* Fix path detection for gopass
As per fc8c9a2286/docs/features.md (initializing-a-password-store), gopass defaults to ~/.local/share/gopass/stores/root for its password store root location.
However, the user can also override this, and this will be stored in the gopass config file (ed7451678c/docs/config.md (configuration-options)).
This patch ensures that the config setting in gopass is respected, falling back to the default gopass path. pass' behaviour remains unchanged.
* Formatting improvements
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add changelog fragment
* Formatting improvement
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
* Do not ignore tld option in DSV lookup plugin
* add changelog fragment
* Update changelogs/fragments/4911-dsv-honor-tld-option.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* passwordstore: Make compatible with shims, add backend config
This allows using the passwordstore plugin with scripts that wrap other
password managers. Also adds an explicit configuration (`backend` in
`ini` and `passwordstore_backend` in `vars`) to set the backend to `pass`
(the default) or `gopass`, which allows using gopass as the backend
without the need of a wrapper script. Please be aware that gopass
support is currently limited, but will work for basic operations.
Includes integrations tests.
Resolves#4766
* Apply suggestions from code review
* Remove support for the DLV record as the registry was decomissioned
The DLV registry was decomissioned in 2017 (https://www.isc.org/blogs/dlv/) so it's high time we remove support for DLV records.
* Remove DLV deprecation.
Co-authored-by: Felix Fontein <felix@fontein.de>
* Get first found configuration file
There are three valid places to get the configuration.
https://developer.1password.com/docs/cli/about-biometric-unlock#remove-old-account-information
* Use common config class
* Add changelog fragment
* Explicitly use new style classes for Python 2.7 compatibility
This shouldn’t matter for lookups, but does matter for module_utils
and modules since Python 2.7 is still supported on the managed node.
* Update changelogs/fragments/4065-onepassword-config.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add error handling to check correct SDK version installed
* Fix CI errors
* Added changelog fragment
* Changed exeption type
* Update changelogs fragment
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* passwordstore: Add configurable locking
Passwordstore cannot be accessed safely in parallel, which causes
various issues:
- When accessing the same path, multiple different secrets are
returned when the secret didn't exist (missing=create).
- When accessing the same _or different_ paths, multiple pinentry
dialogs will be spawned by gpg-agent sequentially, having to enter
the password for the same gpg key multiple times in a row.
- Due to issues in gpg dependencies, accessing gpg-agent in parallel
is not reliable, causing plays to fail (this can be fixed by adding
`auto-expand-secmem` to _~/.gnupg/gpg-agent.conf_ though).
These problems have been described in various github issues in the past,
e.g., ansible/ansible#23816 and ansible/ansible#27277.
This cannot be worked around in playbooks by users in a non-error-prone
way.
It is addressed by adding new configuration options:
- lock:
- readwrite: Lock all operations
- write: Only lock write operations (default)
- none: Disable locking
- locktimeout: Time to wait for getting a lock (s/m/h suffix)
(defaults to 15m)
These options can also be set in ansible.cfg, e.g.:
[passwordstore_lookup]
lock=readwrite
locktimeout=30s
Also, add a note about modifying gpg-agent.conf.
* Tidy up locking config
There is no reason why lock configuration should be part of self.paramvals.
Now locking and its configuration happen all in one place.
* Change timeout description wording to the suggested value.
* Rearrange plugin setup, apply PR feedback
The passwordstore lookup plugin depends on parsing GnuPG's
error messages in English language. As a result, detection of
a specific error failes when users set a different locale.
This change corrects this by setting the `LANGUAGE` environment
variable to `C` when invoking `pass`, as this only affects
gettext translations.
See
https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html
Given a password stored in _path/to/secret_, requesting the password
_path/to_ will literally return `path/to`. This can lead to using
weak passwords by accident/mess up logic in code, based on the
state of the password store.
This is worked around by applying the same logic `pass` uses:
If a password was returned, check if there is a .gpg file it could
have come from. If not, treat it as missing.
Fixesansible-collections/community.general#4185
* Added token parameter for AccessTokenAuthorizer
Parameters username and password are not required anymore because of
this.
* Added changelog fragments
* Apply suggestions from code review
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* token authorizer is prioritized
token authorizer is prioritized when token parameter is set
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
* domain optional if token not provided
* Updated examples
- `base_url` is required everywhere
- examples for user, name + domain authorization included
- token authorization included
* Update 3327-tss-token-authorization.yml
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add option for retry_servfail
cf. https://dnspython.readthedocs.io/en/latest/resolver-class.html#dns.resolver.Resolver.retry_servfail
Setting this option to `True` allows for the possibility of the lookup plugin to retry and thereby recover from potentially transient lookup failures, which would otherwise cause the task or play to bail with an unrecoverable exception.
* Create 3247-retry_servfail-for-dig
* documentation for `retry_servfail` option
* Rename 3247-retry_servfail-for-dig to 3247-retry_servfail-for-dig.yaml
* fix whitespace
* Update plugins/lookup/dig.py
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Update plugins/lookup/dig.py
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* rm try/except block
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Added fix for bug report in issue #3192
* Added changelog fragment
* Typo fix
* Added Importerror to exception - as req by linters
* Moved the conditional import statement to try/except block
* Updated the plugin to reflect breaking changes introduced in the underlying SDK v1.0.0 update.
* Added Changelog fragment
* Updates based on feedback/review
* Added newline to pass CI
* Added whitepace for linter
* Update changelogs/fragments/3139-tss-lookup-plugin-update-to-make-compatible-with-sdk-v1.yml
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* added utf-8 markers to all .py files in plugins/filter
* added utf-8 markers to all .py files in plugins/inventory
* added utf-8 markers to all .py files in plugins/lookup
* Wire token param into consul_api #2124
* Update changelogs/fragments/2124-consul_kv-pass-token.yml
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
* #2124 renamed release fragment to match pr, removed parse_params.
* putting look back in, do some linting #2124
* try more linting
* linting
* try overwriting defaults in parse_params with get_option vals, instead of removing that function completely.
* Revert "back to start, from 2nd approach: allow keyword arguments via parse_params for compatibility."
This reverts commit 748be8e366.
* Revert " linting"
This reverts commit 1d57374c3e.
* Revert " try more linting"
This reverts commit 91c8d06e6a.
* Revert "putting look back in, do some linting #2124"
This reverts commit 87eeec7180.
* Revert " #2124 renamed release fragment to match pr, removed parse_params."
This reverts commit d2869b2f22.
* Revert "Update changelogs/fragments/2124-consul_kv-pass-token.yml"
This reverts commit c50b1cf9d4.
* Revert "Wire token param into consul_api #2124"
This reverts commit b60b6433a8.
* minimal chnages for this PR relative to current upstream.
* superfluous newline in changlog fragment.
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Add ability to ignore error on missing pass file to allow processing the
output further via another filters (mainly the default filter) without
updating the pass file itself.
It also contains the option to create the pass file, like the option
create=true does.
Finally, it also allows to issue a warning only, if the pass file is not
found.
* Add dependent lookup plugin.
* Use correct YAML booleans.
* Began complete rewrite.
* Only match start of error msg.
* Improve tests.
* Work around old Jinja2 versions.
* Fix metadata.
* Fix filter name.
* convert string returned by plugin to unicode
* add changelog fragment
* fix changelog format
* fix changelog format yet again
Co-authored-by: Anubhav Chakraborty <anubchak@cisco.com>
* with_filetree: use splitext for compatibility with template
The example code given deploys files with their .j2 extensions intact, which is probably not what you want.
* Explain how templates interact with splitext|first
* Update plugins/lookup/filetree.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Don't encourage setting the mode of symlinks
On ext4, maybe most filesystems, symlinks always have the artificial mode of 0777, and `chmod $mode $symlink` *writes through* the symlink to its target file.
An effect of this is that if you deploy a file and a symlink to it (e.g. this common situation: /etc/nginx/sites-available/default and /etc/nginx/sites-enabled/default -> ../sites-available/default) then `with_filetree` will forever first deploy the file with the right mode, then corrupt its mode to 0777, and every redeploy will see a change to fix, forever in a loop.
Probably `file:` should refuse `mode:` on `state: link`s, but in the meantime, avoid recommending it in `filetree`
* Use `follow: false` instead of just the mode.
This should be more cross-compatible.
https://github.com/ansible-collections/community.general/pull/2285#discussion_r616571873
* Update plugins/lookup/filetree.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Adding another example for tss lookup
A more detailed example using self-hosted secrets server as investigated in #1943
* Update plugins/lookup/tss.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Better line breaking
* Update plugins/lookup/tss.py
Seconded!
Co-authored-by: Felix Fontein <felix@fontein.de>
* Remove newline to pass tests
* Update plugins/lookup/tss.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* fix passwordstore.py to be compatible with gopass.
...even when used with create=true.
The same output snippet matches for both, `pass` and `gopass`, but while `pass` returns `1` on a non-existant password, `gopass` returns `10`, or `11`, depending on whether a similar named password was stored.
So I'd propose to change `e.returncode == 1` to `e.returncode != 0` to cover both cases here.
What do you think?
* Update passwordstore.py, fix typo
* Add changelog fragment.
* Update changelogs/fragments/1589-passwordstore-fix-passwordstore.py-to-be-compatible-with-gopass.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update changelogs/fragments/1589-passwordstore-fix-passwordstore.py-to-be-compatible-with-gopass.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Find the password field out of the fields list
With the command line utility `op` version 1.8, the password field exists, while the fields list is empty. This will look for the desired field without it being listed in the fields list.
* Add changelog fragment
* Update changelogs/fragments/1610-bugfix-onepassword-lookup-plugin.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/onepassword.py
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update tss.py - multiline for an example
Extended line runs past the side of the browser window
* Moved multiline to after the msg.
Cannot believe I missed that again.
* Updated tss.py
Using > as multiline joiner with spaces
* Remove Google cloud plugins migrated to community.google
* Remove another symlink
* Fix typo for community.general version
* Update changelogs/fragments/1319-google-migration-removal.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update changelogs/fragments/1319-google-migration-removal.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add fragment for inventory script
* fix yaml formatting
* adjust past relnotes in accordance with removal of google plugins
Co-authored-by: Felix Fontein <felix@fontein.de>
* Added umask option to passwordstore lookup plugin.
* Added umask documentation and changelog fragment.
* Added default values to paramvals within the run method.
* removed blank lines (PEP8)
* Update changelogs/fragments/lookup-passwordstore-umask.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/passwordstore.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update changelogs/fragments/lookup-passwordstore-umask.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* passwordstore lookup plugin: changelog fragment update
* passing environment variables to subprocess.Popen()
* Update plugins/lookup/passwordstore.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* rm trailing whitespace
* Don't force default umask in the plugin, pass will take care of this.
* remove default from the documentation string
* remove trailing whitespaces
* prevent KeyErrors when checking if key exits in paramvals.
* Update plugins/lookup/passwordstore.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Fix for TypeError
* revert back to old directory test
Co-authored-by: bratw0rst <c.chmiel@speakup.nl>
Co-authored-by: Felix Fontein <felix@fontein.de>
As per the plugin documentation and the Hashicorp Vault documentation (https://www.vaultproject.io/docs/auth/approle#secretid)
secret_id is not mandatory.
Moreover, using this lookup plugin without a secret_id used to work in
Ansible 2.9.
Co-authored-by: Jonathan Piron <jonathanpiron@gmail.com>
* Add support for Hashicorp Vault JWT auth
* Add support for HashiCorp Vault JWT auth (continued)
Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
Co-authored-by: Mike Brancato <mike@mikebrancato.com>
Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
* callback_type -> type.
* Mark authors as unknown.
* Add author field forgotten in #627.
* Fix author entries.
* Add author field forgotten in #127.
* Fix some types.
As per https://learn.hashicorp.com/tutorials/vault/namespaces, setting VAULT_NAMESPACE env var is a completely supported mechanism to make all vault command use said namespace, so hashi_vault lookup function should do the same.
Co-authored-by: Holt Wilkins <hwilkins@palantir.com>
* Fix deprecation of callables.
* Fix various sanity errors.
* Revert callback_type -> type transform.
* Fix stat_result times: these are float according to https://github.com/python/typeshed/blob/master/stdlib/3/os/__init__.pyi
* Apply suggestions from code review
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* Add the Thycotic Secret Server lookup plugin.
* Update plugins/lookup/tss.py
Co-Authored-By: Felix Fontein <felix@fontein.de>
* Fix import error check per code review.
* Apply suggestions from code review
Co-Authored-By: Felix Fontein <felix@fontein.de>
* Trivial changes based on suggestions from code review.
* Add a unittest for plugins/lookup/tss.py
* Add copyrights.
* Fixed formatting bug in test_tss.py
* Fix formatting bugs in tss.py and test_tss.py
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* - Redirecting to correct collection
- Removing the plugin and adding changelog and deprecation
* Making suggested changes
* Earlier version on leftovers
* Update changelogs/fragments/cyberarkconjur-removal.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* suppress exceptions for optional env variables
* Options handling switched to "get_option" approach
* Put back _raw option for documentation purposes
* Fix url option description
* remove ini section
* Docs fixed
* force rebuild to fix aix tests
* Point returned in order to have full sentence in description
* Add general arguments fix information to changelog fragments
* Add PR link to changelog fragments
Co-authored-by: Felix Fontein <felix@fontein.de>
* Fix port/scheme handlng in case they weren't provided in URL argument
* Add argument type for url
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Denis Savenko <denis.savenko@tonicforhealth.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Adjust deprecation versions.
* Remove redirects that are already made in ansible/ansible's ansible_builtin_runtime.yml
* Remove modules that were moved to the google.cloud collection according to ansible/ansible's ansible_builtin_runtime.yml.
* The _info module is in google.cloud.
* The gcp doc_fragment is a copy of the one in google.cloud and is only used by one lookup. Mark as deprecated/internal.
* Remove entries of modules that no longer exist.
* Update ignore.txt.
* Try to fix test.
* Remove debug output.
* Add version_added: 1.0.0 for all new features added before pre-ansible-base.
* Add version_added: 1.0.0 for all new features.
* Next release will be 0.2.0
* Fix error.
* Remove unnecessary warnings.
* add sops lookup plugin
* fix pylint
* fix undefined encrypted_file variable
* decode sops output as text by default
* add variable to control decrypted content print in logs
* use Sops class decryption method
* lookup should return text, use appropriate ansible facility
* use ansible.module_utils._text.to_native
As required by Ansible documentation on [raising errors][raising-errors]
from plugins, use to_native to wrap errors to ensure string compatibility
between Python versions.
[raising-errors]: https://docs.ansible.com/ansible/latest/dev_guide/developing_plugins.html#id3
* use with_items instead of with_file in sops lookup documentation
[with_file][with-file], per Ansible documentation, returns the content of
the file. As sops is not able to decrypt a string by itself but requires
the file is passed as argument, passing the content breaks the lookup
plugin as reported by [here][bug-report].
[with_items][with-items] should be used instead.
[with-file]: https://docs.ansible.com/ansible/2.4/playbooks_loops.html#looping-over-files
[with-items]: https://docs.ansible.com/ansible/2.4/playbooks_loops.html#standard-loops
[bug-report]: https://github.com/ansible/ansible/pull/59639#issuecomment-540803722
* uniform sops exception handling between plugins
* Apply suggestions from code review
Co-Authored-By: Felix Fontein <felix@fontein.de>
* remove sops lookup plugin print option
Is no longer possible to print the decrypted secrets directly from this
plugin, but `debug` module can be used instead.
* add github handle to author
* add setup_sops integration target
* extract sops module
* add lookup_sops integration tests
* use sops module
* Update plugins/module_utils/sops.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/module_utils/sops.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/sops.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/module_utils/sops.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/module_utils/sops.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update test/integration/targets/lookup_sops/tasks/ubuntu.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/module_utils/sops.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update test/integration/targets/lookup_sops/files/simple.sops.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Adding aliases file
* Emtpy spaces
* Update plugins/lookup/sops.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/sops.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/sops.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update test/integration/targets/lookup_sops/tasks/ubuntu.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/sops.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update test/integration/targets/lookup_sops/tasks/ubuntu.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update test/integration/targets/lookup_sops/tasks/ubuntu.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* gpg -> gnupg2
* with_items -> loop
* Move error logic to module_utils.
* Make Sops.decrypt() also handle errors and decode output.
* Improve error handling.
* Improve example formatting.
* Reorganize tests.
* Add test.
* Remove version_added.
Co-authored-by: Edoardo Tenani <edoardo.tenani@protonmail.com>
Co-authored-by: Edoardo Tenani <edoardo.tenani@gmail.com>
Co-authored-by: Edoardo T <endorama@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>