1.0.17 (#53)

* Fixes #44 sanity tests failing in cyberarkpas (#49)

* Add sanity & integration tests

* Add master branch (legacy)

* Resolved all failing sanity tests

* Bump version to 1.0.17

* Add tests for Ansible 2.9 & ansible-base 2.10

* Resolve @felixfontein review comments

* no_log: False for Secrets Management parent

* Resolve @felixfontein review - rm needs units

* rm integration tests (for now)

* Add cyberark.aimprovider role to collection (#52)

.github/workflows/ci.yml

@@ -0,0 +1,105 @@
+# README FIRST
+# 1. If you don't have unit tests, remove that section.
+# 2. If your collection depends on other collections ensure they are installed,
+#    add them to the "test-deps" input.
+# 3. For the comprehensive list of the inputs supported by the
+#    ansible-community/ansible-test-gh-action GitHub Action, see
+#    https://github.com/marketplace/actions/ansible-test.
+# 4. If you want to prevent merging PRs that do not pass all tests,
+#    make sure to add the "check" job to your repository branch
+#    protection once this workflow is added.
+#    It is also possible to tweak which jobs are allowed to fail. See
+#    https://github.com/marketplace/actions/alls-green#gotchas for more detail.
+# 5. If you need help please ask in #ansible-community on the Libera.chat IRC
+#    network.
+
+name: CI
+on:
+  # Run CI against all pushes (direct commits, also merged PRs), Pull Requests
+  push:
+    branches:
+      - main
+      - master
+      - stable-*
+  pull_request:
+  # Run CI once per day (at 06:00 UTC)
+  # This ensures that even if there haven't been commits that we are still
+  # testing against latest version of ansible-test for each ansible-core
+  # version
+  schedule:
+    - cron: '0 6 * * *'
+
+concurrency:
+  group: >-
+    ${{ github.workflow }}-${{
+      github.event.pull_request.number || github.sha
+    }}
+  cancel-in-progress: true
+
+jobs:
+
+###
+# Sanity tests (REQUIRED)
+#
+# https://docs.ansible.com/ansible/latest/dev_guide/testing_sanity.html
+
+  sanity:
+    name: Sanity (Ⓐ${{ matrix.ansible }})
+    strategy:
+      matrix:
+        ansible:
+          # It's important that Sanity is tested against all stable-X.Y branches
+          # Testing against `devel` may fail as new tests are added.
+          # An alternative to `devel` is the `milestone` branch with
+          # gets synchronized with `devel` every few weeks and therefore
+          # tends to be a more stable target. Be aware that it is not updated
+          # around creation of a new stable branch, this might cause a problem
+          # that two different versions of ansible-test use the same sanity test
+          # ignore.txt file.
+          - stable-2.9 # Only if your collection supports Ansible 2.9
+          - stable-2.10 # Only if your collection supports ansible-base 2.10
+          - stable-2.11
+          - stable-2.12
+          - stable-2.13
+          - stable-2.14
+          - devel
+        # - milestone
+    # Ansible-test on various stable branches does not yet work well with cgroups v2.
+    # Since ubuntu-latest now uses Ubuntu 22.04, we need to fall back to the ubuntu-20.04
+    # image for these stable branches. The list of branches where this is necessary will
+    # shrink over time, check out https://github.com/ansible-collections/news-for-maintainers/issues/28
+    # for the latest list.
+    runs-on: >-
+      ${{ contains(fromJson(
+          '["stable-2.9", "stable-2.10", "stable-2.11"]'
+      ), matrix.ansible) && 'ubuntu-20.04' || 'ubuntu-latest' }}
+    steps:
+      # Run sanity tests inside a Docker container.
+      # The docker container has all the pinned dependencies that are
+      # required and all Python versions Ansible supports.
+      - name: Perform sanity testing
+        uses: ansible-community/ansible-test-gh-action@release/v1
+        with:
+          ansible-core-version: ${{ matrix.ansible }}
+          testing-type: sanity
+          # OPTIONAL If your sanity tests require code
+          # from other collections, install them like this
+          # test-deps: >-
+          #   ansible.netcommon
+          #   ansible.utils
+
+  check:  # This job does nothing and is only used for the branch protection
+          # or multi-stage CI jobs, like making sure that all tests pass before
+          # a publishing job is started.
+    if: always()
+
+    needs:
+      - sanity
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Decide whether the needed jobs succeeded or failed
+        uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}

README.md

@@ -51,6 +51,13 @@ None.
 - Using AAM Central Credential Provider (CCP), to securely retreive secrets and account properties from EPV to be registered for use in playbooks<br>
 [Playbooks and Module Info](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/cyberark_credential.md)
 
+## Roles
+
+#### aimprovider
+
+- Install agent-based Credential Provider (AIM) on Linux hosts
+[Playbooks and Module Info](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/aimprovider.md)
+
 #### Python3
 
 - The modules will work with either python2 or python3.

docs/aimprovider.md

@@ -0,0 +1,91 @@
+cyberark.pas.aimprovider
+====================
+
+Role to install/uninstall CyberArk's AIM Credential Provider.
+
+Requirements
+------------
+
+- CyberArk Privileged Account Security Web Services SDK.
+- `cyberark.pas` Collection from Ansible Galaxy or Automation Hub
+
+Role Variables
+--------------
+```
+# CyberArk's Privileged Account Security Web Services SDK api base URL (example: https://components.cyberark.local)
+rest_api_url: ""
+
+# Whether to validate certificates for REST api calls. If false, SSL certificates will not be validated. This should only be used on personally controlled sites using self-signed certificates.
+validate_certs: true
+
+# Zip file with distribution of AIM Provider (example: /tmp/binaries/RHELinux x64-Rls-v9.8.zip); this file is located in the Ansible server, and it will be copied to the Ansible nodes. It should point to the current version of AIM distribution to be used when delivering to the nodes in a central folder within the Ansible server.
+zip_file_name: ""
+
+# Folder name within the ZIP file that will be used. By default, it's taken from zip file name, for example: "RHELinux x64"
+folder_name: '{{zip_file_name.split("/")[-1].split("-Rls")[0]}}'
+
+# CyberArk location for App Provider user to be created
+app_provider_user_location: "\\Applications"
+
+# CyberArk Vault Address
+vault_address: ""
+
+# Whether to use shared logon authentication. If true, it will use the "Shared Logon Authentication" as described in the CyberArk's document "Privileged Account Security Web Services SDK Implementation Guide"
+use_shared_logon_authentication: false
+
+# State - can be "present"/"absent" for install/uninstall.
+state: "present"
+```
+
+
+Additionally:
+- **app_provider_user_group**: The name of the group the Provider user will be added to.
+
+Dependencies
+------------
+
+None.
+
+
+Example Playbook
+----------------
+
+1) Install CyberArk AIM Provider.
+
+```
+---
+- hosts: all
+
+  roles:
+
+    - role: cyberark.pas.aimprovider
+      api_base_url: "https://components.cyberark.local"
+      validate_certs: false
+      zip_file_name: "/tmp/binaries/RHELinux x64-Rls-v9.8.zip"
+      vault_address: "10.0.1.10"
+      use_shared_logon_authentication: true
+```
+
+2) Uninstall CyberArk AIM Provider.
+```
+---
+- hosts: all
+
+  roles:
+
+    - role: cyberark.pas.aimprovider
+      api_base_url: "https://components.cyberark.local"
+      use_shared_logon_authentication: true
+      state: "absent"
+      validate_certs: false
+```
+
+License
+-------
+
+MIT
+
+Author Information
+------------------
+
+- Edward Nunez ([email protected])

galaxy.yml

@@ -1,10 +1,11 @@
 namespace: "cyberark"
 name: "pas"
-version: "1.0.16"
+version: "1.0.17"
 readme: README.md
 authors:
     - CyberArk Business Development (@cyberark-bizdev)
     - Edward Nunez (@enunez-cyberark)
+    - Joe Garcia (@infamousjoeg)
 description: "This is a Collection of the CyberArk Ansible Security Automation toolkit."
 license: "MIT"
 tags:

plugins/modules/cyberark_account.py

@@ -22,7 +22,7 @@
     - CyberArk BizDev (@cyberark-bizdev)
     - Edward Nunez (@enunez-cyberark)
     - James Stutes (@jimmyjamcabd)
-version_added: 2.4
+version_added: '1.0.0'
 description:
     - Creates a URI for adding, deleting, modifying a privileged credential
       within the Cyberark Vault.  The request uses the Privileged Account
@@ -35,15 +35,15 @@
             - Assert the desired state of the account C(present) to creat or
               update and account object. Set to C(absent) for deletion of an
               account object.
-        required: true
+        required: false
         default: present
         choices: [present, absent]
         type: str
     logging_level:
         description:
             - Parameter used to define the level of troubleshooting output to
               the C(logging_file) value.
-        required: true
+        required: false
         choices: [NOTSET, DEBUG, INFO]
         type: str
     logging_file:
@@ -57,7 +57,7 @@
             - A string containing the base URL of the server hosting CyberArk's
               Privileged Account Security Web Services SDK.
             - Example U(https://<IIS_Server_Ip>/PasswordVault/api/)
-        required: true
+        required: false
         type: str
     validate_certs:
         description:
@@ -71,7 +71,7 @@
         description:
             - Dictionary set by a CyberArk authentication containing the
               different values to perform actions on a logged-on CyberArk
-              session, please see M(cyberark_authentication) module for an
+              session, please see M(cyberark.pas.cyberark_authentication) module for an
               example of cyberark_session.
         required: true
         type: dict
@@ -337,7 +337,7 @@
                   the credential.
             returned: successful addition and modification
             type: complex
-            sample:
+            contains:
                 automaticManagementEnabled:
                     description:
                         - Parameter that indicates whether the CPM will manage
@@ -353,6 +353,7 @@
                     sample: "1567824520"
                 manualManagementReason:
                     description:
+                        - Reason for disabling automatic management of the account
                     returned: if C(automaticManagementEnabled) is set to false
                     type: str
                     sample: This is a static account
@@ -1223,7 +1224,10 @@ def main():
             "required": False,
             "type": "dict",
             "options": {
-                "automatic_management_enabled": {"type": "bool"},
+                "automatic_management_enabled": {
+                    "type": "bool",
+                    "default": False,
+                },
                 "manual_management_reason": {"type": "str"},
                 "management_action": {
                     "type": "str",
@@ -1236,6 +1240,7 @@ def main():
                     "default": "always",
                 },
             },
+            "no_log": False,
         },
         "remote_machines_access": {
             "required": False,

plugins/modules/cyberark_authentication.py

@@ -18,10 +18,9 @@
 module: cyberark_authentication
 short_description: CyberArk Authentication using PAS Web Services SDK.
 author:
-    - Edward Nunez (@enunez-cyberark) CyberArk BizDev
+    - Edward Nunez (@enunez-cyberark)
     - Cyberark Bizdev (@cyberark-bizdev)
-    - Edgar Mota
-version_added: 2.4
+version_added: '1.0.0'
 description:
     - Authenticates to CyberArk Vault using Privileged Account Security
       Web Services SDK and creates a session fact that can be used by other
@@ -86,6 +85,11 @@
         description:
             - To support multiple connections for same user specify
             - different value for this parameter.
+    concurrentSession:
+        type: bool
+        default: False
+        description:
+            - Whether or not to allow concurrent sessions for the same user.
     cyberark_session:
         description:
             - Dictionary set by a CyberArk authentication containing the
@@ -95,6 +99,7 @@
     timeout:
         description:
             - Allows you set a timeout for when your authenticating to Cyberark
+        default: 10
         type: int
 """
 

plugins/modules/cyberark_credential.py

@@ -22,7 +22,7 @@
     - CyberArk BizDev (@cyberark-bizdev)
     - Erasmo Acosta (@erasmix)
     - James Stutes (@JimmyJamCABD)
-version_added: 2.4
+version_added: '1.0.0'
 description:
     - Creates a URI for retrieving a credential from a password object stored
       in the Cyberark Vault.  The request uses the Privileged Account Security
@@ -185,7 +185,7 @@
             returned: if assigned to a policy
         Safe:
             description: The safe where the queried credential is stored
-            type: string
+            type: str
             returned: always
         Username:
             description: The username of the credential being queried
@@ -323,7 +323,7 @@ def main():
         },
         "validate_certs": {"type": "bool", "default": True},
         "client_cert": {"type": "str", "required": False},
-        "client_key": {"type": "str", "required": False},
+        "client_key": {"type": "str", "required": False, "no_log": True},
     }
 
     module = AnsibleModule(argument_spec=fields, supports_check_mode=True)