From 4078a368bc2155679dfcdd43c7645bc0de8b8039 Mon Sep 17 00:00:00 2001
From: JtMotoX <7191259+JtMotoX@users.noreply.github.com>
Date: Wed, 13 Nov 2024 16:18:05 -0800
Subject: [PATCH 1/4] add retrieve option to state
---
plugins/modules/cyberark_account.py | 82 ++++++++++++++++++++++++++++-
1 file changed, 81 insertions(+), 1 deletion(-)
diff --git a/plugins/modules/cyberark_account.py b/plugins/modules/cyberark_account.py
index e23b493..88d18b1 100644
--- a/plugins/modules/cyberark_account.py
+++ b/plugins/modules/cyberark_account.py
@@ -1189,12 +1189,89 @@ def get_account(module):
)
+def retrieve_password(module, existing_account):
+ logging.debug("Retrieving Password")
+
+ cyberark_session = module.params["cyberark_session"]
+ api_base_url = cyberark_session["api_base_url"]
+ validate_certs = cyberark_session["validate_certs"]
+
+ result = existing_account
+ HTTPMethod = "POST"
+ end_point = "/PasswordVault/api/Accounts/%s/Password/Retrieve" % existing_account["id"]
+
+ headers = {
+ "Content-Type": "application/json",
+ "Authorization": cyberark_session["token"],
+ "User-Agent": "CyberArk/1.0 (Ansible; cyberark.pas)"
+ }
+
+ try:
+
+ response = open_url(
+ api_base_url + end_point,
+ method=HTTPMethod,
+ headers=headers,
+ validate_certs=validate_certs,
+ )
+
+ password = response.read().decode('utf-8')
+
+ if not (password.startswith('"') and password.endswith('"')):
+ module.fail_json(
+ msg=(
+ "Error while performing retrieve_password."
+ "The returned value was not formatted as expected."
+ "\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, res)
+ ),
+ headers=headers,
+ status_code=http_exception.code,
+ )
+
+ password = password[1:-1]
+
+ result["password"] = password
+
+ logging.debug("Password Retrieved")
+
+ return (False, result, response.getcode())
+
+ except (HTTPError, HTTPException) as http_exception:
+
+ if isinstance(http_exception, HTTPError):
+ res = json.load(http_exception)
+ else:
+ res = to_text(http_exception)
+
+ module.fail_json(
+ msg=(
+ "Error while performing retrieve_password."
+ "Please validate parameters provided."
+ "\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, res)
+ ),
+ headers=headers,
+ status_code=http_exception.code,
+ )
+
+ except Exception as unknown_exception:
+
+ module.fail_json(
+ msg=(
+ "Unknown error while performing retrieve_password."
+ "\n*** end_point=%s%s\n%s"
+ % (api_base_url, end_point, to_text(unknown_exception))
+ ),
+ headers=headers,
+ status_code=-1,
+ )
+
+
def main():
fields = {
"state": {
"type": "str",
- "choices": ["present", "absent"],
+ "choices": ["present", "absent", "retrieve"],
"default": "present",
},
"logging_level": {"type": "str", "choices": ["NOTSET", "DEBUG", "INFO"]},
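Review bot: The malformed-response branch of `retrieve_password` (the `fail_json` under `if not (password.startswith('"') and password.endswith('"'))`) formats `res` and reads `http_exception.code`, but both names are only bound in the later `except` handler. That path therefore raises `UnboundLocalError` and surfaces as "Unknown error" instead of the intended message; format with `% (api_base_url, end_point)` only and pass `status_code=response.getcode()`. All three `fail_json` calls also pass `headers=headers`, which puts the `Authorization` session token into the task's failure output; drop that argument or pass a copy without the token. Finally, `password = password[1:-1]` removes the quotes but leaves JSON escapes such as `\"` and `\\` undecoded, so `password = json.loads(password)` is needed to return the actual secret.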
@@ -1302,6 +1379,9 @@ def main():
elif found and state == "absent":
(changed, result, status_code) = delete_account(module, account_record)
+ elif found and state == "retrieve":
+ (changed, result, status_code) = retrieve_password(module, account_record)
+
module.exit_json(changed=changed, result=result, status_code=status_code)
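Review bot: The new `elif found and state == "retrieve"` branch only runs when the account exists, so a retrieve for a missing account appears to fall through to `module.exit_json` and report success without a password. The rest of `main()` lies outside this hunk, so confirm what `result` holds on that path. If it is indeed a silent success, add an explicit branch such as `elif state == "retrieve": module.fail_json(msg="Account not found, password not retrieved")` so playbooks do not continue with an undefined secret.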
From 5e03fb88a4b9cc73f89bcbbef084c2bbac32bd24 Mon Sep 17 00:00:00 2001
From: JtMotoX <7191259+JtMotoX@users.noreply.github.com>
Date: Wed, 13 Nov 2024 16:35:08 -0800
Subject: [PATCH 2/4] update version, changelog, and docs
---
CHANGELOG.md | 4 ++++
README.md | 3 ++-
docs/cyberark_account.md | 10 +++++++++
galaxy.yml | 2 +-
plugins/modules/cyberark_account.py | 22 ++++++++++++++-----
tests/retrieve_account.yml | 34 +++++++++++++++++++++++++++++
6 files changed, 67 insertions(+), 8 deletions(-)
create mode 100644 tests/retrieve_account.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 52c5fc3..ae43352 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.28
+
+- Added ability to retrieve password
+
## 1.0.27
- Fixed Pep8 & pylint for publication in Automation Hub
diff --git a/README.md b/README.md
index 401676e..afed70d 100644
--- a/README.md
+++ b/README.md
@@ -48,7 +48,8 @@ None.
- Add Privileged Account to the EPV
- Delete account objects
- Modify account properties
-- Rotatate privileged credentials
+- Rotatate privileged credentials
+- Retrieve account password
[Playbooks and Module Info](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/cyberark_account.md)
#### cyberark_credential
diff --git a/docs/cyberark_account.md b/docs/cyberark_account.md
index 7ddb4e4..68921e7 100644
--- a/docs/cyberark_account.md
+++ b/docs/cyberark_account.md
@@ -271,6 +271,16 @@ options:
cyberark_session: "{{ cyberark_session }}"
register: reconcileaccount
+ - name: Retrieve account and password
+ cyberark.pas.cyberark_account:
+ identified_by: "address,username"
+ safe: "Domain_Admins"
+ address: "prod.cyberark.local"
+ username: "admin"
+ state: retrieve
+ cyberark_session: "{{ cyberark_session }}"
+ register: retrieveaccount
+
- name: Logoff from CyberArk Vault
cyberark.pas.cyberark_authentication:
state: absent
diff --git a/galaxy.yml b/galaxy.yml
index 00a9921..d7173ee 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,6 +1,6 @@
namespace: "cyberark"
name: "pas"
-version: "1.0.27"
+version: "1.0.28"
readme: README.md
authors:
- CyberArk Business Development (@cyberark-bizdev)
diff --git a/plugins/modules/cyberark_account.py b/plugins/modules/cyberark_account.py
index 88d18b1..605b2d4 100644
--- a/plugins/modules/cyberark_account.py
+++ b/plugins/modules/cyberark_account.py
@@ -16,15 +16,15 @@
DOCUMENTATION = """
---
module: cyberark_account
-short_description: Module for CyberArk Account object creation, deletion, and
- modification using PAS Web Services SDK.
+short_description: Module for CyberArk Account object creation, deletion,
+ modification, and password retrieval using PAS Web Services SDK.
author:
- CyberArk BizDev (@cyberark-bizdev)
- Edward Nunez (@enunez-cyberark)
- James Stutes (@jimmyjamcabd)
version_added: '1.0.0'
description:
- - Creates a URI for adding, deleting, modifying a privileged credential
+ - Creates a URI for adding, deleting, modifying, and retrieving a privileged credential
within the Cyberark Vault. The request uses the Privileged Account
Security Web Services SDK.
@@ -32,12 +32,12 @@
options:
state:
description:
- - Assert the desired state of the account C(present) to creat or
+ - Assert the desired state of the account C(present) to create or
update and account object. Set to C(absent) for deletion of an
- account object.
+ account object. Set to C(retrieve) to get the account object including the password.
required: false
default: present
- choices: [present, absent]
+ choices: [present, absent, retrieve]
type: str
logging_level:
description:
@@ -250,6 +250,16 @@
cyberark_session: "{{ cyberark_session }}"
register: reconcileaccount
+ - name: Retrieve account and password
+ cyberark.pas.cyberark_account:
+ identified_by: "address,username"
+ safe: "Domain_Admins"
+ address: "prod.cyberark.local"
+ username: "admin"
+ state: retrieve
+ cyberark_session: "{{ cyberark_session }}"
+ register: retrieveaccount
+
- name: Logoff from CyberArk Vault
cyberark_authentication:
state: absent
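Review bot: The added "Retrieve account and password" example registers `retrieveaccount` without `no_log: true`, so the clear-text password that `retrieve_password` puts in `result["password"]` will be shown in task output and captured by any log callback. Add `no_log: true` to the example task and say in the `state` option description that C(retrieve) returns the secret in the module result. The same example in `docs/cyberark_account.md` needs the same line.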
diff --git a/tests/retrieve_account.yml b/tests/retrieve_account.yml
new file mode 100644
index 0000000..5301aba
--- /dev/null
+++ b/tests/retrieve_account.yml
@@ -0,0 +1,34 @@
+---
+- hosts: localhost
+
+ collections:
+ - cyberark.pas
+
+ tasks:
+
+ - name: Logon to CyberArk Vault using PAS Web Services SDK
+ cyberark_authentication:
+ api_base_url: "http://components.cyberark.local"
+ validate_certs: false
+ username: "bizdev"
+ password: "Cyberark1"
+
+
+ - name: Retrieve account and password
+ cyberark.pas.cyberark_account:
+ identified_by: "address,username"
+ safe: "Test"
+ address: "cyberark.local"
+ username: "cyberark-administrator"
+ state: retrieve
+ cyberark_session: "{{ cyberark_session }}"
+ register: retrieveaccount
+
+ - name: Debug message
+ debug:
+ var: retrieveaccount
+
+ - name: Logoff from CyberArk Vault
+ cyberark_authentication:
+ state: absent
+ cyberark_session: "{{ cyberark_session }}"
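Review bot: The `Debug message` task dumps the whole `retrieveaccount` variable, which now contains the retrieved password in clear text under `result.password`, so running this playbook prints the secret to the console and to any configured log. Replace it with a check that does not echo the value, for example an `assert` with `that: retrieveaccount.result.password is defined`, and set `no_log: true` on the retrieve task. The logon task also sends a literal password to an `http://` base URL with `validate_certs: false`; this may mirror the other test playbooks, but a comment marking these as lab-only values would stop them being copied into real inventories.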
From 19e3de29b28935870d7bb09f88fb0a113dedd6a2 Mon Sep 17 00:00:00 2001
From: JtMotoX <7191259+JtMotoX@users.noreply.github.com>
Date: Mon, 18 Nov 2024 15:05:24 -0800
Subject: [PATCH 3/4] Add docs for updating password in vault only (#76)
* update docs to provide details to update password only in vault
* update version
* update task id in docs
* update task id in docs
* update changelog
---------
Co-authored-by: Jonathan Fair
---
CHANGELOG.md | 4 ++++
docs/cyberark_account.md | 12 ++++++++++++
galaxy.yml | 2 +-
plugins/modules/cyberark_account.py | 16 +++++++++++++---
4 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ae43352..426deaf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.29
+
+- Added documentation to update password only in Vault
+
## 1.0.28
- Added ability to retrieve password
diff --git a/docs/cyberark_account.md b/docs/cyberark_account.md
index 68921e7..2acada3 100644
--- a/docs/cyberark_account.md
+++ b/docs/cyberark_account.md
@@ -270,6 +270,18 @@ options:
state: present
cyberark_session: "{{ cyberark_session }}"
register: reconcileaccount
+
+ - name: Update password only in VAULT
+ cyberark.pas.cyberark_account:
+ identified_by: "address,username"
+ safe: "Domain_Admins"
+ address: "prod.cyberark.local"
+ username: "admin"
+ platform_id: Generic
+ new_secret: "Ama123ah12@#!Xaamdjbdkl@#112"
+ state: present
+ cyberark_session: "{{ cyberark_session }}"
+ register: updateaccount
- name: Retrieve account and password
cyberark.pas.cyberark_account:
diff --git a/galaxy.yml b/galaxy.yml
index d7173ee..30606d2 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,6 +1,6 @@
namespace: "cyberark"
name: "pas"
-version: "1.0.28"
+version: "1.0.29"
readme: README.md
authors:
- CyberArk Business Development (@cyberark-bizdev)
diff --git a/plugins/modules/cyberark_account.py b/plugins/modules/cyberark_account.py
index 605b2d4..a833c9c 100644
--- a/plugins/modules/cyberark_account.py
+++ b/plugins/modules/cyberark_account.py
@@ -231,9 +231,7 @@
cyberark_session: "{{ cyberark_session }}"
register: cyberarkaction
- - name:
- - Rotate credential via reconcile and providing the password to
- bechanged to.
+ - name: Rotate credential via reconcile and providing the password to be changed to
cyberark_account:
identified_by: "address,username"
safe: "Domain_Admins"
@@ -249,6 +247,18 @@
state: present
cyberark_session: "{{ cyberark_session }}"
register: reconcileaccount
+
+ - name: Update password only in VAULT
+ cyberark.pas.cyberark_account:
+ identified_by: "address,username"
+ safe: "Domain_Admins"
+ address: "prod.cyberark.local"
+ username: "admin"
+ platform_id: Generic
+ new_secret: "Ama123ah12@#!Xaamdjbdkl@#112"
+ state: present
+ cyberark_session: "{{ cyberark_session }}"
+ register: updateaccount
- name: Retrieve account and password
cyberark.pas.cyberark_account:
From 4b4f3b48c06eb4613d39ae43c0d82cce433f9198 Mon Sep 17 00:00:00 2001
From: JtMotoX <7191259+JtMotoX@users.noreply.github.com>
Date: Mon, 18 Nov 2024 15:44:19 -0800
Subject: [PATCH 4/4] remove duplicate example
---
plugins/modules/cyberark_account.py | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/plugins/modules/cyberark_account.py b/plugins/modules/cyberark_account.py
index 69356ce..a833c9c 100644
--- a/plugins/modules/cyberark_account.py
+++ b/plugins/modules/cyberark_account.py
@@ -270,18 +270,6 @@
cyberark_session: "{{ cyberark_session }}"
register: retrieveaccount
- - name: Update password only in VAULT
- cyberark.pas.cyberark_account:
- identified_by: "address,username"
- safe: "Domain_Admins"
- address: "prod.cyberark.local"
- username: "admin"
- platform_id: Generic
- new_secret: "Ama123ah12@#!Xaamdjbdkl@#112"
- state: present
- cyberark_session: "{{ cyberark_session }}"
- register: updateaccount
-
- name: Logoff from CyberArk Vault
cyberark_authentication:
state: absent