From f653556056cf40bfa40588b62d8acc8342423865 Mon Sep 17 00:00:00 2001
From: Angel Moo <67758421+angelmoo@users.noreply.github.com>
Date: Thu, 8 Oct 2020 16:06:38 -0500
Subject: [PATCH] Transition from Username/Password to Token Auth for TPP (#31)

* Fix for: VEN-60639 Ansible Role - Transition from Username/Password to Token Auth for TPP
* updating ansible-role to use Vcert-Python 0.9.0
* modfied code format and updated test file, so now test lint and unit-test are working as expected
* updating venafi_connection and set parameter fake=self.test_mode
---
 library/venafi_certificate.py | 39 +++++++++++++++++++++++++-------
 molecule/default/playbook.yml | 9 +++++++-
 requirements.txt | 2 +-
 tasks/local-certificate.yml | 1 +
 tasks/remote-certificate.yml | 1 +
 tests/test_venafi_certificate.py | 1 +
 6 files changed, 43 insertions(+), 10 deletions(-)
 mode change 100644 => 100755 library/venafi_certificate.py

diff --git a/library/venafi_certificate.py b/library/venafi_certificate.py
old mode 100644
new mode 100755
index 3c0c7e3..5fb6d27
--- a/library/venafi_certificate.py
+++ b/library/venafi_certificate.py
@@ -26,7 +26,8 @@
 HAS_VCERT = HAS_CRYPTOGRAPHY = True
 try:
- from vcert import CertificateRequest, Connection, KeyType
+ from vcert import CertificateRequest, Connection, KeyType,\
+ venafi_connection
 except ImportError:
 HAS_VCERT = False
 try:
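Review bot: Style: the widened import on the `+` lines uses a backslash continuation, which PEP 8 discourages in favour of parentheses; `from vcert import (CertificateRequest, Connection, KeyType,` / `venafi_connection)` is the conventional form and is not broken by trailing whitespace. Since `venafi_connection` only exists from vcert 0.9.0 (the version requirements.txt now pins), an older installed vcert now lands in the same `except ImportError` branch as a missing package; if the message reported when HAS_VCERT is False (outside this hunk) names the dependency, it should state the 0.9.0 minimum so the failure is diagnosable.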
@@ -288,12 +289,19 @@ def __init__(self, module):
 self.test_mode = module.params['test_mode']
 self.url = module.params['url']
 self.password = module.params['password']
+ self.access_token = module.params['access_token']
 self.token = module.params['token']
 self.user = module.params['user']
 self.zone = module.params['zone']
 self.privatekey_filename = module.params['privatekey_path']
 self.certificate_filename = module.params['cert_path']
 self.privatekey_type = module.params['privatekey_type']
+
+ if self.user != "":
+ module.warn("User is deprecated use access token instead")
+ if self.password != "":
+ module.warn("Password is deprecated use access token instead")
+
 if module.params['privatekey_curve']:
 if not module.params['privatekey_type']:
 module.fail_json(
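Review bot: The deprecation checks `if self.user != "":` and `if self.password != "":` test for the argspec default rather than for a supplied value, so any other falsy value (None, which the test-suite's FakeModule returns for unset params through its defaultdict) also triggers the warning; `if self.user:` / `if self.password:` warns only when a credential was actually given. The message wording also reads as a run-on and does not name the option a playbook author must change: `module.warn("'user' is deprecated; use 'access_token' instead")`, and the same for `password`. `__init__` continues outside this hunk.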
@@ -333,14 +341,27 @@ def __init__(self, module): msg="Failed to determine extension type: %s" % n) trust_bundle = module.params['trust_bundle'] if trust_bundle: - self.conn = Connection( - url=self.url, token=self.token, password=self.password, - user=self.user, fake=self.test_mode, - http_request_kwargs={"verify": trust_bundle}) + if self.access_token and self.access_token != "": + self.conn = venafi_connection( + url=self.url, user=None, password=None, + access_token=self.access_token, + refresh_token=None, + http_request_kwargs={"verify": trust_bundle}, + api_key=None, fake=self.test_mode) + else: + self.conn = Connection( + url=self.url, token=self.token, password=self.password, + user=self.user, fake=self.test_mode, + http_request_kwargs={"verify": trust_bundle}) else: - self.conn = Connection( - url=self.url, token=self.token, fake=self.test_mode, - user=self.user, password=self.password) + if self.access_token and self.access_token != "": + self.conn = venafi_connection( + url=self.url, access_token=self.access_token, + user=None, password=None, api_key=None, fake=self.test_mode) + else: + self.conn = Connection( + url=self.url, token=self.token, fake=self.test_mode, + user=self.user, password=self.password) self.before_expired_hours = module.params['before_expired_hours'] def check_dirs_existed(self): @@ -670,6 +691,8 @@ def main(): url=dict(type='str', required=False, default=''), password=dict(type='str', required=False, default='', no_log=True), token=dict(type='str', required=False, default='', no_log=True), + access_token=dict(type='str', required=False, + default='', no_log=True), user=dict(type='str', required=False, default='', no_log=True), zone=dict(type='str', required=False, default=''), log_verbose=dict(type='str', required=False, default=''), diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml index dd857fa..13414ce 100644 --- a/molecule/default/playbook.yml +++ b/molecule/default/playbook.yml 
@@ -38,10 +38,14 @@
 # This tasks needed only for certificate verification
 tasks:
+ - name: "Install future library"
+ pip:
+ name:
+ - future
 - name: "Install vcert for verification"
 pip:
 name:
- - vcert==0.7.0
+ - vcert==0.9.0
 - name: "Verify Venafi certificate on remote host"
 venafi_certificate:
@@ -51,6 +55,7 @@
 test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
 user: "{{ venafi.user | default(omit) }}"
 password: "{{ venafi.password | default(omit) }}"
+ access_token: "{{ venafi.access_token | default(omit) }}"
 trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
 cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}"
 chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}"
@@ -72,6 +77,7 @@
 test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
 user: "{{ venafi.user | default(omit) }}"
 password: "{{ venafi.password | default(omit) }}"
+ access_token: "{{ venafi.access_token | default(omit) }}"
 trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
 cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}"
 chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}"
@@ -98,6 +104,7 @@
 test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
 user: "{{ venafi.user | default(omit) }}"
 password: "{{ venafi.password | default(omit) }}"
+ access_token: "{{ venafi.access_token | default(omit) }}"
 trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
 cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}"
 chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}"
diff --git a/requirements.txt b/requirements.txt
index a682dd6..d50a71e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,3 @@
-vcert~=0.8.0
+vcert~=0.9.0
 ansible
 cryptography
\ No newline at end of file
diff --git a/tasks/local-certificate.yml b/tasks/local-certificate.yml
index d802f1b..2b13fd6 100644
--- a/tasks/local-certificate.yml
+++ b/tasks/local-certificate.yml
@@ -18,6 +18,7 @@
 test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
 user: "{{ venafi.user | default(omit) }}"
 password: "{{ venafi.password | default(omit) }}"
+ access_token: "{{ venafi.access_token | default(omit) }}"
 trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
 cert_path: "{{ certificate_cert_path }}"
 chain_path: "{{ certificate_chain_path | default(omit) }}"
diff --git a/tasks/remote-certificate.yml b/tasks/remote-certificate.yml
index 9ad86d6..92191a9 100644
--- a/tasks/remote-certificate.yml
+++ b/tasks/remote-certificate.yml
@@ -8,6 +8,7 @@
 test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
 user: "{{ venafi.user | default(omit) }}"
 password: "{{ venafi.password | default(omit) }}"
+ access_token: "{{ venafi.access_token | default(omit) }}"
 trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
 cert_path: "{{ certificate_cert_path }}"
 chain_path: "{{ certificate_chain_path | default(omit) }}"
diff --git a/tests/test_venafi_certificate.py b/tests/test_venafi_certificate.py
index 6fe5170..8393de7 100644
--- a/tests/test_venafi_certificate.py
+++ b/tests/test_venafi_certificate.py
@@ -20,6 +20,7 @@ class FakeModule(object):
 def __init__(self, asset):
 self.fail_code = None
 self.exit_code = None
+ self.warn = str
 self.params = defaultdict(lambda: None)
 self.params["cert_path"] = CERT_PATH
 self.params["chain_path"] = CHAIN_PATH
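Review bot: `self.warn = str` makes the fake swallow the deprecation warnings, so no test can assert that they fire for a legacy login or stay silent for a token login; recording them costs two lines, `self.warnings = []` and `self.warn = self.warnings.append`, and keeps the one-argument call shape the module uses. Because `params` here defaults to None, the module's `!= ""` deprecation checks will emit both warnings in any test that does not set `user` and `password`, which is presumably what made this stub necessary; a truthiness check in the module would remove that coupling. `FakeModule.__init__` appears to continue past the hunk.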