From 40c65812f43d48faec88e5696aceeb5ce919516c Mon Sep 17 00:00:00 2001 From: to-bar <46519524+to-bar@users.noreply.github.com> Date: Fri, 11 Dec 2020 16:51:46 +0100 Subject: [PATCH] Fix ownership of preflight_facts.yml (#1902) * Fix ownership of preflight_facts.yml or print instruction * Update changelog --- CHANGELOG-0.9.md | 1 + .../roles/preflight_facts/defaults/main.yml | 2 ++ .../tasks/fix-facts-file-ownership.yml | 26 ++++++++++++++++ .../roles/preflight_facts/tasks/main.yml | 2 +- .../roles/preflight_facts/tasks/store.yml | 31 ++++++++++++++++++- 5 files changed, 60 insertions(+), 2 deletions(-) create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/defaults/main.yml create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/fix-facts-file-ownership.yml diff --git a/CHANGELOG-0.9.md b/CHANGELOG-0.9.md index 5224a6fe94..4db7fb96f0 100644 --- a/CHANGELOG-0.9.md +++ b/CHANGELOG-0.9.md @@ -20,6 +20,7 @@ - [#1834](https://github.com/epiphany-platform/epiphany/issues/1834) - Kafka - Disable debug logging and make this option configurable - [#1888](https://github.com/epiphany-platform/epiphany/issues/1888) - epicli upgrade of cluster created by Epiphany v0.5 may fail - [#1884](https://github.com/epiphany-platform/epiphany/issues/1884) - Prometheus is not able to scrape metrics from AKS/EKS nodes +- [#1887](https://github.com/epiphany-platform/epiphany/issues/1887) - epicli upgrade of cluster created by Epiphany v0.6 fails on "Store preflight facts" task ### Updated diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/defaults/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/defaults/main.yml new file mode 100644 index 0000000000..9b54773275 --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/defaults/main.yml @@ -0,0 +1,2 @@ +--- +facts_file_path: "{{ vault_location }}/../preflight_facts.yml" 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/fix-facts-file-ownership.yml b/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/fix-facts-file-ownership.yml new file mode 100644 index 0000000000..28b8cdbc68 --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/fix-facts-file-ownership.yml @@ -0,0 +1,26 @@ +--- +- name: Handle permission issue when preflight_facts.yml is owned by root (or unexpected user) + delegate_to: localhost + run_once: true + become: false + block: + - name: Try to change ownership of preflight_facts.yml file + become: true + file: + path: "{{ facts_file_path }}" + owner: "{{ current_local_user }}" + register: chown_result + failed_when: + - chown_result.rc is defined + - chown_result.rc != 0 + - not 'password is required' in chown_result.module_stderr + + - name: Fail with instruction what to do + fail: + msg: >- + The '{{ current_local_user }}' user has no permission to run sudo without a password. + Run the following command manually, then rerun epicli: + sudo chown {{ current_local_user }} {{ facts_file_path }} + when: + - chown_result.module_stderr is defined + - "'password is required' in chown_result.module_stderr" diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/main.yml index 927e11a7be..c95eced697 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/main.yml @@ -2,4 +2,4 @@ # This role is designed to be called as meta-dependency. - name: Load preflight facts - include_vars: "{{ vault_location }}/../preflight_facts.yml" + include_vars: "{{ facts_file_path }}" 
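Review bot: In fix-facts-file-ownership.yml the `file` task runs under `become: true` with only `path` and `owner` set, so it relies on the module's default of following symlinks, and a root-level chown would land on whatever the path resolves to. Adding `follow: false` keeps the privileged change on preflight_facts.yml itself. Separately, `failed_when` requires `chown_result.rc is defined`, so a module failure that returns no `rc` appears to be reported as ok, and its third condition reads `module_stderr` without the `is defined` guard that the following "Fail with instruction" task uses. Something like `failed_when: chown_result is failed and 'password is required' not in (chown_result.module_stderr | default(''))` would cover both. The match on the English text 'password is required' presumably depends on sudo's locale and the become method, which deserves a one-line comment next to the condition.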
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/store.yml b/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/store.yml index 54bf79a940..6e3bb72aeb 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/store.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/store.yml @@ -1,12 +1,41 @@ --- - include_tasks: kubernetes.yml +# When upgrading cluster created by Epiphany v0.6, the preflight_facts.yml may exist and be owned by root. +- name: Check if owner of preflight_facts.yml has to be changed + delegate_to: localhost + become: false + run_once: true + block: + - name: Get properties of preflight_facts.yml file + stat: + path: "{{ facts_file_path }}" + get_attributes: false + get_checksum: false + get_mime: false + register: stat_facts_file + + - name: Get local user + command: whoami + register: command_whoami + changed_when: false + when: stat_facts_file.stat.exists + +- include_tasks: fix-facts-file-ownership.yml + run_once: true + vars: + current_local_user: "{{ command_whoami.stdout }}" + when: + - stat_facts_file.stat.pw_name is defined + - stat_facts_file.stat.pw_name != current_local_user + - stat_facts_file.stat.mode != '0640' or not stat_facts_file.stat.writeable + - name: Store preflight facts delegate_to: localhost become: false run_once: true copy: - dest: "{{ vault_location }}/../preflight_facts.yml" + dest: "{{ facts_file_path }}" mode: u=rw,g=r,o= content: | # This file is managed by ansible. >>> DO NOT EDIT! <<<
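Review bot: The three-part `when` on the `include_tasks: fix-facts-file-ownership.yml` step in store.yml needs a comment, because it is not obvious why mode and writability gate an ownership fix. For example: `# Skip chown when the file is missing, already owned by the local user, or has mode 0640 and is still writable`. Because the first condition is `stat_facts_file.stat.pw_name is defined`, a file whose owning uid has no passwd entry would presumably also skip the fix and only fail later in "Store preflight facts"; comparing `stat_facts_file.stat.uid` instead would avoid that if the case matters. The "Store preflight facts" task continues past the end of this hunk.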