Adding upstream version 7.7.0+dfsg.upstream/7.7.0+dfsg

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

60 files changed, 1074 insertions, 0 deletions

diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/.dockerignore b/ansible_collections/cyberark/conjur/tests/conjur_variable/.dockerignore
new file mode 100644
index 000000000..5ed3ebd29
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/.dockerignore
@@ -0,0 +1 @@
+conjur-intro/
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/.gitignore b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/.gitignore
new file mode 100644
index 000000000..bc1a1f616
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/.gitignore
@@ -0,0 +1,2 @@
+# Created by pytest automatically.
+*
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/CACHEDIR.TAG b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/CACHEDIR.TAG
new file mode 100644
index 000000000..fce15ad7e
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/CACHEDIR.TAG
@@ -0,0 +1,4 @@
+Signature: 8a477f597d28d172789f06886806bc55
+# This file is a cache directory tag created by pytest.
+# For information about cache directory tags, see:
+#	https://bford.info/cachedir/spec.html
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/README.md b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/README.md
new file mode 100644
index 000000000..b89018ced
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/README.md
@@ -0,0 +1,8 @@
+# pytest cache directory #
+
+This directory contains data from the pytest's cache plugin,
+which provides the `--lf` and `--ff` options, as well as the `cache` fixture.
+
+**Do not** commit this to version control.
+
+See [the docs](https://docs.pytest.org/en/stable/how-to/cache.html) for more information.
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/nodeids b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/nodeids
new file mode 100644
index 000000000..c6b2f5e13
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/nodeids
@@ -0,0 +1,11 @@
+[
+  "test_cases/retrieve-variable-bad-cert-path/tests/test_default.py::test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]",
+  "test_cases/retrieve-variable-bad-certs/tests/test_default.py::test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]",
+  "test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]",
+  "test_cases/retrieve-variable-into-file/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]",
+  "test_cases/retrieve-variable-no-cert-provided/tests/test_default.py::test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]",
+  "test_cases/retrieve-variable-with-authn-token-bad-cert/tests/test_default.py::test_retrieve_secret_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]",
+  "test_cases/retrieve-variable-with-authn-token/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]",
+  "test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]",
+  "test_cases/retrieve-variable/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]"
+]
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/stepwise b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/stepwise
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/stepwise
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile b/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile
new file mode 100644
index 000000000..293ccdca0
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile
@@ -0,0 +1,31 @@
+FROM ubuntu:20.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+WORKDIR /cyberark
+
+# install python 3
+RUN apt-get update && \
+    apt-get install -y python3-pip && \
+    pip3 install --upgrade pip
+
+ARG ANSIBLE_VERSION
+# install ansible and its test tool
+RUN pip3 install ansible==${ANSIBLE_VERSION}.* pytest-testinfra
+
+# install docker installation requirements
+RUN apt-get update && \
+    apt-get install -y apt-transport-https \
+                       ca-certificates \
+                       curl \
+                       software-properties-common
+
+# install docker
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
+RUN add-apt-repository \
+       "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+       $(lsb_release -cs) \
+       stable"
+
+RUN apt-get update && \
+    apt-get -y install docker-ce
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile_nginx b/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile_nginx
new file mode 100644
index 000000000..6f1e28107
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile_nginx
@@ -0,0 +1,17 @@
+FROM nginx:1.13.3
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+    apt-get update && \
+    apt-get install -y iputils-ping \
+                       procps \
+                       openssl && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /etc/nginx/
+
+COPY proxy/ssl.conf /etc/ssl/openssl.cnf
+COPY proxy/default.conf /etc/nginx/conf.d/default.conf
+
+RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+    -config /etc/ssl/openssl.cnf -extensions v3_ca \
+    -keyout cert.key -out cert.crt
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/docker-compose.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/docker-compose.yml
new file mode 100644
index 000000000..01294d94b
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/docker-compose.yml
@@ -0,0 +1,67 @@
+version: '3'
+services:
+  ansible:
+    image: ansiblecontainername
+    container_name: ${COMPOSE_PROJECT_NAME}-ansible
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+       ANSIBLE_VERSION: ${ANSIBLE_VERSION}
+    entrypoint: sleep
+    command: infinity
+    environment:
+      CONJUR_APPLIANCE_URL: ${CONJUR_APPLIANCE_URL}
+      CONJUR_ACCOUNT: ${CONJUR_ACCOUNT}
+      CONJUR_AUTHN_LOGIN: ${CONJUR_AUTHN_LOGIN}
+      CONJUR_AUTHN_API_KEY: ${ANSIBLE_MASTER_AUTHN_API_KEY}
+      COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME}
+    networks:
+      - "${DOCKER_NETWORK}"
+    volumes:
+      - ../../plugins:/root/.ansible/plugins
+      - ../..:/cyberark
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  pg:
+    image: postgres:9.4
+    environment:
+      POSTGRES_HOST_AUTH_METHOD: password
+      POSTGRES_PASSWORD: StrongPass
+
+  conjur:
+    image: cyberark/conjur
+    command: server -a cucumber -p 3000
+    environment:
+      DATABASE_URL: postgres://postgres:StrongPass@pg/postgres
+      CONJUR_DATA_KEY: "W0BuL8iTr/7QvtjIluJbrb5LDAnmXzmcpxkqihO3dXA="
+    depends_on:
+      - pg
+
+  conjur_https:
+    hostname: conjur-https
+    build:
+      context: .
+      dockerfile: Dockerfile_nginx
+    entrypoint: nginx-debug -g 'daemon off;'
+    environment:
+      TERM: xterm
+    depends_on:
+      - conjur
+
+  conjur_cli:
+    image: cyberark/conjur-cli:5
+    entrypoint: sleep
+    command: infinity
+    environment:
+      CONJUR_APPLIANCE_URL: http://conjur:3000
+      CONJUR_ACCOUNT: cucumber
+      CONJUR_AUTHN_LOGIN: admin
+      CONJUR_AUTHN_API_KEY: ${CONJUR_ADMIN_AUTHN_API_KEY}
+    volumes:
+      - ./policy:/policy
+
+networks:
+  dap_net:
+    name: dap_net
+    external: true
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable
new file mode 100644
index 000000000..08c9ccb5e
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.575" timestamp="2022-09-09T15:07:48.307449" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.530" /></testsuite></testsuites>
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-cert-path b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-cert-path
new file mode 100644
index 000000000..0ed22fad7
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-cert-path
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.458" timestamp="2022-09-09T15:07:51.763243" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-bad-cert-path.tests.test_default" name="test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.422" /></testsuite></testsuites>
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-certs b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-certs
new file mode 100644
index 000000000..6b0b865c1
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-certs
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.459" timestamp="2022-09-09T15:07:55.122204" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-bad-certs.tests.test_default" name="test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.423" /></testsuite></testsuites>
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-disable-verify-certs b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-disable-verify-certs
new file mode 100644
index 000000000..9f1fc6494
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-disable-verify-certs
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.568" timestamp="2022-09-09T15:07:58.851346" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-disable-verify-certs.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.532" /></testsuite></testsuites>
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-into-file b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-into-file
new file mode 100644
index 000000000..5fcc68f80
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-into-file
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.863" timestamp="2022-09-09T15:08:02.658511" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-into-file.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.828" /></testsuite></testsuites>
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-no-cert-provided b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-no-cert-provided
new file mode 100644
index 000000000..f1c9029a8
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-no-cert-provided
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.464" timestamp="2022-09-09T15:08:06.406130" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-no-cert-provided.tests.test_default" name="test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.429" /></testsuite></testsuites>
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token
new file mode 100644
index 000000000..407145017
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.551" timestamp="2022-09-09T15:08:10.115226" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-with-authn-token.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.516" /></testsuite></testsuites>
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token-bad-cert b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token-bad-cert
new file mode 100644
index 000000000..680f3913f
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token-bad-cert
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.460" timestamp="2022-09-09T15:08:13.541799" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-with-authn-token-bad-cert.tests.test_default" name="test_retrieve_secret_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.425" /></testsuite></testsuites>
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-spaces-secret b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-spaces-secret
new file mode 100644
index 000000000..65e72fecb
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-spaces-secret
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.571" timestamp="2022-09-09T15:08:17.207877" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-with-spaces-secret.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.536" /></testsuite></testsuites>
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/policy/root.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/policy/root.yml
new file mode 100644
index 000000000..dbaea73fa
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/policy/root.yml
@@ -0,0 +1,21 @@
+---
+- !policy
+  id: ansible
+  annotations:
+    description: Policy for Ansible master
+  body:
+
+  - !host
+    id: ansible-master
+    annotations:
+      description: Host for running Ansible on remote targets
+
+  - &variables
+    - !variable test-secret
+    - !variable test-secret-in-file
+    - !variable var with spaces
+
+  - !permit
+    role: !host ansible-master
+    privileges: [ read, execute ]
+    resource: *variables
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/default.conf b/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/default.conf
new file mode 100644
index 000000000..578b3c5f8
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/default.conf
@@ -0,0 +1,29 @@
+server {
+    listen 80;
+    return 301 https://conjur$request_uri;
+}
+
+server {
+    listen       443;
+    server_name  localhost;
+    ssl_certificate           /etc/nginx/cert.crt;
+    ssl_certificate_key       /etc/nginx/cert.key;
+
+    ssl on;
+    ssl_session_cache  builtin:1000  shared:SSL:10m;
+    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+    ssl_prefer_server_ciphers on;
+
+    access_log            /var/log/nginx/access.log;
+
+    location / {
+      proxy_pass http://conjur:3000;
+    }
+
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+
+}
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/ssl.conf b/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/ssl.conf
new file mode 100644
index 000000000..1b11cd755
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/ssl.conf
@@ -0,0 +1,39 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+req_extensions  = v3_req
+x509_extensions = usr_cert
+
+[ dn ]
+C=IL
+ST=Israel
+L=TLV
+O=Onyx
+OU=CyberArk
+CN=conjur-https
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsCertType                      = client, server, email
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
+nsComment                       = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+[ v3_req ]
+extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+DNS.2 = conjur-https
+IP.1 = 127.0.0.1
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/pytest.ini b/ansible_collections/cyberark/conjur/tests/conjur_variable/pytest.ini
new file mode 100644
index 000000000..fe55d2ed6
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/pytest.ini
@@ -0,0 +1,2 @@
+[pytest]
+junit_family=xunit2
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test.sh b/ansible_collections/cyberark/conjur/tests/conjur_variable/test.sh
new file mode 100755
index 000000000..464921b81
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test.sh
@@ -0,0 +1,225 @@
+#!/bin/bash -eu
+
+set -o pipefail
+
+# normalises project name by filtering non alphanumeric characters and transforming to lowercase
+declare -x COMPOSE_PROJECT_NAME=''
+declare -x ENTERPRISE_PROJECT='conjur-intro-variable'
+declare -x ANSIBLE_PROJECT=''
+
+declare -x ANSIBLE_MASTER_AUTHN_API_KEY=''
+declare -x CONJUR_ADMIN_AUTHN_API_KEY=''
+declare -x DOCKER_NETWORK="default"
+declare -x ANSIBLE_VERSION="${ANSIBLE_VERSION:-6}"
+
+ANSIBLE_PROJECT=$(echo "${BUILD_TAG:-ansible-plugin-testing}-conjur-variable" | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]')
+
+enterprise="false"
+cli_cid=""
+test_dir="$(pwd)"
+
+function cleanup {
+  echo 'Removing test environment'
+  echo '---'
+
+  # Escape conjur-intro dir if Enterprise setup fails
+  cd "${test_dir}"
+
+  if [[ -d conjur-intro ]]; then
+    pushd conjur-intro
+      COMPOSE_PROJECT_NAME="${ENTERPRISE_PROJECT}"
+      ./bin/dap --stop
+    popd
+    rm -rf conjur-intro
+  fi
+
+  COMPOSE_PROJECT_NAME="${ANSIBLE_PROJECT}"
+  docker-compose down -v
+  rm -f conjur.pem \
+        access_token
+}
+trap cleanup EXIT
+
+while getopts 'e' flag; do
+  case "${flag}" in
+    e) enterprise="true" ;;
+    *) exit 1 ;;
+   esac
+done
+
+cleanup
+
+function wait_for_conjur {
+  echo "Waiting for Conjur server to come up"
+  docker-compose exec -T conjur conjurctl wait -r 30 -p 3000
+}
+
+function fetch_ssl_certs {
+  echo "Fetching SSL certs"
+  service_id="conjur_https"
+  cert_path="cert.crt"
+  if [[ "${enterprise}" == "true" ]]; then
+    service_id="conjur-master.mycompany.local"
+    cert_path="/etc/ssl/certs/ca.pem"
+  fi
+
+  (docker-compose exec -T "${service_id}" cat "${cert_path}") > conjur.pem
+}
+
+function setup_conjur_resources {
+  echo "Configuring Conjur via CLI"
+
+  policy_path="root.yml"
+  if [[ "${enterprise}" == "false" ]]; then
+    policy_path="/policy/${policy_path}"
+  fi
+
+  docker exec "${cli_cid}" bash -c "
+    conjur policy load root ${policy_path}
+    conjur variable values add ansible/test-secret test_secret_password
+    conjur variable values add ansible/test-secret-in-file test_secret_in_file_password
+    conjur variable values add 'ansible/var with spaces' var_with_spaces_secret_password
+  "
+}
+
+function setup_admin_api_key {
+  echo "Fetching admin API key"
+  if [[ "$enterprise" == "true" ]]; then
+    CONJUR_ADMIN_AUTHN_API_KEY="$(docker exec "${cli_cid}" conjur user rotate_api_key)"
+  else
+    CONJUR_ADMIN_AUTHN_API_KEY="$(docker-compose exec -T conjur conjurctl role retrieve-key "${CONJUR_ACCOUNT}":user:admin)"
+  fi
+}
+
+function setup_ansible_api_key {
+  echo "Fetching Ansible master host credentials"
+  ANSIBLE_MASTER_AUTHN_API_KEY="$(docker exec "${cli_cid}" conjur host rotate_api_key --host ansible/ansible-master)"
+}
+
+function setup_access_token {
+  echo "Get Access Token"
+  docker exec "${cli_cid}" bash -c "
+    export CONJUR_AUTHN_LOGIN=host/ansible/ansible-master
+    export CONJUR_AUTHN_API_KEY=\"$ANSIBLE_MASTER_AUTHN_API_KEY\"
+    conjur authn authenticate
+  " > access_token
+}
+
+function setup_conjur_open_source()  {
+  docker-compose up -d --build conjur \
+                               conjur_https
+
+  wait_for_conjur
+  fetch_ssl_certs
+  setup_admin_api_key
+
+  echo "Creating Conjur CLI with admin credentials"
+  docker-compose up -d conjur_cli
+  cli_cid="$(docker-compose ps -q conjur_cli)"
+
+  setup_conjur_resources
+  setup_ansible_api_key
+  setup_access_token
+}
+
+function setup_conjur_enterprise() {
+  git clone --single-branch --branch main https://github.com/conjurdemos/conjur-intro.git
+  pushd ./conjur-intro
+
+    echo "Provisioning Enterprise leader and follower"
+    ./bin/dap --provision-master
+    ./bin/dap --provision-follower
+
+    cp ../policy/root.yml .
+
+    # Run 'sleep infinity' in the CLI container, so the scripts
+    # have access to an alive and authenticated CLI until the script terminates
+    cli_cid="$(docker-compose run -d \
+      -w /src/cli \
+      --entrypoint sleep client infinity)"
+
+    echo "Authenticate Conjur CLI container"
+    docker exec "${cli_cid}" \
+      /bin/bash -c "
+        if [ ! -e /root/conjur-demo.pem ]; then
+          yes 'yes' | conjur init -u ${CONJUR_APPLIANCE_URL} -a ${CONJUR_ACCOUNT}
+        fi
+        conjur authn login -u admin -p MySecretP@ss1
+        hostname -I
+      "
+
+    fetch_ssl_certs
+    setup_conjur_resources
+    setup_admin_api_key
+    setup_ansible_api_key
+    setup_access_token
+
+    echo "Relocate credential files"
+    mv conjur.pem ../.
+    mv access_token ../.
+  popd
+}
+
+function run_test_cases {
+  for test_case in test_cases/*; do
+    run_test_case "$(basename -- "$test_case")"
+  done
+}
+
+function run_test_case {
+  local test_case=$1
+  echo "---- testing ${test_case} ----"
+
+  if [ -z "$test_case" ]; then
+    echo ERROR: run_test called with no argument 1>&2
+    exit 1
+  fi
+
+  docker-compose exec -T ansible bash -exc "
+    cd tests/conjur_variable
+
+    # If env vars were provided, load them
+    if [ -e 'test_cases/${test_case}/env' ]; then
+      . ./test_cases/${test_case}/env
+    fi
+
+    # You can add -vvvv here for debugging
+    ansible-playbook 'test_cases/${test_case}/playbook.yml'
+
+    py.test --junitxml='./junit/${test_case}' \
+      --connection docker \
+      -v 'test_cases/${test_case}/tests/test_default.py'
+  "
+}
+
+function main() {
+  if [[ "$enterprise" == "true" ]]; then
+    echo "Deploying Conjur Enterprise"
+
+    export CONJUR_APPLIANCE_URL="https://conjur-master.mycompany.local"
+    export CONJUR_ACCOUNT="demo"
+    COMPOSE_PROJECT_NAME="${ENTERPRISE_PROJECT}"
+    DOCKER_NETWORK="dap_net"
+
+    setup_conjur_enterprise
+  else
+    echo "Deploying Conjur Open Source"
+
+    export CONJUR_APPLIANCE_URL="https://conjur-https"
+    export CONJUR_ACCOUNT="cucumber"
+    COMPOSE_PROJECT_NAME="${ANSIBLE_PROJECT}"
+
+    setup_conjur_open_source
+  fi
+
+  COMPOSE_PROJECT_NAME="${ANSIBLE_PROJECT}"
+  export CONJUR_AUTHN_LOGIN="host/ansible/ansible-master"
+
+  echo "Preparing Ansible for test run"
+  docker-compose up -d --build ansible
+
+  echo "Running tests"
+  run_test_cases
+}
+
+main
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/env
new file mode 100644
index 000000000..07d7632c0
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/env
@@ -0,0 +1 @@
+export CONJUR_CERT_FILE=./bad/cert/path
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/playbook.yml
new file mode 100644
index 000000000..516faec41
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/playbook.yml
@@ -0,0 +1,15 @@
+---
+- name: Retrieve Conjur variable fails with bad cert
+  hosts: localhost
+  connection: local
+  tasks:
+    - name: Clean artifact path
+      file:
+        state: absent
+        path: /conjur_secrets.txt
+
+    - name: Retrieve Conjur variable with bad cert
+      vars:
+        super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}"
+      shell: echo "{{super_secret_key}}" > /conjur_secrets.txt
+      ignore_errors: True
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py
new file mode 100644
index 000000000..a3f2bbdf3
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py
@@ -0,0 +1,13 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible']
+
+
+def test_retrieval_failed(host):
+    secrets_file = host.file('/conjur_secrets.txt')
+
+    assert not secrets_file.exists
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/bad-cert.pem b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/bad-cert.pem
new file mode 100644
index 000000000..a3831e0ce
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/bad-cert.pem
@@ -0,0 +1,41 @@
+-----BEGIN CERTIFICATE-----
+MIIDqTCCApGgAwIBAgIQN/xr5EKbXSqdyhGyGBWCizANBgkqhkiG9w0BAQsFADAY
+MRYwFAYDVQQDEw1jb25qdXItb3NzLWNhMB4XDTIwMDYxMjIwNTYzOVoXDTIxMDYx
+MjIwNTYzOVowGzEZMBcGA1UEAxMQY29uanVyLm15b3JnLmNvbTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAOewPeFNcuLuE1tgpINSm4EajDXC+C6qsPhn
+Jf3PhDFCpAEHckx1BVK01kFUdC6FOI6JEuI6pFnV1Tb9+WFYTX6wcGBAy90i+K9u
+Xcjqb3sz5O3p6MjKL4xVvT4TxllT8cslNJix8gFrTYSvBFaUqCioGJAgyQyJ4SV+
+Tm/bXu/KdtfJQaLie+J5Xz/28220hC5NYlIjhMg5YgtRB7JjCj5bPe3PYykN5m8i
+INWEw20EW+54YKNs5RDFNKzXOqF5h6Mrc/RcE1rbCGNOqveQ43DTFUgS4rVF8T8S
+juO+LGfso2w6YvO7pT+ob9GxZytZXQSxrOXe8LpU4jSDS5g0+cECAwEAAaOB6zCB
+6DAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+MAwGA1UdEwEB/wQCMAAwgagGA1UdEQSBoDCBnYIQY29uanVyLm15b3JnLmNvbYIK
+Y29uanVyLW9zc4IhY29uanVyLW9zcy50ZXN0LWRlcGxveS1kZWZhdWx0cy0xgiVj
+b25qdXItb3NzLnRlc3QtZGVwbG95LWRlZmF1bHRzLTEuc3ZjgjNjb25qdXItb3Nz
+LnRlc3QtZGVwbG95LWRlZmF1bHRzLTEuc3ZjLmNsdXN0ZXIubG9jYWwwDQYJKoZI
+hvcNAQELBQADggEBAIdtOYlIdnojqVBbHGKPAJS8ZWDUm97W1KajZ6QGy6X7fD66
+tOb0QNhzLwbi4HQsuNR0rpWa48Z/sN1E6V5WlfG8pTrNRjqAc/sdobERMMS+rhtu
+RfLu1UbYCRLXYIAQFIQFtGDVNXnuvhkCwDz6PV4rniml24qhnGeL3+8ZkW6m5+8u
+XIt4Wq9otR3qj/Jx8eUg9eY/7RKgqCClP5Eg4szO0LaqQNblSR+3OgcGxmdTaJQt
+BlXRIH0CPpX+3p3mO4zfKIDRHZ0tueWLqOVRARyx9n9qBbhlpBJnecS19PNUAGVa
+10H1XkmpVXdadcV/8vBhjEpeq4cVgguS5oozG7Y=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIRAMUGxDd4cpSs7m9hvzTHoi4wDQYJKoZIhvcNAQELBQAw
+GDEWMBQGA1UEAxMNY29uanVyLW9zcy1jYTAeFw0yMDA2MTIyMDU2MzhaFw0yMTA2
+MTIyMDU2MzhaMBgxFjAUBgNVBAMTDWNvbmp1ci1vc3MtY2EwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC111bZxfhVHPerwHXvc+ycgCcI02VtfsrH9Tyk
+cmMsbUO6jF5aKBQj4fKSwbOCdXcqYoGwaQHQzOVMCGGruOYrOwfusOg2t2EQ7KIE
+KWdP0BpAvASvkKwk/GGfaBqtzy1DvVyl0B8b/4C7tnta21Zs5HFOKo0CE+iX/FUQ
+RDjpncE9Zhg2E2f1eCef4D+h2JJLtZPLOUZIUs0IMBPqQiL7iNSfY+e8dy6dRC9v
+AhyFLULpK34aPm1DqwX3rHDPoLJl24sZFo8q9UvpCwj3sqVoABagS32yL/8//LvU
+DaR4pgwuyd9sWf/CQkT0OHsHup5CH7xbYB0DSdmRJPeb07lHAgMBAAGjQjBAMA4G
+A1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANrAiuLkZGmSQlURpWtvm
+PgfPFPKPt1PAqjNwWhzMjHZg2P3UNBUTLeUdo52yJai6/iajlYTRPVvNUqiVnTay
+/X9LwWH5EXTKCHagfQh4fYtTSFa12BUBlSP7at3S25pMDOpylb3CxdGe/Oh8S0HZ
+gu7MMayFhcGCSJnT+F+JIqwnWkbWPYgHn0VCbBXN+5s7GJWFWwZljQzMCIa/xvwr
+xuSX6Lsgai1Abqo1pDJA8RNyxMtn5V8RHgwjQ/BdeodptqZc/kULVDOZ0dkAKxyH
+UYfqxxk4Ywc2JSSJYRs/RJpjngGnnLIOHgnruEIDtdOHw2yxAJZ/e7p8y9ThSxRo
+5Q==
+-----END CERTIFICATE-----
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/env
new file mode 100644
index 000000000..73e6e980a
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/env
@@ -0,0 +1 @@
+export CONJUR_CERT_FILE=./test_cases/retrieve-variable-bad-certs/bad_cert.pem
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/playbook.yml
new file mode 100644
index 000000000..516faec41
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/playbook.yml
@@ -0,0 +1,15 @@
+---
+- name: Retrieve Conjur variable fails with bad cert
+  hosts: localhost
+  connection: local
+  tasks:
+    - name: Clean artifact path
+      file:
+        state: absent
+        path: /conjur_secrets.txt
+
+    - name: Retrieve Conjur variable with bad cert
+      vars:
+        super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}"
+      shell: echo "{{super_secret_key}}" > /conjur_secrets.txt
+      ignore_errors: True
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/tests/test_default.py
new file mode 100644
index 000000000..a3f2bbdf3
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/tests/test_default.py
@@ -0,0 +1,13 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible']
+
+
+def test_retrieval_failed(host):
+    secrets_file = host.file('/conjur_secrets.txt')
+
+    assert not secrets_file.exists
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/playbook.yml
new file mode 100644
index 000000000..f1085642f
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/playbook.yml
@@ -0,0 +1,14 @@
+---
+- name: Retrieve Conjur variable with disabled cert verification
+  hosts: localhost
+  connection: local
+  tasks:
+    - name: Clean artifact path
+      file:
+        state: absent
+        path: /conjur_secrets.txt
+
+    - name: Retrieve Conjur variable with disabled cert verification
+      vars:
+        super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret', validate_certs=False)}}"
+      shell: echo "{{super_secret_key}}" > /conjur_secrets.txt
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py
new file mode 100644
index 000000000..a98ce29e9
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py
@@ -0,0 +1,17 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible']
+
+
+def test_retrieved_secret(host):
+    secrets_file = host.file('/conjur_secrets.txt')
+
+    assert secrets_file.exists
+
+    result = host.check_output("cat /conjur_secrets.txt", shell=True)
+
+    assert result == "test_secret_password"
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/env
new file mode 100644
index 000000000..2363951d1
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/env
@@ -0,0 +1 @@
+export CONJUR_CERT_FILE=./conjur.pem
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/playbook.yml
new file mode 100644
index 000000000..ef982db4f
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/playbook.yml
@@ -0,0 +1,14 @@
+---
+- name: Retrieve Conjur variable into file
+  hosts: localhost
+  connection: local
+  tasks:
+    - name: Clean artifact path
+      file:
+        state: absent
+        path: /conjur_secret_path.txt
+
+    - name: Retrieve Conjur variable into file using as_file option
+      vars:
+        secret_path: "{{lookup('conjur_variable', 'ansible/test-secret-in-file', as_file=True)}}"
+      shell: echo -n "{{secret_path}}" > /lookup_output.txt
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/tests/test_default.py
new file mode 100644
index 000000000..5d05f950b
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/tests/test_default.py
@@ -0,0 +1,22 @@
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible']
+
+
+def test_retrieved_secret(host):
+    """
+    Verify that the as_file parameter makes the lookup plugin return the path to a temporary file
+    containing the secret.
+    """
+    lookup_output_file = host.file('/lookup_output.txt')
+    assert lookup_output_file.exists
+
+    secret_file = host.file(lookup_output_file.content_string)
+    assert secret_file.exists
+    assert secret_file.mode == 0o600
+    assert secret_file.content_string == "test_secret_in_file_password"
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/playbook.yml
new file mode 100644
index 000000000..516faec41
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/playbook.yml
@@ -0,0 +1,15 @@
+---
+- name: Retrieve Conjur variable fails with bad cert
+  hosts: localhost
+  connection: local
+  tasks:
+    - name: Clean artifact path
+      file:
+        state: absent
+        path: /conjur_secrets.txt
+
+    - name: Retrieve Conjur variable with bad cert
+      vars:
+        super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}"
+      shell: echo "{{super_secret_key}}" > /conjur_secrets.txt
+      ignore_errors: True
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py
new file mode 100644
index 000000000..a3f2bbdf3
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py
@@ -0,0 +1,13 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible']
+
+
+def test_retrieval_failed(host):
+    secrets_file = host.file('/conjur_secrets.txt')
+
+    assert not secrets_file.exists
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/bad-cert.pem b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/bad-cert.pem
new file mode 100644
index 000000000..a3831e0ce
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/bad-cert.pem
@@ -0,0 +1,41 @@
+-----BEGIN CERTIFICATE-----
+MIIDqTCCApGgAwIBAgIQN/xr5EKbXSqdyhGyGBWCizANBgkqhkiG9w0BAQsFADAY
+MRYwFAYDVQQDEw1jb25qdXItb3NzLWNhMB4XDTIwMDYxMjIwNTYzOVoXDTIxMDYx
+MjIwNTYzOVowGzEZMBcGA1UEAxMQY29uanVyLm15b3JnLmNvbTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAOewPeFNcuLuE1tgpINSm4EajDXC+C6qsPhn
+Jf3PhDFCpAEHckx1BVK01kFUdC6FOI6JEuI6pFnV1Tb9+WFYTX6wcGBAy90i+K9u
+Xcjqb3sz5O3p6MjKL4xVvT4TxllT8cslNJix8gFrTYSvBFaUqCioGJAgyQyJ4SV+
+Tm/bXu/KdtfJQaLie+J5Xz/28220hC5NYlIjhMg5YgtRB7JjCj5bPe3PYykN5m8i
+INWEw20EW+54YKNs5RDFNKzXOqF5h6Mrc/RcE1rbCGNOqveQ43DTFUgS4rVF8T8S
+juO+LGfso2w6YvO7pT+ob9GxZytZXQSxrOXe8LpU4jSDS5g0+cECAwEAAaOB6zCB
+6DAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+MAwGA1UdEwEB/wQCMAAwgagGA1UdEQSBoDCBnYIQY29uanVyLm15b3JnLmNvbYIK
+Y29uanVyLW9zc4IhY29uanVyLW9zcy50ZXN0LWRlcGxveS1kZWZhdWx0cy0xgiVj
+b25qdXItb3NzLnRlc3QtZGVwbG95LWRlZmF1bHRzLTEuc3ZjgjNjb25qdXItb3Nz
+LnRlc3QtZGVwbG95LWRlZmF1bHRzLTEuc3ZjLmNsdXN0ZXIubG9jYWwwDQYJKoZI
+hvcNAQELBQADggEBAIdtOYlIdnojqVBbHGKPAJS8ZWDUm97W1KajZ6QGy6X7fD66
+tOb0QNhzLwbi4HQsuNR0rpWa48Z/sN1E6V5WlfG8pTrNRjqAc/sdobERMMS+rhtu
+RfLu1UbYCRLXYIAQFIQFtGDVNXnuvhkCwDz6PV4rniml24qhnGeL3+8ZkW6m5+8u
+XIt4Wq9otR3qj/Jx8eUg9eY/7RKgqCClP5Eg4szO0LaqQNblSR+3OgcGxmdTaJQt
+BlXRIH0CPpX+3p3mO4zfKIDRHZ0tueWLqOVRARyx9n9qBbhlpBJnecS19PNUAGVa
+10H1XkmpVXdadcV/8vBhjEpeq4cVgguS5oozG7Y=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIRAMUGxDd4cpSs7m9hvzTHoi4wDQYJKoZIhvcNAQELBQAw
+GDEWMBQGA1UEAxMNY29uanVyLW9zcy1jYTAeFw0yMDA2MTIyMDU2MzhaFw0yMTA2
+MTIyMDU2MzhaMBgxFjAUBgNVBAMTDWNvbmp1ci1vc3MtY2EwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC111bZxfhVHPerwHXvc+ycgCcI02VtfsrH9Tyk
+cmMsbUO6jF5aKBQj4fKSwbOCdXcqYoGwaQHQzOVMCGGruOYrOwfusOg2t2EQ7KIE
+KWdP0BpAvASvkKwk/GGfaBqtzy1DvVyl0B8b/4C7tnta21Zs5HFOKo0CE+iX/FUQ
+RDjpncE9Zhg2E2f1eCef4D+h2JJLtZPLOUZIUs0IMBPqQiL7iNSfY+e8dy6dRC9v
+AhyFLULpK34aPm1DqwX3rHDPoLJl24sZFo8q9UvpCwj3sqVoABagS32yL/8//LvU
+DaR4pgwuyd9sWf/CQkT0OHsHup5CH7xbYB0DSdmRJPeb07lHAgMBAAGjQjBAMA4G
+A1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANrAiuLkZGmSQlURpWtvm
+PgfPFPKPt1PAqjNwWhzMjHZg2P3UNBUTLeUdo52yJai6/iajlYTRPVvNUqiVnTay
+/X9LwWH5EXTKCHagfQh4fYtTSFa12BUBlSP7at3S25pMDOpylb3CxdGe/Oh8S0HZ
+gu7MMayFhcGCSJnT+F+JIqwnWkbWPYgHn0VCbBXN+5s7GJWFWwZljQzMCIa/xvwr
+xuSX6Lsgai1Abqo1pDJA8RNyxMtn5V8RHgwjQ/BdeodptqZc/kULVDOZ0dkAKxyH
+UYfqxxk4Ywc2JSSJYRs/RJpjngGnnLIOHgnruEIDtdOHw2yxAJZ/e7p8y9ThSxRo
+5Q==
+-----END CERTIFICATE-----
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/env
new file mode 100644
index 000000000..b93328faf
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/env
@@ -0,0 +1,4 @@
+unset CONJUR_AUTHN_API_KEY
+unset CONJUR_AUTHN_LOGIN
+export CONJUR_AUTHN_TOKEN_FILE=./access_token
+export CONJUR_CERT_FILE=./test_cases/retrieve-variable-with-authn-token-bad-cert/bad-cert.pem
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/playbook.yml
new file mode 100644
index 000000000..8423a2c13
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/playbook.yml
@@ -0,0 +1,15 @@
+---
+- name: Retrieve Conjur variable with authn-token fails with bad cert
+  hosts: localhost
+  connection: local
+  tasks:
+    - name: Clean artifact path
+      file:
+        state: absent
+        path: /conjur_secrets.txt
+
+    - name: Retrieve Conjur variable with bad cert
+      vars:
+        super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}"
+      shell: echo "{{super_secret_key}}" > /conjur_secrets.txt
+      ignore_errors: True
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/tests/test_default.py
new file mode 100644
index 000000000..c87b160f4
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/tests/test_default.py
@@ -0,0 +1,13 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible']
+
+
+def test_retrieve_secret_failed(host):
+    secrets_file = host.file('/conjur_secrets.txt')
+
+    assert not secrets_file.exists
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/env
new file mode 100644
index 000000000..f4e4155ea
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/env
@@ -0,0 +1,4 @@
+export CONJUR_CERT_FILE=./conjur.pem
+unset CONJUR_AUTHN_API_KEY
+unset CONJUR_AUTHN_LOGIN
+export CONJUR_AUTHN_TOKEN_FILE=./access_token
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/playbook.yml
new file mode 100644
index 000000000..e515b0f11
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/playbook.yml
@@ -0,0 +1,14 @@
+---
+- name: Retrieve Conjur variable with authn-token
+  hosts: localhost
+  connection: local
+  tasks:
+    - name: Clean artifact path
+      file:
+        state: absent
+        path: /conjur_secrets.txt
+
+    - name: Retrieve Conjur variable
+      vars:
+        super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}"
+      shell: echo "{{super_secret_key}}" > /conjur_secrets.txt
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/tests/test_default.py
new file mode 100644
index 000000000..a98ce29e9
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/tests/test_default.py
@@ -0,0 +1,17 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible']
+
+
+def test_retrieved_secret(host):
+    secrets_file = host.file('/conjur_secrets.txt')
+
+    assert secrets_file.exists
+
+    result = host.check_output("cat /conjur_secrets.txt", shell=True)
+
+    assert result == "test_secret_password"
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/env
new file mode 100644
index 000000000..2363951d1
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/env
@@ -0,0 +1 @@
+export CONJUR_CERT_FILE=./conjur.pem
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/playbook.yml
new file mode 100644
index 000000000..103d7e082
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/playbook.yml
@@ -0,0 +1,14 @@
+---
+- name: Retrieve Conjur variable with spaces in the variable name
+  hosts: localhost
+  connection: local
+  tasks:
+    - name: Clean artifact path
+      file:
+        state: absent
+        path: /conjur_secrets.txt
+
+    - name: Retrieve Conjur variable with spaces in the variable name
+      vars:
+        super_secret_key: "{{lookup('conjur_variable', 'ansible/var with spaces')}}"
+      shell: echo "{{super_secret_key}}" > /conjur_secrets.txt
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py
new file mode 100644
index 000000000..145cbb2eb
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py
@@ -0,0 +1,17 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible']
+
+
+def test_retrieved_secret(host):
+    secrets_file = host.file('/conjur_secrets.txt')
+
+    assert secrets_file.exists
+
+    result = host.check_output("cat /conjur_secrets.txt", shell=True)
+
+    assert result == "var_with_spaces_secret_password"
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/env
new file mode 100644
index 000000000..2363951d1
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/env
@@ -0,0 +1 @@
+export CONJUR_CERT_FILE=./conjur.pem
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/playbook.yml
new file mode 100644
index 000000000..44e993f97
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/playbook.yml
@@ -0,0 +1,14 @@
+---
+- name: Retrieve Conjur variable
+  hosts: localhost
+  connection: local
+  tasks:
+    - name: Clean artifact path
+      file:
+        state: absent
+        path: /conjur_secrets.txt
+
+    - name: Retrieve Conjur variable
+      vars:
+        super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}"
+      shell: echo "{{super_secret_key}}" > /conjur_secrets.txt
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/tests/test_default.py
new file mode 100644
index 000000000..a98ce29e9
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/tests/test_default.py
@@ -0,0 +1,17 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible']
+
+
+def test_retrieved_secret(host):
+    secrets_file = host.file('/conjur_secrets.txt')
+
+    assert secrets_file.exists
+
+    result = host.check_output("cat /conjur_secrets.txt", shell=True)
+
+    assert result == "test_secret_password"
diff --git a/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.10.txt b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.10.txt
new file mode 100644
index 000000000..92bf04480
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.10.txt
@@ -0,0 +1,10 @@
+dev/start.sh shebang
+Jenkinsfile shebang
+tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml
+roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python
+ci/build_release shebang
+ci/parse-changelog.sh shebang
+ci/publish_to_galaxy shebang
+ci/test.sh shebang
+secrets.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+dev/policy/root.yml yamllint:unparsable-with-libyaml
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.11.txt b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.11.txt
new file mode 100644
index 000000000..6049963fb
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.11.txt
@@ -0,0 +1,10 @@
+Jenkinsfile shebang
+dev/start.sh shebang
+tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml
+roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python
+ci/build_release shebang
+ci/parse-changelog.sh shebang
+ci/publish_to_galaxy shebang
+ci/test.sh shebang
+secrets.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+dev/policy/root.yml yamllint:unparsable-with-libyaml
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.12.txt b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.12.txt
new file mode 100644
index 000000000..5d750b26c
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.12.txt
@@ -0,0 +1,10 @@
+Jenkinsfile shebang
+dev/start.sh shebang
+tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+ci/build_release shebang
+ci/parse-changelog.sh shebang
+ci/publish_to_galaxy shebang
+ci/test.sh shebang
+secrets.yml yamllint:unparsable-with-libyaml # File loaded by Summon utility (in Jenkinsfile), not via Python
+dev/policy/root.yml yamllint:unparsable-with-libyaml
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.13.txt b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.13.txt
new file mode 100644
index 000000000..5d750b26c
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.13.txt
@@ -0,0 +1,10 @@
+Jenkinsfile shebang
+dev/start.sh shebang
+tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+ci/build_release shebang
+ci/parse-changelog.sh shebang
+ci/publish_to_galaxy shebang
+ci/test.sh shebang
+secrets.yml yamllint:unparsable-with-libyaml # File loaded by Summon utility (in Jenkinsfile), not via Python
+dev/policy/root.yml yamllint:unparsable-with-libyaml
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.14.txt b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.14.txt
new file mode 100644
index 000000000..00a2d8432
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.14.txt
@@ -0,0 +1,11 @@
+Jenkinsfile shebang
+dev/start.sh shebang
+tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+ci/build_release shebang
+ci/parse-changelog.sh shebang
+ci/publish_to_galaxy shebang
+ci/test.sh shebang
+secrets.yml yamllint:unparsable-with-libyaml # File loaded by Summon utility (in Jenkinsfile), not via Python
+dev/policy/root.yml yamllint:unparsable-with-libyaml
+plugins/lookup/conjur_variable.py validate-modules:version-added-must-be-major-or-minor # Lookup plugin added in v1.0.2
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.9.txt b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.9.txt
new file mode 100644
index 000000000..45c7c7e97
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.9.txt
@@ -0,0 +1,8 @@
+Jenkinsfile shebang
+dev/start.sh shebang
+tests/conjur_variable/test.sh shebang
+roles/conjur_host_identity/tests/test.sh shebang
+ci/build_release shebang
+ci/parse-changelog.sh shebang
+ci/publish_to_galaxy shebang
+ci/test.sh shebang
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/unit/Dockerfile b/ansible_collections/cyberark/conjur/tests/unit/Dockerfile
new file mode 100644
index 000000000..66e584669
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/unit/Dockerfile
@@ -0,0 +1,8 @@
+ARG PYTHON_VERSION
+FROM python:${PYTHON_VERSION}
+
+ARG ANSIBLE_VERSION
+RUN pip install https://github.com/ansible/ansible/archive/${ANSIBLE_VERSION}.tar.gz --disable-pip-version-check
+
+COPY tests/unit/requirements.txt /tmp/requirements.txt
+RUN pip install -r /tmp/requirements.txt
diff --git a/ansible_collections/cyberark/conjur/tests/unit/plugins/lookup/__init__.py b/ansible_collections/cyberark/conjur/tests/unit/plugins/lookup/__init__.py
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/unit/plugins/lookup/__init__.py
diff --git a/ansible_collections/cyberark/conjur/tests/unit/plugins/lookup/test_conjur_variable.py b/ansible_collections/cyberark/conjur/tests/unit/plugins/lookup/test_conjur_variable.py
new file mode 100644
index 000000000..7a0db1e12
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/unit/plugins/lookup/test_conjur_variable.py
@@ -0,0 +1,159 @@
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+from unittest import TestCase
+from unittest.mock import call, MagicMock, patch
+from ansible.errors import AnsibleError
+from ansible.plugins.loader import lookup_loader
+
+from ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable import _merge_dictionaries, _fetch_conjur_token, _fetch_conjur_variable
+from ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable import _load_identity_from_file, _load_conf_from_file
+
+
+class MockMergeDictionaries(MagicMock):
+    RESPONSE = {'id': 'host/ansible/ansible-fake', 'api_key': 'fakekey'}
+
+
+class MockFileload(MagicMock):
+    RESPONSE = {}
+
+
+class TestConjurLookup(TestCase):
+    def setUp(self):
+        self.lookup = lookup_loader.get("conjur_variable")
+
+    def test_merge_dictionaries(self):
+        functionOutput = _merge_dictionaries(
+            {},
+            {'id': 'host/ansible/ansible-fake', 'api_key': 'fakekey'}
+        )
+        self.assertEquals(MockMergeDictionaries.RESPONSE, functionOutput)
+
+    def test_load_identity_from_file(self):
+        load_identity = _load_identity_from_file("/etc/conjur.identity", "https://conjur-fake")
+        self.assertEquals(MockFileload.RESPONSE, load_identity)
+
+    def test_load_conf_from_file(self):
+        load_conf = _load_conf_from_file("/etc/conjur.conf")
+        self.assertEquals(MockFileload.RESPONSE, load_conf)
+
+    @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable.open_url')
+    def test_fetch_conjur_token(self, mock_open_url):
+        mock_response = MagicMock()
+        mock_response.getcode.return_value = 200
+        mock_response.read.return_value = "response body"
+        mock_open_url.return_value = mock_response
+        result = _fetch_conjur_token("url", "account", "username", "api_key", True, "cert_file")
+        mock_open_url.assert_called_with("url/authn/account/username/authenticate",
+                                         data="api_key",
+                                         method="POST",
+                                         validate_certs=True,
+                                         ca_path="cert_file")
+        self.assertEquals("response body", result)
+
+    @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._repeat_open_url')
+    def test_fetch_conjur_variable(self, mock_repeat_open_url):
+        mock_response = MagicMock()
+        mock_response.getcode.return_value = 200
+        mock_response.read.return_value = "response body".encode("utf-8")
+        mock_repeat_open_url.return_value = mock_response
+        result = _fetch_conjur_variable("variable", b'{"protected":"fakeid"}', "url", "account", True, "cert_file")
+        mock_repeat_open_url.assert_called_with("url/secrets/account/variable/variable",
+                                                headers={'Authorization': 'Token token="eyJwcm90ZWN0ZWQiOiJmYWtlaWQifQ=="'},
+                                                method="GET",
+                                                validate_certs=True,
+                                                ca_path="cert_file")
+        self.assertEquals(['response body'], result)
+
+    @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._fetch_conjur_variable')
+    @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._fetch_conjur_token')
+    @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._merge_dictionaries')
+    def test_run(self, mock_merge_dictionaries, mock_fetch_conjur_token, mock_fetch_conjur_variable):
+        mock_fetch_conjur_token.return_value = "token"
+        mock_fetch_conjur_variable.return_value = ["conjur_variable"]
+        mock_merge_dictionaries.side_effect = [
+            {'account': 'fakeaccount', 'appliance_url': 'https://conjur-fake', 'cert_file': './conjurfake.pem'},
+            {'id': 'host/ansible/ansible-fake', 'api_key': 'fakekey'}
+        ]
+
+        terms = ['ansible/fake-secret']
+        kwargs = {'as_file': False, 'conf_file': 'conf_file', 'validate_certs': False}
+        result = self.lookup.run(terms, **kwargs)
+
+        self.assertEquals(result, ["conjur_variable"])
+
+    @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._fetch_conjur_variable')
+    @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._fetch_conjur_token')
+    @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._merge_dictionaries')
+    def test_retrieve_to_file(self, mock_merge_dictionaries, mock_fetch_conjur_token, mock_fetch_conjur_variable):
+        mock_fetch_conjur_token.return_value = "token"
+        mock_fetch_conjur_variable.return_value = ["conjur_variable"]
+        mock_merge_dictionaries.side_effect = [
+            {'account': 'fakeaccount', 'appliance_url': 'https://conjur-fake', 'cert_file': './conjurfake.pem'},
+            {'id': 'host/ansible/ansible-fake', 'api_key': 'fakekey'}
+        ]
+
+        terms = ['ansible/fake-secret']
+        kwargs = {'as_file': True, 'conf_file': 'conf_file', 'validate_certs': False}
+        filepaths = self.lookup.run(terms, **kwargs)
+        self.assertRegex(filepaths[0], '/dev/shm/.*')
+
+        with open(filepaths[0], "r") as file:
+            content = file.read()
+            self.assertEqual(content, "conjur_variable")
+
+    # Negative test cases
+
+    @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._merge_dictionaries')
+    def test_run_bad_config(self, mock_merge_dictionaries):
+        # Withhold 'account' field
+        mock_merge_dictionaries.side_effect = [
+            {'appliance_url': 'https://conjur-fake', 'cert_file': './conjurfake.pem'},
+            {'id': 'host/ansible/ansible-fake', 'api_key': 'fakekey'}
+        ]
+
+        terms = ['ansible/fake-secret']
+        kwargs = {'as_file': False, 'conf_file': 'conf_file', 'validate_certs': True}
+        with self.assertRaises(AnsibleError) as context:
+            self.lookup.run(terms, **kwargs)
+            self.assertEqual(
+                context.exception.message,
+                "Configuration file on the controlling host must define `account` and `appliance_url` entries or they should be environment variables"
+            )
+
+        # Withhold 'id' and 'api_key' fields
+        mock_merge_dictionaries.side_effect = [
+            {'account': 'fakeaccount', 'appliance_url': 'https://conjur-fake', 'cert_file': './conjurfake.pem'},
+            {}
+        ]
+
+        with self.assertRaises(AnsibleError) as context:
+            self.lookup.run(terms, **kwargs)
+            self.assertEqual(
+                context.exception.message,
+                ("Identity file on the controlling host must contain `login` and `password` "
+                 "entries for Conjur appliance URL or they should be environment variables")
+            )
+
+    @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._merge_dictionaries')
+    def test_run_bad_cert_path(self, mock_merge_dictionaries):
+        mock_merge_dictionaries.side_effect = [
+            {'account': 'fakeaccount', 'appliance_url': 'https://conjur-fake', 'cert_file': './conjurfake.pem'},
+            {'id': 'host/ansible/ansible-fake', 'api_key': 'fakekey'}
+        ]
+
+        terms = ['ansible/fake-secret']
+        kwargs = {'as_file': False, 'conf_file': 'conf_file', 'validate_certs': True}
+        with self.assertRaises(FileNotFoundError):
+            self.lookup.run(terms, **kwargs)
+
+    def test_run_no_variable_path(self):
+        kwargs = {'as_file': False, 'conf_file': 'conf_file', 'validate_certs': True}
+
+        with self.assertRaises(AnsibleError) as context:
+            self.lookup.run([], **kwargs)
+            self.assertEqual(context.exception.message, "Invalid secret path: no secret path provided.")
+
+        with self.assertRaises(AnsibleError) as context:
+            self.lookup.run([''], **kwargs)
+            self.assertEqual(context.exception.message, "Invalid secret path: empty secret path not accepted.")
diff --git a/ansible_collections/cyberark/conjur/tests/unit/requirements.txt b/ansible_collections/cyberark/conjur/tests/unit/requirements.txt
new file mode 100644
index 000000000..9b481ce1d
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/unit/requirements.txt
@@ -0,0 +1,14 @@
+mock
+pytest
+pytest-mock
+pytest-xdist
+pytest-forked
+pyyaml  # required by the collection loader (only needed for collections)
+coverage==4.5.4
+
+bcrypt ; python_version >= '3.8'  # controller only
+passlib ; python_version >= '3.8'  # controller only
+pexpect ; python_version >= '3.8'  # controller only
+pytz
+pywinrm ; python_version >= '3.8'  # controller only
+unittest2 ; python_version < '2.7'