From dc8d076a251e213687f9ff1ff3d3ecc7010103f2 Mon Sep 17 00:00:00 2001
From: Martin Vician
Date: Tue, 14 Sep 2021 12:34:59 +0100
Subject: [PATCH] tss: add option for token authorization (#3327) * Added token parameter for AccessTokenAuthorizer Parameters username and password are not required anymore because of this. * Added changelog fragments * Apply suggestions from code review Co-authored-by: Ajpantuso * token authorizer is prioritized token authorizer is prioritized when token parameter is set * Apply suggestions from code review Co-authored-by: Felix Fontein * domain optional if token not provided * Updated examples - `base_url` is required everywhere - examples for user, name + domain authorization included - token authorization included * Update 3327-tss-token-authorization.yml * Apply suggestions from code review Co-authored-by: Felix Fontein Co-authored-by: Ajpantuso Co-authored-by: Felix Fontein
---
.../3327-tss-token-authorization.yml | 4 ++
plugins/lookup/tss.py | 70 ++++++++++++++-----
2 files changed, 57 insertions(+), 17 deletions(-)
create mode 100644 changelogs/fragments/3327-tss-token-authorization.yml
diff --git a/changelogs/fragments/3327-tss-token-authorization.yml b/changelogs/fragments/3327-tss-token-authorization.yml
new file mode 100644
index 0000000000..5d9f56cb72
--- /dev/null
+++ b/changelogs/fragments/3327-tss-token-authorization.yml
@@ -0,0 +1,4 @@
+minor_changes:
+ - tss lookup plugin - added ``token`` parameter for token authorization;
+ ``username`` and ``password`` are optional when ``token`` is provided
+ (https://github.com/ansible-collections/community.general/pull/3327).
diff --git a/plugins/lookup/tss.py b/plugins/lookup/tss.py
index fe6042e130..3b561e94fc 100644
--- a/plugins/lookup/tss.py
+++ b/plugins/lookup/tss.py
@@ -36,19 +36,20 @@ options:
ini:
- section: tss_lookup
key: username
- required: true
password:
- description: The password associated with the supplied username.
+ description:
+ - The password associated with the supplied username.
+ - Required when I(token) is not provided.
env:
- name: TSS_PASSWORD
ini:
- section: tss_lookup
key: password
- required: true
domain:
default: ""
description:
- The domain with which to request the OAuth2 Access Grant.
+ - Optional when I(token) is not provided.
- Requires C(python-tss-sdk) version 1.0.0 or greater.
env:
- name: TSS_DOMAIN
@@ -57,6 +58,17 @@ options:
key: domain
required: false
version_added: 3.6.0
+ token:
+ description:
+ - Existing token for Thycotic authorizer.
+ - If provided, I(username) and I(password) are not needed.
+ - Requires C(python-tss-sdk) version 1.0.0 or greater.
+ env:
+ - name: TSS_TOKEN
+ ini:
+ - section: tss_lookup
+ key: token
+ version_added: 3.7.0
api_path_uri:
default: /api/v1
description: The path to append to the base URL to form a valid REST
@@ -83,18 +95,6 @@ _list:
"""
EXAMPLES = r"""
-- hosts: localhost
- vars:
- secret: "{{ lookup('community.general.tss', 1) }}"
- tasks:
- - ansible.builtin.debug:
- msg: >
- the password is {{
- (secret['items']
- | items2dict(key_name='slug',
- value_name='itemValue'))['password']
- }}
-
- hosts: localhost
vars:
secret: >-
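Review bot: The `username` option loses `required: true` in this hunk but, unlike `password`, gets no bullet saying it is still needed without I(token); its description sits above the hunk, so if it was not updated there, add `- Required when I(token) is not provided.` under `username` as well. The new `domain` bullet `- Optional when I(token) is not provided.` is also misleading: `domain` was already optional (`required: false`, `default: ""`), and what actually changes is that it is not consulted when a token is supplied, so `- Ignored when I(token) is provided.` describes the behaviour. Both wordings should mirror `_get_authorizer`, where a set `token` is tested before `domain`.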
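Review bot: The `token` option description does not say what happens when `token` and `username`/`password` are all set; `_get_authorizer` checks `token` first and never reaches the password grant in that case, so a user with `TSS_PASSWORD` in the environment who also passes `token=` gets behaviour the docs do not describe. Replace the second bullet with `- If provided, it takes precedence over I(username), I(password) and I(domain), which are then ignored.` It would also help to state that the value is a bearer credential and is best supplied through `TSS_TOKEN`, the ini key or a vaulted variable rather than a literal in a playbook.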
@@ -116,10 +116,39 @@ EXAMPLES = r"""
value_name='itemValue'))['password']
}}
+- hosts: localhost
+ vars:
+ secret: >-
+ {{
+ lookup(
+ 'community.general.tss',
+ 102,
+ base_url='https://secretserver.domain.com/SecretServer/',
+ username='user.name',
+ password='password',
+ domain='domain'
+ )
+ }}
+ tasks:
+ - ansible.builtin.debug:
+ msg: >
+ the password is {{
+ (secret['items']
+ | items2dict(key_name='slug',
+ value_name='itemValue'))['password']
+ }}
+
- hosts: localhost
vars:
secret_password: >-
- {{ ((lookup('community.general.tss', 1) | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password'] }}"
+ {{
+ ((lookup(
+ 'community.general.tss',
+ 102,
+ base_url='https://secretserver.domain.com/SecretServer/',
+ token='thycotic_access_token',
+ ) | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password']
+ }}
tasks:
- ansible.builtin.debug:
msg: the password is {{ secret_password }}
@@ -142,12 +171,13 @@ except ImportError:
HAS_TSS_SDK = False
try:
- from thycotic.secrets.server import PasswordGrantAuthorizer, DomainPasswordGrantAuthorizer
+ from thycotic.secrets.server import PasswordGrantAuthorizer, DomainPasswordGrantAuthorizer, AccessTokenAuthorizer
HAS_TSS_AUTHORIZER = True
except ImportError:
PasswordGrantAuthorizer = None
DomainPasswordGrantAuthorizer = None
+ AccessTokenAuthorizer = None
HAS_TSS_AUTHORIZER = False
@@ -209,6 +239,11 @@ class TSSClientV1(TSSClient):
@staticmethod
def _get_authorizer(**server_parameters):
+ if server_parameters.get("token"):
+ return AccessTokenAuthorizer(
+ server_parameters["token"],
+ )
+
if server_parameters.get("domain"):
return DomainPasswordGrantAuthorizer(
server_parameters["base_url"],
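Review bot: The new token example hard-codes the credential as `token='thycotic_access_token'` in the playbook, while the option added in this diff also reads `TSS_TOKEN` from the environment and a `token` ini key; the example would model safer handling by passing a variable, e.g. `token=tss_token` with `tss_token` coming from a vaulted vars file, or by omitting `token=` and noting that `TSS_TOKEN` is picked up automatically. The preceding username/password example likewise inlines `password='password'`; a short comment that these literals are placeholders would discourage copy-paste into real playbooks. This hunk starts inside EXAMPLES, whose opening lines are outside the hunk.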
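Review bot: Adding `AccessTokenAuthorizer` to the single `from thycotic.secrets.server import ...` line means an SDK release that ships `PasswordGrantAuthorizer` and `DomainPasswordGrantAuthorizer` but not `AccessTokenAuthorizer` now fails the whole import and sets `HAS_TSS_AUTHORIZER = False`, so users who never pass `token` would lose the authorizer-based client they had before. The `domain` and `token` options are both documented as needing python-tss-sdk 1.0.0 or greater, so this may be moot, but it is worth confirming against the SDK's history; if it is not, import `AccessTokenAuthorizer` in its own `try`/`except ImportError` block and fail only in `_get_authorizer` when `token` is set and the class is `None`.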
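Review bot: With `username` and `password` no longer `required: true`, the fall-through below the new `token` branch can now be reached with both set to `None`, and nothing in this hunk rejects that; the rest of `_get_authorizer` is outside the hunk. Add an explicit guard before the `domain` branch, e.g. `if not (server_parameters.get("username") and server_parameters.get("password"): raise AnsibleOptionsError("either 'token' or both 'username' and 'password' must be provided")`, using whichever error class the plugin already imports, so the failure names the missing option instead of surfacing as an SDK error. Note also that an empty-string `token` silently falls through to the password grant because of the truthiness test on `server_parameters.get("token")`; that matches the `domain` handling but deserves a one-line comment.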
@@ -238,6 +273,7 @@ class LookupModule(LookupBase):
username=self.get_option("username"),
password=self.get_option("password"),
domain=self.get_option("domain"),
+ token=self.get_option("token"),
api_path_uri=self.get_option("api_path_uri"),
token_path_uri=self.get_option("token_path_uri"),
)