cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Migrated to cyberark.bizdev

Browse source
This commit is contained in:
Ansible Core Team 2020-03-09 09:40:36 +00:00 committed by Matt Martz
parent b82d084e90
commit fb696bf66b
4 changed files with 0 additions and 781 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
lib/ansible/modules/identity/cyberark/__init__.py
View file

310
lib/ansible/modules/identity/cyberark/cyberark_authentication.py
View file

@ -1,310 +0,0 @@
#!/usr/bin/python
# Copyright: (c) 2017, Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'certified'}
DOCUMENTATION = '''
---
module: cyberark_authentication
short_description: Module for CyberArk Vault Authentication using PAS Web Services SDK
author:
- Edward Nunez (@enunez-cyberark) CyberArk BizDev
- Cyberark Bizdev (@cyberark-bizdev)
- erasmix (@erasmix)
version_added: 2.4
description:
- Authenticates to CyberArk Vault using Privileged Account Security Web Services SDK and
creates a session fact that can be used by other modules. It returns an Ansible fact
called I(cyberark_session). Every module can use this fact as C(cyberark_session) parameter.
options:
state:
default: present
choices: [present, absent]
description:
- Specifies if an authentication logon/logoff and a cyberark_session should be added/removed.
username:
description:
- The name of the user who will logon to the Vault.
password:
description:
- The password of the user.
new_password:
description:
- The new password of the user. This parameter is optional, and enables you to change a password.
api_base_url:
description:
- A string containing the base URL of the server hosting CyberArk's Privileged Account Security Web Services SDK.
validate_certs:
type: bool
default: 'yes'
description:
- If C(false), SSL certificates will not be validated. This should only
set to C(false) used on personally controlled sites using self-signed
certificates.
use_shared_logon_authentication:
type: bool
default: 'no'
description:
- Whether or not Shared Logon Authentication will be used.
use_radius_authentication:
type: bool
default: 'no'
description:
- Whether or not users will be authenticated via a RADIUS server. Valid values are true/false.
cyberark_session:
description:
- Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session.
'''
EXAMPLES = '''
- name: Logon to CyberArk Vault using PAS Web Services SDK - use_shared_logon_authentication
cyberark_authentication:
api_base_url: "{{ web_services_base_url }}"
use_shared_logon_authentication: yes
- name: Logon to CyberArk Vault using PAS Web Services SDK - Not use_shared_logon_authentication
cyberark_authentication:
api_base_url: "{{ web_services_base_url }}"
username: "{{ password_object.password }}"
password: "{{ password_object.passprops.username }}"
use_shared_logon_authentication: no
- name: Logoff from CyberArk Vault
cyberark_authentication:
state: absent
cyberark_session: "{{ cyberark_session }}"
'''
RETURN = '''
cyberark_session:
description: Authentication facts.
returned: success
type: dict
sample:
api_base_url:
description: Base URL for API calls. Returned in the cyberark_session, so it can be used in subsequent calls.
type: str
returned: always
token:
description: The token that identifies the session, encoded in BASE 64.
type: str
returned: always
use_shared_logon_authentication:
description: Whether or not Shared Logon Authentication was used to establish the session.
type: bool
returned: always
validate_certs:
description: Whether or not SSL certificates should be validated.
type: bool
returned: always
'''
from ansible.module_utils._text import to_text
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.urls import open_url
from ansible.module_utils.six.moves.urllib.error import HTTPError
import json
try:
import httplib
except ImportError:
# Python 3
import http.client as httplib
def processAuthentication(module):
# Getting parameters from module
api_base_url = module.params["api_base_url"]
validate_certs = module.params["validate_certs"]
username = module.params["username"]
password = module.params["password"]
new_password = module.params["new_password"]
use_shared_logon_authentication = module.params[
"use_shared_logon_authentication"]
use_radius_authentication = module.params["use_radius_authentication"]
state = module.params["state"]
cyberark_session = module.params["cyberark_session"]
# if in check mode it will not perform password changes
if module.check_mode and new_password is not None:
new_password = None
# Defining initial values for open_url call
headers = {'Content-Type': 'application/json'}
payload = ""
if state == "present": # Logon Action
# Different end_points based on the use of shared logon authentication
if use_shared_logon_authentication:
end_point = "/PasswordVault/WebServices/auth/Shared/RestfulAuthenticationService.svc/Logon"
else:
end_point = "/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon"
# The payload will contain username, password
# and optionally use_radius_authentication and new_password
payload_dict = {"username": username, "password": password}
if use_radius_authentication:
payload_dict["useRadiusAuthentication"] = use_radius_authentication
if new_password is not None:
payload_dict["newPassword"] = new_password
payload = json.dumps(payload_dict)
else: # Logoff Action
# Get values from cyberark_session already established
api_base_url = cyberark_session["api_base_url"]
validate_certs = cyberark_session["validate_certs"]
use_shared_logon_authentication = cyberark_session[
"use_shared_logon_authentication"]
headers["Authorization"] = cyberark_session["token"]
# Different end_points based on the use of shared logon authentication
if use_shared_logon_authentication:
end_point = "/PasswordVault/WebServices/auth/Shared/RestfulAuthenticationService.svc/Logoff"
else:
end_point = "/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logoff"
result = None
changed = False
response = None
try:
response = open_url(
api_base_url + end_point,
method="POST",
headers=headers,
data=payload,
validate_certs=validate_certs)
except (HTTPError, httplib.HTTPException) as http_exception:
module.fail_json(
msg=("Error while performing authentication."
"Please validate parameters provided, and ability to logon to CyberArk."
"\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, to_text(http_exception))),
payload=payload,
headers=headers,
status_code=http_exception.code)
except Exception as unknown_exception:
module.fail_json(
msg=("Unknown error while performing authentication."
"\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))),
payload=payload,
headers=headers,
status_code=-1)
if response.getcode() == 200: # Success
if state == "present": # Logon Action
# Result token from REST Api uses a different key based
# the use of shared logon authentication
token = None
try:
if use_shared_logon_authentication:
token = json.loads(response.read())["LogonResult"]
else:
token = json.loads(response.read())["CyberArkLogonResult"]
except Exception as e:
module.fail_json(
msg="Error obtaining token\n%s" % (to_text(e)),
payload=payload,
headers=headers,
status_code=-1)
# Preparing result of the module
result = {
"cyberark_session": {
"token": token, "api_base_url": api_base_url, "validate_certs": validate_certs,
"use_shared_logon_authentication": use_shared_logon_authentication},
}
if new_password is not None:
# Only marks change if new_password was received resulting
# in a password change
changed = True
else: # Logoff Action clears cyberark_session
result = {
"cyberark_session": {}
}
return (changed, result, response.getcode())
else:
module.fail_json(
msg="error in end_point=>" +
end_point,
headers=headers)
def main():
fields = {
"api_base_url": {"type": "str"},
"validate_certs": {"type": "bool",
"default": "true"},
"username": {"type": "str"},
"password": {"type": "str", "no_log": True},
"new_password": {"type": "str", "no_log": True},
"use_shared_logon_authentication": {"default": False, "type": "bool"},
"use_radius_authentication": {"default": False, "type": "bool"},
"state": {"type": "str",
"choices": ["present", "absent"],
"default": "present"},
"cyberark_session": {"type": "dict"},
}
mutually_exclusive = [
["use_shared_logon_authentication", "use_radius_authentication"],
["use_shared_logon_authentication", "new_password"],
["api_base_url", "cyberark_session"],
["cyberark_session", "username", "use_shared_logon_authentication"]
]
required_if = [
("state", "present", ["api_base_url"]),
("state", "absent", ["cyberark_session"])
]
required_together = [
["username", "password"]
]
module = AnsibleModule(
argument_spec=fields,
mutually_exclusive=mutually_exclusive,
required_if=required_if,
required_together=required_together,
supports_check_mode=True)
(changed, result, status_code) = processAuthentication(module)
module.exit_json(
changed=changed,
ansible_facts=result,
status_code=status_code)
if __name__ == '__main__':
main()

470
lib/ansible/modules/identity/cyberark/cyberark_user.py
View file

@ -1,470 +0,0 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright: (c) 2017, Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'certified'}
DOCUMENTATION = r'''
---
module: cyberark_user
short_description: Module for CyberArk User Management using PAS Web Services SDK
author:
- Edward Nunez (@enunez-cyberark) CyberArk BizDev
- Cyberark Bizdev (@cyberark-bizdev)
- erasmix (@erasmix)
version_added: 2.4
description:
- CyberArk User Management using PAS Web Services SDK.
- It currently supports the following actions Get User Details, Add User, Update User, Delete User.
options:
username:
description:
- The name of the user who will be queried (for details), added, updated or deleted.
type: str
required: True
state:
description:
- Specifies the state needed for the user present for create user, absent for delete user.
type: str
choices: [ absent, present ]
default: present
cyberark_session:
description:
- Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session,
please see M(cyberark_authentication) module for an example of cyberark_session.
type: dict
required: True
initial_password:
description:
- The password that the new user will use to log on the first time.
- This password must meet the password policy requirements.
- This parameter is required when state is present -- Add User.
type: str
new_password:
description:
- The user updated password. Make sure that this password meets the password policy requirements.
type: str
email:
description:
- The user email address.
type: str
first_name:
description:
- The user first name.
type: str
last_name:
description:
- The user last name.
type: str
change_password_on_the_next_logon:
description:
- Whether or not the user must change their password in their next logon.
type: bool
default: no
expiry_date:
description:
- The date and time when the user account will expire and become disabled.
type: str
user_type_name:
description:
- The type of user.
- The parameter defaults to C(EPVUser).
type: str
disabled:
description:
- Whether or not the user will be disabled.
type: bool
default: no
location:
description:
- The Vault Location for the user.
type: str
group_name:
description:
- The name of the group the user will be added to.
type: str
'''
EXAMPLES = r'''
- name: Logon to CyberArk Vault using PAS Web Services SDK
cyberark_authentication:
api_base_url: https://components.cyberark.local
use_shared_logon_authentication: yes
- name: Create user & immediately add it to a group
cyberark_user:
username: username
initial_password: password
user_type_name: EPVUser
change_password_on_the_next_logon: no
group_name: GroupOfUser
state: present
cyberark_session: '{{ cyberark_session }}'
- name: Make sure user is present and reset user credential if present
cyberark_user:
username: Username
new_password: password
disabled: no
state: present
cyberark_session: '{{ cyberark_session }}'
- name: Logoff from CyberArk Vault
cyberark_authentication:
state: absent
cyberark_session: '{{ cyberark_session }}'
'''
RETURN = r'''
changed:
description: Whether there was a change done.
type: bool
returned: always
cyberark_user:
description: Dictionary containing result properties.
returned: always
type: dict
sample:
result:
description: user properties when state is present
type: dict
returned: success
status_code:
description: Result HTTP Status code
returned: success
type: int
sample: 200
'''
import json
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils._text import to_text
from ansible.module_utils.six.moves import http_client as httplib
from ansible.module_utils.six.moves.urllib.error import HTTPError
from ansible.module_utils.urls import open_url
def user_details(module):
# Get username from module parameters, and api base url
# along with validate_certs from the cyberark_session established
username = module.params["username"]
cyberark_session = module.params["cyberark_session"]
api_base_url = cyberark_session["api_base_url"]
validate_certs = cyberark_session["validate_certs"]
# Prepare result, end_point, and headers
result = {}
end_point = "/PasswordVault/WebServices/PIMServices.svc/Users/{0}".format(
username)
headers = {'Content-Type': 'application/json'}
headers["Authorization"] = cyberark_session["token"]
try:
response = open_url(
api_base_url + end_point,
method="GET",
headers=headers,
validate_certs=validate_certs)
result = {"result": json.loads(response.read())}
return (False, result, response.getcode())
except (HTTPError, httplib.HTTPException) as http_exception:
if http_exception.code == 404:
return (False, None, http_exception.code)
else:
module.fail_json(
msg=("Error while performing user_details."
"Please validate parameters provided."
"\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, to_text(http_exception))),
headers=headers,
status_code=http_exception.code)
except Exception as unknown_exception:
module.fail_json(
msg=("Unknown error while performing user_details."
"\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))),
headers=headers,
status_code=-1)
def user_add_or_update(module, HTTPMethod):
# Get username from module parameters, and api base url
# along with validate_certs from the cyberark_session established
username = module.params["username"]
cyberark_session = module.params["cyberark_session"]
api_base_url = cyberark_session["api_base_url"]
validate_certs = cyberark_session["validate_certs"]
# Prepare result, payload, and headers
result = {}
payload = {}
headers = {'Content-Type': 'application/json',
"Authorization": cyberark_session["token"]}
# end_point and payload sets different depending on POST/PUT
# for POST -- create -- payload contains username
# for PUT -- update -- username is part of the endpoint
if HTTPMethod == "POST":
end_point = "/PasswordVault/WebServices/PIMServices.svc/Users"
payload["UserName"] = username
elif HTTPMethod == "PUT":
end_point = "/PasswordVault/WebServices/PIMServices.svc/Users/{0}"
end_point = end_point.format(username)
# --- Optionally populate payload based on parameters passed ---
if "initial_password" in module.params:
payload["InitialPassword"] = module.params["initial_password"]
if "new_password" in module.params:
payload["NewPassword"] = module.params["new_password"]
if "email" in module.params:
payload["Email"] = module.params["email"]
if "first_name" in module.params:
payload["FirstName"] = module.params["first_name"]
if "last_name" in module.params:
payload["LastName"] = module.params["last_name"]
if "change_password_on_the_next_logon" in module.params:
if module.params["change_password_on_the_next_logon"]:
payload["ChangePasswordOnTheNextLogon"] = "true"
else:
payload["ChangePasswordOnTheNextLogon"] = "false"
if "expiry_date" in module.params:
payload["ExpiryDate"] = module.params["expiry_date"]
if "user_type_name" in module.params:
payload["UserTypeName"] = module.params["user_type_name"]
if "disabled" in module.params:
if module.params["disabled"]:
payload["Disabled"] = "true"
else:
payload["Disabled"] = "false"
if "location" in module.params:
payload["Location"] = module.params["location"]
# --------------------------------------------------------------
try:
# execute REST action
response = open_url(
api_base_url + end_point,
method=HTTPMethod,
headers=headers,
data=json.dumps(payload),
validate_certs=validate_certs)
result = {"result": json.loads(response.read())}
return (True, result, response.getcode())
except (HTTPError, httplib.HTTPException) as http_exception:
module.fail_json(
msg=("Error while performing user_add_or_update."
"Please validate parameters provided."
"\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, to_text(http_exception))),
payload=payload,
headers=headers,
status_code=http_exception.code)
except Exception as unknown_exception:
module.fail_json(
msg=("Unknown error while performing user_add_or_update."
"\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))),
payload=payload,
headers=headers,
status_code=-1)
def user_delete(module):
# Get username from module parameters, and api base url
# along with validate_certs from the cyberark_session established
username = module.params["username"]
cyberark_session = module.params["cyberark_session"]
api_base_url = cyberark_session["api_base_url"]
validate_certs = cyberark_session["validate_certs"]
# Prepare result, end_point, and headers
result = {}
end_point = "/PasswordVault/WebServices/PIMServices.svc/Users/{0}".format(
username)
headers = {'Content-Type': 'application/json'}
headers["Authorization"] = cyberark_session["token"]
try:
# execute REST action
response = open_url(
api_base_url + end_point,
method="DELETE",
headers=headers,
validate_certs=validate_certs)
result = {"result": {}}
return (True, result, response.getcode())
except (HTTPError, httplib.HTTPException) as http_exception:
exception_text = to_text(http_exception)
if http_exception.code == 404 and "ITATS003E" in exception_text:
# User does not exist
result = {"result": {}}
return (False, result, http_exception.code)
else:
module.fail_json(
msg=("Error while performing user_delete."
"Please validate parameters provided."
"\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, exception_text)),
headers=headers,
status_code=http_exception.code)
except Exception as unknown_exception:
module.fail_json(
msg=("Unknown error while performing user_delete."
"\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))),
headers=headers,
status_code=-1)
def user_add_to_group(module):
# Get username, and groupname from module parameters, and api base url
# along with validate_certs from the cyberark_session established
username = module.params["username"]
group_name = module.params["group_name"]
cyberark_session = module.params["cyberark_session"]
api_base_url = cyberark_session["api_base_url"]
validate_certs = cyberark_session["validate_certs"]
# Prepare result, end_point, headers and payload
result = {}
end_point = "/PasswordVault/WebServices/PIMServices.svc//Groups/{0}/Users".format(
group_name)
headers = {'Content-Type': 'application/json'}
headers["Authorization"] = cyberark_session["token"]
payload = {"UserName": username}
try:
# execute REST action
response = open_url(
api_base_url + end_point,
method="POST",
headers=headers,
data=json.dumps(payload),
validate_certs=validate_certs)
result = {"result": {}}
return (True, result, response.getcode())
except (HTTPError, httplib.HTTPException) as http_exception:
exception_text = to_text(http_exception)
if http_exception.code == 409 and "ITATS262E" in exception_text:
# User is already member of Group
return (False, None, http_exception.code)
else:
module.fail_json(
msg=("Error while performing user_add_to_group."
"Please validate parameters provided."
"\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, exception_text)),
payload=payload,
headers=headers,
status_code=http_exception.code)
except Exception as unknown_exception:
module.fail_json(
msg=("Unknown error while performing user_add_to_group."
"\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))),
payload=payload,
headers=headers,
status_code=-1)
def main():
module = AnsibleModule(
argument_spec=dict(
username=dict(type='str', required=True),
state=dict(type='str', default='present', choices=['absent', 'present']),
cyberark_session=dict(type='dict', required=True),
initial_password=dict(type='str', no_log=True),
new_password=dict(type='str', no_log=True),
email=dict(type='str'),
first_name=dict(type='str'),
last_name=dict(type='str'),
change_password_on_the_next_logon=dict(type='bool'),
expiry_date=dict(type='str'),
user_type_name=dict(type='str'),
disabled=dict(type='bool'),
location=dict(type='str'),
group_name=dict(type='str'),
),
)
state = module.params['state']
new_password = module.params['new_password']
group_name = module.params['group_name']
if (state == "present"):
(changed, result, status_code) = user_details(module)
if (status_code == 200):
# User already exists
# If new_password specified, proceed to update user credential
if (new_password is not None):
(changed, result, status_code) = user_add_or_update(module, "PUT")
if (group_name is not None):
# If user exists, add to group if needed
(changed, ignored_result, ignored_status_code) = user_add_to_group(module)
elif (status_code == 404):
# User does not exist, proceed to create it
(changed, result, status_code) = user_add_or_update(module, "POST")
if (status_code == 201 and group_name is not None):
# If user was created, add to group if needed
(changed, ignored_result, ignored_status_code) = user_add_to_group(module)
elif (state == "absent"):
(changed, result, status_code) = user_delete(module)
module.exit_json(
changed=changed,
cyberark_user=result,
status_code=status_code)
if __name__ == '__main__':
main()

1
test/sanity/ignore.txt
View file

@ -1031,7 +1031,6 @@ lib/ansible/modules/files/stat.py validate-modules:parameter-type-not-in-doc
lib/ansible/modules/files/stat.py validate-modules:undocumented-parameter
lib/ansible/modules/files/unarchive.py validate-modules:nonexistent-parameter-documented
lib/ansible/modules/files/unarchive.py validate-modules:parameter-list-no-elements
lib/ansible/modules/identity/cyberark/cyberark_authentication.py validate-modules:parameter-type-not-in-doc
lib/ansible/modules/net_tools/basics/get_url.py validate-modules:parameter-type-not-in-doc
lib/ansible/modules/net_tools/basics/uri.py pylint:blacklisted-name
lib/ansible/modules/net_tools/basics/uri.py validate-modules:doc-required-mismatch