2022-08-01 10:00:05 +02:00
|
|
|
# -*- coding: utf-8 -*-
|
2022-08-05 22:12:10 +02:00
|
|
|
# Copyright (c) 2022, Jonathan Lung <lungj@heresjono.com>
|
2022-08-05 12:28:29 +02:00
|
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
2022-08-01 10:00:05 +02:00
|
|
|
from __future__ import (absolute_import, division, print_function)
|
|
|
|
__metaclass__ = type
|
|
|
|
|
|
|
|
DOCUMENTATION = """
|
|
|
|
name: bitwarden
|
|
|
|
author:
|
|
|
|
- Jonathan Lung (@lungj) <lungj@heresjono.com>
|
|
|
|
requirements:
|
|
|
|
- bw (command line utility)
|
|
|
|
- be logged into bitwarden
|
2023-06-05 21:18:12 +02:00
|
|
|
- bitwarden vault unlocked
|
2023-06-15 09:29:30 +02:00
|
|
|
- E(BW_SESSION) environment variable set
|
2022-08-01 10:00:05 +02:00
|
|
|
short_description: Retrieve secrets from Bitwarden
|
|
|
|
version_added: 5.4.0
|
|
|
|
description:
|
|
|
|
- Retrieve secrets from Bitwarden.
|
|
|
|
options:
|
|
|
|
_terms:
|
|
|
|
description: Key(s) to fetch values for from login info.
|
|
|
|
required: true
|
|
|
|
type: list
|
|
|
|
elements: str
|
2022-10-01 18:19:39 +02:00
|
|
|
search:
|
2023-12-22 19:32:19 +01:00
|
|
|
description:
|
|
|
|
- Field to retrieve, for example V(name) or V(id).
|
|
|
|
- If set to V(id), only zero or one element can be returned.
|
|
|
|
Use the Jinja C(first) filter to get the only list element.
|
2024-04-20 12:12:45 +02:00
|
|
|
- If set to V(None) or V(''), or if O(_terms) is empty, records are not filtered by fields.
|
2022-10-01 18:19:39 +02:00
|
|
|
type: str
|
|
|
|
default: name
|
|
|
|
version_added: 5.7.0
|
2022-08-01 10:00:05 +02:00
|
|
|
field:
|
2023-01-28 11:28:18 +01:00
|
|
|
description: Field to fetch. Leave unset to fetch whole response.
|
2022-08-01 10:00:05 +02:00
|
|
|
type: str
|
2023-01-28 11:28:18 +01:00
|
|
|
collection_id:
|
|
|
|
description: Collection ID to filter results by collection. Leave unset to skip filtering.
|
|
|
|
type: str
|
|
|
|
version_added: 6.3.0
|
2024-04-20 12:12:45 +02:00
|
|
|
organization_id:
|
|
|
|
description: Organization ID to filter results by organization. Leave unset to skip filtering.
|
|
|
|
type: str
|
|
|
|
version_added: 8.5.0
|
2024-02-25 19:44:37 +01:00
|
|
|
bw_session:
|
|
|
|
description: Pass session key instead of reading from env.
|
|
|
|
type: str
|
|
|
|
version_added: 8.4.0
|
2022-08-01 10:00:05 +02:00
|
|
|
"""
|
|
|
|
|
|
|
|
EXAMPLES = """
|
2023-12-22 19:32:19 +01:00
|
|
|
- name: "Get 'password' from all Bitwarden records named 'a_test'"
|
2022-08-01 10:00:05 +02:00
|
|
|
ansible.builtin.debug:
|
|
|
|
msg: >-
|
|
|
|
{{ lookup('community.general.bitwarden', 'a_test', field='password') }}
|
|
|
|
|
2023-12-22 19:32:19 +01:00
|
|
|
- name: "Get 'password' from Bitwarden record with ID 'bafba515-af11-47e6-abe3-af1200cd18b2'"
|
2022-10-01 18:19:39 +02:00
|
|
|
ansible.builtin.debug:
|
|
|
|
msg: >-
|
2023-12-22 19:32:19 +01:00
|
|
|
{{ lookup('community.general.bitwarden', 'bafba515-af11-47e6-abe3-af1200cd18b2', search='id', field='password') | first }}
|
2022-10-01 18:19:39 +02:00
|
|
|
|
2023-12-22 19:32:19 +01:00
|
|
|
- name: "Get 'password' from all Bitwarden records named 'a_test' from collection"
|
2023-01-28 11:28:18 +01:00
|
|
|
ansible.builtin.debug:
|
|
|
|
msg: >-
|
|
|
|
{{ lookup('community.general.bitwarden', 'a_test', field='password', collection_id='bafba515-af11-47e6-abe3-af1200cd18b2') }}
|
|
|
|
|
2023-12-22 19:32:19 +01:00
|
|
|
- name: "Get list of all full Bitwarden records named 'a_test'"
|
2022-08-01 10:00:05 +02:00
|
|
|
ansible.builtin.debug:
|
|
|
|
msg: >-
|
|
|
|
{{ lookup('community.general.bitwarden', 'a_test') }}
|
2023-01-07 10:28:05 +01:00
|
|
|
|
2023-12-22 19:32:19 +01:00
|
|
|
- name: "Get custom field 'api_key' from all Bitwarden records named 'a_test'"
|
2023-01-07 10:28:05 +01:00
|
|
|
ansible.builtin.debug:
|
|
|
|
msg: >-
|
|
|
|
{{ lookup('community.general.bitwarden', 'a_test', field='api_key') }}
|
2024-02-25 19:44:37 +01:00
|
|
|
|
|
|
|
- name: "Get 'password' from all Bitwarden records named 'a_test', using given session key"
|
|
|
|
ansible.builtin.debug:
|
|
|
|
msg: >-
|
|
|
|
{{ lookup('community.general.bitwarden', 'a_test', field='password', bw_session='bXZ9B5TXi6...') }}
|
2024-03-24 18:04:36 +01:00
|
|
|
|
|
|
|
- name: "Get all Bitwarden records from collection"
|
|
|
|
ansible.builtin.debug:
|
|
|
|
msg: >-
|
|
|
|
{{ lookup('community.general.bitwarden', None, collection_id='bafba515-af11-47e6-abe3-af1200cd18b2') }}
|
2022-08-01 10:00:05 +02:00
|
|
|
"""
|
|
|
|
|
|
|
|
RETURN = """
|
|
|
|
_raw:
|
2023-12-22 19:32:19 +01:00
|
|
|
description:
|
|
|
|
- A one-element list that contains a list of requested fields or JSON objects of matches.
|
|
|
|
- If you use C(query), you get a list of lists. If you use C(lookup) without C(wantlist=true),
|
|
|
|
this always gets reduced to a list of field values or JSON objects.
|
2022-08-01 10:00:05 +02:00
|
|
|
type: list
|
2023-12-22 19:32:19 +01:00
|
|
|
elements: list
|
2022-08-01 10:00:05 +02:00
|
|
|
"""
|
|
|
|
|
|
|
|
from subprocess import Popen, PIPE
|
|
|
|
|
|
|
|
from ansible.errors import AnsibleError
|
|
|
|
from ansible.module_utils.common.text.converters import to_bytes, to_text
|
|
|
|
from ansible.parsing.ajson import AnsibleJSONDecoder
|
|
|
|
from ansible.plugins.lookup import LookupBase
|
|
|
|
|
|
|
|
|
|
|
|
class BitwardenException(AnsibleError):
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
class Bitwarden(object):
|
|
|
|
|
|
|
|
def __init__(self, path='bw'):
|
|
|
|
self._cli_path = path
|
2024-02-25 19:44:37 +01:00
|
|
|
self._session = None
|
2022-08-01 10:00:05 +02:00
|
|
|
|
|
|
|
@property
|
|
|
|
def cli_path(self):
|
|
|
|
return self._cli_path
|
|
|
|
|
2024-02-25 19:44:37 +01:00
|
|
|
@property
|
|
|
|
def session(self):
|
|
|
|
return self._session
|
|
|
|
|
|
|
|
@session.setter
|
|
|
|
def session(self, value):
|
|
|
|
self._session = value
|
|
|
|
|
2022-08-01 10:00:05 +02:00
|
|
|
@property
|
2023-01-22 17:29:11 +01:00
|
|
|
def unlocked(self):
|
2022-08-01 10:00:05 +02:00
|
|
|
out, err = self._run(['status'], stdin="")
|
|
|
|
decoded = AnsibleJSONDecoder().raw_decode(out)[0]
|
|
|
|
return decoded['status'] == 'unlocked'
|
|
|
|
|
|
|
|
def _run(self, args, stdin=None, expected_rc=0):
|
2024-02-25 19:44:37 +01:00
|
|
|
if self.session:
|
|
|
|
args += ['--session', self.session]
|
|
|
|
|
2022-08-01 10:00:05 +02:00
|
|
|
p = Popen([self.cli_path] + args, stdout=PIPE, stderr=PIPE, stdin=PIPE)
|
|
|
|
out, err = p.communicate(to_bytes(stdin))
|
|
|
|
rc = p.wait()
|
|
|
|
if rc != expected_rc:
|
2023-11-11 12:04:53 +01:00
|
|
|
if len(args) > 2 and args[0] == 'get' and args[1] == 'item' and b'Not found.' in err:
|
|
|
|
return 'null', ''
|
2022-08-01 10:00:05 +02:00
|
|
|
raise BitwardenException(err)
|
|
|
|
return to_text(out, errors='surrogate_or_strict'), to_text(err, errors='surrogate_or_strict')
|
|
|
|
|
2024-04-20 12:12:45 +02:00
|
|
|
def _get_matches(self, search_value, search_field, collection_id=None, organization_id=None):
|
2022-08-01 10:00:05 +02:00
|
|
|
"""Return matching records whose search_field is equal to key.
|
|
|
|
"""
|
2023-01-28 11:28:18 +01:00
|
|
|
|
|
|
|
# Prepare set of params for Bitwarden CLI
|
2024-04-20 12:12:45 +02:00
|
|
|
if search_field == 'id':
|
|
|
|
params = ['get', 'item', search_value]
|
2023-11-11 12:04:53 +01:00
|
|
|
else:
|
2024-04-20 12:12:45 +02:00
|
|
|
params = ['list', 'items']
|
|
|
|
if search_value:
|
|
|
|
params.extend(['--search', search_value])
|
2023-01-28 11:28:18 +01:00
|
|
|
|
2024-04-20 12:12:45 +02:00
|
|
|
if collection_id:
|
|
|
|
params.extend(['--collectionid', collection_id])
|
|
|
|
if organization_id:
|
|
|
|
params.extend(['--organizationid', organization_id])
|
2023-01-28 11:28:18 +01:00
|
|
|
|
|
|
|
out, err = self._run(params)
|
2022-08-01 10:00:05 +02:00
|
|
|
|
|
|
|
# This includes things that matched in different fields.
|
|
|
|
initial_matches = AnsibleJSONDecoder().raw_decode(out)[0]
|
2024-03-24 18:04:36 +01:00
|
|
|
|
2024-04-20 12:12:45 +02:00
|
|
|
if search_field == 'id':
|
2023-11-11 12:04:53 +01:00
|
|
|
if initial_matches is None:
|
|
|
|
initial_matches = []
|
|
|
|
else:
|
|
|
|
initial_matches = [initial_matches]
|
2024-03-24 18:04:36 +01:00
|
|
|
|
2024-06-27 12:19:35 +02:00
|
|
|
# Filter to only include results from the right field, if a search is requested by value or field
|
|
|
|
return [item for item in initial_matches
|
|
|
|
if not search_value or not search_field or item.get(search_field) == search_value]
|
2022-08-01 10:00:05 +02:00
|
|
|
|
2024-04-20 12:12:45 +02:00
|
|
|
def get_field(self, field, search_value, search_field="name", collection_id=None, organization_id=None):
|
2023-01-28 11:28:18 +01:00
|
|
|
"""Return a list of the specified field for records whose search_field match search_value
|
|
|
|
and filtered by collection if collection has been provided.
|
2022-08-01 10:00:05 +02:00
|
|
|
|
|
|
|
If field is None, return the whole record for each match.
|
|
|
|
"""
|
2024-04-20 12:12:45 +02:00
|
|
|
matches = self._get_matches(search_value, search_field, collection_id, organization_id)
|
2023-08-11 13:22:26 +02:00
|
|
|
if not field:
|
2023-01-07 10:28:05 +01:00
|
|
|
return matches
|
2023-08-11 13:22:26 +02:00
|
|
|
field_matches = []
|
|
|
|
for match in matches:
|
|
|
|
# if there are no custom fields, then `match` has no key 'fields'
|
|
|
|
if 'fields' in match:
|
|
|
|
custom_field_found = False
|
2023-01-07 10:28:05 +01:00
|
|
|
for custom_field in match['fields']:
|
2023-08-11 13:22:26 +02:00
|
|
|
if field == custom_field['name']:
|
|
|
|
field_matches.append(custom_field['value'])
|
|
|
|
custom_field_found = True
|
|
|
|
break
|
|
|
|
if custom_field_found:
|
|
|
|
continue
|
|
|
|
if 'login' in match and field in match['login']:
|
|
|
|
field_matches.append(match['login'][field])
|
|
|
|
continue
|
|
|
|
if field in match:
|
|
|
|
field_matches.append(match[field])
|
|
|
|
continue
|
2024-03-24 18:04:36 +01:00
|
|
|
|
2023-08-11 13:22:26 +02:00
|
|
|
if matches and not field_matches:
|
|
|
|
raise AnsibleError("field {field} does not exist in {search_value}".format(field=field, search_value=search_value))
|
2024-03-24 18:04:36 +01:00
|
|
|
|
2023-08-11 13:22:26 +02:00
|
|
|
return field_matches
|
2022-08-01 10:00:05 +02:00
|
|
|
|
|
|
|
|
|
|
|
class LookupModule(LookupBase):
|
|
|
|
|
2024-03-24 18:04:36 +01:00
|
|
|
def run(self, terms=None, variables=None, **kwargs):
|
2022-08-01 10:00:05 +02:00
|
|
|
self.set_options(var_options=variables, direct=kwargs)
|
|
|
|
field = self.get_option('field')
|
2022-10-01 18:19:39 +02:00
|
|
|
search_field = self.get_option('search')
|
2023-01-28 11:28:18 +01:00
|
|
|
collection_id = self.get_option('collection_id')
|
2024-04-20 12:12:45 +02:00
|
|
|
organization_id = self.get_option('organization_id')
|
2024-02-25 19:44:37 +01:00
|
|
|
_bitwarden.session = self.get_option('bw_session')
|
|
|
|
|
2023-01-22 17:29:11 +01:00
|
|
|
if not _bitwarden.unlocked:
|
|
|
|
raise AnsibleError("Bitwarden Vault locked. Run 'bw unlock'.")
|
2022-08-01 10:00:05 +02:00
|
|
|
|
2024-03-24 18:04:36 +01:00
|
|
|
if not terms:
|
2024-04-20 12:12:45 +02:00
|
|
|
terms = [None]
|
2024-03-24 18:04:36 +01:00
|
|
|
|
2024-04-20 12:12:45 +02:00
|
|
|
return [_bitwarden.get_field(field, term, search_field, collection_id, organization_id) for term in terms]
|
2022-08-01 10:00:05 +02:00
|
|
|
|
|
|
|
|
|
|
|
_bitwarden = Bitwarden()
|