mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Added cyberarkpassword lookup plugin (#21857)
* Added cyberarkpassword lookup plugin Added cyberarkpassword lookup plugin: It allows to retrieve credentials (password, sshkey) from CyberArk Digital Vault
This commit is contained in:
parent
bf4858d042
commit
d50d65d448
2 changed files with 167 additions and 5 deletions
|
@ -45,10 +45,10 @@ The Password Lookup
|
||||||
A great alternative to the password lookup plugin, if you don't need to generate random passwords on a per-host basis, would be to use :doc:`playbooks_vault`. Read the documentation there and consider using it first, it will be more desirable for most applications.
|
A great alternative to the password lookup plugin, if you don't need to generate random passwords on a per-host basis, would be to use :doc:`playbooks_vault`. Read the documentation there and consider using it first, it will be more desirable for most applications.
|
||||||
|
|
||||||
``password`` generates a random plaintext password and stores it in
|
``password`` generates a random plaintext password and stores it in
|
||||||
a file at a given filepath.
|
a file at a given filepath.
|
||||||
|
|
||||||
(Docs about crypted save modes are pending)
|
(Docs about crypted save modes are pending)
|
||||||
|
|
||||||
If the file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set
|
If the file exists previously, it will retrieve its contents, behaving just like with_file. Usage of variables like "{{ inventory_hostname }}" in the filepath can be used to set
|
||||||
up random passwords per host (which simplifies password management in 'host_vars' variables).
|
up random passwords per host (which simplifies password management in 'host_vars' variables).
|
||||||
|
|
||||||
|
@ -609,6 +609,3 @@ These macros are evaluated each time they are used in a task (or template)::
|
||||||
Have a question? Stop by the google group!
|
Have a question? Stop by the google group!
|
||||||
`irc.freenode.net <http://irc.freenode.net>`_
|
`irc.freenode.net <http://irc.freenode.net>`_
|
||||||
#ansible IRC chat channel
|
#ansible IRC chat channel
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
165
lib/ansible/plugins/lookup/cyberarkpassword.py
Normal file
165
lib/ansible/plugins/lookup/cyberarkpassword.py
Normal file
|
@ -0,0 +1,165 @@
|
||||||
|
# (c) 2017, Edward Nunez <edward.nunez@cyberark.com>
|
||||||
|
#
|
||||||
|
# This file is part of Ansible
|
||||||
|
#
|
||||||
|
# Ansible is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# Ansible is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
from __future__ import (absolute_import, division, print_function)
|
||||||
|
__metaclass__ = type
|
||||||
|
|
||||||
|
import os
|
||||||
|
import subprocess
|
||||||
|
from subprocess import PIPE
|
||||||
|
from subprocess import Popen
|
||||||
|
|
||||||
|
from ansible.errors import AnsibleError
|
||||||
|
from ansible.plugins.lookup import LookupBase
|
||||||
|
from ansible.parsing.splitter import parse_kv
|
||||||
|
from ansible.module_utils._text import to_text
|
||||||
|
|
||||||
|
try:
|
||||||
|
from __main__ import display
|
||||||
|
except ImportError:
|
||||||
|
from ansible.utils.display import Display
|
||||||
|
display = Display()
|
||||||
|
|
||||||
|
CLIPASSWORDSDK_CMD = os.getenv('AIM_CLIPASSWORDSDK_CMD', '/opt/CARKaim/sdk/clipasswordsdk')
|
||||||
|
|
||||||
|
|
||||||
|
class CyberarkPassword:
|
||||||
|
|
||||||
|
def __init__(self, appid=None, query=None, output=None, **kwargs):
|
||||||
|
|
||||||
|
self.appid = appid
|
||||||
|
self.query = query
|
||||||
|
self.output = output
|
||||||
|
|
||||||
|
# Support for Generic parameters to be able to specify
|
||||||
|
# FailRequestOnPasswordChange, Queryformat, Reason, etc.
|
||||||
|
self.extra_parms = []
|
||||||
|
for key, value in kwargs.items():
|
||||||
|
self.extra_parms.append('-p')
|
||||||
|
self.extra_parms.append("%s=%s" % (key, value))
|
||||||
|
|
||||||
|
if self.appid is None:
|
||||||
|
raise AnsibleError("CyberArk Error: No Application ID specified")
|
||||||
|
if self.query is None:
|
||||||
|
raise AnsibleError("CyberArk Error: No Vault query specified")
|
||||||
|
|
||||||
|
if self.output is None:
|
||||||
|
# If no output is specified, return at least the password
|
||||||
|
self.output = "password"
|
||||||
|
else:
|
||||||
|
# To avoid reference issues/confusion to values, all
|
||||||
|
# output 'keys' will be in lowercase.
|
||||||
|
self.output = self.output.lower()
|
||||||
|
|
||||||
|
self.delimiter = "@#@" # Known delimiter to split output results
|
||||||
|
|
||||||
|
def get(self):
|
||||||
|
|
||||||
|
result_dict = {}
|
||||||
|
|
||||||
|
try:
|
||||||
|
all_parms = [
|
||||||
|
CLIPASSWORDSDK_CMD,
|
||||||
|
'GetPassword',
|
||||||
|
'-p', 'AppDescs.AppID=%s' % self.appid,
|
||||||
|
'-p', 'Query=%s' % self.query,
|
||||||
|
'-o', self.output,
|
||||||
|
'-d', self.delimiter]
|
||||||
|
all_parms.extend(self.extra_parms)
|
||||||
|
|
||||||
|
credential = ""
|
||||||
|
tmp_output, tmp_error = Popen(all_parms, stdout=PIPE, stderr=PIPE, stdin=PIPE).communicate()
|
||||||
|
|
||||||
|
if tmp_output:
|
||||||
|
credential = tmp_output
|
||||||
|
|
||||||
|
if tmp_error:
|
||||||
|
raise AnsibleError("ERROR => %s " % (tmp_error))
|
||||||
|
|
||||||
|
if credential and credential.endswith(b'\n'):
|
||||||
|
credential = credential[:-1]
|
||||||
|
|
||||||
|
output_names = self.output.split(",")
|
||||||
|
output_values = credential.split(self.delimiter)
|
||||||
|
|
||||||
|
for i in range(len(output_names)):
|
||||||
|
if output_names[i].startswith("passprops."):
|
||||||
|
if "passprops" not in result_dict:
|
||||||
|
result_dict["passprops"] = {}
|
||||||
|
output_prop_name = output_names[i][10:]
|
||||||
|
result_dict["passprops"][output_prop_name] = output_values[i]
|
||||||
|
else:
|
||||||
|
result_dict[output_names[i]] = output_values[i]
|
||||||
|
|
||||||
|
except subprocess.CalledProcessError as e:
|
||||||
|
raise AnsibleError(e.output)
|
||||||
|
except OSError as e:
|
||||||
|
raise AnsibleError("ERROR - AIM not installed or clipasswordsdk not in standard location. ERROR=(%s) => %s " % (to_text(e.errno), e.strerror))
|
||||||
|
|
||||||
|
return [result_dict]
|
||||||
|
|
||||||
|
|
||||||
|
class LookupModule(LookupBase):
|
||||||
|
|
||||||
|
"""
|
||||||
|
USAGE:
|
||||||
|
|
||||||
|
{{ lookup("cyberarkpassword", {"appid": "app_ansible", "query": "safe=CyberArk_Passwords;folder=root;object=AdminPass",
|
||||||
|
"output": "Password,PassProps.UserName,PassProps.Address,PasswordChangeInProcess"}) }}
|
||||||
|
|
||||||
|
OR
|
||||||
|
|
||||||
|
with_cyberarkpassword:
|
||||||
|
appid: 'app_ansible'
|
||||||
|
query: 'safe=CyberArk_Passwords;folder=root;object=AdminPass'
|
||||||
|
output: 'Password,PassProps.UserName,PassProps.Address,PasswordChangeInProcess'
|
||||||
|
|
||||||
|
|
||||||
|
It Requires CyberArk AIM Installed, and /opt/CARKaim/sdk/clipasswordsdk in place or set environment variable AIM_CLIPASSWORDSDK_CMD to the AIM
|
||||||
|
CLI Password SDK executable.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
appid (str): Defines the unique ID of the application that is issuing the password request.
|
||||||
|
query (str): Describes the filter criteria for the password retrieval.
|
||||||
|
output (str): Specifies the desired output fields separated by commas. They could be: Password, PassProps.<property>, PasswordChangeInProcess
|
||||||
|
Optionally, you can specify extra parameters recognized by clipasswordsdk (like FailRequestOnPasswordChange, Queryformat, Reason, etc.)
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
dict: A dictionary with 'password' as key for the credential, passprops.<property>, passwordchangeinprocess
|
||||||
|
If the specified property does not exist for this password, the value <na> will be returned for this property.
|
||||||
|
If the value of the specified property is empty, <null> will be returned.
|
||||||
|
|
||||||
|
|
||||||
|
for extra_parms values please check parameters for clipasswordsdk in CyberArk's "Credential Provider and ASCP Implementation Guide"
|
||||||
|
|
||||||
|
For Ansible on windows, please change the -parameters (-p, -d, and -o) to /parameters (/p, /d, and /o) and change the location of CLIPasswordSDK.exe
|
||||||
|
"""
|
||||||
|
|
||||||
|
def run(self, terms, variables=None, **kwargs):
|
||||||
|
|
||||||
|
display.vvvv(terms)
|
||||||
|
if isinstance(terms, list):
|
||||||
|
return_values = []
|
||||||
|
for term in terms:
|
||||||
|
display.vvvv("Term: %s" % term)
|
||||||
|
cyberark_conn = CyberarkPassword(**term)
|
||||||
|
return_values.append(cyberark_conn.get())
|
||||||
|
return return_values
|
||||||
|
else:
|
||||||
|
cyberark_conn = CyberarkPassword(**terms)
|
||||||
|
result = cyberark_conn.get()
|
||||||
|
return result
|
Loading…
Reference in a new issue