1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
community.general/plugins/lookup/onepassword_raw.py

115 lines
4.7 KiB
Python
Raw Normal View History

2020-03-09 10:11:07 +01:00
# -*- coding: utf-8 -*-
# Copyright (c) 2018, Scott Buchanan <sbuchanan@ri.pn>
# Copyright (c) 2016, Andrew Zenk <azenk@umn.edu> (lastpass.py used as starting point)
# Copyright (c) 2018, Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
2020-03-09 10:11:07 +01:00
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
DOCUMENTATION = '''
2021-01-12 07:12:03 +01:00
name: onepassword_raw
2020-03-09 10:11:07 +01:00
author:
- Scott Buchanan (@scottsb)
- Andrew Zenk (@azenk)
- Sam Doran (@samdoran)
requirements:
- C(op) 1Password command line utility. See U(https://support.1password.com/command-line/)
short_description: fetch an entire item from 1Password
description:
- P(community.general.onepassword_raw#lookup) wraps C(op) command line utility to fetch an entire item from 1Password.
2020-03-09 10:11:07 +01:00
options:
_terms:
description: identifier(s) (UUID, name, or domain; case-insensitive) of item(s) to retrieve.
2022-09-06 20:42:17 +02:00
required: true
2020-03-09 10:11:07 +01:00
master_password:
description: The password used to unlock the specified vault.
aliases: ['vault_password']
section:
description: Item section containing the field to retrieve (case-insensitive). If absent will return first match from any section.
subdomain:
description: The 1Password subdomain to authenticate against.
domain:
description: Domain of 1Password.
version_added: 6.0.0
default: '1password.com'
type: str
account_id:
description: The account ID to target.
type: str
version_added: 7.5.0
2020-03-09 10:11:07 +01:00
username:
description: The username used to sign in.
secret_key:
description: The secret key used when performing an initial sign in.
[PR #6660/473e557c backport][stable-7] Onepassword lookup add service accounts (#6710) Onepassword lookup add service accounts (#6660) * add service account token and bypass required fields when service account token is set * add token to base class * add Info * add service_account_token * add service_account_token * add documentation * add service_account_token * fix E111: indentation is not a multiple of 4 * fix lint problems * Update plugins/lookup/onepassword_raw.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/onepassword_info.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/onepassword.py Co-authored-by: Felix Fontein <felix@fontein.de> * add changelog fragment * change type service_account_token to align to domain option * add fragment value * Update changelogs/fragments/6660-onepassword-lookup-service-account.yaml Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/onepassword.py Co-authored-by: Felix Fontein <felix@fontein.de> * remove service_account_token from onepassword_info.py * adjust V1 to raise error if service_account_token is set * adjust V1 to raise error if service_account_token is set * adjust V1 to raise error if service_account_token is set * adjust if assert_logged_in * Update plugins/lookup/onepassword.py Co-authored-by: Sam Doran <github@samdoran.com> * Update plugins/lookup/onepassword.py Co-authored-by: Sam Doran <github@samdoran.com> * remove double return * remove new line * remove new line * remove new line * remove spaces * remove new line * remove spaces * Update plugins/lookup/onepassword_raw.py Co-authored-by: Felix Fontein <felix@fontein.de> * add _check_required_params * Update plugins/lookup/onepassword.py Co-authored-by: Sam Doran <github@samdoran.com> * Update plugins/lookup/onepassword.py Co-authored-by: Sam Doran <github@samdoran.com> * remove _check_required_params * remove spaces * Update plugins/lookup/onepassword.py Co-authored-by: Sam Doran <github@samdoran.com> * remove code --------- Co-authored-by: Jan Sagurna <jan.sagurna@sag-solutions.com> Co-authored-by: Jan Sagurna <58932831+jansagurna@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Sam Doran <github@samdoran.com> (cherry picked from commit 473e557c2f31425495fa5deed514835bdc508315) Co-authored-by: Dominik Haßelkuss <Domi-cc@users.noreply.github.com>
2023-06-15 20:38:19 +02:00
service_account_token:
description:
- The access key for a service account.
- Only works with 1Password CLI version 2 or later.
type: string
version_added: 7.1.0
2020-03-09 10:11:07 +01:00
vault:
description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.
notes:
- This lookup will use an existing 1Password session if one exists. If not, and you have already
performed an initial sign in (meaning C(~/.op/config exists)), then only the O(master_password) is required.
You may optionally specify O(subdomain) in this scenario, otherwise the last used subdomain will be used by C(op).
- This lookup can perform an initial login by providing O(subdomain), O(username), O(secret_key), and O(master_password).
- Can target a specific account by providing the O(account_id).
2020-03-09 10:11:07 +01:00
- Due to the B(very) sensitive nature of these credentials, it is B(highly) recommended that you only pass in the minimal credentials
needed at any given time. Also, store these credentials in an Ansible Vault using a key that is equal to or greater in strength
to the 1Password master password.
- This lookup stores potentially sensitive data from 1Password as Ansible facts.
Facts are subject to caching if enabled, which means this data could be stored in clear text
on disk or in a database.
onepassword - Support v2 (#4728) * Begin building out separate classes to support different op cli versions Create separet base classes for each major version. Define the main interface in the base class. Create methods for getting the current version and instantiating the appropriate class based on the found version. * First pass at mostly working CLI version classes * Correct mismathched parameters * Update _run() method to allow updating enviroment This allows passing in the app secret as an env var, which is more secure than using a command line arg. * Continuing to improve the interface * Tear existing tests down to the studs These tests were based off of the LastPass unit tests. I’m going to just start from scratch given the new plugin code is vastly diffenent. * Fix sanity test * CLI config file path can be None * Improve required param checking - only report missing params - use proper grammer based on number of missing params * Change assert_logged_in() method return value Return a boolean value indicating whether or not account is signed in * Improve full login for v2 Have to do a bit of a dance to avoid hitting the interactive prompt if there are no accounts configured. * Remove unused methods * Add some tests * Fix linting errors * Move fixtures to separate file * Restructure mock test data and add more tests * Add boilerplate * Add test scenario for op v2 and increase coverage * Fix up copyright statements * Test v1 and v2 in all cases * Use a more descriptive variable name * Use docstrings rather than pass in abstract class This adds coverage to abstract methods with the least amount of hackery. * Increase test coverage for CLI classes * Sort test parameters to avoid collection errors * Update version tested in docs * Revere test parameter sorting for now The parameters need to be sorted to avoid the issue in older Python versions in CI, but I’m having trouble working out how to do that currently. * Allow passing kwargs to the lookup module under test * Favor label over id for v2 when looking for values Add tests * Display a warning for section on op v2 or greater There is no “value” in section fields. If we wanted to support sections in v2, we would also have to allow specifying the field name in order to override “value”. * Move test cases to their own file Getting a bit unwieldy having it in the test file * Move output into JSON files fore easier reuse * Switch to using get_options() * Add licenses for fixture files * Use get_option() since get_options() was added in Ansible Core 2.12 * Rearrange fixtures * Add changelog * Move common classes to module_utils * Move common classes back to lookup The plugin relies on AnsibleLookupError() quite a bit which is not available in module code. Remove use of display for errors since section isn’t actually deprecated. * Properly handle sections Still room for improvement, but this is at least a start. * Remove some comments that won’t be addressed * Make test gathering more deterministic to avoid failures * Update changelog fragment * Simple fix for making tests reliable
2022-11-06 11:32:35 +01:00
- Tested with C(op) version 2.7.0
2020-03-09 10:11:07 +01:00
'''
EXAMPLES = """
- name: Retrieve all data about Wintermute
ansible.builtin.debug:
var: lookup('community.general.onepassword_raw', 'Wintermute')
2020-03-09 10:11:07 +01:00
- name: Retrieve all data about Wintermute when not signed in to 1Password
ansible.builtin.debug:
var: lookup('community.general.onepassword_raw', 'Wintermute', subdomain='Turing', vault_password='DmbslfLvasjdl')
2020-03-09 10:11:07 +01:00
"""
RETURN = """
_raw:
description: field data requested
type: list
elements: dict
2020-03-09 10:11:07 +01:00
"""
import json
from ansible_collections.community.general.plugins.lookup.onepassword import OnePass
from ansible.plugins.lookup import LookupBase
class LookupModule(LookupBase):
def run(self, terms, variables=None, **kwargs):
onepassword - Support v2 (#4728) * Begin building out separate classes to support different op cli versions Create separet base classes for each major version. Define the main interface in the base class. Create methods for getting the current version and instantiating the appropriate class based on the found version. * First pass at mostly working CLI version classes * Correct mismathched parameters * Update _run() method to allow updating enviroment This allows passing in the app secret as an env var, which is more secure than using a command line arg. * Continuing to improve the interface * Tear existing tests down to the studs These tests were based off of the LastPass unit tests. I’m going to just start from scratch given the new plugin code is vastly diffenent. * Fix sanity test * CLI config file path can be None * Improve required param checking - only report missing params - use proper grammer based on number of missing params * Change assert_logged_in() method return value Return a boolean value indicating whether or not account is signed in * Improve full login for v2 Have to do a bit of a dance to avoid hitting the interactive prompt if there are no accounts configured. * Remove unused methods * Add some tests * Fix linting errors * Move fixtures to separate file * Restructure mock test data and add more tests * Add boilerplate * Add test scenario for op v2 and increase coverage * Fix up copyright statements * Test v1 and v2 in all cases * Use a more descriptive variable name * Use docstrings rather than pass in abstract class This adds coverage to abstract methods with the least amount of hackery. * Increase test coverage for CLI classes * Sort test parameters to avoid collection errors * Update version tested in docs * Revere test parameter sorting for now The parameters need to be sorted to avoid the issue in older Python versions in CI, but I’m having trouble working out how to do that currently. * Allow passing kwargs to the lookup module under test * Favor label over id for v2 when looking for values Add tests * Display a warning for section on op v2 or greater There is no “value” in section fields. If we wanted to support sections in v2, we would also have to allow specifying the field name in order to override “value”. * Move test cases to their own file Getting a bit unwieldy having it in the test file * Move output into JSON files fore easier reuse * Switch to using get_options() * Add licenses for fixture files * Use get_option() since get_options() was added in Ansible Core 2.12 * Rearrange fixtures * Add changelog * Move common classes to module_utils * Move common classes back to lookup The plugin relies on AnsibleLookupError() quite a bit which is not available in module code. Remove use of display for errors since section isn’t actually deprecated. * Properly handle sections Still room for improvement, but this is at least a start. * Remove some comments that won’t be addressed * Make test gathering more deterministic to avoid failures * Update changelog fragment * Simple fix for making tests reliable
2022-11-06 11:32:35 +01:00
self.set_options(var_options=variables, direct=kwargs)
2020-03-09 10:11:07 +01:00
onepassword - Support v2 (#4728) * Begin building out separate classes to support different op cli versions Create separet base classes for each major version. Define the main interface in the base class. Create methods for getting the current version and instantiating the appropriate class based on the found version. * First pass at mostly working CLI version classes * Correct mismathched parameters * Update _run() method to allow updating enviroment This allows passing in the app secret as an env var, which is more secure than using a command line arg. * Continuing to improve the interface * Tear existing tests down to the studs These tests were based off of the LastPass unit tests. I’m going to just start from scratch given the new plugin code is vastly diffenent. * Fix sanity test * CLI config file path can be None * Improve required param checking - only report missing params - use proper grammer based on number of missing params * Change assert_logged_in() method return value Return a boolean value indicating whether or not account is signed in * Improve full login for v2 Have to do a bit of a dance to avoid hitting the interactive prompt if there are no accounts configured. * Remove unused methods * Add some tests * Fix linting errors * Move fixtures to separate file * Restructure mock test data and add more tests * Add boilerplate * Add test scenario for op v2 and increase coverage * Fix up copyright statements * Test v1 and v2 in all cases * Use a more descriptive variable name * Use docstrings rather than pass in abstract class This adds coverage to abstract methods with the least amount of hackery. * Increase test coverage for CLI classes * Sort test parameters to avoid collection errors * Update version tested in docs * Revere test parameter sorting for now The parameters need to be sorted to avoid the issue in older Python versions in CI, but I’m having trouble working out how to do that currently. * Allow passing kwargs to the lookup module under test * Favor label over id for v2 when looking for values Add tests * Display a warning for section on op v2 or greater There is no “value” in section fields. If we wanted to support sections in v2, we would also have to allow specifying the field name in order to override “value”. * Move test cases to their own file Getting a bit unwieldy having it in the test file * Move output into JSON files fore easier reuse * Switch to using get_options() * Add licenses for fixture files * Use get_option() since get_options() was added in Ansible Core 2.12 * Rearrange fixtures * Add changelog * Move common classes to module_utils * Move common classes back to lookup The plugin relies on AnsibleLookupError() quite a bit which is not available in module code. Remove use of display for errors since section isn’t actually deprecated. * Properly handle sections Still room for improvement, but this is at least a start. * Remove some comments that won’t be addressed * Make test gathering more deterministic to avoid failures * Update changelog fragment * Simple fix for making tests reliable
2022-11-06 11:32:35 +01:00
vault = self.get_option("vault")
subdomain = self.get_option("subdomain")
domain = self.get_option("domain", "1password.com")
username = self.get_option("username")
secret_key = self.get_option("secret_key")
master_password = self.get_option("master_password")
[PR #6660/473e557c backport][stable-7] Onepassword lookup add service accounts (#6710) Onepassword lookup add service accounts (#6660) * add service account token and bypass required fields when service account token is set * add token to base class * add Info * add service_account_token * add service_account_token * add documentation * add service_account_token * fix E111: indentation is not a multiple of 4 * fix lint problems * Update plugins/lookup/onepassword_raw.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/onepassword_info.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/onepassword.py Co-authored-by: Felix Fontein <felix@fontein.de> * add changelog fragment * change type service_account_token to align to domain option * add fragment value * Update changelogs/fragments/6660-onepassword-lookup-service-account.yaml Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/onepassword.py Co-authored-by: Felix Fontein <felix@fontein.de> * remove service_account_token from onepassword_info.py * adjust V1 to raise error if service_account_token is set * adjust V1 to raise error if service_account_token is set * adjust V1 to raise error if service_account_token is set * adjust if assert_logged_in * Update plugins/lookup/onepassword.py Co-authored-by: Sam Doran <github@samdoran.com> * Update plugins/lookup/onepassword.py Co-authored-by: Sam Doran <github@samdoran.com> * remove double return * remove new line * remove new line * remove new line * remove spaces * remove new line * remove spaces * Update plugins/lookup/onepassword_raw.py Co-authored-by: Felix Fontein <felix@fontein.de> * add _check_required_params * Update plugins/lookup/onepassword.py Co-authored-by: Sam Doran <github@samdoran.com> * Update plugins/lookup/onepassword.py Co-authored-by: Sam Doran <github@samdoran.com> * remove _check_required_params * remove spaces * Update plugins/lookup/onepassword.py Co-authored-by: Sam Doran <github@samdoran.com> * remove code --------- Co-authored-by: Jan Sagurna <jan.sagurna@sag-solutions.com> Co-authored-by: Jan Sagurna <58932831+jansagurna@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Sam Doran <github@samdoran.com> (cherry picked from commit 473e557c2f31425495fa5deed514835bdc508315) Co-authored-by: Dominik Haßelkuss <Domi-cc@users.noreply.github.com>
2023-06-15 20:38:19 +02:00
service_account_token = self.get_option("service_account_token")
account_id = self.get_option("account_id")
2020-03-09 10:11:07 +01:00
op = OnePass(subdomain, domain, username, secret_key, master_password, service_account_token, account_id)
2020-03-09 10:11:07 +01:00
op.assert_logged_in()
values = []
for term in terms:
data = json.loads(op.get_raw(term, vault))
values.append(data)
onepassword - Support v2 (#4728) * Begin building out separate classes to support different op cli versions Create separet base classes for each major version. Define the main interface in the base class. Create methods for getting the current version and instantiating the appropriate class based on the found version. * First pass at mostly working CLI version classes * Correct mismathched parameters * Update _run() method to allow updating enviroment This allows passing in the app secret as an env var, which is more secure than using a command line arg. * Continuing to improve the interface * Tear existing tests down to the studs These tests were based off of the LastPass unit tests. I’m going to just start from scratch given the new plugin code is vastly diffenent. * Fix sanity test * CLI config file path can be None * Improve required param checking - only report missing params - use proper grammer based on number of missing params * Change assert_logged_in() method return value Return a boolean value indicating whether or not account is signed in * Improve full login for v2 Have to do a bit of a dance to avoid hitting the interactive prompt if there are no accounts configured. * Remove unused methods * Add some tests * Fix linting errors * Move fixtures to separate file * Restructure mock test data and add more tests * Add boilerplate * Add test scenario for op v2 and increase coverage * Fix up copyright statements * Test v1 and v2 in all cases * Use a more descriptive variable name * Use docstrings rather than pass in abstract class This adds coverage to abstract methods with the least amount of hackery. * Increase test coverage for CLI classes * Sort test parameters to avoid collection errors * Update version tested in docs * Revere test parameter sorting for now The parameters need to be sorted to avoid the issue in older Python versions in CI, but I’m having trouble working out how to do that currently. * Allow passing kwargs to the lookup module under test * Favor label over id for v2 when looking for values Add tests * Display a warning for section on op v2 or greater There is no “value” in section fields. If we wanted to support sections in v2, we would also have to allow specifying the field name in order to override “value”. * Move test cases to their own file Getting a bit unwieldy having it in the test file * Move output into JSON files fore easier reuse * Switch to using get_options() * Add licenses for fixture files * Use get_option() since get_options() was added in Ansible Core 2.12 * Rearrange fixtures * Add changelog * Move common classes to module_utils * Move common classes back to lookup The plugin relies on AnsibleLookupError() quite a bit which is not available in module code. Remove use of display for errors since section isn’t actually deprecated. * Properly handle sections Still room for improvement, but this is at least a start. * Remove some comments that won’t be addressed * Make test gathering more deterministic to avoid failures * Update changelog fragment * Simple fix for making tests reliable
2022-11-06 11:32:35 +01:00
2020-03-09 10:11:07 +01:00
return values