add support for systemd creds encrypt/decrypt (#9383)

* add support for systemd creds encrypt/decrypt

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* add __metaclass__

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* Python 2.7 issues

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* update version_added and ci test aliases

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* switch to container

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* run tests in docker as well

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* move tasks into tasks/

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* no need to call echo

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* lint and add become:

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* don't append a newline

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* don't clean newlines

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* only use module name

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* clean

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* change msg to value

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* add return values

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* update attributes and description

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* Update plugins/modules/systemd_creds_decrypt.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* set newline default

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* Update plugins/modules/systemd_creds_encrypt.py

Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>

* Update plugins/modules/systemd_creds_encrypt.py

Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>

* Update plugins/modules/systemd_creds_encrypt.py

Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>

* update required and spelling

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* use single backslash

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

---------

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
This commit is contained in:
Thomas Sjögren 2024-12-29 21:15:57 +01:00 committed by GitHub
commit 482a90e8b4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 445 additions and 0 deletions


@ -0,0 +1,11 @@
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
needs/root
azp/posix/1
skip/aix
skip/freebsd
skip/osx
skip/macos


@ -0,0 +1,58 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Test systemd_creds_decrypt
when:
- ansible_systemd.version is defined
- ansible_systemd.version | int >= 250
block:
- name: Encrypt secret
become: true
systemd_creds_encrypt:
name: api
not_after: +48hr
secret: access_token
register: encrypted_api_secret
- name: Print the encrypted secret
ansible.builtin.debug:
msg: "{{ encrypted_api_secret }}"
- name: Decrypt secret
community.general.systemd_creds_decrypt:
name: api
newline: false
secret: "{{ encrypted_api_secret.value }}"
register: decrypted_secret
- name: Print the decrypted secret
ansible.builtin.debug:
msg: "{{ decrypted_secret }}"
- name: Assert that the decrypted secret is the same as the original secret
ansible.builtin.assert:
that:
- decrypted_secret.value == 'access_token'
fail_msg: "Decrypted secret is not the same as the original secret"
success_msg: "Decrypted secret is the same as the original secret"
- name: Decrypt secret into hex
community.general.systemd_creds_decrypt:
name: api
newline: false
secret: "{{ encrypted_api_secret.value }}"
transcode: hex
register: decrypted_secret_hex
- name: Print the trancoded decrypted secret
ansible.builtin.debug:
msg: "{{ decrypted_secret_hex }}"
- name: Assert that the decrypted secret is the same as the original secret
ansible.builtin.assert:
that:
- decrypted_secret_hex.value == '6163636573735f746f6b656e'
fail_msg: "Decrypted secret is not the same as the original secret"
success_msg: "Decrypted secret is the same as the original secret"
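Review bot: The `Print the decrypted secret` and `Print the trancoded decrypted secret` tasks dump the whole registered result, so the recovered plaintext is written to the job log; for a module whose purpose is keeping the secret out of the clear the test should show the safe pattern, with `no_log: true` on both decrypt tasks and the two debug steps dropped (the assertions already check `value`, so no coverage is lost). The file also exercises only the happy path: if the module passes `name` through to `systemd-creds decrypt --name=`, systemd validates it against the name embedded at encryption time, and a negative case that decrypts under a different name and asserts `is failed` would confirm the module surfaces that rejection instead of returning data. Minor inconsistencies: `systemd_creds_encrypt:` is unqualified while the decrypt tasks use the `community.general.` FQCN, and `become: true` is set on the encrypt task but not on the decrypt tasks; given the `needs/root` alias this is probably harmless, but the two should match, and the same mix appears in the systemd_creds_encrypt tasks file below. The task name `trancoded` should read `transcoded`.
```yaml
# … unchanged: encrypt, decrypt, and hex-transcode tasks and their assertions …
- name: Decrypt secret under a different credential name
  community.general.systemd_creds_decrypt:
    name: not_api
    newline: false
    secret: "{{ encrypted_api_secret.value }}"
  register: decrypted_wrong_name
  ignore_errors: true
  no_log: true
- name: Assert that decryption under a different name is rejected
  ansible.builtin.assert:
    that:
      - decrypted_wrong_name is failed
    fail_msg: "Decryption succeeded under a different credential name"
```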


@ -0,0 +1,11 @@
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
needs/root
azp/posix/1
skip/aix
skip/freebsd
skip/osx
skip/macos


@ -0,0 +1,55 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Test systemd_creds_encrypt
when:
- ansible_systemd.version is defined
- ansible_systemd.version | int >= 250
block:
- name: Encrypt secret
become: true
systemd_creds_encrypt:
name: db
not_after: +48hr
secret: access_token
register: encrypted_secret
- name: Assert encrypted secret output is base64 encoded
ansible.builtin.assert:
that:
- encrypted_secret.value | b64decode
fail_msg: "Encrypted secret is not base64 encoded"
success_msg: "Encrypted secret is base64 encoded"
- name: Print the encrypted secret
ansible.builtin.debug:
msg: "{{ encrypted_secret }}"
- name: Assert that SetCredentialEncrypted message is not in the output
ansible.builtin.assert:
that:
- '"SetCredentialEncrypted" not in encrypted_secret.value'
fail_msg: "SetCredentialEncrypted is in the output"
success_msg: "SetCredentialEncrypted is not in the output"
- name: Encrypt secret
become: true
community.general.systemd_creds_encrypt:
name: web
not_after: +5y
pretty: true
secret: token
register: pretty_encrypted_secret
- name: Pretty print the encrypted secret
ansible.builtin.debug:
msg: "{{ pretty_encrypted_secret }}"
- name: Assert that SetCredentialEncrypted message is in the output
ansible.builtin.assert:
that:
- '"SetCredentialEncrypted=web: " in pretty_encrypted_secret.value'
fail_msg: "SetCredentialEncrypted is not in the output"
success_msg: "SetCredentialEncrypted is in the output"