Add Thycotic DevOps Secrets Vault lookup plugin (#90)

* Add the Thycotic DevOps Secrets Vault lookup plugin. * Update plugins/lookup/dsv.py Co-Authored-By: Felix Fontein <felix@fontein.de> * Update plugins/lookup/dsv.py Co-Authored-By: Felix Fontein <felix@fontein.de> * Update plugins/lookup/dsv.py Co-Authored-By: Felix Fontein <felix@fontein.de> * Fix import error check per code review. * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * Add a unittest for plugins/lookup/dsv.py * Add copyrights. * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * Fixed formatting bug in test_dsv.py * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de>
2024-09-14 20:13:21 +02:00 · 2020-07-13 01:45:07 -04:00 · 2020-07-13 01:45:07 -04:00 · a424ee71e3
commit a424ee71e3
parent 4c6e2f2a40
2 changed files with 181 additions and 0 deletions
--- a/plugins/lookup/dsv.py
+++ b/plugins/lookup/dsv.py
@ -0,0 +1,138 @@
+# -*- coding: utf-8 -*-
+# Copyright: (c) 2020, Adam Migus <adam@migus.org>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = r"""
+lookup: dsv
+author: Adam Migus (adam@migus.org)
+short_description: Get secrets from Thycotic DevOps Secrets Vault
+version_added: 1.0.0
+description:
+    - Uses the Thycotic DevOps Secrets Vault Python SDK to get Secrets from a
+      DSV I(tenant) using a I(client_id) and I(client_secret).
+requirements:
+    - python-dsv-sdk - https://pypi.org/project/python-dsv-sdk/
+options:
+    _terms:
+        description: The path to the secret, e.g. C(/staging/servers/web1).
+        required: true
+    tenant:
+        description: The first format parameter in the default I(url_template).
+        env:
+            - name: DSV_TENANT
+        ini:
+            - section: dsv_lookup
+              key: tenant
+        required: true
+    tld:
+        default: com
+        description: The top-level domain of the tenant; the second format
+            parameter in the default I(url_template).
+        env:
+            - name: DSV_TLD
+        ini:
+            - section: dsv_lookup
+              key: tld
+        required: false
+    client_id:
+        description: The client_id with which to request the Access Grant.
+        env:
+            - name: DSV_CLIENT_ID
+        ini:
+            - section: dsv_lookup
+              key: client_id
+        required: true
+    client_secret:
+        description: The client secret associated with the specific I(client_id).
+        env:
+            - name: DSV_CLIENT_SECRET
+        ini:
+            - section: dsv_lookup
+              key: client_secret
+        required: true
+    url_template:
+        default: https://{}.secretsvaultcloud.{}/v1
+        description: The path to prepend to the base URL to form a valid REST
+            API request.
+        env:
+            - name: DSV_URL_TEMPLATE
+        ini:
+            - section: dsv_lookup
+              key: url_template
+        required: false
+"""
+
+RETURN = r"""
+_list:
+    description:
+        - One or more JSON responses to C(GET /secrets/{path}).
+        - See U(https://dsv.thycotic.com/api/index.html#operation/getSecret).
+"""
+
+EXAMPLES = r"""
+- hosts: localhost
+  vars:
+      secret: "{{ lookup('community.general.dsv', '/test/secret') }}"
+  tasks:
+      - debug:
+          msg: 'the password is {{ secret["data"]["password"] }}'
+"""
+
+from ansible.errors import AnsibleError, AnsibleOptionsError
+
+sdk_is_missing = False
+
+try:
+    from thycotic.secrets.vault import (
+        SecretsVault,
+        SecretsVaultError,
+    )
+except ImportError:
+    sdk_is_missing = True
+
+from ansible.utils.display import Display
+from ansible.plugins.lookup import LookupBase
+
+
+display = Display()
+
+
+class LookupModule(LookupBase):
+    @staticmethod
+    def Client(vault_parameters):
+        return SecretsVault(**vault_parameters)
+
+    def run(self, terms, variables, **kwargs):
+        if sdk_is_missing:
+            raise AnsibleError("python-dsv-sdk must be installed to use this plugin")
+
+        self.set_options(var_options=variables, direct=kwargs)
+
+        vault = LookupModule.Client(
+            **{
+                "tenant": self.get_option("tenant"),
+                "client_id": self.get_option("client_id"),
+                "client_secret": self.get_option("client_secret"),
+                "url_template": self.get_option("url_template"),
+            }
+        )
+        result = []
+
+        for term in terms:
+            display.debug("dsv_lookup term: %s" % term)
+            try:
+                path = term.lstrip("[/:]")
+
+                if path == "":
+                    raise AnsibleOptionsError("Invalid secret path: %s" % term)
+
+                display.vvv(u"DevOps Secrets Vault GET /secrets/%s" % path)
+                result.append(vault.get_secret_json(path))
+            except SecretsVaultError as error:
+                raise AnsibleError(
+                    "DevOps Secrets Vault lookup failure: %s" % error.message
+                )
+        return result
--- a/tests/unit/plugins/lookup/test_dsv.py
+++ b/tests/unit/plugins/lookup/test_dsv.py
@ -0,0 +1,43 @@
+# -*- coding: utf-8 -*-
+# (c) 2020, Adam Migus <adam@migus.org>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+# Make coding more python3-ish
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+from ansible_collections.community.general.tests.unit.compat.unittest import TestCase
+from ansible_collections.community.general.tests.unit.compat.mock import (
+    patch,
+    MagicMock,
+)
+from ansible_collections.community.general.plugins.lookup import dsv
+from ansible.plugins.loader import lookup_loader
+
+
+class MockSecretsVault(MagicMock):
+    RESPONSE = '{"foo": "bar"}'
+
+    def get_secret_json(self, path):
+        return self.RESPONSE
+
+
+class TestLookupModule(TestCase):
+    def setUp(self):
+        dsv.sdk_is_missing = False
+        self.lookup = lookup_loader.get("community.general.dsv")
+
+    @patch(
+        "ansible_collections.community.general.plugins.lookup.dsv.LookupModule.Client",
+        MockSecretsVault(),
+    )
+    def test_get_secret_json(self):
+        self.assertListEqual(
+            [MockSecretsVault.RESPONSE],
+            self.lookup.run(
+                ["/dummy"],
+                [],
+                **{"tenant": "dummy", "client_id": "dummy", "client_secret": "dummy", }
+            ),
+        )