1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Onepassword lookup add service accounts (#6660)

* add service account token and bypass required fields when service account token is set

* add token to base class

* add Info

* add service_account_token

* add service_account_token

* add documentation

* add service_account_token

* fix E111: indentation is not a multiple of 4

* fix lint problems

* Update plugins/lookup/onepassword_raw.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/onepassword_info.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/lookup/onepassword.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* add changelog fragment

* change type service_account_token to align to domain option

* add fragment value

* Update changelogs/fragments/6660-onepassword-lookup-service-account.yaml

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/lookup/onepassword.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* remove service_account_token from onepassword_info.py

* adjust V1 to raise error if service_account_token is set

* adjust V1 to raise error if service_account_token is set

* adjust V1 to raise error if service_account_token is set

* adjust if assert_logged_in

* Update plugins/lookup/onepassword.py

Co-authored-by: Sam Doran <github@samdoran.com>

* Update plugins/lookup/onepassword.py

Co-authored-by: Sam Doran <github@samdoran.com>

* remove double return

* remove new line

* remove new line

* remove new line

* remove spaces

* remove new line

* remove spaces

* Update plugins/lookup/onepassword_raw.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* add _check_required_params

* Update plugins/lookup/onepassword.py

Co-authored-by: Sam Doran <github@samdoran.com>

* Update plugins/lookup/onepassword.py

Co-authored-by: Sam Doran <github@samdoran.com>

* remove _check_required_params

* remove spaces

* Update plugins/lookup/onepassword.py

Co-authored-by: Sam Doran <github@samdoran.com>

* remove code

---------

Co-authored-by: Jan Sagurna <jan.sagurna@sag-solutions.com>
Co-authored-by: Jan Sagurna <58932831+jansagurna@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Sam Doran <github@samdoran.com>
This commit is contained in:
Dominik Haßelkuss 2023-06-15 19:18:12 +02:00 committed by GitHub
parent eff0cb0ed9
commit 473e557c2f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 43 additions and 5 deletions

View file

@ -0,0 +1,3 @@
minor_changes:
- onepassword lookup plugin - add service account support (https://github.com/ansible-collections/community.general/issues/6635, https://github.com/ansible-collections/community.general/pull/6660).
- onepassword_raw lookup plugin - add service account support (https://github.com/ansible-collections/community.general/issues/6635, https://github.com/ansible-collections/community.general/pull/6660).

View file

@ -42,6 +42,12 @@ DOCUMENTATION = '''
description: The username used to sign in. description: The username used to sign in.
secret_key: secret_key:
description: The secret key used when performing an initial sign in. description: The secret key used when performing an initial sign in.
service_account_token:
description:
- The access key for a service account.
- Only works with 1Password CLI version 2 or later.
type: str
version_added: 7.1.0
vault: vault:
description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults. description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.
notes: notes:
@ -113,12 +119,13 @@ from ansible_collections.community.general.plugins.module_utils.onepassword impo
class OnePassCLIBase(with_metaclass(abc.ABCMeta, object)): class OnePassCLIBase(with_metaclass(abc.ABCMeta, object)):
bin = "op" bin = "op"
def __init__(self, subdomain=None, domain="1password.com", username=None, secret_key=None, master_password=None): def __init__(self, subdomain=None, domain="1password.com", username=None, secret_key=None, master_password=None, service_account_token=None):
self.subdomain = subdomain self.subdomain = subdomain
self.domain = domain self.domain = domain
self.username = username self.username = username
self.master_password = master_password self.master_password = master_password
self.secret_key = secret_key self.secret_key = secret_key
self.service_account_token = service_account_token
self._path = None self._path = None
self._version = None self._version = None
@ -295,6 +302,10 @@ class OnePassCLIv1(OnePassCLIBase):
return not bool(rc) return not bool(rc)
def full_signin(self): def full_signin(self):
if self.service_account_token:
raise AnsibleLookupError(
"1Password CLI version 1 does not support Service Accounts. Please use version 2 or later.")
required_params = [ required_params = [
"subdomain", "subdomain",
"username", "username",
@ -472,6 +483,13 @@ class OnePassCLIv2(OnePassCLIBase):
return "" return ""
def assert_logged_in(self): def assert_logged_in(self):
if self.service_account_token:
args = ["whoami"]
environment_update = {"OP_SERVICE_ACCOUNT_TOKEN": self.service_account_token}
rc, out, err = self._run(args, environment_update=environment_update)
return not bool(rc)
args = ["account", "list"] args = ["account", "list"]
if self.subdomain: if self.subdomain:
account = "{subdomain}.{domain}".format(subdomain=self.subdomain, domain=self.domain) account = "{subdomain}.{domain}".format(subdomain=self.subdomain, domain=self.domain)
@ -517,6 +535,13 @@ class OnePassCLIv2(OnePassCLIBase):
args = ["item", "get", item_id, "--format", "json"] args = ["item", "get", item_id, "--format", "json"]
if vault is not None: if vault is not None:
args += ["--vault={0}".format(vault)] args += ["--vault={0}".format(vault)]
if self.service_account_token:
if vault is None:
raise AnsibleLookupError("'vault' is required with 'service_account_token'")
environment_update = {"OP_SERVICE_ACCOUNT_TOKEN": self.service_account_token}
return self._run(args, environment_update=environment_update)
if token is not None: if token is not None:
args += [to_bytes("--session=") + token] args += [to_bytes("--session=") + token]
@ -533,12 +558,14 @@ class OnePassCLIv2(OnePassCLIBase):
class OnePass(object): class OnePass(object):
def __init__(self, subdomain=None, domain="1password.com", username=None, secret_key=None, master_password=None): def __init__(self, subdomain=None, domain="1password.com", username=None, secret_key=None, master_password=None,
service_account_token=None):
self.subdomain = subdomain self.subdomain = subdomain
self.domain = domain self.domain = domain
self.username = username self.username = username
self.secret_key = secret_key self.secret_key = secret_key
self.master_password = master_password self.master_password = master_password
self.service_account_token = service_account_token
self.logged_in = False self.logged_in = False
self.token = None self.token = None
@ -551,7 +578,7 @@ class OnePass(object):
for cls in OnePassCLIBase.__subclasses__(): for cls in OnePassCLIBase.__subclasses__():
if cls.supports_version == version.split(".")[0]: if cls.supports_version == version.split(".")[0]:
try: try:
return cls(self.subdomain, self.domain, self.username, self.secret_key, self.master_password) return cls(self.subdomain, self.domain, self.username, self.secret_key, self.master_password, self.service_account_token)
except TypeError as e: except TypeError as e:
raise AnsibleLookupError(e) raise AnsibleLookupError(e)
@ -614,8 +641,9 @@ class LookupModule(LookupBase):
username = self.get_option("username") username = self.get_option("username")
secret_key = self.get_option("secret_key") secret_key = self.get_option("secret_key")
master_password = self.get_option("master_password") master_password = self.get_option("master_password")
service_account_token = self.get_option("service_account_token")
op = OnePass(subdomain, domain, username, secret_key, master_password) op = OnePass(subdomain, domain, username, secret_key, master_password, service_account_token)
op.assert_logged_in() op.assert_logged_in()
values = [] values = []

View file

@ -39,6 +39,12 @@ DOCUMENTATION = '''
description: The username used to sign in. description: The username used to sign in.
secret_key: secret_key:
description: The secret key used when performing an initial sign in. description: The secret key used when performing an initial sign in.
service_account_token:
description:
- The access key for a service account.
- Only works with 1Password CLI version 2 or later.
type: string
version_added: 7.1.0
vault: vault:
description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults. description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.
notes: notes:
@ -89,8 +95,9 @@ class LookupModule(LookupBase):
username = self.get_option("username") username = self.get_option("username")
secret_key = self.get_option("secret_key") secret_key = self.get_option("secret_key")
master_password = self.get_option("master_password") master_password = self.get_option("master_password")
service_account_token = self.get_option("service_account_token")
op = OnePass(subdomain, domain, username, secret_key, master_password) op = OnePass(subdomain, domain, username, secret_key, master_password, service_account_token)
op.assert_logged_in() op.assert_logged_in()
values = [] values = []