mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2025-10-24 21:14:00 -07:00 
			
		
		
		
	
		
			Some checks are pending
		
		
	
	EOL CI / EOL Sanity (Ⓐ2.17) (push) Waiting to run
				
			EOL CI / EOL Units (Ⓐ2.17+py3.10) (push) Waiting to run
				
			EOL CI / EOL Units (Ⓐ2.17+py3.12) (push) Waiting to run
				
			EOL CI / EOL Units (Ⓐ2.17+py3.7) (push) Waiting to run
				
			EOL CI / EOL I (Ⓐ2.17+alpine319+py:azp/posix/1/) (push) Waiting to run
				
			EOL CI / EOL I (Ⓐ2.17+alpine319+py:azp/posix/2/) (push) Waiting to run
				
			EOL CI / EOL I (Ⓐ2.17+alpine319+py:azp/posix/3/) (push) Waiting to run
				
			EOL CI / EOL I (Ⓐ2.17+fedora39+py:azp/posix/1/) (push) Waiting to run
				
			EOL CI / EOL I (Ⓐ2.17+fedora39+py:azp/posix/2/) (push) Waiting to run
				
			EOL CI / EOL I (Ⓐ2.17+fedora39+py:azp/posix/3/) (push) Waiting to run
				
			EOL CI / EOL I (Ⓐ2.17+ubuntu2004+py:azp/posix/1/) (push) Waiting to run
				
			EOL CI / EOL I (Ⓐ2.17+ubuntu2004+py:azp/posix/2/) (push) Waiting to run
				
			EOL CI / EOL I (Ⓐ2.17+ubuntu2004+py:azp/posix/3/) (push) Waiting to run
				
			nox / Run extra sanity tests (push) Waiting to run
				
			* Adjust all __future__ imports: for i in $(grep -REl "__future__.*absolute_import" plugins/ tests/); do sed -e 's/from __future__ import .*/from __future__ import annotations/g' -i $i; done * Remove all UTF-8 encoding specifications for Python source files: for i in $(grep -REl '[-][*]- coding: utf-8 -[*]-' plugins/ tests/); do sed -e '/^# -\*- coding: utf-8 -\*-/d' -i $i; done * Remove __metaclass__ = type: for i in $(grep -REl '__metaclass__ = type' plugins/ tests/); do sed -e '/^__metaclass__ = type/d' -i $i; done
		
			
				
	
	
		
			191 lines
		
	
	
	
		
			6.2 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			191 lines
		
	
	
	
		
			6.2 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| # Copyright (c) 2017, Edward Nunez <edward.nunez@cyberark.com>
 | |
| # Copyright (c) 2017 Ansible Project
 | |
| # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 | |
| # SPDX-License-Identifier: GPL-3.0-or-later
 | |
| from __future__ import annotations
 | |
| 
 | |
| DOCUMENTATION = r"""
 | |
| author: Unknown (!UNKNOWN)
 | |
| name: cyberarkpassword
 | |
| short_description: Get secrets from CyberArk AIM
 | |
| requirements:
 | |
|   - CyberArk AIM tool installed
 | |
| description:
 | |
|   - Get secrets from CyberArk AIM.
 | |
| options:
 | |
|   _command:
 | |
|     description: Cyberark CLI utility.
 | |
|     type: string
 | |
|     env:
 | |
|       - name: AIM_CLIPASSWORDSDK_CMD
 | |
|     default: '/opt/CARKaim/sdk/clipasswordsdk'
 | |
|   appid:
 | |
|     description: Defines the unique ID of the application that is issuing the password request.
 | |
|     type: string
 | |
|     required: true
 | |
|   query:
 | |
|     description: Describes the filter criteria for the password retrieval.
 | |
|     type: string
 | |
|     required: true
 | |
|   output:
 | |
|     description:
 | |
|       - Specifies the desired output fields separated by commas.
 | |
|       - 'They could be: Password, PassProps.<property>, PasswordChangeInProcess.'
 | |
|     type: string
 | |
|     default: 'password'
 | |
|   _extra:
 | |
|     description: For extra_params values please check parameters for clipasswordsdk in CyberArk's "Credential Provider and
 | |
|       ASCP Implementation Guide".
 | |
| notes:
 | |
|   - For Ansible on Windows, please change the -parameters (C(-p), C(-d), and C(-o)) to /parameters (C(/p), C(/d), and C(/o))
 | |
|     and change the location of C(CLIPasswordSDK.exe).
 | |
| """
 | |
| 
 | |
| EXAMPLES = r"""
 | |
| - name: passing options to the lookup
 | |
|   ansible.builtin.debug:
 | |
|     msg: '{{ lookup("community.general.cyberarkpassword", cyquery) }}'
 | |
|   vars:
 | |
|     cyquery:
 | |
|       appid: "app_ansible"
 | |
|       query: "safe=CyberArk_Passwords;folder=root;object=AdminPass"
 | |
|       output: "Password,PassProps.UserName,PassProps.Address,PasswordChangeInProcess"
 | |
| 
 | |
| 
 | |
| - name: used in a loop
 | |
|   ansible.builtin.debug:
 | |
|     msg: "{{item}}"
 | |
|   with_community.general.cyberarkpassword:
 | |
|     appid: 'app_ansible'
 | |
|     query: 'safe=CyberArk_Passwords;folder=root;object=AdminPass'
 | |
|     output: 'Password,PassProps.UserName,PassProps.Address,PasswordChangeInProcess'
 | |
| """
 | |
| 
 | |
| RETURN = r"""
 | |
| _result:
 | |
|   description: A list containing one dictionary.
 | |
|   type: list
 | |
|   elements: dictionary
 | |
|   contains:
 | |
|     password:
 | |
|       description:
 | |
|         - The actual value stored.
 | |
|     passprops:
 | |
|       description: Properties assigned to the entry.
 | |
|       type: dictionary
 | |
|     passwordchangeinprocess:
 | |
|       description: Did the password change?
 | |
| """
 | |
| 
 | |
| import os
 | |
| import subprocess
 | |
| from subprocess import PIPE
 | |
| from subprocess import Popen
 | |
| 
 | |
| from ansible.errors import AnsibleError
 | |
| from ansible.plugins.lookup import LookupBase
 | |
| from ansible.module_utils.common.text.converters import to_bytes, to_native
 | |
| from ansible.utils.display import Display
 | |
| 
 | |
| display = Display()
 | |
| 
 | |
| CLIPASSWORDSDK_CMD = os.getenv('AIM_CLIPASSWORDSDK_CMD', '/opt/CARKaim/sdk/clipasswordsdk')
 | |
| 
 | |
| 
 | |
| class CyberarkPassword:
 | |
| 
 | |
|     def __init__(self, appid=None, query=None, output=None, **kwargs):
 | |
| 
 | |
|         self.appid = appid
 | |
|         self.query = query
 | |
|         self.output = output
 | |
| 
 | |
|         # Support for Generic parameters to be able to specify
 | |
|         # FailRequestOnPasswordChange, Queryformat, Reason, etc.
 | |
|         self.extra_parms = []
 | |
|         for key, value in kwargs.items():
 | |
|             self.extra_parms.append('-p')
 | |
|             self.extra_parms.append(f"{key}={value}")
 | |
| 
 | |
|         if self.appid is None:
 | |
|             raise AnsibleError("CyberArk Error: No Application ID specified")
 | |
|         if self.query is None:
 | |
|             raise AnsibleError("CyberArk Error: No Vault query specified")
 | |
| 
 | |
|         if self.output is None:
 | |
|             # If no output is specified, return at least the password
 | |
|             self.output = "password"
 | |
|         else:
 | |
|             # To avoid reference issues/confusion to values, all
 | |
|             # output 'keys' will be in lowercase.
 | |
|             self.output = self.output.lower()
 | |
| 
 | |
|         self.b_delimiter = b"@#@"  # Known delimiter to split output results
 | |
| 
 | |
|     def get(self):
 | |
| 
 | |
|         result_dict = {}
 | |
| 
 | |
|         try:
 | |
|             all_parms = [
 | |
|                 CLIPASSWORDSDK_CMD,
 | |
|                 'GetPassword',
 | |
|                 '-p', f'AppDescs.AppID={self.appid}',
 | |
|                 '-p', f'Query={self.query}',
 | |
|                 '-o', self.output,
 | |
|                 '-d', self.b_delimiter]
 | |
|             all_parms.extend(self.extra_parms)
 | |
| 
 | |
|             b_credential = b""
 | |
|             b_all_params = [to_bytes(v) for v in all_parms]
 | |
|             tmp_output, tmp_error = Popen(b_all_params, stdout=PIPE, stderr=PIPE, stdin=PIPE).communicate()
 | |
| 
 | |
|             if tmp_output:
 | |
|                 b_credential = to_bytes(tmp_output)
 | |
| 
 | |
|             if tmp_error:
 | |
|                 raise AnsibleError(f"ERROR => {tmp_error} ")
 | |
| 
 | |
|             if b_credential and b_credential.endswith(b'\n'):
 | |
|                 b_credential = b_credential[:-1]
 | |
| 
 | |
|             output_names = self.output.split(",")
 | |
|             output_values = b_credential.split(self.b_delimiter)
 | |
| 
 | |
|             for i in range(len(output_names)):
 | |
|                 if output_names[i].startswith("passprops."):
 | |
|                     if "passprops" not in result_dict:
 | |
|                         result_dict["passprops"] = {}
 | |
|                     output_prop_name = output_names[i][10:]
 | |
|                     result_dict["passprops"][output_prop_name] = to_native(output_values[i])
 | |
|                 else:
 | |
|                     result_dict[output_names[i]] = to_native(output_values[i])
 | |
| 
 | |
|         except subprocess.CalledProcessError as e:
 | |
|             raise AnsibleError(e.output)
 | |
|         except OSError as e:
 | |
|             raise AnsibleError(f"ERROR - AIM not installed or clipasswordsdk not in standard location. ERROR=({e.errno}) => {e.strerror} ")
 | |
| 
 | |
|         return [result_dict]
 | |
| 
 | |
| 
 | |
| class LookupModule(LookupBase):
 | |
| 
 | |
|     """
 | |
|     USAGE:
 | |
| 
 | |
|     """
 | |
| 
 | |
|     def run(self, terms, variables=None, **kwargs):
 | |
|         display.vvvv(f"{terms}")
 | |
|         if isinstance(terms, list):
 | |
|             return_values = []
 | |
|             for term in terms:
 | |
|                 display.vvvv(f"Term: {term}")
 | |
|                 cyberark_conn = CyberarkPassword(**term)
 | |
|                 return_values.append(cyberark_conn.get())
 | |
|             return return_values
 | |
|         else:
 | |
|             cyberark_conn = CyberarkPassword(**terms)
 | |
|             result = cyberark_conn.get()
 | |
|             return result
 |