mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2025-10-24 13:04:00 -07:00 
			
		
		
		
	[PR #9580/25a262bd backport][stable-10] Create onepassword_ssh_key plugin (#9632)
		
	Create `onepassword_ssh_key` plugin (#9580) * add 1password_ssh_key lookup * refactor * Delete onepassword_ssh_key.py * Revert "Delete onepassword_ssh_key.py" This reverts commite17ff7e232. * Delete onepassword_ssh_key.py * add tests * add test license * cleanup * refactor * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * fix indentation * fix RETURN indentation * use get_option to get ssh_format * linting * update project year in copyright * add plugin to BOTMETA.yml * use OnePassCLIv2's get_raw and use OnePass's token --------- Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit25a262bdcf) Co-authored-by: Mohammed Babelly <mohammed@nevercode.io>
This commit is contained in:
		
					parent
					
						
							
								8e2fa624e0
							
						
					
				
			
			
				commit
				
					
						04b68c296b
					
				
			
		
					 6 changed files with 252 additions and 0 deletions
				
			
		
							
								
								
									
										124
									
								
								plugins/lookup/onepassword_ssh_key.py
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										124
									
								
								plugins/lookup/onepassword_ssh_key.py
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,124 @@ | |||
| # -*- coding: utf-8 -*- | ||||
| # Copyright (c) 2025, Ansible Project | ||||
| # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) | ||||
| # SPDX-License-Identifier: GPL-3.0-or-later | ||||
| 
 | ||||
| from __future__ import annotations | ||||
| 
 | ||||
| DOCUMENTATION = """ | ||||
| name: onepassword_ssh_key | ||||
| author: | ||||
|   - Mohammed Babelly (@mohammedbabelly20) | ||||
| requirements: | ||||
|   - C(op) 1Password command line utility version 2 or later. | ||||
| short_description: Fetch SSH keys stored in 1Password | ||||
| version_added: "10.3.0" | ||||
| description: | ||||
|   - P(community.general.onepassword_ssh_key#lookup) wraps C(op) command line utility to fetch SSH keys from 1Password. | ||||
| notes: | ||||
|   - By default, it returns the private key value in PKCS#8 format, unless O(ssh_format=true) is passed. | ||||
|   - The pluging works only for C(SSHKEY) type items. | ||||
|   - This plugin requires C(op) version 2 or later. | ||||
| 
 | ||||
| options: | ||||
|   _terms: | ||||
|     description: Identifier(s) (case-insensitive UUID or name) of item(s) to retrieve. | ||||
|     required: true | ||||
|     type: list | ||||
|     elements: string | ||||
|   ssh_format: | ||||
|     description: Output key in SSH format if V(true). Otherwise, outputs in the default format (PKCS#8). | ||||
|     default: false | ||||
|     type: bool | ||||
| 
 | ||||
| extends_documentation_fragment: | ||||
|   - community.general.onepassword | ||||
|   - community.general.onepassword.lookup | ||||
| """ | ||||
| 
 | ||||
| EXAMPLES = """ | ||||
| - name: Retrieve the private SSH key from 1Password | ||||
|   ansible.builtin.debug: | ||||
|     msg: "{{ lookup('community.general.onepassword_ssh_key', 'SSH Key', ssh_format=true) }}" | ||||
| """ | ||||
| 
 | ||||
| RETURN = """ | ||||
| _raw: | ||||
|   description: Private key of SSH keypair. | ||||
|   type: list | ||||
|   elements: string | ||||
| """ | ||||
| import json | ||||
| 
 | ||||
| from ansible_collections.community.general.plugins.lookup.onepassword import ( | ||||
|     OnePass, | ||||
|     OnePassCLIv2, | ||||
| ) | ||||
| from ansible.errors import AnsibleLookupError | ||||
| from ansible.plugins.lookup import LookupBase | ||||
| 
 | ||||
| 
 | ||||
| class OnePassCLIv2SSHKey(OnePassCLIv2): | ||||
| 
 | ||||
|     def get_ssh_key(self, item_id, vault=None, token=None, ssh_format=False): | ||||
|         rc, out, err = self.get_raw(item_id, vault=vault, token=token) | ||||
| 
 | ||||
|         data = json.loads(out) | ||||
| 
 | ||||
|         if data.get("category") != "SSH_KEY": | ||||
|             raise AnsibleLookupError(f"Item {item_id} is not an SSH key") | ||||
| 
 | ||||
|         private_key_field = next( | ||||
|             ( | ||||
|                 field | ||||
|                 for field in data.get("fields", {}) | ||||
|                 if field.get("id") == "private_key" and field.get("type") == "SSHKEY" | ||||
|             ), | ||||
|             None, | ||||
|         ) | ||||
|         if not private_key_field: | ||||
|             raise AnsibleLookupError(f"No private key found for item {item_id}.") | ||||
| 
 | ||||
|         if ssh_format: | ||||
|             return ( | ||||
|                 private_key_field.get("ssh_formats", {}) | ||||
|                 .get("openssh", {}) | ||||
|                 .get("value", "") | ||||
|             ) | ||||
|         return private_key_field.get("value", "") | ||||
| 
 | ||||
| 
 | ||||
| class LookupModule(LookupBase): | ||||
|     def run(self, terms, variables=None, **kwargs): | ||||
|         self.set_options(var_options=variables, direct=kwargs) | ||||
| 
 | ||||
|         ssh_format = self.get_option("ssh_format") | ||||
|         vault = self.get_option("vault") | ||||
|         subdomain = self.get_option("subdomain") | ||||
|         domain = self.get_option("domain", "1password.com") | ||||
|         username = self.get_option("username") | ||||
|         secret_key = self.get_option("secret_key") | ||||
|         master_password = self.get_option("master_password") | ||||
|         service_account_token = self.get_option("service_account_token") | ||||
|         account_id = self.get_option("account_id") | ||||
|         connect_host = self.get_option("connect_host") | ||||
|         connect_token = self.get_option("connect_token") | ||||
| 
 | ||||
|         op = OnePass( | ||||
|             subdomain=subdomain, | ||||
|             domain=domain, | ||||
|             username=username, | ||||
|             secret_key=secret_key, | ||||
|             master_password=master_password, | ||||
|             service_account_token=service_account_token, | ||||
|             account_id=account_id, | ||||
|             connect_host=connect_host, | ||||
|             connect_token=connect_token, | ||||
|             cli_class=OnePassCLIv2SSHKey, | ||||
|         ) | ||||
|         op.assert_logged_in() | ||||
| 
 | ||||
|         return [ | ||||
|             op._cli.get_ssh_key(term, vault, token=op.token, ssh_format=ssh_format) | ||||
|             for term in terms | ||||
|         ] | ||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue