Transition from Username/Password to Token Auth for TPP (#31)

* Fix for: VEN-60639 Ansible Role - Transition from Username/Password to Token Auth for TPP * updating ansible-role to use Vcert-Python 0.9.0 * modfied code format and updated test file, so now test lint and unit-test are working as expected * updating venafi_connection and set parameter fake=self.test_mode
Venafi · Oct 8, 2020 · f653556 · f653556
1 parent 98e77e4
commit f653556
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 10 deletions.
diff --git a/library/venafi_certificate.py b/library/venafi_certificate.py
@@ -26,7 +26,8 @@
 
 HAS_VCERT = HAS_CRYPTOGRAPHY = True
 try:
-    from vcert import CertificateRequest, Connection, KeyType
+    from vcert import CertificateRequest, Connection, KeyType,\
+        venafi_connection
 except ImportError:
     HAS_VCERT = False
 try:
@@ -288,12 +289,19 @@ def __init__(self, module):
         self.test_mode = module.params['test_mode']
         self.url = module.params['url']
         self.password = module.params['password']
+        self.access_token = module.params['access_token']
         self.token = module.params['token']
         self.user = module.params['user']
         self.zone = module.params['zone']
         self.privatekey_filename = module.params['privatekey_path']
         self.certificate_filename = module.params['cert_path']
         self.privatekey_type = module.params['privatekey_type']
+
+        if self.user != "":
+            module.warn("User is deprecated use access token instead")
+        if self.password != "":
+            module.warn("Password is deprecated use access token instead")
+
         if module.params['privatekey_curve']:
             if not module.params['privatekey_type']:
                 module.fail_json(
@@ -333,14 +341,27 @@ def __init__(self, module):
                         msg="Failed to determine extension type: %s" % n)
         trust_bundle = module.params['trust_bundle']
         if trust_bundle:
-            self.conn = Connection(
-                url=self.url, token=self.token, password=self.password,
-                user=self.user, fake=self.test_mode,
-                http_request_kwargs={"verify": trust_bundle})
+            if self.access_token and self.access_token != "":
+                self.conn = venafi_connection(
+                    url=self.url, user=None, password=None,
+                    access_token=self.access_token,
+                    refresh_token=None,
+                    http_request_kwargs={"verify": trust_bundle},
+                    api_key=None, fake=self.test_mode)
+            else:
+                self.conn = Connection(
+                 url=self.url, token=self.token, password=self.password,
+                 user=self.user, fake=self.test_mode,
+                 http_request_kwargs={"verify": trust_bundle})
         else:
-            self.conn = Connection(
-                url=self.url, token=self.token, fake=self.test_mode,
-                user=self.user, password=self.password)
+            if self.access_token and self.access_token != "":
+                self.conn = venafi_connection(
+                   url=self.url, access_token=self.access_token,
+                   user=None, password=None, api_key=None, fake=self.test_mode)
+            else:
+                self.conn = Connection(
+                  url=self.url, token=self.token, fake=self.test_mode,
+                  user=self.user, password=self.password)
         self.before_expired_hours = module.params['before_expired_hours']
 
     def check_dirs_existed(self):
@@ -670,6 +691,8 @@ def main():
             url=dict(type='str', required=False, default=''),
             password=dict(type='str', required=False, default='', no_log=True),
             token=dict(type='str', required=False, default='', no_log=True),
+            access_token=dict(type='str', required=False,
+                              default='', no_log=True),
             user=dict(type='str', required=False, default='', no_log=True),
             zone=dict(type='str', required=False, default=''),
             log_verbose=dict(type='str', required=False, default=''),

diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml
@@ -38,10 +38,14 @@
 
   #  This tasks needed only for certificate verification
   tasks:
+    - name: "Install future library"
+      pip:
+        name:
+          - future
     - name: "Install vcert for verification"
       pip:
         name:
-          - vcert==0.7.0
+          - vcert==0.9.0
 
     - name: "Verify Venafi certificate on remote host"
       venafi_certificate:
@@ -51,6 +55,7 @@
         test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
         user: "{{ venafi.user | default(omit) }}"
         password: "{{ venafi.password | default(omit) }}"
+        access_token: "{{ venafi.access_token | default(omit) }}"
         trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
         cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path  is defined else certificate_cert_path }}"
         chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}"
@@ -72,6 +77,7 @@
         test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
         user: "{{ venafi.user | default(omit) }}"
         password: "{{ venafi.password | default(omit) }}"
+        access_token: "{{ venafi.access_token | default(omit) }}"
         trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
         cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path  is defined else certificate_cert_path }}"
         chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}"
@@ -98,6 +104,7 @@
         test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
         user: "{{ venafi.user | default(omit) }}"
         password: "{{ venafi.password | default(omit) }}"
+        access_token: "{{ venafi.access_token | default(omit) }}"
         trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
         cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path  is defined else certificate_cert_path }}"
         chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}"

diff --git a/requirements.txt b/requirements.txt
@@ -1,3 +1,3 @@
-vcert~=0.8.0
+vcert~=0.9.0
 ansible
 cryptography
diff --git a/tasks/local-certificate.yml b/tasks/local-certificate.yml
@@ -18,6 +18,7 @@
     test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
     user: "{{ venafi.user | default(omit) }}"
     password: "{{ venafi.password | default(omit) }}"
+    access_token: "{{ venafi.access_token | default(omit) }}"
     trust_bundle: "{{ venafi.trust_bundle  | default(omit) }}"
     cert_path: "{{ certificate_cert_path }}"
     chain_path: "{{ certificate_chain_path | default(omit) }}"

diff --git a/tasks/remote-certificate.yml b/tasks/remote-certificate.yml
@@ -8,6 +8,7 @@
     test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
     user: "{{ venafi.user | default(omit) }}"
     password: "{{ venafi.password | default(omit) }}"
+    access_token: "{{ venafi.access_token | default(omit) }}"
     trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
     cert_path: "{{ certificate_cert_path }}"
     chain_path: "{{ certificate_chain_path | default(omit) }}"

diff --git a/tests/test_venafi_certificate.py b/tests/test_venafi_certificate.py
@@ -20,6 +20,7 @@ class FakeModule(object):
     def __init__(self, asset):
         self.fail_code = None
         self.exit_code = None
+        self.warn =  str
         self.params = defaultdict(lambda: None)
         self.params["cert_path"] = CERT_PATH
         self.params["chain_path"] = CHAIN_PATH