[PR #6660/473e557c backport][stable-7] Onepassword lookup add service accounts (#6710)
Onepassword lookup add service accounts (#6660)
* add service account token and bypass required fields when service account token is set
* add token to base class
* add Info
* add service_account_token
* add service_account_token
* add documentation
* add service_account_token
* fix E111: indentation is not a multiple of 4
* fix lint problems
* Update plugins/lookup/onepassword_raw.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/onepassword_info.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/onepassword.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* add changelog fragment
* change type service_account_token to align to domain option
* add fragment value
* Update changelogs/fragments/6660-onepassword-lookup-service-account.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/onepassword.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* remove service_account_token from onepassword_info.py
* adjust V1 to raise error if service_account_token is set
* adjust V1 to raise error if service_account_token is set
* adjust V1 to raise error if service_account_token is set
* adjust if assert_logged_in
* Update plugins/lookup/onepassword.py
Co-authored-by: Sam Doran <github@samdoran.com>
* Update plugins/lookup/onepassword.py
Co-authored-by: Sam Doran <github@samdoran.com>
* remove double return
* remove new line
* remove new line
* remove new line
* remove spaces
* remove new line
* remove spaces
* Update plugins/lookup/onepassword_raw.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* add _check_required_params
* Update plugins/lookup/onepassword.py
Co-authored-by: Sam Doran <github@samdoran.com>
* Update plugins/lookup/onepassword.py
Co-authored-by: Sam Doran <github@samdoran.com>
* remove _check_required_params
* remove spaces
* Update plugins/lookup/onepassword.py
Co-authored-by: Sam Doran <github@samdoran.com>
* remove code
---------
Co-authored-by: Jan Sagurna <jan.sagurna@sag-solutions.com>
Co-authored-by: Jan Sagurna <58932831+jansagurna@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Sam Doran <github@samdoran.com>
(cherry picked from commit 473e557c2f
)
Co-authored-by: Dominik Haßelkuss <Domi-cc@users.noreply.github.com>
parent
34c4b1f367
commit
bee530b6cc
3 changed files with 43 additions and 5 deletions
|
@ -0,0 +1,3 @@
|
||||||
|
minor_changes:
|
||||||
|
- onepassword lookup plugin - add service account support (https://github.com/ansible-collections/community.general/issues/6635, https://github.com/ansible-collections/community.general/pull/6660).
|
||||||
|
- onepassword_raw lookup plugin - add service account support (https://github.com/ansible-collections/community.general/issues/6635, https://github.com/ansible-collections/community.general/pull/6660).
|
|
@ -42,6 +42,12 @@ DOCUMENTATION = '''
|
||||||
description: The username used to sign in.
|
description: The username used to sign in.
|
||||||
secret_key:
|
secret_key:
|
||||||
description: The secret key used when performing an initial sign in.
|
description: The secret key used when performing an initial sign in.
|
||||||
|
service_account_token:
|
||||||
|
description:
|
||||||
|
- The access key for a service account.
|
||||||
|
- Only works with 1Password CLI version 2 or later.
|
||||||
|
type: str
|
||||||
|
version_added: 7.1.0
|
||||||
vault:
|
vault:
|
||||||
description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.
|
description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.
|
||||||
notes:
|
notes:
|
||||||
|
@ -113,12 +119,13 @@ from ansible_collections.community.general.plugins.module_utils.onepassword impo
|
||||||
class OnePassCLIBase(with_metaclass(abc.ABCMeta, object)):
|
class OnePassCLIBase(with_metaclass(abc.ABCMeta, object)):
|
||||||
bin = "op"
|
bin = "op"
|
||||||
|
|
||||||
def __init__(self, subdomain=None, domain="1password.com", username=None, secret_key=None, master_password=None):
|
def __init__(self, subdomain=None, domain="1password.com", username=None, secret_key=None, master_password=None, service_account_token=None):
|
||||||
self.subdomain = subdomain
|
self.subdomain = subdomain
|
||||||
self.domain = domain
|
self.domain = domain
|
||||||
self.username = username
|
self.username = username
|
||||||
self.master_password = master_password
|
self.master_password = master_password
|
||||||
self.secret_key = secret_key
|
self.secret_key = secret_key
|
||||||
|
self.service_account_token = service_account_token
|
||||||
|
|
||||||
self._path = None
|
self._path = None
|
||||||
self._version = None
|
self._version = None
|
||||||
|
@ -295,6 +302,10 @@ class OnePassCLIv1(OnePassCLIBase):
|
||||||
return not bool(rc)
|
return not bool(rc)
|
||||||
|
|
||||||
def full_signin(self):
|
def full_signin(self):
|
||||||
|
if self.service_account_token:
|
||||||
|
raise AnsibleLookupError(
|
||||||
|
"1Password CLI version 1 does not support Service Accounts. Please use version 2 or later.")
|
||||||
|
|
||||||
required_params = [
|
required_params = [
|
||||||
"subdomain",
|
"subdomain",
|
||||||
"username",
|
"username",
|
||||||
|
@ -472,6 +483,13 @@ class OnePassCLIv2(OnePassCLIBase):
|
||||||
return ""
|
return ""
|
||||||
|
|
||||||
def assert_logged_in(self):
|
def assert_logged_in(self):
|
||||||
|
if self.service_account_token:
|
||||||
|
args = ["whoami"]
|
||||||
|
environment_update = {"OP_SERVICE_ACCOUNT_TOKEN": self.service_account_token}
|
||||||
|
rc, out, err = self._run(args, environment_update=environment_update)
|
||||||
|
|
||||||
|
return not bool(rc)
|
||||||
|
|
||||||
args = ["account", "list"]
|
args = ["account", "list"]
|
||||||
if self.subdomain:
|
if self.subdomain:
|
||||||
account = "{subdomain}.{domain}".format(subdomain=self.subdomain, domain=self.domain)
|
account = "{subdomain}.{domain}".format(subdomain=self.subdomain, domain=self.domain)
|
||||||
|
@ -517,6 +535,13 @@ class OnePassCLIv2(OnePassCLIBase):
|
||||||
args = ["item", "get", item_id, "--format", "json"]
|
args = ["item", "get", item_id, "--format", "json"]
|
||||||
if vault is not None:
|
if vault is not None:
|
||||||
args += ["--vault={0}".format(vault)]
|
args += ["--vault={0}".format(vault)]
|
||||||
|
|
||||||
|
if self.service_account_token:
|
||||||
|
if vault is None:
|
||||||
|
raise AnsibleLookupError("'vault' is required with 'service_account_token'")
|
||||||
|
environment_update = {"OP_SERVICE_ACCOUNT_TOKEN": self.service_account_token}
|
||||||
|
return self._run(args, environment_update=environment_update)
|
||||||
|
|
||||||
if token is not None:
|
if token is not None:
|
||||||
args += [to_bytes("--session=") + token]
|
args += [to_bytes("--session=") + token]
|
||||||
|
|
||||||
|
@ -533,12 +558,14 @@ class OnePassCLIv2(OnePassCLIBase):
|
||||||
|
|
||||||
|
|
||||||
class OnePass(object):
|
class OnePass(object):
|
||||||
def __init__(self, subdomain=None, domain="1password.com", username=None, secret_key=None, master_password=None):
|
def __init__(self, subdomain=None, domain="1password.com", username=None, secret_key=None, master_password=None,
|
||||||
|
service_account_token=None):
|
||||||
self.subdomain = subdomain
|
self.subdomain = subdomain
|
||||||
self.domain = domain
|
self.domain = domain
|
||||||
self.username = username
|
self.username = username
|
||||||
self.secret_key = secret_key
|
self.secret_key = secret_key
|
||||||
self.master_password = master_password
|
self.master_password = master_password
|
||||||
|
self.service_account_token = service_account_token
|
||||||
|
|
||||||
self.logged_in = False
|
self.logged_in = False
|
||||||
self.token = None
|
self.token = None
|
||||||
|
@ -551,7 +578,7 @@ class OnePass(object):
|
||||||
for cls in OnePassCLIBase.__subclasses__():
|
for cls in OnePassCLIBase.__subclasses__():
|
||||||
if cls.supports_version == version.split(".")[0]:
|
if cls.supports_version == version.split(".")[0]:
|
||||||
try:
|
try:
|
||||||
return cls(self.subdomain, self.domain, self.username, self.secret_key, self.master_password)
|
return cls(self.subdomain, self.domain, self.username, self.secret_key, self.master_password, self.service_account_token)
|
||||||
except TypeError as e:
|
except TypeError as e:
|
||||||
raise AnsibleLookupError(e)
|
raise AnsibleLookupError(e)
|
||||||
|
|
||||||
|
@ -614,8 +641,9 @@ class LookupModule(LookupBase):
|
||||||
username = self.get_option("username")
|
username = self.get_option("username")
|
||||||
secret_key = self.get_option("secret_key")
|
secret_key = self.get_option("secret_key")
|
||||||
master_password = self.get_option("master_password")
|
master_password = self.get_option("master_password")
|
||||||
|
service_account_token = self.get_option("service_account_token")
|
||||||
|
|
||||||
op = OnePass(subdomain, domain, username, secret_key, master_password)
|
op = OnePass(subdomain, domain, username, secret_key, master_password, service_account_token)
|
||||||
op.assert_logged_in()
|
op.assert_logged_in()
|
||||||
|
|
||||||
values = []
|
values = []
|
||||||
|
|
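Review bot: The v1 guard against `service_account_token` sits only inside `full_signin` (hunk at -295), so it runs only when a full sign-in is attempted. If the v1 CLI already holds a valid session, the earlier login check would presumably succeed and the token would be ignored without any error, so the lookup would run under that session's identity instead of the scoped service account the playbook asked for. Raising the same `AnsibleLookupError` before any session check in the v1 class, for example at the top of its `assert_logged_in`, would make the rejection unconditional. The item-fetch method in the -517 hunk also makes `vault` mandatory when a token is set, which the option description does not mention; a line such as `- The vault option is required when this option is set.` would cover it. Both `full_signin` and the item-fetch method continue outside their hunks.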
|
@ -39,6 +39,12 @@ DOCUMENTATION = '''
|
||||||
description: The username used to sign in.
|
description: The username used to sign in.
|
||||||
secret_key:
|
secret_key:
|
||||||
description: The secret key used when performing an initial sign in.
|
description: The secret key used when performing an initial sign in.
|
||||||
|
service_account_token:
|
||||||
|
description:
|
||||||
|
- The access key for a service account.
|
||||||
|
- Only works with 1Password CLI version 2 or later.
|
||||||
|
type: string
|
||||||
|
version_added: 7.1.0
|
||||||
vault:
|
vault:
|
||||||
description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.
|
description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.
|
||||||
notes:
|
notes:
|
||||||
|
@ -89,8 +95,9 @@ class LookupModule(LookupBase):
|
||||||
username = self.get_option("username")
|
username = self.get_option("username")
|
||||||
secret_key = self.get_option("secret_key")
|
secret_key = self.get_option("secret_key")
|
||||||
master_password = self.get_option("master_password")
|
master_password = self.get_option("master_password")
|
||||||
|
service_account_token = self.get_option("service_account_token")
|
||||||
|
|
||||||
op = OnePass(subdomain, domain, username, secret_key, master_password)
|
op = OnePass(subdomain, domain, username, secret_key, master_password, service_account_token)
|
||||||
op.assert_logged_in()
|
op.assert_logged_in()
|
||||||
|
|
||||||
values = []
|
values = []
|
||||||
|
|
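Review bot: `type: string` on the new `service_account_token` option differs from the `type: str` given to the same option in the onepassword lookup documentation in this commit; writing `type: str` here keeps the two plugins' option specs identical. The call `OnePass(subdomain, domain, username, secret_key, master_password, service_account_token)` passes three secrets positionally, so a later reordering of the constructor could silently swap them. Passing `service_account_token=service_account_token` as a keyword argument would be more robust. The enclosing method starts and ends outside the hunk.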