When parsing a vaulttext blob, use .splitlines()
instead of split(b'\n') to handle \n newlines and
windows style \r\n (CRLF) new lines.
The vaulttext enevelope at this point is just the header line
and a hexlify()'ed blob, so CRLF is a valid newline here.
Fixes#22914
The AnsiBallZ wrapper is transferred to the remote machine with
a filename similar to the Ansible-module it runs. For modules like copy
and tempfile, this can end up conflicting with stdlib modules on the
remote machine depending on how python is setup there. We have a little
bit of code in the wrapper to deal with this by removing the path that
the ansible module resides in from sys.path.
On MacOSX, that code was having a problem. The path the module ends up
in included a symlinked directory so we were looking for a path in
sys.path but we had to look for the unsymlinked path instead.
Fix that by using os.path.realpath() instead of os.path.abspath()
Got removed in arg parsing updates. Now added back in
setup_vault_secrets().
The default value for DEFAULT_VAULT_PASSWORD_FILE was also
set to '~' for some reason, change to to no default.
Add integration tests.
* Added cyberarkpassword lookup plugin
Added cyberarkpassword lookup plugin: It allows to retrieve credentials
(password, sshkey) from CyberArk Digital Vault
* Added Modules: cyberark_authentication & cyberark_user
Added Modules:
- cyberark_authentication: Logon/Logoff to CyberArk Vault
- cyberark_user: user management
These 2 modules use CyberArk Privileged Account Security Web Services
SDK
* Update cyberark_authentication.py
* Update cyberark_user.py
* Removed ternary conditional to comply with 2.4
* Replaced usage of iteritems() for items() to comply with python3
* PEP8 Updates
* Fixed Doc Issues
* Doc Fixes
* More Doc Fixes
* Removing cyberark_user module, and cyberark lookup plugin
for initial approval of PR, and continue with 2 different PRs after PR
#21764 is approved.
* PEP8 Fixes
* Moved cyberark modules to identity category
From IRC #ansible-devel recommendation (@bcoca) I moved cyberark to
identity category so the authorized maintainers can provide feedback
and move it forward.
* Updates based on community_review by bjolivot
- Updated description lines to have full stops in the documentation
section.
- changed file to use delimiter-separated words instead of camel case
- Updated AnsibleModule module_spec parameters to use
mutually_exclusive, required_if and required_together parameters to
avoid manual validation of the parameters.
- Added comments for more readability.
- Removed “required”: false as they are implicit.
- Enhanced check_mode handling.
* PEP8 Updates
* Updates based on IRC Feedback June 6
* Fixed description for token item
* Fixed Documentation RETURN string
* Fixed PEP8 W291 trailing whitespace
* Changes based on feedback from community review
* Added import to_text from ansible.module_utils._text
* Updates based on recommendation from community
* Changed Exception for Error in friendly messages in try/except blocks
* Updates based on community review (bcoca & dagwieers)
* Fixed httplib for python3 (http.client)
If we don't use more than one vault-id, and we use
--ask-vault-pass, instead of using the new vault prompt
format ('Vault password (my_vault_id): ') we use the old
one ('Vault password: ').
This avoids confusing Tower when it needs to detect an
interactive vault password prompt.
This also potentially could allow vault password prompts
to be customized per vault_id.
* Added new module interfaces_file
* interfaces_file: added unit tests
* interfaces_file: added golden files for unit tests
* interfaces_file: moved to system modules
* interfaces_file: fixed code formatting and convention issues
* New module redshift_facts
Gather facts about aws Redshift cluster(s).
* Fix she-bang, PEP8 violations, and ansible metadata.
* Bump version_added to "2.4"
* Fix some typos and add supporting check mode
* Fix type of RETURN fields
Fix type of RETURN fields number_of_nodes and
automated_snapshot_retention_period from integer to int.
* Add traceback information to fail_json()
* ios implementation for net_interface
* ios_interface implementation
* ios_interface integration test
* net_interface integration test for ios and other refactor
* Update boilerplate and minor refactor
* Add command_timeout timer that defines the amount
of time to wait for a command or RPC call before
timing out.
* Remove connect_retries and connect_interval configuration
varaible and replace it with connect_retry_timeout to control
the timeout value of connection to local scoket.
* Make required changes to netowrk action plugins and relevant
network files in module_utils.
* Required documentation changes.
* Fixed Retrieving All IPv4 Addresses on L3 Interfaces
The ios_facts module retrieving the interface subnet, would only get the primary IPv4 address on the interface and would not capture all the secondary IPs (ones that I would be set by "ip address x.x.x.x x.x.x.x secondary").
This was tested and confirmed to work on a Cisco 6500 with IOS 15.1(2)SY6.
* Fixed whitespace and if statement issues for sanity.
* Fixed spacing because sanity.
* Add 2.0-2.3 facts api compat (ansible_facts(), get_all_facts())
These are intended to provide compatibilty for modules that
use 'ansible.module_utils.facts.ansible_facts' and
'ansible.module_utils.facts.get_all_facts' from 2.0-2.3 facts
API.
Fixes#25686
Some related changes/fixes needed to provide the compat api:
* rm ansible.constants import from module_utils.facts.compat
Just use a hard coded default for gather_subset/gather_timeout
instead of trying to load it from non existent config if the
module params dont include it.
* include 'external' collectors in compat ansible_facts()
* Add facter/ohai back to the valid collector classes
facter/ohai had gotten removed from the default_collectors
class used as the default list for all_collector_classes by
setup.py and compat.py
That made gather_subset['facter'] fail.
* Add aggregate parameter validation
aggregate parameter validation will support checking each individual dict
to resolve conditions for aliases, no_log, mutually_exclusive,
required, type check, values, required_together, required_one_of
and required_if conditions in argspec. It will also set default values.
eg:
tasks:
- name: Configure interface attribute with aggregate
net_interface:
aggregate:
- {name: ge-0/0/1, description: test-interface-1, duplex: full, state: present}
- {name: ge-0/0/2, description: test-interface-2, active: False}
register: response
purge: Yes
Usage:
```
from ansible.module_utils.network_common import AggregateCollection
transform = AggregateCollection(module)
param = transform(module.params.get('aggregate'))
```
Aggregate allows supports for `purge` parameter, it will instruct the module
to remove resources from remote device that hasn’t been explicitly
defined in aggregate. This is not supported by with_* iterators
Also, it improves performace as compared to with_* iterator for network device
that has seperate candidate and running datastore.
For with_* iteration the sequence of operartion is
load-config-1 (candidate db) -> commit (running db) -> load_config-2
(candidate db) -> commit (running db) ...
With aggregate the sequence of operation is
load-config-1 (candidate db) -> load-config-2 (candidate db) -> commit
(running db)
As commit is executed only once per task for aggregate it has
huge perfomance benefit for large configurations.
* Fix CI issues
* Fix review comments
* Add support for options validation for aliases, no_log,
mutually_exclusive, required, type check, value check,
required_together, required_one_of and required_if
conditions in sub-argspec.
* Add unit test for options in argspec.
* Reverted aggregate implementaion.
* Minor change
* Add multi-level argspec support
* Multi-level argspec support with module's top most
conditionals options.
* Fix unit test failure
* Add parent context in errors for sub options
* Resolve merge conflict
* Fix CI issue
* Make camel_to_snake work on capitalized plurals
`TargetGroupARNs` should become `target_group_arns`, not
`target_group_ar_ns`
Promote `camel_to_snake` to top layer function but prefix
it with an underscore.
Add tests for improved `_camel_to_snake` function.
Reduce use of `re.compile` as it makes no sense when the
compilation result is not reused.
* Remove unused LooseVersion check
* Fix PLURALs case for camel_to_snake
Also renamed EXPECTED_CAMELIZATION to EXPECTED_SNAKIFICATION
* iosxr implemetation for net_interface
* iosxr_interface implementation
* Add integration test
* iosxr_interface integration test
* net_interface intergration test for iosxr
* update boilerplate
* Added priority attribute for pool members (bigip_pool_member module)
* Line break missing
* Change from 'priority' to 'priority_group'
* Update bigip_pool_member.py
* Update bigip_pool_member.py
Currently socket path is send from `ansible-connection` (running as background
process) over stdout. This can conflict with debug logs that are also send on
stdout resulting in incorrect socket path received by the main process.
To avoid this add a socket path delimiter string which is recevied by
main process and socket path is retrieved based on delimiter string.
This implementation will change in future when ansible-connection
framework is made more robust.
* Add new notification module: BearyChat integration
BearyChat (https://bearychat.com) is a Slack alternative service.
* Remove implicit args and change position of module.fail
* Update the metadata of bearychat module
* Add tests for group in a VPC
* Improve ec2_group output and documentation
Update ec2_group to provide full security group information
Add RETURN documentation to match
* Fix ec2_group creation within a VPC
Ensure VPC ID gets passed when creating security group
* Add test for auto creating SG
* Fix ec2_group auto group creation
* Add backoff to describe_security_groups
Getting LimitExceeded from describe_security_groups is definitely
possible (source: me) so add backoff to increase likelihood of
success.
To ensure that all `describe_security_group` calls are backed off,
remove implicit ones that use `ec2.SecurityGroup`. From there,
the decision to remove the `ec2` boto3 resource and rely on the client
alone makes good sense.
* Tidy up auto created security group
Add resource_prefix to auto created security group and delete
it in the `always` section.
Use YAML argument form for all module parameters
* win_service: added support for paused services
* change pausable service for local computers
* more fixes for older hosts
* sigh
* skip pause tests for Server 2008 as it relies on the service
* Add reference to VNET resource group
When creating a new virtual machine, added new parameter to allow creation of VM in a resource group using virtual network from another resource group
* Fixed white space errors
Was getting compialtion errors with code and just went around and cleaned up extra white spaces and such.
* Re-fixed more white space issues
* Fixed Version Number for new parameter
* specified exceptions
Use clouderror instead of exceptions for finidng virtual network
* Simplified code lines
created a local variable to either use the VNET resource group or the VM resource group and then used whichever was available as a parameter
* fixed syntax issue with newline
...hopefully
* removed superfluous default/required from docs
* fix vm_size default
Archive.py allows you to pass a glob path of files to archive.
This allows end users to glob a dir, and exlude a list of dirs
from the archive which are not necessary.
* initial commit for win_group_member module
* fix variable name change for split_adspath
* correct ordering of examples/return data to match documentation verbiage
* change tests setup/teardown to use new group rather than an inbult group
* New Module: Manage Avi Networks AlertScriptConfig (network/avi/avi_alertscriptconfig)
* updated example to not include python import as it fails sanity test
* ACI module_utils library for ACI modules
This PR includes:
- the ACI argument_spec
- an aci_login function
- an experimental aci_request function
- an aci_response function
- included the ACI team
* New prototype using ACIModule
This PR includes:
- A new ACIModule object with various useful methods
Made the following changes:
* Removed wildcard imports
* Replaced long form of GPL header with short form
* Removed get_exception usage
* Added from __future__ boilerplate
* Adjust division operator to // where necessary
For the following files:
* web_infrastructure modules
* system modules
* linode, lxc, lxd, atomic, cloudscale, dimensiondata, ovh, packet,
profitbricks, pubnub, smartos, softlayer, univention modules
* compat dirs (disabled as its used intentionally)
Absolute path trailing slash handling in absolute directories
find_needle() isn't passing a trailing slash through verbatim. Since
copy uses that to determine if it should copy a directory or just the
files inside of it, we have to detect that and restore it after calling
find_needle()
Fixes#27439
* add_hosts.py: Fix add_host does not recognise 'host' alias
* add_hosts.py: add note in documentation that 'hosts' alias of name parameter is only available on >=2.4
Fixes#13243
** Add --vault-id to name/identify multiple vault passwords
Use --vault-id to indicate id and path/type
--vault-id=prompt # prompt for default vault id password
--vault-id=myorg@prompt # prompt for a vault_id named 'myorg'
--vault-id=a_password_file # load ./a_password_file for default id
--vault-id=myorg@a_password_file # load file for 'myorg' vault id
vault_id's are created implicitly for existing --vault-password-file
and --ask-vault-pass options.
Vault ids are just for UX purposes and bookkeeping. Only the vault
payload and the password bytestring is needed to decrypt a
vault blob.
Replace passing password around everywhere with
a VaultSecrets object.
If we specify a vault_id, mention that in password prompts
Specifying multiple -vault-password-files will
now try each until one works
** Rev vault format in a backwards compatible way
The 1.2 vault format adds the vault_id to the header line
of the vault text. This is backwards compatible with older
versions of ansible. Old versions will just ignore it and
treat it as the default (and only) vault id.
Note: only 2.4+ supports multiple vault passwords, so while
earlier ansible versions can read the vault-1.2 format, it
does not make them magically support multiple vault passwords.
use 1.1 format for 'default' vault_id
Vaulted items that need to include a vault_id will be
written in 1.2 format.
If we set a new DEFAULT_VAULT_IDENTITY, then the default will
use version 1.2
vault will only use a vault_id if one is specified. So if none
is specified and C.DEFAULT_VAULT_IDENTITY is 'default'
we use the old format.
** Changes/refactors needed to implement multiple vault passwords
raise exceptions on decrypt fail, check vault id early
split out parsing the vault plaintext envelope (with the
sha/original plaintext) to _split_plaintext_envelope()
some cli fixups for specifying multiple paths in
the unfrack_paths optparse callback
fix py3 dict.keys() 'dict_keys object is not indexable' error
pluralize cli.options.vault_password_file -> vault_password_files
pluralize cli.options.new_vault_password_file -> new_vault_password_files
pluralize cli.options.vault_id -> cli.options.vault_ids
** Add a config option (vault_id_match) to force vault id matching.
With 'vault_id_match=True' and an ansible
vault that provides a vault_id, then decryption will require
that a matching vault_id is required. (via
--vault-id=my_vault_id@password_file, for ex).
In other words, if the config option is true, then only
the vault secrets with matching vault ids are candidates for
decrypting a vault. If option is false (the default), then
all of the provided vault secrets will be selected.
If a user doesn't want all vault secrets to be tried to
decrypt any vault content, they can enable this option.
Note: The vault id used for the match is not encrypted or
cryptographically signed. It is just a label/id/nickname used
for referencing a specific vault secret.