diff options
Diffstat (limited to '')
152 files changed, 8510 insertions, 0 deletions
diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/.codeclimate.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/.codeclimate.yml new file mode 100644 index 00000000..40b46a5f --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/.codeclimate.yml @@ -0,0 +1,162 @@ +# This is our default .CodeClimate.yml, broken out by language. Uncomment the +# sections at the bottom that apply to your project. ACTION comments indicate +# places where config might need to be tweaked. + +version: "2" + +plugins: + +# --------------- +# Cross-language plugins. Should always be on. + + duplication: # Looks for similar and identical code blocks + enabled: true + config: + languages: + go: + java: + javascript: + php: + python: + python_version: 3 # ACTION Comment this out if using Python 2 + ruby: + swift: + typescript: + + fixme: # Flags any FIXME, TODO, BUG, XXX, HACK comments so they can be fixed + enabled: true + config: + strings: + - FIXME + - TODO + - HACK + - XXX + - BUG + +# --------------- +# Commonly-used languages - run time is minimal and all of these will work +# whether files of that language are found or not. In general, leave uncommented + + # Markdown + markdownlint: + enabled: true + + # Go + gofmt: + enabled: true + golint: + enabled: true + govet: + enabled: true + + # Ruby + flog: + enabled: true + reek: + enabled: true + rubocop: + enabled: true + channel: rubocop-0-79 # As of March 10, 2020, rubocop 0.80.1 is the latest + # However, it does not work with CodeClimate - throws + # an Invalid JSON error. + # ACTION uncomment bundler-audit below if using Gemfile/Gemfile.lock + # ACTION uncomment brakeman below if using Rails + + # Shell scripts + shellcheck: + enabled: true + +# --------------- +# Other languages - will work with or without language files present. Again, +# runtime is minimal, so OK to leave uncommented. + + # CoffeeScript + coffeelint: + enabled: true + + # CSS + csslint: + enabled: true + + # Groovy + codenarc: + enabled: true + + # Java + pmd: + enabled: true + sonar-java: + enabled: true + config: + sonar.java.source: "7" # ACTION set this to the major version of Java used + # ACTION uncomment checkstyle below if Java code exists in repo + + # Node.js + nodesecurity: + enabled: true + # ACTION uncomment eslint below if JavaScript already exists and .eslintrc + # file exists in repo + + # PHP + phan: + enabled: true + config: + file_extensions: "php" + phpcodesniffer: + enabled: true + config: + file_extensions: "php,inc,lib" + # Using Wordpress standards as our one PHP repo is a Wordpress theme + standards: "PSR1,PSR2,WordPress,WordPress-Core,WordPress-Extra" + phpmd: + enabled: true + config: + file_extensions: "php,inc,lib" + rulesets: "cleancode,codesize,controversial,naming,unusedcode" + sonar-php: + enabled: true + + # Python + bandit: + enabled: true + pep8: + enabled: true + radon: + enabled: true + # config: + # python_version: 2 # ACTION Uncomment these 2 lines if using Python 2 + sonar-python: + enabled: true + +# --------------- +# Configuration Required Language specific - these will error and abort the +# codeclimate run if they are turned on and certain files or configuration are +# missing. Should be commented out unless the project already includes the +# necessary files that the linter looks at + + # Ruby - requires presence of Gemfile and Gemfile.lock + # bundler-audit: + # enabled: true + + # Rails - requires detecting a Rails application + # brakeman: + # enabled: true + + # Chef - requires detecting a cookbook + # foodcritic: + # enabled: true + + # Java - might require Java code? Errored when run without + # checkstyle: + # enabled: true + + # JavaScript - requires an eslintrc to be created and added to project + # eslint: + # enabled: true + # channel: "eslint-6" + +# --------------- +# List any files/folders to exclude from checking. Wildcards accepted. Leave +# commented if no files to exclude as an empty array will error +exclude_patterns: + - ".gitignore" diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/.github/CODEOWNERS b/collections-debian-merged/ansible_collections/cyberark/conjur/.github/CODEOWNERS new file mode 100644 index 00000000..7e099ff5 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/.github/CODEOWNERS @@ -0,0 +1,10 @@ +* @cyberark/community-and-integrations-team @conjurinc/community-and-integrations-team @conjurdemos/community-and-integrations-team + +# Changes to .trivyignore require Security Architect approval +.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects + +# Changes to .codeclimate.yml require Quality Architect approval +.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects + +# Changes to SECURITY.md require Security Architect approval +SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/.github/ISSUE_TEMPLATE/bug.md b/collections-debian-merged/ansible_collections/cyberark/conjur/.github/ISSUE_TEMPLATE/bug.md new file mode 100644 index 00000000..e91ec392 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/.github/ISSUE_TEMPLATE/bug.md @@ -0,0 +1,42 @@ +--- +name: Bug +about: Create a bug report to help us improve +title: '' +labels: kind/bug, component/ansible +assignees: '' + +--- + +## Summary +A clear and concise description of what the bug is. + +## Steps to Reproduce +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +## Expected Results +A clear and concise description of what you expected to happen. + +## Actual Results (including error logs, if applicable) +A clear and concise description of what actually did happen. + +## Reproducible + * [ ] Always + * [ ] Sometimes + * [ ] Non-Reproducible + +## Version/Tag number +What version of the product are you running? Any version info that you can share is helpful. +For example, you might give the version from Docker logs, the Docker tag, a specific download URL, +the output of the `/info` route, etc. + +## Environment setup +Can you describe the environment in which this product is running? Is it running on a VM / in a container / in a cloud? +Which cloud provider? Which container orchestrator (including version)? +The more info you can share about your runtime environment, the better we may be able to reproduce the issue. + +## Additional Information +Add any other context about the problem here.
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/.github/ISSUE_TEMPLATE/feature_request.md b/collections-debian-merged/ansible_collections/cyberark/conjur/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 00000000..ee0caeee --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,27 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: kind/enhancement, component/ansible +assignees: '' + +--- + +## Is your feature request related to a problem? Please describe. + +A clear and concise description of what the problem is. Ex. `I would like to see [...] because [...]`. +Please include the intended use case and what the feature would improve on so that we can prioritize +the feature accordingly. + +## Describe the solution you would like + +A clear and concise description of what the desired end result(s) would be. + +## Describe alternatives you have considered + +A clear and concise description of any alternative solutions or features that may be related to this that +you have considered. + +## Additional context + +Add any other context information about the feature request here. diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/.github/PULL_REQUEST_TEMPLATE.md b/collections-debian-merged/ansible_collections/cyberark/conjur/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 00000000..66fbb939 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,21 @@ +### What does this PR do? +- _What's changed? Why were these changes made?_ +- _How should the reviewer approach this PR, especially if manual tests are required?_ +- _Are there relevant screenshots you can add to the PR description?_ + +### What ticket does this PR close? +Resolves #[relevant GitHub issues, eg 76] + +### Checklists + +#### Change log +- [ ] The CHANGELOG has been updated, or +- [ ] This PR does not include user-facing changes and doesn't require a CHANGELOG update + +#### Test coverage +- [ ] This PR includes new unit and integration tests to go with the code changes, or +- [ ] The changes in this PR do not require tests + +#### Documentation +- [ ] Docs (e.g. `README`s) were updated in this PR, and/or there is a follow-on issue to update docs, or +- [ ] This PR does not require updating any documentation
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/.github/workflows/ansible-test.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/.github/workflows/ansible-test.yml new file mode 100644 index 00000000..d460e5e3 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/.github/workflows/ansible-test.yml @@ -0,0 +1,67 @@ +# This file implements a Github action to run Ansible collection sanity tests +# on the Conjur Ansible Collection. The Ansible collection sanity tests are +# run across the following matrices: +# +#Ansible versions: +# - stable-2.9 +# - stable-2.10 +# - devel +# +#Python versions: +# - Python 2.7 +# - Python 3.7 +# - Python 3.8 + +name: CI +on: +# Run CI against all pushes (direct commits) and Pull Requests +- push +- pull_request + +jobs: + +### +# Sanity tests (REQUIRED) +# +# https://docs.ansible.com/ansible/latest/dev_guide/testing_sanity.html + + sanity: + name: Sanity (${{ matrix.ansible }}+py${{ matrix.python }}) + strategy: + matrix: + ansible: + # It's important that Sanity is tested against all stable-X.Y branches + # Testing against `devel` may fail as new tests are added. + - stable-2.9 + - stable-2.10 + - devel + python: + - 2.7 + - 3.7 + - 3.8 + runs-on: ubuntu-latest + steps: + + # ansible-test requires the collection to be in a directory in the form + # .../ansible_collections/cyberark/conjur/ + + - name: Check out code + uses: actions/checkout@v2 + with: + path: ansible_collections/cyberark/conjur + + - name: Set up Python ${{ matrix.ansible }} + uses: actions/setup-python@v2 + with: + python-version: ${{ matrix.python }} + + # Install the head of the given branch (devel, stable-2.10) + - name: Install ansible-base (${{ matrix.ansible }}) + run: pip install https://github.com/ansible/ansible/archive/${{ matrix.ansible }}.tar.gz --disable-pip-version-check + + # run ansible-test sanity inside of Docker. + # The docker container has all the pinned dependencies that are required. + # Explicity specify the version of Python we want to test + - name: Run sanity tests + run: ansible-test sanity --docker -v --color --python ${{ matrix.python }} + working-directory: ./ansible_collections/cyberark/conjur diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/.gitignore b/collections-debian-merged/ansible_collections/cyberark/conjur/.gitignore new file mode 100644 index 00000000..1680be61 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/.gitignore @@ -0,0 +1,26 @@ +# System directories files +.DS_Store +.idea/ + +# Test output +tests/*/junit/ +tests/*/conjur.pem +tests/*/access_token +**/test-files/output +junit + +# Pycache directories and files +**/__pycache__/ +.pytest_cache +*.pyc + +# Distributable directories files +*.tar.gz +vendor/ + +# Temporary files +*.log +.cache +*.retry +*.tmp +conjur.pem diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/CHANGELOG.md b/collections-debian-merged/ansible_collections/cyberark/conjur/CHANGELOG.md new file mode 100644 index 00000000..717dff8f --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/CHANGELOG.md @@ -0,0 +1,67 @@ +# Changelog +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## [Unreleased] + +## [1.1.0] - 2020-12-29 + +### Added +- The [Conjur Ansible role](https://galaxy.ansible.com/cyberark/conjur-host-identity) has been + migrated to this collection, where it will be maintained moving forward. + At current, the role in the collection is aligned with the v0.3.2 release of + the standalone role. + [cyberark/ansible-conjur-host-identity#30](https://github.com/cyberark/ansible-conjur-host-identity/issues/30) +- Add `as_file` boolean option to the lookup plugin which stores the secret as + a temporary file and returns its path. This enables users to use the + `ansible_ssh_private_key_file` parameter to define an SSH private key using a + variable stored in Conjur; previously, users couldn't set this parameter via + a direct call to the lookup plugin because the parameter does not accept + inline SSH keys, and the lookup plugin could only return a string. + [cyberark/ansible-conjur-collection#52](https://github.com/cyberark/ansible-conjur-collection/issues/52), + [Cyberark Commons post #1070](https://discuss.cyberarkcommons.org/t/conjur-ansible-lookup-plugin-and-ssh-key-file/1070) + +## [1.0.7] - 2020-08-20 + +### Changed +- Various improvements to code quality, documentation, and adherence to Ansible standards + in preparation for including this collection in the release of Ansible 2.10. + [cyberark/ansible-conjur-collection#30](https://github.com/cyberark/ansible-conjur-collection/issues/30) + +## [1.0.6] - 2020-07-01 + +### Added +- Plugin supports authenticating with Conjur access token (for example, if provided by authn-k8s). + [cyberark/ansible-conjur-collection#23](https://github.com/cyberark/ansible-conjur-collection/issues/23) + +## [1.0.5] - 2020-06-18 + +### Added +- Plugin supports validation of self-signed certificates provided in `CONJUR_CERT_FILE` + or Conjur config file + ([cyberark/ansible-conjur-collection#4](https://github.com/cyberark/ansible-conjur-collection/issues/4)) + +### Fixed +- Encode spaces to "%20" instead of "+". This encoding fixes an issue where Conjur + variables that have spaces were not encoded correctly + ([cyberark/ansible-conjur-collection#12](https://github.com/cyberark/ansible-conjur-collection/issues/12)) +- Allow users to set `validate_certs` to `false` without setting a value to `cert_file` + ([cyberark/ansible-conjur-collection#13](https://github.com/cyberark/ansible-conjur-collection/issues/13)) + +## [1.0.3] - 2020-04-18 +### Changed +- Updated documentation section to comply with sanity checks + +## [1.0.2] - 2020-04-01 +### Added +- Migrated code from Ansible conjur_variable lookup plugin +- Added support to configure the use of the plugin via environment variables + +[Unreleased]: https://github.com/cyberark/ansible-conjur-collection/compare/v1.1.0...HEAD +[1.1.0]: https://github.com/cyberark/ansible-conjur-collection/compare/v1.0.7...v1.1.0 +[1.0.7]: https://github.com/cyberark/ansible-conjur-collection/compare/v1.0.6...v1.0.7 +[1.0.6]: https://github.com/cyberark/ansible-conjur-collection/compare/v1.0.5...v1.0.6 +[1.0.5]: https://github.com/cyberark/ansible-conjur-collection/compare/v1.0.3...v1.0.5 +[1.0.3]: https://github.com/cyberark/ansible-conjur-collection/compare/v1.0.2...v1.0.3 diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/CONTRIBUTING.md b/collections-debian-merged/ansible_collections/cyberark/conjur/CONTRIBUTING.md new file mode 100644 index 00000000..ed6ff9c8 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/CONTRIBUTING.md @@ -0,0 +1,36 @@ +# Contributing to the Ansible Conjur Collection + +For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community). + +## Releasing + +From a clean instance of master, perform the following actions to release a new version +of this plugin: + +- Update the version number in [`galaxy.yml`](galaxy.yml) and [`CHANGELOG.md`](CHANGELOG.md) + - Verify that all changes for this version in `CHANGELOG.md` are clear and accurate, + and are followed by a link to their respective issue + - Create a PR with these changes + +- Create an annotated tag with the new version, formatted as `v##.##.##` + - This will kick off an automated script which publish the release to + [Ansible Galaxy](https://galaxy.ansible.com/cyberark/conjur) + +- Create the release on GitHub for that tag + - Build the release package with `./ci/build_release` + - Attach package to Github Release + +## Testing + +To run a specific set of tests: + +```sh-session +$ cd tests +$ ./test.sh -d <role or plugin name> +``` +To run all tests: + +```sh-session +$ cd tests +$ ./test.sh -a +``` diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/FILES.json b/collections-debian-merged/ansible_collections/cyberark/conjur/FILES.json new file mode 100644 index 00000000..d8349536 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/FILES.json @@ -0,0 +1,1258 @@ +{ + "files": [ + { + "name": ".", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": ".codeclimate.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "6e0a09af4e5f5f6fe2b16a8a49230170d53f0a495c6405d962be66a15a9774bd", + "format": 1 + }, + { + "name": "secrets.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "de372b010bf7a57b35af4bc901681a75cabe48b2e182d0691ff48d95a9d2b96f", + "format": 1 + }, + { + "name": "requirements.txt", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "0a2f8c8f38472c11f47c93fe7ac69bb6e08b2d09dcc5a2b9fdd7054366822a21", + "format": 1 + }, + { + "name": ".ansible", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": ".ansible/tmp", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": ".ansible/tmp/ansible-local-12vdmk1qb3", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "Jenkinsfile", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "46882f30ff4cb4377d50b7ada34c1cca15157aec50135dfa77e4ba5c617b15e9", + "format": 1 + }, + { + "name": "README.md", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "171b84b9088e409aa13b69e7dca2b7450d1bc5f1983e66bc67d489be0ea51c2d", + "format": 1 + }, + { + "name": "LICENSE", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "e092618211b1d864e3caf325abbd567f997e6ffb98d9fb97188d4fa280334bbe", + "format": 1 + }, + { + "name": "roles", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tasks", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tasks/identity_check.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "d40d6eca7aa1a21330c8de154a9bf45f6e85dec53c109003fc39b0efca958bda", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tasks/identity.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "db1b82fde3c2956ef6489ebe4c5063e2b5ebaf76b1b34487e0df00ec2771feae", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tasks/summon.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "40ad1a387e7f7a0a7c342614d9cdd5cd7ad4334634f4da733929e8e3b0a7ab4f", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tasks/summon-conjur.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "b75ef3c1b8db527e7469e50d3b1f4f13ce09cc17ccec05ec598273f2afb79f34", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tasks/main.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "2d955ed3f044317744adb161772366aa66c9f507db1d03f8390a7e6d118db22c", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/templates", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/templates/conjur.conf.j2", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "a658eba375110e14ba752f82ccbcca9012351ca1c51a18419d870917bd807202", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/templates/conjur.identity.j2", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "e3b53dbe8b97fc87d0c0c168799a14d91862a010bc0472f982587a47326a2312", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/defaults", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/defaults/main.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "c7f30d049a541e0fd98faeb5dcd8d83839e00db1f68ece8b14431630fb779e13", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/README.md", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "a712c1e5c56fb9a3917ebfd4a55109801da9e57dff304d1941aaf2cf2ab471ca", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/meta", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/meta/main.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "0103f8e65603e7da7511224456dacf19c6a0e92c6e6f1fbf152f171d33741f80", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/conjur.pem", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "d2238df71b5b5e41d876f9367069e0f14794a0d3166e39a9f0118e10a2997823", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/inventory.j2", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "f1474fb6e66c0fbcdd6129332de95feab1e1222f64f1be45325f4eac5101614f", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/test_app_ubuntu", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/test_app_ubuntu/Dockerfile", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "f6e73c9954aaee4a902a89efa5539137034027a510cb6c7822483e71575e1032", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/docker-compose.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "f9073b823fac9f808868cf5202523ed1b720ce9c271a76b72bfc28b1001ef513", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/.pytest_cache", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/.pytest_cache/CACHEDIR.TAG", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "ffacb1561d9688b9d9b5e06f3ffa10814a03c2a6f892d7bea3e7fef62599eb23", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/.pytest_cache/README.md", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "27a7071ba39c9ef4054eaf99bc59e3f0aa328a62166f426e6549ef923ade7533", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/.pytest_cache/.gitignore", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "3ed731b65d06150c138e2dadb0be0697550888a6b47eb8c45ecc9adba8b8e9bd", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/.pytest_cache/v", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/.pytest_cache/v/cache", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/.pytest_cache/v/cache/stepwise", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/.pytest_cache/v/cache/nodeids", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "3a25fae04219955c831e9802af43f421189a5c15f192162adfeeb876e161ae41", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/proxy", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/proxy/default.conf", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "2bf362d9b43aac8f3271e92af5d180ab2e5e9621a91bb49d9819f458e89c8e74", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/proxy/ssl.conf", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "0a4a35d53f3dc60c2c4931e50136c580ed1eeb8850c93eea12e0965248990e41", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/ansible.cfg", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "d1238a6cda7d80750780ec3a82e839dc10e3226fe1266dd8dabb110062bac128", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/test.sh", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "f7d9efb3a2dd3d7efa518398c14ad87b936b03f26c4957e49b52c93b2598e90d", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/Dockerfile_nginx", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "513be93943c1c05ff4ea2df90d9e439f41d51059ec4513ce0098f463f0c96822", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/test_app_centos", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/test_app_centos/Dockerfile", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "0de86cd21721bcf47192e1cb659d6edf4b20ac7ebf8ce1b667fc2dec14b4fbdf", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/Dockerfile", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "f16467abb465b0ea3ba5721b40bcd3e86ce0a23841c12af40ee3f97fb79009de", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/junit", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/junit/configure-conjur-identity", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "a9bbe41e8ba30ea99032088aacbd76580bf323d7142f5b6e0749b6a56d97a452", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/inventory-playbook.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "f9e582ce10c1d8f5b329ef6ce86aaaa2fbfa567596dcb8667d1b84bb24f03bcc", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/test_cases", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/test_cases/configure-conjur-identity", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "99993a901e5347bc3d1ec36845c99c977fe2ab5dc6b8fd0f39108eecfc87b719", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "ace9fc981926bf283731dd6cda10438099a4310f5b1bd0cdaef6eb430fe5fcd0", + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/policy", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "roles/conjur_host_identity/tests/policy/root.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "2cf74b90f4eabbb9a9be67afeb2cf63c35b447579cef5b70f6daf270509d4309", + "format": 1 + }, + { + "name": ".gitignore", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "2c5c0c4b8a8232ffc8a871faae14f18b310078bbdc8eedf2acb26a02a3d1918b", + "format": 1 + }, + { + "name": "artifacts", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "CONTRIBUTING.md", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "59072e1b2b6eb6b84c607c17853950ec28d1143ad9f2a4c9a777304ea18e0a93", + "format": 1 + }, + { + "name": "project", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "project/roles", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "project/roles/testrole", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "project/roles/testrole/tasks", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "project/roles/testrole/tasks/main.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "7a33b30bfd69fe1dfdd82707571cf62d1bba351084b962c69f1d14e309fb03ed", + "format": 1 + }, + { + "name": "project/roles/testrole/defaults", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "project/roles/testrole/defaults/main.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "0a56e4059276426bcec45862ed1641f9bc5774fb3b4cfd8232b9e3111805c0bd", + "format": 1 + }, + { + "name": "project/roles/testrole/README.md", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "cc751d75266f757a38189f15d54e548dc87706f14a39756995c27b49eaca8a07", + "format": 1 + }, + { + "name": "project/roles/testrole/meta", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "project/roles/testrole/meta/main.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "8ce2f64193caa9ec870f9b08d90160395aba8209875d843e413ba88773edc3d8", + "format": 1 + }, + { + "name": "project/roles/testrole/handlers", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "project/roles/testrole/handlers/main.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "73e01da9f005bbdf1549972e269f9b0c2e510a6046412dc4cc656d435593b67b", + "format": 1 + }, + { + "name": "project/roles/testrole/tests", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "project/roles/testrole/tests/test.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "6d74c798696ee182b7ae0d9846205ef46f1087b0658bec3fba92276741cd845d", + "format": 1 + }, + { + "name": "project/roles/testrole/tests/inventory", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "e02233819b1a09844410549191813f7cc7ba360f21298578f4ba1727a27d87fc", + "format": 1 + }, + { + "name": "project/roles/testrole/vars", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "project/roles/testrole/vars/main.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "224a46a01f977b443f7b277fc2f46b3479a72d1693472bb31e1f4dd20f669dd9", + "format": 1 + }, + { + "name": "project/test.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "0cb0c4720851d03b4cc9c6fb5051c3ba67299f5faa83f5d87f55d732f53ae53d", + "format": 1 + }, + { + "name": "meta", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "meta/runtime.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "5d87483c5cc5fa8efe932acb8b6d203610070eaecf3eaf89244828331affdc59", + "format": 1 + }, + { + "name": ".github", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": ".github/workflows", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": ".github/workflows/ansible-test.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "7d67ddd07a98504c5f3a09a20c795272625bebe57e390bf062e9f82dcff84b7e", + "format": 1 + }, + { + "name": ".github/ISSUE_TEMPLATE", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": ".github/ISSUE_TEMPLATE/feature_request.md", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "69cf3548236f903c62bb4ad00c45ee875f577703df5ea63f542e20e625775dc5", + "format": 1 + }, + { + "name": ".github/ISSUE_TEMPLATE/bug.md", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "e2f4126397d07c6b61154fc38d5e64141c6fb2e1e385cb76938949379e195950", + "format": 1 + }, + { + "name": ".github/PULL_REQUEST_TEMPLATE.md", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "1cfe9419ea0808d8a2759b1c9604bd82a6e2621186c97b2aaf9a6c355a94af87", + "format": 1 + }, + { + "name": ".github/CODEOWNERS", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "f1dee7b6ae693cebe88547d034b17710489e515c3def06dad75252c8b19bfc51", + "format": 1 + }, + { + "name": "inventory", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "inventory/hosts", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "d906aecb61d076a967d9ffe8821c7b04b063f72df9d9e35b33ef36b1c0d98f16", + "format": 1 + }, + { + "name": "ci", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "ci/build_release", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "3aa4d402ae61bf1816aa7b5601eea0d4a0cdafaf1d38c75a526329e1b4478a9a", + "format": 1 + }, + { + "name": "ci/test.sh", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "3fd542c8bbce32b6e28f49c100a9f82e471cf12e515c6731e9e54c2adaac1017", + "format": 1 + }, + { + "name": "ci/publish_to_galaxy", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "16cd4ced83c286484efb4d5854ccbe5d080d1ee14596dea206e5d30f4d20f2d3", + "format": 1 + }, + { + "name": "ci/parse-changelog.sh", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "21337ea8fac801781f8299af7e0cb7818fbc851bab26cbfff6224a0e5cf8dbb8", + "format": 1 + }, + { + "name": "SECURITY.md", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "1e913fcef04d2f2652839b896dd875dd3268b67d4669105e0e4b1a0249ef843a", + "format": 1 + }, + { + "name": "CHANGELOG.md", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "7beca6d84bf153992a0d144f6a47a80af1e3a6ae3d01121ad7f430536e0863f7", + "format": 1 + }, + { + "name": "tests", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/sanity", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/sanity/ignore-2.9.txt", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "19b8d010359e5fcc0778bc68198c7286b701b294aa2ef810e1813f72ed103525", + "format": 1 + }, + { + "name": "tests/sanity/ignore-2.11.txt", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "9add7c04ae005ba3239be7905dc627cd0bac9f825975b86d5b5a0777ed406f9c", + "format": 1 + }, + { + "name": "tests/sanity/ignore-2.10.txt", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "9add7c04ae005ba3239be7905dc627cd0bac9f825975b86d5b5a0777ed406f9c", + "format": 1 + }, + { + "name": "tests/conjur_variable", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/access_token", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "dd8e367c7c8792d6a00a72c57da6d23b789678e0d0b181ab60eafbbfb2bc29ed", + "format": 1 + }, + { + "name": "tests/conjur_variable/conjur.pem", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "fd9f67b172d39da3b2486eca4cdaaad263d94c83d5381917ad2a62d2005e5853", + "format": 1 + }, + { + "name": "tests/conjur_variable/docker-compose.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "545a210126d982725dae9057d01c271fa6b940c9571c117f1f9f96933ddc4333", + "format": 1 + }, + { + "name": "tests/conjur_variable/.pytest_cache", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/.pytest_cache/CACHEDIR.TAG", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "ffacb1561d9688b9d9b5e06f3ffa10814a03c2a6f892d7bea3e7fef62599eb23", + "format": 1 + }, + { + "name": "tests/conjur_variable/.pytest_cache/README.md", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "27a7071ba39c9ef4054eaf99bc59e3f0aa328a62166f426e6549ef923ade7533", + "format": 1 + }, + { + "name": "tests/conjur_variable/.pytest_cache/.gitignore", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "3ed731b65d06150c138e2dadb0be0697550888a6b47eb8c45ecc9adba8b8e9bd", + "format": 1 + }, + { + "name": "tests/conjur_variable/.pytest_cache/v", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/.pytest_cache/v/cache", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/.pytest_cache/v/cache/stepwise", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945", + "format": 1 + }, + { + "name": "tests/conjur_variable/.pytest_cache/v/cache/nodeids", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "700132eede23255ab5dbb4fe5376c7237dda215526ca3716369e84b5402c7bff", + "format": 1 + }, + { + "name": "tests/conjur_variable/pytest.ini", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "4b8dce177a1820e68b4a821d858669035b849f9c5fbc4cfd6d4718325a7e69c8", + "format": 1 + }, + { + "name": "tests/conjur_variable/proxy", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/proxy/default.conf", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "ffa77f3f6db4da0916c4c666fc6e5582a3584dc302a4852048a0b84c889ab7ea", + "format": 1 + }, + { + "name": "tests/conjur_variable/proxy/ssl.conf", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "11bd8688bb233d0d366f16673a9892bf14aea34aa0d2fe40811ad5ca5028b490", + "format": 1 + }, + { + "name": "tests/conjur_variable/test.sh", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "3815e8ea313a6f6d618f9cbdbe57f28e25cf9bc01aab6ae9a681b1c23a57a38f", + "format": 1 + }, + { + "name": "tests/conjur_variable/Dockerfile_nginx", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "53cbc9253079dd1a19afb896e3839d9bd8b812d9473d769438c44eb10e03858c", + "format": 1 + }, + { + "name": "tests/conjur_variable/Dockerfile", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "ce5335c78cd1844df8f33a461a6bd1745e2f35018eeb957f1b721c056c4ee574", + "format": 1 + }, + { + "name": "tests/conjur_variable/junit", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/junit/retrieve-variable-into-file", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "7c2521dbc9dfd4b95893389e8bdbcd7b3ae0c618b641fbb6a864ce28718fa4f1", + "format": 1 + }, + { + "name": "tests/conjur_variable/junit/retrieve-variable-bad-certs", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "68f9b7b0ba96c9ac8872d72d89dbcdd3c9f454365f60192cf57c5ffe00fc3352", + "format": 1 + }, + { + "name": "tests/conjur_variable/junit/retrieve-variable-no-cert-provided", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "ff9841eb90b230a31d3302f3b1037fde2d0f5e2060def5831b611bd88afe79c1", + "format": 1 + }, + { + "name": "tests/conjur_variable/junit/retrieve-variable-with-authn-token", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "a3ff870b6e8565f67404f0eb1dc13f6dbc46287bbcfc455d4a48b6219fc14f4d", + "format": 1 + }, + { + "name": "tests/conjur_variable/junit/retrieve-variable-with-spaces-secret", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "f1d09b907b6983ad8f07145142fa16493e894d9f7de2c2ffd81db0a11688f4b4", + "format": 1 + }, + { + "name": "tests/conjur_variable/junit/retrieve-variable-bad-cert-path", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "afd8520619962cba91c29133ffc964f1f64899ef412d0be729f4cb6c1d6a56eb", + "format": 1 + }, + { + "name": "tests/conjur_variable/junit/retrieve-variable-disable-verify-certs", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "bc9d6eff6b2e2f5f428e5926f432f28267b00d6c37868aff00616027a09be478", + "format": 1 + }, + { + "name": "tests/conjur_variable/junit/retrieve-variable", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "6a2d3d8af8cf9979d995688a2ed7432f56011fd47891dda9630c7c4424fbdf5c", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-into-file", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-into-file/env", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "e4e591758bdfdbe673f40afd9e81b4ccdd749a484d843b46f63e77d1e33c8108", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-into-file/tests", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-into-file/tests/test_default.py", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "4f2d5283fdca112825067d3981dedca5c79cc0009115df364e78af58117392be", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-into-file/playbook.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "b35ead7d25b79bf07011729173d288accd5a997296f4760373bd51cfeb3e6873", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-bad-certs", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-bad-certs/bad-cert.pem", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "7529afc89345f5dde282fb51014d158769d3fb22ddf20744d093eb8fa820b8d3", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-bad-certs/env", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "e1d90dec2be9f840d4f27dcfd2bf1c67be44c5d801ee57ea45c94ff6895ddf62", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-bad-certs/tests", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-bad-certs/tests/test_default.py", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "ea0f2d7687ae23176814f87bc48be995118374d58b81f8973dd96ad695a09251", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-bad-certs/playbook.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "bb4764e18fcc10f83c16d10cbc4b7eac8c0abd2668f1b158649fc1a0d47df2c8", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/tests", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "ea0f2d7687ae23176814f87bc48be995118374d58b81f8973dd96ad695a09251", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/playbook.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "bb4764e18fcc10f83c16d10cbc4b7eac8c0abd2668f1b158649fc1a0d47df2c8", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-with-authn-token", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/env", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "8fa8ee6b4fb30d49d52e64a5fb70167ac0bdc7d968f18fe53219e1db475fcff9", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/tests", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/tests/test_default.py", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "49f43a9caab7bd57f3cc345dc851fc199a9b0969a412126aa3cbdcd30110252f", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/playbook.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "a57510d743d358c0405b3de73cbae3e5945c492fb8ca64be0d3777f1e4de811e", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/env", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "e4e591758bdfdbe673f40afd9e81b4ccdd749a484d843b46f63e77d1e33c8108", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/tests", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "a13a2625293bdf040422aa91848c088a2f45ad5e17c8ea6f1cffe1c645691036", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/playbook.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "e1a6f8f4cded9369fbf9c6bc55f725cd0aa8da7ff1fba59e91b338511ed20736", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/env", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "9f5febf65f45e537c0666df07ea12f0568f1ee5afa7bc9eef5a36370e6b5dfa4", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/tests", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "ea0f2d7687ae23176814f87bc48be995118374d58b81f8973dd96ad695a09251", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/playbook.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "bb4764e18fcc10f83c16d10cbc4b7eac8c0abd2668f1b158649fc1a0d47df2c8", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/tests", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "49f43a9caab7bd57f3cc345dc851fc199a9b0969a412126aa3cbdcd30110252f", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/playbook.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "d94bc0b090fc07e738c0bfc05b3b6747850b8f06e5e290771d200efeb3044e35", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable/env", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "e4e591758bdfdbe673f40afd9e81b4ccdd749a484d843b46f63e77d1e33c8108", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable/tests", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable/tests/test_default.py", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "49f43a9caab7bd57f3cc345dc851fc199a9b0969a412126aa3cbdcd30110252f", + "format": 1 + }, + { + "name": "tests/conjur_variable/test_cases/retrieve-variable/playbook.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "6bce626301d8259174bfa57b2bc7ff543b267f2f93be4a1a77df69b8cf515801", + "format": 1 + }, + { + "name": "tests/conjur_variable/policy", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/conjur_variable/policy/root.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "a14765439458912cff269b174d8d1630abbc8ff3ce634fb84ef3a3050d36e6dc", + "format": 1 + }, + { + "name": "plugins", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "plugins/lookup", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "plugins/lookup/conjur_variable.py", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "05265eca47f4d78fa3eee46484ac2c45927ace12dded5d46a4d1e606474f223b", + "format": 1 + }, + { + "name": "examples", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "examples/test.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "d3d70d689b2877e0891d0f240cb622d2ddf6416fe691b4abf146bf5400ad949c", + "format": 1 + } + ], + "format": 1 +}
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/Jenkinsfile b/collections-debian-merged/ansible_collections/cyberark/conjur/Jenkinsfile new file mode 100644 index 00000000..3dc2f497 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/Jenkinsfile @@ -0,0 +1,69 @@ +#!/usr/bin/env groovy + +pipeline { + agent { label 'executor-v2' } + + options { + timestamps() + buildDiscarder(logRotator(numToKeepStr: '30')) + } + + stages { + + stage('Validate') { + parallel { + stage('Changelog') { + steps { sh './ci/parse-changelog.sh' } + } + } + } + + stage('Run tests') { + parallel { + stage("Test conjur_variable lookup plugin") { + steps { + sh './ci/test.sh -d conjur_variable' + junit 'tests/conjur_variable/junit/*' + } + } + + stage("Test conjur_host_identity role") { + steps { + sh './ci/test.sh -d conjur_host_identity' + junit 'roles/conjur_host_identity/tests/junit/*' + } + } + } + } + + stage('Build Release Artifacts') { + when { + anyOf { + branch 'master' + buildingTag() + } + } + + steps { + sh './ci/build_release' + archiveArtifacts 'cyberark-conjur-*.tar.gz' + } + } + + stage('Publish to Ansible Galaxy') { + when { + buildingTag() + } + + steps { + sh 'summon ./ci/publish_to_galaxy' + } + } + } + + post { + always { + cleanupAndNotify(currentBuild.currentResult) + } + } +} diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/LICENSE b/collections-debian-merged/ansible_collections/cyberark/conjur/LICENSE new file mode 100644 index 00000000..af8afbaf --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright (c) 2020 CyberArk Software Ltd. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/MANIFEST.json b/collections-debian-merged/ansible_collections/cyberark/conjur/MANIFEST.json new file mode 100644 index 00000000..2a4fc68e --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/MANIFEST.json @@ -0,0 +1,43 @@ +{ + "collection_info": { + "namespace": "cyberark", + "name": "conjur", + "version": "1.1.0", + "authors": [ + "CyberArk Business Development (@cyberark-bizdev)", + "CyberArk Community and Integrations Team (@cyberark/community-and-integrations-team)" + ], + "readme": "README.md", + "tags": [ + "cyberark", + "conjur", + "access", + "security", + "account", + "vault", + "identity", + "credential", + "secret", + "privileged", + "devops" + ], + "description": "This is a Collection of the CyberArk Conjur/DAP toolkit.", + "license": [ + "Apache-2.0" + ], + "license_file": null, + "dependencies": {}, + "repository": "https://github.com/cyberark/ansible-conjur-collection", + "documentation": null, + "homepage": null, + "issues": null + }, + "file_manifest_file": { + "name": "FILES.json", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "1a55b370f72fa3ed7380f13e6da89b22dbbfdd86a37256165f73cdc0c1ac0a99", + "format": 1 + }, + "format": 1 +}
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/README.md b/collections-debian-merged/ansible_collections/cyberark/conjur/README.md new file mode 100644 index 00000000..ae9219bd --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/README.md @@ -0,0 +1,208 @@ +![](https://img.shields.io/badge/Certification%20Level-Community-28A745?link=https://github.com/cyberark/community/blob/master/Conjur/conventions/certification-levels.md) + +# CyberArk Ansible Conjur Collection + +This collection contains components to be used with CyberArk Conjur & DAP (Dynamic Access Provider) +hosted in [Ansible Galaxy](https://galaxy.ansible.com/cyberark/conjur). + +## Table of Contents + +* [Requirements](#requirements) +* [Installation](#installation) +* [Conjur Ansible Role](#conjur-ansible-role) + + [Usage](#usage) + + [Role Variables](#role-variables) + + [Example Playbook](#example-playbook) + + [Summon & Service Managers](#summon---service-managers) + + [Recommendations](#recommendations) +* [Conjur Ansible Lookup Plugin](#conjur-ansible-lookup-plugin) + + [Environment variables](#environment-variables) + + [Role Variables](#role-variables-1) + + [Examples](#examples) + - [Retrieve a secret in a Playbook](#retrieve-a-secret-in-a-playbook) + - [Retrieve a private key in an Inventory file](#retrieve-a-private-key-in-an-inventory-file) +* [Contributing](#contributing) +* [License](#license) + +<!-- Table of contents generated with markdown-toc +http://ecotrust-canada.github.io/markdown-toc/ --> + +## Requirements + +- An instance of [CyberArk Conjur Open Source](https://www.conjur.org) v1.x+ or [CyberArk Dynamic + Access + Provider](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Resources/_TopNav/cc_Home.htm) + v10.x+ accessible from the target node +- Ansible >= 2.9 + +## Using ansible-conjur-collection with Conjur OSS + +Are you using this project with [Conjur OSS](https://github.com/cyberark/conjur)? Then we +**strongly** recommend choosing the version of this project to use from the latest [Conjur OSS +suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html). +Conjur maintainers perform additional testing on the suite release versions to ensure +compatibility. When possible, upgrade your Conjur version to match the +[latest suite release](https://docs.conjur.org/Latest/en/Content/ReleaseNotes/ConjurOSS-suite-RN.htm); +when using integrations, choose the latest suite release that matches your Conjur version. For any +questions, please contact us on [Discourse](https://discuss.cyberarkcommons.org/c/conjur/5). + +## Installation + +From terminal, run the following command: +```sh +ansible-galaxy collection install cyberark.conjur +``` + +## Conjur Ansible Role + +This Ansible role provides the ability to grant Conjur machine identity to a host. Based on that +identity, secrets can then be retrieved securely using the [Conjur Lookup +Plugin](#conjur-ansible-lookup-plugin) or using the [Summon](https://github.com/cyberark/summon) +tool (installed on hosts with identities created by this role). + +### Usage + +The Conjur role provides a method to establish the Conjur identity of a remote node with Ansible. +The node can then be granted least-privilege access to retrieve the secrets it needs in a secure +manner. + +### Role Variables + +* `conjur_appliance_url` _(Optional)_: URL of the running Conjur service +* `conjur_account` _(Optional)_: Conjur account name +* `conjur_host_factory_token` _(Optional)_: [Host + Factory](https://developer.conjur.net/reference/services/host_factory/) token for layer + enrollment. This should be specified in the environment on the Ansible controlling host. +* `conjur_host_name` _(Optional)_: Name of the host to be created. +* `conjur_ssl_certificate`: Public SSL certificate of the Conjur endpoint +* `conjur_validate_certs`: Boolean value to indicate if the Conjur endpoint should validate + certificates +* `summon.version`: version of Summon to install. Default is `0.8.2`. +* `summon_conjur.version`: version of Summon-Conjur provider to install. Default is `0.5.3`. + +The variables marked with _`(Optional)`_ are not required fields. All other variables are required +for running with an HTTPS Conjur endpoint. + +### Example Playbook + +Configure a remote node with a Conjur identity and Summon: +```yml +- hosts: servers + roles: + - role: cyberark.conjur.conjur-host-identity + conjur_appliance_url: 'https://conjur.myorg.com', + conjur_account: 'myorg', + conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}", + conjur_host_name: "{{ inventory_hostname }}" + conjur_ssl_certificate: "{{ lookup('file', '/path/to/conjur.pem') }}" + conjur_validate_certs: yes +``` + +This example: +- Registers the host `{{ inventory_hostname }}` with Conjur, adding it into the Conjur policy layer + defined for the provided host factory token. +- Installs Summon with the Summon Conjur provider for secret retrieval from Conjur. + +### Summon & Service Managers + +With Summon installed, using Conjur with a Service Manager (like systemd) becomes a snap. Here's a +simple example of a `systemd` file connecting to Conjur: + +```ini +[Unit] +Description=DemoApp +After=network-online.target + +[Service] +User=DemoUser +#Environment=CONJUR_MAJOR_VERSION=4 +ExecStart=/usr/local/bin/summon --yaml 'DB_PASSWORD: !var staging/demoapp/database/password' /usr/local/bin/myapp +``` + +> Note: When connecting to Conjur 4 (Conjur Enterprise), Summon requires the environment variable +`CONJUR_MAJOR_VERSION` set to `4`. You can provide it by uncommenting the relevant line above. + +The above example uses Summon to retrieve the password stored in `staging/myapp/database/password`, +set it to an environment variable `DB_PASSWORD`, and provide it to the demo application process. +Using Summon, the secret is kept off disk. If the service is restarted, Summon retrieves the +password as the application is started. + +### Recommendations + +- Add `no_log: true` to each play that uses sensitive data, otherwise that data can be printed to + the logs. + +- Set the Ansible files to minimum permissions. Ansible uses the permissions of the user that runs + it. + +## Conjur Ansible Lookup Plugin + +Fetch credentials from CyberArk Conjur using the controlling host's Conjur identity or environment +variables. + +The controlling host running Ansible must have a Conjur identity, provided for example by the +[ConjurAnsible role](#conjur-ansible-role). + +### Environment variables + +The following environment variables will be used by the lookup plugin to authenticate with the +Conjur host, if they are present on the system running the lookup plugin. + +- `CONJUR_ACCOUNT` : The Conjur account name +- `CONJUR_APPLIANCE_URL` : URL of the running Conjur service +- `CONJUR_CERT_FILE` : Path to the Conjur certificate file +- `CONJUR_AUTHN_LOGIN` : A valid Conjur host username +- `CONJUR_AUTHN_API_KEY` : The api key that corresponds to the Conjur host username +- `CONJUR_AUTHN_TOKEN_FILE` : Path to a file containing a valid Conjur auth token + +### Role Variables + +None. + +### Examples + +#### Retrieve a secret in a Playbook + +```yaml +--- +- hosts: localhost + tasks: + - name: Lookup variable in Conjur + debug: + msg: "{{ lookup('cyberark.conjur.conjur_variable', '/path/to/secret') }}" +``` + +#### Retrieve a private key in an Inventory file + +```yaml +--- +ansible_host: <host> +ansible_ssh_private_key_file: "{{ lookup('cyberark.conjur.conjur_variable', 'path/to/secret-id', as_file=True) }}" +``` + +**Note:** Using the `as_file=True` condition, the private key is stored in a temporary file and its path is written +in `ansible_ssh_private_key_file`. + +## Contributing + +We welcome contributions of all kinds to this repository. For instructions on how to get started and +descriptions of our development workflows, please see our [contributing guide][contrib]. + +[contrib]: https://github.com/cyberark/ansible-conjur-collection/blob/master/CONTRIBUTING.md + +## License + +Copyright (c) 2020 CyberArk Software Ltd. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not use +this file except in compliance with the License. You may obtain a copy of the +License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software distributed under the License is +distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +implied. See the License for the specific language governing permissions and limitations under the +License. + +For the full license text see [`LICENSE`](LICENSE). diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/SECURITY.md b/collections-debian-merged/ansible_collections/cyberark/conjur/SECURITY.md new file mode 100644 index 00000000..5315a395 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/SECURITY.md @@ -0,0 +1,42 @@ +# Security Policies and Procedures + +This document outlines security procedures and general policies for the CyberArk Conjur +suite of tools and products. + + * [Reporting a Bug](#reporting-a-bug) + * [Disclosure Policy](#disclosure-policy) + * [Comments on this Policy](#comments-on-this-policy) + +## Reporting a Bug + +The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously. +Thank you for improving the security of the Conjur suite. We appreciate your efforts and +responsible disclosure and will make every effort to acknowledge your +contributions. + +Report security bugs by emailing the lead maintainers at security@conjur.org. + +The maintainers will acknowledge your email within 2 business days. Subsequently, we will +send a more detailed response within 2 business days of our acknowledgement indicating +the next steps in handling your report. After the initial reply to your report, the security +team will endeavor to keep you informed of the progress towards a fix and full +announcement, and may ask for additional information or guidance. + +Report security bugs in third-party modules to the person or team maintaining +the module. + +## Disclosure Policy + +When the security team receives a security bug report, they will assign it to a +primary handler. This person will coordinate the fix and release process, +involving the following steps: + + * Confirm the problem and determine the affected versions. + * Audit code to find any potential similar problems. + * Prepare fixes for all releases still under maintenance. These fixes will be + released as fast as possible. + +## Comments on this Policy + +If you have suggestions on how this process could be improved please submit a +pull request. diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/ci/build_release b/collections-debian-merged/ansible_collections/cyberark/conjur/ci/build_release new file mode 100755 index 00000000..77c09cd3 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/ci/build_release @@ -0,0 +1,12 @@ +#!/bin/bash + +set -euo pipefail + +CURRENT_DIR="$(cd "$(dirname "$BASH_SOURCE")"; pwd)" + +pushd "$CURRENT_DIR/.." >/dev/null + docker run --rm -t \ + -v "$CURRENT_DIR/..:/runner" \ + ansible/ansible-runner \ + ansible-galaxy collection build --force +popd >/dev/null diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/ci/parse-changelog.sh b/collections-debian-merged/ansible_collections/cyberark/conjur/ci/parse-changelog.sh new file mode 100755 index 00000000..be7d8270 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/ci/parse-changelog.sh @@ -0,0 +1,6 @@ +#!/bin/bash -ex + +docker run \ + --rm \ + --volume "${PWD}/CHANGELOG.md":/CHANGELOG.md \ + cyberark/parse-a-changelog
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/ci/publish_to_galaxy b/collections-debian-merged/ansible_collections/cyberark/conjur/ci/publish_to_galaxy new file mode 100755 index 00000000..43ef7733 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/ci/publish_to_galaxy @@ -0,0 +1,15 @@ +#!/bin/bash + +set -euo pipefail + +# Strip the 'v' from the Tag Name +TAG=${TAG_NAME//"v"} + +CURRENT_DIR="$(cd "$(dirname "$BASH_SOURCE")"; pwd)" + +pushd "$CURRENT_DIR/.." >/dev/null + docker run --rm -t \ + -v "$CURRENT_DIR/..:/runner" \ + ansible/ansible-runner \ + ansible-galaxy collection publish --api-key="${GALAXY_API_KEY}" /runner/cyberark-conjur-${TAG}.tar.gz +popd >/dev/null diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/ci/test.sh b/collections-debian-merged/ansible_collections/cyberark/conjur/ci/test.sh new file mode 100755 index 00000000..c83eb68e --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/ci/test.sh @@ -0,0 +1,90 @@ +#!/bin/bash -x + +# Test runner for Ansible Conjur Collection + +# Test subdirectors containing a `test.sh` file +test_directories=("conjur_variable") + +# Roles containing a test subdirectory +role_directories=("conjur_host_identity") + +# Target directory that can be manually set by passing a value to the `-d` flag +target="" + +# Print usage instructions +function help { + echo "Test runner for Ansible Conjur Collection" + + echo "-a Run all test files in default test directories" + echo "-d <arg> Run test file in given directory. Valid options are: ${test_directories[*]} all" + echo "-h View help and available commands" + exit 1 +} + +# Run a `test.sh` file in a given subdirectory of the top-level `tests` directory +# Expected directory structure is "tests/<plugin>/test.sh" +function run_test { + pushd "${PWD}/tests/${1}" + echo "Running ${1} tests..." + ./test.sh + popd +} + +# Run a `test.sh` file for a given role +# Expected directory structure is "roles/<role>/tests/test.sh" +function run_role_test { + pushd "${PWD}/roles/${1}/tests" + echo "Running ${1} tests..." + ./test.sh + popd +} + +# Handles input to dictate wether all tests should be ran, or just one set +function handle_input { + if [[ ! -z ${target} ]]; then + for test_dir in "${test_directories[@]}"; do + if [[ ${target} == "${test_dir}" ]]; then + run_test ${target} + exit 0 + fi + done + for test_dir in "${role_directories[@]}"; do + if [[ ${target} == "${test_dir}" ]]; then + run_role_test ${target} + exit 0 + fi + done + echo "Error: unrecognized test directory given: ${target}" + echo "" + help + else + echo "Running all tests..." + for test_dir in "${test_directories[@]}"; do + run_test "${test_dir}" + done + for test_dir in "${role_directories[@]}"; do + run_role_test "${test_dir}" + done + exit 0 + fi +} + +# Exit if no input given +if [[ $# -eq 0 ]] ; then + echo "Error: No test directory or flag given" + echo "" + help +fi + +while getopts ahd: option; do + case "$option" in + a) handle_input + ;; + d) target=${OPTARG} + handle_input + ;; + h) help + ;; + esac +done + diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/examples/test.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/examples/test.yml new file mode 100644 index 00000000..c9afa1bf --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/examples/test.yml @@ -0,0 +1,13 @@ +--- + - hosts: localhost + + tasks: + + - name: Lookup variable in Conjur + debug: + msg: "{{ lookup('cyberark.conjur.conjur_variable', '/path/to/secret') }}" + + - name: Lookup variable in Conjur to not validate certs (in case of self-signed) + debug: + msg: "{{ lookup('cyberark.conjur.conjur_variable', '/path/to/secret', validate_certs=false) }}" +
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/inventory/hosts b/collections-debian-merged/ansible_collections/cyberark/conjur/inventory/hosts new file mode 100644 index 00000000..2fbb50c4 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/inventory/hosts @@ -0,0 +1 @@ +localhost diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/meta/runtime.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/meta/runtime.yml new file mode 100644 index 00000000..58bc8578 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/meta/runtime.yml @@ -0,0 +1,2 @@ +--- + requires_ansible: '>=2.9' diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/plugins/lookup/conjur_variable.py b/collections-debian-merged/ansible_collections/cyberark/conjur/plugins/lookup/conjur_variable.py new file mode 100644 index 00000000..6b29e3d9 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/plugins/lookup/conjur_variable.py @@ -0,0 +1,317 @@ +# (c) 2020 CyberArk Software Ltd. All rights reserved. +# (c) 2018 Ansible Project +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + +DOCUMENTATION = """ + lookup: conjur_variable + version_added: "2.5" + short_description: Fetch credentials from CyberArk Conjur. + author: + - CyberArk BizDev (@cyberark-bizdev) + - CyberArk Community and Integrations Team (@cyberark/community-and-integrations-team) + description: + Retrieves credentials from Conjur using the controlling host's Conjur identity + or environment variables. + Environment variables could be CONJUR_ACCOUNT, CONJUR_APPLIANCE_URL, CONJUR_CERT_FILE, CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY, CONJUR_AUTHN_TOKEN_FILE + Conjur info - U(https://www.conjur.org/). + requirements: + - 'The controlling host running Ansible has a Conjur identity. + (More: U(https://docs.conjur.org/latest/en/Content/Get%20Started/key_concepts/machine_identity.html))' + options: + _terms: + description: Variable path + required: True + validate_certs: + description: Flag to control SSL certificate validation + type: boolean + default: True + as_file: + description: > + Store lookup result in a temporary file and returns the file path. Thus allowing it to be consumed as an ansible file parameter + (eg ansible_ssh_private_key_file). + type: boolean + default: False + identity_file: + description: Path to the Conjur identity file. The identity file follows the netrc file format convention. + type: path + default: /etc/conjur.identity + required: False + ini: + - section: conjur, + key: identity_file_path + env: + - name: CONJUR_IDENTITY_FILE + authn_token_file: + description: Path to the access token file. + type: path + default: /var/run/conjur/access-token + required: False + ini: + - section: conjur, + key: authn_token_file + env: + - name: CONJUR_AUTHN_TOKEN_FILE + config_file: + description: Path to the Conjur configuration file. The configuration file is a YAML file. + type: path + default: /etc/conjur.conf + required: False + ini: + - section: conjur, + key: config_file_path + env: + - name: CONJUR_CONFIG_FILE +""" + +EXAMPLES = """ +--- + - hosts: localhost + collections: + - cyberark.conjur + tasks: + - name: Lookup variable in Conjur + debug: + msg: "{{ lookup('cyberark.conjur.conjur_variable', '/path/to/secret') }}" +""" + +RETURN = """ + _raw: + description: + - Value stored in Conjur. +""" + +import os.path +from ansible.errors import AnsibleError +from ansible.plugins.lookup import LookupBase +from base64 import b64encode +from netrc import netrc +from os import environ +from time import time +from ansible.module_utils.six.moves.urllib.parse import quote +from stat import S_IRUSR, S_IWUSR +from tempfile import gettempdir, NamedTemporaryFile +import yaml + +from ansible.module_utils.urls import open_url +from ansible.utils.display import Display +import ssl + +display = Display() + + +# Load configuration and return as dictionary if file is present on file system +def _load_conf_from_file(conf_path): + display.vvv('conf file: {0}'.format(conf_path)) + + if not os.path.exists(conf_path): + return {} + # raise AnsibleError('Conjur configuration file `{0}` was not found on the controlling host' + # .format(conf_path)) + + display.vvvv('Loading configuration from: {0}'.format(conf_path)) + with open(conf_path) as f: + config = yaml.safe_load(f.read()) + return config + + +# Load identity and return as dictionary if file is present on file system +def _load_identity_from_file(identity_path, appliance_url): + display.vvvv('identity file: {0}'.format(identity_path)) + + if not os.path.exists(identity_path): + return {} + # raise AnsibleError('Conjur identity file `{0}` was not found on the controlling host' + # .format(identity_path)) + + display.vvvv('Loading identity from: {0} for {1}'.format(identity_path, appliance_url)) + + conjur_authn_url = '{0}/authn'.format(appliance_url) + identity = netrc(identity_path) + + if identity.authenticators(conjur_authn_url) is None: + raise AnsibleError('The netrc file on the controlling host does not contain an entry for: {0}' + .format(conjur_authn_url)) + + id, account, api_key = identity.authenticators(conjur_authn_url) + if not id or not api_key: + return {} + + return {'id': id, 'api_key': api_key} + + +# Merge multiple dictionaries by using dict.update mechanism +def _merge_dictionaries(*arg): + ret = {} + for item in arg: + ret.update(item) + return ret + + +# The `quote` method's default value for `safe` is '/' so it doesn't encode slashes +# into "%2F" which is what the Conjur server expects. Thus, we need to use this +# method with no safe characters. We can't use the method `quote_plus` (which encodes +# slashes correctly) because it encodes spaces into the character '+' instead of "%20" +# as expected by the Conjur server +def _encode_str(input_str): + return quote(input_str, safe='') + + +# Use credentials to retrieve temporary authorization token +def _fetch_conjur_token(conjur_url, account, username, api_key, validate_certs, cert_file): + conjur_url = '{0}/authn/{1}/{2}/authenticate'.format(conjur_url, account, _encode_str(username)) + display.vvvv('Authentication request to Conjur at: {0}, with user: {1}'.format( + conjur_url, + _encode_str(username))) + + response = open_url(conjur_url, + data=api_key, + method='POST', + validate_certs=validate_certs, + ca_path=cert_file) + code = response.getcode() + if code != 200: + raise AnsibleError('Failed to authenticate as \'{0}\' (got {1} response)' + .format(username, code)) + + return response.read() + + +# Retrieve Conjur variable using the temporary token +def _fetch_conjur_variable(conjur_variable, token, conjur_url, account, validate_certs, cert_file): + token = b64encode(token) + headers = {'Authorization': 'Token token="{0}"'.format(token.decode("utf-8"))} + + url = '{0}/secrets/{1}/variable/{2}'.format(conjur_url, account, _encode_str(conjur_variable)) + display.vvvv('Conjur Variable URL: {0}'.format(url)) + + response = open_url(url, + headers=headers, + method='GET', + validate_certs=validate_certs, + ca_path=cert_file) + + if response.getcode() == 200: + display.vvvv('Conjur variable {0} was successfully retrieved'.format(conjur_variable)) + value = response.read().decode("utf-8") + return [value] + if response.getcode() == 401: + raise AnsibleError('Conjur request has invalid authorization credentials') + if response.getcode() == 403: + raise AnsibleError('The controlling host\'s Conjur identity does not have authorization to retrieve {0}' + .format(conjur_variable)) + if response.getcode() == 404: + raise AnsibleError('The variable {0} does not exist'.format(conjur_variable)) + + return {} + + +def _default_tmp_path(): + if os.access("/dev/shm", os.W_OK): + return "/dev/shm" + + return gettempdir() + + +def _store_secret_in_file(value): + secrets_file = NamedTemporaryFile(mode='w', dir=_default_tmp_path(), delete=False) + os.chmod(secrets_file.name, S_IRUSR | S_IWUSR) + secrets_file.write(value[0]) + + return [secrets_file.name] + + +class LookupModule(LookupBase): + + def run(self, terms, variables=None, **kwargs): + self.set_options(direct=kwargs) + validate_certs = self.get_option('validate_certs') + conf_file = self.get_option('config_file') + as_file = self.get_option('as_file') + + conf = _merge_dictionaries( + _load_conf_from_file(conf_file), + { + "account": environ.get('CONJUR_ACCOUNT'), + "appliance_url": environ.get("CONJUR_APPLIANCE_URL") + } if ( + environ.get('CONJUR_ACCOUNT') is not None + and environ.get('CONJUR_APPLIANCE_URL') is not None + ) + else {}, + { + "cert_file": environ.get('CONJUR_CERT_FILE') + } if (environ.get('CONJUR_CERT_FILE') is not None) + else {}, + { + "authn_token_file": environ.get('CONJUR_AUTHN_TOKEN_FILE') + } if (environ.get('CONJUR_AUTHN_TOKEN_FILE') is not None) + else {} + ) + + if 'authn_token_file' not in conf: + identity_file = self.get_option('identity_file') + identity = _merge_dictionaries( + _load_identity_from_file(identity_file, conf['appliance_url']), + { + "id": environ.get('CONJUR_AUTHN_LOGIN'), + "api_key": environ.get('CONJUR_AUTHN_API_KEY') + } if (environ.get('CONJUR_AUTHN_LOGIN') is not None + and environ.get('CONJUR_AUTHN_API_KEY') is not None) + else {} + ) + + if 'account' not in conf or 'appliance_url' not in conf: + raise AnsibleError( + ("Configuration file on the controlling host must " + "define `account` and `appliance_url`" + "entries or they should be environment variables") + ) + + if 'id' not in identity or 'api_key' not in identity: + raise AnsibleError( + ("Identity file on the controlling host must contain " + "`login` and `password` entries for Conjur appliance" + " URL or they should be environment variables") + ) + + cert_file = None + if 'cert_file' in conf: + display.vvv("Using cert file path {0}".format(conf['cert_file'])) + cert_file = conf['cert_file'] + + token = None + if 'authn_token_file' not in conf: + token = _fetch_conjur_token( + conf['appliance_url'], + conf['account'], + identity['id'], + identity['api_key'], + validate_certs, + cert_file + ) + else: + if not os.path.exists(conf['authn_token_file']): + raise AnsibleError('Conjur authn token file `{0}` was not found on the host' + .format(conf['authn_token_file'])) + with open(conf['authn_token_file'], 'rb') as f: + token = f.read() + + conjur_variable = _fetch_conjur_variable( + terms[0], + token, + conf['appliance_url'], + conf['account'], + validate_certs, + cert_file + ) + + if as_file: + return _store_secret_in_file(conjur_variable) + + return conjur_variable diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/README.md b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/README.md new file mode 100644 index 00000000..225dd44b --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/defaults/main.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/defaults/main.yml new file mode 100644 index 00000000..2a051be2 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for testrole diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/handlers/main.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/handlers/main.yml new file mode 100644 index 00000000..17131efd --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for testrole diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/meta/main.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/meta/main.yml new file mode 100644 index 00000000..ba43fdd2 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/meta/main.yml @@ -0,0 +1,58 @@ +--- +galaxy_info: + author: your name + description: your description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 1.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + # github_branch: + + # + # platforms is a list of platforms, and each platform has a name and a list of versions. + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/tasks/main.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/tasks/main.yml new file mode 100644 index 00000000..3b588da8 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/tasks/main.yml @@ -0,0 +1,5 @@ +--- +# tasks file for testrole +- name: just print a message to stdout + debug: + msg: "hello from the ansible-runner testrole!" diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/tests/inventory b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/tests/inventory new file mode 100644 index 00000000..878877b0 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/tests/test.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/tests/test.yml new file mode 100644 index 00000000..93c73ccf --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - testrole diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/vars/main.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/vars/main.yml new file mode 100644 index 00000000..7c90db29 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/project/roles/testrole/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for testrole diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/project/test.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/project/test.yml new file mode 100644 index 00000000..904b389f --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/project/test.yml @@ -0,0 +1,4 @@ +--- +- hosts: all + tasks: + - debug: msg="Test!" diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/requirements.txt b/collections-debian-merged/ansible_collections/cyberark/conjur/requirements.txt new file mode 100644 index 00000000..40d19fd8 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/requirements.txt @@ -0,0 +1 @@ +ansible>=2.9 diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/README.md b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/README.md new file mode 100644 index 00000000..138d549d --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/README.md @@ -0,0 +1,8 @@ +# Conjur Ansible Role + +This Ansible role provides the ability to grant Conjur machine identity to a host. +Once a host has an identity created by this role, secrets can be retrieved securely +using the [Summon](https://github.com/cyberark/summon) tool. + +For full usage and installation instructions, please see our +[collection documentation](https://github.com/cyberark/ansible-conjur-collection#installation). diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/defaults/main.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/defaults/main.yml new file mode 100644 index 00000000..d04410d8 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/defaults/main.yml @@ -0,0 +1,6 @@ +summon: + version: 0.8.2 + os: linux-amd64 +summon_conjur: + version: 0.5.3 + os: linux-amd64 diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/meta/main.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/meta/main.yml new file mode 100644 index 00000000..1fc12ef1 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/meta/main.yml @@ -0,0 +1,26 @@ +dependencies: [] + +galaxy_info: + short_description: Grants Conjur machine identity + description: Grants Conjur machine identity to hosts + company: CyberArk + license: Apache + author: + - Cyberark Community and Integrations Team (@cyberark/community-and-integrations-team) + + min_ansible_version: '2.9' + + platforms: + - name: Ubuntu + versions: + - trusty + - xenial + - name: EL + versions: + - 7 + + galaxy_tags: + - identity + - cyberark + - conjur + - security diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/identity.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/identity.yml new file mode 100644 index 00000000..48b2f81e --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/identity.yml @@ -0,0 +1,68 @@ +--- +- name: Create group conjur + group: + name: conjur + state: present + +- block: + - name: Install "ca-certificates" + package: + name: ca-certificates + retries: 10 + delay: 2 + + - name: Place Conjur public SSL certificate + copy: + dest: "{{ conjur_ssl_certificate_path }}" + content: "{{ conjur_ssl_certificate }}" + mode: 0644 + + - name: Symlink Conjur public SSL certificate into /etc/ssl/certs + file: + src: "{{ conjur_ssl_certificate_path }}" + dest: /etc/ssl/certs/conjur.crt + state: link + register: cert_symlink + + - name: Install openssl-perl Package + yum: + name: openssl-perl + when: + ansible_os_family == 'RedHat' + retries: 10 + delay: 2 + + - name: Rehash certs + command: 'c_rehash' + when: cert_symlink.changed + when: ssl_configuration + +- name: Render /etc/conjur.conf + template: + src: templates/conjur.conf.j2 + dest: /etc/conjur.conf + mode: 0644 + +- block: + - name: Request identity from Conjur + uri: + url: "{{ conjur_appliance_url }}/host_factories/hosts" + method: POST + body: "id={{ conjur_host_name }}" + headers: + Authorization: Token token="{{ conjur_host_factory_token }}" + Content-Type: "application/x-www-form-urlencoded" + status_code: 201 + validate_certs: "{{ conjur_validate_certs }}" + register: host_factory_response + retries: 3 + delay: 10 + until: host_factory_response.status == 201 + + - name: Place identity file /etc/conjur.identity + template: + src: templates/conjur.identity.j2 + dest: /etc/conjur.identity + mode: 0640 + group: conjur + when: not conjurized diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/identity_check.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/identity_check.yml new file mode 100644 index 00000000..d0f3bba2 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/identity_check.yml @@ -0,0 +1,49 @@ +--- +- name: Check if /etc/conjur.identity already exists + stat: + path: /etc/conjur.identity + register: identity_file + +- name: Set fact "conjurized" + set_fact: + conjurized: "{{ identity_file.stat.exists|bool }}" + +- name: Ensure all required variables are set + fail: msg="Variable '{{ item }}' is not set!" + when: item is undefined + with_items: + - "{{ conjur_account }}" + - "{{ conjur_appliance_url }}" + - "{{ conjur_host_name }}" + +- name: Set fact "ssl_configuration" + set_fact: + ssl_configuration: "{{ 'https' in conjur_appliance_url }}" + +- block: + - name: Ensure all required ssl variables are set + fail: msg="Variable '{{ item }}' is not set!" + when: item is undefined + with_items: + - "{{ conjur_ssl_certificate }}" + - "{{ conjur_validate_certs }}" + + - name: Set fact "ssl file path" + set_fact: + conjur_ssl_certificate_path: "/etc/conjur.pem" + when: ssl_configuration + +- block: + - name: Set fact "non ssl configuration" + set_fact: + conjur_ssl_certificate_path: "" + conjur_validate_certs: no + when: not ssl_configuration + +- block: + - name: Ensure "conjur_host_factory_token" is set (if node is not already conjurized) + fail: msg="Variable '{{ item }}' is not set!" + when: item is undefined + with_items: + - "{{ conjur_host_factory_token }}" + when: not conjurized diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/main.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/main.yml new file mode 100644 index 00000000..c75a711a --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- include: identity_check.yml # registers variable 'conjurized' +- include: identity.yml +- include: summon.yml +- include: summon-conjur.yml diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/summon-conjur.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/summon-conjur.yml new file mode 100644 index 00000000..2e003cd4 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/summon-conjur.yml @@ -0,0 +1,13 @@ +--- +- name: Create folder for Summon-Conjur to be installed into + file: + path: /usr/local/lib/summon + state: directory + recurse: yes + +- name: Download and unpack Summon-Conjur + unarchive: + src: https://github.com/cyberark/summon-conjur/releases/download/v{{ summon_conjur.version }}/summon-conjur-{{ summon_conjur.os }}.tar.gz + dest: /usr/local/lib/summon + remote_src: yes + creates: /usr/local/lib/summon/summon-conjur diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/summon.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/summon.yml new file mode 100644 index 00000000..98ae0b82 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/summon.yml @@ -0,0 +1,7 @@ +--- +- name: Download and unpack Summon + unarchive: + src: https://github.com/cyberark/summon/releases/download/v{{ summon.version }}/summon-{{ summon.os }}.tar.gz + dest: /usr/local/bin + remote_src: yes + creates: /usr/local/bin/summon diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/templates/conjur.conf.j2 b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/templates/conjur.conf.j2 new file mode 100644 index 00000000..cd1403ce --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/templates/conjur.conf.j2 @@ -0,0 +1,5 @@ +account: {{conjur_account}} +appliance_url: {{conjur_appliance_url}} +cert_file: {{conjur_ssl_certificate_path}} +netrc_path: /etc/conjur.identity +plugins: [] diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/templates/conjur.identity.j2 b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/templates/conjur.identity.j2 new file mode 100644 index 00000000..7bde0ff2 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/templates/conjur.identity.j2 @@ -0,0 +1,3 @@ +machine {{conjur_appliance_url}}/authn + login host/{{conjur_host_name}} + password {{host_factory_response.json.api_key}} diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/.gitignore b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/.gitignore new file mode 100644 index 00000000..bc1a1f61 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/.gitignore @@ -0,0 +1,2 @@ +# Created by pytest automatically. +* diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/CACHEDIR.TAG b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/CACHEDIR.TAG new file mode 100644 index 00000000..381f03a5 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/CACHEDIR.TAG @@ -0,0 +1,4 @@ +Signature: 8a477f597d28d172789f06886806bc55 +# This file is a cache directory tag created by pytest. +# For information about cache directory tags, see: +# http://www.bford.info/cachedir/spec.html diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/README.md b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/README.md new file mode 100644 index 00000000..1863c83c --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/README.md @@ -0,0 +1,8 @@ +# pytest cache directory # + +This directory contains data from the pytest's cache plugin, +which provides the `--lf` and `--ff` options, as well as the `cache` fixture. + +**Do not** commit this to version control. + +See [the docs](https://docs.pytest.org/en/stable/cache.html) for more information. diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/v/cache/nodeids b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/v/cache/nodeids new file mode 100644 index 00000000..db4e5500 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/v/cache/nodeids @@ -0,0 +1,14 @@ +[ + "test_cases/configure-conjur-identity/tests/test_default.py::test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_centos_1]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_centos_2]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_ubuntu_1]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_ubuntu_2]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_centos_1]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_centos_2]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_ubuntu_1]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_ubuntu_2]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_centos_1]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_centos_2]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_ubuntu_1]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_ubuntu_2]" +]
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/v/cache/stepwise b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/v/cache/stepwise new file mode 100644 index 00000000..0637a088 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/v/cache/stepwise @@ -0,0 +1 @@ +[]
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/Dockerfile b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/Dockerfile new file mode 100644 index 00000000..49129da5 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/Dockerfile @@ -0,0 +1,24 @@ +FROM ubuntu:18.04 + +RUN apt-get update && apt-get install -y \ + apt-transport-https \ + ca-certificates \ + curl \ + software-properties-common \ + python3-pip + +RUN pip3 install pytest pytest-testinfra ansible && mkdir -p /conjurinc/ + +RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - +RUN add-apt-repository \ + "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ + $(lsb_release -cs) \ + stable" +RUN apt-get update && apt-get -y install docker-ce +RUN apt-get update && apt-get install -y gcc build-essential +RUN apt-add-repository -y ppa:brightbox/ruby-ng && apt-get update && apt-get install -y ruby2.4 ruby2.4-dev +RUN gem install conjur-cli + +WORKDIR /conjurinc/ + +CMD ["/bin/sleep", "1d"] diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/Dockerfile_nginx b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/Dockerfile_nginx new file mode 100644 index 00000000..d9f18c7b --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/Dockerfile_nginx @@ -0,0 +1,16 @@ +FROM nginx:1.13.3 + +RUN export DEBIAN_FRONTEND=noninteractive && \ + apt-get update && \ + apt-get install -y iputils-ping procps openssl && \ + rm -rf /var/lib/apt/lists/* + +WORKDIR /etc/nginx/ + +COPY proxy/ssl.conf /etc/ssl/openssl.cnf + +RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ + -config /etc/ssl/openssl.cnf -extensions v3_ca \ + -keyout cert.key -out cert.crt + +COPY proxy/default.conf /etc/nginx/conf.d/default.conf diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/ansible.cfg b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/ansible.cfg new file mode 100644 index 00000000..c3359828 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/ansible.cfg @@ -0,0 +1,7 @@ +[defaults] +host_key_checking = False +error_on_undefined_vars = True +timeout = 60 +inventory = inventory.tmp +roles_path = /conjurinc +remote_tmp = /tmp diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/conjur.pem b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/conjur.pem new file mode 100644 index 00000000..38d2de7c --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/conjur.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDizCCAnOgAwIBAgIJANeI9KhfqjmKMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV +BAYTAklMMQ8wDQYDVQQIDAZJc3JhZWwxDDAKBgNVBAcMA1RMVjENMAsGA1UECgwE +T255eDERMA8GA1UECwwIQ3liZXJBcmsxGzAZBgNVBAMMEmNvbmp1ci1wcm94eS1u +Z2lueDAeFw0yMDEyMjkxNjI2MTJaFw0yMTEyMjkxNjI2MTJaMGsxCzAJBgNVBAYT +AklMMQ8wDQYDVQQIDAZJc3JhZWwxDDAKBgNVBAcMA1RMVjENMAsGA1UECgwET255 +eDERMA8GA1UECwwIQ3liZXJBcmsxGzAZBgNVBAMMEmNvbmp1ci1wcm94eS1uZ2lu +eDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALelK11va7bSvR61V8Qy +wSWbxTqAs8NihyhrBQBNHZrZETRUhnsKrqZ44h82yN0SqDFmCJOmyodaJkNRibEd +yzDx0Hym83uRklqrhjKYZSMr0/fO32IiCL4VwL60p6a3U+Gp/nrZZovI6t1tDhbX +Dl8SpXIuEPOunFCXwXL06QtJj3SleKUUuMo22qbXWwdOrtBwz/iiRJr+OaXPA/hd +OsbbV4n1rfPx7xDyNMgy3/67jI5DHE29gK9CDVvAcu0SAfAp1tPW7u/ni02/Lkg2 +XX8LCRixTkFyzndLX6GbWMrpDms6wtBxPKPh3eSGojMwCOCWIcr7sTBrl8he/8K1 +8dECAwEAAaMyMDAwLgYDVR0RBCcwJYIJbG9jYWxob3N0ghJjb25qdXItcHJveHkt +bmdpbniHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAIHWsbqmFL9panccxSk0lbtr +A4xZBSgy03k4D+KhHmQqKoD3q8M4OeMHvlgoBQSsosrkc3Mc15A0caqnvHnklWSU +nKQkioPasfdxUC3E/114+goD0hX01vNgbJNfCs32w2Pngn+5nxhnQRA1IToh0vJw +Dugl3Lxd21G5bPuOSpr/DhpIbDRdL7cDHtcOZFT2Wj7dry4j8LaZ98p9xcdWNyDt +Pt/Io/4wpvhCeYvuZ9AtK4qdyS3JC+ne0EeKndDxqMRPGIN6j/Wk12yEWrY9LQ/Z +j02jhpWS8A8aC9jpaUvemPVuPKQhONIAWOcRWGwL0VH9Qisj714NWpuFUCU+jQ4= +-----END CERTIFICATE----- diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/docker-compose.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/docker-compose.yml new file mode 100644 index 00000000..7c0422fb --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/docker-compose.yml @@ -0,0 +1,66 @@ +version: '3' +services: + ansible: + build: + context: . + dockerfile: Dockerfile + environment: + CONJUR_APPLIANCE_URL: http://conjur:3000 + CONJUR_ACCOUNT: cucumber + CONJUR_AUTHN_LOGIN: host/ansible/ansible-master + CONJUR_AUTHN_API_KEY: ${ANSIBLE_CONJUR_AUTHN_API_KEY} + CONJUR_CUSTOM_AUTHN_API_KEY: ${CUSTOM_CONJUR_AUTHN_API_KEY} + COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME} + volumes: + - ..:/conjurinc/cyberark.conjur.conjur-host-identity/ + - .:/conjurinc/tests/ + - /var/run/docker.sock:/var/run/docker.sock + pg: + image: postgres:9.3 + + conjur: + image: cyberark/conjur + command: server -a cucumber -p 3000 + environment: + CONJUR_APPLIANCE_URL: http://localhost:3000 + DATABASE_URL: postgres://postgres@pg/postgres + CONJUR_DATA_KEY: "W0BuL8iTr/7QvtjIluJbrb5LDAnmXzmcpxkqihO3dXA=" + networks: + - default + links: + - pg + + conjur_cli: + image: cyberark/conjur-cli:5-latest + entrypoint: [] + command: sleep infinity + environment: + CONJUR_APPLIANCE_URL: http://conjur:3000 + CONJUR_ACCOUNT: cucumber + CONJUR_AUTHN_LOGIN: admin + CONJUR_AUTHN_API_KEY: ${CLI_CONJUR_AUTHN_API_KEY} + volumes: + - ./policy:/policy + links: + - conjur + + test_app_ubuntu: + build: ./test_app_ubuntu + entrypoint: sleep + command: infinity + + test_app_centos: + build: ./test_app_centos + entrypoint: sleep + command: infinity + + conjur-proxy-nginx: + build: + context: . + dockerfile: Dockerfile_nginx + entrypoint: nginx-debug -g 'daemon off;' + environment: + TERM: xterm + depends_on: + - conjur + - conjur_cli diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory-playbook.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory-playbook.yml new file mode 100644 index 00000000..01d0d1d4 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory-playbook.yml @@ -0,0 +1,6 @@ +--- +- name: Compile inventory template locally + hosts: localhost + tasks: + - name: compile inventory template + template: src=inventory.j2 dest=/conjurinc/tests/inventory.tmp diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory.j2 b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory.j2 new file mode 100644 index 00000000..62d48ef8 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory.j2 @@ -0,0 +1,6 @@ +[testapp] +{{ lookup('env','COMPOSE_PROJECT_NAME') }}_test_app_ubuntu_[1:2] ansible_connection=docker +{{ lookup('env','COMPOSE_PROJECT_NAME') }}_test_app_centos_[1:2] ansible_connection=docker + +[ansible] +{{ lookup('env','COMPOSE_PROJECT_NAME') }}_ansible_1 ansible_connection=docker diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/junit/configure-conjur-identity b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/junit/configure-conjur-identity new file mode 100644 index 00000000..2819f9b9 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/junit/configure-conjur-identity @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite errors="0" failures="0" hostname="861541267f74" name="pytest" skipped="0" tests="12" time="17.686" timestamp="2020-12-29T16:29:00.746008"><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_centos_1]" time="2.283" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_centos_1]" time="1.318" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_centos_1]" time="0.348" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_centos_2]" time="2.261" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_centos_2]" time="1.269" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_centos_2]" time="0.334" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_ubuntu_1]" time="2.253" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_ubuntu_1]" time="1.287" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_ubuntu_1]" time="0.364" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_ubuntu_2]" time="2.264" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_ubuntu_2]" time="1.290" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1102conjurhostidentity_test_app_ubuntu_2]" time="0.355" /></testsuite></testsuites>
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/policy/root.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/policy/root.yml new file mode 100644 index 00000000..0309cf70 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/policy/root.yml @@ -0,0 +1,32 @@ +--- +- !policy + id: ansible + annotations: + description: Policy for Ansible master and remote hosts + body: + + - !host + id: ansible-master + annotations: + description: Host for running Ansible on remote targets + + - !layer &remote_hosts_layer + id: remote_hosts + annotations: + description: Layer for Ansible remote hosts + + - !host-factory + id: ansible-factory + annotations: + description: Factory to create new hosts for ansible + layer: [ *remote_hosts_layer ] + + - !variable + id: target-password + annotations: + description: Password needed by the Ansible remote machine + + - !permit + role: *remote_hosts_layer + privileges: [ execute ] + resources: [ !variable target-password ] diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/proxy/default.conf b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/proxy/default.conf new file mode 100644 index 00000000..db2153a7 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/proxy/default.conf @@ -0,0 +1,33 @@ +server { + listen 80; + return 301 https://conjur$request_uri; +} + +server { + listen 443; + server_name localhost; + ssl_certificate /etc/nginx/cert.crt; + ssl_certificate_key /etc/nginx/cert.key; + + ssl on; + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + ssl_prefer_server_ciphers on; + + access_log /var/log/nginx/access.log; + + location / { + proxy_pass http://conjur:3000; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + +} diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/proxy/ssl.conf b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/proxy/ssl.conf new file mode 100644 index 00000000..e78716b2 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/proxy/ssl.conf @@ -0,0 +1,39 @@ +[req] +default_bits = 2048 +prompt = no +default_md = sha256 +req_extensions = req_ext +distinguished_name = dn +x509_extensions = v3_ca # The extentions to add to the self signed cert +req_extensions = v3_req +x509_extensions = usr_cert + +[ dn ] +C=IL +ST=Israel +L=TLV +O=Onyx +OU=CyberArk +CN=conjur-proxy-nginx + +[ usr_cert ] +basicConstraints=CA:FALSE +nsCertType = client, server, email +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection +nsComment = "OpenSSL Generated Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +[ v3_req ] +extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] +subjectAltName = @alt_names + +[ alt_names ] +DNS.1 = localhost +DNS.2 = conjur-proxy-nginx +IP.1 = 127.0.0.1 diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test.sh b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test.sh new file mode 100755 index 00000000..a0fe08fb --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test.sh @@ -0,0 +1,126 @@ +#!/bin/bash -e +set -x + +function finish { + echo 'Removing test environment' + echo '---' + docker-compose down -v + rm -rf inventory.tmp +} +trap finish EXIT +finish + +# normalises project name by filtering non alphanumeric characters and transforming to lowercase +declare -x COMPOSE_PROJECT_NAME +COMPOSE_PROJECT_NAME=$(echo "${BUILD_TAG:-ansible-plugin-testing}-conjur-host-identity" | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]') + +declare -x ANSIBLE_CONJUR_AUTHN_API_KEY='' +declare -x CLI_CONJUR_AUTHN_API_KEY='' +declare cli_cid='' +declare conjur_cid='' +declare ansible_cid='' + +function api_key_for { + local role_id=$1 + if [ ! -z "$role_id" ] + then + docker exec ${conjur_cid} rails r "print Credentials['${role_id}'].api_key" + else + echo ERROR: api_key_for called with no argument 1>&2 + exit 1 + fi +} + +function hf_token { + docker exec ${cli_cid} conjur hostfactory tokens create \ + --duration-days=5 \ + ansible/ansible-factory | jq -r '.[0].token' +} + +function setup_conjur { + echo "---- setting up conjur ----" + # run policy + docker exec ${cli_cid} conjur policy load root /policy/root.yml + + # set secret values + docker exec ${cli_cid} bash -c ' + conjur variable values add ansible/target-password target_secret_password + ' +} + +function run_test_cases { + for test_case in test_cases/*; do + teardown_and_setup + run_test_case "$(basename -- "$test_case")" + done +} + +function run_test_case { + echo "---- testing ${test_case} ----" + local test_case=$1 + if [ ! -z "$test_case" ] + then + docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -c " + cd tests + ansible-playbook test_cases/${test_case}/playbook.yml + " + docker exec "${ansible_cid}" bash -c " + cd tests + py.test --junitxml=./junit/${test_case} --connection docker -v test_cases/${test_case}/tests/test_default.py + " + else + echo ERROR: run_test called with no argument 1>&2 + exit 1 + fi +} + +function teardown_and_setup { + docker-compose up -d --force-recreate --scale test_app_ubuntu=2 test_app_ubuntu + docker-compose up -d --force-recreate --scale test_app_centos=2 test_app_centos +} + +function wait_for_server { + # shellcheck disable=SC2016 + docker exec "${cli_cid}" bash -c ' + for i in $( seq 20 ); do + curl -o /dev/null -fs -X OPTIONS ${CONJUR_APPLIANCE_URL} > /dev/null && echo "server is up" && break + echo "." + sleep 2 + done + ' +} + +function fetch_ssl_cert { + (docker-compose exec -T conjur-proxy-nginx cat cert.crt) > conjur.pem +} + +function generate_inventory { + # uses .j2 template to generate inventory prepended with COMPOSE_PROJECT_NAME + docker-compose exec -T ansible bash -c ' + cd tests + ansible-playbook inventory-playbook.yml + ' +} + +function main() { + docker-compose up -d --build + generate_inventory + + conjur_cid=$(docker-compose ps -q conjur) + cli_cid=$(docker-compose ps -q conjur_cli) + fetch_ssl_cert + wait_for_server + + CLI_CONJUR_AUTHN_API_KEY=$(api_key_for 'cucumber:user:admin') + docker-compose up -d conjur_cli + cli_cid=$(docker-compose ps -q conjur_cli) + setup_conjur + + ANSIBLE_CONJUR_AUTHN_API_KEY=$(api_key_for 'cucumber:host:ansible/ansible-master') + docker-compose up -d ansible + ansible_cid=$(docker-compose ps -q ansible) + + run_test_cases +} + +main diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_app_centos/Dockerfile b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_app_centos/Dockerfile new file mode 100644 index 00000000..ee474e7b --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_app_centos/Dockerfile @@ -0,0 +1,4 @@ +FROM centos:7 + +# Install Python so Ansible can run against node +RUN yum update -y && yum install -y python3 diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_app_ubuntu/Dockerfile b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_app_ubuntu/Dockerfile new file mode 100644 index 00000000..414c63f8 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_app_ubuntu/Dockerfile @@ -0,0 +1,4 @@ +FROM ubuntu:16.04 + +# Install Python so Ansible can run against node +RUN apt-get update -y && apt-get install -y python3-minimal diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml new file mode 100644 index 00000000..782091df --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml @@ -0,0 +1,11 @@ +--- +- name: Configuring conjur identity on remote hosts + hosts: testapp + roles: + - role: cyberark.conjur.conjur-host-identity + conjur_account: cucumber + conjur_appliance_url: "https://conjur-proxy-nginx" + conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}" + conjur_host_name: "conjur_{{ ansible_hostname }}" + conjur_ssl_certificate: "{{lookup('file', '../../conjur.pem')}}" + conjur_validate_certs: yes diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py new file mode 100644 index 00000000..245c1711 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py @@ -0,0 +1,33 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + '/conjurinc/tests/inventory.tmp').get_hosts('testapp') + + +def test_hosts_file(host): + f = host.file('/etc/hosts') + + assert f.exists + assert f.user == 'root' + assert f.group == 'root' + + +def test_is_conjurized(host): + identity_file = host.file('/etc/conjur.identity') + + assert identity_file.exists + assert identity_file.user == 'root' + + conf_file = host.file('/etc/conjur.conf') + + assert conf_file.exists + assert conf_file.user == 'root' + + +def test_retrieve_secret_with_summon(host): + result = host.check_output("summon --yaml 'DB_USERNAME: !var ansible/target-password' bash -c 'printenv DB_USERNAME'", shell=True) + + assert result == "target_secret_password" diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/secrets.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/secrets.yml new file mode 100644 index 00000000..87c9771b --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/secrets.yml @@ -0,0 +1,2 @@ +--- +GALAXY_API_KEY: !var ecosystems/ansible/galaxy/api-key diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/.gitignore b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/.gitignore new file mode 100644 index 00000000..bc1a1f61 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/.gitignore @@ -0,0 +1,2 @@ +# Created by pytest automatically. +* diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/CACHEDIR.TAG b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/CACHEDIR.TAG new file mode 100644 index 00000000..381f03a5 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/CACHEDIR.TAG @@ -0,0 +1,4 @@ +Signature: 8a477f597d28d172789f06886806bc55 +# This file is a cache directory tag created by pytest. +# For information about cache directory tags, see: +# http://www.bford.info/cachedir/spec.html diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/README.md b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/README.md new file mode 100644 index 00000000..1863c83c --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/README.md @@ -0,0 +1,8 @@ +# pytest cache directory # + +This directory contains data from the pytest's cache plugin, +which provides the `--lf` and `--ff` options, as well as the `cache` fixture. + +**Do not** commit this to version control. + +See [the docs](https://docs.pytest.org/en/stable/cache.html) for more information. diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/nodeids b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/nodeids new file mode 100644 index 00000000..f7a2e86b --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/nodeids @@ -0,0 +1,10 @@ +[ + "test_cases/retrieve-variable-bad-cert-path/tests/test_default.py::test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]", + "test_cases/retrieve-variable-bad-certs/tests/test_default.py::test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]", + "test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]", + "test_cases/retrieve-variable-into-file/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]", + "test_cases/retrieve-variable-no-cert-provided/tests/test_default.py::test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]", + "test_cases/retrieve-variable-with-authn-token/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]", + "test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]", + "test_cases/retrieve-variable/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]" +]
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/stepwise b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/stepwise new file mode 100644 index 00000000..0637a088 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/stepwise @@ -0,0 +1 @@ +[]
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile new file mode 100644 index 00000000..46603117 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile @@ -0,0 +1,34 @@ +FROM ubuntu:latest + +ENV DEBIAN_FRONTEND=noninteractive + +WORKDIR /cyberark + +# install ansible +RUN apt-get update && \ + apt-get install -y ansible + +# install python 3 +RUN apt-get update && \ + apt-get install -y python3-pip && \ + pip3 install --upgrade pip==9.0.3 + +# install ansible and its test tool +RUN pip3 install ansible pytest-testinfra + +# install docker installation requirements +RUN apt-get update && \ + apt-get install -y apt-transport-https \ + ca-certificates \ + curl \ + software-properties-common + +# install docker +RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - +RUN add-apt-repository \ + "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ + $(lsb_release -cs) \ + stable" + +RUN apt-get update && \ + apt-get -y install docker-ce diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile_nginx b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile_nginx new file mode 100644 index 00000000..6f1e2810 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile_nginx @@ -0,0 +1,17 @@ +FROM nginx:1.13.3 + +RUN export DEBIAN_FRONTEND=noninteractive && \ + apt-get update && \ + apt-get install -y iputils-ping \ + procps \ + openssl && \ + rm -rf /var/lib/apt/lists/* + +WORKDIR /etc/nginx/ + +COPY proxy/ssl.conf /etc/ssl/openssl.cnf +COPY proxy/default.conf /etc/nginx/conf.d/default.conf + +RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ + -config /etc/ssl/openssl.cnf -extensions v3_ca \ + -keyout cert.key -out cert.crt diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/access_token b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/access_token new file mode 100644 index 00000000..b9a81951 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/access_token @@ -0,0 +1,5 @@ +{ + "protected": "eyJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiIxZjA1MjEwZDdhNjBmODQ2N2JkNGJjYmU1YzM5MDZiNzNlNjcxOTg4N2M2MmM3MjE4M2MyMmZmMTgyZjMwYzZkIn0=", + "payload": "eyJzdWIiOiJob3N0L2Fuc2libGUvYW5zaWJsZS1tYXN0ZXIiLCJpYXQiOjE2MDkyNTg5MjN9", + "signature": "V2R2Iw_PRd1aC4mzJbwpQ1uYMS1rAFcdzsHo3SGlcUuONSsFE_l8HMebqufPfuAX3Vvx27OeJPtEqRVWcaXyKtG-pwXoWqzaELJ_nkA8E1J5S4in1eMfjnDHjSjVnfmSQMBk1RoOXOo-lLg9KC6nDIezhzkhKSSZExC8zsbjbkjVuwRvffkaj2QNGbTxNHwxlYNfLZC4LPunlac5kfW-vac01vfLBEHqEJz0WH24bCtSdc1h676korD6LQ_61iXBJuoXUZ7UtSZjOGiPPbmzUV_L14PrdBFk2W1G__u57pMqap0QavEt6oZarko8d5tZtv5Zpw15Zxmzgyz8FarZpueOX8K3GCPJZ-CzllCc8mNcK4888un7N_4TSDofYHaG" +} diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/conjur.pem b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/conjur.pem new file mode 100644 index 00000000..3f097efa --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/conjur.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeTCCAmGgAwIBAgIJALhyWAVk4XxYMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNV +BAYTAklMMQ8wDQYDVQQIDAZJc3JhZWwxDDAKBgNVBAcMA1RMVjENMAsGA1UECgwE +T255eDERMA8GA1UECwwIQ3liZXJBcmsxFTATBgNVBAMMDGNvbmp1ci1odHRwczAe +Fw0yMDEyMjkxNjIxMDRaFw0yMTEyMjkxNjIxMDRaMGUxCzAJBgNVBAYTAklMMQ8w +DQYDVQQIDAZJc3JhZWwxDDAKBgNVBAcMA1RMVjENMAsGA1UECgwET255eDERMA8G +A1UECwwIQ3liZXJBcmsxFTATBgNVBAMMDGNvbmp1ci1odHRwczCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAOYTh2U4pUsr0DfAxteLTgcbKSHdaLRB3u3Y +CrBVl2OMdW7T2ZRZqhhqO9oKqISnCnn/m156xOUVZm8lNfJSWiLUgbRTkO4DEF7j +vDTD+EJro2qhCwwRjOepm3ZDFnAon42Pyj62HP+oUcMQrlGfV1ydn13654ul1e4E +j+W0dv+j2Wu770ryl+68/3kjURxIU2nHIvzbSNaAIYp9BuBYOL/r0t+G29Nknyam +OlsXuIHBLugMMA3pZfC6FPWpvVgyibA3EoIk+2GPOiP4B2Gz1+b6AbLRX2N6s39b +4IkOhCiSxCC9U5Vo34QpEQ4Xa6MRKEP/P0mcVPuCpnqXAyKUJU0CAwEAAaMsMCow +KAYDVR0RBCEwH4IJbG9jYWxob3N0ggxjb25qdXItaHR0cHOHBH8AAAEwDQYJKoZI +hvcNAQELBQADggEBAJes9kqcRhCYvm1GintGczA96JLTdr4JHZCq2t88NjHiXuta +8MdfNGcQHSOjgv0fDyjWJeKtZm2fO3CRS7y1QxE8RvGgLbkZ3FU5vFldCWMeld4z +DdKeYO8iP97CHWiFW18io6qfWZvPqEsN1f3fkuY60MVbZMng3Hsp90kIMO2DENRg +Ci7Qk58Th1OnGtbJ3wU/Auw23SJbOpmFJx8p64dj9tJpANqFaPeY666dGChNEHWp +FhlcB2Z3Cz9sZp6nrPniLRa9rzbcnvcCzMmu83BRBDZd0anrKhCna7JgVli3iUDh +GB9QelE5gsIWkBlg/i+sVe6zCgro2TNNZcaLy0g= +-----END CERTIFICATE----- diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/docker-compose.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/docker-compose.yml new file mode 100644 index 00000000..0e183757 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/docker-compose.yml @@ -0,0 +1,58 @@ +version: '3' +services: + ansible: + build: + context: . + dockerfile: Dockerfile + entrypoint: sleep + command: infinity + environment: + CONJUR_APPLIANCE_URL: https://conjur-https + CONJUR_ACCOUNT: cucumber + CONJUR_AUTHN_LOGIN: host/ansible/ansible-master + CONJUR_AUTHN_API_KEY: ${ANSIBLE_MASTER_AUTHN_API_KEY} + COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME} + links: + - "conjur_https:conjur-https" + volumes: + - ../../plugins:/root/.ansible/plugins + - ../..:/cyberark + - /var/run/docker.sock:/var/run/docker.sock + + pg: + image: postgres:9.4 + environment: + POSTGRES_HOST_AUTH_METHOD: password + POSTGRES_PASSWORD: StrongPass + + conjur: + image: cyberark/conjur + command: server -a cucumber -p 3000 + environment: + DATABASE_URL: postgres://postgres:StrongPass@pg/postgres + CONJUR_DATA_KEY: "W0BuL8iTr/7QvtjIluJbrb5LDAnmXzmcpxkqihO3dXA=" + depends_on: + - pg + + conjur_https: + hostname: conjur-https + build: + context: . + dockerfile: Dockerfile_nginx + entrypoint: nginx-debug -g 'daemon off;' + environment: + TERM: xterm + depends_on: + - conjur + + conjur_cli: + image: cyberark/conjur-cli:5 + entrypoint: sleep + command: infinity + environment: + CONJUR_APPLIANCE_URL: http://conjur:3000 + CONJUR_ACCOUNT: cucumber + CONJUR_AUTHN_LOGIN: admin + CONJUR_AUTHN_API_KEY: ${CONJUR_ADMIN_AUTHN_API_KEY} + volumes: + - ./policy:/policy diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable new file mode 100644 index 00000000..1c8fe588 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="1.832" timestamp="2020-12-29T16:24:24.892598" hostname="329ba9aa9e28"><testcase classname="test_cases.retrieve-variable.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]" time="1.791" /></testsuite></testsuites>
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-cert-path b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-cert-path new file mode 100644 index 00000000..0dfa7fb8 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-cert-path @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="1.535" timestamp="2020-12-29T16:24:29.832179" hostname="329ba9aa9e28"><testcase classname="test_cases.retrieve-variable-bad-cert-path.tests.test_default" name="test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]" time="1.502" /></testsuite></testsuites>
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-certs b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-certs new file mode 100644 index 00000000..246f2352 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-certs @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="1.482" timestamp="2020-12-29T16:24:34.403838" hostname="329ba9aa9e28"><testcase classname="test_cases.retrieve-variable-bad-certs.tests.test_default" name="test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]" time="1.444" /></testsuite></testsuites>
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-disable-verify-certs b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-disable-verify-certs new file mode 100644 index 00000000..153ca54c --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-disable-verify-certs @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="1.831" timestamp="2020-12-29T16:24:39.482221" hostname="329ba9aa9e28"><testcase classname="test_cases.retrieve-variable-disable-verify-certs.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]" time="1.797" /></testsuite></testsuites>
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-into-file b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-into-file new file mode 100644 index 00000000..c925b286 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-into-file @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="2.886" timestamp="2020-12-29T16:24:45.575908" hostname="329ba9aa9e28"><testcase classname="test_cases.retrieve-variable-into-file.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]" time="2.845" /></testsuite></testsuites>
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-no-cert-provided b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-no-cert-provided new file mode 100644 index 00000000..a9519fdd --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-no-cert-provided @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="1.435" timestamp="2020-12-29T16:24:51.652150" hostname="329ba9aa9e28"><testcase classname="test_cases.retrieve-variable-no-cert-provided.tests.test_default" name="test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]" time="1.395" /></testsuite></testsuites>
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token new file mode 100644 index 00000000..2627f98c --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="1.833" timestamp="2020-12-29T16:24:56.456424" hostname="329ba9aa9e28"><testcase classname="test_cases.retrieve-variable-with-authn-token.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]" time="1.799" /></testsuite></testsuites>
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-spaces-secret b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-spaces-secret new file mode 100644 index 00000000..01767c83 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-spaces-secret @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="1.793" timestamp="2020-12-29T16:25:01.632549" hostname="329ba9aa9e28"><testcase classname="test_cases.retrieve-variable-with-spaces-secret.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1102conjurvariable_ansible_1]" time="1.759" /></testsuite></testsuites>
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/policy/root.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/policy/root.yml new file mode 100644 index 00000000..dbaea73f --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/policy/root.yml @@ -0,0 +1,21 @@ +--- +- !policy + id: ansible + annotations: + description: Policy for Ansible master + body: + + - !host + id: ansible-master + annotations: + description: Host for running Ansible on remote targets + + - &variables + - !variable test-secret + - !variable test-secret-in-file + - !variable var with spaces + + - !permit + role: !host ansible-master + privileges: [ read, execute ] + resource: *variables diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/default.conf b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/default.conf new file mode 100644 index 00000000..578b3c5f --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/default.conf @@ -0,0 +1,29 @@ +server { + listen 80; + return 301 https://conjur$request_uri; +} + +server { + listen 443; + server_name localhost; + ssl_certificate /etc/nginx/cert.crt; + ssl_certificate_key /etc/nginx/cert.key; + + ssl on; + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + ssl_prefer_server_ciphers on; + + access_log /var/log/nginx/access.log; + + location / { + proxy_pass http://conjur:3000; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + +} diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/ssl.conf b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/ssl.conf new file mode 100644 index 00000000..1b11cd75 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/ssl.conf @@ -0,0 +1,39 @@ +[req] +default_bits = 2048 +prompt = no +default_md = sha256 +req_extensions = req_ext +distinguished_name = dn +x509_extensions = v3_ca # The extentions to add to the self signed cert +req_extensions = v3_req +x509_extensions = usr_cert + +[ dn ] +C=IL +ST=Israel +L=TLV +O=Onyx +OU=CyberArk +CN=conjur-https + +[ usr_cert ] +basicConstraints=CA:FALSE +nsCertType = client, server, email +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection +nsComment = "OpenSSL Generated Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +[ v3_req ] +extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] +subjectAltName = @alt_names + +[ alt_names ] +DNS.1 = localhost +DNS.2 = conjur-https +IP.1 = 127.0.0.1 diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/pytest.ini b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/pytest.ini new file mode 100644 index 00000000..fe55d2ed --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/pytest.ini @@ -0,0 +1,2 @@ +[pytest] +junit_family=xunit2 diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test.sh b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test.sh new file mode 100755 index 00000000..3b389e1c --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test.sh @@ -0,0 +1,115 @@ +#!/bin/bash -e + +set -o pipefail + +function cleanup { + echo 'Removing test environment' + echo '---' + docker-compose down -v +} + +trap cleanup EXIT + +cleanup + +# normalises project name by filtering non alphanumeric characters and transforming to lowercase +declare -x COMPOSE_PROJECT_NAME +COMPOSE_PROJECT_NAME=$(echo "${BUILD_TAG:-ansible-plugin-testing}-conjur-variable" | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]') + +declare -x ANSIBLE_MASTER_AUTHN_API_KEY='' +declare -x CONJUR_ADMIN_AUTHN_API_KEY='' +declare -x ANSIBLE_CONJUR_CERT_FILE='' + +function main() { + docker-compose up -d --build conjur \ + conjur_https \ + conjur_cli \ + + echo "Waiting for Conjur server to come up" + wait_for_conjur + + echo "Fetching SSL certs" + fetch_ssl_certs + + echo "Fetching admin API key" + CONJUR_ADMIN_AUTHN_API_KEY=$(docker-compose exec -T conjur conjurctl role retrieve-key cucumber:user:admin) + + echo "Recreating conjur CLI with admin credentials" + docker-compose up -d conjur_cli + + echo "Configuring Conjur via CLI" + setup_conjur + + echo "Fetching Ansible master host credentials" + ANSIBLE_MASTER_AUTHN_API_KEY=$(docker-compose exec -T conjur_cli conjur host rotate_api_key --host ansible/ansible-master) + ANSIBLE_CONJUR_CERT_FILE='/cyberark/tests/conjur.pem' + + echo "Get Access Token" + setup_access_token + + echo "Preparing Ansible for test run" + docker-compose up -d --build ansible + + echo "Running tests" + run_test_cases +} + +function wait_for_conjur { + docker-compose exec -T conjur conjurctl wait -r 30 -p 3000 +} + +function fetch_ssl_certs { + docker-compose exec -T conjur_https cat cert.crt > conjur.pem +} + +function setup_conjur { + docker-compose exec -T conjur_cli bash -c ' + conjur policy load root /policy/root.yml + conjur variable values add ansible/test-secret test_secret_password + conjur variable values add ansible/test-secret-in-file test_secret_in_file_password + conjur variable values add "ansible/var with spaces" var_with_spaces_secret_password + ' +} + +function setup_access_token { + docker-compose exec -T conjur_cli bash -c " + export CONJUR_AUTHN_LOGIN=host/ansible/ansible-master + export CONJUR_AUTHN_API_KEY=\"$ANSIBLE_MASTER_AUTHN_API_KEY\" + conjur authn authenticate + " > access_token +} + + +function run_test_cases { + for test_case in test_cases/*; do + run_test_case "$(basename -- "$test_case")" + done +} + +function run_test_case { + local test_case=$1 + echo "---- testing ${test_case} ----" + + if [ ! -n "$test_case" ]; then + echo ERROR: run_test called with no argument 1>&2 + exit 1 + fi + + docker-compose exec -T ansible bash -exc " + cd tests/conjur_variable + + # If env vars were provided, load them + if [ -e 'test_cases/${test_case}/env' ]; then + . ./test_cases/${test_case}/env + fi + + # You can add -vvvv here for debugging + ansible-playbook 'test_cases/${test_case}/playbook.yml' + + py.test --junitxml='./junit/${test_case}' \ + --connection docker \ + -v 'test_cases/${test_case}/tests/test_default.py' + " +} + +main diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/env b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/env new file mode 100644 index 00000000..07d7632c --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/env @@ -0,0 +1 @@ +export CONJUR_CERT_FILE=./bad/cert/path diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/playbook.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/playbook.yml new file mode 100644 index 00000000..516faec4 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/playbook.yml @@ -0,0 +1,15 @@ +--- +- name: Retrieve Conjur variable fails with bad cert + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable with bad cert + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt + ignore_errors: True diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py new file mode 100644 index 00000000..9818bdcf --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py @@ -0,0 +1,13 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '_ansible_1'] + + +def test_retrieval_failed(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert not secrets_file.exists diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/bad-cert.pem b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/bad-cert.pem new file mode 100644 index 00000000..a3831e0c --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/bad-cert.pem @@ -0,0 +1,41 @@ +-----BEGIN CERTIFICATE----- +MIIDqTCCApGgAwIBAgIQN/xr5EKbXSqdyhGyGBWCizANBgkqhkiG9w0BAQsFADAY +MRYwFAYDVQQDEw1jb25qdXItb3NzLWNhMB4XDTIwMDYxMjIwNTYzOVoXDTIxMDYx +MjIwNTYzOVowGzEZMBcGA1UEAxMQY29uanVyLm15b3JnLmNvbTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAOewPeFNcuLuE1tgpINSm4EajDXC+C6qsPhn +Jf3PhDFCpAEHckx1BVK01kFUdC6FOI6JEuI6pFnV1Tb9+WFYTX6wcGBAy90i+K9u +Xcjqb3sz5O3p6MjKL4xVvT4TxllT8cslNJix8gFrTYSvBFaUqCioGJAgyQyJ4SV+ +Tm/bXu/KdtfJQaLie+J5Xz/28220hC5NYlIjhMg5YgtRB7JjCj5bPe3PYykN5m8i +INWEw20EW+54YKNs5RDFNKzXOqF5h6Mrc/RcE1rbCGNOqveQ43DTFUgS4rVF8T8S +juO+LGfso2w6YvO7pT+ob9GxZytZXQSxrOXe8LpU4jSDS5g0+cECAwEAAaOB6zCB +6DAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC +MAwGA1UdEwEB/wQCMAAwgagGA1UdEQSBoDCBnYIQY29uanVyLm15b3JnLmNvbYIK +Y29uanVyLW9zc4IhY29uanVyLW9zcy50ZXN0LWRlcGxveS1kZWZhdWx0cy0xgiVj +b25qdXItb3NzLnRlc3QtZGVwbG95LWRlZmF1bHRzLTEuc3ZjgjNjb25qdXItb3Nz +LnRlc3QtZGVwbG95LWRlZmF1bHRzLTEuc3ZjLmNsdXN0ZXIubG9jYWwwDQYJKoZI +hvcNAQELBQADggEBAIdtOYlIdnojqVBbHGKPAJS8ZWDUm97W1KajZ6QGy6X7fD66 +tOb0QNhzLwbi4HQsuNR0rpWa48Z/sN1E6V5WlfG8pTrNRjqAc/sdobERMMS+rhtu +RfLu1UbYCRLXYIAQFIQFtGDVNXnuvhkCwDz6PV4rniml24qhnGeL3+8ZkW6m5+8u +XIt4Wq9otR3qj/Jx8eUg9eY/7RKgqCClP5Eg4szO0LaqQNblSR+3OgcGxmdTaJQt +BlXRIH0CPpX+3p3mO4zfKIDRHZ0tueWLqOVRARyx9n9qBbhlpBJnecS19PNUAGVa +10H1XkmpVXdadcV/8vBhjEpeq4cVgguS5oozG7Y= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC/TCCAeWgAwIBAgIRAMUGxDd4cpSs7m9hvzTHoi4wDQYJKoZIhvcNAQELBQAw +GDEWMBQGA1UEAxMNY29uanVyLW9zcy1jYTAeFw0yMDA2MTIyMDU2MzhaFw0yMTA2 +MTIyMDU2MzhaMBgxFjAUBgNVBAMTDWNvbmp1ci1vc3MtY2EwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC111bZxfhVHPerwHXvc+ycgCcI02VtfsrH9Tyk +cmMsbUO6jF5aKBQj4fKSwbOCdXcqYoGwaQHQzOVMCGGruOYrOwfusOg2t2EQ7KIE +KWdP0BpAvASvkKwk/GGfaBqtzy1DvVyl0B8b/4C7tnta21Zs5HFOKo0CE+iX/FUQ +RDjpncE9Zhg2E2f1eCef4D+h2JJLtZPLOUZIUs0IMBPqQiL7iNSfY+e8dy6dRC9v +AhyFLULpK34aPm1DqwX3rHDPoLJl24sZFo8q9UvpCwj3sqVoABagS32yL/8//LvU +DaR4pgwuyd9sWf/CQkT0OHsHup5CH7xbYB0DSdmRJPeb07lHAgMBAAGjQjBAMA4G +A1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYD +VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANrAiuLkZGmSQlURpWtvm +PgfPFPKPt1PAqjNwWhzMjHZg2P3UNBUTLeUdo52yJai6/iajlYTRPVvNUqiVnTay +/X9LwWH5EXTKCHagfQh4fYtTSFa12BUBlSP7at3S25pMDOpylb3CxdGe/Oh8S0HZ +gu7MMayFhcGCSJnT+F+JIqwnWkbWPYgHn0VCbBXN+5s7GJWFWwZljQzMCIa/xvwr +xuSX6Lsgai1Abqo1pDJA8RNyxMtn5V8RHgwjQ/BdeodptqZc/kULVDOZ0dkAKxyH +UYfqxxk4Ywc2JSSJYRs/RJpjngGnnLIOHgnruEIDtdOHw2yxAJZ/e7p8y9ThSxRo +5Q== +-----END CERTIFICATE----- diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/env b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/env new file mode 100644 index 00000000..73e6e980 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/env @@ -0,0 +1 @@ +export CONJUR_CERT_FILE=./test_cases/retrieve-variable-bad-certs/bad_cert.pem diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/playbook.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/playbook.yml new file mode 100644 index 00000000..516faec4 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/playbook.yml @@ -0,0 +1,15 @@ +--- +- name: Retrieve Conjur variable fails with bad cert + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable with bad cert + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt + ignore_errors: True diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/tests/test_default.py b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/tests/test_default.py new file mode 100644 index 00000000..9818bdcf --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/tests/test_default.py @@ -0,0 +1,13 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '_ansible_1'] + + +def test_retrieval_failed(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert not secrets_file.exists diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/playbook.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/playbook.yml new file mode 100644 index 00000000..f1085642 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/playbook.yml @@ -0,0 +1,14 @@ +--- +- name: Retrieve Conjur variable with disabled cert verification + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable with disabled cert verification + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret', validate_certs=False)}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py new file mode 100644 index 00000000..d9c84af3 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py @@ -0,0 +1,17 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '_ansible_1'] + + +def test_retrieved_secret(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert secrets_file.exists + + result = host.check_output("cat /conjur_secrets.txt", shell=True) + + assert result == "test_secret_password" diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/env b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/env new file mode 100644 index 00000000..2363951d --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/env @@ -0,0 +1 @@ +export CONJUR_CERT_FILE=./conjur.pem diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/playbook.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/playbook.yml new file mode 100644 index 00000000..ef982db4 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/playbook.yml @@ -0,0 +1,14 @@ +--- +- name: Retrieve Conjur variable into file + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secret_path.txt + + - name: Retrieve Conjur variable into file using as_file option + vars: + secret_path: "{{lookup('conjur_variable', 'ansible/test-secret-in-file', as_file=True)}}" + shell: echo -n "{{secret_path}}" > /lookup_output.txt diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/tests/test_default.py b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/tests/test_default.py new file mode 100644 index 00000000..e681fd18 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/tests/test_default.py @@ -0,0 +1,22 @@ +from __future__ import (absolute_import, division, print_function) + +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '_ansible_1'] + + +def test_retrieved_secret(host): + """ + Verify that the as_file parameter makes the lookup plugin return the path to a temporary file + containing the secret. + """ + lookup_output_file = host.file('/lookup_output.txt') + assert lookup_output_file.exists + + secret_file = host.file(lookup_output_file.content_string) + assert secret_file.exists + assert secret_file.mode == 0o600 + assert secret_file.content_string == "test_secret_in_file_password" diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/playbook.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/playbook.yml new file mode 100644 index 00000000..516faec4 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/playbook.yml @@ -0,0 +1,15 @@ +--- +- name: Retrieve Conjur variable fails with bad cert + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable with bad cert + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt + ignore_errors: True diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py new file mode 100644 index 00000000..9818bdcf --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py @@ -0,0 +1,13 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '_ansible_1'] + + +def test_retrieval_failed(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert not secrets_file.exists diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/env b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/env new file mode 100644 index 00000000..f4e4155e --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/env @@ -0,0 +1,4 @@ +export CONJUR_CERT_FILE=./conjur.pem +unset CONJUR_AUTHN_API_KEY +unset CONJUR_AUTHN_LOGIN +export CONJUR_AUTHN_TOKEN_FILE=./access_token diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/playbook.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/playbook.yml new file mode 100644 index 00000000..e515b0f1 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/playbook.yml @@ -0,0 +1,14 @@ +--- +- name: Retrieve Conjur variable with authn-token + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/tests/test_default.py b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/tests/test_default.py new file mode 100644 index 00000000..d9c84af3 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/tests/test_default.py @@ -0,0 +1,17 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '_ansible_1'] + + +def test_retrieved_secret(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert secrets_file.exists + + result = host.check_output("cat /conjur_secrets.txt", shell=True) + + assert result == "test_secret_password" diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/env b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/env new file mode 100644 index 00000000..2363951d --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/env @@ -0,0 +1 @@ +export CONJUR_CERT_FILE=./conjur.pem diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/playbook.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/playbook.yml new file mode 100644 index 00000000..103d7e08 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/playbook.yml @@ -0,0 +1,14 @@ +--- +- name: Retrieve Conjur variable with spaces in the variable name + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable with spaces in the variable name + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/var with spaces')}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py new file mode 100644 index 00000000..25034d00 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py @@ -0,0 +1,17 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '_ansible_1'] + + +def test_retrieved_secret(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert secrets_file.exists + + result = host.check_output("cat /conjur_secrets.txt", shell=True) + + assert result == "var_with_spaces_secret_password" diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/env b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/env new file mode 100644 index 00000000..2363951d --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/env @@ -0,0 +1 @@ +export CONJUR_CERT_FILE=./conjur.pem diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/playbook.yml b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/playbook.yml new file mode 100644 index 00000000..44e993f9 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/playbook.yml @@ -0,0 +1,14 @@ +--- +- name: Retrieve Conjur variable + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/tests/test_default.py b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/tests/test_default.py new file mode 100644 index 00000000..d9c84af3 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/tests/test_default.py @@ -0,0 +1,17 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '_ansible_1'] + + +def test_retrieved_secret(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert secrets_file.exists + + result = host.check_output("cat /conjur_secrets.txt", shell=True) + + assert result == "test_secret_password" diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.10.txt b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.10.txt new file mode 100644 index 00000000..d93b42a3 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.10.txt @@ -0,0 +1,10 @@ +Jenkinsfile shebang +tests/conjur_variable/test.sh shebang +tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml +roles/conjur_host_identity/tests/test.sh shebang +roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python +ci/build_release shebang +ci/parse-changelog.sh shebang +ci/publish_to_galaxy shebang +ci/test.sh shebang +secrets.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.11.txt b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.11.txt new file mode 100644 index 00000000..d93b42a3 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.11.txt @@ -0,0 +1,10 @@ +Jenkinsfile shebang +tests/conjur_variable/test.sh shebang +tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml +roles/conjur_host_identity/tests/test.sh shebang +roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python +ci/build_release shebang +ci/parse-changelog.sh shebang +ci/publish_to_galaxy shebang +ci/test.sh shebang +secrets.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python diff --git a/collections-debian-merged/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.9.txt b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.9.txt new file mode 100644 index 00000000..85dc8780 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.9.txt @@ -0,0 +1,7 @@ +Jenkinsfile shebang +tests/conjur_variable/test.sh shebang +roles/conjur_host_identity/tests/test.sh shebang +ci/build_release shebang +ci/parse-changelog.sh shebang +ci/publish_to_galaxy shebang +ci/test.sh shebang diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/.DS_Store b/collections-debian-merged/ansible_collections/cyberark/pas/.DS_Store Binary files differnew file mode 100644 index 00000000..c6fd0311 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/.DS_Store diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/.gitignore b/collections-debian-merged/ansible_collections/cyberark/pas/.gitignore new file mode 100644 index 00000000..022880ad --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/.gitignore @@ -0,0 +1,6 @@ + +meta/.galaxy_install_info +docs/.DS_Store +.DS_Store +.vscode/settings.json +*.gz diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/.vscode/settings.json b/collections-debian-merged/ansible_collections/cyberark/pas/.vscode/settings.json new file mode 100644 index 00000000..c2306d90 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/.vscode/settings.json @@ -0,0 +1,7 @@ +{ + "python.linting.pylintEnabled": false, + "python.linting.enabled": true, + "python.linting.pycodestyleEnabled": false, + "python.linting.flake8Enabled": true, + "python.pythonPath": "/usr/bin/python3" +}
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/CONTRIBUTING.md b/collections-debian-merged/ansible_collections/cyberark/pas/CONTRIBUTING.md new file mode 100644 index 00000000..c6c345bc --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/CONTRIBUTING.md @@ -0,0 +1,7 @@ +# Contributing to the Ansible Security Automation Collection + +Thanks for your interest in the Ansible Security Automation collection. Before considering contributing, please take a moment to read and sign our <a href="https://github.com/cyberark/conjur/blob/master/Contributing_OSS/CyberArk_Open_Source_Contributor_Agreement.pdf" download="conjur_contributor_agreement">Contributor Agreement</a>. This provides patent protection for all CyberArk Ansible users and allows CyberArk to enforce its license terms. + +## Pull Request Workflow + +Currently, this repository is source-available and not open to contributions. Please continue to follow this repository for updates and open-source availability diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/FILES.json b/collections-debian-merged/ansible_collections/cyberark/pas/FILES.json new file mode 100644 index 00000000..91384b83 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/FILES.json @@ -0,0 +1,341 @@ +{ + "files": [ + { + "format": 1, + "ftype": "dir", + "chksum_sha256": null, + "name": ".", + "chksum_type": null + }, + { + "ftype": "dir", + "chksum_sha256": null, + "name": "releases", + "chksum_type": null, + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "35f84a3cf19741c27ba5db12b8db9e3948a73f3c4644812a6d395ea26e051ae0", + "name": ".DS_Store", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "f717ec697e01e78397a7c8a6f13b78070ea4503346ba65202ccaa055f34f0261", + "name": "LICENSE", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "dir", + "chksum_sha256": null, + "name": "plugins", + "chksum_type": null, + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "b4db0564252905e3cbc58aa4052997e4e05f2dba19a701fad7fb9d495eecd1ff", + "name": "plugins/.DS_Store", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "dir", + "chksum_sha256": null, + "name": "plugins/modules", + "chksum_type": null, + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "d65165279105ca6773180500688df4bdc69a2c7b771752f0a46ef120b7fd8ec3", + "name": "plugins/modules/.DS_Store", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "b4a1f09b61bb8318e3edb98e0b3d8a17862b0cd4039b711f5de3e7a81be330a9", + "name": "plugins/modules/cyberark_account.py", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "93ecd4c533fb5e76d526fe4013842f8fcf7c86381136693453271fb9eedf659d", + "name": "plugins/modules/cyberark_user.py", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "8bb91b3463ce7806f5a6f4aa2e8ca16ea3933a6d388dab7ab3fde517d5c25c7c", + "name": "plugins/modules/cyberark_credential.py", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "385fa365a6aa42e936771f2fa5b436d3cd820357730648787f2c08d75b2a69f2", + "name": "plugins/modules/cyberark_authentication.py", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "dir", + "chksum_sha256": null, + "name": "tests", + "chksum_type": null, + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "ade187fe39cb5d204e4a9f0157140a4490f4384d5a443cc834e6eba857a65052", + "name": "tests/change_test.yml", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "ef66351da4a194e922679fd7b8338ce4997841996f7adb9792ffc24d7fa5e58a", + "name": "tests/provision_user.yml", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "a84d2ad562594a7291bea6414d48431ceb4cea94a91e235b74acf5902582e667", + "name": "tests/test.yml", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "a8783ddd86efbad3b3764ed15eadbe74feca848e412baf6a6bb816a334fc3498", + "name": "tests/provision_account.yml", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "2e2663f92ccbc4b660a4a02e51d3f0e8ad7d18ed09ba48df6c233844c33f994d", + "name": "tests/enable_user.yml", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "8a9f1dc3ff7a408f0b130160a8e78c401b6e2514c8ee773df75bbc594bd40332", + "name": "tests/deprovision_user.yml", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "fb4ea3f8c3c322426eac081abc4eb86f0b997f17507451e1f5a064d2e23ce54a", + "name": "tests/changepolicy.yml", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "fdbc326414f4dfd2a546fc473bf4aeff8c8081fefbe82635473b22e07f165632", + "name": "tests/reset_user_password.yml", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "d194efba14794c5c24125eb99805d519e8d12e5639312afe5f0d2ee2210e30e2", + "name": "tests/disable_user.yml", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "56ce44093120aba1256a85956749990b0a4ef462052718fa7b22ad3fb0594150", + "name": "tests/deprovision_account.yml", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "dir", + "chksum_sha256": null, + "name": "meta", + "chksum_type": null, + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "8f69fd09e680663abbea9263b7637d14ca6f4df36dd670341ecc4ed20519c454", + "name": "meta/.galaxy_install_info", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "dir", + "chksum_sha256": null, + "name": "roles", + "chksum_type": null, + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "d65165279105ca6773180500688df4bdc69a2c7b771752f0a46ef120b7fd8ec3", + "name": "roles/.DS_Store", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "dir", + "chksum_sha256": null, + "name": "docs", + "chksum_type": null, + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "e6cc9b8071b126d37c1be152ccad42ca7463a44f2211c244ba51e9ebc0b731af", + "name": "docs/cyberark_account.md", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "e79f670aad7f64b289f079a36bcd0b339adcb504f923d0d1d8d862dfe0a20a88", + "name": "docs/.DS_Store", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "dir", + "chksum_sha256": null, + "name": "docs/images", + "chksum_type": null, + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "d65165279105ca6773180500688df4bdc69a2c7b771752f0a46ef120b7fd8ec3", + "name": "docs/images/.DS_Store", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "82e22cb050df050bd5af8680d341f61d48beafbf9c30cb40fe994c684151d8d4", + "name": "docs/images/platform_account_properties.JPG", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "5d910c2159e7caded5286414d0329d7e0f084676fcb80610efffa5be7214452b", + "name": "docs/images/full-cyberark-logo.jpg", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "535e69685a6e58c210d685abe0fb4f8990bdca029ef41f30c130000f9a596631", + "name": "docs/images/cyberark_logo.jpg", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "8b6f65400e7a4eede87eea4bf78e44093715b640c83e52ec1db73c848321bf25", + "name": "docs/cyberark_credential.md", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "e84f1f9c378bdd251d8f38b4bbb71de66dce9c4b50385472fe2e2875739fc01d", + "name": "docs/cyberark_authentication.md", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "3603085686d4db88a033acfa92d0f801bc8da65fc75d40b47b93ea0ca01c2090", + "name": "docs/cyberark_user.md", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "e811bfee4ff1cb3f163f8702002a1af06a35a8c0644eafc2804cf44542985d4c", + "name": "README.md", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "dfc5692588b338148d1ae60d04cb5c2561f659e2efdb0a01813b5d1ef5605605", + "name": ".gitignore", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "7940f35447449861a2acc6581aca29ad38c941a9646e1874345ccad60f95b6b2", + "name": "CONTRIBUTING.md", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "dir", + "chksum_sha256": null, + "name": ".vscode", + "chksum_type": null, + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "a0e5a061573540a0b9471b4744ff6e13c4ffaa544a33837eccd3cf0c6f94ff3a", + "name": ".vscode/settings.json", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "dir", + "chksum_sha256": null, + "name": "custom-cred-types", + "chksum_type": null, + "format": 1 + }, + { + "ftype": "dir", + "chksum_sha256": null, + "name": "custom-cred-types/cyberark-pas-restapi", + "chksum_type": null, + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "f4adbb5b1da168dea98a8fd85d5a4b109c346b3deed95cfd06f160c5db4ce927", + "name": "custom-cred-types/cyberark-pas-restapi/input.yml", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "f61c7965c5570860c7345b15f5ce4eea14b7ea4e51548060e023f6dd75879b4c", + "name": "custom-cred-types/cyberark-pas-restapi/injector.yml", + "chksum_type": "sha256", + "format": 1 + }, + { + "ftype": "file", + "chksum_sha256": "a07b281e2ab653ee3b61a36a7cced24051b2c2a8a7b14fdc8632b2c34f31e2c5", + "name": "custom-cred-types/cyberark-pas-restapi/README.md", + "chksum_type": "sha256", + "format": 1 + } + ], + "format": 1 +}
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/LICENSE b/collections-debian-merged/ansible_collections/cyberark/pas/LICENSE new file mode 100644 index 00000000..d6296a34 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2017 CyberArk + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/MANIFEST.json b/collections-debian-merged/ansible_collections/cyberark/pas/MANIFEST.json new file mode 100644 index 00000000..eb6e4195 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/MANIFEST.json @@ -0,0 +1,43 @@ +{ + "collection_info": { + "description": "This is a Collection of the CyberArk Ansible Security Automation toolkit.", + "repository": "https://github.com/cyberark/ansible-security-automation-collection", + "tags": [ + "cyberark", + "access", + "security", + "account", + "epv", + "vault", + "identity", + "credential", + "secret", + "privileged" + ], + "dependencies": {}, + "authors": [ + "CyberArk Business Development (@cyberark-bizdev)", + "Edward Nunez (@enunez-cyberark)", + "James Stutes (@JimmyJamCABD)" + ], + "issues": null, + "name": "pas", + "license": [ + "MIT" + ], + "documentation": null, + "namespace": "cyberark", + "version": "1.0.5", + "readme": "README.md", + "license_file": null, + "homepage": null + }, + "file_manifest_file": { + "format": 1, + "ftype": "file", + "chksum_sha256": "d31f399045f1e064f64c62136a7bce1063186d908e44968287ee424be70a2eba", + "name": "FILES.json", + "chksum_type": "sha256" + }, + "format": 1 +}
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/README.md b/collections-debian-merged/ansible_collections/cyberark/pas/README.md new file mode 100644 index 00000000..58d3ad13 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/README.md @@ -0,0 +1,60 @@ +<!-- please note this has to be a absolute URL since otherwise it will not show up on galaxy.ansible.com --> +![cyberark logo|](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/images/full-cyberark-logo.jpg?raw=true) + +## CyberArk Ansible Security Automation Collection + +************* + +## Collection + +#### cyberark.pas + + +This collection is the CyberArk Ansible Security Automation project. This is aimed to enable the automation of securing privileged access by storing privileged accounts in the Enterprise Password Vault (EPV), controlling user's access to privileged accounts in EPV, and securely retreiving secrets using Application Access Manager (AAM). The following modules will allow CyberArk administrators to automate the following tasks: + +#### Requirements + +- CyberArk Privileged Account Security Web Services SDK +- CyberArk AAM Central Credential Provider (**Only required for cyberark_credential**) + +#### Role Variables + +None. +<br> +<br> + +## Modules + +#### cyberark_authentication + +- Using the CyberArk Web Services SDK, authenticate and obtain an auth token to be passed as a variable in playbooks +- Logoff of an authenticated REST API session<br> +[Playbooks and Module Info](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/cyberark_authentication.md) + +#### cyberark_user + +- Add a CyberArk User +- Delete a CyberArk User +- Update a CyberArk User's account parameters + - Enable/Disable, change password, mark for change at next login, etc +<br>[Playbooks and Module Info](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/cyberark_user.md)<br/> + +#### cyberark_account + +- Add Privileged Account to the EPV +- Delete account objects +- Modify account properties +- Rotatate privileged credentials<br> +[Playbooks and Module Info](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/cyberark_account.md) + +#### cyberark_credential + +- Using AAM Central Credential Provider (CCP), to securely retreive secrets and account properties from EPV to be registered for use in playbooks<br> +[Playbooks and Module Info](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/cyberark_credential.md) + +#### Author Information +- CyberArk Business Development Technical Team + - @enunez-cyberark + - @cyberark-bizdev + - @jimmyjamcabd + diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/custom-cred-types/cyberark-pas-restapi/README.md b/collections-debian-merged/ansible_collections/cyberark/pas/custom-cred-types/cyberark-pas-restapi/README.md new file mode 100644 index 00000000..852ff7db --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/custom-cred-types/cyberark-pas-restapi/README.md @@ -0,0 +1,32 @@ +# CyberArk PAS REST API + +Custom Credential Type for Ansible Tower + +## Installation + +1. Login to Ansible Tower as a Tower Administrator. +2. Under Administration, click on Credential Type. +3. Click the green [ + ] in the top right-hand corner to create a new Custom Credential Type. +4. Set the name of your Credential Type. e.g. `CyberArk PAS REST API` +5. Under `Input Configuration` select `YAML`. +6. Copy and paste the [input.yml](input.yml) into the text field for `Input Configuration`. +7. Under `Injector Configuration` select `YAML`. +8. Copy and paste the [injector.yml](injector.yml) into the text field for `Injector Configuration`. +9. Click `Save` at the bottom to save the Custom Credential Type. + +## Usage + +Reference the following environment variables within your Ansible Playbook when using this Credential Type: + +* `CYBERARK_API_URL` \ +This is the Base URI of your CyberArk Password Vault Web Access (PVWA). _e.g. `https://pvwa.cyberark.com`_ + +* `CYBERARK_API_USERNAME` \ +This is the username to use when logging into the CyberArk PAS Web Services SDK (REST API). + +* `CYBERARK_API_PASSWORD` \ +This is the password associated with the username provided for login. + +## Maintainer + +Joe Garcia, CISSP - DevOps Security Engineer, CyberArk - [@infamousjoeg](https://github.com/infamousjoeg) diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/custom-cred-types/cyberark-pas-restapi/injector.yml b/collections-debian-merged/ansible_collections/cyberark/pas/custom-cred-types/cyberark-pas-restapi/injector.yml new file mode 100644 index 00000000..4d6edc5f --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/custom-cred-types/cyberark-pas-restapi/injector.yml @@ -0,0 +1,4 @@ +extra_vars: + CYBERARK_API_PASSWORD: '{{ password }}' + CYBERARK_API_URL: '{{ pvwa_url }}' + CYBERARK_API_USERNAME: '{{ username }}' diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/custom-cred-types/cyberark-pas-restapi/input.yml b/collections-debian-merged/ansible_collections/cyberark/pas/custom-cred-types/cyberark-pas-restapi/input.yml new file mode 100644 index 00000000..59a8441e --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/custom-cred-types/cyberark-pas-restapi/input.yml @@ -0,0 +1,18 @@ +fields: + - id: username + type: string + label: Username + help_text: CyberArk REST API Username + - id: password + type: string + label: Password + secret: true + help_text: CyberArk REST API Password + - id: pvwa_url + type: string + label: PVWA URL + help_text: 'CyberArk PVWA URL e.g. https://pvwa.cyberark.com' +required: + - username + - password + - pvwa_url diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/docs/.DS_Store b/collections-debian-merged/ansible_collections/cyberark/pas/docs/.DS_Store Binary files differnew file mode 100644 index 00000000..10f526f8 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/docs/.DS_Store diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/docs/cyberark_account.md b/collections-debian-merged/ansible_collections/cyberark/pas/docs/cyberark_account.md new file mode 100644 index 00000000..d35e4806 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/docs/cyberark_account.md @@ -0,0 +1,278 @@ +# cyberark_account + +Allows for adding, deleting, modifying a privileged credential within the Cyberark Vault. The request uses the Privileged Account Security Web Services SDK.<br> + +The ability to modify consists of the following: + +* Password (see secret_management) +* Safe +* Platform +* Address +* Object Name +* Username +* Platform Account Properties + * These are the parameters listed in the Platform under `UI & Workflows -> Properties` and are unique to each Platform (see image below) +* Remote Machines Access + +![Platform Account Properties](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/images/platform_account_properties.JPG?raw=true) + +### secret_management +The `secret_management` dictionary provides the capability to set a CPM password rotation flag on an existing account. + +The available options are as follows:<br> + +`automatic_management_enabled`: bool<br> +`manual_management_reason`: This is a string value that populates the Reason field is you have set an account to not be managed by the CPM. This value is only necessary if `automatic_management_enabled` is set to false.<br> +`management_action`: This value indicates what type CPM management flag will be placed on the account +* change - <br> +* change_immediately - <br> +* reconcile - <br> + +`new_secret`: This parameter is available to set the value of the new password<br> +`perform_secret_management`: This parameter was allows the option to place a CPM management flag on an account upon creation of an account object. +* always - All `secret_management` actions will follow the table below at all times. +* on_create - Will place a CPM management flag according to the table below ONLY on creation of an account object. + +#### Secret Management Action Table +| management_action | new_secret | Action | +| :---------: | :----: | :----- | +| change | populated | change password to set value at next scheduled rotation | +| change | NULL | rotate password at next scheduled rotation | +| change_immediately | populated | change immediately to the set value | +| change_immediately | NULL | rotate immediately | +| reconcile | populated | reconcile immediately NOT to set value | +| reconcile | NULL | reconcile immediately | +| NULL | populated | set value in Vault ONLY | + + +### identified_by +This property allows for the module to confidently identify the account object needing to be identified. If multiple accounts are returned from the modules initial `Get Accounts` it will use the value(s) set in the `identified_by` parameter to direct which account is selected from the list. + +**EXAMPLE:** +``` +-Playbook Parameters- + +cyberark_account: + identified_by: "address,username,platform_id" + safe: "testSafe" + address: "dev.local" + username: "admin" + platform_id: WinDomain + + -This is the query sent to CyberArk Web SDK: +/api/Accounts?filter=safeName eq testSafe&search= admin dev.local + +**This could return multiple accounts in the testSafe** + +RETURNED: +account1 + username: administrator + address: cyberark.dev.local + safe: testSafe + policyID: WinDomain + +account2 + username: admin + address: dev.local + safe: testSafe + policyID: WinDomain +``` +With the `identified_by` parameter set the `cyberark_account` module will select the account2 object becauses the values of the `address`, `username` and `platform_id` parameters are identical matches to the values of account2 properties. + +#### Limitations +**Idempotency** - All actions taken in the module adhere to the Ansible idempotency guidelines _except_ for password change. If you have the playbook set to modify a password it will send a password change request every time the playbook is run, even if you are defining the next password value and it is the same password that is set in other runs.<br> +**Remote Machines Access** - When modifying the values in the `remote_machines_access` dictionary be mindful of the `platform_id` value. Remote Machines Access values are stored at the Vault database level and not stored as File Categories. It is a function that is only available with the `WinDomain` platform and if you attempt to assign these values to another platform it will cause errors in the PSM functionality. + + +#### Available Fields +``` +options: + state: + description: + - Assert the desired state of the account C(present) to creat or update and account object. Set to C(absent) for deletion of an account object + required: true + default: present + choices: [present, absent] + type: str + logging_level: + description: + - Parameter used to define the level of troubleshooting output to the C(logging_file) value + required: true + choices: [NOTSET, DEBUG, INFO] + type: str + logging_file: + description: + - Setting the log file name and location for troubleshooting logs + required: false + default: /tmp/ansible_cyberark.log + type: str + api_base_url: + description: + - A string containing the base URL of the server hosting CyberArk's Privileged Account Security Web Services SDK + - Example: U(https://<IIS_Server_Ip>/PasswordVault/api/) + required: true + type: str + validate_certs: + description: + - If C(false), SSL certificate chain will not be validated. This should only set to C(true) if you have a root CA certificate installed on each node. + required: false + default: true + type: bool + cyberark_session: + description: + - Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session, please see M(cyberark_authentication) module for an example of cyberark_session. + required: true + type: dict + identified_by: + description: + - When an API call is made to Get Accounts, often times the default parameters passed will identify more than one account. This parameter is used to confidently identify a single account when the default query can return multiple results. + required: false + default: username,address,platform_id + type: str + safe: + description: + - The safe in the Vault where the privileged account is to be located + required: true + type: str + platform_id: + description: + - The PolicyID of the Platform that is to be managing the account + required: false + type: str + address: + description: + - The adress of the endpoint where the privileged account is located + required: false + type: str + name: + description: + - The ObjectID of the account + required: false + type: str + secret_type: + description: + - The value that identifies what type of account it will be. + required: false + default: password + choices: [password, key] + type: str + secret: + description: + - The initial password for the creation of the account + required: false + type: str + username: + description: + - The username associated with the account + required: false + type: str + secret_management + description: + - Set of parameters associated with the management of the credential + required: false + suboptions: + automatic_management_enabled: + description: + - Parameter that indicates whether the CPM will manage the password or not + default: True + type: bool + manual_management_reason: + description: + - String value indicating why the CPM will NOT manage the password + type: str + management_action: + description: + - CPM action flag to be placed on the account object for credential rotation + choices: [change, change_immediately, reconcile] + type: str + new_secret: + description: + - The actual password value that will be assigned for the CPM action to be taken + type: str + perform_management_action: + description: + - C(always) will perform the management action in every action + - C(on_create) will only perform the management action right after the account is created + choices: [always, on_create] + default: always + type: str + remote_machines_access: + description: + - Set of parameters for defining PSM endpoint access targets + required: false + type: dict + suboptions: + remote_machines: + description: + - List of targets allowed for this account + type: str + access_restricted_to_remote_machines: + description: + - Whether or not to restrict access only to specified remote machines + type: bool + platform_account_properties: + description: + - Object containing key-value pairs to associate with the account, as defined by the account platform. These properties are validated against the mandatory and optional properties of the specified platform's definition. Optional properties that do not exist on the account will not be returned here. Internal properties are not returned. + required: false + type: dict + suboptions: + KEY: + description: + - Freeform key value associated to the mandatory or optional property assigned to the specified Platform's definition. + aliases: [Port, ExtrPass1Name, database] + type: str +``` + +## Example Playbooks + + +```yaml + tasks: + + - name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark.pas.cyberark_authentication: + api_base_url: "http://components.cyberark.local" + validate_certs: no + username: "bizdev" + password: "Cyberark1" + + - name: Creating an Account using the PAS WebServices SDK + cyberark.pas.cyberark_account: + logging_level: DEBUG + identified_by: "address,username" + safe: "Test" + address: "cyberark.local" + username: "administrator-x" + platform_id: WinServerLocal + secret: "@N&Ibl3!" + platform_account_properties: + LogonDomain: "cyberark" + OwnerName: "ansible_user" + secret_management: + automatic_management_enabled: true + state: present + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + + - name: Rotate credential via reconcile and providing the password to be changed to + cyberark.pas.cyberark_account: + identified_by: "address,username" + safe: "Domain_Admins" + address: "prod.cyberark.local" + username: "admin" + platform_id: WinDomain + platform_account_properties: + LogonDomain: "PROD" + secret_management: + new_secret: "Ama123ah12@#!Xaamdjbdkl@#112" + management_action: "reconcile" + automatic_management_enabled: true + state: present + cyberark_session: "{{ cyberark_session }}" + register: reconcileaccount + + - name: Logoff from CyberArk Vault + cyberark.pas.cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" +``` diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/docs/cyberark_authentication.md b/collections-debian-merged/ansible_collections/cyberark/pas/docs/cyberark_authentication.md new file mode 100644 index 00000000..500f6e72 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/docs/cyberark_authentication.md @@ -0,0 +1,99 @@ +# cyberark_authentication + + +Authenticates to CyberArk Vault using Privileged Account Security Web Services SDK and creates a session fact that can be used by other modules. It returns an Ansible fact called `cyberark_session`. Every module can use this fact as `cyberark_session` parameter. + + +#### Available Fields +``` +options: + state: + default: present + choices: [present, absent] + description: + - Specifies if an authentication logon/logoff and a cyberark_session should be added/removed. + username: + description: + - The name of the user who will logon to the Vault. + password: + description: + - The password of the user. + new_password: + description: + - The new password of the user. This parameter is optional, and enables you to change a password. + api_base_url: + description: + - A string containing the base URL of the server hosting CyberArk's Privileged Account Security Web Services SDK. + validate_certs: + type: bool + default: 'yes' + description: + - If C(false), SSL certificates will not be validated. This should only + set to C(false) used on personally controlled sites using self-signed + certificates. + use_shared_logon_authentication: + type: bool + default: 'no' + description: + - Whether or not Shared Logon Authentication will be used. + use_radius_authentication: + type: bool + default: 'no' + description: + - Whether or not users will be authenticated via a RADIUS server. Valid values are true/false. + cyberark_session: + description: + - Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session. +``` +## Example Playbooks + +**Shared Logon Authentication.**<br/> +Shared authentication is based on a user credential file that is stored in the PVWA web server. During shared authentication, only the user defined in the credential file can log on to the PVWA, but multiple users can use the logon token. + +This type of authentication requires the playbook to manage the users as the Vault can't identify which specific user performs each action. + +Multiple concurrent connections can be created using the same token, without affecting each other. + +The shared user is defined in a user credential file, whose location is specified in the WSCredentialFile parameter, in the appsettings section of the PVWAweb.config file: + +```xml +<add key="WSCredentialFile" value="C:\CyberArk\Password Vault Web Access\CredFiles\WSUser.ini"/> +``` +> Make sure that this user can access the PVWA interface.<br/> +> Make sure the user only has the permissions in the Vault that they require. + +It is recommended to secure connections between Ansible and the REST Web Services when using Shared Logon Authentication, using Client Authentication. + +In addition to SSL, use Client Authentication to authenticate Ansible using a client certificate. + +[Configuring client authentication via certificates](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/SDK/Configuring%20Client%20Authentication%20via%20Client%20Certificates.htm) + +```yaml +- name: Logon to CyberArk Vault using PAS Web Services SDK - use_shared_logon_authentication + cyberark_authentication: + api_base_url: "{{ web_services_base_url }}" + use_shared_logon_authentication: yes +``` + +**CyberArk Authentication**<br/> +This method authenticates a user to the Vault and returns a token that can be used in subsequent web services calls. In addition, this method allows you to set a new password. + +Users can authenticate using **CyberArk**, **LDAP** or **RADIUS** authentication. + +```yaml +- name: Logon to CyberArk Vault using PAS Web Services SDK - Not use_shared_logon_authentication + cyberark_authentication: + api_base_url: "{{ web_services_base_url }}" + username: "{{ password_object.password }}" + password: "{{ password_object.passprops.username }}" + use_shared_logon_authentication: no +``` +**Logoff**<br/> +This method logs off the user and removes the Vault session. + +```yaml +- name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }} +``` diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/docs/cyberark_credential.md b/collections-debian-merged/ansible_collections/cyberark/pas/docs/cyberark_credential.md new file mode 100644 index 00000000..8097a44e --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/docs/cyberark_credential.md @@ -0,0 +1,127 @@ +# cyberark_credential + +Creates a URI for retrieving a credential from a password object stored in the Cyberark Vault. The request uses the Privileged Account Security Web Services SDK through the Central Credential Provider by requesting access with an Application ID. + +**Requirements:** +- CyberArk AAM Central Credential Provider +- ApplicationID with the following permissions on the safe containing the credential being requested: + - List Accounts + - Retrieve Accounts +> **NOTE:** The CCP's Provider user (Prov_hostaname) needs to have the following permissions on the safe containing the credential being requested: +>> List Accounts<br> +>> Retrieve Accounts<br> +>> View Safe Members<br> + +## Query +This field is semicolon delimited value that is the exact syntax that goes in the URI<br> +If you use the `object` parameter then there is no need to use any other parameter as the ObjectID is a unique value.<br> +**Example:** +``` + query: "Safe=test;UserName=admin" + OR + query: "Object=OperatingSystem-administrator-dev.local" +``` + +## Available Fields + +``` +options: + api_base_url: + description: + - A string containing the base URL of the server hosting the Central Credential Provider + required: true + type: string + validate_certs: + description: + - If C(false), SSL certificate chain will not be validated. This should only set to C(true) if you have a root CA certificate installed on each node. + type: bool + required: false + default: false + type: bool + app_id: + description: + - A string containing the Application ID authorized for retrieving the credential + required: true + type: string + query: + description: + - A string containing details of the object being queried + required: true + parameters: + Safe=<safe name> + Folder=<folder name within safe> + Object=<object name> + UserName=<username of object> + Address=<address listed for object> + Database=<optional file category for database objects> + PolicyID=<platform id managing object> + connection_timeout: + description: + - An integer value of the allowed time before the request returns failed + required: false + default: '30' + type: integer + query_format: + description: + - The format for which your Query will be received by the CCP + required: false + default: 'Exact' + choices: [Exact, Regexp] + type: choice + fail_request_on_password_change: + description: + - A boolean parameter for completing the request in the middle of a password change of the requested credential + required: false + default: false + type: bool + client_cert: + description: + - A string containing the file location and name of the client certificate used for authentication + required: false + type: string + client_key: + description: + - A string containing the file location and name of the private key of the client certificate used for authentication + required: false + type: string + reason: + description: + - Reason for requesting credential if required by policy + required: false + type: string +``` + + + +## Example Playbooks + +```yaml +- name: credential retrieval basic + cyberark_credential: + api_base_url: "http://10.10.0.1" + app_id: "TestID" + query: "Safe=test;UserName=admin" + register: {{ result }} + + result: + { api_base_url }"/AIMWebService/api/Accounts?AppId="{ app_id }"&Query="{ query } + + +- name: credential retrieval advanced + cyberark_credential: + api_base_url: "https://components.cyberark.local" + validate_certs: yes + client_cert: /etc/pki/ca-trust/source/client.pem + client_key: /etc/pki/ca-trust/source/priv-key.pem + app_id: "TestID" + query: "Safe=test;UserName=admin" + connection_timeout: 60 + query_format: Exact + fail_request_on_password_change: True + reason: "requesting credential for Ansible deployment" + register: {{ result }} + + result: + { api_base_url }"/AIMWebService/api/Accounts?AppId="{ app_id }"&Query="{ query }"&ConnectionTimeout="{ connection_timeout }"&QueryFormat="{ query_format }"&FailRequestOnPasswordChange="{ fail_request_on_password_change } + +``` diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/docs/cyberark_user.md b/collections-debian-merged/ansible_collections/cyberark/pas/docs/cyberark_user.md new file mode 100644 index 00000000..b1bfa1bc --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/docs/cyberark_user.md @@ -0,0 +1,163 @@ +# cyberark_user + +This module allows admins to Add, Delete, and Modify CyberArk Vault Users. The ability to modify consists of the following: + +* Enable User<br> +* Disable User<br> +* Add/Remove Group<br> +* Set New Password<br> +* Force "change password at next login"<br> +* Modify User Information Fields<br> + * Email<br> + * First Name<br> + * Last Name<br> + * Expiry Date<br> + * User Type<br> + * Location<br> + +#### Limitations +**Idempotency** - All actions taken in the playbook adhere to the Ansible idempotency guidelines _except_ for password change. If you have the playbook set to modify a password it will "modify" the password every time the playbook is run, even if it is the same password.<br> +**Group Creation** - If the value for `group_name` does not exist in the Vault it will not create that group, the user action that was expected will fail. + +#### Available Fields + +``` +options: + username: + description: + - The name of the user who will be queried (for details), added, updated or deleted. + type: str + required: True + state: + description: + - Specifies the state needed for the user present for create user, absent for delete user. + type: str + choices: [ absent, present ] + default: present + cyberark_session: + description: + - Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session, + please see M(cyberark_authentication) module for an example of cyberark_session. + type: dict + required: True + initial_password: + description: + - The password that the new user will use to log on the first time. + - This password must meet the password policy requirements. + - This parameter is required when state is present -- Add User. + type: str + new_password: + description: + - The user updated password. Make sure that this password meets the password policy requirements. + type: str + email: + description: + - The user email address. + type: str + first_name: + description: + - The user first name. + type: str + last_name: + description: + - The user last name. + type: str + change_password_on_the_next_logon: + description: + - Whether or not the user must change their password in their next logon. + type: bool + default: no + expiry_date: + description: + - The date and time when the user account will expire and become disabled. + type: str + user_type_name: + description: + - The type of user. + - The parameter defaults to C(EPVUser). + type: str + disabled: + description: + - Whether or not the user will be disabled. + type: bool + default: no + location: + description: + - The Vault Location for the user. + type: str + group_name: + description: + - The name of the group the user will be added to. + type: str +``` +## Example Playbooks + +This playbook will check if username `admin` exists, if it does not, it will provision the user in the Vault, add it to the `Auditors` group and set the account to be changed at first logon. + +```yaml +- name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark_authentication: + api_base_url: https://components.cyberark.local + use_shared_logon_authentication: yes + +- name: Create user, add to Group + cyberark_user: + username: admin + first_name: "Cyber" + last_name: "Admin" + email: "cyber.admin@ansibledev.com" + initial_password: PA$$Word123 + user_type_name: EPVUser + change_password_on_the_next_logon: yes + group_name: Auditors + state: present + cyberark_session: '{{ cyberark_session }}' + register: cyberarkaction + +- name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: '{{ cyberark_session }}' +``` + +This playbook will identify the user and delete it from the CyberArk Vault based on the `state: absent` parameter. + +```yaml +- name: Logon to CyberArk Vault using PAS Web Services SDK - use_shared_logon_authentication + cyberark_authentication: + api_base_url: "{{ web_services_base_url }}" + use_shared_logon_authentication: yes + +- name: Removing a CyberArk User + cyberark_user: + username: "ansibleuser" + state: absent + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + +- name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" +``` +This playbook is an example of disabling a user based on the `disabled: true` value with that authentication using the credential set in Tower. +```yaml +- name: Logon to CyberArk Vault using PAS Web Services SDK - Not use_shared_logon_authentication + cyberark_authentication: + api_base_url: "{{ web_services_base_url }}" + username: "{{ password_object.password }}" + password: "{{ password_object.passprops.username }}" + use_shared_logon_authentication: no + +- name: Disabling a CyberArk User + cyberark_user: + username: "ansibleuser" + disabled: true + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + +- name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" +``` diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/docs/images/.DS_Store b/collections-debian-merged/ansible_collections/cyberark/pas/docs/images/.DS_Store Binary files differnew file mode 100644 index 00000000..5008ddfc --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/docs/images/.DS_Store diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/docs/images/cyberark_logo.jpg b/collections-debian-merged/ansible_collections/cyberark/pas/docs/images/cyberark_logo.jpg Binary files differnew file mode 100644 index 00000000..e24741c3 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/docs/images/cyberark_logo.jpg diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/docs/images/full-cyberark-logo.jpg b/collections-debian-merged/ansible_collections/cyberark/pas/docs/images/full-cyberark-logo.jpg Binary files differnew file mode 100644 index 00000000..f44fdcdf --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/docs/images/full-cyberark-logo.jpg diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/docs/images/platform_account_properties.JPG b/collections-debian-merged/ansible_collections/cyberark/pas/docs/images/platform_account_properties.JPG Binary files differnew file mode 100644 index 00000000..4ae11e3b --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/docs/images/platform_account_properties.JPG diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/meta/.galaxy_install_info b/collections-debian-merged/ansible_collections/cyberark/pas/meta/.galaxy_install_info new file mode 100644 index 00000000..e9f68d87 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/meta/.galaxy_install_info @@ -0,0 +1,3 @@ +install_date: Wed Aug 28 18:16:53 2019 +install_date_iso: 2019-08-28 18:16:53.863466 +version: 1.0.5 diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/plugins/.DS_Store b/collections-debian-merged/ansible_collections/cyberark/pas/plugins/.DS_Store Binary files differnew file mode 100644 index 00000000..22a721d7 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/plugins/.DS_Store diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/.DS_Store b/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/.DS_Store Binary files differnew file mode 100644 index 00000000..5008ddfc --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/.DS_Store diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py b/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py new file mode 100644 index 00000000..65a3499a --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py @@ -0,0 +1,1378 @@ +#!/usr/bin/python +# Copyright: (c) 2017, Ansible Project +# GNU General Public License v3.0+ +# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = """ +--- +module: cyberark_account +short_description: Module for CyberArk Account object creation, deletion, and + modification using PAS Web Services SDK. +author: + - CyberArk BizDev (@cyberark-bizdev) + - Edward Nunez (@enunez-cyberark) + - James Stutes (@jimmyjamcabd) +version_added: 2.4 +description: + - Creates a URI for adding, deleting, modifying a privileged credential + within the Cyberark Vault. The request uses the Privileged Account + Security Web Services SDK. + + +options: + state: + description: + - Assert the desired state of the account C(present) to creat or + update and account object. Set to C(absent) for deletion of an + account object. + required: true + default: present + choices: [present, absent] + type: str + logging_level: + description: + - Parameter used to define the level of troubleshooting output to + the C(logging_file) value. + required: true + choices: [NOTSET, DEBUG, INFO] + type: str + logging_file: + description: + - Setting the log file name and location for troubleshooting logs. + required: false + default: /tmp/ansible_cyberark.log + type: str + api_base_url: + description: + - A string containing the base URL of the server hosting CyberArk's + Privileged Account Security Web Services SDK. + - Example U(https://<IIS_Server_Ip>/PasswordVault/api/) + required: true + type: str + validate_certs: + description: + - If C(false), SSL certificate chain will not be validated. This + should only set to C(true) if you have a root CA certificate + installed on each node. + required: false + default: true + type: bool + cyberark_session: + description: + - Dictionary set by a CyberArk authentication containing the + different values to perform actions on a logged-on CyberArk + session, please see M(cyberark_authentication) module for an + example of cyberark_session. + required: true + type: dict + identified_by: + description: + - When an API call is made to Get Accounts, often times the default + parameters passed will identify more than one account. This + parameter is used to confidently identify a single account when + the default query can return multiple results. + required: false + default: username,address,platform_id + type: str + safe: + description: + - The safe in the Vault where the privileged account is to be + located. + required: true + type: str + platform_id: + description: + - The PolicyID of the Platform that is to be managing the account + required: false + type: str + address: + description: + - The address of the endpoint where the privileged account is + located. + required: false + type: str + name: + description: + - The ObjectID of the account + required: false + type: str + secret_type: + description: + - The value that identifies what type of account it will be. + required: false + default: password + choices: [password, key] + type: str + secret: + description: + - The initial password for the creation of the account + required: false + type: str + new_secret: + description: + - The new secret/password to be stored in CyberArk Vault. + type: str + username: + description: + - The username associated with the account. + required: false + type: str + secret_management: + description: + - Set of parameters associated with the management of the + credential. + required: false + type: dict + suboptions: + automatic_management_enabled: + description: + - Parameter that indicates whether the CPM will manage + the password or not. + default: False + type: bool + manual_management_reason: + description: + - String value indicating why the CPM will NOT manage + the password. + type: str + management_action: + description: + - CPM action flag to be placed on the account object + for credential rotation. + choices: [change, change_immediately, reconcile] + type: str + new_secret: + description: + - The actual password value that will be assigned for + the CPM action to be taken. + type: str + perform_management_action: + description: + - C(always) will perform the management action in + every action. + - C(on_create) will only perform the management action + right after the account is created. + choices: [always, on_create] + default: always + type: str + remote_machines_access: + description: + - Set of parameters for defining PSM endpoint access targets. + required: false + type: dict + suboptions: + remote_machines: + description: + - List of targets allowed for this account. + type: str + access_restricted_to_remote_machines: + description: + - Whether or not to restrict access only to specified + remote machines. + type: bool + platform_account_properties: + description: + - Object containing key-value pairs to associate with the account, + as defined by the account platform. These properties are + validated against the mandatory and optional properties of the + specified platform's definition. Optional properties that do not + exist on the account will not be returned here. Internal + properties are not returned. + required: false + type: dict + suboptions: + KEY: + description: + - Freeform key value associated to the mandatory or + optional property assigned to the specified + Platform's definition. + aliases: [Port, ExtrPass1Name, database] + type: str +""" + +EXAMPLES = """ + collections: + - cyberark.pas + + tasks: + + - name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark_authentication: + api_base_url: "http://components.cyberark.local" + validate_certs: no + username: "bizdev" + password: "Cyberark1" + + - name: Creating an Account using the PAS WebServices SDK + cyberark_account: + logging_level: DEBUG + identified_by: "address,username" + safe: "Test" + address: "cyberark.local" + username: "administrator-x" + platform_id: WinServerLocal + secret: "@N&Ibl3!" + platform_account_properties: + LogonDomain: "cyberark" + OwnerName: "ansible_user" + secret_management: + automatic_management_enabled: true + state: present + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + + - name: + - Rotate credential via reconcile and providing the password to + bechanged to. + cyberark_account: + identified_by: "address,username" + safe: "Domain_Admins" + address: "prod.cyberark.local" + username: "admin" + platform_id: WinDomain + platform_account_properties: + LogonDomain: "PROD" + secret_management: + new_secret: "Ama123ah12@#!Xaamdjbdkl@#112" + management_action: "reconcile" + automatic_management_enabled: true + state: present + cyberark_session: "{{ cyberark_session }}" + register: reconcileaccount + + - name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" + +""" +RETURN = """ +changed: + description: + - Identify if the playbook run resulted in a change to the account in + any way. + returned: always + type: bool +failed: + description: Whether playbook run resulted in a failure of any kind. + returned: always + type: bool +status_code: + description: Result HTTP Status code. + returned: success + type: int + sample: "200, 201, -1, 204" +result: + description: A json dump of the resulting action. + returned: success + type: complex + contains: + address: + description: + - The adress of the endpoint where the privileged account is + located. + returned: successful addition and modification + type: str + sample: dev.local + createdTime: + description: + - Timeframe calculation of the timestamp of account creation. + returned: successful addition and modification + type: int + sample: "1567824520" + id: + description: Internal ObjectID for the account object identified + returned: successful addition and modification + type: int + sample: "25_21" + name: + description: The external ObjectID of the account + returned: successful addition and modification + type: str + sample: + - Operating System-WinServerLocal-cyberark.local-administrator + platformAccountProperties: + description: + - Object containing key-value pairs to associate with the + account, as defined by the account platform. + returned: successful addition and modification + type: complex + contains: + KEY VALUE: + description: + - Object containing key-value pairs to associate with the + account, as defined by the account platform. + returned: successful addition and modification + type: str + sample: + - "LogonDomain": "cyberark" + - "Port": "22" + platformId: + description: + - The PolicyID of the Platform that is to be managing the + account. + returned: successful addition and modification + type: str + sample: WinServerLocal + safeName: + description: + - The safe in the Vault where the privileged account is to + be located. + returned: successful addition and modification + type: str + sample: Domain_Admins + secretManagement: + description: + - Set of parameters associated with the management of + the credential. + returned: successful addition and modification + type: complex + sample: + automaticManagementEnabled: + description: + - Parameter that indicates whether the CPM will manage + the password or not. + returned: successful addition and modification + type: bool + lastModifiedTime: + description: + - Timeframe calculation of the timestamp of account + modification. + returned: successful addition and modification + type: int + sample: "1567824520" + manualManagementReason: + description: + returned: if C(automaticManagementEnabled) is set to false + type: str + sample: This is a static account + secretType: + description: + - The value that identifies what type of account it will be + returned: successful addition and modification + type: list + sample: + - key + - password + userName: + description: The username associated with the account + returned: successful addition and modification + type: str + sample: administrator +""" + + +from ansible.module_utils._text import to_text +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.urls import open_url +from ansible.module_utils.six.moves.urllib.error import HTTPError +import urllib + +import json +try: + import httplib +except ImportError: + # Python 3 + import http.client as httplib +import logging + +_empty = object() + +ansible_specific_parameters = [ + "state", + "api_base_url", + "validate_certs", + "cyberark_session", + "identified_by", + "logging_level", + "logging_file", + "new_secret", + "secret_management.management_action", + "secret_management.new_secret", + "management_action", + "secret_management.perform_management_action", +] + +cyberark_fixed_properties = [ + "createdTime", + "id", + "name", + "lastModifiedTime", + "safeName", + "secretType", + "secret", +] + +removal_value = "NO_VALUE" + +cyberark_reference_fieldnames = { + "username": "userName", + "safe": "safeName", + "platform_id": "platformId", + "secret_type": "secretType", + "platform_account_properties": "platformAccountProperties", + "secret_management": "secretManagement", + "manual_management_reason": "manualManagementReason", + "automatic_management_enabled": "automaticManagementEnabled", + "remote_machines_access": "remoteMachinesAccess", + "access_restricted_to_remote_machines": "accessRestrictedToRemoteMachines", + "remote_machines": "remoteMachines", +} + +ansible_reference_fieldnames = { + "userName": "username", + "safeName": "safe", + "platformId": "platform_id", + "secretType": "secret_type", + "platformAccountProperties": "platform_account_properties", + "secretManagement": "secret_management", + "manualManagementReason": "manual_management_reason", + "automaticManagementEnabled": "automatic_management_enabled", + "remoteMachinesAccess": "remote_machines_access", + "accessRestrictedToRemoteMachines": "access_testricted_to_remoteMachines", + "remoteMachines": "remote_machines", +} + + +def equal_value(existing, parameter): + if isinstance(existing, str): + return existing == str(parameter) + elif isinstance(parameter, str): + return str(existing) == parameter + else: + return existing == parameter + + +def update_account(module, existing_account): + + logging.debug("Updating Account") + + cyberark_session = module.params["cyberark_session"] + api_base_url = cyberark_session["api_base_url"] + validate_certs = cyberark_session["validate_certs"] + + # Prepare result, end_point, and headers + result = {"result": existing_account} + changed = False + last_status_code = -1 + + HTTPMethod = "PATCH" + end_point = "/PasswordVault/api/Accounts/%s" % existing_account["id"] + + headers = { + "Content-Type": "application/json", + "Authorization": cyberark_session["token"], + } + + payload = {"Operations": []} + + # Determining whether to add or update properties + for parameter_name in module.params.keys(): + if ( + parameter_name not in ansible_specific_parameters + and module.params[parameter_name] is not None + ): + module_parm_value = module.params[parameter_name] + cyberark_property_name = referenced_value( + parameter_name, + cyberark_reference_fieldnames, + default=parameter_name + ) + existing_account_value = referenced_value( + cyberark_property_name, + existing_account, + keys=existing_account.keys() + ) + if cyberark_property_name not in cyberark_fixed_properties: + if module_parm_value is not None and isinstance( + module_parm_value, dict + ): + # Internal child values + replacing = {} + adding = {} + removing = {} + for child_parm_name in module_parm_value.keys(): + nested_parm_name = "%s.%s" % ( + parameter_name, + child_parm_name) + if ( + nested_parm_name not in ansible_specific_parameters + ): + child_module_parm_value = module_parm_value[ + child_parm_name + ] + child_cyberark_property_name = referenced_value( + child_parm_name, + cyberark_reference_fieldnames, + default=child_parm_name, + ) + child_existing_account_value = referenced_value( + child_cyberark_property_name, + existing_account_value, + existing_account_value.keys() + if existing_account_value is not None + else {}, + ) + path_value = "/%s/%s" % ( + cyberark_property_name, + child_cyberark_property_name, + ) + if child_existing_account_value is not None: + logging.debug( + ("child_module_parm_value: %s " + "child_existing_account_value=%s path=%s") + ( + child_module_parm_value, + child_existing_account_value, + path_value, + ) + ) + if child_module_parm_value == removal_value: + removing.update( + { + child_cyberark_property_name: + child_existing_account_value + } + ) + elif ( + child_module_parm_value is not None + and not equal_value( + child_existing_account_value, + child_module_parm_value, + ) + ): + # Updating a property + replacing.update( + { + child_cyberark_property_name: + child_module_parm_value + } + ) + elif ( + child_module_parm_value is not None + and child_module_parm_value != removal_value + ): + # Adding a property value + adding.update( + { + child_cyberark_property_name: + child_module_parm_value + } + ) + logging.debug( + "parameter_name=%s value=%s existing=%s" + ( + path_value, + child_module_parm_value, + child_existing_account_value, + ) + ) + # Processing child operations + if len(adding.keys()) > 0: + payload["Operations"].append( + { + "op": "add", + "path": "/%s" % cyberark_property_name, + "value": adding, + } + ) + if len(replacing.keys()) > 0: + payload["Operations"].append( + { + "op": "replace", + "path": "/%s" % cyberark_property_name, + "value": replacing, + } + ) + if len(removing) > 0: + payload["Operations"].append( + { + "op": "remove", + "path": "/%s" % cyberark_property_name, + "value": removing, + } + ) + else: + if existing_account_value is not None: + if module_parm_value == removal_value: + payload["Operations"].append( + {"op": "remove", "path": "/%s" % + cyberark_property_name} + ) + elif not equal_value( + existing_account_value, + module_parm_value + ): + # Updating a property + payload["Operations"].append( + { + "op": "replace", + "value": module_parm_value, + "path": "/%s" % cyberark_property_name, + } + ) + elif module_parm_value != removal_value: + # Adding a property value + payload["Operations"].append( + { + "op": "add", + "value": module_parm_value, + "path": "/%s" % cyberark_property_name, + } + ) + logging.debug( + "parameter_name=%s value=%s existing=%s" + ( + parameter_name, module_parm_value, + existing_account_value + ) + ) + + if len(payload["Operations"]) != 0: + if module.check_mode: + logging.debug("Proceeding with Update Account (CHECK_MODE)") + logging.debug("Operations => %s", json.dumps(payload)) + result = {"result": existing_account} + changed = True + last_status_code = -1 + else: + logging.debug("Proceeding with Update Account") + + logging.debug( + "Processing invidual operations (%d) => %s", + len(payload["Operations"]), + json.dumps(payload) + ) + for operation in payload["Operations"]: + individual_payload = [operation] + try: + logging.debug(" ==> %s", json.dumps([operation])) + response = open_url( + api_base_url + end_point, + method=HTTPMethod, + headers=headers, + data=json.dumps(individual_payload), + validate_certs=validate_certs, + ) + + result = {"result": json.loads(response.read())} + changed = True + last_status_code = response.getcode() + + # return (True, result, response.getcode()) + + except (HTTPError, httplib.HTTPException) as http_exception: + + if isinstance(http_exception, HTTPError): + res = json.load(http_exception) + else: + res = to_text(http_exception) + + module.fail_json( + msg=( + "Error while performing update_account." + "Please validate parameters provided." + "\n*** end_point=%s%s\n ==> %s" + % (api_base_url, end_point, res) + ), + payload=individual_payload, + headers=headers, + status_code=http_exception.code, + ) + + except Exception as unknown_exception: + + module.fail_json( + msg=( + "Unknown error while performing update_account." + "\n*** end_point=%s%s\n%s" + % ( + api_base_url, end_point, + to_text(unknown_exception) + ) + ), + payload=individual_payload, + headers=headers, + status_code=-1, + ) + + return (changed, result, last_status_code) + + +def add_account(module): + + logging.debug("Adding Account") + + cyberark_session = module.params["cyberark_session"] + api_base_url = cyberark_session["api_base_url"] + validate_certs = cyberark_session["validate_certs"] + + # Prepare result, end_point, and headers + result = {} + HTTPMethod = "POST" + end_point = "/PasswordVault/api/Accounts" + + headers = { + "Content-Type": "application/json", + "Authorization": cyberark_session["token"], + } + + payload = {"safeName": module.params["safe"]} + + for parameter_name in module.params.keys(): + if ( + parameter_name not in ansible_specific_parameters + and module.params[parameter_name] is not None + ): + cyberark_property_name = referenced_value( + parameter_name, + cyberark_reference_fieldnames, + default=parameter_name + ) + if isinstance(module.params[parameter_name], dict): + payload[cyberark_property_name] = {} + for dict_key in module.params[parameter_name].keys(): + cyberark_child_property_name = referenced_value( + dict_key, + cyberark_reference_fieldnames, + default=dict_key + ) + logging.debug( + ("parameter_name =%s.%s cyberark_property_name=%s " + "cyberark_child_property_name=%s"), + parameter_name, + dict_key, + cyberark_property_name, + cyberark_child_property_name, + ) + if ( + parameter_name + "." + dict_key + not in ansible_specific_parameters + and module.params[parameter_name][dict_key] is not None + ): + payload[cyberark_property_name][ + cyberark_child_property_name + ] = deep_get( + module.params[parameter_name], + dict_key, + _empty, + False + ) + else: + if parameter_name not in cyberark_reference_fieldnames: + module_parm_value = deep_get( + module.params, parameter_name, _empty, False + ) + if ( + module_parm_value is not None + and module_parm_value != removal_value + ): + payload[ + parameter_name + ] = module_parm_value # module.params[parameter_name] + else: + module_parm_value = deep_get( + module.params, parameter_name, _empty, True + ) + if ( + module_parm_value is not None + and module_parm_value != removal_value + ): + payload[ + cyberark_reference_fieldnames[parameter_name] + ] = module_parm_value # module.params[parameter_name] + logging.debug("parameter_name =%s", parameter_name) + + logging.debug("Add Account Payload => %s", json.dumps(payload)) + + try: + + if module.check_mode: + logging.debug("Proceeding with Add Account (CHECK_MODE)") + return (True, {"result": None}, -1) + else: + logging.debug("Proceeding with Add Account") + response = open_url( + api_base_url + end_point, + method=HTTPMethod, + headers=headers, + data=json.dumps(payload), + validate_certs=validate_certs, + ) + + result = {"result": json.loads(response.read())} + + return (True, result, response.getcode()) + + except (HTTPError, httplib.HTTPException) as http_exception: + + if isinstance(http_exception, HTTPError): + res = json.load(http_exception) + else: + res = to_text(http_exception) + + module.fail_json( + msg=( + "Error while performing add_account." + "Please validate parameters provided." + "\n*** end_point=%s%s\n ==> %s" % ( + api_base_url, + end_point, + res + ) + ), + payload=payload, + headers=headers, + status_code=http_exception.code, + ) + + except Exception as unknown_exception: + + module.fail_json( + msg=( + "Unknown error while performing add_account." + "\n*** end_point=%s%s\n%s" + % (api_base_url, end_point, to_text(unknown_exception)) + ), + payload=payload, + headers=headers, + status_code=-1, + ) + + +def delete_account(module, existing_account): + + if module.check_mode: + logging.debug("Deleting Account (CHECK_MODE)") + return (True, {"result": None}, -1) + else: + logging.debug("Deleting Account") + + cyberark_session = module.params["cyberark_session"] + api_base_url = cyberark_session["api_base_url"] + validate_certs = cyberark_session["validate_certs"] + + # Prepare result, end_point, and headers + result = {} + HTTPMethod = "DELETE" + end_point = "/PasswordVault/api/Accounts/%s" % existing_account["id"] + + headers = { + "Content-Type": "application/json", + "Authorization": cyberark_session["token"], + } + + try: + + response = open_url( + api_base_url + end_point, + method=HTTPMethod, + headers=headers, + validate_certs=validate_certs, + ) + + result = {"result": None} + + return (True, result, response.getcode()) + + except (HTTPError, httplib.HTTPException) as http_exception: + + if isinstance(http_exception, HTTPError): + res = json.load(http_exception) + else: + res = to_text(http_exception) + + module.fail_json( + msg=( + "Error while performing delete_account." + "Please validate parameters provided." + "\n*** end_point=%s%s\n ==> %s" % ( + api_base_url, + end_point, + res + ) + ), + headers=headers, + status_code=http_exception.code, + ) + + except Exception as unknown_exception: + + module.fail_json( + msg=( + "Unknown error while performing delete_account." + "\n*** end_point=%s%s\n%s" + % (api_base_url, end_point, to_text(unknown_exception)) + ), + headers=headers, + status_code=-1, + ) + + +def reset_account_if_needed(module, existing_account): + + cyberark_session = module.params["cyberark_session"] + api_base_url = cyberark_session["api_base_url"] + validate_certs = cyberark_session["validate_certs"] + + # Credential changes + management_action = deep_get( + module.params, + "secret_management.management_action", + "NOT_FOUND", + False + ) + cpm_new_secret = deep_get( + module.params, "secret_management.new_secret", "NOT_FOUND", False + ) + logging.debug( + "management_action: %s cpm_new_secret: %s", + management_action, + cpm_new_secret + ) + + # Prepare result, end_point, and headers + result = {} + end_point = None + payload = {} + existing_account_id = None + if existing_account is not None: + existing_account_id = existing_account["id"] + elif module.check_mode: + existing_account_id = 9999 + + if ( + management_action == "change" + and cpm_new_secret is not None + and cpm_new_secret != "NOT_FOUND" + ): + logging.debug("CPM change secret for next CPM cycle") + end_point = ( + "/PasswordVault/API/Accounts/%s/SetNextPassword" + ) % existing_account_id + payload["ChangeImmediately"] = False + payload["NewCredentials"] = cpm_new_secret + elif management_action == "change_immediately" and ( + cpm_new_secret == "NOT_FOUND" or cpm_new_secret is None + ): + logging.debug("CPM change_immediately with random secret") + end_point = ( + "/PasswordVault/API/Accounts/%s/Change" + ) % existing_account_id + payload["ChangeEntireGroup"] = True + elif management_action == "change_immediately" and ( + cpm_new_secret is not None and cpm_new_secret != "NOT_FOUND" + ): + logging.debug("CPM change immediately secret for next CPM cycle") + end_point = ( + "/PasswordVault/API/Accounts/%s/SetNextPassword" + ) % existing_account_id + payload["ChangeImmediately"] = True + payload["NewCredentials"] = cpm_new_secret + elif management_action == "reconcile": + logging.debug("CPM reconcile secret") + end_point = ( + "/PasswordVault/API/Accounts/%s/Reconcile" + ) % existing_account_id + elif ( + "new_secret" in module.params.keys() + and module.params["new_secret"] is not None + ): + logging.debug("Change Credential in Vault") + end_point = ( + "/PasswordVault/API/Accounts/%s/Password/Update" + ) % existing_account_id + payload["ChangeEntireGroup"] = True + payload["NewCredentials"] = module.params["new_secret"] + + if end_point is not None: + + if module.check_mode: + logging.debug("Proceeding with Credential Rotation (CHECK_MODE)") + return (True, result, -1) + else: + logging.debug("Proceeding with Credential Rotation") + + result = {"result": None} + headers = { + "Content-Type": "application/json", + "Authorization": cyberark_session["token"], + } + HTTPMethod = "POST" + try: + + response = open_url( + api_base_url + end_point, + method=HTTPMethod, + headers=headers, + data=json.dumps(payload), + validate_certs=validate_certs, + ) + + return (True, result, response.getcode()) + + except (HTTPError, httplib.HTTPException) as http_exception: + + if isinstance(http_exception, HTTPError): + res = json.load(http_exception) + else: + res = to_text(http_exception) + + module.fail_json( + msg=( + "Error while performing reset_account." + "Please validate parameters provided." + "\n*** end_point=%s%s\n ==> %s" + ) % (api_base_url, end_point, res), + headers=headers, + payload=payload, + status_code=http_exception.code, + ) + + except Exception as unknown_exception: + + module.fail_json( + msg=( + "Unknown error while performing delete_account." + "\n*** end_point=%s%s\n%s" + % (api_base_url, end_point, to_text(unknown_exception)) + ), + headers=headers, + payload=payload, + status_code=-1, + ) + + else: + return (False, result, -1) + + +def referenced_value(field, dct, keys=None, default=None): + return dct[field] if field in ( + keys if keys is not None else dct + ) else default + + +def deep_get(dct, dotted_path, default=_empty, use_reference_table=True): + result_dct = {} + for key in dotted_path.split("."): + try: + key_field = key + if use_reference_table: + key_field = referenced_value( + key, cyberark_reference_fieldnames, default=key + ) + + if len(result_dct.keys()) == 0: # No result_dct set yet + result_dct = dct + + logging.debug( + "keys=%s key_field=>%s key=>%s", + ",".join(result_dct.keys()), + key_field, + key + ) + result_dct = ( + result_dct[key_field] + if key_field in result_dct.keys() + else result_dct[key] + ) + if result_dct is None: + return default + + except KeyError as e: + logging.debug("KeyError %s", to_text(e)) + if default is _empty: + raise + return default + return result_dct + + +def get_account(module): + + logging.debug("Finding Account") + + identified_by_fields = module.params["identified_by"].split(",") + logging.debug("Identified_by: %s", json.dumps(identified_by_fields)) + safe_filter = ( + urllib.quote("safeName eq ") + urllib.quote(module.params["safe"]) + if "safe" in module.params and module.params["safe"] is not None + else None + ) + search_string = None + for field in identified_by_fields: + if field not in ansible_specific_parameters: + search_string = "%s%s" % ( + search_string + " " if search_string is not None else "", + deep_get(module.params, field, "NOT FOUND", False), + ) + + logging.debug("Search_String => %s", search_string) + logging.debug("Safe Filter => %s", safe_filter) + + cyberark_session = module.params["cyberark_session"] + api_base_url = cyberark_session["api_base_url"] + validate_certs = cyberark_session["validate_certs"] + + end_point = None + if search_string is not None and safe_filter is not None: + end_point = "/PasswordVault/api/accounts?filter=%s&search=%s" % ( + safe_filter, + urllib.quote(search_string.lstrip()), + ) + elif search_string is not None: + end_point = ( + "/PasswordVault/api/accounts?search=%s" + ) % (search_string.lstrip()) + else: + end_point = "/PasswordVault/api/accounts?filter=%s" % (safe_filter) + + logging.debug("End Point => %s", end_point) + + headers = {"Content-Type": "application/json"} + headers["Authorization"] = cyberark_session["token"] + + try: + + logging.debug("Executing: " + api_base_url + end_point) + response = open_url( + api_base_url + end_point, + method="GET", + headers=headers, + validate_certs=validate_certs, + ) + + result_string = response.read() + accounts_data = json.loads(result_string) + + logging.debug("RESULT => %s", json.dumps(accounts_data)) + + if accounts_data["count"] == 0: + return (False, None, response.getcode()) + else: + how_many = 0 + first_record_found = None + for account_record in accounts_data["value"]: + logging.debug("Acct Record => %s", json.dumps(account_record)) + found = False + for field in identified_by_fields: + record_field_value = deep_get( + account_record, + field, + "NOT FOUND" + ) + logging.debug( + ( + "Comparing field %s | record_field_name=%s " + "record_field_value=%s module.params_value=%s" + ), + field, + field, + record_field_value, + deep_get(module.params, field, "NOT FOUND") + ) + if ( + record_field_value != "NOT FOUND" + and ( + record_field_value + == deep_get( + module.params, + field, + "NOT FOUND", + False + ) + ) + ): + found = True + else: + found = False + break + if found: + how_many = how_many + 1 + if first_record_found is None: + first_record_found = account_record + + logging.debug( + "How Many: %d First Record Found => %s", + how_many, + json.dumps(first_record_found) + ) + if how_many > 1: # too many records found + module.fail_json( + msg=( + "Error while performing get_account. " + "Too many rows (%d) found matching your criteria!" + ) % how_many + ) + else: + return (how_many == 1, first_record_found, response.getcode()) + + except (HTTPError, httplib.HTTPException) as http_exception: + + if http_exception.code == 404: + return (False, None, http_exception.code) + else: + module.fail_json( + msg=( + "Error while performing get_account." + "Please validate parameters provided." + "\n*** end_point=%s%s\n ==> %s" + % (api_base_url, end_point, to_text(http_exception)) + ), + headers=headers, + status_code=http_exception.code, + ) + + except Exception as unknown_exception: + + module.fail_json( + msg=( + "Unknown error while performing get_account." + "\n*** end_point=%s%s\n%s" + % (api_base_url, end_point, to_text(unknown_exception)) + ), + headers=headers, + status_code=-1, + ) + + +def main(): + + fields = { + "state": { + "type": "str", + "choices": ["present", "absent"], + "default": "present", + }, + "logging_level": { + "type": "str", + "choices": ["NOTSET", "DEBUG", "INFO"] + }, + "logging_file": { + "type": "str", + "default": "/tmp/ansible_cyberark.log" + }, + "api_base_url": {"type": "str"}, + "validate_certs": {"type": "bool", "default": "true"}, + "cyberark_session": {"required": True, "type": "dict", "no_log": True}, + "identified_by": { + "required": False, + "type": "str", + "default": "username,address,platform_id", + }, + "safe": {"required": True, "type": "str"}, + "platform_id": {"required": False, "type": "str"}, + "address": {"required": False, "type": "str"}, + "name": {"required": False, "type": "str"}, + "secret_type": { + "required": False, + "type": "str", + "choices": ["password", "key"], + "default": "password", + }, + "secret": {"required": False, "type": "str", "no_log": True}, + "new_secret": {"required": False, "type": "str", "no_log": True}, + "username": {"required": False, "type": "str"}, + "secret_management": { + "required": False, + "type": "dict", + "options": { + "automatic_management_enabled": {"type": "bool"}, + "manual_management_reason": {"type": "str"}, + "management_action": { + "type": "str", + "choices": ["change", "change_immediately", "reconcile"], + }, + "new_secret": {"type": "str", "no_log": True}, + "perform_management_action": { + "type": "str", + "choices": ["on_create", "always"], + "default": "always", + }, + }, + }, + "remote_machines_access": { + "required": False, + "type": "dict", + "options": { + "remote_machines": {"type": "str"}, + "access_restricted_to_remote_machines": {"type": "bool"}, + }, + }, + "platform_account_properties": {"required": False, "type": "dict"}, + } + + module = AnsibleModule(argument_spec=fields, supports_check_mode=True) + + if module.params["logging_level"] is not None: + logging.basicConfig( + filename=module.params["logging_file"], + level=module.params["logging_level"] + ) + + logging.info("Starting Module") + + state = module.params["state"] + + (found, account_record, status_code) = get_account(module) + logging.debug( + "Account was %s, status_code=%s", + "FOUND" if found else "NOT FOUND", + status_code + ) + + changed = False + result = {"result": account_record} + + if state == "present": + + if found: # Account already exists + (changed, result, status_code) = update_account( + module, + account_record + ) + else: # Account does not exist + (changed, result, status_code) = add_account(module) + + perform_management_action = "always" + if "secret_management" in module.params.keys(): + secret_management = module.params["secret_management"] + if ( + secret_management is not None + and "perform_management_action" in secret_management.keys() + ): + perform_management_action = secret_management[ + "perform_management_action" + ] + + logging.debug("Result=>%s", json.dumps(result)) + if ( + perform_management_action == "always" + or ( + perform_management_action == "on_create" and not found + ) + ): + (account_reset, no_result, no_status_code) = reset_account_if_needed( + module, + result["result"] + ) + if account_reset: + changed = True + + elif found and state == "absent": + (changed, result, status_code) = delete_account(module, account_record) + + module.exit_json(changed=changed, result=result, status_code=status_code) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py b/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py new file mode 100644 index 00000000..324abf65 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py @@ -0,0 +1,357 @@ +#!/usr/bin/python +# Copyright: (c) 2017, Ansible Project +# GNU General Public License v3.0+ +# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "certified", +} + +DOCUMENTATION = ''' +--- +module: cyberark_authentication +short_description: CyberArk Authentication using PAS Web Services SDK. +author: + - Edward Nunez (@enunez-cyberark) CyberArk BizDev + - Cyberark Bizdev (@cyberark-bizdev) + - Erasmo Acosta (@erasmix) +version_added: 2.4 +description: + - Authenticates to CyberArk Vault using Privileged Account Security + Web Services SDK and creates a session fact that can be used by other + modules. It returns an Ansible fact called I(cyberark_session). Every + module can use this fact as C(cyberark_session) parameter. +options: + state: + default: present + choices: [present, absent] + description: + - Specifies if an authentication logon/logoff and a + cyberark_session should be added/removed. + type: str + username: + description: + - The name of the user who will logon to the Vault. + type: str + password: + description: + - The password of the user. + type: str + new_password: + description: + - The new password of the user. This parameter is optional, + and enables you to change a password. + type: str + api_base_url: + description: + - A string containing the base URL of the server hosting + CyberArk's Privileged Account Security Web Services SDK. + type: str + validate_certs: + type: bool + default: 'yes' + description: + - If C(false), SSL certificates will not be validated. This + should only set to C(false) used on personally controlled + sites using self-signed certificates. + use_shared_logon_authentication: + type: bool + default: 'no' + description: + - Whether or not Shared Logon Authentication will be used. + use_radius_authentication: + type: bool + default: 'no' + description: + - Whether or not users will be authenticated via a RADIUS + server. Valid values are true/false. + connection_number: + type: int + description: + - To support multiple connections for same user specify + - different value for this parameter. + cyberark_session: + description: + - Dictionary set by a CyberArk authentication containing the + different values to perform actions on a logged-on CyberArk + session. + type: dict +''' + +EXAMPLES = ''' +- name: Logon - use_shared_logon_authentication + cyberark_authentication: + api_base_url: "{{ web_services_base_url }}" + use_shared_logon_authentication: yes + +- name: Logon - Not use_shared_logon_authentication + cyberark_authentication: + api_base_url: "{{ web_services_base_url }}" + username: "{{ password_object.password }}" + password: "{{ password_object.passprops.username }}" + use_shared_logon_authentication: no + +- name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" +''' + +RETURN = ''' +cyberark_session: + description: Authentication facts. + returned: success + type: complex + contains: + api_base_url: + description: + - Base URL for API calls. Returned in the cyberark_session, + so it can be used in subsequent calls. + type: str + returned: always + token: + description: + - The token that identifies the session, encoded in BASE 64. + type: str + returned: always + use_shared_logon_authentication: + description: + - Whether or not Shared Logon Authentication was used to + establish the session. + type: bool + returned: always + validate_certs: + description: Whether or not SSL certificates should be validated. + type: bool + returned: always +''' + +from ansible.module_utils._text import to_text +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.urls import open_url +from ansible.module_utils.six.moves.urllib.error import HTTPError +import json + +try: + import httplib +except ImportError: + # Python 3 + import http.client as httplib + + +def processAuthentication(module): + + # Getting parameters from module + + api_base_url = module.params["api_base_url"] + validate_certs = module.params["validate_certs"] + username = module.params["username"] + password = module.params["password"] + new_password = module.params["new_password"] + use_shared_logon = module.params[ + "use_shared_logon_authentication" + ] + use_radius = module.params["use_radius_authentication"] + connection_number = module.params["connection_number"] + state = module.params["state"] + cyberark_session = module.params["cyberark_session"] + + # if in check mode it will not perform password changes + if module.check_mode and new_password is not None: + new_password = None + + # Defining initial values for open_url call + headers = {"Content-Type": "application/json"} + payload = "" + + if state == "present": # Logon Action + + # Different end_points based on the use of shared logon authentication + if use_shared_logon: + + end_point = ("/PasswordVault/WebServices/auth/Shared" + "/RestfulAuthenticationService.svc/Logon") + + else: + + end_point = ("/PasswordVault/WebServices/auth/Cyberark" + "/CyberArkAuthenticationService.svc/Logon") + + # The payload will contain username, password + # and optionally use_radius_authentication and new_password + payload_dict = {"username": username, "password": password} + + if use_radius: + payload_dict["useRadiusAuthentication"] = use_radius + + if new_password is not None: + payload_dict["newPassword"] = new_password + + if connection_number is not None: + payload_dict["connectionNumber"] = connection_number + + payload = json.dumps(payload_dict) + + else: # Logoff Action + + # Get values from cyberark_session already established + api_base_url = cyberark_session["api_base_url"] + validate_certs = cyberark_session["validate_certs"] + use_shared_logon = cyberark_session[ + "use_shared_logon_authentication" + ] + headers["Authorization"] = cyberark_session["token"] + + # Different end_points based on the use of shared logon authentication + if use_shared_logon: + end_point = ("/PasswordVault/WebServices/auth/Shared" + "/RestfulAuthenticationService.svc/Logoff") + else: + end_point = ("/PasswordVault/WebServices/auth/Cyberark" + "/CyberArkAuthenticationService.svc/Logoff") + + result = None + changed = False + response = None + + try: + + response = open_url( + api_base_url + end_point, + method="POST", + headers=headers, + data=payload, + validate_certs=validate_certs, + ) + + except (HTTPError, httplib.HTTPException) as http_exception: + + module.fail_json( + msg=( + "Error while performing authentication." + "Please validate parameters provided, and ability to logon to " + "CyberArk.\n*** end_point=%s%s\n ==> %s" + ) % (api_base_url, end_point, to_text(http_exception)), + payload=payload, + headers=headers, + status_code=http_exception.code, + ) + + except Exception as unknown_exception: + + module.fail_json( + msg=( + "Unknown error while performing authentication." + "\n*** end_point=%s%s\n%s" + % (api_base_url, end_point, to_text(unknown_exception)) + ), + payload=payload, + headers=headers, + status_code=-1, + ) + + if response.getcode() == 200: # Success + + if state == "present": # Logon Action + + # Result token from REST Api uses a different key based + # the use of shared logon authentication + token = None + try: + if use_shared_logon: + token = json.loads(response.read())["LogonResult"] + else: + token = json.loads(response.read())["CyberArkLogonResult"] + except Exception as e: + module.fail_json( + msg="Error obtaining token\n%s" % (to_text(e)), + payload=payload, + headers=headers, + status_code=-1, + ) + + # Preparing result of the module + result = { + "cyberark_session": { + "token": token, + "api_base_url": api_base_url, + "validate_certs": validate_certs, + "use_shared_logon_authentication": use_shared_logon, + } + } + + if new_password is not None: + # Only marks change if new_password was received resulting + # in a password change + changed = True + + else: # Logoff Action clears cyberark_session + + result = {"cyberark_session": {}} + + return (changed, result, response.getcode()) + + else: + module.fail_json( + msg="error in end_point=>" + end_point, headers=headers + ) + + +def main(): + + fields = { + "api_base_url": {"type": "str"}, + "validate_certs": {"type": "bool", "default": "true"}, + "username": {"type": "str"}, + "password": {"type": "str", "no_log": True}, + "new_password": {"type": "str", "no_log": True}, + "use_shared_logon_authentication": {"default": False, "type": "bool"}, + "use_radius_authentication": {"default": False, "type": "bool"}, + "connection_number": {"type": "int"}, + "state": { + "type": "str", + "choices": ["present", "absent"], + "default": "present", + }, + "cyberark_session": {"type": "dict"}, + } + + mutually_exclusive = [ + ["use_shared_logon_authentication", "use_radius_authentication"], + ["use_shared_logon_authentication", "new_password"], + ["api_base_url", "cyberark_session"], + ["cyberark_session", "username", "use_shared_logon_authentication"], + ] + + required_if = [ + ("state", "present", ["api_base_url"]), + ("state", "absent", ["cyberark_session"]), + ] + + required_together = [["username", "password"]] + + module = AnsibleModule( + argument_spec=fields, + mutually_exclusive=mutually_exclusive, + required_if=required_if, + required_together=required_together, + supports_check_mode=True, + ) + + (changed, result, status_code) = processAuthentication(module) + + module.exit_json( + changed=changed, + ansible_facts=result, + status_code=status_code + ) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/cyberark_credential.py b/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/cyberark_credential.py new file mode 100644 index 00000000..ab832192 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/cyberark_credential.py @@ -0,0 +1,350 @@ +#!/usr/bin/python +# Copyright: (c) 2017, Ansible Project +# GNU General Public License v3.0+ +# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = """ +--- +module: cyberark_credential +short_description: Credential retrieval using AAM Central Credential Provider. +author: + - Edward Nunez (@enunez-cyberark) + - CyberArk BizDev (@cyberark-bizdev) + - Erasmo Acosta (@erasmix) + - James Stutes (@JimmyJamCABD) +version_added: 2.4 +description: + - Creates a URI for retrieving a credential from a password object stored + in the Cyberark Vault. The request uses the Privileged Account Security + Web Services SDK through the Central Credential Provider by requesting + access with an Application ID. + +options: + api_base_url: + type: str + required: true + description: + - A string containing the base URL of the server hosting the + Central Credential Provider. + validate_certs: + type: bool + required: false + default: true + description: + - If C(false), SSL certificate chain will not be validated. This + should only set to C(true) if you have a root CA certificate + installed on each node. + app_id: + type: str + required: true + description: + - A string containing the Application ID authorized for retrieving + the credential. + query: + type: str + required: true + description: + - A string containing details of the object being queried; + - Possible parameters could be Safe, Folder, Object + - (internal account name), UserName, Address, Database, + - PolicyID. + connection_timeout: + type: int + required: false + default: '30' + description: + - An integer value of the allowed time before the request returns + failed. + query_format: + type: str + required: false + default: Exact + choices: [Exact, Regexp] + description: + - The format for which your Query will be received by the CCP. + fail_request_on_password_change: + type: bool + required: false + default: false + description: + - A boolean parameter for completing the request in the middle of + a password change of the requested credential. + client_cert: + type: str + required: false + description: + - A string containing the file location and name of the client + certificate used for authentication. + client_key: + type: str + required: false + description: + - A string containing the file location and name of the private + key of the client certificate used for authentication. + reason: + type: str + required: false + description: + - Reason for requesting credential if required by policy; + - It must be specified if the Policy managing the object + - requires it. +""" + +EXAMPLES = """ + tasks: + - name: credential retrieval basic + cyberark_credential: + api_base_url: "http://10.10.0.1" + app_id: "TestID" + query: "Safe=test;UserName=admin" + register: result + + - name: credential retrieval advanced + cyberark_credential: + api_base_url: "https://components.cyberark.local" + validate_certs: yes + client_cert: /etc/pki/ca-trust/source/client.pem + client_key: /etc/pki/ca-trust/source/priv-key.pem + app_id: "TestID" + query: "Safe=test;UserName=admin" + connection_timeout: 60 + query_format: Exact + fail_request_on_password_change: True + reason: "requesting credential for Ansible deployment" + register: result + +""" + +RETURN = """ +changed: + description: + - Identify if the playbook run resulted in a change to the account in + any way. + returned: always + type: bool +failed: + description: Whether playbook run resulted in a failure of any kind. + returned: always + type: bool +status_code: + description: Result HTTP Status code. + returned: success + type: int + sample: "200, 201, -1, 204" +result: + description: A json dump of the resulting action. + returned: success + type: complex + contains: + Address: + description: The target address of the credential being queried + type: str + returned: if required + Content: + description: The password for the object being queried + type: str + returned: always + CreationMethod: + description: This is how the object was created in the Vault + type: str + returned: always + DeviceType: + description: + - An internal File Category for more granular management of + Platforms. + type: str + returned: always + Folder: + description: + - The folder within the Safe where the credential is stored. + type: str + returned: always + Name: + description: + - The Cyberark unique object ID of the credential being + queried. + type: str + returned: always + PasswordChangeInProcess: + description: If the password has a change flag placed by the CPM + type: bool + returned: always + PolicyID: + description: Whether or not SSL certificates should be validated. + type: str + returned: if assigned to a policy + Safe: + description: The safe where the queried credential is stored + type: string + returned: always + Username: + description: The username of the credential being queried + type: str + returned: if required + LogonDomain: + description: The Address friendly name resolved by the CPM + type: str + returned: if populated + CPMDisabled: + description: + - A description of why this vaulted credential is not being + managed by the CPM. + type: str + returned: if CPM management is disabled and a reason is given +""" + +from ansible.module_utils._text import to_text +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.urls import open_url +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible.module_utils.six.moves.urllib.parse import quote +import json + +try: + import httplib +except ImportError: + # Python 3 + import http.client as httplib + + +def retrieve_credential(module): + + # Getting parameters from module + + api_base_url = module.params["api_base_url"] + validate_certs = module.params["validate_certs"] + app_id = module.params["app_id"] + query = module.params["query"] + connection_timeout = module.params["connection_timeout"] + query_format = module.params["query_format"] + fail_request_on_password_change = module.params[ + "fail_request_on_password_change" + ] + client_cert = None + client_key = None + + if "client_cert" in module.params: + client_cert = module.params["client_cert"] + if "client_key" in module.params: + client_key = module.params["client_key"] + + end_point = ( + "/AIMWebService/api/Accounts?AppId=%s&Query=%s&" + "ConnectionTimeout=%s&QueryFormat=%s" + "&FailRequestOnPasswordChange=%s" + ) % ( + quote(app_id), + quote(query), + connection_timeout, + query_format, + fail_request_on_password_change, + ) + + if "reason" in module.params and module.params["reason"] is not None: + reason = quote(module.params["reason"]) + end_point = end_point + "&reason=%s" % reason + + result = None + response = None + + try: + + response = open_url( + api_base_url + end_point, + method="GET", + validate_certs=validate_certs, + client_cert=client_cert, + client_key=client_key, + ) + + except (HTTPError, httplib.HTTPException) as http_exception: + + module.fail_json( + msg=( + "Error while retrieving credential." + "Please validate parameters provided, and permissions for " + "the application and provider in CyberArk." + "\n*** end_point=%s%s\n ==> %s" + % (api_base_url, end_point, to_text(http_exception)) + ), + status_code=http_exception.code, + ) + + except Exception as unknown_exception: + + module.fail_json( + msg=( + "Unknown error while retrieving credential." + "\n*** end_point=%s%s\n%s" + % (api_base_url, end_point, to_text(unknown_exception)) + ), + status_code=-1, + ) + + if response.getcode() == 200: # Success + + # Result token from REST Api uses a different key based + try: + result = json.loads(response.read()) + except Exception as exc: + module.fail_json( + msg=( + "Error obtain cyberark credential result " + "from http body\n%s" + ) % (to_text(exc)), + status_code=-1, + ) + + return (result, response.getcode()) + + else: + module.fail_json(msg="error in end_point=>" + end_point) + + +def main(): + + fields = { + "api_base_url": {"required": True, "type": "str"}, + "app_id": {"required": True, "type": "str"}, + "query": {"required": True, "type": "str"}, + "reason": {"required": False, "type": "str"}, + "connection_timeout": { + "required": False, + "type": "int", + "default": 30 + }, + "query_format": { + "required": False, + "type": "str", + "choices": ["Exact", "Regexp"], + "default": "Exact", + }, + "fail_request_on_password_change": { + "required": False, + "type": "bool", + "default": False, + }, + "validate_certs": {"type": "bool", "default": True}, + "client_cert": {"type": "str", "required": False}, + "client_key": {"type": "str", "required": False}, + } + + module = AnsibleModule(argument_spec=fields, supports_check_mode=True) + + (result, status_code) = retrieve_credential(module) + + module.exit_json(changed=False, result=result, status_code=status_code) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/cyberark_user.py b/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/cyberark_user.py new file mode 100644 index 00000000..3939378a --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/plugins/modules/cyberark_user.py @@ -0,0 +1,619 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2017, Ansible Project +# GNU General Public License v3.0+ +# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "certified", +} + +DOCUMENTATION = r""" +--- +module: cyberark_user +short_description: CyberArk User Management using PAS Web Services SDK. +author: + - Edward Nunez (@enunez-cyberark) + - Cyberark Bizdev (@cyberark-bizdev) + - Erasmo Acosta (@erasmix) + - James Stutes (@jimmyjamcabd) +version_added: 2.4 +description: + - CyberArk User Management using PAS Web Services SDK, + It currently supports the following actions Get User Details, Add User, + Update User, Delete User. + +options: + username: + description: + - The name of the user who will be queried (for details), added, + updated or deleted. + type: str + required: True + state: + description: + - Specifies the state needed for the user present for create user, + absent for delete user. + type: str + choices: [ absent, present ] + default: present + logging_level: + description: + - Parameter used to define the level of troubleshooting output to + the C(logging_file) value. + required: true + choices: [NOTSET, DEBUG, INFO] + default: NOTSET + type: str + logging_file: + description: + - Setting the log file name and location for troubleshooting logs. + required: false + default: /tmp/ansible_cyberark.log + type: str + cyberark_session: + description: + - Dictionary set by a CyberArk authentication containing the + different values to perform actions on a logged-on CyberArk + session, please see M(cyberark_authentication) module for an + example of cyberark_session. + type: dict + required: True + initial_password: + description: + - The password that the new user will use to log on the first time. + - This password must meet the password policy requirements. + - This parameter is required when state is present -- Add User. + type: str + new_password: + description: + - The user updated password. Make sure that this password meets + the password policy requirements. + type: str + email: + description: + - The user email address. + type: str + first_name: + description: + - The user first name. + type: str + last_name: + description: + - The user last name. + type: str + change_password_on_the_next_logon: + description: + - Whether or not the user must change their password in their + next logon. + type: bool + default: no + expiry_date: + description: + - The date and time when the user account will expire and become + disabled. + type: str + user_type_name: + description: + - The type of user. + - The parameter defaults to C(EPVUser). + type: str + disabled: + description: + - Whether or not the user will be disabled. + type: bool + default: no + location: + description: + - The Vault Location for the user. + type: str + group_name: + description: + - The name of the group the user will be added to. + type: str +""" + +EXAMPLES = r""" +- name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark_authentication: + api_base_url: https://components.cyberark.local + use_shared_logon_authentication: yes + +- name: Create user & immediately add it to a group + cyberark_user: + username: username + initial_password: password + user_type_name: EPVUser + change_password_on_the_next_logon: no + group_name: GroupOfUser + state: present + cyberark_session: '{{ cyberark_session }}' + +- name: Make sure user is present and reset user credential if present + cyberark_user: + username: Username + new_password: password + disabled: no + state: present + cyberark_session: '{{ cyberark_session }}' + +- name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: '{{ cyberark_session }}' +""" + +RETURN = r""" +changed: + description: Whether there was a change done. + type: bool + returned: always +cyberark_user: + description: Dictionary containing result properties. + returned: always + type: complex + contains: + result: + description: user properties when state is present + type: dict + returned: success +status_code: + description: Result HTTP Status code + returned: success + type: int + sample: 200 +""" + +import json + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text +from ansible.module_utils.six.moves import http_client as httplib +from ansible.module_utils.six.moves.urllib.error import HTTPError +from ansible.module_utils.urls import open_url +import logging +import urllib + + +def user_details(module): + + # Get username from module parameters, and api base url + # along with validate_certs from the cyberark_session established + username = module.params["username"] + cyberark_session = module.params["cyberark_session"] + api_base_url = cyberark_session["api_base_url"] + validate_certs = cyberark_session["validate_certs"] + + # Prepare result, end_point, and headers + result = {} + end_point = "/PasswordVault/WebServices/PIMServices.svc/Users/{0}".format( + username + ) + headers = {"Content-Type": "application/json"} + headers["Authorization"] = cyberark_session["token"] + + try: + + response = open_url( + api_base_url + end_point, + method="GET", + headers=headers, + validate_certs=validate_certs, + ) + result = {"result": json.loads(response.read())} + + return (False, result, response.getcode()) + + except (HTTPError, httplib.HTTPException) as http_exception: + + if http_exception.code == 404: + return (False, None, http_exception.code) + else: + module.fail_json( + msg=( + "Error while performing user_details." + "Please validate parameters provided." + "\n*** end_point=%s%s\n ==> %s" + % (api_base_url, end_point, to_text(http_exception)) + ), + headers=headers, + status_code=http_exception.code, + ) + + except Exception as unknown_exception: + + module.fail_json( + msg=( + "Unknown error while performing user_details." + "\n*** end_point=%s%s\n%s" + % (api_base_url, end_point, to_text(unknown_exception)) + ), + headers=headers, + status_code=-1, + ) + + +def user_add_or_update(module, HTTPMethod, existing_info): + + # Get username from module parameters, and api base url + # along with validate_certs from the cyberark_session established + username = module.params["username"] + cyberark_session = module.params["cyberark_session"] + api_base_url = cyberark_session["api_base_url"] + validate_certs = cyberark_session["validate_certs"] + + # Prepare result, paylod, and headers + result = {} + payload = {} + headers = { + "Content-Type": "application/json", + "Authorization": cyberark_session["token"], + } + + # end_point and payload sets different depending on POST/PUT + # for POST -- create -- payload contains username + # for PUT -- update -- username is part of the endpoint + if HTTPMethod == "POST": + end_point = "/PasswordVault/WebServices/PIMServices.svc/Users" + payload["UserName"] = username + if ( + "initial_password" in module.params.keys() + and module.params["initial_password"] is not None + ): + payload["InitialPassword"] = module.params["initial_password"] + + elif HTTPMethod == "PUT": + end_point = "/PasswordVault/WebServices/PIMServices.svc/Users/{0}" + end_point = end_point.format(username) + + # --- Optionally populate payload based on parameters passed --- + if ( + "new_password" in module.params + and module.params["new_password"] is not None + ): + payload["NewPassword"] = module.params["new_password"] + + if "email" in module.params and module.params["email"] is not None: + payload["Email"] = module.params["email"] + + if ( + "first_name" in module.params + and module.params["first_name"] is not None + ): + payload["FirstName"] = module.params["first_name"] + + if "last_name" in module.params and module.params["last_name"] is not None: + payload["LastName"] = module.params["last_name"] + + if ( + "change_password_on_the_next_logon" in module.params + and module.params["change_password_on_the_next_logon"] is not None + ): + payload["ChangePasswordOnTheNextLogon"] = module.params[ + "change_password_on_the_next_logon" + ] + + if ( + "expiry_date" in module.params + and module.params["expiry_date"] is not None + ): + payload["ExpiryDate"] = module.params["expiry_date"] + + if ( + "user_type_name" in module.params + and module.params["user_type_name"] is not None + ): + payload["UserTypeName"] = module.params["user_type_name"] + + if "disabled" in module.params and module.params["disabled"] is not None: + payload["Disabled"] = module.params["disabled"] + + if "location" in module.params and module.params["location"] is not None: + payload["Location"] = module.params["location"] + + # -------------------------------------------------------------- + logging.debug( + "HTTPMethod = " + + HTTPMethod + + " module.params = " + + json.dumps(module.params) + ) + logging.debug("Existing Info: %s", json.dumps(existing_info)) + logging.debug("payload => %s", json.dumps(payload)) + + if HTTPMethod == "PUT" and ( + "new_password" not in module.params + or module.params["new_password"] is None + ): + logging.info("Verifying if needs to be updated") + proceed = False + updateable_fields = [ + "Email", + "FirstName", + "LastName", + "ChangePasswordOnTheNextLogon", + "ExpiryDate", + "UserTypeName", + "Disabled", + "Location", + ] + for field_name in updateable_fields: + logging.debug("#### field_name : %s", field_name) + if ( + field_name in payload + and field_name in existing_info + and payload[field_name] != existing_info[field_name] + ): + logging.debug("Changing value for %s", field_name) + proceed = True + else: + proceed = True + + if proceed: + logging.info("Proceeding to either update or create") + try: + + # execute REST action + response = open_url( + api_base_url + end_point, + method=HTTPMethod, + headers=headers, + data=json.dumps(payload), + validate_certs=validate_certs, + ) + + result = {"result": json.loads(response.read())} + + return (True, result, response.getcode()) + + except (HTTPError, httplib.HTTPException) as http_exception: + + module.fail_json( + msg=( + "Error while performing user_add_or_update." + "Please validate parameters provided." + "\n*** end_point=%s%s\n ==> %s" + % (api_base_url, end_point, to_text(http_exception)) + ), + payload=payload, + headers=headers, + status_code=http_exception.code, + ) + except Exception as unknown_exception: + + module.fail_json( + msg=( + "Unknown error while performing user_add_or_update." + "\n*** end_point=%s%s\n%s" + % (api_base_url, end_point, to_text(unknown_exception)) + ), + payload=payload, + headers=headers, + status_code=-1, + ) + else: + return (False, existing_info, 200) + + +def user_delete(module): + + # Get username from module parameters, and api base url + # along with validate_certs from the cyberark_session established + username = module.params["username"] + cyberark_session = module.params["cyberark_session"] + api_base_url = cyberark_session["api_base_url"] + validate_certs = cyberark_session["validate_certs"] + + # Prepare result, end_point, and headers + result = {} + end_point = ( + "/PasswordVault/WebServices/PIMServices.svc/Users/{0}" + ).format(username) + + headers = {"Content-Type": "application/json"} + headers["Authorization"] = cyberark_session["token"] + + try: + + # execute REST action + response = open_url( + api_base_url + end_point, + method="DELETE", + headers=headers, + validate_certs=validate_certs, + ) + + result = {"result": {}} + + return (True, result, response.getcode()) + + except (HTTPError, httplib.HTTPException) as http_exception: + + exception_text = to_text(http_exception) + if http_exception.code == 404 and "ITATS003E" in exception_text: + # User does not exist + result = {"result": {}} + return (False, result, http_exception.code) + else: + module.fail_json( + msg=( + "Error while performing user_delete." + "Please validate parameters provided." + "\n*** end_point=%s%s\n ==> %s" + % (api_base_url, end_point, exception_text) + ), + headers=headers, + status_code=http_exception.code, + ) + + except Exception as unknown_exception: + + module.fail_json( + msg=( + "Unknown error while performing user_delete." + "\n*** end_point=%s%s\n%s" + % (api_base_url, end_point, to_text(unknown_exception)) + ), + headers=headers, + status_code=-1, + ) + + +def user_add_to_group(module): + + # Get username, and groupname from module parameters, and api base url + # along with validate_certs from the cyberark_session established + username = module.params["username"] + group_name = module.params["group_name"] + cyberark_session = module.params["cyberark_session"] + api_base_url = cyberark_session["api_base_url"] + validate_certs = cyberark_session["validate_certs"] + + # Prepare result, end_point, headers and payload + result = {} + end_point = ( + "/PasswordVault/WebServices/PIMServices.svc/Groups/{0}/Users" + ).format( + urllib.quote(group_name) + ) + + headers = {"Content-Type": "application/json"} + headers["Authorization"] = cyberark_session["token"] + payload = {"UserName": username} + + try: + + # execute REST action + response = open_url( + api_base_url + end_point, + method="POST", + headers=headers, + data=json.dumps(payload), + validate_certs=validate_certs, + ) + + result = {"result": {}} + + return (True, result, response.getcode()) + + except (HTTPError, httplib.HTTPException) as http_exception: + + exception_text = to_text(http_exception) + if http_exception.code == 409 and "ITATS262E" in exception_text: + # User is already member of Group + return (False, None, http_exception.code) + else: + module.fail_json( + msg=( + "Error while performing user_add_to_group." + "Please validate parameters provided." + "\n*** end_point=%s%s\n ==> %s" + % (api_base_url, end_point, exception_text) + ), + payload=payload, + headers=headers, + status_code=http_exception.code, + ) + + except Exception as unknown_exception: + + module.fail_json( + msg=( + "Unknown error while performing user_add_to_group." + "\n*** end_point=%s%s\n%s" + % (api_base_url, end_point, to_text(unknown_exception)) + ), + payload=payload, + headers=headers, + status_code=-1, + ) + + +def main(): + + module = AnsibleModule( + argument_spec=dict( + username=dict(type="str", required=True), + state=dict( + type="str", + default="present", + choices=["absent", "present"] + ), + logging_level=dict( + type="str", + default="NOTSET", + choices=["NOTSET", "DEBUG", "INFO"] + ), + logging_file=dict(type="str", default="/tmp/ansible_cyberark.log"), + cyberark_session=dict(type="dict", required=True), + initial_password=dict(type="str", no_log=True), + new_password=dict(type="str", no_log=True), + email=dict(type="str"), + first_name=dict(type="str"), + last_name=dict(type="str"), + change_password_on_the_next_logon=dict(type="bool"), + expiry_date=dict(type="str"), + user_type_name=dict(type="str"), + disabled=dict(type="bool"), + location=dict(type="str"), + group_name=dict(type="str"), + ) + ) + + if module.params["logging_level"] is not None: + logging.basicConfig( + filename=module.params["logging_file"], + level=module.params["logging_level"] + ) + + logging.info("Starting Module") + + state = module.params["state"] + group_name = module.params["group_name"] + + if state == "present": + (changed, result, status_code) = user_details(module) + + if status_code == 200: + # User already exists + + (changed, result, status_code) = user_add_or_update( + module, "PUT", result["result"] + ) + + if group_name is not None: + # If user exists, add to group if needed + (changed_group, no_result, no_status_code) = user_add_to_group(module) + changed = changed or changed_group + + elif status_code == 404: + # User does not exist, proceed to create it + (changed, result, status_code) = user_add_or_update( + module, + "POST", + None + ) + + if status_code == 201 and group_name is not None: + # If user was created, add to group if needed + (changed, no_result, no_status_code) = user_add_to_group(module) + + elif state == "absent": + (changed, result, status_code) = user_delete(module) + + module.exit_json( + changed=changed, + cyberark_user=result, + status_code=status_code + ) + + +if __name__ == "__main__": + main() diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/roles/.DS_Store b/collections-debian-merged/ansible_collections/cyberark/pas/roles/.DS_Store Binary files differnew file mode 100644 index 00000000..5008ddfc --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/roles/.DS_Store diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/tests/change_test.yml b/collections-debian-merged/ansible_collections/cyberark/pas/tests/change_test.yml new file mode 100644 index 00000000..8db42b45 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/tests/change_test.yml @@ -0,0 +1,37 @@ +--- +- hosts: localhost + + collections: + - cyberark.pas + + tasks: + + - name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark_authentication: + api_base_url: "http://components.cyberark.local" + validate_certs: no + username: "bizdev" + password: "Cyberark1" + + - name: Rotate credential via reconcile and providing the password to be changed to + cyberark_account: + identified_by: "address,username" + safe: "Test" + address: "prod.cyberark.local" + username: "admin" + platform_id: WinDomain + platform_account_properties: + ReconcileAccount: "Operating System-WinServerLocal-cyberark.local-administrator-x" + LogonDomain: "PROD" + secret_management: +# new_secret: "Ama123ah12@#!Xaamdjbdkl@#112" +# management_action: "reconcile" + automatic_management_enabled: true + state: present + cyberark_session: "{{ cyberark_session }}" + register: reconcileaccount + + - name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}"
\ No newline at end of file diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/tests/changepolicy.yml b/collections-debian-merged/ansible_collections/cyberark/pas/tests/changepolicy.yml new file mode 100644 index 00000000..9875e135 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/tests/changepolicy.yml @@ -0,0 +1,41 @@ +--- +- hosts: localhost + + collections: + - cyberark.pas + + tasks: + + - name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark_authentication: + api_base_url: "http://components.cyberark.local" + validate_certs: no + username: "bizdev" + password: "Cyberark1" + + + - name: Debug message + debug: + var: cyberark_session + + - name: Account + cyberark_account: + identified_by: "address,username" + safe: "Test" + address: "cyberark.local" + username: "cyberark-administrator" + platform_id: WinDomain-Level2 + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + + - name: Debug message + debug: + var: cyberarkaction + + - name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" + + - name: Debug message + debug: var=cyberark_session diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/tests/deprovision_account.yml b/collections-debian-merged/ansible_collections/cyberark/pas/tests/deprovision_account.yml new file mode 100644 index 00000000..8aca477d --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/tests/deprovision_account.yml @@ -0,0 +1,42 @@ +--- +- hosts: localhost + + collections: + - cyberark.pas + + tasks: + + - name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark_authentication: + api_base_url: "http://components.cyberark.local" + validate_certs: no + username: "bizdev" + password: "Cyberark1" + + + - name: Debug message + debug: + var: cyberark_session + + - name: Account + cyberark_account: + logging_level: DEBUG + identified_by: "address,username" + safe: "Test" + address: "cyberark.local" + username: "cyberark-administrator" + state: absent + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + + - name: Debug message + debug: + var: cyberarkaction + + - name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" + + - name: Debug message + debug: var=cyberark_session diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/tests/deprovision_user.yml b/collections-debian-merged/ansible_collections/cyberark/pas/tests/deprovision_user.yml new file mode 100644 index 00000000..18110c76 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/tests/deprovision_user.yml @@ -0,0 +1,39 @@ +--- +- hosts: localhost + + collections: + - cyberark.pas + + tasks: + + - name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark_authentication: + api_base_url: "http://components.cyberark.local" + validate_certs: no + username: "bizdev" + password: "Cyberark1" + + + - name: Debug message + debug: + var: cyberark_session + + - name: Removing a CyberArk User + cyberark_user: + username: "ansibleuser" + state: absent + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + + - name: Debug message + debug: + var: cyberarkaction + + + - name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" + + - name: Debug message + debug: var=cyberark_session diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/tests/disable_user.yml b/collections-debian-merged/ansible_collections/cyberark/pas/tests/disable_user.yml new file mode 100644 index 00000000..8f0dec90 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/tests/disable_user.yml @@ -0,0 +1,31 @@ +--- +- hosts: localhost + + collections: + - cyberark.pas + + tasks: + + - name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark_authentication: + api_base_url: "http://components.cyberark.local" + validate_certs: no + username: "bizdev" + password: "Cyberark1" + + - name: Disabling a CyberArk User + cyberark_user: + username: "ansibleuser" + disabled: true + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + + - name: Debug message + debug: + var: cyberarkaction + + + - name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/tests/enable_user.yml b/collections-debian-merged/ansible_collections/cyberark/pas/tests/enable_user.yml new file mode 100644 index 00000000..7cad3f6d --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/tests/enable_user.yml @@ -0,0 +1,32 @@ +--- +- hosts: localhost + + collections: + - cyberark.pas + + tasks: + + - name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark_authentication: + api_base_url: "http://components.cyberark.local" + validate_certs: no + username: "bizdev" + password: "Cyberark1" + + - name: Enabling a CyberArk User and forcing a password change at next logon + cyberark_user: + username: "ansibleuser" + disabled: false + state: present + change_password_on_the_next_logon: true + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + + - name: Debug message + debug: + var: cyberarkaction + + - name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/tests/provision_account.yml b/collections-debian-merged/ansible_collections/cyberark/pas/tests/provision_account.yml new file mode 100644 index 00000000..5e9bdc3d --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/tests/provision_account.yml @@ -0,0 +1,41 @@ +--- +- hosts: localhost + + collections: + - cyberark.pas + + tasks: + + - name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark_authentication: + api_base_url: "http://components.cyberark.local" + validate_certs: no + username: "bizdev" + password: "Cyberark1" + + - name: Account + cyberark_account: + identified_by: "address,username" + safe: "Test" + address: "cyberark.local" + username: "cyberark-administrator" + platform_id: WinDomain-Level2 + secret: "CyberarkFirst" + platform_account_properties: + LogonDomain: "RedHatAnsible" + OwnerName: "James Stutes" + Port: 8080 + secret_management: + automatic_management_enabled: true + state: present + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + + - name: Debug message + debug: + var: cyberarkaction + + - name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/tests/provision_user.yml b/collections-debian-merged/ansible_collections/cyberark/pas/tests/provision_user.yml new file mode 100644 index 00000000..64b6a233 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/tests/provision_user.yml @@ -0,0 +1,37 @@ +--- +- hosts: localhost + + collections: + - cyberark.pas + + tasks: + + - name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark_authentication: + api_base_url: "http://components.cyberark.local" + validate_certs: no + username: "bizdev" + password: "Cyberark1" + + - name: Creating a CyberArk User, setting a simple password but forcing a password change at next logon + cyberark_user: + username: "ansibleuser" + first_name: "Ansible" + last_name: "User" + email: "ansibleuser@demo.com" + initial_password: "Cyberark1" + user_type_name: "EPVUser" + group_name: "AnsibleAdmins" + disabled: false + state: present + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + + - name: Debug message + debug: + var: cyberarkaction + + - name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/tests/reset_user_password.yml b/collections-debian-merged/ansible_collections/cyberark/pas/tests/reset_user_password.yml new file mode 100644 index 00000000..98fff96f --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/tests/reset_user_password.yml @@ -0,0 +1,33 @@ +--- +- hosts: localhost + + collections: + - cyberark.pas + + tasks: + + - name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark_authentication: + api_base_url: "http://components.cyberark.local" + validate_certs: no + username: "bizdev" + password: "Cyberark1" + + - name: Enabling a CyberArk User and forcing a password change at next logon + cyberark_user: + username: "ansibleuser" + disabled: false + new_password: Cyberark1 + state: present + change_password_on_the_next_logon: true + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + + - name: Debug message + debug: + var: cyberarkaction + + - name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" diff --git a/collections-debian-merged/ansible_collections/cyberark/pas/tests/test.yml b/collections-debian-merged/ansible_collections/cyberark/pas/tests/test.yml new file mode 100644 index 00000000..537d93e5 --- /dev/null +++ b/collections-debian-merged/ansible_collections/cyberark/pas/tests/test.yml @@ -0,0 +1,65 @@ +--- +- hosts: localhost + + collections: + - cyberark.pas + + tasks: + + - name: Logon to CyberArk Vault using PAS Web Services SDK + cyberark_authentication: + api_base_url: "http://components.cyberark.local" + validate_certs: no + username: "bizdev" + password: "Cyberark1" + + + - name: Debug message + debug: + var: cyberark_session + + - name: User + cyberark_user: + username: "testuser" + initial_password: "Cyberark1" + user_type_name: "EPVUser" + change_password_on_the_next_logon: false + group_name: "Auditors" + disabled: false + state: present + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + + - name: Debug message + debug: + var: cyberarkaction + + - name: Account + cyberark_account: +# logging_level: DEBUG + identified_by: "address,username" + name: "EDWARD_ACCOUNT" + safe: "Test" + address: "10.0.1.20" + username: "james_test" + platform_id: WinServerLocal + platform_account_properties: + LogonDomain: "10.0.1.20" + secret_management: + automatic_management_enabled: false + manual_management_reason: "No Reason" + state: present + cyberark_session: "{{ cyberark_session }}" + register: cyberarkaction + + - name: Debug message + debug: + var: cyberarkaction + + - name: Logoff from CyberArk Vault + cyberark_authentication: + state: absent + cyberark_session: "{{ cyberark_session }}" + + - name: Debug message + debug: var=cyberark_session |