Add lookup plugin option (file_mode) to store secret in a file #51
Conversation
This commit adds the file_mode option (boolean) which makes the lookup plugin store the secret in /dev/shm: a file with a random name (0600 permissions) is created. The lookup command returns the file path.
jcosteatcyberark
force-pushed
the
feature/lookup-secret-in-file
branch
from
18a6b92
to
82bc6ca
Compare
There was a problem hiding this comment.
@jcosteatcyberark Left some comments on this PR. Needs a bit of work but you're on the right track I think.
plugins/lookup/conjur_variable.py
Outdated
| @@ -31,6 +31,10 @@ | |||
| description: Flag to control SSL certificate validation | |||
| type: boolean | |||
| default: True | |||
| file_mode: | |||
| description: Store lookup result in a temp file | |||
There was a problem hiding this comment.
This should include another sentence regarding what this is useful for.
There was a problem hiding this comment.
I agree, done in next commit.
plugins/lookup/conjur_variable.py
Outdated
| @@ -86,6 +90,9 @@ | |||
| from base64 import b64encode | |||
| from netrc import netrc | |||
| from os import environ | |||
| import stat | |||
| from random import choice | |||
| import string | |||
There was a problem hiding this comment.
Imports need to be sorted alphabetically
There was a problem hiding this comment.
I sorted the one I added, others don't seem to be though.
I'll keep it out of this PR.
plugins/lookup/conjur_variable.py
Outdated
| @@ -86,6 +90,9 @@ | |||
| from base64 import b64encode | |||
| from netrc import netrc | |||
| from os import environ | |||
| import stat | |||
| from random import choice | |||
| import string | |||
There was a problem hiding this comment.
For stat and string, I think you can import just the constants/functions you are using instead of the whole package
There was a problem hiding this comment.
Thanks, done in next commit
CHANGELOG.md
Outdated
| @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. | |||
| - The [Conjur Ansible role](https://galaxy.ansible.com/cyberark/conjur-host-identity) has been | |||
| migrated to this collection, where it will be maintained moving forward. | |||
| [cyberark/ansible-conjur-host-identity#30](https://github.com/cyberark/ansible-conjur-host-identity/issues/30) | |||
| - Add `file_mode` boolean option to store the secret as a temporary file in /dev/shm/ and return its path. | |||
There was a problem hiding this comment.
This should also include a link to the issue it is trying to resolve.
There was a problem hiding this comment.
I think we also need to add usage of this in the README too
There was a problem hiding this comment.
This is a UX issue but file_mode isn't quite as descriptive as it should be to explain this feature. Any suggestions for a better one maybe?
There was a problem hiding this comment.
Added a link to the Cyberark Commons post. Regarding the usage, I'm not sure where to put it in README.
I renamed file_mode to as_file
plugins/lookup/conjur_variable.py
Outdated
|
|
||
| if file_mode: | ||
| return _store_in_file(conjur_variable) | ||
| else: |
There was a problem hiding this comment.
else isn't needed at this point since there's only a single logic path that remain after file_mode return
There was a problem hiding this comment.
Thanks, removed.
plugins/lookup/conjur_variable.py
Outdated
| @@ -203,12 +210,24 @@ def _fetch_conjur_variable(conjur_variable, token, conjur_url, account, validate | |||
| return {} | |||
|
|
|||
|
|
|||
| def _store_in_file(value): | |||
| file_name = ''.join(choice(string.ascii_uppercase + string.digits) for i in range(12)) | |||
| file_path = os.path.join("/dev/shm", file_name) | |||
There was a problem hiding this comment.
/dev/shm is not guaranteed to exist on the target system
There was a problem hiding this comment.
I created a function to return the best possible path, inspired by Summon equivalent
plugins/lookup/conjur_variable.py
Outdated
| @@ -203,12 +210,24 @@ def _fetch_conjur_variable(conjur_variable, token, conjur_url, account, validate | |||
| return {} | |||
|
|
|||
|
|
|||
| def _store_in_file(value): | |||
| file_name = ''.join(choice(string.ascii_uppercase + string.digits) for i in range(12)) | |||
There was a problem hiding this comment.
You probably should use something like tempfile.NamedTemporaryFile and set prefix/suffix/dir instead of manually assembling the name.
There was a problem hiding this comment.
Thanks, I didn't know this lib. I made the change in next commit
plugins/lookup/conjur_variable.py
Outdated
| def _store_in_file(value): | ||
| file_name = ''.join(choice(string.ascii_uppercase + string.digits) for i in range(12)) | ||
| file_path = os.path.join("/dev/shm", file_name) | ||
| with open(file_path, 'w+') as file: |
There was a problem hiding this comment.
+ in the mode isn't needed since we won't be reading the file
plugins/lookup/conjur_variable.py
Outdated
| file_path = os.path.join("/dev/shm", file_name) | ||
| with open(file_path, 'w+') as file: | ||
| file.write(value[0]) | ||
| os.chmod(file_path, stat.S_IRUSR | stat.S_IWUSR) |
There was a problem hiding this comment.
We should chmod the file before we write the secret into it
There was a problem hiding this comment.
Fixed in next commit
plugins/lookup/conjur_variable.py
Outdated
| file.write(value[0]) | ||
| os.chmod(file_path, stat.S_IRUSR | stat.S_IWUSR) | ||
|
|
||
| return [file_path] |
There was a problem hiding this comment.
This return should happen as part of the function context, not the with context so it should be indented 1 lower level
There was a problem hiding this comment.
This piece of code is removed in next commit thanks to tempfile.NamedTemporaryFile.
jcosteatcyberark
force-pushed
the
feature/lookup-secret-in-file
branch
from
7bd9026
to
b8c2c28
Compare
jcosteatcyberark
force-pushed
the
feature/lookup-secret-in-file
branch
from
b8c2c28
to
501df6a
Compare
|
@jcosteatcyberark Is this ready for another review cycle? I haven't seen any messages that indicate that it is. |
|
Hi @sgnn7, sorry for the delay. It's updated and ready for a review! |
|
Hi @jcosteatcyberark. Just wanted to let you know that I've tagged the team (@cyberark/community-and-integrations-team) and we should be able to get someone to look at this soon. |
There was a problem hiding this comment.
@jcosteatcyberark , thank you for proposing this change! This looks very good to me. The only suggestion that I have is that it might be helpful to add an example of this lookup in the README (in addition to the plain variable lookup that's already there).
Also a question on the syntax for a call to check_output(), just for my own understanding.
| assert secret_file.exists | ||
| assert secret_file.mode == 0o600 | ||
|
|
||
| secret = host.check_output("cat {0}".format(secret_path), shell=True) |
There was a problem hiding this comment.
@jcosteatcyberark, just for my own understanding... Can you explain what this line is doing? I know it's doing a level of indirection (taking secret_path and cating the file that it points to), but I'd like to understand better.
There was a problem hiding this comment.
Hi @diverdane, the test playbook stores the lookup output in /conjur_secret_path.txt. This file contains the path to the file that contains the secret (secret_path).
To resume this test asserts that cat (cat /conjur_secret_path) = secret
There was a problem hiding this comment.
since it wasn't clear to Dane from the code, is it worth writing this in a more-verbose-but-more-clear way or at least adding a code comment?
There was a problem hiding this comment.
Hi @izgeri I cleaned up the code and commented. It should be easier to understand now.
|
Hi @diverdane I added an example to the README and rewrote + commented the test for better readability. |
What does this PR do?
This PR offers a new option:
file_modeas_file (boolean) which adds the possibility to store a secret as a file in/dev/shma temporary file instead of returning it directly. The lookup function instead returns the path of the file.This feature addresses an issue with ansible_ssh_private_key_file which doesn't accept inline ssh keys.
By adding this option, it is now possible to use the below lookup with ansible_ssh_private_key_file:
Without the need to handle temporary file creation in playbooks, it extends the current support of the below:
What ticket does this PR close?
This PR addresses Issue #52 .
This PR also addresses the post in https://discuss.cyberarkcommons.org/t/conjur-ansible-lookup-plugin-and-ssh-key-file/1070
Checklists
Change log
Test coverage
Documentation
READMEs) were updated in this PR, and/or there is a follow-on issue to update docs, or