win_credential: new module to manage credentials (#48840)

* win_credential_manager: new module to manage credentials * fix sanity issues and removed CredSSP references * renamed module to win_credential * fix typo on test variable * fix sanity ignore line
2025-07-02 14:40:19 -07:00 · 2018-11-22 06:55:48 +10:00 · 2018-11-22 06:55:48 +10:00 · 8e92cca139
commit 8e92cca139
parent 10af3874b5
10 changed files with 2104 additions and 0 deletions
--- a/lib/ansible/modules/windows/win_credential.py
+++ b/lib/ansible/modules/windows/win_credential.py
@ -0,0 +1,218 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2018, Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+ANSIBLE_METADATA = {'metadata_version': '1.1',
+                    'status': ['preview'],
+                    'supported_by': 'community'}
+
+DOCUMENTATION = r'''
+---
+module: win_credential
+version_added: '2.8'
+short_description: Manages Windows Credentials in the Credential Manager
+description:
+- Used to create and remove Windows Credentials in the Credential Manager.
+- This module can manage both standard username/password credentials as well as
+  certificate credentials.
+options:
+  alias:
+    description:
+    - Adds an alias for the credential.
+    - Typically this is the NetBIOS name of a host if I(name) is set to the DNS
+      name.
+    type: str
+  attributes:
+    description:
+    - A list of dicts that set application specific attributes for a
+      credential.
+    - When set, existing attributes will be compared to the list as a whole,
+      any differences means all attributes will be replaced.
+    suboptions:
+      name:
+        description:
+        - The key for the attribute.
+        - This is not a unique identifier as multiple attributes can have the
+          same key.
+        required: True
+      data:
+        description:
+        - The value for the attribute.
+        type: str
+      data_format:
+        description:
+        - Controls the input type for I(data).
+        - If C(text), I(data) is a text string that is UTF-8 encoded to bytes.
+        - If C(base64), I(data) is a base64 string that is base64 decoded to
+          bytes.
+        type: str
+        choices:
+        - base64
+        - text
+        default: text
+  comment:
+    description:
+    - A user defined comment for the credential.
+    type: str
+  name:
+    description:
+    - The target that identifies the server or servers that the credential is
+      to be used for.
+    - If the value can be a NetBIOS name, DNS server name, DNS host name suffix
+      with a wildcard character (C(*)), a NetBIOS of DNS domain name that
+      contains a wildcard character sequence, or an asterisk.
+    - See C(TargetName) in U(https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credentiala)
+      for more details on what this value can be.
+    - This is used with I(type) to produce a unique credential.
+    required: True
+    type: str
+  persistence:
+    description:
+    - Defines the persistence of the credential.
+    - If C(local), the credential will persist for all logons of the same user
+      on the same host.
+    - C(enterprise) is the same as C(local) but the credential is visible to
+      the same domain user when running on other hosts and not just localhost.
+    type: str
+    choices:
+    - enterprise
+    - local
+    default: local
+  secret:
+    description:
+    - The secret for the credential.
+    - When omitted, then no secret is used for the credential if a new
+      credentials is created.
+    - When I(type) is a password type, this is the password for I(username).
+    - When I(type) is a certificate type, this is the pin for the certificate.
+    type: str
+  secret_format:
+    description:
+    - Controls the input type for I(secret).
+    - If C(text), I(secret) is a text string that is UTF-8 encoded to bytes.
+    - If C(base64), I(secret) is a base64 string that is base64 decoded to
+      bytes.
+    type: str
+    choices:
+    - base64
+    - text
+    default: text
+  state:
+    description:
+    - When C(absent), the credential specified by I(name) and I(type) is
+      removed.
+    - When C(present), the credential specified by I(name) and I(type) is
+      removed.
+    type: str
+    choices:
+    - absent
+    - present
+    default: present
+  type:
+    description:
+    - The type of credential to store.
+    - This is used with I(name) to produce a unique credential.
+    - When the type is a C(domain) type, the credential is used by Microsoft
+      authentication packages like Negotiate.
+    - When the type is a C(generic) type, the credential is not used by any
+      particular authentication package.
+    - It is recommended to use a C(domain) type as only authentication
+      providers can access the secret.
+    required: True
+    type: str
+    choices:
+    - domain_password
+    - domain_certificate
+    - generic_password
+    - generic_certificate
+  update_secret:
+    description:
+    - When C(always), the secret will always be updated if they differ.
+    - When C(on_create), the secret will only be checked/updated when it is
+      first created.
+    - If the secret cannot be retrieved and this is set to C(always), the
+      module will always result in a change.
+    type: str
+    choices:
+    - always
+    - on_create
+    default: always
+  username:
+    description:
+    - When I(type) is a password type, then this is the username to store for
+      the credential.
+    - When I(type) is a credential type, then this is the thumbprint as a hex
+      string of the certificate to use.
+    - When C(type=domain_password), this should be in the form of a Netlogon
+      (DOMAIN\Username) or a UPN (username@DOMAIN).
+    - If using a certificate thumbprint, the certificate must exist in the
+      C(CurrentUser\My) certificate store for the executing user.
+    type: str
+notes:
+- This module requires to be run with C(become) so it can access the
+  user's credential store.
+- There can only be one credential per host and type. if a second credential is
+  defined that uses the same host and type, then the original credential is
+  overwritten.
+author:
+- Jordan Borean (@jborean93)
+'''
+
+EXAMPLES = r'''
+- name: Create a local only credential
+  win_credential:
+    name: server.domain.com
+    type: domain_password
+    username: DOMAIN\username
+    secret: Password01
+    state: present
+
+- name: Remove a credential
+  win_credential:
+    name: server.domain.com
+    type: domain_password
+    state: absent
+
+- name: Create a credential with full values
+  win_credential:
+    name: server.domain.com
+    type: domain_password
+    alias: server
+    username: username@DOMAIN.COM
+    secret: Password01
+    comment: Credential for server.domain.com
+    persistence: enterprise
+    attributes:
+    - name: Source
+      data: Ansible
+    - name: Unique Identifier
+      data: Y3VzdG9tIGF0dHJpYnV0ZQ==
+      data_format: base64
+
+- name: Create a certificate credential
+  win_credential:
+    name: '*.domain.com'
+    type: domain_certificate
+    username: 0074CC4F200D27DC3877C24A92BA8EA21E6C7AF4
+    state: present
+
+- name: Create a generic credential
+  win_credential:
+    name: smbhost
+    type: generic_password
+    username: smbuser
+    password: smbuser
+    state: present
+
+- name: Remove a generic credential
+  win_credential:
+    name: smbhost
+    type: generic_password
+    state: absent
+'''
+
+RETURN = r'''
+#
+'''