Vh FddlmZmZmZeZddgddZdZdZdZ dd l m Z dd l m Z dd lmZdd lmZdd lmZddlmZddlZddlZeZgdZgdZdZdddddddddddd Zdd d!d"d#d$d%d&d'd(d)d* Zd+Zd,Z d-Z!d.Z"d/Z#d7d0Z$ed1fd2Z%d3Z&d4Z'd5Z(e)d6k(re(yy)8)absolute_importdivisionprint_functionz1.1preview community)metadata_versionstatus supported_bya --- module: cyberark_account short_description: Module for CyberArk Account object creation, deletion, modification, and password retrieval using PAS Web Services SDK. author: - CyberArk BizDev (@cyberark-bizdev) - Edward Nunez (@enunez-cyberark) - James Stutes (@jimmyjamcabd) version_added: '1.0.0' description: - Creates a URI for adding, deleting, modifying, and retrieving a privileged credential within the Cyberark Vault. The request uses the Privileged Account Security Web Services SDK. options: state: description: - Assert the desired state of the account C(present) to create or update and account object. Set to C(absent) for deletion of an account object. Set to C(retrieve) to get the account object including the password. required: false default: present choices: [present, absent, retrieve] type: str logging_level: description: - Parameter used to define the level of troubleshooting output to the C(logging_file) value. required: false choices: [NOTSET, DEBUG, INFO] type: str logging_file: description: - Setting the log file name and location for troubleshooting logs. required: false default: /tmp/ansible_cyberark.log type: str api_base_url: description: - A string containing the base URL of the server hosting CyberArk's Privileged Account Security Web Services SDK. - Example U(https:///PasswordVault/api/) required: false type: str validate_certs: description: - If C(false), SSL certificate chain will not be validated. This should only set to C(true) if you have a root CA certificate installed on each node. required: false default: true type: bool cyberark_session: description: - Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session, please see M(cyberark.pas.cyberark_authentication) module for an example of cyberark_session. required: true type: dict identified_by: description: - When an API call is made to Get Accounts, often times the default parameters passed will identify more than one account. This parameter is used to confidently identify a single account when the default query can return multiple results. required: false default: username,address,platform_id type: str safe: description: - The safe in the Vault where the privileged account is to be located. required: true type: str platform_id: description: - The PolicyID of the Platform that is to be managing the account required: false type: str address: description: - The address of the endpoint where the privileged account is located. required: false type: str name: description: - The ObjectID of the account required: false type: str secret_type: description: - The value that identifies what type of account it will be. required: false default: password choices: [password, key] type: str secret: description: - The initial password for the creation of the account required: false type: str new_secret: description: - The new secret/password to be stored in CyberArk Vault. type: str username: description: - The username associated with the account. required: false type: str secret_management: description: - Set of parameters associated with the management of the credential. required: false type: dict suboptions: automatic_management_enabled: description: - Parameter that indicates whether the CPM will manage the password or not. default: false type: bool manual_management_reason: description: - String value indicating why the CPM will NOT manage the password. type: str management_action: description: - CPM action flag to be placed on the account object for credential rotation. choices: [change, change_immediately, reconcile] type: str new_secret: description: - The actual password value that will be assigned for the CPM action to be taken. type: str perform_management_action: description: - C(always) will perform the management action in every action. - C(on_create) will only perform the management action right after the account is created. choices: [always, on_create] default: always type: str remote_machines_access: description: - Set of parameters for defining PSM endpoint access targets. required: false type: dict suboptions: remote_machines: description: - List of targets allowed for this account. type: str access_restricted_to_remote_machines: description: - Whether or not to restrict access only to specified remote machines. type: bool platform_account_properties: description: - Object containing key-value pairs to associate with the account, as defined by the account platform. These properties are validated against the mandatory and optional properties of the specified platform's definition. Optional properties that do not exist on the account will not be returned here. Internal properties are not returned. required: false type: dict suboptions: KEY: description: - Freeform key value associated to the mandatory or optional property assigned to the specified Platform's definition. aliases: [Port, ExtrPass1Name, database] type: str ac - name: Logon to CyberArk Vault using PAS Web Services SDK cyberark.pas.cyberark_authentication: api_base_url: "http://components.cyberark.local" validate_certs: false username: "bizdev" password: "Cyberark1" - name: Creating an Account using the PAS WebServices SDK cyberark.pas.cyberark_account: logging_level: DEBUG identified_by: "address,username" safe: "Test" address: "cyberark.local" username: "administrator-x" platform_id: WinServerLocal secret: "@N&Ibl3!" platform_account_properties: LogonDomain: "cyberark" OwnerName: "ansible_user" secret_management: automatic_management_enabled: true state: present cyberark_session: "{{ cyberark_session }}" register: cyberarkaction - name: Rotate credential via reconcile and providing the password to be changed to cyberark.pas.cyberark_account: identified_by: "address,username" safe: "Domain_Admins" address: "prod.cyberark.local" username: "admin" platform_id: WinDomain platform_account_properties: LogonDomain: "PROD" secret_management: new_secret: "Ama123ah12@#!Xaamdjbdkl@#112" management_action: "reconcile" automatic_management_enabled: true state: present cyberark_session: "{{ cyberark_session }}" register: reconcileaccount - name: Update password only in VAULT cyberark.pas.cyberark_account: identified_by: "address,username" safe: "Domain_Admins" address: "prod.cyberark.local" username: "admin" platform_id: Generic new_secret: "Ama123ah12@#!Xaamdjbdkl@#112" state: present cyberark_session: "{{ cyberark_session }}" register: updateaccount - name: Retrieve account and password cyberark.pas.cyberark_account: identified_by: "address,username" safe: "Domain_Admins" address: "prod.cyberark.local" username: "admin" state: retrieve cyberark_session: "{{ cyberark_session }}" register: retrieveaccount - name: Logoff from CyberArk Vault cyberark.pas.cyberark_authentication: state: absent cyberark_session: "{{ cyberark_session }}" a, changed: description: - Identify if the playbook run resulted in a change to the account in any way. returned: always type: bool failed: description: Whether playbook run resulted in a failure of any kind. returned: always type: bool status_code: description: Result HTTP Status code. returned: success type: int sample: "200, 201, -1, 204" result: description: A json dump of the resulting action. returned: success type: complex contains: address: description: - The adress of the endpoint where the privileged account is located. returned: successful addition and modification type: str sample: dev.local createdTime: description: - Timeframe calculation of the timestamp of account creation. returned: successful addition and modification type: int sample: "1567824520" id: description: Internal ObjectID for the account object identified returned: successful addition and modification type: int sample: "25_21" name: description: The external ObjectID of the account returned: successful addition and modification type: str sample: - Operating System-WinServerLocal-cyberark.local-administrator platformAccountProperties: description: - Object containing key-value pairs to associate with the account, as defined by the account platform. returned: successful addition and modification type: complex contains: KEY VALUE: description: - Object containing key-value pairs to associate with the account, as defined by the account platform. returned: successful addition and modification type: str sample: - "LogonDomain": "cyberark" - "Port": "22" platformId: description: - The PolicyID of the Platform that is to be managing the account. returned: successful addition and modification type: str sample: WinServerLocal safeName: description: - The safe in the Vault where the privileged account is to be located. returned: successful addition and modification type: str sample: Domain_Admins secretManagement: description: - Set of parameters associated with the management of the credential. returned: successful addition and modification type: complex contains: automaticManagementEnabled: description: - Parameter that indicates whether the CPM will manage the password or not. returned: successful addition and modification type: bool lastModifiedTime: description: - Timeframe calculation of the timestamp of account modification. returned: successful addition and modification type: int sample: "1567824520" manualManagementReason: description: - Reason for disabling automatic management of the account returned: if C(automaticManagementEnabled) is set to false type: str sample: This is a static account secretType: description: - The value that identifies what type of account it will be returned: successful addition and modification type: list sample: - key - password userName: description: The username associated with the account returned: successful addition and modification type: str sample: administrator )to_text) AnsibleModule)open_url) HTTPError)quote) HTTPExceptionN) state api_base_urlvalidate_certscyberark_session identified_by logging_level logging_file new_secret#secret_management.management_actionsecret_management.new_secretmanagement_actionz+secret_management.perform_management_action) createdTimeidnamelastModifiedTimesafeName secretTypesecretNO_VALUEuserNamer platformIdr!platformAccountPropertiessecretManagementmanualManagementReasonautomaticManagementEnabledremoteMachinesAccess accessRestrictedToRemoteMachinesremoteMachines) usernamesafe platform_id secret_typeplatform_account_propertiessecret_managementmanual_management_reasonautomatic_management_enabledremote_machines_access$access_restricted_to_remote_machinesremote_machinesr-r.r/r0r1r2r3r4r5#access_testricted_to_remoteMachinesr7) r$r r%r!r&r'r(r)r*r+r,ct|tr|t|k(St|trt||k(S||k(SN) isinstancestr)existing parameters q/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py equal_valuer@s?(C 3y>)) Is #8} ))9$$c X tjd|jd}|d}|d}d|i}d}d}d}d |d z} d |d d d} dgi} t|jj D]} | t vs |j| |j| } t | t| }t ||t|j }|tvsl| t| tri}i}i}t| j D]}| d|}|t vs| |}t |t|}t |||t|j ni}d|d|}|Wtjd||||tk(r|j||in@|>t||s2|j||in||tk7r|j||itjd|||tt|j dkDr| djdd|z|dtt|j dkDr| djdd|z|dt|dkDs| djdd|z|d7|L| tk(r| djdd|zdnLt|| s@| djd| d|zdn$| tk7r| djd| d|zdtjd| | |t| ddk7r3|j rGtjdtjdt#j$| d|i}d }d}ntjd!tjd"t| dt#j$| | dD]}|g} tjd#t#j$|gt'|| z|| t#j$||$}dt#j(|j+i}d }|j-}|||fS#t.t0f$rc}t|t.rt#j2|}n t5|}|j7d%|| d&||| |j8'Yd}~d}~wt:$r1}|j7d(|| d)t5||| d'Yd}~:d}~wwxYw)*NzUpdating AccountrrrresultFPATCH/PasswordVault/api/Accounts/%srapplication/jsontoken$CyberArk/1.0 (Ansible; cyberark.pas)z Content-Type Authorizationz User-Agent Operationsdefault)keys./zCchild_module_parm_value: %s child_existing_account_value=%s path=%sz'parameter_name=%s value=%s existing=%sraddz/%s)oppathvaluereplaceremove)rSrT)rSrUrTz+Proceeding with Update Account (CHECK_MODE)zOperations => %sTzProceeding with Update Accountz)Processing invidual operations (%d) => %sz ==> %smethodheadersdatarzYError while performing update_account.Please validate parameters provided. *** end_point= ==> msgpayloadrZ status_codez=Unknown error while performing update_account. *** end_point= )loggingdebugparamslistrOansible_specific_parametersreferenced_valuecyberark_reference_fieldnamescyberark_fixed_propertiesr;dict removal_valueupdater@lenappend check_modejsondumpsr loadsreadgetcoderrloadr fail_jsoncode Exception)moduleexisting_accountrrrrCchangedlast_status_code HTTPMethod end_pointrZr_parameter_namemodule_parm_valuecyberark_property_nameexisting_account_value replacingaddingremovingchild_parm_namenested_parm_namechild_module_parm_valuechild_cyberark_property_namechild_existing_account_value path_value operationindividual_payloadresponsehttp_exceptionresunknown_exceptions r?update_accountrs MM$%}}%78#N3L%&67N( )FGJ03CD3III+)'2<G R Gv}}1134K "= = n-9 & n = %5 =~& "&6& *//12& " &-FF$0Z%t6!#IF!H+/0A0F0F0H+I@6Do+V(+3NN6G6X3;K / =(7<8 ,14J,J!"+m; -44&+):(-0F(FMMA&(9;QQKZ 7< !Q&    MMG H MM,djj.A B 01FG!  MM: ; MM;GL)* 7#  %\20  &/[".MM)TZZ -DE'$y0) '!ZZ(:;'5  H' 8==?(CDF"G'/'7'7'9$0 d V- ..A"=1!.)<"ii7%n5$$ ,Y= !3 '$2$7$7%  ! $$ ,Y@Q8RT!3 '$&%   s&1BQ??T)AS,, T)8&T$$T)c tjd|jd}|d}|d}i}d}d}d|dd d }d |jd i}t|jj D]l} | t vs |j| t | t| } t|j| tri|| <t|j| j D]t} t | t| } tjd| | | | | dz| zt vs=|j| | Pt|j| | td|| | <vnh| tvr-t|j| td} | B| tk7r9| || <n3t|j| td} | | tk7r | |t| <tjd| otjdtj| |jrtjddddidfStjdt!||z||tj||}dtj"|j%i}d||j'fS#t(t*f$rb}t|t(rtj,|}n t/|}|j1d||d||||j2Yd}~yd}~wt4$r0}|j1d||dt/|||dYd}~yd}~wwxYw)NzAdding AccountrrrPOSTz/PasswordVault/api/AccountsrGrHrIrJr r.rMzOparameter_name =%s.%s cyberark_property_name=%s cyberark_child_property_name=%srPFTzparameter_name =%szAdd Account Payload => %sz(Proceeding with Add Account (CHECK_MODE)rCrDzProceeding with Add AccountrXzVError while performing add_account.Please validate parameters provided. *** end_point=r\r]z:Unknown error while performing add_account. *** end_point=ra)rbrcrdrerOrfrgrhr;rjdeep_get_emptyrkrprqror rrrsrtrrrur rvrwrx)ryrrrrCr}r~rZr_rrdict_keycyberark_child_property_namerrrrrs r? add_accountrs MM"#}}%78#N3L%&67NFJ-I+)'2<G 6==01Gv}}11349@ "= = n-9%5 =~& "&--7>24./ $V]]>%B%G%G%I JH3C "?40MM>' .4 ',x7:;"MM.9(CO%"MM.98VU 678'2")FF(0 ~vu)%*5->. *)1 ~vt)%*5->. 9.I MM. ?s9@v MM-tzz'/BC0    MMD E8T*B/ / MM7 8y(!ZZ(- H 8==? ;%s key=>%s,z KeyError %s) splitrgrhrmrerOrbrcjoinKeyErrorr r)r dotted_pathrNuse_reference_table result_dctkey key_fieldes r?rr sJ  % I",6 4 )*+q0 MM1joo/01  Z__%6 779%_  !"-<    MM- 4& N  sB#C D )C<4D<Dc |tjd|jdjd}tjdt j |d|jvr3|jd$t dt |jdznd}d}|D].}|tvs ||dzndt|j|d d }0tjd |tjd ||jd }|d}|d}d}|"| d|dt |j}n|d|jz}nd|z}tjd|d|ddd} tjd|z|zt||zd| |} | j} t j| } tjdt j | | ddk(rd d| jfSd} d}| dD]}tjd t j |d }|D]c}t||d }tjd!|||t|j|d |d k7r|t|j|d d k(rd"}ad }n|s| d#z} ||}tjd$| t j || d#kDr|jd%| z&y| d#k(|| jfS#tt f$r\}|j"d'k(rd d|j"fcYd}~S|jd(||d)t%|| |j"*Yd}~yd}~wt&$r/}|jd+||d,t%|| d-*Yd}~yd}~wwxYw).NzFinding AccountrrzIdentified_by: %sr.z safeName eq  NOT FOUNDFzSearch_String => %szSafe Filter => %srrrz#/PasswordVault/api/accounts?filter=z&search=z%/PasswordVault/api/accounts?search=%sz%/PasswordVault/api/accounts?filter=%szEnd Point => %srGrHrIrJz Executing: GETrz RESULT => %scountrrUzAcct Record => %szYComparing field %s | record_field_name=%s record_field_value=%s module.params_value=%sTz&How Many: %d First Record Found => %szTError while performing get_account. Too many rows (%d) found matching your criteria!)r^izVError while performing get_account.Please validate parameters provided. *** end_point=r\rz:Unknown error while performing get_account. *** end_point=rarD)rbrcrdrrprqrrfrlstripr rsrrrtrvrrrwr rx)ryidentified_by_fields safe_filter search_stringrrrrr~rZr result_string accounts_datahow_manyfirst_record_foundaccount_recordfoundrecord_field_valuerrs r? get_accountr-s MM#$!==9??D MM%tzz2F'GH V]] "v}}V'<'H nfmmF&; <<  M% 3 3'4'@ #bH{EBM MM'7 MM%{3}}%78#N3L%&67NI [%<  -&&( )   "<AUAUAWX ;{K  MM#Y/+)'2<G Z  ml2Y>? 9 $)  !   =1  ndjj&?@  !Q &4!1!1!34 4H!% "/"8 < 14::n3MN1E)1.%)U&MMM* {C *[8*#FMM5+uMN!% %'('!|H)1-;*5 <8 MM8 -.  !|  K !!A '98;K;K;MNN } %   # %4!4!45 5    $Y0GI  *//       G4E,FH     sK;BLB!L3L;ALLN;)NN; /N N; %N66N;c tjd|jd}|d}|d}|}d}d|dz}d|d d d } t||z||| } | j j d } | j dr| jds|jd||d|d| dd} | |d<tjdd|| jfS#ttf$rc} d} t| trtj| } n t| } |jd||d| || j Yd} ~ yd} ~ wt"$r/} |jd||dt| |dYd} ~ yd} ~ wwxYw)NzRetrieving Passwordrrrrz0/PasswordVault/api/Accounts/%s/Password/RetrieverrGrHrIrJrzutf-8"ziError while performing retrieve_password.The returned value was not formatted as expected. *** end_point=rarD)r^rZ status_cooderpasswordzPassword RetrievedFrz\Error while performing retrieve_password.Please validate parameters provided. *** end_point=r\rz@Unknown error while performing retrieve_password. *** end_point=)rbrcrdr rsdecode startswithendswithrvrtrrr;rprur rwrx)ryrzrrrrCr}r~rZrrrrrs r?retrieve_passwordrs MM'(}}%78#N3L%&67N FJBEUVZE[[I+)'2<G :  9 $)  ==?))'2##C(X->->s-C   1=iI   Ab>%z *+vx//122 } %  ni 0))N+C.)C4@CQ&++       G4E,FH     s&BC$$F 3AE F %FF c iddgdddddgddd dd d d d didddd ddddddddddddddddddddddddddddddd gdd!d"ddddd#ddddd$dddd%ddddd d didgd&dddd'dd(d)gd)dd*dd+d,ddd did did-d.d/dddi}t|d0}|jd1tj|jd |jd1tjd2|jd}t |\}}}tj d3|rd4nd5|d}d6|i}|dk(r|rt||\}}}nt|\}}}d)}d%t|jjvr1|jd%} | d7t| jvr| d7}tj d8tj||d)k(s|d(k(rI|sGt||d6\} } } | r2d}n/|r|d9k(rt||\}}}n|r|d:k(rt||\}}}|j!|||;y)%srr)r{rCr`)r rdrb basicConfiginforrcrrrerOrprqrrr exit_json) fieldsryrrrr`r{rCrr2 account_reset no_resultno_status_codes r?mainrs<8  < %4OP < 3NO< < 6f=< vN< 5 < T51!<" E59#<$ u5%<& UE2'<( "E*!  )<4 uetD5<6 5%4H7<8 69<: #$1.4UO!L&(-=! +X6'.") ;<f !$*E?9?8H# g<v &E6'Jw<F|T JF }}_%1]]>2&--:X  LL"# MM' "E+6v+>(UNK MM(U' [G 'F  -;FN-S *Wfk-8-@ *Wfk$,! $v}}'9'9';"< < & .A B  ,1LPT!&&(Q2->/-)  lDJJv$67 $ 0 % 4U9Px(: 6]I~ 5H$)7)O&&+ 5J&):6>)R&&+ WVMrA__main__)NN)* __future__rrrr __metaclass__ANSIBLE_METADATA DOCUMENTATIONEXAMPLESRETURNansible.module_utils._textr ansible.module_utils.basicr ansible.module_utils.urlsr +ansible.module_utils.six.moves.urllib.errorr+ansible.module_utils.six.moves.urllib.parser*ansible.module_utils.six.moves.http_clientrrprbobjectrrfrirkrhansible_reference_fieldnamesr@rrrrrgrrrr__name__rrAr?rs0 CB k y vE Nr j/4.A=D     #>+ 8$@4,N' !!>+8"@4(M' %g/TB J?D#DS(.4 FG TK \tNn zFrA