mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2025-10-25 13:34:01 -07:00 
			
		
		
		
	[PR #9580/25a262bd backport][stable-10] Create onepassword_ssh_key plugin (#9632)
		
	Create `onepassword_ssh_key` plugin (#9580) * add 1password_ssh_key lookup * refactor * Delete onepassword_ssh_key.py * Revert "Delete onepassword_ssh_key.py" This reverts commite17ff7e232. * Delete onepassword_ssh_key.py * add tests * add test license * cleanup * refactor * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * fix indentation * fix RETURN indentation * use get_option to get ssh_format * linting * update project year in copyright * add plugin to BOTMETA.yml * use OnePassCLIv2's get_raw and use OnePass's token --------- Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit25a262bdcf) Co-authored-by: Mohammed Babelly <mohammed@nevercode.io>
This commit is contained in:
		
					parent
					
						
							
								8e2fa624e0
							
						
					
				
			
			
				commit
				
					
						04b68c296b
					
				
			
		
					 6 changed files with 252 additions and 0 deletions
				
			
		
							
								
								
									
										2
									
								
								.github/BOTMETA.yml
									
										
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								.github/BOTMETA.yml
									
										
									
									
										vendored
									
									
								
							|  | @ -307,6 +307,8 @@ files: | |||
|   $lookups/onepassword_raw.py: | ||||
|     ignore: scottsb | ||||
|     maintainers: azenk | ||||
|   $lookups/onepassword_ssh_key.py: | ||||
|     maintainers: mohammedbabelly20 | ||||
|   $lookups/passwordstore.py: {} | ||||
|   $lookups/random_pet.py: | ||||
|     maintainers: Akasurde | ||||
|  |  | |||
							
								
								
									
										124
									
								
								plugins/lookup/onepassword_ssh_key.py
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										124
									
								
								plugins/lookup/onepassword_ssh_key.py
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,124 @@ | |||
| # -*- coding: utf-8 -*- | ||||
| # Copyright (c) 2025, Ansible Project | ||||
| # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) | ||||
| # SPDX-License-Identifier: GPL-3.0-or-later | ||||
| 
 | ||||
| from __future__ import annotations | ||||
| 
 | ||||
| DOCUMENTATION = """ | ||||
| name: onepassword_ssh_key | ||||
| author: | ||||
|   - Mohammed Babelly (@mohammedbabelly20) | ||||
| requirements: | ||||
|   - C(op) 1Password command line utility version 2 or later. | ||||
| short_description: Fetch SSH keys stored in 1Password | ||||
| version_added: "10.3.0" | ||||
| description: | ||||
|   - P(community.general.onepassword_ssh_key#lookup) wraps C(op) command line utility to fetch SSH keys from 1Password. | ||||
| notes: | ||||
|   - By default, it returns the private key value in PKCS#8 format, unless O(ssh_format=true) is passed. | ||||
|   - The pluging works only for C(SSHKEY) type items. | ||||
|   - This plugin requires C(op) version 2 or later. | ||||
| 
 | ||||
| options: | ||||
|   _terms: | ||||
|     description: Identifier(s) (case-insensitive UUID or name) of item(s) to retrieve. | ||||
|     required: true | ||||
|     type: list | ||||
|     elements: string | ||||
|   ssh_format: | ||||
|     description: Output key in SSH format if V(true). Otherwise, outputs in the default format (PKCS#8). | ||||
|     default: false | ||||
|     type: bool | ||||
| 
 | ||||
| extends_documentation_fragment: | ||||
|   - community.general.onepassword | ||||
|   - community.general.onepassword.lookup | ||||
| """ | ||||
| 
 | ||||
| EXAMPLES = """ | ||||
| - name: Retrieve the private SSH key from 1Password | ||||
|   ansible.builtin.debug: | ||||
|     msg: "{{ lookup('community.general.onepassword_ssh_key', 'SSH Key', ssh_format=true) }}" | ||||
| """ | ||||
| 
 | ||||
| RETURN = """ | ||||
| _raw: | ||||
|   description: Private key of SSH keypair. | ||||
|   type: list | ||||
|   elements: string | ||||
| """ | ||||
| import json | ||||
| 
 | ||||
| from ansible_collections.community.general.plugins.lookup.onepassword import ( | ||||
|     OnePass, | ||||
|     OnePassCLIv2, | ||||
| ) | ||||
| from ansible.errors import AnsibleLookupError | ||||
| from ansible.plugins.lookup import LookupBase | ||||
| 
 | ||||
| 
 | ||||
| class OnePassCLIv2SSHKey(OnePassCLIv2): | ||||
| 
 | ||||
|     def get_ssh_key(self, item_id, vault=None, token=None, ssh_format=False): | ||||
|         rc, out, err = self.get_raw(item_id, vault=vault, token=token) | ||||
| 
 | ||||
|         data = json.loads(out) | ||||
| 
 | ||||
|         if data.get("category") != "SSH_KEY": | ||||
|             raise AnsibleLookupError(f"Item {item_id} is not an SSH key") | ||||
| 
 | ||||
|         private_key_field = next( | ||||
|             ( | ||||
|                 field | ||||
|                 for field in data.get("fields", {}) | ||||
|                 if field.get("id") == "private_key" and field.get("type") == "SSHKEY" | ||||
|             ), | ||||
|             None, | ||||
|         ) | ||||
|         if not private_key_field: | ||||
|             raise AnsibleLookupError(f"No private key found for item {item_id}.") | ||||
| 
 | ||||
|         if ssh_format: | ||||
|             return ( | ||||
|                 private_key_field.get("ssh_formats", {}) | ||||
|                 .get("openssh", {}) | ||||
|                 .get("value", "") | ||||
|             ) | ||||
|         return private_key_field.get("value", "") | ||||
| 
 | ||||
| 
 | ||||
| class LookupModule(LookupBase): | ||||
|     def run(self, terms, variables=None, **kwargs): | ||||
|         self.set_options(var_options=variables, direct=kwargs) | ||||
| 
 | ||||
|         ssh_format = self.get_option("ssh_format") | ||||
|         vault = self.get_option("vault") | ||||
|         subdomain = self.get_option("subdomain") | ||||
|         domain = self.get_option("domain", "1password.com") | ||||
|         username = self.get_option("username") | ||||
|         secret_key = self.get_option("secret_key") | ||||
|         master_password = self.get_option("master_password") | ||||
|         service_account_token = self.get_option("service_account_token") | ||||
|         account_id = self.get_option("account_id") | ||||
|         connect_host = self.get_option("connect_host") | ||||
|         connect_token = self.get_option("connect_token") | ||||
| 
 | ||||
|         op = OnePass( | ||||
|             subdomain=subdomain, | ||||
|             domain=domain, | ||||
|             username=username, | ||||
|             secret_key=secret_key, | ||||
|             master_password=master_password, | ||||
|             service_account_token=service_account_token, | ||||
|             account_id=account_id, | ||||
|             connect_host=connect_host, | ||||
|             connect_token=connect_token, | ||||
|             cli_class=OnePassCLIv2SSHKey, | ||||
|         ) | ||||
|         op.assert_logged_in() | ||||
| 
 | ||||
|         return [ | ||||
|             op._cli.get_ssh_key(term, vault, token=op.token, ssh_format=ssh_format) | ||||
|             for term in terms | ||||
|         ] | ||||
|  | @ -293,3 +293,39 @@ MOCK_ENTRIES = { | |||
|         }, | ||||
|     ], | ||||
| } | ||||
| 
 | ||||
| SSH_KEY_MOCK_ENTRIES = [ | ||||
|     # loads private key in PKCS#8 format by default | ||||
|     { | ||||
|         "vault_name": "Personal", | ||||
|         "queries": ["ssh key"], | ||||
|         "expected": [ | ||||
|             "-----BEGIN PRIVATE KEY-----\n..........=\n-----END PRIVATE KEY-----\n" | ||||
|         ], | ||||
|         "output": load_file("ssh_key_output.json"), | ||||
|     }, | ||||
|     # loads private key in PKCS#8 format becasue ssh_format=false | ||||
|     { | ||||
|         "vault_name": "Personal", | ||||
|         "queries": ["ssh key"], | ||||
|         "kwargs": { | ||||
|             "ssh_format": False, | ||||
|         }, | ||||
|         "expected": [ | ||||
|             "-----BEGIN PRIVATE KEY-----\n..........=\n-----END PRIVATE KEY-----\n" | ||||
|         ], | ||||
|         "output": load_file("ssh_key_output.json"), | ||||
|     }, | ||||
|     # loads private key in ssh format | ||||
|     { | ||||
|         "vault_name": "Personal", | ||||
|         "queries": ["ssh key"], | ||||
|         "kwargs": { | ||||
|             "ssh_format": True, | ||||
|         }, | ||||
|         "expected": [ | ||||
|             "-----BEGIN OPENSSH PRIVATE KEY-----\r\n.....\r\n-----END OPENSSH PRIVATE KEY-----\r\n" | ||||
|         ], | ||||
|         "output": load_file("ssh_key_output.json"), | ||||
|     }, | ||||
| ] | ||||
|  |  | |||
|  | @ -0,0 +1,57 @@ | |||
| { | ||||
|     "id": "wdtryfeh3jlx2dlanqgg4dqxmy", | ||||
|     "title": "ssh key", | ||||
|     "version": 1, | ||||
|     "vault": { | ||||
|       "id": "5auhrjy66hc7ndhe2wvym6gadv", | ||||
|       "name": "Personal" | ||||
|     }, | ||||
|     "category": "SSH_KEY", | ||||
|     "last_edited_by": "LSGPJERUYBH7BFPHMZ2KKGL6AU", | ||||
|     "created_at": "2025-01-10T16:57:16Z", | ||||
|     "updated_at": "2025-01-10T16:57:16Z", | ||||
|     "additional_information": "SHA256:frHmQAgblahD5HHgNj2O714", | ||||
|     "fields": [ | ||||
|       { | ||||
|         "id": "public_key", | ||||
|         "type": "STRING", | ||||
|         "label": "public key", | ||||
|         "value": "ssh-ed255.....", | ||||
|         "reference": "op://Personal/ssh key/public key" | ||||
|       }, | ||||
|       { | ||||
|         "id": "fingerprint", | ||||
|         "type": "STRING", | ||||
|         "label": "fingerprint", | ||||
|         "value": "SHA256:frHmQAgy7zBKeFDxHMW0QltZ/5O4N8gD5HHgNj2O614", | ||||
|         "reference": "op://Personal/ssh key/fingerprint" | ||||
|       }, | ||||
|       { | ||||
|         "id": "private_key", | ||||
|         "type": "SSHKEY", | ||||
|         "label": "private key", | ||||
|         "value": "-----BEGIN PRIVATE KEY-----\n..........=\n-----END PRIVATE KEY-----\n", | ||||
|         "reference": "op://Personal/ssh key/private key", | ||||
|         "ssh_formats": { | ||||
|           "openssh": { | ||||
|             "reference": "op://Personal/ssh key/private key?ssh-format=openssh", | ||||
|             "value": "-----BEGIN OPENSSH PRIVATE KEY-----\r\n.....\r\n-----END OPENSSH PRIVATE KEY-----\r\n" | ||||
|           } | ||||
|         } | ||||
|       }, | ||||
|       { | ||||
|         "id": "key_type", | ||||
|         "type": "STRING", | ||||
|         "label": "key type", | ||||
|         "value": "ed25519", | ||||
|         "reference": "op://Personal/ssh key/key type" | ||||
|       }, | ||||
|       { | ||||
|         "id": "notesPlain", | ||||
|         "type": "STRING", | ||||
|         "purpose": "NOTES", | ||||
|         "label": "notesPlain", | ||||
|         "reference": "op://Personal/ssh key/notesPlain" | ||||
|       } | ||||
|     ] | ||||
|   } | ||||
|  | @ -0,0 +1,3 @@ | |||
| GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) | ||||
| SPDX-License-Identifier: GPL-3.0-or-later | ||||
| SPDX-FileCopyrightText: 2025, Ansible Project | ||||
							
								
								
									
										30
									
								
								tests/unit/plugins/lookup/test_onepassword_ssh_key.py
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										30
									
								
								tests/unit/plugins/lookup/test_onepassword_ssh_key.py
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,30 @@ | |||
| # Copyright (c) 2025 Ansible Project | ||||
| # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) | ||||
| # SPDX-License-Identifier: GPL-3.0-or-later | ||||
| 
 | ||||
| from __future__ import (absolute_import, division, print_function) | ||||
| __metaclass__ = type | ||||
| 
 | ||||
| import json | ||||
| import pytest | ||||
| 
 | ||||
| from .onepassword_common import SSH_KEY_MOCK_ENTRIES | ||||
| 
 | ||||
| from ansible.plugins.loader import lookup_loader | ||||
| 
 | ||||
| 
 | ||||
| @pytest.mark.parametrize( | ||||
|     ("vault", "queries", "kwargs", "output", "expected"), | ||||
|     ( | ||||
|         (item["vault_name"], item["queries"], item.get("kwargs", {}), item["output"], item["expected"]) | ||||
|         for item in SSH_KEY_MOCK_ENTRIES | ||||
|     ) | ||||
| ) | ||||
| def test_ssh_key(mocker, vault, queries, kwargs, output, expected): | ||||
|     mocker.patch("ansible_collections.community.general.plugins.lookup.onepassword.OnePass.assert_logged_in", return_value=True) | ||||
|     mocker.patch("ansible_collections.community.general.plugins.lookup.onepassword.OnePassCLIBase._run", return_value=(0, json.dumps(output), "")) | ||||
| 
 | ||||
|     op_lookup = lookup_loader.get("community.general.onepassword_ssh_key") | ||||
|     result = op_lookup.run(queries, vault=vault, **kwargs) | ||||
| 
 | ||||
|     assert result == expected | ||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue