Vh8ddlmZmZmZeZdZdZdZddl Z ddl Z ddl m Z m Z ddlmZddlmZdd lmZ dd lmZmZmZmZmZd Zd Zd ZeZej@e jBGd de"Z#Gdde#Z$Gdde#Z%GddeZ&y#e$r4 dd lmZmZmZmZmZd Zd Zd Zn#e$rdZdZd Zd ZdZdZdZd ZYnwxYwYwxYw))absolute_importdivisionprint_functiona name: tss author: Adam Migus (@amigus) short_description: Get secrets from Thycotic Secret Server version_added: 1.0.0 description: - Uses the Thycotic Secret Server Python SDK to get Secrets from Secret Server using token authentication with O(username) and O(password) on the REST API at O(base_url). - When using self-signed certificates the environment variable E(REQUESTS_CA_BUNDLE) can be set to a file containing the trusted certificates (in C(.pem) format). - For example, C(export REQUESTS_CA_BUNDLE='/etc/ssl/certs/ca-bundle.trust.crt'). requirements: - python-tss-sdk - https://pypi.org/project/python-tss-sdk/ options: _terms: description: The integer ID of the secret. required: true type: list elements: int secret_path: description: Indicate a full path of secret including folder and secret name when the secret ID is set to 0. required: false type: str version_added: 7.2.0 fetch_secret_ids_from_folder: description: - Boolean flag which indicates whether secret IDs are in a folder is fetched by folder ID or not. - V(true) then the terms will be considered as a folder IDs. Otherwise (default), they are considered as secret IDs. required: false type: bool version_added: 7.1.0 fetch_attachments: description: - Boolean flag which indicates whether attached files will get downloaded or not. - The download will only happen if O(file_download_path) has been provided. required: false type: bool version_added: 7.0.0 file_download_path: description: Indicate the file attachment download location. required: false type: path version_added: 7.0.0 base_url: description: The base URL of the server, for example V(https://localhost/SecretServer). type: string env: - name: TSS_BASE_URL ini: - section: tss_lookup key: base_url required: true username: description: The username with which to request the OAuth2 Access Grant. type: string env: - name: TSS_USERNAME ini: - section: tss_lookup key: username password: description: - The password associated with the supplied username. - Required when O(token) is not provided. type: string env: - name: TSS_PASSWORD ini: - section: tss_lookup key: password domain: default: "" description: - The domain with which to request the OAuth2 Access Grant. - Optional when O(token) is not provided. - Requires C(python-tss-sdk) version 1.0.0 or greater. type: string env: - name: TSS_DOMAIN ini: - section: tss_lookup key: domain required: false version_added: 3.6.0 token: description: - Existing token for Thycotic authorizer. - If provided, O(username) and O(password) are not needed. - Requires C(python-tss-sdk) version 1.0.0 or greater. type: string env: - name: TSS_TOKEN ini: - section: tss_lookup key: token version_added: 3.7.0 api_path_uri: default: /api/v1 description: The path to append to the base URL to form a valid REST API request. type: string env: - name: TSS_API_PATH_URI required: false token_path_uri: default: /oauth2/token description: The path to append to the base URL to form a valid OAuth2 Access Grant request. type: string env: - name: TSS_TOKEN_PATH_URI required: false z _list: description: - The JSON responses to C(GET /secrets/{id}). - See U(https://updates.thycotic.net/secretserver/restapiguide/TokenAuth/#operation--secrets--id--get). type: list elements: dict a. - hosts: localhost vars: secret: >- {{ lookup( 'community.general.tss', 102, base_url='https://secretserver.domain.com/SecretServer/', username='user.name', password='password' ) }} tasks: - ansible.builtin.debug: msg: > the password is {{ (secret['items'] | items2dict(key_name='slug', value_name='itemValue'))['password'] }} - hosts: localhost vars: secret: >- {{ lookup( 'community.general.tss', 102, base_url='https://secretserver.domain.com/SecretServer/', username='user.name', password='password', domain='domain' ) }} tasks: - ansible.builtin.debug: msg: > the password is {{ (secret['items'] | items2dict(key_name='slug', value_name='itemValue'))['password'] }} - hosts: localhost vars: secret_password: >- {{ ((lookup( 'community.general.tss', 102, base_url='https://secretserver.domain.com/SecretServer/', token='thycotic_access_token', ) | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password'] }} tasks: - ansible.builtin.debug: msg: the password is {{ secret_password }} # Private key stores into certificate file which is attached with secret. # If fetch_attachments=True then private key file will be download on specified path # and file content will display in debug message. - hosts: localhost vars: secret: >- {{ lookup( 'community.general.tss', 102, fetch_attachments=True, file_download_path='/home/certs', base_url='https://secretserver.domain.com/SecretServer/', token='thycotic_access_token' ) }} tasks: - ansible.builtin.debug: msg: > the private key is {{ (secret['items'] | items2dict(key_name='slug', value_name='itemValue'))['private-key'] }} # If fetch_secret_ids_from_folder=true then secret IDs are in a folder is fetched based on folder ID - hosts: localhost vars: secret: >- {{ lookup( 'community.general.tss', 102, fetch_secret_ids_from_folder=true, base_url='https://secretserver.domain.com/SecretServer/', token='thycotic_access_token' ) }} tasks: - ansible.builtin.debug: msg: > the secret id's are {{ secret }} # If secret ID is 0 and secret_path has value then secret is fetched by secret path - hosts: localhost vars: secret: >- {{ lookup( 'community.general.tss', 0, secret_path='\folderName\secretName' base_url='https://secretserver.domain.com/SecretServer/', username='user.name', password='password' ) }} tasks: - ansible.builtin.debug: msg: >- the password is {{ (secret['items'] | items2dict(key_name='slug', value_name='itemValue'))['password'] }} N) AnsibleErrorAnsibleOptionsError)six) LookupBase)Display) SecretServerSecretServerErrorPasswordGrantAuthorizerDomainPasswordGrantAuthorizerAccessTokenAuthorizerTFcNeZdZdZedZdZdZedZedZ y) TSSClientcd|_y)N)_client)selfs h/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/general/plugins/lookup/tss.py__init__zTSSClient.__init__&s  c :tr tdi|Stdi|S)N)HAS_TSS_AUTHORIZER TSSClientV1 TSSClientV0server_parameterss r from_paramszTSSClient.from_params)s# 3!23 33!23 3rc tjd||j|}|dk(r|rd}tjd|nd}tjd||r|r|jj ||}n|jj ||}|dD]}|rtjj|rk|ds* |d j} ttjj||d d |d d 5} | j| dddd|d <td|S|r|jj |dS|jj%|S#1swYVxYw#t$rtd|d t $rtj#d|d YwxYw#d|d <wxYw)Ntss_lookup term: rTz)Secret Server lookup of Secret with path Fz'Secret Server lookup of Secret with ID itemsisFile itemValueid_slugwbzFailed to download z Could not read file content for z*** Not Valid For Display ***z!File download path does not exist)displaydebug_term_to_secret_idvvvrget_secret_by_path get_secretospathisdircontentopenjoinwrite ValueErrorrAttributeErrorwarningget_secret_json) rterm secret_pathfetch_file_attachmentsfile_download_path secret_idfetch_secret_by_pathobji file_contentfs rr.zTSSClient.get_secret0s )$01++D1 >k#' KKCK=Q R#( KKA)M N !#ll55kCYZll--i9OP\ S%"''--8J*K{ M+,[>+A+AL!%bggll3E#d)TUVWX^V_U`Ga&bdh!i6mn ! 56.MAkN-.QRR SJ#||66{EJJ||33I>>66)Y"58KAfI;6W"XX-\#OO.NqQWyk,Z[\.MAkNs=AF E>)F >F F  =G G  G  G  Gctjd||j|}tjd||jj |S)Nr!z3Secret Server lookup of Secret id's with Folder ID )r)r*_term_to_folder_idr,rget_secret_ids_by_folderid)rr: folder_ids rrFz$TSSClient.get_secret_ids_by_folderidUsO )$01++D1  I)UV||66yAArcJ t|S#t$r tdwxYw)NzSecret ID must be an integerintr6rr:s rr+zTSSClient._term_to_secret_id\/ Ft9  F%&DE E F "cJ t|S#t$r tdwxYw)NzFolder ID must be an integerrIrKs rrEzTSSClient._term_to_folder_idcrLrMN) __name__ __module__ __qualname__r staticmethodrr.rFr+rErrrrr$sS44 #?JBFF FFrrceZdZfdZxZS)rc tt| |jdr t dt |d|d|d|d|d|_y)NdomainzFThe 'domain' option requires 'python-tss-sdk' version 1.0.0 or greaterbase_urlusernamepassword api_path_uritoken_path_uri)superrrgetrr r)rr __class__s rrzTSSClientV0.__init__ls_ k4)+   *gh h# j ) j ) j ) n - . /   r)rOrPrQr __classcell__r]s@rrrks    rrc.eZdZfdZedZxZS)rc ~tt| |jdi|}t |d||d|_y)NrVrYr)r[rr_get_authorizerr r)rr authorizerr]s rrzTSSClientV1.__init__|sD k4)+)T))>,=> # j ):7H7X  rc |jdrt|dS|jdrt|d|d|d|d|dSt|d|d|d|dS)NtokenrUrVrWrXrZ)r\rrr rs rrbzTSSClientV1._get_authorizers   )(!'*    *0!*-!*-!(+!*-!"23  ' j ) j ) j ) . /   r)rOrPrQrrRrbr^r_s@rrr{s   rrceZdZdZy) LookupModulec ts td|j||tj |j d|j d|j d|j d|j d|j d|j d  } |j d r0t r|Dcgc]}|j|c}Std |Dcgc]C}|j||j d |j d|j dEc}Scc}wcc}w#t$r}td|jd}~wwxYw)Nz3python-tss-sdk must be installed to use this plugin) var_optionsdirectrVrWrXrUrerYrZ)rVrWrXrUrerYrZfetch_secret_ids_from_folderz:latest python-tss-sdk must be installed to use this pluginr;fetch_attachmentsr=zSecret Server lookup failure: ) HAS_TSS_SDKr set_optionsrr get_optionHAS_DELINEA_SS_SDKrFr.r message)rterms variableskwargstssr:errors rrunzLookupModule.runsSTU U Yv>##__Z0__Z0__Z0??8,//'*8??+;<$  Q=>%MRSTC::4@SS&'cdd!& NN 6(;<(<=  T! Q!? OP P Qs=+ED;E!E0AE8E; E E+E&&E+N)rOrPrQrwrrrrgrgs!Qrrg)' __future__rrrtype __metaclass__ DOCUMENTATIONRETURNEXAMPLESabcr/ansible.errorsrransible.module_utilsransible.plugins.lookupr ansible.utils.displayr delinea.secrets.serverr r r rrrmrpr ImportErrorthycotic.secrets.serverr) add_metaclassABCMetaobjectrrrrgrrrrs6 A@ n ` ~ @ <$-)#VVK& )3;;CFCF CFL  )   ) B"Q:"Q[## [ [ "! #   ""&(,% $"##s5BC#B87C8C CCCC