-
Notifications
You must be signed in to change notification settings - Fork 52
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
KSM-471 * Added an action plugin to delete record from the Vault. * Update the pinned KSM SDK module * Unpinned Ansible version so it is tested against latest version.
- Loading branch information
1 parent
a8187c3
commit 453e778
Showing
11 changed files
with
249 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4 changes: 2 additions & 2 deletions
4
...eeper_secrets_manager_ansible/ansible_galaxy/tower_execution_environment/requirements.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,3 @@ | ||
importlib_metadata | ||
keeper-secrets-manager-core>=16.6.0 | ||
keeper-secrets-manager-helper>=1.0.4 | ||
keeper-secrets-manager-core>=16.6.2 | ||
keeper-secrets-manager-helper |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
95 changes: 95 additions & 0 deletions
95
...ts_manager_ansible/keeper_secrets_manager_ansible/plugins/action_plugins/keeper_remove.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,95 @@ | ||
# -*- coding: utf-8 -*- | ||
# _ __ | ||
# | |/ /___ ___ _ __ ___ _ _ (R) | ||
# | ' </ -_) -_) '_ \/ -_) '_| | ||
# |_|\_\___\___| .__/\___|_| | ||
# |_| | ||
# | ||
# Keeper Secrets Manager | ||
# Copyright 2021 Keeper Security Inc. | ||
# Contact: [email protected] | ||
# | ||
|
||
from ansible.plugins.action import ActionBase | ||
from ansible.errors import AnsibleError | ||
from ansible.utils.display import Display | ||
from keeper_secrets_manager_ansible import KeeperAnsible | ||
|
||
DOCUMENTATION = r''' | ||
--- | ||
module: keeper_remove | ||
short_description: Remove a secret from the vault. | ||
version_added: "1.2.1" | ||
description: | ||
- Remove a secret from the vault. | ||
author: | ||
- John Walstra | ||
options: | ||
uid: | ||
description: | ||
- The UID of the Keeper Vault record. | ||
type: str | ||
required: no | ||
title: | ||
description: | ||
- The Title of the Keeper Vault record. | ||
type: str | ||
required: no | ||
version_added: '1.2.0' | ||
cache: | ||
description: | ||
- The cache registered by keeper_get_records_cache. | ||
- Used to lookup Keeper Vault record by title. | ||
type: str | ||
required: no | ||
version_added: '1.2.0' | ||
''' | ||
|
||
EXAMPLES = r''' | ||
- name: Remove secret using UID. | ||
keeper_remove: | ||
uid: XXX | ||
- name: Remove secret using title. | ||
keeper_remove: | ||
title: XXXXXXXXX | ||
''' | ||
|
||
RETURN = r''' | ||
existed: | ||
description: Indicates that the record did exist in the Vault. | ||
returned: success | ||
sample: | | ||
{ | ||
"existed": True | ||
}, | ||
''' | ||
|
||
display = Display() | ||
|
||
|
||
class ActionModule(ActionBase): | ||
|
||
def run(self, tmp=None, task_vars=None): | ||
super(ActionModule, self).run(tmp, task_vars) | ||
|
||
if task_vars is None: | ||
task_vars = {} | ||
|
||
keeper = KeeperAnsible(task_vars=task_vars, action_module=self) | ||
|
||
cache = self._task.args.get("cache") | ||
|
||
uid = self._task.args.get("uid") | ||
title = self._task.args.pop("title", None) | ||
if uid is None and title is None: | ||
raise AnsibleError("The uid and title are blank. keeper_get requires one to be set.") | ||
if uid is not None and title is not None: | ||
raise AnsibleError("The uid and title are both set. keeper_get requires one to be set, but not both.") | ||
|
||
keeper.remove_record(uids=uid, titles=title, cache=cache) | ||
|
||
return {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
ansible | ||
importlib_metadata | ||
keeper-secrets-manager-core>=16.4.1 | ||
keeper-secrets-manager-helper>=1.0.4 | ||
keeper-secrets-manager-core>=16.6.2 | ||
keeper-secrets-manager-helper |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
14 changes: 14 additions & 0 deletions
14
integration/keeper_secrets_manager_ansible/tests/ansible_example/playbooks/keeper_remove.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
# vim: set shiftwidth=2 tabstop=2 softtabstop=-1 expandtab: | ||
--- | ||
- name: Keeper Remove | ||
hosts: "my_systems" | ||
gather_facts: no | ||
|
||
tasks: | ||
- name: "Remove By UID" | ||
keeper_remove: | ||
uid: "{{ uid }}" | ||
|
||
- name: "Remove By Title" | ||
keeper_remove: | ||
title: "{{ title }}" |
36 changes: 36 additions & 0 deletions
36
...on/keeper_secrets_manager_ansible/tests/ansible_example/playbooks/keeper_remove_cache.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
# vim: set shiftwidth=2 tabstop=2 softtabstop=-1 expandtab: | ||
--- | ||
- name: Keeper Remove Cache | ||
hosts: "my_systems" | ||
gather_facts: no | ||
|
||
tasks: | ||
- name: Generate a Keeper Record Cache secret | ||
keeper_password: | ||
length: 64 | ||
register: keeper_record_cache_secret | ||
# no_log: True | ||
|
||
- name: Store the Keeper Record Cache secret into variables. | ||
set_fact: | ||
keeper_record_cache_secret: "{{ keeper_record_cache_secret.password }}" | ||
# no_log: True | ||
|
||
- name: Cache records. Will use keeper_record_cache_secret from above. | ||
keeper_cache_records: | ||
uids: | ||
- "{{ uid }}" | ||
titles: | ||
- "{{ title }}" | ||
register: my_records | ||
# no_log: True | ||
|
||
- name: "Remove By UID" | ||
keeper_remove: | ||
cache: "{{ my_records.cache }}" | ||
uid: "{{ uid }}" | ||
|
||
- name: "Remove By Title" | ||
keeper_remove: | ||
cache: "{{ my_records.cache }}" | ||
title: "{{ title }}" |
68 changes: 68 additions & 0 deletions
68
integration/keeper_secrets_manager_ansible/tests/keeper_remove_test.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
import unittest | ||
from unittest.mock import patch | ||
from keeper_secrets_manager_core.mock import Record, Response | ||
from .ansible_test_framework import AnsibleTestFramework | ||
import tempfile | ||
|
||
|
||
|
||
mock_record_1 = Record(title="Record 1", record_type="login") | ||
mock_record_1.field("password", "PASS 1") | ||
mock_record_2 = Record(title="Record 2", record_type="login") | ||
mock_record_2.field("password", "PASS 2") | ||
|
||
mock_response_1 = Response() | ||
mock_response_1.add_record(record=mock_record_1) | ||
mock_response_1.add_record(record=mock_record_2) | ||
mock_response_1.add_record(record=mock_record_1) | ||
mock_response_1.add_record(record=mock_record_2) | ||
|
||
|
||
mock_response_2 = Response() | ||
mock_response_2.add_record(record=mock_record_1) | ||
mock_response_2.add_record(record=mock_record_2) | ||
mock_response_2.add_record(record=mock_record_1) | ||
mock_response_2.add_record(record=mock_record_2) | ||
|
||
|
||
class KeeperRemoveTest(unittest.TestCase): | ||
|
||
def test_keeper_remove(self): | ||
|
||
with patch(f'keeper_secrets_manager_core.SecretsManager.delete_secret') as mock_delete: | ||
mock_delete.return_value = None | ||
|
||
with tempfile.TemporaryDirectory() as temp_dir: | ||
a = AnsibleTestFramework( | ||
playbook="keeper_remove.yml", | ||
vars={ | ||
"tmp_dir": temp_dir, | ||
"uid": mock_record_1.uid, | ||
"title": mock_record_2.title | ||
}, | ||
mock_responses=[mock_response_1] | ||
) | ||
result, out, err = a.run() | ||
self.assertEqual(result["ok"], 2, "2 things didn't happen") | ||
self.assertEqual(result["failed"], 0, "failed was not 0") | ||
self.assertEqual(result["changed"], 0, "0 things didn't change") | ||
|
||
def test_keeper_remove_cache(self): | ||
|
||
with patch(f'keeper_secrets_manager_core.SecretsManager.delete_secret') as mock_delete: | ||
mock_delete.return_value = None | ||
|
||
with tempfile.TemporaryDirectory() as temp_dir: | ||
a = AnsibleTestFramework( | ||
playbook="keeper_remove_cache.yml", | ||
vars={ | ||
"tmp_dir": temp_dir, | ||
"uid": mock_record_1.uid, | ||
"title": mock_record_2.title | ||
}, | ||
mock_responses=[mock_response_2] | ||
) | ||
result, out, err = a.run() | ||
self.assertEqual(result["ok"], 5, "5 things didn't happen") | ||
self.assertEqual(result["failed"], 0, "failed was not 0") | ||
self.assertEqual(result["changed"], 0, "0 things didn't change") |