Adding _remove_permissions_from_roles() and extracting parts of repo_role() into shared methods.

[scriptsrc]

Adding _remove_permissions_from_roles() and extracting parts of repo_role() into shared methods.

Also updates the policy size checking to correctly remove all whitespace before checking the size.

Need a code review with @mcpeak.

[mcpeak]

please keep this in alphabetical order grouped by import type (stdlib, third party libs, module imports)

[mcpeak]

The comment says validate policies remain under the limit but you return True when the size exceeds the limit.

[mcpeak]

I'd prefer putting the hook calling here so it's easier to see that it's happening.

[mcpeak]

Is permissions here a single permission? A list of permissions? It's called permissions but below you reference "the selected permission".

[mcpeak]

roles seems like a list of roles but it's a filename, make the variable name consistent.

[mcpeak]

From a user perspective, where is the file supposed to come from? Do we want to provide other options to find the roles since we have a database?

[JohnVonNeumann]

In line with #44 should all new functions be following a standard around docstrings? Is this a situation where development should start as it means to go on?

[JohnVonNeumann]

nit: alphabetise the imports

[scriptsrc]

Should probably have flake8 enforce import order if it's something we care about.

[scriptsrc]

But yes, as @mcpeak pointed this out, I will fix.

[JohnVonNeumann]

can this block be cleaned up using some variables for the various times/periods so that the arithmetic is easier to understand from a first look.

ie:

last_updated_time = datetime.datetime.strptime(aa_service['lastUpdated'], '%a, %d %b %Y %H:%M:%S %Z')
current_time = datetime.datetime.now()
expiration_time = datetime.timedelta(days=max_days_old)

        if( last_updated_time < current_time - expiration_time):
                old_aa_data_services.append(aa_service['serviceName'])

Probably need to play with var names, I'm tired and not picking the correct words/context for the block, but you get the idea of what I'm trying to convey.

[scriptsrc]

This was originally inline for the repo_role() method. I refactored it into it's own method thinking I would need this code for the main method that I am adding, but it turns out that I don't. I'll move this back into repo_role(), but won't be otherwise fixing the naming.

Not in this PR, anyways.

[scriptsrc]

Thank you @JohnVonNeumann and @mcpeak for the review. I'll work on many of these items for this PR. Others are broader concerns that I may follow up on in other PRs.

Again, thanks.

[coveralls]

Coverage increased (+3.4%) to 58.221% when pulling 0dc1149 on remove_specific_permission into ea37f65 on master.

[scriptsrc]

Things I think I've completed:

• _check_inline_policy_size() method name & return value not aligned.
• import order now different
• Permission used singular and plural in new code (make all plural)
• Role filename variable not well named
• Get find_roles_with_permission() to optionally output to a format that can be used with remove_permissions_from_roles()
• Regularize docstrings for new methods.
• move hook to upper level method
• Move the contents of _check_access_advisor_age() back into repo_role() (No need to pull this into a separate method now.)

Todo:

• Update Documentation to describe the new flow
• Look at writing unit tests for this new flow
• Functional tests (deploy and make sure old things and new things still work)

[scriptsrc]

This PR has been put through it's paces in our test environment.

• update_role_cache
• display_role_cache
• display_role
• repo_role
• rollback_role
• find_roles_with_permissions
• remove_permissions_from_roles

Seems to work as expected.

Future work may be to have the remove_permissions_from_roles flow not touch statements or policies that don't have the provided permission. Right now it will expand the wildcards on those otherwise unrelated statements, which cause problems with the policy size limit.