mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-03-26 21:33:05 +00:00
Fixes password behavior on Vault module.
This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.
Tests were updated to reflect the changes.
New example playbooks are added:
playbooks/vault/vault-is-present-with-password-file.yml
playbooks/vault/vault-is-present-with-public-key-file.yml
playbooks/vault/retrive-data-asymmetric-vault.yml
playbooks/vault/retrive-data-symmetric-vault.yml
This commit is contained in:
Rafael Guterres Jeffman
@@ -41,7 +41,7 @@ Example inventory file
|
||||
ipaserver.test.local
|
||||
```
|
||||
|
||||
Example playbook to make sure vault is present:
|
||||
Example playbook to make sure vault is present (by default, vault type is `symmetric`):
|
||||
|
||||
```yaml
|
||||
---
|
||||
@@ -53,8 +53,7 @@ Example playbook to make sure vault is present:
|
||||
- ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: admin
|
||||
vault_password: MyVaultPassword123
|
||||
password: SomeVAULTpassword
|
||||
description: A standard private vault.
|
||||
```
|
||||
|
||||
@@ -124,13 +123,31 @@ Example playbook to make sure vault data is present in a symmetric vault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: admin
|
||||
vault_password: MyVaultPassword123
|
||||
vault_data: >
|
||||
password: SomeVAULTpassword
|
||||
data: >
|
||||
Data archived.
|
||||
More data archived.
|
||||
action: member
|
||||
```
|
||||
|
||||
Example playbook to retrieve vault data from a symmetric vault:
|
||||
|
||||
```yaml
|
||||
---
|
||||
- name: Playbook to handle vaults
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
|
||||
tasks:
|
||||
- ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: admin
|
||||
password: SomeVAULTpassword
|
||||
retrieve: true
|
||||
action: member
|
||||
```
|
||||
|
||||
Example playbook to make sure vault data is absent in a symmetric vault:
|
||||
|
||||
```yaml
|
||||
@@ -144,7 +161,7 @@ Example playbook to make sure vault data is absent in a symmetric vault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: admin
|
||||
vault_password: MyVaultPassword123
|
||||
password: SomeVAULTpassword
|
||||
action: member
|
||||
state: absent
|
||||
```
|
||||
@@ -178,8 +195,12 @@ Variable | Description | Required
|
||||
`name` \| `cn` | The list of vault name strings. | yes
|
||||
`description` | The vault description string. | no
|
||||
`nomembers` | Suppress processing of membership attributes. (bool) | no
|
||||
`vault_public_key` \| `ipavaultpublickey` | Vault public key. | no
|
||||
`vault_salt` \| `ipavaultsalt` | Vault salt. | no
|
||||
`password ` \| `vault_password` \| `ipavaultpassword` | Vault password. | no
|
||||
`public_key ` \| `vault_public_key` \| `ipavaultpublickey` | Base64 encoded vault public key. | no
|
||||
`public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
|
||||
`private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no
|
||||
`private_key_file` \| `vault_private_key_file` | Path to file with private key. | no
|
||||
`salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no
|
||||
`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
|
||||
`user` \| `username` | Any user can own one or more user vaults. | no
|
||||
`service` | Any service can own one or more service vaults. | no
|
||||
@@ -187,7 +208,10 @@ Variable | Description | Required
|
||||
`users` | Users that are members of the vault. | no
|
||||
`groups` | Groups that are member of the vault. | no
|
||||
`services` | Services that are member of the vault. | no
|
||||
`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
|
||||
`data` \|`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
|
||||
`in` \| `datafile_in` | Path to file with data to be stored in the vault. | no
|
||||
`out` \| `datafile_out` | Path to file to store data retrieved from the vault. | no
|
||||
`retrieve` | If set to True, retrieve data stored in the vault. (bool) | no
|
||||
`action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
|
||||
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
|
||||
|
||||
|
||||
18
playbooks/vault/change-password-symmetric-vault.yml
Normal file
18
playbooks/vault/change-password-symmetric-vault.yml
Normal file
@@ -0,0 +1,18 @@
|
||||
---
|
||||
- name: Playbook to change password of symmetric vault.
|
||||
hosts: ipaserver
|
||||
become: yes
|
||||
gather_facts: no
|
||||
|
||||
tasks:
|
||||
- name: Create vault.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
password: SomeVAULTpassword
|
||||
- name: Change vault passord.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
password: SomeVAULTpassword
|
||||
new_password: SomeNEWpassword
|
||||
@@ -9,6 +9,6 @@
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: admin
|
||||
vault_password: MyVaultPassword123
|
||||
vault_password: SomeVAULTpassword
|
||||
vault_data: The world of π is half rounded.
|
||||
action: member
|
||||
|
||||
@@ -9,5 +9,4 @@
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: admin
|
||||
vault_password: MyVaultPassword123
|
||||
vault_type: symmetric
|
||||
vault_password: SomeVAULTpassword
|
||||
|
||||
1
playbooks/vault/password.txt
Normal file
1
playbooks/vault/password.txt
Normal file
@@ -0,0 +1 @@
|
||||
SomeVAULTpassword
|
||||
27
playbooks/vault/private.pem
Normal file
27
playbooks/vault/private.pem
Normal file
@@ -0,0 +1,27 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEowIBAAKCAQEArM5/f6dd/YIm/a9eoGVTW8jobEgrf9PXRA3aHsA7kJo6fB18
|
||||
HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJeqXESZ+gVCVmigRzmKWK2ad9agmY
|
||||
SiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGsZIDG+WVES5W89K+L0bwVjq4tshhe
|
||||
DMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4fh0fGk5tbIYa0bhwMUpL+WHOm6nbd
|
||||
+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZkUmk3apMnzknNaTqguAQdTn79G8P
|
||||
qrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJdwIDAQABAoIBAA6e9iit14UAgx4J
|
||||
vX7is9fbOtcWkB+jo94NMfxSFXgZpIMl139oQMqK97KjxsHqAaDVe7mMLH5EP96J
|
||||
7M3O5g4rgl0cVWtpMrDQyZsLvqDFzBWxtCHqVPAruumUZhsSJ3lROQro8ag/w5bf
|
||||
5tC5ogVq4+rsB4hBphgp1jGrsUM+E8O7DXXFH68F8WgBi725WvcjnbI9irkb0Gcq
|
||||
1bCPJwN3fA1i2VWiRwVYWbNTWnDoNM9ZdYYxK0kuUkD+QtreycWPf9V49lvUi1Vp
|
||||
FVNmBUDvGK3K1MwbgXRwOXhacY7Ptjkdvaeb2Qcu5RjTkruGhzUYsOP3p/cw+wKV
|
||||
vzQqceECgYEA5Wz7V2SlRa2r//z+ETQkJfENJ0KDnCb0pMClCQh3jTNPA6DbhiMk
|
||||
FTkcoNbqcpTiVSlvhh6TKscSgqYQUjQ/OqyG7SkjKVjQ72j5beQLxiLTtUyj1OmP
|
||||
Xh9cWJXx8iQ+45cPon+kMOAIiTwiB3mmFRfQjIGve1DPUo9J+NZ4XdECgYEAwNKg
|
||||
OdGYxxKtCrXVz1mdg6PDlV8qh7nxxZbPch+aMIQl1+oTCgSiw8oOYEd8g0HOdV6t
|
||||
1G+IWhvPxiiWy3/AE0QhgoKk2GUsSjWSMLcJbaUzDoEHFjTLjecRlqdzo7qxRXqB
|
||||
meN4L5WJYKnLC482K7hvufS+uo5fB5qwPmt13McCgYAe4TVPRP+tyjttYCr+O8tl
|
||||
w/UmRKCcQu4Iwtkzxwz4V2CaN2t0uYQgyygcSfESbRGtrr8RCUp7poHKTfnCZr/f
|
||||
8NrUTwYpiYfNwY5ZCSnAiG2AaIlgnfMrEwOF9OC028YPMgTrtUxvO6hKeGqIIQqG
|
||||
qkbqsoXhDjZpgVnOgWeAEQKBgGuiZ0w/IqAlXbC31fUb2iBMfvXXnJ8M/dfFGmFj
|
||||
IKfqbFF9WUljUxQlqya1YNzIFB5STohiBeP+2FmN+Lb5xdc7VdVLZgdhWnrGMqe8
|
||||
1Kd+6uQyxCjyKZo5nQjSymtf4GqfOs8TOdieCYSK40u9koiPONa9tuXeaU+OWslN
|
||||
JQqrAoGBAJ3MKOvsnQzuZVP2vz0ZqLwIE3XjRiFGveVpizq4hwOVeuNsV08JvA0t
|
||||
pueNIy9klPScFc9OUdiZWkEX09BwJkVIrOHotuSB8AStO5UAntNnuyWLJEFC4Uq4
|
||||
GpB8lbj9jkxSKaU7X3Gac23K9JL8euLh7E7rPuZRYa6mYN4nbKqu
|
||||
-----END RSA PRIVATE KEY-----
|
||||
9
playbooks/vault/public.pem
Normal file
9
playbooks/vault/public.pem
Normal file
@@ -0,0 +1,9 @@
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArM5/f6dd/YIm/a9eoGVT
|
||||
W8jobEgrf9PXRA3aHsA7kJo6fB18HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJ
|
||||
eqXESZ+gVCVmigRzmKWK2ad9agmYSiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGs
|
||||
ZIDG+WVES5W89K+L0bwVjq4tshheDMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4f
|
||||
h0fGk5tbIYa0bhwMUpL+WHOm6nbd+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZ
|
||||
kUmk3apMnzknNaTqguAQdTn79G8PqrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJ
|
||||
dwIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
19
playbooks/vault/retrive-data-asymmetric-vault.yml
Normal file
19
playbooks/vault/retrive-data-asymmetric-vault.yml
Normal file
@@ -0,0 +1,19 @@
|
||||
---
|
||||
- name: Tests
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
gather_facts: True
|
||||
|
||||
tasks:
|
||||
- name: Retrieve data from assymetric vault with a private key file.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: admin
|
||||
private_key_file: private.pem
|
||||
retrieve: True
|
||||
register: result
|
||||
- debug:
|
||||
msg: "Data: {{ result.data }}"
|
||||
- debug:
|
||||
msg: "Decoded Data: {{ result.data | b64decode }}"
|
||||
18
playbooks/vault/retrive-data-symmetric-vault.yml
Normal file
18
playbooks/vault/retrive-data-symmetric-vault.yml
Normal file
@@ -0,0 +1,18 @@
|
||||
---
|
||||
- name: Tests
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
gather_facts: True
|
||||
|
||||
tasks:
|
||||
- name: Retrieve data from symmetric vault.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: admin
|
||||
password: SomeVAULTpassword
|
||||
retrieve: yes
|
||||
action: member
|
||||
register: result
|
||||
- debug:
|
||||
msg: "{{ result.data | b64decode }}"
|
||||
22
playbooks/vault/vault-is-present-with-password-file.yml
Normal file
22
playbooks/vault/vault-is-present-with-password-file.yml
Normal file
@@ -0,0 +1,22 @@
|
||||
---
|
||||
- name: Tests
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
gather_facts: True
|
||||
|
||||
tasks:
|
||||
- copy:
|
||||
src: "{{ playbook_dir }}/password.txt"
|
||||
dest: "{{ ansible_env.HOME }}/password.txt"
|
||||
owner: "{{ ansible_user }}"
|
||||
group: "{{ ansible_user }}"
|
||||
mode: 0600
|
||||
- ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: admin
|
||||
vault_type: symmetric
|
||||
vault_password_file: "{{ ansible_env.HOME }}/password.txt"
|
||||
- file:
|
||||
path: "{{ ansible_env.HOME }}/password.txt"
|
||||
state: absent
|
||||
27
playbooks/vault/vault-is-present-with-public-key-file.yml
Normal file
27
playbooks/vault/vault-is-present-with-public-key-file.yml
Normal file
@@ -0,0 +1,27 @@
|
||||
---
|
||||
#
|
||||
# Example keys for this playbook were generated with the commands:
|
||||
# $ openssl genrsa -out private.pem 2048
|
||||
# $ openssl rsa -in private.pem -pubout > public.pem
|
||||
#
|
||||
- name: Tests
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
gather_facts: True
|
||||
|
||||
tasks:
|
||||
- copy:
|
||||
src: "{{ playbook_dir }}/public.pem"
|
||||
dest: "{{ ansible_env.HOME }}/public.pem"
|
||||
owner: "{{ ansible_user }}"
|
||||
group: "{{ ansible_user }}"
|
||||
mode: 0600
|
||||
- ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: asymvault
|
||||
username: admin
|
||||
vault_type: asymmetric
|
||||
vault_public_key_file: "{{ ansible_env.HOME }}/public.pem"
|
||||
- file:
|
||||
path: "{{ ansible_env.HOME }}/public.pem"
|
||||
state: absent
|
||||
@@ -1427,7 +1427,6 @@ def main():
|
||||
temp_kdestroy(ccache_dir, ccache_name)
|
||||
|
||||
# Done
|
||||
|
||||
ansible_module.exit_json(changed=changed, user=exit_args)
|
||||
|
||||
|
||||
|
||||
@@ -45,21 +45,41 @@ options:
|
||||
description:
|
||||
description: The vault description
|
||||
required: false
|
||||
vault_public_key:
|
||||
description: Base64 encoded public key.
|
||||
public_key:
|
||||
description: Base64 encode public key.
|
||||
required: false
|
||||
type: list
|
||||
aliases: ["ipavaultpublickey"]
|
||||
vault_salt:
|
||||
description: Vault salt.
|
||||
type: string
|
||||
aliases: ["ipavaultpublickey", "vault_public_key"]
|
||||
public_key_file:
|
||||
description: Path to file with public key.
|
||||
required: false
|
||||
type: list
|
||||
aliases: ["ipavaultsalt"]
|
||||
vault_password:
|
||||
type: string
|
||||
aliases: ["vault_public_key_file"]
|
||||
private_key:
|
||||
description: Base64 encode private key.
|
||||
required: false
|
||||
type: string
|
||||
aliases: ["ipavaultprivatekey", "vault_private_key"]
|
||||
private_key_file:
|
||||
description: Path to file with private key.
|
||||
required: false
|
||||
type: string
|
||||
aliases: ["vault_private_key_file"]
|
||||
password:
|
||||
description: password to be used on symmetric vault.
|
||||
required: false
|
||||
type: string
|
||||
aliases: ["ipavaultpassword"]
|
||||
aliases: ["ipavaultpassword", "vault_password"]
|
||||
password_file:
|
||||
description: file with password to be used on symmetric vault.
|
||||
required: false
|
||||
type: string
|
||||
aliases: ["ipavaultpassword", "vault_password"]
|
||||
salt:
|
||||
description: Vault salt.
|
||||
required: false
|
||||
type: list
|
||||
aliases: ["ipavaultsalt", "vault_salt"]
|
||||
vault_type:
|
||||
description: Vault types are based on security level.
|
||||
required: true
|
||||
@@ -79,11 +99,6 @@ options:
|
||||
description: Vault is shared.
|
||||
required: false
|
||||
type: boolean
|
||||
vault_data:
|
||||
description: Data to be stored in the vault.
|
||||
required: false
|
||||
type: string
|
||||
aliases: ["ipavaultdata"]
|
||||
owners:
|
||||
description: Users that are owners of the container.
|
||||
required: false
|
||||
@@ -100,6 +115,25 @@ options:
|
||||
description: Services that are member of the container.
|
||||
required: false
|
||||
type: list
|
||||
data:
|
||||
description: Data to be stored in the vault.
|
||||
required: false
|
||||
type: string
|
||||
aliases: ["ipavaultdata", "vault_data"]
|
||||
in:
|
||||
description: Path to file with data to be stored in the vault.
|
||||
required: false
|
||||
type: string
|
||||
aliases: ["datafile_in"]
|
||||
out:
|
||||
description: Path to file to store data retrieved from the vault.
|
||||
required: false
|
||||
type: string
|
||||
aliases: ["datafile_out"]
|
||||
retrieve:
|
||||
description: If set to True, retrieve data stored in the vault.
|
||||
required: false
|
||||
type: bool
|
||||
action:
|
||||
description: Work on vault or member level.
|
||||
default: vault
|
||||
@@ -118,9 +152,9 @@ EXAMPLES = """
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: admin
|
||||
vault_password: MyVaultPassword123
|
||||
vault_salt: MTIzNDU2Nzg5MAo=
|
||||
vault_type: symmetric
|
||||
password: SomeVAULTpassword
|
||||
salt: MTIzNDU2Nzg5MAo=
|
||||
|
||||
# Ensure group ipausers is a vault member.
|
||||
- ipavault:
|
||||
@@ -182,12 +216,24 @@ EXAMPLES = """
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: admin
|
||||
vault_password: MyVaultPassword123
|
||||
vault_data: >
|
||||
password: SomeVAULTpassword
|
||||
data: >
|
||||
Data archived.
|
||||
More data archived.
|
||||
action: member
|
||||
|
||||
# Retrieve data archived from a symmetric vault
|
||||
- ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: admin
|
||||
password: SomeVAULTpassword
|
||||
retrieve: yes
|
||||
action: member
|
||||
register: result
|
||||
- debug:
|
||||
msg: "{{ result.data | b64decode }}"
|
||||
|
||||
# Ensure vault symvault is absent
|
||||
- ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
@@ -202,7 +248,7 @@ EXAMPLES = """
|
||||
username: user01
|
||||
description: An asymmetric vault
|
||||
vault_type: asymmetric
|
||||
vault_public_key:
|
||||
public_key:
|
||||
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR
|
||||
HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi
|
||||
9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM
|
||||
@@ -215,11 +261,20 @@ EXAMPLES = """
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: asymvault
|
||||
username: admin
|
||||
vault_data: >
|
||||
data: >
|
||||
Data archived.
|
||||
More data archived.
|
||||
action: member
|
||||
|
||||
# Retrive data archived in an asymmetric vault
|
||||
- ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: asymvault
|
||||
username: admin
|
||||
retrieve: yes
|
||||
private_key:
|
||||
|
||||
|
||||
# Ensure asymmetric vault is absent.
|
||||
- ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
@@ -233,6 +288,7 @@ RETURN = """
|
||||
"""
|
||||
|
||||
import os
|
||||
from base64 import b64encode, b64decode
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
|
||||
temp_kdestroy, valid_creds, api_connect, api_command, \
|
||||
@@ -265,7 +321,8 @@ def find_vault(module, name, username, service, shared):
|
||||
|
||||
|
||||
def gen_args(description, username, service, shared, vault_type, salt,
|
||||
public_key, vault_data):
|
||||
password, password_file, public_key, public_key_file, vault_data,
|
||||
datafile_in, datafile_out):
|
||||
_args = {}
|
||||
|
||||
if description is not None:
|
||||
@@ -281,9 +338,11 @@ def gen_args(description, username, service, shared, vault_type, salt,
|
||||
if salt is not None:
|
||||
_args['ipavaultsalt'] = salt
|
||||
if public_key is not None:
|
||||
_args['ipavaultpublickey'] = public_key
|
||||
if vault_data is not None:
|
||||
_args['data'] = vault_data.encode('utf-8')
|
||||
_args['ipavaultpublickey'] = b64decode(public_key.encode('utf-8'))
|
||||
if public_key_file is not None:
|
||||
with open(public_key_file, 'r') as keyfile:
|
||||
keydata = keyfile.read()
|
||||
_args['ipavaultpublickey'] = keydata.strip().encode('utf-8')
|
||||
|
||||
return _args
|
||||
|
||||
@@ -306,7 +365,8 @@ def gen_member_args(args, users, groups, services):
|
||||
return _args
|
||||
|
||||
|
||||
def data_storage_args(args, data, password):
|
||||
def data_storage_args(args, data, password, password_file, private_key,
|
||||
private_key_file, retrieve, datafile_in, datafile_out):
|
||||
_args = {}
|
||||
|
||||
if 'username' in args:
|
||||
@@ -318,55 +378,117 @@ def data_storage_args(args, data, password):
|
||||
|
||||
if password is not None:
|
||||
_args['password'] = password
|
||||
if password_file is not None:
|
||||
_args['password_file'] = password_file
|
||||
|
||||
_args['data'] = data
|
||||
if private_key is not None:
|
||||
_args['private_key'] = private_key
|
||||
if private_key_file is not None:
|
||||
_args['private_key_file'] = private_key_file
|
||||
|
||||
if datafile_in is not None:
|
||||
_args['in'] = datafile_in
|
||||
else:
|
||||
if data is None:
|
||||
_args['data'] = b''
|
||||
else:
|
||||
_args['data'] = data.encode('utf-8')
|
||||
|
||||
if datafile_out is not None:
|
||||
_args['out'] = datafile_out
|
||||
|
||||
if private_key_file is not None:
|
||||
_args['private_key_file'] = private_key_file
|
||||
|
||||
return _args
|
||||
|
||||
|
||||
def check_parameters(module, state, action, description, username, service,
|
||||
shared, users, groups, services, owners, ownergroups,
|
||||
ownerservices, vault_type, salt, password, public_key,
|
||||
vault_data):
|
||||
ownerservices, vault_type, salt, password, password_file,
|
||||
public_key, public_key_file, private_key,
|
||||
private_key_file, retrieve, vault_data, datafile_in,
|
||||
datafile_out):
|
||||
invalid = []
|
||||
if state == "present":
|
||||
if action == "member":
|
||||
invalid = ['description', 'public_key', 'salt']
|
||||
|
||||
for param in invalid:
|
||||
if vars()[param] is not None:
|
||||
if salt is not None:
|
||||
if vault_type is not None and vault_type != "symmetric":
|
||||
module.fail_json(
|
||||
msg="Argument '%s' can not be used with action '%s'" %
|
||||
(param, action))
|
||||
msg="Attribute `salt` can only be used with `symmetric` "
|
||||
"vaults.")
|
||||
if not any([password, password_file]):
|
||||
module.fail_json(
|
||||
msg="Value of `salt` can only modified by providing "
|
||||
"vault password.")
|
||||
if action == "member":
|
||||
invalid = ['description']
|
||||
|
||||
if not retrieve:
|
||||
if datafile_out is not None:
|
||||
module.fail_json(
|
||||
msg="Retrieve must be enabled to use datafile_out.")
|
||||
|
||||
if any([private_key, private_key_file]):
|
||||
module.fail_json(
|
||||
msg="Attributes private_key and private_key_file can only "
|
||||
"be used when retrieving data from asymmetric vaults.")
|
||||
else:
|
||||
check = ['description', 'salt', 'datafile_in', 'users', 'groups',
|
||||
'owners', 'ownergroups', 'public_key', 'public_key_file',
|
||||
'vault_data']
|
||||
|
||||
for arg in check:
|
||||
if vars()[arg] is not None:
|
||||
module.fail_json(
|
||||
msg="`%s` cannot be used with `retrieve`." % arg)
|
||||
|
||||
elif state == "absent":
|
||||
invalid = ['description', 'salt']
|
||||
invalid = ['description', 'salt', 'vault_type', 'private_key',
|
||||
'private_key_file', 'retrieve', 'datafile_in',
|
||||
'datafile_out', 'vault_data']
|
||||
|
||||
if action == "vault":
|
||||
invalid.extend(['users', 'groups', 'services', 'owners',
|
||||
'ownergroups', 'ownerservices', 'password',
|
||||
'public_key'])
|
||||
'password_file', 'public_key', 'public_key_file'])
|
||||
|
||||
for arg in invalid:
|
||||
if vars()[arg] is not None:
|
||||
module.fail_json(
|
||||
msg="Argument '%s' can not be used with action '%s'" %
|
||||
(arg, state))
|
||||
for arg in invalid:
|
||||
if vars()[arg] is not None:
|
||||
module.fail_json(
|
||||
msg="Argument '%s' can not be used with state '%s', "
|
||||
"action '%s'" % (arg, state, action))
|
||||
|
||||
|
||||
def check_encryption_params(module, state, vault_type, password, public_key,
|
||||
vault_data, res_find):
|
||||
def check_encryption_params(module, state, vault_type, salt, password,
|
||||
password_file, public_key, public_key_file,
|
||||
private_key, private_key_file, retrieve,
|
||||
vault_data, datafile_in, datafile_out, res_find):
|
||||
vault_type_invalid = []
|
||||
if state == "present":
|
||||
if vault_type == "symmetric":
|
||||
if password is None \
|
||||
and (vault_data is not None or res_find is None):
|
||||
if vault_type == "standard":
|
||||
vault_type_invalid = ['public_key', 'public_key_file', 'password',
|
||||
'password_file', 'salt']
|
||||
|
||||
if vault_type is None or vault_type == "symmetric":
|
||||
vault_type_invalid = ['public_key', 'public_key_file',
|
||||
'private_key', 'private_key_file']
|
||||
if not any([password, password_file]):
|
||||
module.fail_json(
|
||||
msg="Vault password required for symmetric vault.")
|
||||
msg="Symmetric vault requires password or password_file "
|
||||
"to store data.")
|
||||
|
||||
if vault_type == "asymmetric":
|
||||
if public_key is None and res_find is None:
|
||||
vault_type_invalid = ['password', 'password_file']
|
||||
if not any([public_key, public_key_file]) and res_find is None:
|
||||
module.fail_json(
|
||||
msg="Public Key required for asymmetric vault.")
|
||||
msg="Assymmetric vault requires public_key "
|
||||
"or public_key_file to store data.")
|
||||
|
||||
for param in vault_type_invalid:
|
||||
if vars()[param] is not None:
|
||||
module.fail_json(
|
||||
msg="Argument '%s' cannot be used with vault type '%s'" %
|
||||
(param, vault_type or 'symmetric'))
|
||||
|
||||
|
||||
def main():
|
||||
@@ -379,16 +501,24 @@ def main():
|
||||
name=dict(type="list", aliases=["cn"], default=None,
|
||||
required=True),
|
||||
|
||||
# present
|
||||
|
||||
description=dict(required=False, type="str", default=None),
|
||||
vault_type=dict(type="str", aliases=["ipavaulttype"],
|
||||
default=None, required=False,
|
||||
choices=["standard", "symmetric", "asymmetric"]),
|
||||
vault_public_key=dict(type="str", required=False, default=None,
|
||||
aliases=['ipavaultpublickey']),
|
||||
aliases=['ipavaultpublickey', 'public_key']),
|
||||
vault_public_key_file=dict(type="str", required=False,
|
||||
default=None,
|
||||
aliases=['public_key_file']),
|
||||
vault_private_key=dict(
|
||||
type="str", required=False, default=None, no_log=True,
|
||||
aliases=['ipavaultprivatekey', 'private_key']),
|
||||
vault_private_key_file=dict(type="str", required=False,
|
||||
default=None,
|
||||
aliases=['private_key_file']),
|
||||
retrieve=dict(type="bool", required=False, default=None),
|
||||
vault_salt=dict(type="str", required=False, default=None,
|
||||
aliases=['ipavaultsalt']),
|
||||
aliases=['ipavaultsalt', 'salt']),
|
||||
username=dict(type="str", required=False, default=None,
|
||||
aliases=['user']),
|
||||
service=dict(type="str", required=False, default=None),
|
||||
@@ -402,10 +532,16 @@ def main():
|
||||
ownergroups=dict(required=False, type='list', default=None),
|
||||
ownerservices=dict(required=False, type='list', default=None),
|
||||
vault_data=dict(type="str", required=False, default=None,
|
||||
aliases=['ipavaultdata']),
|
||||
no_log=True, aliases=['ipavaultdata', 'data']),
|
||||
datafile_in=dict(type="str", required=False, default=None,
|
||||
aliases=['in']),
|
||||
datafile_out=dict(type="str", required=False, default=None,
|
||||
aliases=['out']),
|
||||
vault_password=dict(type="str", required=False, default=None,
|
||||
no_log=True, aliases=['ipavaultpassword']),
|
||||
|
||||
aliases=['ipavaultpassword', 'password'],
|
||||
no_log=True),
|
||||
vault_password_file=dict(type="str", required=False, default=None,
|
||||
no_log=False, aliases=['password_file']),
|
||||
# state
|
||||
action=dict(type="str", default="vault",
|
||||
choices=["vault", "data", "member"]),
|
||||
@@ -413,7 +549,10 @@ def main():
|
||||
choices=["present", "absent"]),
|
||||
),
|
||||
supports_check_mode=True,
|
||||
mutually_exclusive=[['username', 'service', 'shared']],
|
||||
mutually_exclusive=[['username', 'service', 'shared'],
|
||||
['datafile_in', 'vault_data'],
|
||||
['vault_password', 'vault_password_file'],
|
||||
['vault_public_key', 'vault_public_key_file']],
|
||||
)
|
||||
|
||||
ansible_module._ansible_debug = True
|
||||
@@ -441,12 +580,22 @@ def main():
|
||||
vault_type = module_params_get(ansible_module, "vault_type")
|
||||
salt = module_params_get(ansible_module, "vault_salt")
|
||||
password = module_params_get(ansible_module, "vault_password")
|
||||
password_file = module_params_get(ansible_module, "vault_password_file")
|
||||
public_key = module_params_get(ansible_module, "vault_public_key")
|
||||
public_key_file = module_params_get(ansible_module,
|
||||
"vault_public_key_file")
|
||||
private_key = module_params_get(ansible_module, "vault_private_key")
|
||||
private_key_file = module_params_get(ansible_module,
|
||||
"vault_private_key_file")
|
||||
|
||||
vault_data = module_params_get(ansible_module, "vault_data")
|
||||
|
||||
datafile_in = module_params_get(ansible_module, "datafile_in")
|
||||
datafile_out = module_params_get(ansible_module, "datafile_out")
|
||||
|
||||
retrieve = module_params_get(ansible_module, "retrieve")
|
||||
|
||||
action = module_params_get(ansible_module, "action")
|
||||
# state
|
||||
state = module_params_get(ansible_module, "state")
|
||||
|
||||
# Check parameters
|
||||
@@ -466,7 +615,9 @@ def main():
|
||||
check_parameters(ansible_module, state, action, description, username,
|
||||
service, shared, users, groups, services, owners,
|
||||
ownergroups, ownerservices, vault_type, salt, password,
|
||||
public_key, vault_data)
|
||||
password_file, public_key, public_key_file, private_key,
|
||||
private_key_file, retrieve, vault_data, datafile_in,
|
||||
datafile_out)
|
||||
# Init
|
||||
|
||||
changed = False
|
||||
@@ -492,7 +643,10 @@ def main():
|
||||
|
||||
# Generate args
|
||||
args = gen_args(description, username, service, shared, vault_type,
|
||||
salt, public_key, vault_data)
|
||||
salt, password, password_file, public_key,
|
||||
public_key_file, vault_data, datafile_in,
|
||||
datafile_out)
|
||||
pwdargs = None
|
||||
|
||||
# Set default vault_type if needed.
|
||||
if vault_type is None and vault_data is not None:
|
||||
@@ -503,8 +657,11 @@ def main():
|
||||
args['ipavaulttype'] = vault_type = "symmetric"
|
||||
|
||||
# verify data encription args
|
||||
check_encryption_params(ansible_module, state, vault_type,
|
||||
password, public_key, vault_data, res_find)
|
||||
check_encryption_params(ansible_module, state, vault_type, salt,
|
||||
password, password_file, public_key,
|
||||
public_key_file, private_key,
|
||||
private_key_file, retrieve, vault_data,
|
||||
datafile_in, datafile_out, res_find)
|
||||
|
||||
# Create command
|
||||
if state == "present":
|
||||
@@ -518,16 +675,13 @@ def main():
|
||||
if not compare_args_ipa(ansible_module, args,
|
||||
res_find):
|
||||
commands.append([name, "vault_mod_internal", args])
|
||||
else:
|
||||
if 'ipavaultsault' not in args:
|
||||
args['ipavaultsalt'] = os.urandom(32)
|
||||
commands.append([name, "vault_add_internal", args])
|
||||
# archive empty data to set password
|
||||
pwdargs = data_storage_args(
|
||||
args, args.get('data', ''), password)
|
||||
commands.append([name, "vault_archive", pwdargs])
|
||||
|
||||
# Set res_find to empty dict for next step # noqa
|
||||
else:
|
||||
commands.append([name, "vault_add_internal", args])
|
||||
if vault_type != 'standard' and vault_data is None:
|
||||
vault_data = ''
|
||||
|
||||
# Set res_find to empty dict for next steps
|
||||
res_find = {}
|
||||
|
||||
# Generate adittion and removal lists
|
||||
@@ -576,6 +730,10 @@ def main():
|
||||
commands.append(
|
||||
[name, 'vault_remove_owner', owner_del_args])
|
||||
|
||||
if vault_type == 'symmetric' \
|
||||
and 'ipavaultsalt' not in args:
|
||||
args['ipavaultsalt'] = os.urandom(32)
|
||||
|
||||
elif action in "member":
|
||||
# Add users and groups
|
||||
if any([users, groups, services]):
|
||||
@@ -587,10 +745,16 @@ def main():
|
||||
ownerservices)
|
||||
commands.append([name, 'vault_add_owner', owner_args])
|
||||
|
||||
if vault_data is not None:
|
||||
data_args = data_storage_args(
|
||||
args, args.get('data', ''), password)
|
||||
commands.append([name, 'vault_archive', data_args])
|
||||
pwdargs = data_storage_args(
|
||||
args, vault_data, password, password_file,
|
||||
private_key, private_key_file, retrieve, datafile_in,
|
||||
datafile_out)
|
||||
if any([vault_data, datafile_in]):
|
||||
commands.append([name, "vault_archive", pwdargs])
|
||||
if retrieve:
|
||||
if 'data' in pwdargs:
|
||||
del pwdargs['data']
|
||||
commands.append([name, "vault_retrieve", pwdargs])
|
||||
|
||||
elif state == "absent":
|
||||
if 'ipavaulttype' in args:
|
||||
@@ -629,6 +793,9 @@ def main():
|
||||
|
||||
if command == 'vault_archive':
|
||||
changed = 'Archived data into' in result['summary']
|
||||
elif command == 'vault_retrieve':
|
||||
exit_args['data'] = b64encode(result['result']['data'])
|
||||
changed = False
|
||||
else:
|
||||
if "completed" in result:
|
||||
if result["completed"] > 0:
|
||||
|
||||
1
tests/vault/in.txt
Normal file
1
tests/vault/in.txt
Normal file
@@ -0,0 +1 @@
|
||||
Another World.
|
||||
1
tests/vault/password.txt
Normal file
1
tests/vault/password.txt
Normal file
@@ -0,0 +1 @@
|
||||
SomeVAULTpassword
|
||||
27
tests/vault/private.pem
Normal file
27
tests/vault/private.pem
Normal file
@@ -0,0 +1,27 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEowIBAAKCAQEArM5/f6dd/YIm/a9eoGVTW8jobEgrf9PXRA3aHsA7kJo6fB18
|
||||
HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJeqXESZ+gVCVmigRzmKWK2ad9agmY
|
||||
SiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGsZIDG+WVES5W89K+L0bwVjq4tshhe
|
||||
DMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4fh0fGk5tbIYa0bhwMUpL+WHOm6nbd
|
||||
+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZkUmk3apMnzknNaTqguAQdTn79G8P
|
||||
qrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJdwIDAQABAoIBAA6e9iit14UAgx4J
|
||||
vX7is9fbOtcWkB+jo94NMfxSFXgZpIMl139oQMqK97KjxsHqAaDVe7mMLH5EP96J
|
||||
7M3O5g4rgl0cVWtpMrDQyZsLvqDFzBWxtCHqVPAruumUZhsSJ3lROQro8ag/w5bf
|
||||
5tC5ogVq4+rsB4hBphgp1jGrsUM+E8O7DXXFH68F8WgBi725WvcjnbI9irkb0Gcq
|
||||
1bCPJwN3fA1i2VWiRwVYWbNTWnDoNM9ZdYYxK0kuUkD+QtreycWPf9V49lvUi1Vp
|
||||
FVNmBUDvGK3K1MwbgXRwOXhacY7Ptjkdvaeb2Qcu5RjTkruGhzUYsOP3p/cw+wKV
|
||||
vzQqceECgYEA5Wz7V2SlRa2r//z+ETQkJfENJ0KDnCb0pMClCQh3jTNPA6DbhiMk
|
||||
FTkcoNbqcpTiVSlvhh6TKscSgqYQUjQ/OqyG7SkjKVjQ72j5beQLxiLTtUyj1OmP
|
||||
Xh9cWJXx8iQ+45cPon+kMOAIiTwiB3mmFRfQjIGve1DPUo9J+NZ4XdECgYEAwNKg
|
||||
OdGYxxKtCrXVz1mdg6PDlV8qh7nxxZbPch+aMIQl1+oTCgSiw8oOYEd8g0HOdV6t
|
||||
1G+IWhvPxiiWy3/AE0QhgoKk2GUsSjWSMLcJbaUzDoEHFjTLjecRlqdzo7qxRXqB
|
||||
meN4L5WJYKnLC482K7hvufS+uo5fB5qwPmt13McCgYAe4TVPRP+tyjttYCr+O8tl
|
||||
w/UmRKCcQu4Iwtkzxwz4V2CaN2t0uYQgyygcSfESbRGtrr8RCUp7poHKTfnCZr/f
|
||||
8NrUTwYpiYfNwY5ZCSnAiG2AaIlgnfMrEwOF9OC028YPMgTrtUxvO6hKeGqIIQqG
|
||||
qkbqsoXhDjZpgVnOgWeAEQKBgGuiZ0w/IqAlXbC31fUb2iBMfvXXnJ8M/dfFGmFj
|
||||
IKfqbFF9WUljUxQlqya1YNzIFB5STohiBeP+2FmN+Lb5xdc7VdVLZgdhWnrGMqe8
|
||||
1Kd+6uQyxCjyKZo5nQjSymtf4GqfOs8TOdieCYSK40u9koiPONa9tuXeaU+OWslN
|
||||
JQqrAoGBAJ3MKOvsnQzuZVP2vz0ZqLwIE3XjRiFGveVpizq4hwOVeuNsV08JvA0t
|
||||
pueNIy9klPScFc9OUdiZWkEX09BwJkVIrOHotuSB8AStO5UAntNnuyWLJEFC4Uq4
|
||||
GpB8lbj9jkxSKaU7X3Gac23K9JL8euLh7E7rPuZRYa6mYN4nbKqu
|
||||
-----END RSA PRIVATE KEY-----
|
||||
9
tests/vault/public.pem
Normal file
9
tests/vault/public.pem
Normal file
@@ -0,0 +1,9 @@
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArM5/f6dd/YIm/a9eoGVT
|
||||
W8jobEgrf9PXRA3aHsA7kJo6fB18HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJ
|
||||
eqXESZ+gVCVmigRzmKWK2ad9agmYSiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGs
|
||||
ZIDG+WVES5W89K+L0bwVjq4tshheDMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4f
|
||||
h0fGk5tbIYa0bhwMUpL+WHOm6nbd+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZ
|
||||
kUmk3apMnzknNaTqguAQdTn79G8PqrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJ
|
||||
dwIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
@@ -3,10 +3,31 @@
|
||||
- name: Test vault
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
gather_facts: false
|
||||
# Need to gather facts for ansible_env.
|
||||
gather_facts: true
|
||||
|
||||
tasks:
|
||||
|
||||
- name: Copy password file to target host.
|
||||
copy:
|
||||
src: "{{ playbook_dir }}/password.txt"
|
||||
dest: "{{ ansible_env.HOME }}/password.txt"
|
||||
|
||||
- name: Copy public key file to target host.
|
||||
copy:
|
||||
src: "{{ playbook_dir }}/public.pem"
|
||||
dest: "{{ ansible_env.HOME }}/public.pem"
|
||||
|
||||
- name: Copy private key file to target host.
|
||||
copy:
|
||||
src: "{{ playbook_dir }}/private.pem"
|
||||
dest: "{{ ansible_env.HOME }}/private.pem"
|
||||
|
||||
- name: Copy input data file to target host.
|
||||
copy:
|
||||
src: "{{ playbook_dir }}/in.txt"
|
||||
dest: "{{ ansible_env.HOME }}/in.txt"
|
||||
|
||||
- name: Ensure user vaults are absent
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
@@ -118,7 +139,7 @@
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: user01
|
||||
vault_password: MyVaultPassword123
|
||||
vault_password: SomeVAULTpassword
|
||||
vault_type: symmetric
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
@@ -128,7 +149,7 @@
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: user01
|
||||
vault_password: MyVaultPassword123
|
||||
vault_password: SomeVAULTpassword
|
||||
vault_type: symmetric
|
||||
register: result
|
||||
failed_when: result.changed
|
||||
@@ -138,9 +159,8 @@
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: user01
|
||||
vault_password: MyVaultPassword123
|
||||
vault_password: SomeVAULTpassword
|
||||
vault_data: Hello World.
|
||||
action: member
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
|
||||
@@ -149,9 +169,8 @@
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: user01
|
||||
vault_password: MyVaultPassword123
|
||||
vault_password: SomeVAULTpassword
|
||||
vault_data: The world of π is half rounded.
|
||||
action: member
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
|
||||
@@ -173,19 +192,113 @@
|
||||
register: result
|
||||
failed_when: result.changed
|
||||
|
||||
- name: Ensure symmetric vault is present
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: user01
|
||||
vault_password: SomeVAULTpassword
|
||||
vault_type: symmetric
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
|
||||
- name: Ensure symmetric vault is present, with a different password
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: user01
|
||||
vault_password: SomeOtherVAULTpassword
|
||||
vault_type: symmetric
|
||||
register: result
|
||||
failed_when: result.changed
|
||||
|
||||
- name: Ensure symmetric vault is absent
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: user01
|
||||
state: absent
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
|
||||
|
||||
- name: Ensure symmetric vault is present, with password from file.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: user01
|
||||
vault_password_file: "{{ ansible_env.HOME }}/password.txt"
|
||||
vault_type: symmetric
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
|
||||
- name: Ensure symmetric vault is present, with password from file, again.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: symvault
|
||||
username: user01
|
||||
vault_password_file: password.txt
|
||||
vault_type: symmetric
|
||||
register: result
|
||||
failed_when: result.changed
|
||||
|
||||
- name: Ensure asymmetric vault is present, with public key file.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: asymvault
|
||||
username: admin
|
||||
description: An asymmetric private vault.
|
||||
public_key_file: "{{ ansible_env.HOME }}/public.pem"
|
||||
vault_type: asymmetric
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
|
||||
- name: Ensure asymmetric vault is present, with public key file, again.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: asymvault
|
||||
username: admin
|
||||
description: An asymmetric private vault.
|
||||
public_key_file: "{{ ansible_env.HOME }}/public.pem"
|
||||
vault_type: asymmetric
|
||||
register: result
|
||||
failed_when: result.changed
|
||||
|
||||
- name: Archive data in asymmetric vault.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: asymvault
|
||||
username: admin
|
||||
vault_data: Hello World.
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
|
||||
- name: Ensure asymmetric vault is absent.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: asymvault
|
||||
username: admin
|
||||
state: absent
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
|
||||
- name: Ensure asymmetric vault is absent, again.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: asymvault
|
||||
username: admin
|
||||
state: absent
|
||||
register: result
|
||||
failed_when: result.changed
|
||||
|
||||
- name: Ensure asymmetric vault is present.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: asymvault
|
||||
username: user01
|
||||
description: A symmetric private vault.
|
||||
description: An asymmetric private vault.
|
||||
vault_public_key:
|
||||
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR
|
||||
HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi
|
||||
9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM
|
||||
295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlV
|
||||
bFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVk
|
||||
tLS0tLQo=
|
||||
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFyTTUvZjZkZC9ZSW0vYTllb0dWVApXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4SEQ0K1JWVXd4L2xxbGtQWWJVaTliWFYvckpBa1V3QUVET25KCmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVlTaXF5eU54RklKdlpBbzBkRzRDQVdqWUsyN3RMZzRJaDZvR3MKWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZURNTzU3dW52bUlLRW1hQkUwZXdQZnZrZFpoNWs4R3RzOUg0ZgpoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkK243QmJhVmM4MjBUZ1pETy9yU1l0bnVYYUljNld4MFU5TFhaCmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFBxckdxbXlXZC9FMWNIMmI1anpJeGlHbzhwc0w1c3hXVlk3V0oKZHdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
|
||||
vault_type: asymmetric
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
@@ -195,13 +308,9 @@
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: asymvault
|
||||
username: user01
|
||||
description: An asymmetric private vault.
|
||||
vault_public_key:
|
||||
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR
|
||||
HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi
|
||||
9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM
|
||||
295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlV
|
||||
bFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVk
|
||||
tLS0tLQo=
|
||||
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFyTTUvZjZkZC9ZSW0vYTllb0dWVApXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4SEQ0K1JWVXd4L2xxbGtQWWJVaTliWFYvckpBa1V3QUVET25KCmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVlTaXF5eU54RklKdlpBbzBkRzRDQVdqWUsyN3RMZzRJaDZvR3MKWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZURNTzU3dW52bUlLRW1hQkUwZXdQZnZrZFpoNWs4R3RzOUg0ZgpoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkK243QmJhVmM4MjBUZ1pETy9yU1l0bnVYYUljNld4MFU5TFhaCmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFBxckdxbXlXZC9FMWNIMmI1anpJeGlHbzhwc0w1c3hXVlk3V0oKZHdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
|
||||
vault_type: asymmetric
|
||||
register: result
|
||||
failed_when: result.changed
|
||||
@@ -212,10 +321,32 @@
|
||||
name: asymvault
|
||||
username: user01
|
||||
vault_data: Hello World.
|
||||
action: member
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
|
||||
- name: Retrieve data from asymmetric vault.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: asymvault
|
||||
username: user01
|
||||
vault_type: asymmetric
|
||||
retrieve: true
|
||||
private_key:
|
||||
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBck01L2Y2ZGQvWUltL2E5ZW9HVlRXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4CkhENCtSVlV3eC9scWxrUFliVWk5YlhWL3JKQWtVd0FFRE9uSmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVkKU2lxeXlOeEZJSnZaQW8wZEc0Q0FXallLMjd0TGc0SWg2b0dzWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZQpETU81N3Vudm1JS0VtYUJFMGV3UGZ2a2RaaDVrOEd0czlINGZoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkCituN0JiYVZjODIwVGdaRE8vclNZdG51WGFJYzZXeDBVOUxYWmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFAKcXJHcW15V2QvRTFjSDJiNWp6SXhpR284cHNMNXN4V1ZZN1dKZHdJREFRQUJBb0lCQUE2ZTlpaXQxNFVBZ3g0Sgp2WDdpczlmYk90Y1drQitqbzk0Tk1meFNGWGdacElNbDEzOW9RTXFLOTdLanhzSHFBYURWZTdtTUxINUVQOTZKCjdNM081ZzRyZ2wwY1ZXdHBNckRReVpzTHZxREZ6Qld4dENIcVZQQXJ1dW1VWmhzU0ozbFJPUXJvOGFnL3c1YmYKNXRDNW9nVnE0K3JzQjRoQnBoZ3Axakdyc1VNK0U4TzdEWFhGSDY4RjhXZ0JpNzI1V3Zjam5iSTlpcmtiMEdjcQoxYkNQSndOM2ZBMWkyVldpUndWWVdiTlRXbkRvTk05WmRZWXhLMGt1VWtEK1F0cmV5Y1dQZjlWNDlsdlVpMVZwCkZWTm1CVUR2R0szSzFNd2JnWFJ3T1hoYWNZN1B0amtkdmFlYjJRY3U1UmpUa3J1R2h6VVlzT1AzcC9jdyt3S1YKdnpRcWNlRUNnWUVBNVd6N1YyU2xSYTJyLy96K0VUUWtKZkVOSjBLRG5DYjBwTUNsQ1FoM2pUTlBBNkRiaGlNawpGVGtjb05icWNwVGlWU2x2aGg2VEtzY1NncVlRVWpRL09xeUc3U2tqS1ZqUTcyajViZVFMeGlMVHRVeWoxT21QClhoOWNXSlh4OGlRKzQ1Y1BvbitrTU9BSWlUd2lCM21tRlJmUWpJR3ZlMURQVW85SitOWjRYZEVDZ1lFQXdOS2cKT2RHWXh4S3RDclhWejFtZGc2UERsVjhxaDdueHhaYlBjaCthTUlRbDErb1RDZ1NpdzhvT1lFZDhnMEhPZFY2dAoxRytJV2h2UHhpaVd5My9BRTBRaGdvS2syR1VzU2pXU01MY0piYVV6RG9FSEZqVExqZWNSbHFkem83cXhSWHFCCm1lTjRMNVdKWUtuTEM0ODJLN2h2dWZTK3VvNWZCNXF3UG10MTNNY0NnWUFlNFRWUFJQK3R5anR0WUNyK084dGwKdy9VbVJLQ2NRdTRJd3Rrenh3ejRWMkNhTjJ0MHVZUWd5eWdjU2ZFU2JSR3RycjhSQ1VwN3BvSEtUZm5DWnIvZgo4TnJVVHdZcGlZZk53WTVaQ1NuQWlHMkFhSWxnbmZNckV3T0Y5T0MwMjhZUE1nVHJ0VXh2TzZoS2VHcUlJUXFHCnFrYnFzb1hoRGpacGdWbk9nV2VBRVFLQmdHdWlaMHcvSXFBbFhiQzMxZlViMmlCTWZ2WFhuSjhNL2RmRkdtRmoKSUtmcWJGRjlXVWxqVXhRbHF5YTFZTnpJRkI1U1RvaGlCZVArMkZtTitMYjV4ZGM3VmRWTFpnZGhXbnJHTXFlOAoxS2QrNnVReXhDanlLWm81blFqU3ltdGY0R3FmT3M4VE9kaWVDWVNLNDB1OWtvaVBPTmE5dHVYZWFVK09Xc2xOCkpRcXJBb0dCQUozTUtPdnNuUXp1WlZQMnZ6MFpxTHdJRTNYalJpRkd2ZVZwaXpxNGh3T1ZldU5zVjA4SnZBMHQKcHVlTkl5OWtsUFNjRmM5T1VkaVpXa0VYMDlCd0prVklyT0hvdHVTQjhBU3RPNVVBbnRObnV5V0xKRUZDNFVxNApHcEI4bGJqOWpreFNLYVU3WDNHYWMyM0s5Skw4ZXVMaDdFN3JQdVpSWWE2bVlONG5iS3F1Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
|
||||
register: result
|
||||
failed_when: result.data | b64decode != 'Hello World.' or result.changed
|
||||
|
||||
- name: Retrieve data from asymmetric vault, with private key file.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: asymvault
|
||||
username: user01
|
||||
vault_type: asymmetric
|
||||
retrieve: true
|
||||
private_key_file: "{{ ansible_env.HOME }}/private.pem"
|
||||
register: result
|
||||
failed_when: result.data | b64decode != 'Hello World.' or result.changed
|
||||
|
||||
- name: Ensure asymmetric vault is absent.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
@@ -260,10 +391,44 @@
|
||||
name: stdvault
|
||||
username: user01
|
||||
vault_data: Hello World.
|
||||
action: member
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
|
||||
- name: Retrieve data from standard vault.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: stdvault
|
||||
username: user01
|
||||
retrieve: yes
|
||||
out: "{{ ansible_env.HOME }}/data.txt"
|
||||
register: result
|
||||
failed_when: result.changed
|
||||
|
||||
- name: Verify retrieved data.
|
||||
slurp:
|
||||
src: "{{ ansible_env.HOME }}/data.txt"
|
||||
register: slurpfile
|
||||
failed_when: slurpfile['content'] | b64decode != 'Hello World.'
|
||||
|
||||
- name: Archive data in standard vault.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: stdvault
|
||||
username: user01
|
||||
in: "{{ ansible_env.HOME }}/in.txt"
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
|
||||
- name: Retrieve data from standard vault.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: stdvault
|
||||
username: user01
|
||||
vault_type: standard
|
||||
retrieve: true
|
||||
register: result
|
||||
failed_when: result.data | b64decode != 'Another World.' or result.changed
|
||||
|
||||
- name: Ensure standard vault member user is present.
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
@@ -454,7 +619,7 @@
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: sharedvault
|
||||
shared: True
|
||||
ipavaultpassword: MyVaultPassword123
|
||||
ipavaultpassword: SomeVAULTpassword
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
|
||||
@@ -471,7 +636,7 @@
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: svcvault
|
||||
ipavaultpassword: MyVaultPassword123
|
||||
ipavaultpassword: SomeVAULTpassword
|
||||
service: "HTTP/{{ groups.ipaserver[0] }}"
|
||||
register: result
|
||||
failed_when: not result.changed
|
||||
@@ -689,7 +854,7 @@
|
||||
state: absent
|
||||
|
||||
# cleaup
|
||||
- name: Ensure test vaults are absent
|
||||
- name: Ensure user01 vaults are absent
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name:
|
||||
@@ -699,6 +864,16 @@
|
||||
username: user01
|
||||
state: absent
|
||||
|
||||
- name: Ensure test vaults are absent
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name:
|
||||
- stdvault
|
||||
- symvault
|
||||
- asymvault
|
||||
username: admin
|
||||
state: absent
|
||||
|
||||
- name: Ensure shared vaults are absent
|
||||
ipavault:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
@@ -727,3 +902,28 @@
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: vaultgroup
|
||||
state: absent
|
||||
|
||||
- name: Remove password file from target host.
|
||||
file:
|
||||
path: "{{ ansible_env.HOME }}/password.txt"
|
||||
state: absent
|
||||
|
||||
- name: Remove public key file from target host.
|
||||
file:
|
||||
path: "{{ ansible_env.HOME }}/public.pem"
|
||||
state: absent
|
||||
|
||||
- name: Remove private key file from target host.
|
||||
file:
|
||||
path: "{{ ansible_env.HOME }}/private.pem"
|
||||
state: absent
|
||||
|
||||
- name: Remove output data file from target host.
|
||||
file:
|
||||
path: "{{ ansible_env.HOME }}/data.txt"
|
||||
state: absent
|
||||
|
||||
- name: Remove input data file from target host.
|
||||
file:
|
||||
path: "{{ ansible_env.HOME }}/in.txt"
|
||||
state: absent
|
||||
|
||||
Reference in New Issue
Block a user