add support for systemd creds encrypt/decrypt (#9383)

* add support for systemd creds encrypt/decrypt Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * add __metaclass__ Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * Python 2.7 issues Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * update version_added and ci test aliases Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * switch to container Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * run tests in docker as well Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * move tasks into tasks/ Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * no need to call echo Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * lint and add become: Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * dont append a newline Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * don't clean newlines Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * only use module name Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * clean Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * change msg to value Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * add return values Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * update attributes and description Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * Update plugins/modules/systemd_creds_decrypt.py Co-authored-by: Felix Fontein <felix@fontein.de> * set newline default Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * Update plugins/modules/systemd_creds_encrypt.py Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> * Update plugins/modules/systemd_creds_encrypt.py Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> * Update plugins/modules/systemd_creds_encrypt.py Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> * update required and spelling Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * use single backslash Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> --------- Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
2025-07-24 22:00:22 -07:00 · 2024-12-29 21:15:57 +01:00 · 2024-12-29 21:15:57 +01:00 · 482a90e8b4
commit 482a90e8b4
parent d887930e49
7 changed files with 445 additions and 0 deletions
--- a/tests/integration/targets/systemd_creds_decrypt/aliases
+++ b/tests/integration/targets/systemd_creds_decrypt/aliases
@ -0,0 +1,11 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+needs/root
+
+azp/posix/1
+skip/aix
+skip/freebsd
+skip/osx
+skip/macos
--- a/tests/integration/targets/systemd_creds_decrypt/tasks/main.yaml
+++ b/tests/integration/targets/systemd_creds_decrypt/tasks/main.yaml
@ -0,0 +1,58 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Test systemd_creds_decrypt
+  when:
+    - ansible_systemd.version is defined
+    - ansible_systemd.version | int >= 250
+  block:
+    - name: Encrypt secret
+      become: true
+      systemd_creds_encrypt:
+        name: api
+        not_after: +48hr
+        secret: access_token
+      register: encrypted_api_secret
+
+    - name: Print the encrypted secret
+      ansible.builtin.debug:
+        msg: "{{ encrypted_api_secret }}"
+
+    - name: Decrypt secret
+      community.general.systemd_creds_decrypt:
+        name: api
+        newline: false
+        secret: "{{ encrypted_api_secret.value }}"
+      register: decrypted_secret
+
+    - name: Print the decrypted secret
+      ansible.builtin.debug:
+        msg: "{{ decrypted_secret }}"
+
+    - name: Assert that the decrypted secret is the same as the original secret
+      ansible.builtin.assert:
+        that:
+          - decrypted_secret.value == 'access_token'
+        fail_msg: "Decrypted secret is not the same as the original secret"
+        success_msg: "Decrypted secret is the same as the original secret"
+
+    - name: Decrypt secret into hex
+      community.general.systemd_creds_decrypt:
+        name: api
+        newline: false
+        secret: "{{ encrypted_api_secret.value }}"
+        transcode: hex
+      register: decrypted_secret_hex
+
+    - name: Print the trancoded decrypted secret
+      ansible.builtin.debug:
+        msg: "{{ decrypted_secret_hex }}"
+
+    - name: Assert that the decrypted secret is the same as the original secret
+      ansible.builtin.assert:
+        that:
+          - decrypted_secret_hex.value == '6163636573735f746f6b656e'
+        fail_msg: "Decrypted secret is not the same as the original secret"
+        success_msg: "Decrypted secret is the same as the original secret"
--- a/tests/integration/targets/systemd_creds_encrypt/aliases
+++ b/tests/integration/targets/systemd_creds_encrypt/aliases
@ -0,0 +1,11 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+needs/root
+
+azp/posix/1
+skip/aix
+skip/freebsd
+skip/osx
+skip/macos
--- a/tests/integration/targets/systemd_creds_encrypt/tasks/main.yaml
+++ b/tests/integration/targets/systemd_creds_encrypt/tasks/main.yaml
@ -0,0 +1,55 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Test systemd_creds_encrypt
+  when:
+    - ansible_systemd.version is defined
+    - ansible_systemd.version | int >= 250
+  block:
+    - name: Encrypt secret
+      become: true
+      systemd_creds_encrypt:
+        name: db
+        not_after: +48hr
+        secret: access_token
+      register: encrypted_secret
+
+    - name: Assert encrypted secret output is base64 encoded
+      ansible.builtin.assert:
+        that:
+          - encrypted_secret.value | b64decode
+        fail_msg: "Encrypted secret is not base64 encoded"
+        success_msg: "Encrypted secret is base64 encoded"
+
+    - name: Print the encrypted secret
+      ansible.builtin.debug:
+        msg: "{{ encrypted_secret }}"
+
+    - name: Assert that SetCredentialEncrypted message is not in the output
+      ansible.builtin.assert:
+        that:
+          - '"SetCredentialEncrypted" not in encrypted_secret.value'
+        fail_msg: "SetCredentialEncrypted is in the output"
+        success_msg: "SetCredentialEncrypted is not in the output"
+
+    - name: Encrypt secret
+      become: true
+      community.general.systemd_creds_encrypt:
+        name: web
+        not_after: +5y
+        pretty: true
+        secret: token
+      register: pretty_encrypted_secret
+
+    - name: Pretty print the encrypted secret
+      ansible.builtin.debug:
+        msg: "{{ pretty_encrypted_secret }}"
+
+    - name: Assert that SetCredentialEncrypted message is in the output
+      ansible.builtin.assert:
+        that:
+          - '"SetCredentialEncrypted=web: " in pretty_encrypted_secret.value'
+        fail_msg: "SetCredentialEncrypted is not in the output"
+        success_msg: "SetCredentialEncrypted is in the output"