diff --git a/lib/ansible/modules/identity/cyberark/__init__.py b/lib/ansible/modules/identity/cyberark/__init__.py
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/lib/ansible/modules/identity/cyberark/cyberark_authentication.py b/lib/ansible/modules/identity/cyberark/cyberark_authentication.py
deleted file mode 100644
index 064a0a33a37..00000000000
--- a/lib/ansible/modules/identity/cyberark/cyberark_authentication.py
+++ /dev/null
@@ -1,310 +0,0 @@ -#!/usr/bin/python -# Copyright: (c) 2017, Ansible Project -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - -from __future__ import absolute_import, division, print_function -__metaclass__ = type - -ANSIBLE_METADATA = {'metadata_version': '1.1', - 'status': ['preview'], - 'supported_by': 'certified'} - -DOCUMENTATION = ''' ---- -module: cyberark_authentication -short_description: Module for CyberArk Vault Authentication using PAS Web Services SDK -author: - - Edward Nunez (@enunez-cyberark) CyberArk BizDev - - Cyberark Bizdev (@cyberark-bizdev) - - erasmix (@erasmix) -version_added: 2.4 -description: - - Authenticates to CyberArk Vault using Privileged Account Security Web Services SDK and - creates a session fact that can be used by other modules. It returns an Ansible fact - called I(cyberark_session). Every module can use this fact as C(cyberark_session) parameter. - - -options: - state: - default: present - choices: [present, absent] - description: - - Specifies if an authentication logon/logoff and a cyberark_session should be added/removed. - username: - description: - - The name of the user who will logon to the Vault. - password: - description: - - The password of the user. - new_password: - description: - - The new password of the user. This parameter is optional, and enables you to change a password. - api_base_url: - description: - - A string containing the base URL of the server hosting CyberArk's Privileged Account Security Web Services SDK. - validate_certs: - type: bool - default: 'yes' - description: - - If C(false), SSL certificates will not be validated. This should only - set to C(false) used on personally controlled sites using self-signed - certificates. - use_shared_logon_authentication: - type: bool - default: 'no' - description: - - Whether or not Shared Logon Authentication will be used. 
- use_radius_authentication: - type: bool - default: 'no' - description: - - Whether or not users will be authenticated via a RADIUS server. Valid values are true/false. - cyberark_session: - description: - - Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session. -''' - -EXAMPLES = ''' -- name: Logon to CyberArk Vault using PAS Web Services SDK - use_shared_logon_authentication - cyberark_authentication: - api_base_url: "{{ web_services_base_url }}" - use_shared_logon_authentication: yes - -- name: Logon to CyberArk Vault using PAS Web Services SDK - Not use_shared_logon_authentication - cyberark_authentication: - api_base_url: "{{ web_services_base_url }}" - username: "{{ password_object.password }}" - password: "{{ password_object.passprops.username }}" - use_shared_logon_authentication: no - -- name: Logoff from CyberArk Vault - cyberark_authentication: - state: absent - cyberark_session: "{{ cyberark_session }}" -''' - -RETURN = ''' -cyberark_session: - description: Authentication facts. - returned: success - type: dict - sample: - api_base_url: - description: Base URL for API calls. Returned in the cyberark_session, so it can be used in subsequent calls. - type: str - returned: always - token: - description: The token that identifies the session, encoded in BASE 64. - type: str - returned: always - use_shared_logon_authentication: - description: Whether or not Shared Logon Authentication was used to establish the session. - type: bool - returned: always - validate_certs: - description: Whether or not SSL certificates should be validated. 
- type: bool - returned: always -''' - -from ansible.module_utils._text import to_text -from ansible.module_utils.basic import AnsibleModule -from ansible.module_utils.urls import open_url -from ansible.module_utils.six.moves.urllib.error import HTTPError -import json -try: - import httplib -except ImportError: - # Python 3 - import http.client as httplib - - -def processAuthentication(module): - - # Getting parameters from module - - api_base_url = module.params["api_base_url"] - validate_certs = module.params["validate_certs"] - username = module.params["username"] - password = module.params["password"] - new_password = module.params["new_password"] - use_shared_logon_authentication = module.params[ - "use_shared_logon_authentication"] - use_radius_authentication = module.params["use_radius_authentication"] - state = module.params["state"] - cyberark_session = module.params["cyberark_session"] - - # if in check mode it will not perform password changes - if module.check_mode and new_password is not None: - new_password = None - - # Defining initial values for open_url call - headers = {'Content-Type': 'application/json'} - payload = "" - - if state == "present": # Logon Action - - # Different end_points based on the use of shared logon authentication - if use_shared_logon_authentication: - - end_point = "/PasswordVault/WebServices/auth/Shared/RestfulAuthenticationService.svc/Logon" - - else: - - end_point = "/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon" - - # The payload will contain username, password - # and optionally use_radius_authentication and new_password - payload_dict = {"username": username, "password": password} - - if use_radius_authentication: - payload_dict["useRadiusAuthentication"] = use_radius_authentication - - if new_password is not None: - payload_dict["newPassword"] = new_password - - payload = json.dumps(payload_dict) - - else: # Logoff Action - - # Get values from cyberark_session already established - 
api_base_url = cyberark_session["api_base_url"] - validate_certs = cyberark_session["validate_certs"] - use_shared_logon_authentication = cyberark_session[ - "use_shared_logon_authentication"] - headers["Authorization"] = cyberark_session["token"] - - # Different end_points based on the use of shared logon authentication - if use_shared_logon_authentication: - end_point = "/PasswordVault/WebServices/auth/Shared/RestfulAuthenticationService.svc/Logoff" - else: - end_point = "/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logoff" - - result = None - changed = False - response = None - - try: - - response = open_url( - api_base_url + end_point, - method="POST", - headers=headers, - data=payload, - validate_certs=validate_certs) - - except (HTTPError, httplib.HTTPException) as http_exception: - - module.fail_json( - msg=("Error while performing authentication." - "Please validate parameters provided, and ability to logon to CyberArk." - "\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, to_text(http_exception))), - payload=payload, - headers=headers, - status_code=http_exception.code) - - except Exception as unknown_exception: - - module.fail_json( - msg=("Unknown error while performing authentication." 
- "\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))), - payload=payload, - headers=headers, - status_code=-1) - - if response.getcode() == 200: # Success - - if state == "present": # Logon Action - - # Result token from REST Api uses a different key based - # the use of shared logon authentication - token = None - try: - if use_shared_logon_authentication: - token = json.loads(response.read())["LogonResult"] - else: - token = json.loads(response.read())["CyberArkLogonResult"] - except Exception as e: - module.fail_json( - msg="Error obtaining token\n%s" % (to_text(e)), - payload=payload, - headers=headers, - status_code=-1) - - # Preparing result of the module - result = { - "cyberark_session": { - "token": token, "api_base_url": api_base_url, "validate_certs": validate_certs, - "use_shared_logon_authentication": use_shared_logon_authentication}, - } - - if new_password is not None: - # Only marks change if new_password was received resulting - # in a password change - changed = True - - else: # Logoff Action clears cyberark_session - - result = { - "cyberark_session": {} - } - - return (changed, result, response.getcode()) - - else: - module.fail_json( - msg="error in end_point=>" + - end_point, - headers=headers) - - -def main(): - - fields = { - "api_base_url": {"type": "str"}, - "validate_certs": {"type": "bool", - "default": "true"}, - "username": {"type": "str"}, - "password": {"type": "str", "no_log": True}, - "new_password": {"type": "str", "no_log": True}, - "use_shared_logon_authentication": {"default": False, "type": "bool"}, - "use_radius_authentication": {"default": False, "type": "bool"}, - "state": {"type": "str", - "choices": ["present", "absent"], - "default": "present"}, - "cyberark_session": {"type": "dict"}, - } - - mutually_exclusive = [ - ["use_shared_logon_authentication", "use_radius_authentication"], - ["use_shared_logon_authentication", "new_password"], - ["api_base_url", "cyberark_session"], - 
 ["cyberark_session", "username", "use_shared_logon_authentication"]
- ]
-
- required_if = [
- ("state", "present", ["api_base_url"]),
- ("state", "absent", ["cyberark_session"])
- ]
-
- required_together = [
- ["username", "password"]
- ]
-
- module = AnsibleModule(
- argument_spec=fields,
- mutually_exclusive=mutually_exclusive,
- required_if=required_if,
- required_together=required_together,
- supports_check_mode=True)
-
- (changed, result, status_code) = processAuthentication(module)
-
- module.exit_json(
- changed=changed,
- ansible_facts=result,
- status_code=status_code)
-
-
-if __name__ == '__main__':
- main()
diff --git a/lib/ansible/modules/identity/cyberark/cyberark_user.py b/lib/ansible/modules/identity/cyberark/cyberark_user.py
deleted file mode 100644
index a2dd6ecd1b3..00000000000
--- a/lib/ansible/modules/identity/cyberark/cyberark_user.py
+++ /dev/null
@@ -1,470 +0,0 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*- - -# Copyright: (c) 2017, Ansible Project -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - -from __future__ import absolute_import, division, print_function -__metaclass__ = type - -ANSIBLE_METADATA = {'metadata_version': '1.1', - 'status': ['preview'], - 'supported_by': 'certified'} - -DOCUMENTATION = r''' ---- -module: cyberark_user -short_description: Module for CyberArk User Management using PAS Web Services SDK -author: - - Edward Nunez (@enunez-cyberark) CyberArk BizDev - - Cyberark Bizdev (@cyberark-bizdev) - - erasmix (@erasmix) -version_added: 2.4 -description: - - CyberArk User Management using PAS Web Services SDK. - - It currently supports the following actions Get User Details, Add User, Update User, Delete User. - -options: - username: - description: - - The name of the user who will be queried (for details), added, updated or deleted. - type: str - required: True - state: - description: - - Specifies the state needed for the user present for create user, absent for delete user. - type: str - choices: [ absent, present ] - default: present - cyberark_session: - description: - - Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session, - please see M(cyberark_authentication) module for an example of cyberark_session. - type: dict - required: True - initial_password: - description: - - The password that the new user will use to log on the first time. - - This password must meet the password policy requirements. - - This parameter is required when state is present -- Add User. - type: str - new_password: - description: - - The user updated password. Make sure that this password meets the password policy requirements. - type: str - email: - description: - - The user email address. - type: str - first_name: - description: - - The user first name. 
- type: str - last_name: - description: - - The user last name. - type: str - change_password_on_the_next_logon: - description: - - Whether or not the user must change their password in their next logon. - type: bool - default: no - expiry_date: - description: - - The date and time when the user account will expire and become disabled. - type: str - user_type_name: - description: - - The type of user. - - The parameter defaults to C(EPVUser). - type: str - disabled: - description: - - Whether or not the user will be disabled. - type: bool - default: no - location: - description: - - The Vault Location for the user. - type: str - group_name: - description: - - The name of the group the user will be added to. - type: str -''' - -EXAMPLES = r''' -- name: Logon to CyberArk Vault using PAS Web Services SDK - cyberark_authentication: - api_base_url: https://components.cyberark.local - use_shared_logon_authentication: yes - -- name: Create user & immediately add it to a group - cyberark_user: - username: username - initial_password: password - user_type_name: EPVUser - change_password_on_the_next_logon: no - group_name: GroupOfUser - state: present - cyberark_session: '{{ cyberark_session }}' - -- name: Make sure user is present and reset user credential if present - cyberark_user: - username: Username - new_password: password - disabled: no - state: present - cyberark_session: '{{ cyberark_session }}' - -- name: Logoff from CyberArk Vault - cyberark_authentication: - state: absent - cyberark_session: '{{ cyberark_session }}' -''' - -RETURN = r''' -changed: - description: Whether there was a change done. - type: bool - returned: always -cyberark_user: - description: Dictionary containing result properties. 
- returned: always - type: dict - sample: - result: - description: user properties when state is present - type: dict - returned: success -status_code: - description: Result HTTP Status code - returned: success - type: int - sample: 200 -''' - -import json - -from ansible.module_utils.basic import AnsibleModule -from ansible.module_utils._text import to_text -from ansible.module_utils.six.moves import http_client as httplib -from ansible.module_utils.six.moves.urllib.error import HTTPError -from ansible.module_utils.urls import open_url - - -def user_details(module): - - # Get username from module parameters, and api base url - # along with validate_certs from the cyberark_session established - username = module.params["username"] - cyberark_session = module.params["cyberark_session"] - api_base_url = cyberark_session["api_base_url"] - validate_certs = cyberark_session["validate_certs"] - - # Prepare result, end_point, and headers - result = {} - end_point = "/PasswordVault/WebServices/PIMServices.svc/Users/{0}".format( - username) - headers = {'Content-Type': 'application/json'} - headers["Authorization"] = cyberark_session["token"] - - try: - - response = open_url( - api_base_url + end_point, - method="GET", - headers=headers, - validate_certs=validate_certs) - result = {"result": json.loads(response.read())} - - return (False, result, response.getcode()) - - except (HTTPError, httplib.HTTPException) as http_exception: - - if http_exception.code == 404: - return (False, None, http_exception.code) - else: - module.fail_json( - msg=("Error while performing user_details." - "Please validate parameters provided." - "\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, to_text(http_exception))), - headers=headers, - status_code=http_exception.code) - - except Exception as unknown_exception: - - module.fail_json( - msg=("Unknown error while performing user_details." 
- "\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))), - headers=headers, - status_code=-1) - - -def user_add_or_update(module, HTTPMethod): - - # Get username from module parameters, and api base url - # along with validate_certs from the cyberark_session established - username = module.params["username"] - cyberark_session = module.params["cyberark_session"] - api_base_url = cyberark_session["api_base_url"] - validate_certs = cyberark_session["validate_certs"] - - # Prepare result, payload, and headers - result = {} - payload = {} - headers = {'Content-Type': 'application/json', - "Authorization": cyberark_session["token"]} - - # end_point and payload sets different depending on POST/PUT - # for POST -- create -- payload contains username - # for PUT -- update -- username is part of the endpoint - if HTTPMethod == "POST": - end_point = "/PasswordVault/WebServices/PIMServices.svc/Users" - payload["UserName"] = username - elif HTTPMethod == "PUT": - end_point = "/PasswordVault/WebServices/PIMServices.svc/Users/{0}" - end_point = end_point.format(username) - - # --- Optionally populate payload based on parameters passed --- - if "initial_password" in module.params: - payload["InitialPassword"] = module.params["initial_password"] - - if "new_password" in module.params: - payload["NewPassword"] = module.params["new_password"] - - if "email" in module.params: - payload["Email"] = module.params["email"] - - if "first_name" in module.params: - payload["FirstName"] = module.params["first_name"] - - if "last_name" in module.params: - payload["LastName"] = module.params["last_name"] - - if "change_password_on_the_next_logon" in module.params: - if module.params["change_password_on_the_next_logon"]: - payload["ChangePasswordOnTheNextLogon"] = "true" - else: - payload["ChangePasswordOnTheNextLogon"] = "false" - - if "expiry_date" in module.params: - payload["ExpiryDate"] = module.params["expiry_date"] - - if "user_type_name" in module.params: - 
payload["UserTypeName"] = module.params["user_type_name"] - - if "disabled" in module.params: - if module.params["disabled"]: - payload["Disabled"] = "true" - else: - payload["Disabled"] = "false" - - if "location" in module.params: - payload["Location"] = module.params["location"] - # -------------------------------------------------------------- - - try: - - # execute REST action - response = open_url( - api_base_url + end_point, - method=HTTPMethod, - headers=headers, - data=json.dumps(payload), - validate_certs=validate_certs) - - result = {"result": json.loads(response.read())} - - return (True, result, response.getcode()) - - except (HTTPError, httplib.HTTPException) as http_exception: - - module.fail_json( - msg=("Error while performing user_add_or_update." - "Please validate parameters provided." - "\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, to_text(http_exception))), - payload=payload, - headers=headers, - status_code=http_exception.code) - - except Exception as unknown_exception: - - module.fail_json( - msg=("Unknown error while performing user_add_or_update." 
- "\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))), - payload=payload, - headers=headers, - status_code=-1) - - -def user_delete(module): - - # Get username from module parameters, and api base url - # along with validate_certs from the cyberark_session established - username = module.params["username"] - cyberark_session = module.params["cyberark_session"] - api_base_url = cyberark_session["api_base_url"] - validate_certs = cyberark_session["validate_certs"] - - # Prepare result, end_point, and headers - result = {} - end_point = "/PasswordVault/WebServices/PIMServices.svc/Users/{0}".format( - username) - - headers = {'Content-Type': 'application/json'} - headers["Authorization"] = cyberark_session["token"] - - try: - - # execute REST action - response = open_url( - api_base_url + end_point, - method="DELETE", - headers=headers, - validate_certs=validate_certs) - - result = {"result": {}} - - return (True, result, response.getcode()) - - except (HTTPError, httplib.HTTPException) as http_exception: - - exception_text = to_text(http_exception) - if http_exception.code == 404 and "ITATS003E" in exception_text: - # User does not exist - result = {"result": {}} - return (False, result, http_exception.code) - else: - module.fail_json( - msg=("Error while performing user_delete." - "Please validate parameters provided." - "\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, exception_text)), - headers=headers, - status_code=http_exception.code) - - except Exception as unknown_exception: - - module.fail_json( - msg=("Unknown error while performing user_delete." 
- "\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))), - headers=headers, - status_code=-1) - - -def user_add_to_group(module): - - # Get username, and groupname from module parameters, and api base url - # along with validate_certs from the cyberark_session established - username = module.params["username"] - group_name = module.params["group_name"] - cyberark_session = module.params["cyberark_session"] - api_base_url = cyberark_session["api_base_url"] - validate_certs = cyberark_session["validate_certs"] - - # Prepare result, end_point, headers and payload - result = {} - end_point = "/PasswordVault/WebServices/PIMServices.svc//Groups/{0}/Users".format( - group_name) - - headers = {'Content-Type': 'application/json'} - headers["Authorization"] = cyberark_session["token"] - payload = {"UserName": username} - - try: - - # execute REST action - response = open_url( - api_base_url + end_point, - method="POST", - headers=headers, - data=json.dumps(payload), - validate_certs=validate_certs) - - result = {"result": {}} - - return (True, result, response.getcode()) - - except (HTTPError, httplib.HTTPException) as http_exception: - - exception_text = to_text(http_exception) - if http_exception.code == 409 and "ITATS262E" in exception_text: - # User is already member of Group - return (False, None, http_exception.code) - else: - module.fail_json( - msg=("Error while performing user_add_to_group." - "Please validate parameters provided." - "\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, exception_text)), - payload=payload, - headers=headers, - status_code=http_exception.code) - - except Exception as unknown_exception: - - module.fail_json( - msg=("Unknown error while performing user_add_to_group." 
- "\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))), - payload=payload, - headers=headers, - status_code=-1) - - -def main(): - - module = AnsibleModule( - argument_spec=dict( - username=dict(type='str', required=True), - state=dict(type='str', default='present', choices=['absent', 'present']), - cyberark_session=dict(type='dict', required=True), - initial_password=dict(type='str', no_log=True), - new_password=dict(type='str', no_log=True), - email=dict(type='str'), - first_name=dict(type='str'), - last_name=dict(type='str'), - change_password_on_the_next_logon=dict(type='bool'), - expiry_date=dict(type='str'), - user_type_name=dict(type='str'), - disabled=dict(type='bool'), - location=dict(type='str'), - group_name=dict(type='str'), - ), - ) - - state = module.params['state'] - new_password = module.params['new_password'] - group_name = module.params['group_name'] - - if (state == "present"): - (changed, result, status_code) = user_details(module) - - if (status_code == 200): - # User already exists - - # If new_password specified, proceed to update user credential - if (new_password is not None): - (changed, result, status_code) = user_add_or_update(module, "PUT") - - if (group_name is not None): - # If user exists, add to group if needed - (changed, ignored_result, ignored_status_code) = user_add_to_group(module) - - elif (status_code == 404): - # User does not exist, proceed to create it - (changed, result, status_code) = user_add_or_update(module, "POST") - - if (status_code == 201 and group_name is not None): - # If user was created, add to group if needed - (changed, ignored_result, ignored_status_code) = user_add_to_group(module) - - elif (state == "absent"): - (changed, result, status_code) = user_delete(module) - - module.exit_json( - changed=changed, - cyberark_user=result, - status_code=status_code) - - -if __name__ == '__main__': - main() 
diff --git a/test/sanity/ignore.txt b/test/sanity/ignore.txt
index fa5c130eab8..6d7ca43060e 100644
--- a/test/sanity/ignore.txt
+++ b/test/sanity/ignore.txt
@@ -1031,7 +1031,6 @@ lib/ansible/modules/files/stat.py validate-modules:parameter-type-not-in-doc
 lib/ansible/modules/files/stat.py validate-modules:undocumented-parameter
 lib/ansible/modules/files/unarchive.py validate-modules:nonexistent-parameter-documented
 lib/ansible/modules/files/unarchive.py validate-modules:parameter-list-no-elements
-lib/ansible/modules/identity/cyberark/cyberark_authentication.py validate-modules:parameter-type-not-in-doc
 lib/ansible/modules/net_tools/basics/get_url.py validate-modules:parameter-type-not-in-doc
 lib/ansible/modules/net_tools/basics/uri.py pylint:blacklisted-name
 lib/ansible/modules/net_tools/basics/uri.py validate-modules:doc-required-mismatch