1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

tss: add option for token authorization (#3327) (#3372)

* Added token parameter for AccessTokenAuthorizer

Parameters username and password are not required anymore because of
this.

* Added changelog fragments

* Apply suggestions from code review

Co-authored-by: Ajpantuso <ajpantuso@gmail.com>

* token authorizer is prioritized

token authorizer is prioritized when token parameter is set

* Apply suggestions from code review

Co-authored-by: Felix Fontein <felix@fontein.de>

* domain optional if token not provided

* Updated examples

- `base_url` is required everywhere
- examples for user, name + domain authorization included
- token authorization included

* Update 3327-tss-token-authorization.yml

* Apply suggestions from code review

Co-authored-by: Felix Fontein <felix@fontein.de>

Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit dc8d076a25)

Co-authored-by: Martin Vician <vician@users.noreply.github.com>
This commit is contained in:
patchback[bot] 2021-09-14 19:49:51 +02:00 committed by GitHub
parent 68458fd8aa
commit bc0edf7d55
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 57 additions and 17 deletions

View file

@ -0,0 +1,4 @@
minor_changes:
- tss lookup plugin - added ``token`` parameter for token authorization;
``username`` and ``password`` are optional when ``token`` is provided
(https://github.com/ansible-collections/community.general/pull/3327).

View file

@ -36,19 +36,20 @@ options:
ini: ini:
- section: tss_lookup - section: tss_lookup
key: username key: username
required: true
password: password:
description: The password associated with the supplied username. description:
- The password associated with the supplied username.
- Required when I(token) is not provided.
env: env:
- name: TSS_PASSWORD - name: TSS_PASSWORD
ini: ini:
- section: tss_lookup - section: tss_lookup
key: password key: password
required: true
domain: domain:
default: "" default: ""
description: description:
- The domain with which to request the OAuth2 Access Grant. - The domain with which to request the OAuth2 Access Grant.
- Optional when I(token) is not provided.
- Requires C(python-tss-sdk) version 1.0.0 or greater. - Requires C(python-tss-sdk) version 1.0.0 or greater.
env: env:
- name: TSS_DOMAIN - name: TSS_DOMAIN
@ -57,6 +58,17 @@ options:
key: domain key: domain
required: false required: false
version_added: 3.6.0 version_added: 3.6.0
token:
description:
- Existing token for Thycotic authorizer.
- If provided, I(username) and I(password) are not needed.
- Requires C(python-tss-sdk) version 1.0.0 or greater.
env:
- name: TSS_TOKEN
ini:
- section: tss_lookup
key: token
version_added: 3.7.0
api_path_uri: api_path_uri:
default: /api/v1 default: /api/v1
description: The path to append to the base URL to form a valid REST description: The path to append to the base URL to form a valid REST
@ -83,18 +95,6 @@ _list:
""" """
EXAMPLES = r""" EXAMPLES = r"""
- hosts: localhost
vars:
secret: "{{ lookup('community.general.tss', 1) }}"
tasks:
- ansible.builtin.debug:
msg: >
the password is {{
(secret['items']
| items2dict(key_name='slug',
value_name='itemValue'))['password']
}}
- hosts: localhost - hosts: localhost
vars: vars:
secret: >- secret: >-
@ -116,10 +116,39 @@ EXAMPLES = r"""
value_name='itemValue'))['password'] value_name='itemValue'))['password']
}} }}
- hosts: localhost
vars:
secret: >-
{{
lookup(
'community.general.tss',
102,
base_url='https://secretserver.domain.com/SecretServer/',
username='user.name',
password='password',
domain='domain'
)
}}
tasks:
- ansible.builtin.debug:
msg: >
the password is {{
(secret['items']
| items2dict(key_name='slug',
value_name='itemValue'))['password']
}}
- hosts: localhost - hosts: localhost
vars: vars:
secret_password: >- secret_password: >-
{{ ((lookup('community.general.tss', 1) | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password'] }}" {{
((lookup(
'community.general.tss',
102,
base_url='https://secretserver.domain.com/SecretServer/',
token='thycotic_access_token',
) | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password']
}}
tasks: tasks:
- ansible.builtin.debug: - ansible.builtin.debug:
msg: the password is {{ secret_password }} msg: the password is {{ secret_password }}
@ -142,12 +171,13 @@ except ImportError:
HAS_TSS_SDK = False HAS_TSS_SDK = False
try: try:
from thycotic.secrets.server import PasswordGrantAuthorizer, DomainPasswordGrantAuthorizer from thycotic.secrets.server import PasswordGrantAuthorizer, DomainPasswordGrantAuthorizer, AccessTokenAuthorizer
HAS_TSS_AUTHORIZER = True HAS_TSS_AUTHORIZER = True
except ImportError: except ImportError:
PasswordGrantAuthorizer = None PasswordGrantAuthorizer = None
DomainPasswordGrantAuthorizer = None DomainPasswordGrantAuthorizer = None
AccessTokenAuthorizer = None
HAS_TSS_AUTHORIZER = False HAS_TSS_AUTHORIZER = False
@ -209,6 +239,11 @@ class TSSClientV1(TSSClient):
@staticmethod @staticmethod
def _get_authorizer(**server_parameters): def _get_authorizer(**server_parameters):
if server_parameters.get("token"):
return AccessTokenAuthorizer(
server_parameters["token"],
)
if server_parameters.get("domain"): if server_parameters.get("domain"):
return DomainPasswordGrantAuthorizer( return DomainPasswordGrantAuthorizer(
server_parameters["base_url"], server_parameters["base_url"],
@ -238,6 +273,7 @@ class LookupModule(LookupBase):
username=self.get_option("username"), username=self.get_option("username"),
password=self.get_option("password"), password=self.get_option("password"),
domain=self.get_option("domain"), domain=self.get_option("domain"),
token=self.get_option("token"),
api_path_uri=self.get_option("api_path_uri"), api_path_uri=self.get_option("api_path_uri"),
token_path_uri=self.get_option("token_path_uri"), token_path_uri=self.get_option("token_path_uri"),
) )