From 3dee9f05123404cf8d5b1011a70abba2bd2fd9fc Mon Sep 17 00:00:00 2001
From: Jake McDermott
Date: Thu, 21 Mar 2019 10:57:46 -0400
Subject: [PATCH] add plugin for cyberark aim
---
awx/main/credential_plugins/aim.py | 103 ++++++++++++++++++
awx/main/tests/functional/test_credential.py | 1 +
setup.py | 1 +
.../awx.egg-info/entry_points.txt | 1 +
4 files changed, 106 insertions(+)
create mode 100644 awx/main/credential_plugins/aim.py
diff --git a/awx/main/credential_plugins/aim.py b/awx/main/credential_plugins/aim.py
new file mode 100644
index 0000000000..98fb1e55ca
--- /dev/null
+++ b/awx/main/credential_plugins/aim.py
@@ -0,0 +1,103 @@
+from .plugin import CredentialPlugin
+
+import os
+import stat
+import tempfile
+import threading
+from urllib.parse import quote, urljoin
+
+from django.utils.translation import ugettext_lazy as _
+import requests
+
+
+aim_inputs = {
+ 'fields': [{
+ 'id': 'url',
+ 'label': _('CyberArk AIM URL'),
+ 'type': 'string',
+ }, {
+ 'id': 'app_id',
+ 'label': _('Application ID'),
+ 'type': 'string',
+ 'secret': True,
+ }, {
+ 'id': 'client_key',
+ 'label': _('Client Key'),
+ 'type': 'string',
+ 'secret': True,
+ 'multiline': True,
+ }, {
+ 'id': 'client_cert',
+ 'label': _('Client Cert'),
+ 'type': 'string',
+ 'secret': True,
+ 'multiline': True,
+ }, {
+ 'id': 'verify',
+ 'type': 'boolean',
+ 'default': True,
+ 'label': _('Verify'),
+ 'help_text': _('Verify SSL certificates for HTTPS requests'),
+ }],
+ 'metadata': [{
+ 'id': 'safe',
+ 'label': _('Safe'),
+ 'type': 'string',
+ }, {
+ 'id': 'object',
+ 'label': _('Object'),
+ 'type': 'string',
+ }],
+ 'required': ['url', 'app_id', 'safe', 'object'],
+}
+
+
+def create_temporary_fifo(data):
+ """Open fifo named pipe in a new thread using a temporary file path. The
+ thread blocks until data is read from the pipe.
+
+ Returns the path to the fifo.
+
+ :param data(bytes): Data to write to the pipe.
+ """
+ path = os.path.join(tempfile.mkdtemp(), next(tempfile._get_candidate_names()))
+ os.mkfifo(path, stat.S_IRUSR | stat.S_IWUSR)
+
+ threading.Thread(
+ target=lambda p, d: open(p, 'wb').write(d),
+ args=(path, data)
+ ).start()
+ return path
+
+
+def aim_backend(**kwargs):
+ url = kwargs['url']
+ verify = kwargs['verify']
+ client_cert = kwargs.get('client_cert', None)
+ client_key = kwargs.get('client_key', None)
+ app_id = quote(kwargs['app_id'])
+ safe = quote(kwargs['safe'])
+ object_ = quote(kwargs['object'])
+
+ request_qs = '?AppId={0}&Safe={1}&object={2}'.format(app_id, safe, object_)
+ request_url = urljoin(url, '/'.join(['AIMWebService', 'api', 'Accounts']))
+
+ cert = None
+ if client_cert and client_key:
+ cert = (
+ create_temporary_fifo(client_cert.encode()),
+ create_temporary_fifo(client_key.encode())
+ )
+ elif client_cert:
+ cert = create_temporary_fifo(client_cert.encode())
+
+ res = requests.get(request_url + request_qs, cert=cert, verify=verify)
+ res.raise_for_status()
+ return res.json()['Content']
+
+
+aim_plugin = CredentialPlugin(
+ 'CyberArk AIM Secret Lookup',
+ inputs=aim_inputs,
+ backend=aim_backend
+)
diff --git a/awx/main/tests/functional/test_credential.py b/awx/main/tests/functional/test_credential.py
index 882bc2755e..4683dcbfde 100644
--- a/awx/main/tests/functional/test_credential.py
+++ b/awx/main/tests/functional/test_credential.py
@@ -75,6 +75,7 @@ GLqbpJyX2r3p/Rmo6mLY71SqpA==
@pytest.mark.django_db
def test_default_cred_types():
assert sorted(CredentialType.defaults.keys()) == [
+ 'aim',
'aws',
'azure_kv',
'azure_rm',
diff --git a/setup.py b/setup.py
index 957976a5c5..7588e50a0c 100755
--- a/setup.py
+++ b/setup.py
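Review bot: In `create_temporary_fifo` the writer thread runs `open(p, 'wb').write(d)` without ever closing the handle and as a non-daemon thread, so if nothing opens the FIFO for reading (the request fails before the TLS handshake, or `url` is plain http) the `open()` blocks indefinitely, pinning the thread and the private-key bytes, and the `mkdtemp()` directory is never removed; a FIFO also delivers its content only once, so any second read of the same path by the TLS layer would block the same way. I would write through a context manager in a daemon thread, have `aim_backend` remove the temporary directory in a `finally` once `requests.get` returns, and drop the private `tempfile._get_candidate_names()` — the `mkdtemp()` directory is already unique and owner-only, so a fixed filename inside it is enough. Separately, `verify = kwargs['verify']` raises `KeyError` when the caller omits the non-required field; presumably the plugin framework applies the `'default': True`, but `verify = kwargs.get('verify', True)` would not depend on that. Note also that `urljoin(url, 'AIMWebService/api/Accounts')` replaces the last path segment of `url` when it lacks a trailing slash, so a base URL that carries a path component behaves differently from one that ends in `/` — worth stating in the `url` field's help text.
```python
def create_temporary_fifo(data):
    # … unchanged: docstring …
    path = os.path.join(tempfile.mkdtemp(), 'fifo')
    os.mkfifo(path, stat.S_IRUSR | stat.S_IWUSR)

    def _write(p, d):
        # close the handle once the reader has consumed the data
        with open(p, 'wb') as fh:
            fh.write(d)

    # daemon=True: a reader that never arrives cannot keep the process alive
    threading.Thread(target=_write, args=(path, data), daemon=True).start()
    return path
```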
@@ -119,6 +119,7 @@ setup(
'hashivault_kv = awx.main.credential_plugins.hashivault:hashivault_kv_plugin',
'hashivault_ssh = awx.main.credential_plugins.hashivault:hashivault_ssh_plugin',
'azure_kv = awx.main.credential_plugins.azure_kv:azure_keyvault_plugin',
+ 'aim = awx.main.credential_plugins.aim:aim_plugin'
]
},
data_files = proc_data_files([
diff --git a/tools/docker-compose/awx.egg-info/entry_points.txt b/tools/docker-compose/awx.egg-info/entry_points.txt
index dfc186681d..0192f8056f 100644
--- a/tools/docker-compose/awx.egg-info/entry_points.txt
+++ b/tools/docker-compose/awx.egg-info/entry_points.txt
@@ -7,3 +7,4 @@ conjur = awx.main.credential_plugins.conjur:conjur_plugin
hashivault_kv = awx.main.credential_plugins.hashivault:hashivault_kv_plugin
hashivault_ssh = awx.main.credential_plugins.hashivault:hashivault_ssh_plugin
azure_kv = awx.main.credential_plugins.azure_kv:azure_keyvault_plugin
+aim = awx.main.credential_plugins.aim:aim_plugin
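Review bot: The new entry-point line in setup.py is the only element of the list without a trailing comma, unlike the three `hashivault_kv`/`hashivault_ssh`/`azure_kv` entries above it; the next plugin added here will have to touch this line again. I would write it as `'aim = awx.main.credential_plugins.aim:aim_plugin',` to keep the list consistent. The enclosing `setup(` call starts and ends outside the hunk.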