From 0b8fedfd04bd8937a306b90be29e48e3bd73151f Mon Sep 17 00:00:00 2001
From: Steffen Scheib <92300342+sscheib-rh@users.noreply.github.com>
Date: Wed, 15 Nov 2023 21:28:34 +0100
Subject: [PATCH] Adding the possibility to decode base64 decoded strings to Delinea's Devops Secret Vault (DSV) (#14646)

Adding the possibility to decode base64 decoded strings to Delinea's Devops Secret Vault (DSV). This is necessary as uploading files to DSV is not possible (and not meant to be) and files should be added base64 encoded. The commit is making sure to remain backward compatible (no secret decoding), as a default is supplied. This has been tested with DSV and works for secrets that are base64 encoded and secrets that are not base64 encoded (which is the default).

Signed-off-by: Steffen Scheib
---
 awx/main/credential_plugins/dsv.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/awx/main/credential_plugins/dsv.py b/awx/main/credential_plugins/dsv.py
index 6e9441ed95..7dc74cab91 100644
--- a/awx/main/credential_plugins/dsv.py
+++ b/awx/main/credential_plugins/dsv.py
@@ -3,6 +3,7 @@ from .plugin import CredentialPlugin
 from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from delinea.secrets.vault import PasswordGrantAuthorizer, SecretsVault
+from base64 import b64decode
 
 dsv_inputs = {
     'fields': [
@@ -44,8 +45,16 @@ dsv_inputs = {
         'help_text': _('The field to extract from the secret'),
         'type': 'string',
     },
+    {
+        'id': 'secret_decoding',
+        'label': _('Should the secret be base64 decoded?'),
+        'help_text': _('Specify whether the secret should be base64 decoded, typically used for storing files, such as SSH keys'),
+        'choices': ['No Decoding', 'Decode Base64'],
+        'type': 'string',
+        'default': 'No Decoding',
+    },
     ],
-    'required': ['tenant', 'client_id', 'client_secret', 'path', 'secret_field'],
+    'required': ['tenant', 'client_id', 'client_secret', 'path', 'secret_field', 'secret_decoding'],
 }
 
 if settings.DEBUG:
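Review bot: The literals 'No Decoding' and 'Decode Base64' in this hunk's `choices` and `default` are re-spelled by the dsv_backend hunk below in `kwargs.get('secret_decoding', 'No Decoding')` and `secret_decoding == 'Decode Base64'`, so the user-facing label doubles as the control value and a later edit to either label silently disables decoding, because any unrecognised value falls through to the undecoded return. Lifting them into module constants, e.g. `SECRET_DECODING_NONE = 'No Decoding'` and `SECRET_DECODING_BASE64 = 'Decode Base64'`, and using those in both `dsv_inputs` and `dsv_backend` keeps the three sites in sync. Adding `secret_decoding` to `required` while also giving it a `default` is presumably what keeps credentials saved before this change valid; if the input validation outside this diff does not apply the default to existing rows, the backward-compatibility claim in the commit message rests only on the `kwargs.get` fallback in the backend. The dsv_backend hunk's trailing context runs past the end of this excerpt.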
@@ -67,12 +76,18 @@ def dsv_backend(**kwargs):
     client_secret = kwargs['client_secret']
     secret_path = kwargs['path']
     secret_field = kwargs['secret_field']
+    # providing a default value to remain backward compatible for secrets that have not specified this option
+    secret_decoding = kwargs.get('secret_decoding', 'No Decoding')
 
     tenant_url = tenant_url_template.format(tenant_name, tenant_tld.strip("."))
 
     authorizer = PasswordGrantAuthorizer(tenant_url, client_id, client_secret)
     dsv_secret = SecretsVault(tenant_url, authorizer).get_secret(secret_path)
 
+    # files can be uploaded base64 decoded to DSV and thus decoding it only, when asked for
+    if secret_decoding == 'Decode Base64':
+        return b64decode(dsv_secret['data'][secret_field]).decode()
+
     return dsv_secret['data'][secret_field]