'] = 5432
        try:
            conf['pg_port'] = int(conf['pg_port'])
        except ValueError:
            conf['pg_port'] = None
            _('PostgreSQL port must be an integer.')
        dirty = True
    newline()

    # Verify that the connection details are valid.
    # We're only able to do this if the psql client program is installed,
    # and there's every reason to believe it may not be.
    try:
        import psycopg2
        conn = psycopg2.connect(
            database=conf['pg_database'],
            host=conf['pg_host'],
            password=conf['pg_password'],
            port=conf['pg_port'],
            user=conf['pg_username'],
        )
    except ImportError:
        _('Warning: psycopg2 is not installed on this machine. '
          'We will assume these credentials are correct. You may see '
          'playbook errors later if they are not.', file=sys.stderr, nl=2)
        _('You may edit tower_setup_conf.yml prior to running the '
          'setup.sh command to make changes after completing this wizard.')
    except psycopg2.OperationalError as ex:
        _('Error: Unable to connect to the database.', file=sys.stderr)
        _('The error we got when we tried was:\n\n%s' % str(ex),
          file=sys.stderr, nl=2)
        sys.exit(1)

    newline()


# Give the user the opportunity to add zero or more secondary modules.
if not cli_opts.no_secondaries and conf.get('database', None) == 'external':
    conf.setdefault('secondary_machines', [])

    _('SECONDARY MACHINES')
    _('You may optionally elect to add any number of secondary machines, '
      'on which Ansible Tower will also be installed (in secondary mode).')
    if conf['secondary_machines']:
        _('You already have the following secondary machine(s): %s' %
          ', '.join(conf['secondary_machines']))
    
    # Ask if we want to enter secondary machines at all.
    addsec = None
    while addsec not in ('y', 'n', 'yes', 'no'):
        addsec = raw_input('Add secondary machines (y/n)? ').lower()
        if addsec in ('y', 'n', 'yes', 'no'):
            newline()
        else:
            _('Please enter (y)es or (n)o.')

    # If secondary machines are desired, add as many as needed.
    if addsec in ('y', 'yes'):
        conf.setdefault('secondary_machines', [])
        _('Enter the hostname or IP of secondary machines. If you are done '
          'adding machines, enter an empty line.')
        done = False
        while not done:
            sec = raw_input('Hostname or IP: ')
            if not sec.strip():
                done = True
            else:
                conf['secondary_machines'].append(sec)
                dirty = True
        newline()


# Check to see if any secondaries are not installed.
# If not, then we still need to ask for some passwords.
all_secondaries_installed = all([tower_installed_at(i) for i in
                                 conf.get('secondary_machines', [])])

# If this is using an *internal* database and is not an upgrade, then we
# need to have the initial PostgreSQL password to set.
if not already_installed or not all_secondaries_installed:
    _('PASSWORDS')
    if not already_installed:
        _('For security reasons, since this is a new install, you must specify'
          ' the following application passwords.', nl=2)
    else:
        _('At least one secondary machine is new and does not have Tower '
          'already installed. Therefore, we will need you to provide some '
          'application passwords.', nl=2)

    # Admin password and PostgreSQL password only are required if
    # this is a new primary machine, or if they are not already provided.
    if not already_installed:
        if 'admin_password' not in conf:
            conf['admin_password'] = get_password(
                'Enter the desired Ansible Tower admin user password: ',
            )
            dirty = True
    if not already_installed and conf['database'] == 'internal':
        if 'pg_password' not in conf:
            conf['pg_password'] = get_password(
                'Enter the desired PostgreSQL password: ',
                autogenerate=cli_opts.autogenerate,
            )
            dirty = True

    # If any secondary machines are new, it is a sufficient condition
    # to require a Redis and Munin password, as these are independent from
    # machine to machine.
    if 'redis_password' not in conf:
        conf['redis_password'] = get_password(
            'Enter the desired Redis password: ',
            autogenerate=cli_opts.autogenerate,
        )
        dirty = True
    if 'munin_password' not in conf:
        conf['munin_password'] = get_password('Enter the desired Munin '
                                              'password: ')
        dirty = True
    newline()


# Give the user an opportunity to add SSH credentials, in case the defaults
# are not appropriate.
if conf['primary_machine'] not in ('localhost', '127.0.0.1'):
    # Determine what the SSH user is.
    if 'ansible_ssh_user' not in conf:
        _('CONNECTION INFORMATION')
        ssh_user = raw_input('Enter the SSH user to connect with '
                             '(default: root): ')
        if ssh_user.strip() in ('', 'root'):
            conf['ansible_ssh_user'] = 'root'
            dirty = True
        else:
            conf['ansible_ssh_user'] = ssh_user
            dirty = True
        newline()

    # If the user is not root, then we need to determine the mechanism for
    # getting root access (sudo or su). Do so.
    if conf['ansible_ssh_user'] != 'root':
        _('Root access is required to install Tower.')
        while 'ansible_sudo' not in conf and 'ansible_su' not in conf:
            method = raw_input('Will you use (1) sudo or (2) su? ')
            if method.lower().strip() in ('1', 'sudo'):
                conf['ansible_sudo'] = True
                dirty = True
            elif method.lower().strip() in ('2', 'su'):
                conf['ansible_su'] = True
                dirty = True
            else:
                _('Please enter (1) sudo or (2) su.')
        newline()

        # Ask if a password is required for sudo/su.
        method = 'sudo'
        if conf.get('ansible_su', False):
            method = 'su'
        while 'ansible_ask_%s_pass' % method not in conf:
            needpass = raw_input('Will %s require a password (y/N)? ' % method)
            if needpass.lower().strip() in ('', 'no', 'n'):
                conf['ansible_ask_%s_pass' % method] = False
                dirty = True
            elif needpass.lower().strip() in ('yes', 'y'):
                conf['ansible_ask_%s_pass' % method] = True
                dirty = True
        newline()

    # Determine if we are using SSH host keys. If we are not, then the
    # next step will be to determine the password situation.
    while 'using_ssh_host_keys' not in conf:
        host_keys = raw_input('Will you be using SSH keys (Y/n)? ')
        if host_keys.lower().strip() in ('y', 'yes', ''):
            conf['using_ssh_host_keys'] = True
            dirty = True
        elif host_keys.lower().strip() in ('n', 'no'):
            conf['using_ssh_host_keys'] = False
            conf['ansible_ask_pass'] = True
            dirty = True
        else:
            _('Please enter (y)es or (n)o.')
    newline()

    # If we are using SSH host keys, we need to ask for the path to the key
    # so that we can tell the user to ssh-add it.
    #
    # N.B. We only ask for this information if we are already in "dirty" mode.
    # If we are loading from a known file, then the key is probably already
    # added. More importantly, asking for this every time will break QA
    # automation.
    if conf['using_ssh_host_keys'] and dirty:
        while not private_key_path:
            private_key_path = raw_input('Please specify the path to the SSH '
                                         'private key: ')
            if not os.path.isfile(os.path.expanduser(private_key_path)):
                private_key_path = None
                _('File does not exist!')
        newline()


# -------------
# Review & Save
# -------------

if dirty:
    _('REVIEW')

    if already_installed:
        _('You are UPGRADING an existing Tower installation on %s.' %
          conf['primary_machine'], nl=2)
    else:
        _('You selected the following options:', nl=2)

        # Primary machine
        _('The primary Tower machine is: %s' % conf['primary_machine'])

        # Database
        _('Tower will operate on an %s database.' %
          conf['database'].upper())
        if conf['database'] == 'external':
            _('  host: %s' % conf['pg_host'])
            _('  database: %s' % conf['pg_database'])
            _('  user: %s' % conf['pg_username'])
            _('  password: ********')
            _('  port: %d' % conf['pg_port'])

        # Secondary machines.
        if conf.get('secondary_machines', None):
            _('Additional secondary machines:')
            for sm in conf['secondary_machines']:
                _('  - %s' % sm)

        # SSH user.
        if conf.get('ansible_ssh_user', None):
            _('Using SSH user: %s' % conf['ansible_ssh_user'])

    newline()

    # Get confirmation from the user that the settings they provided
    # were correct.
    confirm = ''
    while confirm.lower() not in ('yes', 'y'):
        confirm = raw_input('Are these settings correct (y/n)? ')
        if confirm.lower() in ('no', 'n'):
            _('Exiting. Rerun ./configure to re-configure.')
            sys.exit(10)

    # Write out the settings to a YAML file.
    #
    # Exception: Don't write secondary_machines; these are dealt with by the
    # inventory.
    conf_to_write = dict(conf)
    conf_to_write.pop('secondary_machines', None)
    with open('%s/tower_setup_conf.yml' % CURDIR, 'w') as stream:
        yaml.dump(conf_to_write, stream=stream, default_flow_style=False)
    _('Settings saved to tower_setup_conf.yml.')
    newline()


    # Collate all the hosts together in preperation for making an
    # inventory file.
    hosts = {'primary': [], 'secondary': []}
    hosts['primary'].append(conf['primary_machine'])
    hosts['secondary'] += conf.get('secondary_machines', [])

    # Put together the appropriate inventory file.
    inventory_file = ''
    if hosts['primary']:
        inventory_file += '[primary]\n%s\n\n' % '\n'.join(hosts['primary'])
    if hosts['secondary']:
        inventory_file += '[secondary]\n%s\n\n' % '\n'.join(hosts['secondary'])
    inventory_file += '[all:children]\n'
    for k, v in hosts.items():
        if v:
            inventory_file += '%s\n' % k

    # Output the inventory file to disk.
    with open('%s/inventory' % CURDIR, 'w') as f:
        f.write(inventory_file)

else:
    _('The configuration provided in %s appears complete.' % options_file)
    newline()


# ------------------------
# ansible-playbook command
# ------------------------

_('FINISHED!')
_('You have completed the setup wizard. You may execute the installation of '
  'Ansible Tower by issuing the following command: ', nl=2)

if conf['primary_machine'].lower() in ('localhost', '127.0.0.1'):
    _('sudo ./setup.sh', nl=2)
else:
    # If we are using SSH keys and have a private key file, then provide
    # the starting commands to add that key.
    if private_key_path:
        _('# Add your SSH key to SSH agent.')
        _('# You may be asked to enter your SSH unlock key password to '
          'do this.')
        _('ssh-agent bash')
        _('ssh-add %s' % private_key_path)

    # There may be extra arguments that need to be passed on the command
    # line. If there are, parse them out here.
    extra_args = []
    for ea in (('p', 'ask_pass'), ('s', 'ask_sudo_pass'),
               ('u', 'ask_su_pass')):
        # This may or may not be an argument that we even have. If it is
        # not, just skip it.
        if not conf.get('ansible_%s' % ea[1], False):
            continue

        # Okay, add this argument to extra_args.
        extra_args.append('-%s' % ea[0])

    # Print the final command.
    _('./setup.sh %s' % ' '.join(extra_args), nl=2)