B ÷±ô`]ã @sJddlmZmZmZeZddlZddlZddlZddl Z ddl Z ddl m Z ddl mZddlmZddlmmmmmZdZdZdZdZyœddlmZddlm Z dd lm!Z!dd l"m#Z#dd l$m%Z&dd l'm(Z(m)Z)dd l*m+Z+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2ddl$m3Z3ddl4m5Z5Wn,e6k r`Z7z e7ZdZWddZ7[7XYnXy,ddl8mZddl*m9Z9m:Z:ddl;mm%Z?Wne6k rØdZ?YnXe@ddddddddd d! ZAe@d"d#d$d%ZBd&ZCd' De?¡ZEGd(d)„d)eFƒZGGd*d+„d+ƒZHd,d-„ZIeJd.krFeIƒdS)/é)Úabsolute_importÚdivisionÚprint_functionN)ÚKeyVaultClient)Ú configparser)Ú expanduserT)ÚAADTokenCredentials)Ú CloudError)ÚMSIAuthentication)Ú azure_cloud)Ú __version__)ÚAzureMissingResourceHttpErrorÚAzureHttpError)ÚServicePrincipalCredentialsÚUserPassCredentials)ÚNetworkManagementClient)ÚResourceManagementClient)ÚSubscriptionClient)ÚComputeManagementClient)ÚAuthenticationContextF)ÚCLIError)Úget_azure_cli_credentialsÚget_cli_profile)Úget_cli_active_cloudÚunknownZ AZURE_PROFILEZAZURE_SUBSCRIPTION_IDZAZURE_CLIENT_IDZ AZURE_SECRETZ AZURE_TENANTZ AZURE_AD_USERZAZURE_PASSWORDZAZURE_CLOUD_ENVIRONMENTZAZURE_ADFS_AUTHORITY_URL) ÚprofileÚsubscription_idÚ client_idÚsecretÚtenantÚad_userÚpasswordÚcloud_environmentÚadfs_authority_urlZAZURE_VAULT_NAMEZAZURE_VAULT_SECRET_NAMEZAZURE_VAULT_SECRET_VERSION)Ú vault_nameÚ secret_nameÚsecret_versionz2.0.0z Ansible/{0}c@s¨eZdZdd„Zdd„Zdd„Zd%dd „Zd d „Zd d „Zd&dd„Z dd„Z dd„Z dd„Z dd„Z dd„Zdd„Zedd„ƒZedd „ƒZed!d"„ƒZed#d$„ƒZdS)'ÚAzureRMc s||_d|_d|_d|_d|_d|_d|_d|_d|_|jrBd|_|  |¡|_ |j s^|  d¡|j   d¡‰ˆsxt j|_nÌdd„t t ¡Dƒ}‡fdd„|Dƒ}t|ƒdkr¶|d |_nŽt|ƒdkrÔ|  d  ˆ¡¡npt ˆ¡jsú|  d  d d„|Dƒ¡¡yt  ˆ¡|_Wn8tk rB}z|  d  ˆ|j¡¡Wdd}~XYnX|j   dd¡dkrb|  d¡| d¡|j d|_|j   d¡r–|j   d¡|_n |jjj|_|jjj|_|j   d¡rÎ|j   d¡|_n4|j   d¡r |j   d¡r |j   d¡r t|j d|j d|j d|jd|_nâ|j   d¡dk rœ|j   d¡dk rœ|j   d¡dk rœ|j   d¡dk rœ| |j|j|j d|j d|j d|j d¡|_nf|j   d¡dk rø|j   d¡dk rø|j   d¡}|sÖd}t |j d|j d||jd|_n |  d¡dS)NFTz}Failed to get credentials. Either pass as parameters, set environment variables, or define a profile in ~/.azure/credentials.r"cSs$g|]}t|dtjƒr|d‘qS)é)Ú isinstancer ZCloud)Ú.0Úx©r,ún/home/dcms/DCMS/lib/python3.7/site-packages/ansible_collections/community/general/scripts/vault/azure_vault.pyú Úsz$AzureRM.__init__..csg|]}|jˆkr|‘qSr,)Úname)r*r+)Ú raw_cloud_envr,r-r.Ûsr(rzOAzure SDK failure: more than one cloud matched for cloud_environment name '{0}'zAcloud_environment must be an endpoint discovery URL or one of {0}cSsg|] }|j‘qSr,)r/)r*r+r,r,r-r.äsz0cloud_environment {0} could not be resolved: {1}rz4Credentials did not include a subscription_id value.zsetting subscription_idr#Ú credentialsrrr)rrrr"r r!Úcommon)rr"a Failed to authenticate with provided credentials. Some attributes were missing. Credentials must include client_id, secret and tenant or ad_user and password, or ad_user, password, client_id, tenant and adfs_authority_url(optional) for ADFS authentication, or be logged in using AzureCLI.)!Ú_argsÚ_cloud_environmentÚ_compute_clientÚ_resource_clientÚ_network_clientZ_adfs_authority_urlÚ _vault_clientZ _resourceÚdebugÚ_get_credentialsr1ÚfailÚgetr ZAZURE_PUBLIC_CLOUDÚinspectÚ getmembersÚlenÚformatÚurlparseÚschemeZ get_cloud_from_metadata_endpointÚ ExceptionÚmessageÚlogrÚ endpointsZactive_directoryZactive_directory_resource_idÚazure_credentialsrÚ$acquire_token_with_username_passwordr)ÚselfÚargsZ all_cloudsZmatched_cloudsÚerr,)r0r-Ú__init__Ás„         &     * $  zAzureRM.__init__cCs|jrt|dƒdS)NÚ )r9Úprint)rIÚmsgr,r,r-rEsz AzureRM.logcCs t|ƒ‚dS)N)rC)rIrOr,r,r-r;"sz AzureRM.failÚdefaultc CsÆtdƒ}|d7}yt ¡}| |¡Wn8tk r^}z| d |t|ƒ¡¡Wdd}~XYnXtƒ}x:t D]2}y|j ||dd||<Wqltk rœYqlXqlW|  d¡dk s¾|  d¡dk rÂ|SdS)Nú~z/.azure/credentialszNFailed to access {0}. Check that the file exists and you have read access. {1}T)Úrawrr ) rÚcpÚ ConfigParserÚreadrCr;r@ÚstrÚdictÚAZURE_CREDENTIAL_ENV_MAPPINGr<)rIrÚpathÚconfigÚexcr1Úkeyr,r,r-Ú _get_profile%s"   zAzureRM._get_profilecCsltƒ}x&t ¡D]\}}tj |d¡||<qW|ddk rL| |d¡}|S|ddk sd|ddk rh|SdS)Nrrr )rWrXÚitemsÚosÚenvironr<r])rIÚenv_credentialsÚ attributeÚ env_variabler1r,r,r-Ú_get_env_credentials:s zAzureRM._get_env_credentialscCs tƒ\}}tƒ}|||dœ}|S)N)r1rr")rr)rIr1rr"Úcli_credentialsr,r,r-Ú_get_azure_cli_credentialsHs  z"AzureRM._get_azure_cli_credentialsNc Cs\tƒ}y.t|ƒ}t|j ¡ƒ}t|jƒ}||p0|dœStk rV}zdSd}~XYnXdS)N)r1r)r rÚnextZ subscriptionsÚlistrVrrC)rIZsubscription_id_paramr1Zsubscription_clientZ subscriptionrr[r,r,r-Ú_get_msi_credentialsSs  zAzureRM._get_msi_credentialsc Cs:| d¡tƒ}x"t ¡D]\}}t||ƒ||<qW|ddk r\| d¡| |d¡}|S|ddk rv| d¡|S|ddk r| d¡|S| ¡}|rª| d¡|S| ¡}|rÄ| d¡|S| | d ¡¡}|ræ| d ¡|Syt rö| d ¡|  ¡} | St k r4} z| d   | ¡¡Wdd} ~ XYnXdS) NzGetting credentialsrz.Retrieving credentials with profile parameter.rz%Received credentials from parameters.r zReceived credentials from env.z@Retrieved default profile credentials from ~/.azure/credentials.rzRetrieved credentials from MSI.z,Retrieving credentials from AzureCLI profilez0Error getting AzureCLI profile credentials - {0}) rErWrXr^Úgetattrr]rdrir<ÚHAS_AZURE_CLI_CORErfrr@) rIÚparamsZarg_credentialsrbrcr1raZdefault_credentialsZmsi_credentialsreZcer,r,r-r:asD           "zAzureRM._get_credentialsc Cs8|}|dk r|d|}t|ƒ}| ||||¡} t| ƒS)Nú/)rrHr) rIÚ authorityÚresourceÚusernamer!rrZ authority_uriÚcontextZtoken_responser,r,r-rH”s  z,AzureRM.acquire_token_with_username_passwordc Csny|j}|j |¡WnRtk rh}z4| d |t|ƒ¡¡| d |¡¡| d¡Wdd}~XYnXdS)Nz)One-time registration of {0} failed - {1}z5You might need to register {0} using an admin accountz¨To register a provider using the Python CLI: https://docs.microsoft.com/azure/azure-resource-manager/resource-manager-common-deployment-errors#noregisteredproviderfound)Ú rm_clientZ providersÚregisterrCrEr@rV)rIr\Zresource_clientr[r,r,r-Ú _registeržszAzureRM._registercCs$||j|j||d}|j t¡|S)N)Úbase_urlÚ api_version)rGrrZZadd_user_agentÚANSIBLE_USER_AGENT)rIZ client_typerurvÚclientr,r,r-Úget_mgmt_svc_client«s  zAzureRM.get_mgmt_svc_clientcCs t|jƒS)N)rrG)rIr,r,r-Úget_vault_client³szAzureRM.get_vault_clientcCs |jjjS)N)r4ÚsuffixesZ keyvault_dns)rIr,r,r-Úget_vault_suffix¶szAzureRM.get_vault_suffixcCs6| d¡|js0| t|jjjd¡|_| d¡|jS)NzGetting network clientz 2017-06-01zMicrosoft.Network)rEr7ryrr4rFÚresource_managerrt)rIr,r,r-Únetwork_client¹s  zAzureRM.network_clientcCs,| d¡|js&| t|jjjd¡|_|jS)NzGetting resource manager clientz 2017-05-10)rEr6ryrr4rFr})rIr,r,r-rrÃs  zAzureRM.rm_clientcCs6| d¡|js0| t|jjjd¡|_| d¡|jS)NzGetting compute clientz 2017-03-30zMicrosoft.Compute)rEr5ryrr4rFr}rt)rIr,r,r-Úcompute_clientÌs  zAzureRM.compute_clientcCs | d¡|js| ¡|_|jS)NzGetting the Key Vault client)rEr8rz)rIr,r,r-Ú vault_clientÖs  zAzureRM.vault_client)rP)N)Ú__name__Ú __module__Ú __qualname__rLrEr;r]rdrfrir:rHrtryrzr|Úpropertyr~rrrr€r,r,r,r-r'¿s"]  3   r'c@s<eZdZdd„Zdd„Zdd„Zdd„Zd d „Zd d „Zd S)ÚAzureKeyVaultSecretc Cs°| ¡|_yt|jƒ}Wn6tk rN}zt d t|ƒ¡¡Wdd}~XYnX| ¡|jj rj|jj |_ |jj r||jj |_ |jj rŽ|jj |_ |  ¡|_ |j|_t| ¡ƒdS)Nz{0})Ú_parse_cli_argsr3r'rCÚsysÚexitr@rVÚ_get_vault_settingsr$r%r&r|Ú _vault_suffixr€r8rNÚget_password_from_vault)rIZrmrKr,r,r-rLás &    zAzureKeyVaultSecret.__init__cCsìtjdd}|jddddd|jdd dd d|jd d dd d|jddddd|jdddd|jdddd|jdddd|jdddd|jdddd|jdddd|jddd d|jd!dd"d|jd#dd$d| ¡S)%Nz=Obtain the vault password used to secure your Ansilbe secrets)Ú descriptionz-nz --vault-nameÚstorezName of Azure Key Vault)ÚactionÚhelpz-sz --secret-namez,Name of the secret stored in Azure Key Vaultz-vz--secret-versionz%Version of the secret to be retrievedz--debugÚ store_trueFz!Send the debug messages to STDOUT)rŽrPrz --profilez/Azure profile contained in ~/.azure/credentialsz--subscription_idzAzure Subscription Idz --client_idzAzure Client Id z--secretzAzure Client Secretz--tenantzAzure Tenant Idz --ad_userzActive Directory Userz --passwordr!z--adfs_authority_urlzAzure ADFS authority urlz--cloud_environmentz6Azure Cloud Environment name or metadata discovery URL)ÚargparseÚArgumentParserÚ add_argumentÚ parse_args)rIÚparserr,r,r-r†ús8   z#AzureKeyVaultSecret._parse_cli_argscCs*d |j|j¡}|j ||j|j¡}|jS)Nzhttps://{0}{1})r@r$rŠr8Z get_secretr%r&Úvalue)rIZ vault_urlrr,r,r-r‹sz+AzureKeyVaultSecret.get_password_from_vaultcCsz| ¡}dt| ¡ƒkr={0}' --upgrade`) - {1})Ú HAS_AZUREr‡rˆr@ÚAZURE_MIN_VERSIONÚ HAS_AZURE_EXCr…r,r,r,r-ÚmainJs r¨Ú__main__)KÚ __future__rrrÚtypeÚ __metaclass__r‘r_Úrer‡r=Zazure.keyvaultrZansible.module_utils.six.movesrrSÚos.pathrZ+ansible.module_utils.six.moves.urllib.parseZ module_utilsÚsixÚmovesÚurllibÚparserAr¥r§rkrZ"msrestazure.azure_active_directoryrZmsrestazure.azure_exceptionsr r Z msrestazurer Zazure.mgmt.computer Zazure_compute_versionZ azure.commonr rZazure.common.credentialsrrZazure.mgmt.networkrZazure.mgmt.resource.resourcesrZ!azure.mgmt.resource.subscriptionsrrZadal.authentication_contextrÚ ImportErrorr[Zazure.cli.core.utilrrZazure.common.cloudrrCZansible.releaseZansible_versionrWrXršr¦r@rwÚobjectr'r…r¨rr,r,r,r-Ú s€k   $             "k