passwordstore plugin: vendor FileLock that was removed from ansible-core devel (#6447)
Vendor FileLock that was removed from ansible-core devel.
(cherry picked from commit c58dda14c2)
Co-authored-by: Felix Fontein <felix@fontein.de>
stop passing loader/dataloader since it has been deprecated by ansible (#6074)
* stop passing loader/dataloader since it has been deprecated by ansible
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add changelog fragment
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* explicitly pass None to keep compatibility to older Ansible versions
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use try/except to keep things compatible
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Update plugins/lookup/cartesian.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/flattened.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/flattened.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/cartesian.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update changelogs/fragments/6074-loader_in_listify.yml.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit b64929118e)
Co-authored-by: schurzi <github@drachen-server.de>
Clarify Error message when bitwarden vault not unlocked (#5811)
* Clarify Error message when vault not unlocked
You can be logged into the Bitwarden-CLI, but it can still be locked. This took me several hours to debug, since every time I ran 'bw login' it told me, that I am already logged in.
If you run 'bw unlock' without being logged in, you are prompted to log in.
This clarifies the Error occurring and can drastically reduce debugging time, since you don't have to look into the source code to get an understanding of whats wrong.
* RM: negation
Nobody needs negation
* Update function name
* FIX: tests
* ADD: changelog
* Update changelogs/fragments/5811-clarify-bitwarden-error.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit bf117c839c)
Co-authored-by: Christoph <29735603+Chr1s70ph@users.noreply.github.com>
* Clearer error logging in passwordstore lookup
* Add changelog fragment for passwordstore errmsgs
Co-authored-by: Sylvia van Os <sylvia@hackerchick.me>
(cherry picked from commit e4b9e098c7)
Co-authored-by: Jan-Philipp Litza <jplitza@users.noreply.github.com>
* bitwarden: Add field to search for all item attributes, instead of only name.
* bitwarden: Add change to changelog.
* bitwarden: Update changelog entry.
* Update changelogs/fragments/5297-bitwarden-add-search-field.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/bitwarden.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/bitwarden.py
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Ole Pannbacker <opannbacker@cronon.net>
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 394647df84)
Co-authored-by: betuxy <72452886+betuxy@users.noreply.github.com>
* Move licenses to LICENSES/, run add-license.py, add LICENSES/MIT.txt.
* Replace 'Copyright:' with 'Copyright'
sed -i 's|Copyright:\(.*\)|Copyright\1|' $(rg -l 'Copyright:')
Co-authored-by: Maxwell G <gotmax@e.email>
(cherry picked from commit 123c7efe5e)
Co-authored-by: Felix Fontein <felix@fontein.de>
* Fix returnall for gopass
Gopass was always given the --password flag, despite there being no need for this.
* Add changelog fragment
Co-authored-by: Sylvia van Os <sylvia.van.os@politie.nl>
(cherry picked from commit 3eb29eb4b6)
Co-authored-by: Sylvia van Os <sylvia@hackerchick.me>
with default False for backwards compatibility.
Allows fail-fast behavior on lookup failures instead of returning strings and continuing.
(cherry picked from commit 2662bc881f)
Co-authored-by: Benjamin <1982589+tumbl3w33d@users.noreply.github.com>
* Fix path detection for gopass
As per fc8c9a2286/docs/features.md (initializing-a-password-store), gopass defaults to ~/.local/share/gopass/stores/root for its password store root location.
However, the user can also override this, and this will be stored in the gopass config file (ed7451678c/docs/config.md (configuration-options)).
This patch ensures that the config setting in gopass is respected, falling back to the default gopass path. pass' behaviour remains unchanged.
* Formatting improvements
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add changelog fragment
* Formatting improvement
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
(cherry picked from commit c31e6413f2)
Co-authored-by: Sylvia van Os <sylvia@hackerchick.me>
* Do not ignore tld option in DSV lookup plugin
* add changelog fragment
* Update changelogs/fragments/4911-dsv-honor-tld-option.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 7ffa2b525c)
Co-authored-by: andrii-zakurenyi <85106843+andrii-zakurenyi@users.noreply.github.com>
* passwordstore: Make compatible with shims, add backend config
This allows using the passwordstore plugin with scripts that wrap other
password managers. Also adds an explicit configuration (`backend` in
`ini` and `passwordstore_backend` in `vars`) to set the backend to `pass`
(the default) or `gopass`, which allows using gopass as the backend
without the need of a wrapper script. Please be aware that gopass
support is currently limited, but will work for basic operations.
Includes integrations tests.
Resolves#4766
* Apply suggestions from code review
(cherry picked from commit 006f3bfa89)
Co-authored-by: grembo <freebsd@grem.de>
* Get first found configuration file
There are three valid places to get the configuration.
https://developer.1password.com/docs/cli/about-biometric-unlock#remove-old-account-information
* Use common config class
* Add changelog fragment
* Explicitly use new style classes for Python 2.7 compatibility
This shouldn’t matter for lookups, but does matter for module_utils
and modules since Python 2.7 is still supported on the managed node.
* Update changelogs/fragments/4065-onepassword-config.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add error handling to check correct SDK version installed
* Fix CI errors
* Added changelog fragment
* Changed exeption type
* Update changelogs fragment
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* passwordstore: Add configurable locking
Passwordstore cannot be accessed safely in parallel, which causes
various issues:
- When accessing the same path, multiple different secrets are
returned when the secret didn't exist (missing=create).
- When accessing the same _or different_ paths, multiple pinentry
dialogs will be spawned by gpg-agent sequentially, having to enter
the password for the same gpg key multiple times in a row.
- Due to issues in gpg dependencies, accessing gpg-agent in parallel
is not reliable, causing plays to fail (this can be fixed by adding
`auto-expand-secmem` to _~/.gnupg/gpg-agent.conf_ though).
These problems have been described in various github issues in the past,
e.g., ansible/ansible#23816 and ansible/ansible#27277.
This cannot be worked around in playbooks by users in a non-error-prone
way.
It is addressed by adding new configuration options:
- lock:
- readwrite: Lock all operations
- write: Only lock write operations (default)
- none: Disable locking
- locktimeout: Time to wait for getting a lock (s/m/h suffix)
(defaults to 15m)
These options can also be set in ansible.cfg, e.g.:
[passwordstore_lookup]
lock=readwrite
locktimeout=30s
Also, add a note about modifying gpg-agent.conf.
* Tidy up locking config
There is no reason why lock configuration should be part of self.paramvals.
Now locking and its configuration happen all in one place.
* Change timeout description wording to the suggested value.
* Rearrange plugin setup, apply PR feedback
The passwordstore lookup plugin depends on parsing GnuPG's
error messages in English language. As a result, detection of
a specific error failes when users set a different locale.
This change corrects this by setting the `LANGUAGE` environment
variable to `C` when invoking `pass`, as this only affects
gettext translations.
See
https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html
Given a password stored in _path/to/secret_, requesting the password
_path/to_ will literally return `path/to`. This can lead to using
weak passwords by accident/mess up logic in code, based on the
state of the password store.
This is worked around by applying the same logic `pass` uses:
If a password was returned, check if there is a .gpg file it could
have come from. If not, treat it as missing.
Fixesansible-collections/community.general#4185
* Added token parameter for AccessTokenAuthorizer
Parameters username and password are not required anymore because of
this.
* Added changelog fragments
* Apply suggestions from code review
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* token authorizer is prioritized
token authorizer is prioritized when token parameter is set
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
* domain optional if token not provided
* Updated examples
- `base_url` is required everywhere
- examples for user, name + domain authorization included
- token authorization included
* Update 3327-tss-token-authorization.yml
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add option for retry_servfail
cf. https://dnspython.readthedocs.io/en/latest/resolver-class.html#dns.resolver.Resolver.retry_servfail
Setting this option to `True` allows for the possibility of the lookup plugin to retry and thereby recover from potentially transient lookup failures, which would otherwise cause the task or play to bail with an unrecoverable exception.
* Create 3247-retry_servfail-for-dig
* documentation for `retry_servfail` option
* Rename 3247-retry_servfail-for-dig to 3247-retry_servfail-for-dig.yaml
* fix whitespace
* Update plugins/lookup/dig.py
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Update plugins/lookup/dig.py
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* rm try/except block
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Added fix for bug report in issue #3192
* Added changelog fragment
* Typo fix
* Added Importerror to exception - as req by linters
* Moved the conditional import statement to try/except block