246 lines
8.3 KiB
Python
246 lines
8.3 KiB
Python
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
# Copyright (c) 2024 Alexander Bakanovskii <skottttt228@gmail.com>
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
__metaclass__ = type
|
|
|
|
|
|
DOCUMENTATION = r"""
|
|
module: ipa_getkeytab
|
|
short_description: Manage keytab file in FreeIPA
|
|
version_added: 9.5.0
|
|
description:
|
|
- Manage keytab file with C(ipa-getkeytab) utility.
|
|
- See U(https://manpages.ubuntu.com/manpages/jammy/man1/ipa-getkeytab.1.html) for reference.
|
|
author: "Alexander Bakanovskii (@abakanovskii)"
|
|
attributes:
|
|
check_mode:
|
|
support: full
|
|
diff_mode:
|
|
support: none
|
|
options:
|
|
path:
|
|
description:
|
|
- The base path where to put generated keytab file.
|
|
type: path
|
|
aliases: ["keytab"]
|
|
required: true
|
|
principal:
|
|
description:
|
|
- The non-realm part of the full principal name.
|
|
type: str
|
|
required: true
|
|
ipa_host:
|
|
description:
|
|
- The IPA server to retrieve the keytab from (FQDN).
|
|
type: str
|
|
ldap_uri:
|
|
description:
|
|
- LDAP URI. If V(ldap://) is specified, STARTTLS is initiated by default.
|
|
- Can not be used with the O(ipa_host) option.
|
|
type: str
|
|
bind_dn:
|
|
description:
|
|
- The LDAP DN to bind as when retrieving a keytab without Kerberos credentials.
|
|
- Generally used with the O(bind_pw) option.
|
|
type: str
|
|
bind_pw:
|
|
description:
|
|
- The LDAP password to use when not binding with Kerberos.
|
|
type: str
|
|
password:
|
|
description:
|
|
- Use this password for the key instead of one randomly generated.
|
|
type: str
|
|
ca_cert:
|
|
description:
|
|
- The path to the IPA CA certificate used to validate LDAPS/STARTTLS connections.
|
|
type: path
|
|
sasl_mech:
|
|
description:
|
|
- SASL mechanism to use if O(bind_dn) and O(bind_pw) are not specified.
|
|
choices: ["GSSAPI", "EXTERNAL"]
|
|
type: str
|
|
retrieve_mode:
|
|
description:
|
|
- Retrieve an existing key from the server instead of generating a new one.
|
|
- This is incompatible with the O(password), and will work only against a IPA server more recent than version 3.3.
|
|
- The user requesting the keytab must have access to the keys for this operation to succeed.
|
|
- Be aware that if set V(true), a new keytab will be generated.
|
|
- This invalidates all previously retrieved keytabs for this service principal.
|
|
type: bool
|
|
encryption_types:
|
|
description:
|
|
- The list of encryption types to use to generate keys.
|
|
- It will use local client defaults if not provided.
|
|
- Valid values depend on the Kerberos library version and configuration.
|
|
type: str
|
|
state:
|
|
description:
|
|
- The state of the keytab file.
|
|
- V(present) only check for existence of a file, if you want to recreate keytab with other parameters you should set
|
|
O(force=true).
|
|
type: str
|
|
default: present
|
|
choices: ["present", "absent"]
|
|
force:
|
|
description:
|
|
- Force recreation if exists already.
|
|
type: bool
|
|
requirements:
|
|
- freeipa-client
|
|
- Managed host is FreeIPA client
|
|
extends_documentation_fragment:
|
|
- community.general.attributes
|
|
"""
|
|
|
|
EXAMPLES = r"""
|
|
- name: Get Kerberos ticket using default principal
|
|
community.general.krb_ticket:
|
|
password: "{{ aldpro_admin_password }}"
|
|
|
|
- name: Create keytab
|
|
community.general.ipa_getkeytab:
|
|
path: /etc/ipa/test.keytab
|
|
principal: HTTP/freeipa-dc02.ipa.test
|
|
ipa_host: freeipa-dc01.ipa.test
|
|
|
|
- name: Retrieve already existing keytab
|
|
community.general.ipa_getkeytab:
|
|
path: /etc/ipa/test.keytab
|
|
principal: HTTP/freeipa-dc02.ipa.test
|
|
ipa_host: freeipa-dc01.ipa.test
|
|
retrieve_mode: true
|
|
|
|
- name: Force keytab recreation
|
|
community.general.ipa_getkeytab:
|
|
path: /etc/ipa/test.keytab
|
|
principal: HTTP/freeipa-dc02.ipa.test
|
|
ipa_host: freeipa-dc01.ipa.test
|
|
force: true
|
|
"""
|
|
|
|
import os
|
|
|
|
from ansible.module_utils.basic import AnsibleModule
|
|
from ansible_collections.community.general.plugins.module_utils.cmd_runner import CmdRunner, cmd_runner_fmt
|
|
|
|
|
|
class IPAKeytab(object):
|
|
def __init__(self, module, **kwargs):
|
|
self.module = module
|
|
self.path = kwargs['path']
|
|
self.state = kwargs['state']
|
|
self.principal = kwargs['principal']
|
|
self.ipa_host = kwargs['ipa_host']
|
|
self.ldap_uri = kwargs['ldap_uri']
|
|
self.bind_dn = kwargs['bind_dn']
|
|
self.bind_pw = kwargs['bind_pw']
|
|
self.password = kwargs['password']
|
|
self.ca_cert = kwargs['ca_cert']
|
|
self.sasl_mech = kwargs['sasl_mech']
|
|
self.retrieve_mode = kwargs['retrieve_mode']
|
|
self.encryption_types = kwargs['encryption_types']
|
|
|
|
self.runner = CmdRunner(
|
|
module,
|
|
command='ipa-getkeytab',
|
|
arg_formats=dict(
|
|
retrieve_mode=cmd_runner_fmt.as_bool('--retrieve'),
|
|
path=cmd_runner_fmt.as_opt_val('--keytab'),
|
|
ipa_host=cmd_runner_fmt.as_opt_val('--server'),
|
|
principal=cmd_runner_fmt.as_opt_val('--principal'),
|
|
ldap_uri=cmd_runner_fmt.as_opt_val('--ldapuri'),
|
|
bind_dn=cmd_runner_fmt.as_opt_val('--binddn'),
|
|
bind_pw=cmd_runner_fmt.as_opt_val('--bindpw'),
|
|
password=cmd_runner_fmt.as_opt_val('--password'),
|
|
ca_cert=cmd_runner_fmt.as_opt_val('--cacert'),
|
|
sasl_mech=cmd_runner_fmt.as_opt_val('--mech'),
|
|
encryption_types=cmd_runner_fmt.as_opt_val('--enctypes'),
|
|
)
|
|
)
|
|
|
|
def _exec(self, check_rc=True):
|
|
with self.runner(
|
|
"retrieve_mode path ipa_host principal ldap_uri bind_dn bind_pw password ca_cert sasl_mech encryption_types",
|
|
check_rc=check_rc
|
|
) as ctx:
|
|
rc, out, err = ctx.run()
|
|
return out
|
|
|
|
|
|
def main():
|
|
arg_spec = dict(
|
|
path=dict(type='path', required=True, aliases=["keytab"]),
|
|
state=dict(default='present', choices=['present', 'absent']),
|
|
principal=dict(type='str', required=True),
|
|
ipa_host=dict(type='str'),
|
|
ldap_uri=dict(type='str'),
|
|
bind_dn=dict(type='str'),
|
|
bind_pw=dict(type='str'),
|
|
password=dict(type='str', no_log=True),
|
|
ca_cert=dict(type='path'),
|
|
sasl_mech=dict(type='str', choices=["GSSAPI", "EXTERNAL"]),
|
|
retrieve_mode=dict(type='bool'),
|
|
encryption_types=dict(type='str'),
|
|
force=dict(type='bool'),
|
|
)
|
|
module = AnsibleModule(
|
|
argument_spec=arg_spec,
|
|
mutually_exclusive=[('ipa_host', 'ldap_uri'), ('retrieve_mode', 'password')],
|
|
supports_check_mode=True,
|
|
)
|
|
|
|
path = module.params['path']
|
|
state = module.params['state']
|
|
force = module.params['force']
|
|
|
|
keytab = IPAKeytab(module,
|
|
path=path,
|
|
state=state,
|
|
principal=module.params['principal'],
|
|
ipa_host=module.params['ipa_host'],
|
|
ldap_uri=module.params['ldap_uri'],
|
|
bind_dn=module.params['bind_dn'],
|
|
bind_pw=module.params['bind_pw'],
|
|
password=module.params['password'],
|
|
ca_cert=module.params['ca_cert'],
|
|
sasl_mech=module.params['sasl_mech'],
|
|
retrieve_mode=module.params['retrieve_mode'],
|
|
encryption_types=module.params['encryption_types'],
|
|
)
|
|
|
|
changed = False
|
|
if state == 'present':
|
|
if os.path.exists(path):
|
|
if force and not module.check_mode:
|
|
try:
|
|
os.remove(path)
|
|
except OSError as e:
|
|
module.fail_json(msg="Error deleting: %s - %s." % (e.filename, e.strerror))
|
|
keytab._exec()
|
|
changed = True
|
|
if force and module.check_mode:
|
|
changed = True
|
|
else:
|
|
changed = True
|
|
keytab._exec()
|
|
|
|
if state == 'absent':
|
|
if os.path.exists(path):
|
|
changed = True
|
|
if not module.check_mode:
|
|
try:
|
|
os.remove(path)
|
|
except OSError as e:
|
|
module.fail_json(msg="Error deleting: %s - %s." % (e.filename, e.strerror))
|
|
|
|
module.exit_json(changed=changed)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|