1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

tss lookup plugin - Fetch secret by path (#6881)

* Added support to fetch secret by path

* Fixed linting issue

* Fixed PR comments

* Chnaged description of secret path
This commit is contained in:
delinea-sagar 2023-07-14 13:43:14 -04:00 committed by GitHub
parent 4b382ed1df
commit 3e56da5371
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 58 additions and 18 deletions

View file

@ -0,0 +1,2 @@
minor_changes:
- tss lookup plugin - allow to fetch secret by path. Previously, we could not fetch secret by path but now use ``secret_path`` option to indicate to fetch secret by secret path (https://github.com/ansible-collections/community.general/pull/6881).

View file

@ -26,6 +26,11 @@ options:
description: The integer ID of the secret.
required: true
type: int
secret_path:
description: Indicate a full path of secret including folder and secret name when the secret ID is set to 0.
required: false
type: str
version_added: 7.2.0
fetch_secret_ids_from_folder:
description:
- Boolean flag which indicates whether secret ids are in a folder is fetched by folder ID or not.
@ -221,6 +226,29 @@ EXAMPLES = r"""
the secret id's are {{
secret
}}
# If secret ID is 0 and secret_path has value then secret is fetched by secret path
- hosts: localhost
vars:
secret: >-
{{
lookup(
'community.general.tss',
0,
secret_path='\folderName\secretName'
base_url='https://secretserver.domain.com/SecretServer/',
username='user.name',
password='password'
)
}}
tasks:
- ansible.builtin.debug:
msg: >
the password is {{
(secret['items']
| items2dict(key_name='slug',
value_name='itemValue'))['password']
}}
"""
import abc
@ -231,32 +259,23 @@ from ansible.plugins.lookup import LookupBase
from ansible.utils.display import Display
try:
from delinea.secrets.server import SecretServer, SecretServerError
from delinea.secrets.server import SecretServer, SecretServerError, PasswordGrantAuthorizer, DomainPasswordGrantAuthorizer, AccessTokenAuthorizer
HAS_TSS_SDK = True
HAS_DELINEA_SS_SDK = True
HAS_TSS_AUTHORIZER = True
except ImportError:
try:
from thycotic.secrets.server import SecretServer, SecretServerError
from thycotic.secrets.server import SecretServer, SecretServerError, PasswordGrantAuthorizer, DomainPasswordGrantAuthorizer, AccessTokenAuthorizer
HAS_TSS_SDK = True
HAS_DELINEA_SS_SDK = False
HAS_TSS_AUTHORIZER = True
except ImportError:
SecretServer = None
SecretServerError = None
HAS_TSS_SDK = False
HAS_DELINEA_SS_SDK = False
try:
from thycotic.secrets.server import PasswordGrantAuthorizer, DomainPasswordGrantAuthorizer, AccessTokenAuthorizer
HAS_TSS_AUTHORIZER = True
except ImportError:
try:
from delinea.secrets.server import PasswordGrantAuthorizer, DomainPasswordGrantAuthorizer, AccessTokenAuthorizer
HAS_TSS_AUTHORIZER = True
except ImportError:
PasswordGrantAuthorizer = None
DomainPasswordGrantAuthorizer = None
AccessTokenAuthorizer = None
@ -278,13 +297,21 @@ class TSSClient(object):
else:
return TSSClientV0(**server_parameters)
def get_secret(self, term, fetch_file_attachments, file_download_path):
def get_secret(self, term, secret_path, fetch_file_attachments, file_download_path):
display.debug("tss_lookup term: %s" % term)
secret_id = self._term_to_secret_id(term)
display.vvv(u"Secret Server lookup of Secret with ID %d" % secret_id)
if secret_id == 0 and secret_path:
fetch_secret_by_path = True
display.vvv(u"Secret Server lookup of Secret with path %s" % secret_path)
else:
fetch_secret_by_path = False
display.vvv(u"Secret Server lookup of Secret with ID %d" % secret_id)
if fetch_file_attachments:
obj = self._client.get_secret(secret_id, fetch_file_attachments)
if fetch_secret_by_path:
obj = self._client.get_secret_by_path(secret_path, fetch_file_attachments)
else:
obj = self._client.get_secret(secret_id, fetch_file_attachments)
for i in obj['items']:
if file_download_path and os.path.isdir(file_download_path):
if i['isFile']:
@ -302,7 +329,10 @@ class TSSClient(object):
raise AnsibleOptionsError("File download path does not exist")
return obj
else:
return self._client.get_secret_json(secret_id)
if fetch_secret_by_path:
return self._client.get_secret_by_path(secret_path, False)
else:
return self._client.get_secret_json(secret_id)
def get_secret_ids_by_folderid(self, term):
display.debug("tss_lookup term: %s" % term)
@ -399,6 +429,14 @@ class LookupModule(LookupBase):
else:
raise AnsibleError("latest python-tss-sdk must be installed to use this plugin")
else:
return [tss.get_secret(term, self.get_option("fetch_attachments"), self.get_option("file_download_path")) for term in terms]
return [
tss.get_secret(
term,
self.get_option("secret_path"),
self.get_option("fetch_attachments"),
self.get_option("file_download_path"),
)
for term in terms
]
except SecretServerError as error:
raise AnsibleError("Secret Server lookup failure: %s" % error.message)