OPS-4474-evaluate-kubernetesproxy-Add options to generate passwords a…

…nd not overwriting existing ones (#59) Add options to generate passwords and not overwriting existing ones
hpi-schul-cloud · Apr 25, 2023 · d696160 · d696160
1 parent 9cd03f1
commit d696160
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 14 deletions.
diff --git a/onepwd/plugins/action/item.py b/onepwd/plugins/action/item.py
@@ -29,16 +29,18 @@ def run(self, tmp=None, task_vars=None, **kwargs):
         state = self._task.args.get('state', 'present')
         if state not in ('present', 'absent'):
             raise AnsibleActionFail('State must be one of absent, present.')
+        generate_password = self._task.args.get('generate_password', None)
+        overwrite = self._task.args.get('overwrite', True)
         check = self._task.check_mode
 
         result = {}
         if state == 'present':
-            result = self.run_present(op, category, name, vault, fields, check)
+            result = self.run_present(op, category, name, vault, fields, generate_password, overwrite, check)
         if state == 'absent':
             result = self.run_absent(op, name, vault, check)
         return result
 
-    def run_present(self, op:onepwd.OnePwd, category, name, vault, fields, check):
+    def run_present(self, op:onepwd.OnePwd, category, name, vault, fields, generate_password, overwrite, check):
         assignment_statements = ""
         for field in fields:
             assignment_statements += " " + onepwd.build_assignment_statement(field)
@@ -47,18 +49,18 @@ def run_present(self, op:onepwd.OnePwd, category, name, vault, fields, check):
         diff = {}
         try:
             get_result = op.get('item', item_name=name, vault=vault)
-            edit_result = op.edit_item(name, assignment_statements, vault=vault, dry_run=check)
-            changed = not items_equal(get_result, edit_result)
+            edit_result = op.edit_item(name, assignment_statements, vault=vault, generate_password=generate_password, dry_run=True)
+            changed = not items_equal(get_result, edit_result) and overwrite
             if changed:
                 if not check:
-                    edit_result = op.edit_item(name, assignment_statements, vault=vault)
+                    edit_result = op.edit_item(name, assignment_statements, vault=vault, generate_password=generate_password)
                 diff['before'] = get_result
                 diff['after'] = edit_result
                 result['item'] = edit_result
             else:
                 result['item'] = get_result
         except onepwd.UnknownResourceItem:
-            create_result = op.create_item_string(category, name, assignment_statements, vault=vault, dry_run=check)
+            create_result = op.create_item_string(category, name, assignment_statements, vault=vault, generate_password=generate_password, dry_run=check)
             diff['before'] = {}
             diff['after'] = create_result
             result['item'] = create_result

diff --git a/onepwd/plugins/modules/item.py b/onepwd/plugins/modules/item.py
@@ -48,6 +48,17 @@
       - Must be set when running in AWX.
     type: str
     default: the USER environment variable
+  generate_password:
+    description:
+      - 1Password generates the password 
+      - Password properties can be set (e.g. "letters,digits,symbols,32"), see https://developer.1password.com/docs/cli/create-item/#create-an-item
+    type: str
+  overwrite:
+    description:
+      - If True (default) existing items are changed if there are differences
+      - If False existing items are not changed if there are differences (usefull if item should be generated only once)
+    type: bool
+    default: True
 '''
 
 EXAMPLES = r'''

diff --git a/onepwd/setup.py b/onepwd/setup.py
@@ -5,7 +5,7 @@
 
 setuptools.setup(
     name="onepwd",
-    version="2.2.0",
+    version="2.2.1",
     author="HPI Schulcloud",
     author_email="devops@dbildungscloud.de",
     description="Utilities to work with 1password",

diff --git a/onepwd/src/onepwd/__init__.py b/onepwd/src/onepwd/__init__.py
@@ -99,17 +99,18 @@ def create_item(self, category, json_item, title, vault=None, url=None):
         """
         return json.loads(run_op_command_in_shell(command, input=json_item.encode()))
 
-    def create_item_string(self, category, title, assignment_statements:str, vault=None, url=None, dry_run=False):
+    def create_item_string(self, category, title, assignment_statements:str, vault=None, url=None, generate_password:str=None, dry_run=False):
         vault_flag = get_optional_flag(vault=vault)
         url_flag = get_optional_flag(url=url)
+        generate_password_flag = get_optional_flag(generate_password=generate_password)
         dry_run_flag = get_optional_flag(dry_run=dry_run)
 
         command = f"""
             {self.op} item  create --category={quote(category)} - \
             --title='{title}' \
             --session={self.session_token} \
             {vault_flag} {url_flag} \
-            {assignment_statements} {dry_run_flag}
+            {generate_password_flag} {assignment_statements} {dry_run_flag}
         """
         return json.loads(run_op_command_in_shell(command))
 
@@ -150,10 +151,11 @@ def update_s3_values_of_standard_s3_item(self, title, vault=None, ACCESS_KEY=Non
             fields_to_change += f"s3_endpoint_url={ENDPOINT_URL} "
         return self.edit_item(title, fields_to_change, vault)
 
-    def edit_item(self, title, assignment_statements:str, vault=None, dry_run=False):
+    def edit_item(self, title, assignment_statements:str, vault=None, generate_password:str=None, dry_run=False):
         vault_flag = get_optional_flag(vault=vault)
         dry_run_flag = get_optional_flag(dry_run=dry_run)
-        command = f""" {self.op} item edit '{title}' --session={self.session_token} {vault_flag} {dry_run_flag} {assignment_statements} """
+        generate_password_flag = get_optional_flag(generate_password=generate_password)
+        command = f""" {self.op} item edit '{title}' --session={self.session_token} {vault_flag} {generate_password_flag} {dry_run_flag} {assignment_statements} """
         return json.loads(run_op_command_in_shell(command))
 
     def delete_item(self, item_name, vault=None):
@@ -364,7 +366,7 @@ def generate_secrets_file(op, items, file, field=None, disable_empty=False, perm
             if field is None:
                 field = "password"
             for f in item["fields"]:
-                if f["label"]==field:
+                if "label" in f and f["label"]==field:
                     secret_value=f["value"]
         elif item["category"]=='DOCUMENT': # File template type
             sname=item["title"]
@@ -393,13 +395,13 @@ def get_single_secret(op:OnePwd, item_name:str, field=None, vault=None) -> str:
     if item["category"]=='LOGIN': # Login template type
         if field:
             for f in item["fields"]:
-                if f["label"]==field:
+                if "label" in f and f["label"]==field:
                     secret_value=f["value"]
     elif item["category"]=='PASSWORD': # Password template type
         if field is None:
             field = "password"
         for f in item["fields"]:
-                if f["label"]==field and "value" in f:
+                if "label" in f and f["label"]==field and "value" in f:
                     secret_value=f["value"]
     elif item["category"]=='DOCUMENT': # File template type
         document=op.get_document(item['id'])