OPS-4371 Implemented minimal document module to upload files to 1PW (#57

) * OPS-4371 Implemented minimal document module to upload files to 1PW * OPS-4371 Added quotes to 1PW item category * OPS-4371 Added OpenSSL to awx-ee * OPS-4371 Downgraded Terraform to 1.1.4 * OPS-4371 set session shorthand for item plugin * OPS-4371 1Password action plugins now get sessions shorthand from args * OPS-4371 Added session_shorthand to plugin documentation * OPS-4371 Increased Helm and 1PW CLI versions, added dnf upgrade
hpi-schul-cloud · Mar 17, 2023 · 9cd03f1 · 9cd03f1
1 parent 95f8ef5
commit 9cd03f1
Show file tree

Hide file tree

Showing 15 changed files with 177 additions and 17 deletions.
diff --git a/awx-ee/Dockerfile b/awx-ee/Dockerfile
@@ -22,19 +22,21 @@ RUN assemble
 
 FROM $EE_BASE_IMAGE
 USER root
-ARG HELM_VERSION=3.10.1
-ARG TERRAFORM_VERSION=1.3.4
+ARG HELM_VERSION=3.11.2
+ARG TERRAFORM_VERSION=1.1.4
 ARG KUBECTL_VERSION=1.21.4
-ARG OP_VERSION=2.7.3
+ARG OP_VERSION=2.15.0
 RUN whoami
 RUN cat /etc/os-release
 RUN pip3 install --upgrade pip setuptools
 RUN dnf install -y unzip
-RUN cd /tmp && curl -LO https://releases.hashicorp.com/terraform/$TERRAFORM_VERSION/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip && install -o root -g root -m 0755 terraform /usr/local/bin/terraform
+RUN cd /tmp && curl -LO https://releases.hashicorp.com/terraform/$TERRAFORM_VERSION/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip && install -o root -g root -m 0755 terraform /usr/local/bin/terraform && rm terraform
 RUN curl -LO https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/amd64/kubectl
 RUN install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
-RUN cd /tmp && curl -LO https://get.helm.sh/helm-v$HELM_VERSION-linux-amd64.tar.gz &&  tar -xf helm-v$HELM_VERSION-linux-amd64.tar.gz && install -o root -g root -m 0755 linux-amd64/helm /usr/local/bin/helm
-RUN cd /tmp && curl -LO https://cache.agilebits.com/dist/1P/op2/pkg/v$OP_VERSION/op_linux_amd64_v$OP_VERSION.zip && unzip op_linux_amd64_v$OP_VERSION.zip && install -o root -g root -m 0755 op /usr/local/bin/op
+RUN cd /tmp && curl -LO https://get.helm.sh/helm-v$HELM_VERSION-linux-amd64.tar.gz &&  tar -xf helm-v$HELM_VERSION-linux-amd64.tar.gz && install -o root -g root -m 0755 linux-amd64/helm /usr/local/bin/helm && rm linux-amd64/helm
+RUN cd /tmp && curl -LO https://cache.agilebits.com/dist/1P/op2/pkg/v$OP_VERSION/op_linux_amd64_v$OP_VERSION.zip && unzip op_linux_amd64_v$OP_VERSION.zip && install -o root -g root -m 0755 op /usr/local/bin/op && rm op
+RUN dnf install -y openssl
+RUN dnf upgrade --refresh -y
 
 COPY --from=galaxy /usr/share/ansible /usr/share/ansible
 

diff --git a/awx-ee/execution-environment.yml b/awx-ee/execution-environment.yml
@@ -9,7 +9,7 @@ dependencies:
 additional_build_steps:
   prepend: |
     ARG HELM_VERSION=3.10.1
-    ARG TERRAFORM_VERSION=1.3.4
+    ARG TERRAFORM_VERSION=1.1.4
     ARG KUBECTL_VERSION=1.21.4
     ARG OP_VERSION=2.7.3
     RUN whoami
@@ -21,5 +21,6 @@ additional_build_steps:
     RUN install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
     RUN cd /tmp && curl -LO https://get.helm.sh/helm-v$HELM_VERSION-linux-amd64.tar.gz &&  tar -xf helm-v$HELM_VERSION-linux-amd64.tar.gz && install -o root -g root -m 0755 linux-amd64/helm /usr/local/bin/helm
     RUN cd /tmp && curl -LO https://cache.agilebits.com/dist/1P/op2/pkg/v$OP_VERSION/op_linux_amd64_v$OP_VERSION.zip && unzip op_linux_amd64_v$OP_VERSION.zip && install -o root -g root -m 0755 op /usr/local/bin/op
+    RUN dnf install -y openssl
   append:
     - RUN alternatives --set python /usr/bin/python3
diff --git a/onepwd/galaxy.yml b/onepwd/galaxy.yml
@@ -9,7 +9,7 @@ namespace: dbildungscloud
 name: onepwd
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 2.1.0
+version: 2.2.0
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md

diff --git a/onepwd/playbook-test-onepwd.yml b/onepwd/playbook-test-onepwd.yml
@@ -2,6 +2,11 @@
 - name: Test
   hosts: localhost
   gather_facts: false
+  vars:
+    document_original_content: |-
+      Test file.
+    document_updated_content: |-
+      Updated file.
   tasks:
     - name: Run the tests
       block:
@@ -124,6 +129,43 @@
           uri:
             url: "{{ op.link }}"
 
+        - name: Create file to upload
+          copy:
+            content: "{{ document_original_content }}"
+            dest: /tmp/original-file.txt
+            mode: 0600
+        - name: Create document
+          dbildungscloud.onepwd.document:
+            vault: Private
+            name: document-test
+            path: /tmp/original-file.txt
+        - name: Get document
+          set_fact:
+            onepassword_document: "{{ lookup('dbildungscloud.onepwd.onepwd', secret_name='document-test', vault='Private') }}"
+        - name: Create document
+          assert:
+            that:
+              - onepassword_document == document_original_content
+
+        - name: Create updated file to upload
+          copy:
+            content: "{{ document_updated_content }}"
+            dest: /tmp/updated-file.txt
+            mode: 0600
+        - name: Update document
+          dbildungscloud.onepwd.document:
+            vault: Private
+            name: document-test
+            path: /tmp/updated-file.txt
+        - name: Get document
+          set_fact:
+            onepassword_document: "{{ lookup('dbildungscloud.onepwd.onepwd', secret_name='document-test', vault='Private') }}"
+        - name: Create document
+          assert:
+            that:
+              - onepassword_document != document_original_content
+              - onepassword_document == document_updated_content
+
       always:
         - name: Delete item
           dbildungscloud.onepwd.item:
@@ -136,3 +178,9 @@
           assert:
             that:
               - op.changed
+        - name: Delete document
+          dbildungscloud.onepwd.item:
+            vault: Private
+            name: document-test
+            state: absent
+          register: op
diff --git a/onepwd/plugins/action/create_s3_item.py b/onepwd/plugins/action/create_s3_item.py
@@ -35,7 +35,7 @@ class ActionModule(ActionBase):
     def run(self, tmp=None, task_vars=None, **kwargs):
         # Log into OnePassword
         login_secret=onepwd.get_op_login()
-        session_shorthand=kwargs.get('session_shorthand', os.getenv('USER'))
+        session_shorthand=self._task.args.get('session_shorthand', os.getenv('USER'))
         session_timeout=kwargs.get('session_timeout', 30)
         op = onepwd.OnePwd(secret=login_secret, shorthand=session_shorthand, session_timeout=session_timeout)
 

diff --git a/onepwd/plugins/action/document.py b/onepwd/plugins/action/document.py
@@ -0,0 +1,31 @@
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+import os
+import onepwd
+from ansible.plugins.action import ActionBase
+from ansible.errors import AnsibleActionFail
+
+class ActionModule(ActionBase):
+    def run(self, tmp=None, task_vars=None, **kwargs):
+        login_secret=onepwd.get_op_login()
+        session_shorthand=self._task.args.get('session_shorthand', os.getenv('USER'))
+        session_timeout=kwargs.get('session_timeout', 30)
+        op = onepwd.OnePwd(secret=login_secret, shorthand=session_shorthand, session_timeout=session_timeout)
+
+        # Input validation
+        for arg in ['vault', 'name', 'path']:
+            if arg not in self._task.args:
+                raise AnsibleActionFail(f"Parameter '{arg}' is required.")
+        vault = self._task.args.get('vault')
+        name = self._task.args.get('name')
+        path = self._task.args.get('path')
+        check = self._task.check_mode
+
+        if not check:
+            try:
+                op.edit_document_from_file(path, name, vault)
+            except onepwd.UnknownResourceItem:
+                op.create_document_from_file(path, name, vault)
+        return {'changed': True}
diff --git a/onepwd/plugins/action/item.py b/onepwd/plugins/action/item.py
@@ -10,7 +10,7 @@
 class ActionModule(ActionBase):
     def run(self, tmp=None, task_vars=None, **kwargs):
         login_secret=onepwd.get_op_login()
-        session_shorthand=kwargs.get('session_shorthand', os.getenv('USER'))
+        session_shorthand=self._task.args.get('session_shorthand', os.getenv('USER'))
         session_timeout=kwargs.get('session_timeout', 30)
         op = onepwd.OnePwd(secret=login_secret, shorthand=session_shorthand, session_timeout=session_timeout)
 

diff --git a/onepwd/plugins/action/share.py b/onepwd/plugins/action/share.py
@@ -10,7 +10,7 @@
 class ActionModule(ActionBase):
     def run(self, tmp=None, task_vars=None, **kwargs):
         login_secret=onepwd.get_op_login()
-        session_shorthand=kwargs.get('session_shorthand', os.getenv('USER'))
+        session_shorthand=self._task.args.get('session_shorthand', os.getenv('USER'))
         session_timeout=kwargs.get('session_timeout', 30)
         op = onepwd.OnePwd(secret=login_secret, shorthand=session_shorthand, session_timeout=session_timeout)
 

diff --git a/onepwd/plugins/action/update_s3_values_of_item.py b/onepwd/plugins/action/update_s3_values_of_item.py
@@ -40,7 +40,7 @@ class ActionModule(ActionBase):
     def run(self, tmp=None, task_vars=None, **kwargs):
         # Log into OnePassword
         login_secret=onepwd.get_op_login()
-        session_shorthand=kwargs.get('session_shorthand', os.getenv('USER'))
+        session_shorthand=self._task.args.get('session_shorthand', os.getenv('USER'))
         session_timeout=kwargs.get('session_timeout', 30)
         op = onepwd.OnePwd(secret=login_secret, shorthand=session_shorthand, session_timeout=session_timeout)
 

diff --git a/onepwd/plugins/action/upload_s3_secret.py b/onepwd/plugins/action/upload_s3_secret.py
@@ -34,7 +34,7 @@ class ActionModule(ActionBase):
     def run(self, tmp=None, task_vars=None, **kwargs):
         # Log into OnePassword
         login_secret=onepwd.get_op_login()
-        session_shorthand=kwargs.get('session_shorthand', os.getenv('USER'))
+        session_shorthand=self._task.args.get('session_shorthand', os.getenv('USER'))
         session_timeout=kwargs.get('session_timeout', 30)
         op = onepwd.OnePwd(secret=login_secret, shorthand=session_shorthand, session_timeout=session_timeout)
 

diff --git a/onepwd/plugins/modules/document.py b/onepwd/plugins/modules/document.py
@@ -0,0 +1,45 @@
+# Dummy module needed by ansible-doc
+DOCUMENTATION = r'''
+---
+module: item
+short_description: Minimal plugin to create 1Password documents
+description:
+  - Create 1Password documents
+  - Updates the item without checking if it's different
+  - Will be replaced by the item module when it can be used to upload files
+version_added: 2.12.3
+author: DBC SRE Team
+options:
+  vault:
+    description:
+      - Vault of the document to create.
+    type: str
+    required: yes
+  name:
+    description:
+      - Name of the document to create.
+    type: str
+    required: yes
+  path:
+    description:
+        - Path to the file to upload.
+    type: str
+    required: yes
+  session_shorthand:
+    description:
+      - Session shorthand used by the 1Password CLI.
+      - Must be set when running in AWX.
+    type: str
+    default: the USER environment variable
+'''
+
+EXAMPLES = r'''
+- name: Create Document
+  dbildungscloud.onepwd.document:
+    vault: "vault"
+    name: "name"
+    path: /path/to/file
+'''
+
+RETURN = r'''
+'''
diff --git a/onepwd/plugins/modules/item.py b/onepwd/plugins/modules/item.py
@@ -42,6 +42,12 @@
       - Supported properties are name, type, value, section
     type: list
     default: []
+  session_shorthand:
+    description:
+      - Session shorthand used by the 1Password CLI.
+      - Must be set when running in AWX.
+    type: str
+    default: the USER environment variable
 '''
 
 EXAMPLES = r'''

diff --git a/onepwd/plugins/modules/share.py b/onepwd/plugins/modules/share.py
@@ -34,6 +34,12 @@
       - Expire link after a single view.
     type: bool
     default: false
+  session_shorthand:
+    description:
+      - Session shorthand used by the 1Password CLI.
+      - Must be set when running in AWX.
+    type: str
+    default: the USER environment variable
 '''
 
 EXAMPLES = r'''

diff --git a/onepwd/setup.py b/onepwd/setup.py
@@ -5,7 +5,7 @@
 
 setuptools.setup(
     name="onepwd",
-    version="2.1.0",
+    version="2.2.0",
     author="HPI Schulcloud",
     author_email="devops@dbildungscloud.de",
     description="Utilities to work with 1password",

diff --git a/onepwd/src/onepwd/__init__.py b/onepwd/src/onepwd/__init__.py
@@ -92,7 +92,7 @@ def create_item(self, category, json_item, title, vault=None, url=None):
         url_flag = get_optional_flag(url=url)
 
         command = f"""
-            {self.op} item  create --category={category} - \
+            {self.op} item  create --category={quote(category)} - \
             --title='{title}' \
             --session={self.session_token} \
             {vault_flag} {url_flag}
@@ -105,7 +105,7 @@ def create_item_string(self, category, title, assignment_statements:str, vault=N
         dry_run_flag = get_optional_flag(dry_run=dry_run)
 
         command = f"""
-            {self.op} item  create --category={category} - \
+            {self.op} item  create --category={quote(category)} - \
             --title='{title}' \
             --session={self.session_token} \
             {vault_flag} {url_flag} \
@@ -192,7 +192,28 @@ def get_document(self, item_name):
             return run_op_command_in_shell(op_command)
         except subprocess.CalledProcessError:
             raise UnknownResourceItem(f"document: {item_name}")
-
+
+    def create_document_from_file(self, path, title, vault=None):
+        vault_flag = get_optional_flag(vault=vault)
+
+        command = f"""
+            {self.op} document create {path} \
+            --title='{title}' \
+            --session={self.session_token} \
+            {vault_flag}
+        """
+        return run_op_command_in_shell(command)
+
+    def edit_document_from_file(self, path, title, vault=None):
+        vault_flag = get_optional_flag(vault=vault)
+
+        command = f"""
+            {self.op} document edit {title} {path} \
+            --session={self.session_token} \
+            {vault_flag}
+        """
+        return run_op_command_in_shell(command)
+
     def share(self, item_name, vault=None, emails=[], expiry=None, view_once=False):
         vault_flag = get_optional_flag(vault=vault)
         emails_list = ",".join(emails)