Example #1
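    def run(self, terms, variables, **kwargs):
        """Look up each requested secret in DevOps Secrets Vault.

        Args:
            terms: Secret paths to fetch. Leading ``[``, ``/``, ``:`` and ``]``
                characters are stripped from each term before the lookup.
            variables: Passed to ``set_options`` as ``var_options``.
            **kwargs: Passed to ``set_options`` as ``direct``.

        Returns:
            A list with the ``get_secret_json`` result for every term, in the
            order the terms were given.

        Raises:
            AnsibleOptionsError: A term is empty once its prefix is stripped.
            AnsibleError: The vault client raised ``SecretsVaultError``.
        """
        self.set_options(var_options=variables, direct=kwargs)

        vault = SecretsVault(
            tenant=self.get_option("tenant"),
            client_id=self.get_option("client_id"),
            client_secret=self.get_option("client_secret"),
            url_template=self.get_option("url_template"),
        )
        result = []

        for term in terms:
            display.debug("dsv_lookup term: %s" % term)
            try:
                # str.lstrip takes a set of characters, not a pattern: any
                # leading run of '[', '/', ':' or ']' is removed.
                path = term.lstrip("[/:]")

                if path == "":
                    raise AnsibleOptionsError("Invalid secret path: %s" % term)

                display.vvv(u"DevOps Secrets Vault GET /secrets/%s" % path)
                result.append(vault.get_secret_json(path))
            except SecretsVaultError as error:
                raise AnsibleError("DevOps Secrets Vault lookup failure: %s" %
                                   error.message)
        # Report only how many secrets were fetched: the payloads are secret
        # material and must not be written to debug output.
        display.debug(u"dsv_lookup result: %d secret(s) retrieved" % len(result))
        return result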
Example #2
 def Client(vault_parameters):
     """Build a ``SecretsVault`` from ``vault_parameters`` used as keyword arguments.

     Any ``TypeError`` raised by the constructor is replaced with an
     ``AnsibleError`` telling the user to install python-dsv-sdk==0.0.1.
     NOTE(review): presumably the TypeError signals an SDK release whose
     constructor has a different signature -- confirm. A TypeError caused by
     wrong parameters would get the same message.
     """
     try:
         client = SecretsVault(**vault_parameters)
     except TypeError:
         raise AnsibleError(
             "python-dsv-sdk==0.0.1 must be installed to use this plugin")
     else:
         return client
Example #3
def main():
    """Fetch ``/test/sdk/simple`` with password-grant credentials and print it.

    A ``SecretsVaultAccessError`` prints the exception's ``message``; any
    other ``SecretsVaultError`` prints the error's ``response.text``.
    """
    try:
        grant = PasswordGrantAuthorizer(BASE_URL, CLIENT_ID, CLIENT_SECRET)
        client = SecretsVault(BASE_URL, grant)
        payload = client.get_secret("/test/sdk/simple")
        secret = VaultSecret(**payload)

        # Demonstration output: this writes the secret's password to stdout.
        print(f"""
        username: {secret.data['username']}
        password: {secret.data['password']}
        """)
    except SecretsVaultAccessError as access_error:
        print(access_error.message)
    except SecretsVaultError as vault_error:
        print(vault_error.response.text)
Example #4
 def Client(vault_parameters):
     """Return a ``SecretsVault`` built from ``vault_parameters`` as keyword arguments."""
     client = SecretsVault(**vault_parameters)
     return client
Example #5
            'type': 'string',
            'secret': True,
        },
    ],
    'metadata': [
        {
            'id': 'path',
            'label': _('Secret Path'),
            'type': 'string',
            'help_text': _('The secret path e.g. /test/secret1'),
        },
    ],
    'required': ['tenant', 'client_id', 'client_secret', 'path'],
}

# The endpoint template is offered as an input only when DEBUG is enabled.
# NOTE(review): presumably this keeps non-debug deployments from sending the
# client credentials to an arbitrary endpoint -- confirm.
if settings.DEBUG:
    dsv_inputs['fields'].append(
        dict(
            id='url_template',
            label=_('URL template'),
            type='string',
            default='https://{}.secretsvaultcloud.{}/v1',
        )
    )

# Backend callable: only the inputs whose id is declared under
# dsv_inputs['fields'] are passed to the SecretsVault constructor; the secret
# is then fetched at kwargs['path'].
dsv_plugin = CredentialPlugin(
    'Thycotic DevOps Secrets Vault',
    dsv_inputs,
    lambda **kwargs: SecretsVault(
        **{
            name: value
            for name, value in kwargs.items()
            if name in [entry['id'] for entry in dsv_inputs['fields']]
        }
    ).get_secret(kwargs['path']),
)
Example #6
def test_access_token_authorizer(authorizer, env_vars):
    """Check that a secret can be fetched with an already issued access token."""
    issued_token = authorizer.get_access_token()
    base_url = env_vars["base_url"]
    client = SecretsVault(base_url, AccessTokenAuthorizer(issued_token))
    fetched = VaultSecret(**client.get_secret("test/sdk/simple"))
    # The id must be 36 characters long (presumably a UUID string -- confirm).
    assert len(fetched.id) == 36
Example #7
def vault(authorizer, env_vars):
    """Return a ``SecretsVault`` for ``env_vars["base_url"]`` that uses ``authorizer``."""
    base_url = env_vars["base_url"]
    return SecretsVault(base_url, authorizer)
Example #8
import json

from thycotic.secrets.dataclasses import VaultSecret
from thycotic.secrets.vault import (
    SecretsVault,
    SecretsVaultAccessError,
    SecretsVaultError,
)

if __name__ == "__main__":
    # The client's constructor arguments are read from a local JSON file.
    # NOTE(review): that file presumably holds the client credentials, so it
    # should stay out of version control and be readable only by its owner.
    with open("test_vault.json") as config_file:
        settings = json.load(config_file)
        vault = SecretsVault(**settings)
    try:
        payload = vault.get_secret("/test/secret")
        secret = VaultSecret(**payload)
        # Demonstration output: this writes the secret's password to stdout.
        print(f"""username: {secret.data['username']}
password: {secret.data['password']}""")
    except SecretsVaultAccessError as access_error:
        print(access_error.message)
    except SecretsVaultError as vault_error:
        print(vault_error.response.text)
Example #9
def vault(json):
    """Return a ``SecretsVault`` built from the ``json`` mapping as keyword arguments."""
    client = SecretsVault(**json)
    return client