#!/usr/bin/python
# Copyright (c) 2024, Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
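DOCUMENTATION = r"""
module: systemd_creds_encrypt
short_description: C(systemd)'s C(systemd-creds encrypt) plugin
description:
  - This module encrypts input using C(systemd)'s C(systemd-creds encrypt).
  - The plaintext is handed to C(systemd-creds) on standard input and the encrypted credential is read back
    from standard output, so neither is written to a file by this module.
author:
  - Thomas Sjögren (@konstruktoid)
version_added: '10.2.0'
extends_documentation_fragment:
  - community.general.attributes
attributes:
  check_mode:
    support: full
    details:
      - This action does not modify state.
  diff_mode:
    support: N/A
    details:
      - This action does not modify state.
options:
  name:
    description:
      - The credential name to embed in the encrypted credential data.
      - If not specified, an empty C(--name=) is passed to C(systemd-creds), which embeds no credential name
        in the encrypted data (and therefore cannot verify the name when the credential is decrypted).
    type: str
    required: false
  not_after:
    description:
      - The time when the credential shall not be used anymore.
      - Takes a timestamp specification in the format described in V(systemd.time(7\)).
    type: str
    required: false
  pretty:
    description:
      - Pretty print the output so that it may be pasted directly into a unit file.
    type: bool
    required: false
    default: false
  secret:
    description:
      - The secret to encrypt.
      - It is passed to C(systemd-creds) on standard input exactly as given (no trailing newline is added)
        and is excluded from task output and logs.
    type: str
    required: true
  timestamp:
    description:
      - The timestamp to embed into the encrypted credential.
      - Takes a timestamp specification in the format described in V(systemd.time(7\)).
    type: str
    required: false
  user:
    description:
      - A user name or numeric UID to encrypt the credential for.
      - If set to the special string V(self) it sets the user to the user of the calling process.
      - Requires C(systemd) 256 or later.
    type: str
    required: false
notes:
  - C(systemd-creds) requires C(systemd) 250 or later.
  - The encrypted credential is only returned in RV(value); writing it to a unit file or credential
    directory is left to a subsequent task.
  - Which key material C(systemd-creds) encrypts with, and therefore where the credential can later be
    decrypted, is decided by C(systemd-creds) itself; see C(systemd-creds(1\)).
  - Encryption does not change system state, so the command is executed in check mode as well.
"""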
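EXAMPLES = r"""
- name: Encrypt secret
  become: true
  community.general.systemd_creds_encrypt:
    name: db
    not_after: +48hr
    # Keep the plaintext out of the play itself, for example in a vaulted variable.
    secret: "{{ db_access_token }}"
  register: encrypted_secret

- name: Print the encrypted secret
  ansible.builtin.debug:
    msg: "{{ encrypted_secret.value }}"
"""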
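RETURN = r"""
value:
  description: The Base64 encoded encrypted secret, as written by C(systemd-creds encrypt) to standard output.
  type: str
  returned: always
  sample: "WhQZht+JQJax1aZemmGLxmAAAA..."
rc:
  description: Exit code of the C(systemd-creds encrypt) command.
  type: int
  returned: always
  sample: 0
stderr:
  description: Standard error output of the C(systemd-creds encrypt) command.
  type: str
  returned: always
  sample: ""
"""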
from ansible.module_utils.basic import AnsibleModule
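def main():
    """Encrypt a secret with ``systemd-creds encrypt`` and return the ciphertext.

    The plaintext is fed to ``systemd-creds`` on standard input (the first
    ``-`` operand) and the Base64 encrypted credential is read back from
    standard output (the second ``-`` operand); this module writes nothing to
    disk.  Encrypting does not change system state, so the command is run in
    check mode as well.

    Terminates via ``module.exit_json`` with ``value``, ``rc`` and ``stderr``
    on success, or via ``module.fail_json`` (with ``rc`` and ``stderr``) when
    ``systemd-creds`` exits non-zero, for example because an option is not
    supported by the installed systemd version.
    """
    module = AnsibleModule(
        argument_spec=dict(
            name=dict(type="str", required=False),
            not_after=dict(type="str", required=False),
            pretty=dict(type="bool", default=False),
            # no_log keeps the plaintext out of task results and logs.
            secret=dict(type="str", required=True, no_log=True),
            timestamp=dict(type="str", required=False),
            user=dict(type="str", required=False),
        ),
        supports_check_mode=True,
    )

    cmd = module.get_bin_path("systemd-creds", required=True)
    params = module.params

    # argv is built as a list, one option per element, so user-supplied
    # values are never parsed by a shell.
    encrypt_cmd = [cmd, "encrypt"]
    # --name= is always passed, empty when no name was given.  NOTE(review):
    # per systemd-creds(1) an empty --name= embeds no credential name (and
    # skips the name check on decryption) instead of deriving one from the
    # output path, which is stdout here -- confirm against the installed version.
    encrypt_cmd.append("--name=" + (params["name"] or ""))
    if params["not_after"]:
        encrypt_cmd.append("--not-after=" + params["not_after"])
    if params["pretty"]:
        encrypt_cmd.append("--pretty")
    if params["timestamp"]:
        encrypt_cmd.append("--timestamp=" + params["timestamp"])
    if params["user"]:
        encrypt_cmd.append("--uid=" + params["user"])
    # Plaintext from stdin, ciphertext to stdout.
    encrypt_cmd.extend(["-", "-"])

    # binary_data=True stops run_command from appending "\n" to the data, so
    # exactly the given secret is encrypted.
    rc, stdout, stderr = module.run_command(encrypt_cmd, data=params["secret"], binary_data=True)

    if rc != 0:
        # Never report success with an empty value when encryption failed;
        # a caller would otherwise store an empty credential.
        module.fail_json(
            msg="systemd-creds encrypt failed with exit code %d" % rc,
            rc=rc,
            stderr=stderr,
        )

    module.exit_json(
        changed=False,
        value=stdout,
        rc=rc,
        stderr=stderr,
    )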
# Module entry point: Ansible runs this file as a script on the target host.
if __name__ == "__main__":
    main()