mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Add Thycotic DevOps Secrets Vault lookup plugin (#90)
* Add the Thycotic DevOps Secrets Vault lookup plugin. * Update plugins/lookup/dsv.py Co-Authored-By: Felix Fontein <felix@fontein.de> * Update plugins/lookup/dsv.py Co-Authored-By: Felix Fontein <felix@fontein.de> * Update plugins/lookup/dsv.py Co-Authored-By: Felix Fontein <felix@fontein.de> * Fix import error check per code review. * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * Add a unittest for plugins/lookup/dsv.py * Add copyrights. * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * Fixed formatting bug in test_dsv.py * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de>
This commit is contained in:
parent
4c6e2f2a40
commit
a424ee71e3
2 changed files with 181 additions and 0 deletions
138
plugins/lookup/dsv.py
Normal file
138
plugins/lookup/dsv.py
Normal file
|
@ -0,0 +1,138 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
# Copyright: (c) 2020, Adam Migus <adam@migus.org>
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
from __future__ import absolute_import, division, print_function
|
||||
|
||||
__metaclass__ = type
|
||||
|
||||
DOCUMENTATION = r"""
|
||||
lookup: dsv
|
||||
author: Adam Migus (adam@migus.org)
|
||||
short_description: Get secrets from Thycotic DevOps Secrets Vault
|
||||
version_added: 1.0.0
|
||||
description:
|
||||
- Uses the Thycotic DevOps Secrets Vault Python SDK to get Secrets from a
|
||||
DSV I(tenant) using a I(client_id) and I(client_secret).
|
||||
requirements:
|
||||
- python-dsv-sdk - https://pypi.org/project/python-dsv-sdk/
|
||||
options:
|
||||
_terms:
|
||||
description: The path to the secret, e.g. C(/staging/servers/web1).
|
||||
required: true
|
||||
tenant:
|
||||
description: The first format parameter in the default I(url_template).
|
||||
env:
|
||||
- name: DSV_TENANT
|
||||
ini:
|
||||
- section: dsv_lookup
|
||||
key: tenant
|
||||
required: true
|
||||
tld:
|
||||
default: com
|
||||
description: The top-level domain of the tenant; the second format
|
||||
parameter in the default I(url_template).
|
||||
env:
|
||||
- name: DSV_TLD
|
||||
ini:
|
||||
- section: dsv_lookup
|
||||
key: tld
|
||||
required: false
|
||||
client_id:
|
||||
description: The client_id with which to request the Access Grant.
|
||||
env:
|
||||
- name: DSV_CLIENT_ID
|
||||
ini:
|
||||
- section: dsv_lookup
|
||||
key: client_id
|
||||
required: true
|
||||
client_secret:
|
||||
description: The client secret associated with the specific I(client_id).
|
||||
env:
|
||||
- name: DSV_CLIENT_SECRET
|
||||
ini:
|
||||
- section: dsv_lookup
|
||||
key: client_secret
|
||||
required: true
|
||||
url_template:
|
||||
default: https://{}.secretsvaultcloud.{}/v1
|
||||
description: The path to prepend to the base URL to form a valid REST
|
||||
API request.
|
||||
env:
|
||||
- name: DSV_URL_TEMPLATE
|
||||
ini:
|
||||
- section: dsv_lookup
|
||||
key: url_template
|
||||
required: false
|
||||
"""
|
||||
|
||||
RETURN = r"""
|
||||
_list:
|
||||
description:
|
||||
- One or more JSON responses to C(GET /secrets/{path}).
|
||||
- See U(https://dsv.thycotic.com/api/index.html#operation/getSecret).
|
||||
"""
|
||||
|
||||
EXAMPLES = r"""
|
||||
- hosts: localhost
|
||||
vars:
|
||||
secret: "{{ lookup('community.general.dsv', '/test/secret') }}"
|
||||
tasks:
|
||||
- debug:
|
||||
msg: 'the password is {{ secret["data"]["password"] }}'
|
||||
"""
|
||||
|
||||
from ansible.errors import AnsibleError, AnsibleOptionsError
|
||||
|
||||
sdk_is_missing = False
|
||||
|
||||
try:
|
||||
from thycotic.secrets.vault import (
|
||||
SecretsVault,
|
||||
SecretsVaultError,
|
||||
)
|
||||
except ImportError:
|
||||
sdk_is_missing = True
|
||||
|
||||
from ansible.utils.display import Display
|
||||
from ansible.plugins.lookup import LookupBase
|
||||
|
||||
|
||||
display = Display()
|
||||
|
||||
|
||||
class LookupModule(LookupBase):
|
||||
@staticmethod
|
||||
def Client(vault_parameters):
|
||||
return SecretsVault(**vault_parameters)
|
||||
|
||||
def run(self, terms, variables, **kwargs):
|
||||
if sdk_is_missing:
|
||||
raise AnsibleError("python-dsv-sdk must be installed to use this plugin")
|
||||
|
||||
self.set_options(var_options=variables, direct=kwargs)
|
||||
|
||||
vault = LookupModule.Client(
|
||||
**{
|
||||
"tenant": self.get_option("tenant"),
|
||||
"client_id": self.get_option("client_id"),
|
||||
"client_secret": self.get_option("client_secret"),
|
||||
"url_template": self.get_option("url_template"),
|
||||
}
|
||||
)
|
||||
result = []
|
||||
|
||||
for term in terms:
|
||||
display.debug("dsv_lookup term: %s" % term)
|
||||
try:
|
||||
path = term.lstrip("[/:]")
|
||||
|
||||
if path == "":
|
||||
raise AnsibleOptionsError("Invalid secret path: %s" % term)
|
||||
|
||||
display.vvv(u"DevOps Secrets Vault GET /secrets/%s" % path)
|
||||
result.append(vault.get_secret_json(path))
|
||||
except SecretsVaultError as error:
|
||||
raise AnsibleError(
|
||||
"DevOps Secrets Vault lookup failure: %s" % error.message
|
||||
)
|
||||
return result
|
43
tests/unit/plugins/lookup/test_dsv.py
Normal file
43
tests/unit/plugins/lookup/test_dsv.py
Normal file
|
@ -0,0 +1,43 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
# (c) 2020, Adam Migus <adam@migus.org>
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
# Make coding more python3-ish
|
||||
from __future__ import absolute_import, division, print_function
|
||||
|
||||
__metaclass__ = type
|
||||
|
||||
from ansible_collections.community.general.tests.unit.compat.unittest import TestCase
|
||||
from ansible_collections.community.general.tests.unit.compat.mock import (
|
||||
patch,
|
||||
MagicMock,
|
||||
)
|
||||
from ansible_collections.community.general.plugins.lookup import dsv
|
||||
from ansible.plugins.loader import lookup_loader
|
||||
|
||||
|
||||
class MockSecretsVault(MagicMock):
|
||||
RESPONSE = '{"foo": "bar"}'
|
||||
|
||||
def get_secret_json(self, path):
|
||||
return self.RESPONSE
|
||||
|
||||
|
||||
class TestLookupModule(TestCase):
|
||||
def setUp(self):
|
||||
dsv.sdk_is_missing = False
|
||||
self.lookup = lookup_loader.get("community.general.dsv")
|
||||
|
||||
@patch(
|
||||
"ansible_collections.community.general.plugins.lookup.dsv.LookupModule.Client",
|
||||
MockSecretsVault(),
|
||||
)
|
||||
def test_get_secret_json(self):
|
||||
self.assertListEqual(
|
||||
[MockSecretsVault.RESPONSE],
|
||||
self.lookup.run(
|
||||
["/dummy"],
|
||||
[],
|
||||
**{"tenant": "dummy", "client_id": "dummy", "client_secret": "dummy", }
|
||||
),
|
||||
)
|
Loading…
Reference in a new issue