Fix multiple issues with the TSS lookup plugin when using fetch_attachments

[laszlojau]

SUMMARY

There are multiple issues present in the TSS lookup plugin when the recently added fetch_attachments is set to True:

• All files are written as text with UTF-8 encoding - this does not work for PFX files which have to be written in binary format
• An AttributeError is raised ('str' object has no attribute 'text') when some attachments are missing from a secret. This is an issue, as some attachments may be optional (e.g. a secret can hold both a PFX and PEM format certificate in separate fields)
• Empty files get created for missing attachments, so an empty certificate may be uploaded to a target server if we are only checking for the file being present

ISSUE TYPE

• Bugfix Pull Request

COMPONENT NAME

tss

ADDITIONAL INFORMATION

1. An AttributeError is raised when attachments are missing:

   Before this PR (files get created for missing attachments and the whole task errors out):

   fatal: [localhost]: FAILED! => {
       "msg": "An unhandled exception occurred while templating '{{\n    lookup(\n        'community.general.tss',\n        1234,\n        fetch_attachments=True,\n        file_download_path='files/certs-test',\n    )\n}}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'community.general.tss'. Error was a <class 'AttributeError'>, original message: 'str' object has no attribute 'text'. 'str' object has no attribute 'text'"
   }

   After this PR (files won't be created for missing attachments and the task will raise warnings instead of erroring out):

   TASK [Test secret without all attachments] *************************************************************************
   [WARNING]: Could not read file content for certificate-file-pem
   [WARNING]: Could not read file content for key-file-pem
   [WARNING]: Could not read file content for full-chain-certificate-file-pem
   

2. Downloaded files are corrupted when using PFX attachments

   Before this PR: PFX files get corrupted when downloading them with the current lookup plugin, which uses the text field for loading the content of the attachment - i.e. they can't be read with openssl pkcs12 -in my-cert.pfx -clcerts -nokeys -noout -text.

   After this PR: Using the content field and writing the file as binary works for PFX files. It also works for PEM format certificates and RSA keys.

3. The return values are different when using fetch_attachments and they cannot be printed
I've reverted the relevant commit as this was an issue on our end, masked by the above the 2 issues. I was receiving errors as our secret template did not have a private-key field.

[ansibullbot]

cc @delineaKrehl @tylerezimmerman
click here for bot help

[felixfontein]

Thanks for your contribution! I've a first comment on the changelog fragment, the plugin maintainers might have more/other comments.

[patchback]

Backport to stable-6: 💔 cherry-picking failed — conflicts found

❌ Failed to cleanly apply 6bff57e on top of patchback/backports/stable-6/6bff57ee6e85a450540ddd9151b9814cd24d294f/pr-6720

Backporting merged PR #6720 into main

1. Ensure you have a local repo clone of your fork. Unless you cloned it
   from the upstream, this would be your origin remote.
2. Make sure you have an upstream repo added as a remote too. In these
   instructions you'll refer to it by the name upstream. If you don't
   have it, here's how you can add it:

   $ git remote add upstream https://github.com/ansible-collections/community.general.git

3. Ensure you have the latest copy of upstream and prepare a branch
   that will hold the backported code:

   $ git fetch upstream
   $ git checkout -b patchback/backports/stable-6/6bff57ee6e85a450540ddd9151b9814cd24d294f/pr-6720 upstream/stable-6

4. Now, cherry-pick PR Fix multiple issues with the TSS lookup plugin when using fetch_attachments #6720 contents into that branch:

   $ git cherry-pick -x 6bff57ee6e85a450540ddd9151b9814cd24d294f

   If it'll yell at you with something like fatal: Commit 6bff57ee6e85a450540ddd9151b9814cd24d294f is a merge but no -m option was given., add -m 1 as follows instead:

   $ git cherry-pick -m1 -x 6bff57ee6e85a450540ddd9151b9814cd24d294f

5. At this point, you'll probably encounter some merge conflicts. You must
   resolve them in to preserve the patch from PR Fix multiple issues with the TSS lookup plugin when using fetch_attachments #6720 as close to the
   original as possible.
6. Push this branch to your fork on GitHub:

   $ git push origin patchback/backports/stable-6/6bff57ee6e85a450540ddd9151b9814cd24d294f/pr-6720

7. Create a PR, ensure that the CI is green. If it's not — update it so that
   the tests and any other checks pass. This is it!
   Now relax and wait for the maintainers to process your pull request
   when they have some cycles to do reviews. Don't worry — they'll tell you if
   any improvements are necessary when the time comes!

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

[patchback]

Backport to stable-7: 💚 backport PR created

✅ Backport PR branch: patchback/backports/stable-7/6bff57ee6e85a450540ddd9151b9814cd24d294f/pr-6720

Backported as #6751

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

[felixfontein]

@laszlojau thanks for fixing this!
@delinea-sagar @delineaKrehl thanks for reviewing!