Added ipa vault lookup plugin #42050

Closed
wants to merge 3 commits into from

Conversation

mvazquezc

SUMMARY

Added IPA Vault lookup plugin. With this lookup you can:

  • list existing vaults
  • show information about vaults
  • retrieve information for standard, symmetric and asymmetric vaults (data will be returned b64 encoded)

ISSUE TYPE

  • Feature Pull Request

COMPONENT NAME

ipa_vault

ANSIBLE VERSION
ansible 2.5.5
  config file = None
  configured module search path = [u'/home/cloud-user/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/cloud-user/ipa_vault/venv/lib/python2.7/site-packages/ansible
  executable location = /home/cloud-user/ipa_vault/venv/bin/ansible
  python version = 2.7.5 (default, Feb 20 2018, 09:19:12) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
ADDITIONAL INFORMATION
TASK [Query ipa for all vaults availabe for the krb token] **********************************************************************************************************************************************************
ok: [localhost] => {
    "msg": [
        [
            {
                "Type": "standard", 
                "Vault name": "test01", 
                "Vault user": "admin"
            }
        ], 
        [
            {
                "Type": "symmetric", 
                "Vault name": "test02", 
                "Vault user": "admin"
            }
        ], 
        [
            {
                "Type": "asymmetric", 
                "Vault name": "test03", 
                "Vault user": "admin"
            }
        ]
    ]
}

TASK [Query ipa for details about an specific vault] ****************************************************************************************************************************************************************
ok: [localhost] => {
    "msg": [
        {
            "Owner users": "admin", 
            "Type": "standard", 
            "Vault name": "test01", 
            "Vault user": "admin"
        }
    ]
}

TASK [Retrieve vault content for a standard vault] ******************************************************************************************************************************************************************
ok: [localhost] => {
    "msg": [
        {
            "Data": "dGVzdDAxCg=="
        }
    ]
}

TASK [Retrieve vault content for a symmetric vault] *****************************************************************************************************************************************************************
ok: [localhost] => {
    "msg": [
        {
            "Data": "dGVzdDAyCg=="
        }
    ]
}

TASK [Retrieve vault content for an asymmetric vault] ***************************************************************************************************************************************************************
ok: [localhost] => {
    "msg": [
        {
            "Data": "dGVzdDAzCg=="
        }
    ]
}

TASK [Retrieve vault content for a symmetric vault using a non-default location for ipa binary] *********************************************************************************************************************
ok: [localhost] => {
    "msg": [
        {
            "Data": "dGVzdDAyCg=="
        }
    ]
}

@ansibot ansibot added affects_2.7 This issue/PR affects Ansible v2.7 feature This issue/PR relates to a feature request. needs_triage Needs a first human triage before being processed. new_contributor This PR is the first contribution by a new community member. new_plugin This PR includes a new plugin. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Jun 28, 2018

ansibot commented Jun 28, 2018

The test ansible-test sanity --test ansible-doc --python 2.6 [explain] failed with 1 error:

lib/ansible/plugins/lookup/ipa_vault.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test compile --python 2.6 [explain] failed with 1 error:

lib/ansible/plugins/lookup/ipa_vault.py:102:33: SyntaxError: _list = {k: v for k, v in temp_list}


@ansibot ansibot added the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Jun 28, 2018
@samdoran samdoran removed the needs_triage Needs a first human triage before being processed. label Jun 28, 2018

ansibot commented Jun 29, 2018

The test ansible-test sanity --test ansible-doc --python 2.6 [explain] failed with 1 error:

lib/ansible/plugins/lookup/ipa_vault.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test compile --python 2.6 [explain] failed with 1 error:

lib/ansible/plugins/lookup/ipa_vault.py:102:33: SyntaxError: _list = {k: v for k, v in temp_list}


@ansibot ansibot added the ci_verified Changes made in this PR are causing tests to fail. label Jun 29, 2018

ansibot commented Jul 2, 2018

@mvazquezc this PR contains the following merge commits:

Please rebase your branch to remove these commits.


@ansibot ansibot added merge_commit This PR contains at least one merge commit. Please resolve! needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html and removed ci_verified Changes made in this PR are causing tests to fail. labels Jul 2, 2018
@ansibot ansibot removed merge_commit This PR contains at least one merge commit. Please resolve! needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html labels Jul 2, 2018
@mvazquezc

The only test that failed seems to have been due to a connectivity error. Could the tests be re-run?

@mvazquezc

@samdoran Is there anything I could do in order to re-run the failed test?


samdoran commented Jul 3, 2018

I just re-ran the failed test.

@ansibot ansibot removed the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Jul 3, 2018

fxfitz commented Jul 3, 2018

I'm surprised you implemented this as a lookup plugin instead of a module. Any reason not to go the module route?

I ask because there's another very similar PR open right now (#41902).


mvazquezc commented Jul 4, 2018

Well, I thought that since the main functionality is gathering data from a vault, a lookup would be "a better choice". For me, it works like the "file" lookup which gets the content of a file. Does that make sense? @fxfitz


jparrill commented Jul 4, 2018

@fxfitz regarding your question, a module's purpose is to perform an action (create vault, archive vault data, etc.) on the destination system, and this just fetches the vault information/data. Some time ago many PRs were rejected because of that fact. Ansible people always try to separate the lookup purposes from the module ones.


fxfitz commented Jul 4, 2018

@jparrill @mvazquezc Thanks for the clarification! To be honest I hadn't dived into a full-blown review yet to catch the difference (woops; my bad. I spoke too soon! 😄), I just noticed the similarity in the PR list.

I'll dive in on this ASAP.

@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Jul 10, 2018
@fxfitz fxfitz left a comment

What do you think about using IPAClient to achieve the same results? That way you're not parsing stdout, you'll have json results, you won't have the ipa client utility, etc etc etc

from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

ANSIBLE_METADATA = {'metadata_version': '0.1',
Contributor

Hmm. On second thought, I'm not even sure if ANSIBLE_METADATA is used in lookup plugins? I think that's only for modules specifically.

Author

Fixed.

author:
- Mario Vazquez (mavazque@redhat.com)
lookup: ipa_vault
version_added: "2.5"
Contributor

I think this would be 2.7.

Author

Fixed.

def __init__(self, ipa_cli='/usr/bin/ipa'):
self.ipa_cli = ipa_cli
if not os.path.isfile(self.ipa_cli):
raise AnsibleError("IPA Client not found in the controll machine %s, install IPA Client and try againg." % self.ipa_cli)
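Review bot: the `os.path.isfile(self.ipa_cli)` check only proves that something exists at that path; it does not prove the user running the controller can execute it, so a non-executable file at `/usr/bin/ipa` (or a wrong `ipa_cli` override) only fails later, inside the subprocess call, with a less clear error. Consider also checking `os.access(self.ipa_cli, os.X_OK)` and naming the condition that failed in the AnsibleError message.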
Contributor

Typo: s/controll/control

Contributor

Typo: s/againg/again

Author

Fixed

version_added: "2.5"
short_description: Gets info from IPA Vault
requirements:
- ipa client (command line utility)
Contributor

Just an idea: while I know this isn't a module, you could get around this requirement by using IPAClient and pulling the same information from the IPA Web API.

Author

This was my first approach, but sadly IPAClient should change the way it works in order to be able to take advantage of it within a lookup plugin.

Basically their post_json method needs a module object to work, and in this lookup we don't use that kind of object. I tried initializing an empty module object and it didn't work because the post_json method needs some information present in the object.

On top of that, they should implement cryptographic functions in order to generate the session key needed to interact with the Vault API.

As a first step we opened an issue [1] so maybe they can fix the first problem (post_json needing a module object); once this issue is solved we can try to implement this using IPAClient rather than the ipa CLI.

[1] #42616

"""

EXAMPLES = """
- name: Query ipa for all vaults availabe for the krb token
Contributor

Typo: s/availabe/available

Author

Solved.
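An added example (not the PR's code and not the plugin's API) of how the `__init__` check reviewed above, and the CLI invocation the lookup relies on, can be hardened: the `ipa` path must be an existing executable, a vault name or user is validated before it becomes a CLI argument, the command is built as an argv list so no shell is involved, and the base64 payload the lookup returns is decoded with validation. `IpaVaultCli`, `build_cmd`, `decode_vault_data` and the vault-name pattern are assumptions of this example.

```python
import base64
import binascii
import os
import re

# Assumed vault-name policy for this example: FreeIPA vault names are short
# identifiers; rejecting anything else keeps shell metacharacters and option
# prefixes ("-" / "--") out of the argv handed to the ipa binary.
_VAULT_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")

# ipa vault sub-commands the lookup needs (list, show, retrieve).
_ACTIONS = ("vault-find", "vault-show", "vault-retrieve")


class IpaVaultCli(object):
    """Hypothetical wrapper around the ipa CLI (example code, not the plugin)."""

    def __init__(self, ipa_cli="/usr/bin/ipa"):
        # isfile() alone only proves something exists at the path; a lookup
        # that shells out must also know the file is executable by this user.
        if not os.path.isfile(ipa_cli):
            raise ValueError("IPA client not found on the control machine: %s" % ipa_cli)
        if not os.access(ipa_cli, os.X_OK):
            raise ValueError("IPA client is not executable: %s" % ipa_cli)
        self.ipa_cli = ipa_cli

    def build_cmd(self, action, vault_name=None, vault_user=None):
        """Return an argv list for subprocess (no shell=True, no string joining)."""
        if action not in _ACTIONS:
            raise ValueError("unsupported ipa vault action: %s" % action)
        cmd = [self.ipa_cli, action]
        if vault_name is not None:
            if not _VAULT_NAME.match(vault_name):
                raise ValueError("invalid vault name: %r" % vault_name)
            cmd.append(vault_name)
        if vault_user is not None:
            if not _VAULT_NAME.match(vault_user):
                raise ValueError("invalid vault user: %r" % vault_user)
            # "--user" is the assumed ipa vault option for the vault owner.
            cmd.extend(["--user", vault_user])
        return cmd


def decode_vault_data(b64_data):
    """Decode the base64 blob the lookup returns; reject corrupt input instead of truncating."""
    try:
        return base64.b64decode(b64_data, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("vault data is not valid base64: %s" % exc)
```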

@ansibot ansibot added the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Jul 10, 2018
@mvazquezc mvazquezc left a comment

Changes pushed.

"""

EXAMPLES = """
- name: Query ipa for all vaults availabe for the krb token
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Solved.

def __init__(self, ipa_cli='/usr/bin/ipa'):
self.ipa_cli = ipa_cli
if not os.path.isfile(self.ipa_cli):
raise AnsibleError("IPA Client not found in the controll machine %s, install IPA Client and try againg." % self.ipa_cli)
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

author:
- Mario Vazquez (mavazque@redhat.com)
lookup: ipa_vault
version_added: "2.5"
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

ANSIBLE_METADATA = {'metadata_version': '0.1',
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

version_added: "2.5"
short_description: Gets info from IPA Vault
requirements:
- ipa client (command line utility)
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was my first approach, but sadly IPAClient should change the way it works in order to be able to take advantage of it within a lookup plugin.

Basically their post_json method needs a module object to work, in this lookup we don't use this kind of objects. I tried initializing an empty module object and it didn't work because post_json method needs some information present in the object.

On top of that, they should implement cryptographic functions in order to generate the session key needed to interact with the Vault API.

As a first step we opened an Issue[1] so maybe they can fix the first problem (post_json needing a module object), once this issue is solved we can try to implement this using IPAClient rather than using ipa cli.

[1] #42616


ansibot commented Jul 11, 2018

@mvazquezc this PR contains the following merge commits:

Please rebase your branch to remove these commits.


@ansibot ansibot added merge_commit This PR contains at least one merge commit. Please resolve! needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html and removed stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. labels Jul 11, 2018
@ansibot ansibot removed merge_commit This PR contains at least one merge commit. Please resolve! needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html labels Jul 11, 2018
@mvazquezc

Hey @fxfitz,

Have you seen the pushed changes?

Thanks,

@ansibot ansibot added stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. stale_review Updates were made after the last review and the last review is more than 7 days old. labels Jul 26, 2018

schegi commented Aug 25, 2018

I added some ipa_vault related modules recently (cf. #44631). Together with the modules I added IPAVaultClient (ipa_vault.py in module_utils) as an extension to IPAClient which adds all the necessary transport, symmetric and asymmetric en/decryption functionality needed to handle vault data. Maybe this is interesting for you to get rid of all CLI calls in your lookup. But it has to pass review first.

@ansibot ansibot added support:community This issue/PR relates to code supported by the Ansible community. and removed support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Sep 18, 2018
@dagwieers dagwieers added the ipa IPA community label Feb 8, 2019
@ansibot ansibot removed the stale_review Updates were made after the last review and the last review is more than 7 days old. label Jul 2, 2019
@ansibot ansibot added the stale_review Updates were made after the last review and the last review is more than 7 days old. label Jul 10, 2019
@ansibot ansibot added community_review In order to be merged, this PR must follow the community review workflow. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. stale_review Updates were made after the last review and the last review is more than 7 days old. labels Mar 3, 2020
@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. stale_review Updates were made after the last review and the last review is more than 7 days old. and removed community_review In order to be merged, this PR must follow the community review workflow. labels Mar 27, 2020
@Akasurde
Member

Hi @mvazquezc, Thank you very much for your interest in Ansible. This plugin/module is no longer maintained in this repository and has been migrated to https://github.com/ansible-collections/community.general

If you have further questions please stop by IRC or the mailing list:

* IRC: #ansible on irc.freenode.net
* mailing list: https://groups.google.com/forum/#!forum/ansible-project

needs_info

@Akasurde Akasurde closed this Aug 20, 2020
@ansible ansible locked as resolved and limited conversation to collaborators Aug 20, 2020
Labels
affects_2.7 This issue/PR affects Ansible v2.7 feature This issue/PR relates to a feature request. ipa IPA community needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. new_contributor This PR is the first contribution by a new community member. new_plugin This PR includes a new plugin. stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. stale_review Updates were made after the last review and the last review is more than 7 days old. support:community This issue/PR relates to code supported by the Ansible community.