Merge branch 'master' into BC-6654-update-mongodb

hpi-schul-cloud · Jul 12, 2024 · ebc2870 · ebc2870
2 parents 2d2fac0 + 4af1f07
commit ebc2870
Show file tree

Hide file tree

Showing 19 changed files with 371 additions and 55 deletions.
diff --git a/.github/workflows/bapontag.yaml b/.github/workflows/bapontag.yaml
@@ -35,7 +35,7 @@ jobs:
   
   build_and_push:
     needs: pre_build
-    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/image-publish-trivy.yaml@6
+    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/image-publish-trivy.yaml@7
     permissions:
       packages: write
       contents: read

diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,5 @@ venv
 dbcmetrics/dbcm_config.yaml
 prod-container-list/*.csv
 prod-container-list/*.log
+
+onepwd/credentials.json
diff --git a/awx-ee/_build/scripts/assemble b/awx-ee/_build/scripts/assemble
@@ -43,7 +43,7 @@ fi
 
 if [ "$PKGMGR" = "/usr/bin/microdnf" ]
 then
-    if [ -z $PKGMGR_OPTS ]; then
+    if [ -z "${PKGMGR_OPTS}" ]; then
         # NOTE(pabelanger): skip install docs and weak dependencies to
         # make smaller images. Sadly, setting these in dnf.conf don't
         # appear to work.

diff --git a/awx-ee/_build/scripts/install-from-bindep b/awx-ee/_build/scripts/install-from-bindep
@@ -37,7 +37,7 @@ fi
 
 if [ "$PKGMGR" = "/usr/bin/microdnf" ]
 then
-    if [ -z $PKGMGR_OPTS ]; then
+    if [ -z "${PKGMGR_OPTS}" ]; then
         # NOTE(pabelanger): skip install docs and weak dependencies to
         # make smaller images. Sadly, setting these in dnf.conf don't
         # appear to work.

diff --git a/awx-ee/_build/scripts/introspect.py b/awx-ee/_build/scripts/introspect.py
@@ -208,7 +208,7 @@ def simple_combine(reqs):
     return fancy_lines
 
 
-def parse_args(args=sys.argv[1:]):
+def parse_args(args=None):
 
     parser = argparse.ArgumentParser(
         prog='introspect',
@@ -217,14 +217,15 @@ def parse_args(args=sys.argv[1:]):
         )
     )
 
-    subparsers = parser.add_subparsers(help='The command to invoke.', dest='action')
-    subparsers.required = True
+    subparsers = parser.add_subparsers(
+        help='The command to invoke.',
+        dest='action',
+        required=True,
+    )
 
     create_introspect_parser(subparsers)
 
-    args = parser.parse_args(args)
-
-    return args
+    return parser.parse_args(args)
 
 
 def run_introspect(args, logger):

diff --git a/onepwd/credentials.json.j2 b/onepwd/credentials.json.j2
@@ -0,0 +1,7 @@
+{
+    "OP_EMAIL": "{{ OP_EMAIL }}",
+    "OP_PASSWORD": "{{ OP_PASSWORD }}",
+    "OP_SUBDOMAIN": "{{ OP_SUBDOMAIN }}",
+    "OP_SECRET_KEY": "{{ OP_SECRET_KEY }}",
+    "OP_2FA_TOKEN": "{{ OP_2FA_TOKEN }}"
+}
diff --git a/onepwd/galaxy.yml b/onepwd/galaxy.yml
@@ -9,7 +9,7 @@ namespace: dbildungscloud
 name: onepwd
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 2.3.0
+version: 2.4.0
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md

diff --git a/onepwd/playbook-test-onepwd.yml b/onepwd/playbook-test-onepwd.yml
@@ -7,7 +7,26 @@
       Test file.
     document_updated_content: |-
       Updated file.
+    op_credentials:
+      OP_EMAIL: "{{ lookup('env','OP_EMAIL') }}"
+      OP_PASSWORD: "{{ lookup('env','OP_PASSWORD') }}"
+      OP_SECRET_KEY: "{{ lookup('env','OP_SECRET_KEY') }}"
+      OP_SUBDOMAIN: "{{ lookup('env','OP_SUBDOMAIN') }}"
+      OP_2FA_TOKEN: "{{ lookup('env','OP_2FA_TOKEN') }}"
+    op_credentials_file: "{{ playbook_dir }}/credentials.json"
+
   tasks:
+    - name: Generate credentials file
+      template:
+        src: credentials.json.j2
+        dest: "{{ op_credentials_file }}"
+      vars:
+        OP_EMAIL: "{{ lookup('env','OP_EMAIL') }}"
+        OP_PASSWORD: "{{ lookup('env','OP_PASSWORD') }}"
+        OP_SECRET_KEY: "{{ lookup('env','OP_SECRET_KEY') }}"
+        OP_SUBDOMAIN: "{{ lookup('env','OP_SUBDOMAIN') }}"
+        OP_2FA_TOKEN: "{{ lookup('env','OP_2FA_TOKEN') }}"
+
     - name: Run the tests
       block:
         - name: Create item
@@ -38,6 +57,34 @@
               - op.item.title == 'create-test'
               - op.item.category | lower == 'password'
 
+        - name: Delete item (test credentials as arguments)
+          dbildungscloud.onepwd.item:
+            vault: Private
+            credentials: "{{ op_credentials }}"
+            name: create-test
+            category: password
+            state: absent
+          register: op
+        - name: Delete item
+          assert:
+            that:
+              - op.changed
+
+        - name: Re-create item (file credentials as arguments)
+          dbildungscloud.onepwd.item:
+            vault: Private
+            credentials_file: "{{ op_credentials_file }}"
+            name: create-test
+            category: password
+          register: op
+        - name: Re-create item (file credentials as arguments)
+          assert:
+            that:
+              - op.changed
+              - op.item is defined
+              - op.item.title == 'create-test'
+              - op.item.category | lower == 'password'
+
         - name: Item already exists, add fields
           dbildungscloud.onepwd.item:
             vault: Private
@@ -58,6 +105,7 @@
               - op.item.title == 'create-test'
               - op.item.category | lower == 'password'
               - op.item.fields | length >= 2
+
         - name: Item already exists, field already exists (overwrite set to False)
           dbildungscloud.onepwd.item:
             vault: Private
@@ -72,6 +120,7 @@
           assert:
             that:
               - not op.changed
+
         - name: Field have the correct values
           vars:
             fields:
@@ -156,7 +205,21 @@
         - name: Get document
           set_fact:
             onepassword_document: "{{ lookup('dbildungscloud.onepwd.onepwd', secret_name='document-test', vault='Private') }}"
-        - name: Create document
+        - name: Get document
+          assert:
+            that:
+              - onepassword_document == document_original_content
+        - name: Get document
+          set_fact:
+            onepassword_document: "{{ lookup('dbildungscloud.onepwd.onepwd', secret_name='document-test', vault='Private', credentials=op_credentials) }}"
+        - name: Get document credentials as args
+          assert:
+            that:
+              - onepassword_document == document_original_content
+        - name: Get document credentials as file
+          set_fact:
+            onepassword_document: "{{ lookup('dbildungscloud.onepwd.onepwd', secret_name='document-test', vault='Private', credentials_file=op_credentials_file) }}"
+        - name: Get document
           assert:
             that:
               - onepassword_document == document_original_content
@@ -174,12 +237,13 @@
         - name: Get document
           set_fact:
             onepassword_document: "{{ lookup('dbildungscloud.onepwd.onepwd', secret_name='document-test', vault='Private') }}"
-        - name: Create document
+        - name: Get document
           assert:
             that:
               - onepassword_document != document_original_content
               - onepassword_document == document_updated_content
 
+
       always:
         - name: Delete item
           dbildungscloud.onepwd.item:
@@ -198,3 +262,12 @@
             name: document-test
             state: absent
           register: op
+        - name: Delete document
+          assert:
+            that:
+              - op.changed
+          register: op
+        - name: Delete credentials file
+          file:
+            path: "{{ op_credentials_file }}"
+            state: absent
diff --git a/onepwd/plugins/action/create_s3_item.py b/onepwd/plugins/action/create_s3_item.py
@@ -34,7 +34,12 @@ class ActionModule(ActionBase):
 
     def run(self, tmp=None, task_vars=None, **kwargs):
         # Log into OnePassword
-        login_secret=onepwd.get_op_login()
+        if 'credentials' in self._task.args:
+            login_secret=onepwd.get_op_login_from_args(self._task.args.get('credentials'))
+        elif 'credentials_file' in self._task.args:
+            login_secret=onepwd.get_op_login_from_file(self._task.args.get('credentials_file'))
+        else:
+            login_secret=onepwd.get_op_login_from_env()
         session_shorthand=self._task.args.get('session_shorthand', os.getenv('USER'))
         session_timeout=kwargs.get('session_timeout', 30)
         op = onepwd.OnePwd(secret=login_secret, shorthand=session_shorthand, session_timeout=session_timeout)

diff --git a/onepwd/plugins/action/document.py b/onepwd/plugins/action/document.py
@@ -9,7 +9,14 @@
 
 class ActionModule(ActionBase):
     def run(self, tmp=None, task_vars=None, **kwargs):
-        login_secret=onepwd.get_op_login()
+        # Log into OnePassword
+        if 'credentials' in self._task.args:
+            login_secret=onepwd.get_op_login_from_args(self._task.args.get('credentials'))
+        elif 'credentials_file' in self._task.args:
+            login_secret=onepwd.get_op_login_from_file(self._task.args.get('credentials_file'))
+        else:
+            login_secret=onepwd.get_op_login_from_env()
+
         session_shorthand=self._task.args.get('session_shorthand', os.getenv('USER'))
         session_timeout=kwargs.get('session_timeout', 30)
         op = onepwd.OnePwd(secret=login_secret, shorthand=session_shorthand, session_timeout=session_timeout)

diff --git a/onepwd/plugins/action/item.py b/onepwd/plugins/action/item.py
@@ -9,7 +9,14 @@
 
 class ActionModule(ActionBase):
     def run(self, tmp=None, task_vars=None, **kwargs):
-        login_secret=onepwd.get_op_login()
+        # Log into OnePassword
+        if 'credentials' in self._task.args:
+            login_secret=onepwd.get_op_login_from_args(self._task.args.get('credentials'))
+        elif 'credentials_file' in self._task.args:
+            login_secret=onepwd.get_op_login_from_file(self._task.args.get('credentials_file'))
+        else:
+            login_secret=onepwd.get_op_login_from_env()
+
         session_shorthand=self._task.args.get('session_shorthand', os.getenv('USER'))
         session_timeout=kwargs.get('session_timeout', 30)
         op = onepwd.OnePwd(secret=login_secret, shorthand=session_shorthand, session_timeout=session_timeout)

diff --git a/onepwd/plugins/action/share.py b/onepwd/plugins/action/share.py
@@ -9,7 +9,14 @@
 
 class ActionModule(ActionBase):
     def run(self, tmp=None, task_vars=None, **kwargs):
-        login_secret=onepwd.get_op_login()
+        # Log into OnePassword
+        if 'credentials' in self._task.args:
+            login_secret=onepwd.get_op_login_from_args(self._task.args.get('credentials'))
+        elif 'credentials_file' in self._task.args:
+            login_secret=onepwd.get_op_login_from_file(self._task.args.get('credentials_file'))
+        else:
+            login_secret=onepwd.get_op_login_from_env()
+
         session_shorthand=self._task.args.get('session_shorthand', os.getenv('USER'))
         session_timeout=kwargs.get('session_timeout', 30)
         op = onepwd.OnePwd(secret=login_secret, shorthand=session_shorthand, session_timeout=session_timeout)

diff --git a/onepwd/plugins/action/update_s3_values_of_item.py b/onepwd/plugins/action/update_s3_values_of_item.py
@@ -39,7 +39,13 @@ class ActionModule(ActionBase):
 
     def run(self, tmp=None, task_vars=None, **kwargs):
         # Log into OnePassword
-        login_secret=onepwd.get_op_login()
+        if 'credentials' in self._task.args:
+            login_secret=onepwd.get_op_login_from_args(self._task.args.get('credentials'))
+        elif 'credentials_file' in self._task.args:
+            login_secret=onepwd.get_op_login_from_file(self._task.args.get('credentials_file'))
+        else:
+            login_secret=onepwd.get_op_login_from_env()
+
         session_shorthand=self._task.args.get('session_shorthand', os.getenv('USER'))
         session_timeout=kwargs.get('session_timeout', 30)
         op = onepwd.OnePwd(secret=login_secret, shorthand=session_shorthand, session_timeout=session_timeout)

diff --git a/onepwd/plugins/action/upload_s3_secret.py b/onepwd/plugins/action/upload_s3_secret.py
@@ -33,7 +33,13 @@ class ActionModule(ActionBase):
 
     def run(self, tmp=None, task_vars=None, **kwargs):
         # Log into OnePassword
-        login_secret=onepwd.get_op_login()
+        if 'credentials' in self._task.args:
+            login_secret=onepwd.get_op_login_from_args(self._task.args.get('credentials'))
+        elif 'credentials_file' in self._task.args:
+            login_secret=onepwd.get_op_login_from_file(self._task.args.get('credentials_file'))
+        else:
+            login_secret=onepwd.get_op_login_from_env()
+
         session_shorthand=self._task.args.get('session_shorthand', os.getenv('USER'))
         session_timeout=kwargs.get('session_timeout', 30)
         op = onepwd.OnePwd(secret=login_secret, shorthand=session_shorthand, session_timeout=session_timeout)

diff --git a/onepwd/plugins/lookup/onepwd.py b/onepwd/plugins/lookup/onepwd.py
@@ -27,7 +27,14 @@
 class LookupModule(LookupBase):
 
     def run(self, terms, variables=None, **kwargs):
-        login_secret=onepwd.get_op_login()
+        # Log into OnePassword
+        if 'credentials' in kwargs:
+            login_secret=onepwd.get_op_login_from_args(kwargs['credentials'])
+        elif 'credentials_file' in kwargs:
+            login_secret=onepwd.get_op_login_from_file(kwargs['credentials_file'])
+        else:
+            login_secret=onepwd.get_op_login_from_env()
+
         session_shorthand=kwargs.get('session_shorthand', os.getenv('USER'))
         session_timeout=kwargs.get('session_timeout', 30)
         display.debug(u"Session shorthand is %s" % session_shorthand)

diff --git a/onepwd/plugins/modules/document.py b/onepwd/plugins/modules/document.py
@@ -31,6 +31,19 @@
       - Must be set when running in AWX.
     type: str
     default: the USER environment variable
+  credentials:
+    description:
+      - Allows passing credentials as dictionary
+      - dict must contain keys {"OP_EMAIL", "OP_PASSWORD", "OP_SUBDOMAIN", "OP_SECRET_KEY"}
+      - Key OP_2FA_TOKEN is optional
+    type: dict
+  credentials_file:
+    description:
+      - Allows passing credentials as file
+      - The file must be json
+      - The file must contain a dictionary with the keys {"OP_EMAIL", "OP_PASSWORD", "OP_SUBDOMAIN", "OP_SECRET_KEY"}
+      - Key OP_2FA_TOKEN is optional
+    type: dict
 '''
 
 EXAMPLES = r'''
@@ -39,6 +52,25 @@
     vault: "vault"
     name: "name"
     path: /path/to/file
+
+- name: Create Document with credentials dictionary
+  dbildungscloud.onepwd.document:
+    vault: "vault"
+    name: "name"
+    path: /path/to/file
+    credentials: 
+      OP_EMAIL: <email>
+      OP_PASSWORD": <password>
+      OP_SUBDOMAIN": <subdomain>
+      OP_SECRET_KEY": <secret-key>
+      OP_2FA_TOKEN": <2fa-token>
+
+- name: Create Document with credentials file
+  dbildungscloud.onepwd.document:
+    vault: "vault"
+    name: "name"
+    path: /path/to/file
+    credentials_file: path/to/file.json
 '''
 
 RETURN = r'''