From d54a2526a3dbd2424df4c43c4d172bafee796995 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sat, 4 Nov 2023 08:55:02 +0100
Subject: [PATCH] Add azure_rm_access_token module

This adds a module to retrieve an access token for Azure.
---
 plugins/modules/azure_rm_access_token_info.py | 127 ++++++++++++++++++
 .../azure_rm_access_token_info/aliases | 3 +
 .../azure_rm_access_token_info/meta/main.yml | 2 +
 .../azure_rm_access_token_info/tasks/main.yml | 13 ++
 4 files changed, 145 insertions(+)
 create mode 100644 plugins/modules/azure_rm_access_token_info.py
 create mode 100644 tests/integration/targets/azure_rm_access_token_info/aliases
 create mode 100644 tests/integration/targets/azure_rm_access_token_info/meta/main.yml
 create mode 100644 tests/integration/targets/azure_rm_access_token_info/tasks/main.yml

diff --git a/plugins/modules/azure_rm_access_token_info.py b/plugins/modules/azure_rm_access_token_info.py
new file mode 100644
index 0000000000..59eef97695
--- /dev/null
+++ b/plugins/modules/azure_rm_access_token_info.py
@@ -0,0 +1,127 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2023 Patrick Uiterwijk <@puiterwijk>
+#
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+DOCUMENTATION = '''
+---
+module: azure_rm_access_token_info
+
+version_added: "1.19.0"
+
+short_description: Get Azure API access token
+
+description:
+ - Get an access token for Azure APIs.
+
+options:
+ scopes:
+ description:
+ - The scopes to request.
+ type: list
+ elements: str
+ required: True
+ claims:
+ description:
+ - Additional claims required in the token.
+ type: list
+ elements: str
+ token_tenant_id:
+ description:
+ - Tenant to include in the token request.
+ type: str
+ enable_cae:
+ description:
+ - Whether to enable Continuous Access Evaluation (CAE) for the requested token.
+ default: false
+ type: bool
+
+extends_documentation_fragment:
+ - azure.azcollection.azure
+
+author:
+ - Patrick Uiterwijk (@puiterwijk)
+'''
+
+EXAMPLES = '''
+- name: Get access token for Microsoft Graph
+ azure.azcollection.azure_rm_access_token:
+ scopes:
+ - https://graph.microsoft.com/.default
+'''
+
+RETURN = '''
+access_token:
+ description:
+ - API access token.
+ returned: success
+ type: str
+ sample: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
+expires_on:
+ description:
+ - Timestamp the token expires on.
+ returned: success
+ type: int
+ sample: 1699337824
+'''
+
+
+from ansible_collections.azure.azcollection.plugins.module_utils.azure_rm_common import AzureRMModuleBase
+
+
+class AzureRMAccessToken(AzureRMModuleBase):
+
+ def __init__(self):
+
+ self.module_arg_spec = dict(
+ scopes=dict(type='list', elements='str'),
+ claims=dict(type='list', elements='str'),
+ token_tenant_id=dict(type='str'),
+ enable_cae=dict(type='bool', default=False),
+ )
+
+ self.scopes = None
+ self.claims = None
+ self.token_tenant_id = None
+ self.enable_cae = False
+
+ self.results = dict(changed=False)
+
+ super(AzureRMAccessToken, self).__init__(derived_arg_spec=self.module_arg_spec,
+ supports_check_mode=True,
+ supports_tags=False,
+ is_ad_resource=False,
+ required_one_of=[['scopes']])
+
+ def exec_module(self, **kwargs):
+ for key in list(self.module_arg_spec.keys()):
+ setattr(self, key, kwargs[key])
+
+ claims = None
+ if self.claims is not None:
+ claims = ' '.join(self.claims)
+
+ cred = self.azure_auth.azure_credential_track2
+ token = cred.get_token(
+ *self.scopes,
+ claims=claims,
+ tenant_id=self.token_tenant_id,
+ enable_cae=self.enable_cae,
+ )
+
+ self.results['access_token'] = token.token
+ self.results['expires_on'] = token.expires_on
+ return self.results
+
+
+def main():
+ AzureRMAccessToken()
+
+
+if __name__ == '__main__':
+ main()
diff --git a/tests/integration/targets/azure_rm_access_token_info/aliases b/tests/integration/targets/azure_rm_access_token_info/aliases
new file mode 100644
index 0000000000..3c63edec57
--- /dev/null
+++ b/tests/integration/targets/azure_rm_access_token_info/aliases
@@ -0,0 +1,3 @@
+cloud/azure
+shippable/azure/group15
+destructive
diff --git a/tests/integration/targets/azure_rm_access_token_info/meta/main.yml b/tests/integration/targets/azure_rm_access_token_info/meta/main.yml
new file mode 100644
index 0000000000..95e1952f98
--- /dev/null
+++ b/tests/integration/targets/azure_rm_access_token_info/meta/main.yml
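Review bot: The module is named `azure_rm_access_token_info` in the file path and the DOCUMENTATION `module:` line, but EXAMPLES invokes `azure.azcollection.azure_rm_access_token:`, a name this change does not add; the tasks/main.yml hunk uses the same non-existent name, so the integration test cannot resolve the module as written. Either rename the file and `module:` line to match the commit subject, or change the EXAMPLES and test references to `azure.azcollection.azure_rm_access_token_info:`. The returned `access_token` is a bearer credential that lands in task output and callback logs like any other return value; add to its RETURN description a line such as "Sensitive; run the task with `no_log: true` to keep the token out of logs" and show `no_log: true` in EXAMPLES. DOCUMENTATION declares `scopes` as `required: True` while the arg spec leaves it optional and relies on `required_one_of=[['scopes']]`; `scopes=dict(type='list', elements='str', required=True)` keeps the spec and docs consistent (the mismatch is likely to be flagged by the validate-modules sanity test). In `exec_module`, `' '.join(self.claims)` presumes the credential's `claims` argument accepts a space-separated string; a comment stating the expected claims format, or a pointer to where that format is defined, would save the next reader from guessing.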
@@ -0,0 +1,2 @@
+dependencies:
+ - setup_azure
diff --git a/tests/integration/targets/azure_rm_access_token_info/tasks/main.yml b/tests/integration/targets/azure_rm_access_token_info/tasks/main.yml
new file mode 100644
index 0000000000..9b6977e62d
--- /dev/null
+++ b/tests/integration/targets/azure_rm_access_token_info/tasks/main.yml
@@ -0,0 +1,13 @@
+- name: Get access token for graphql
+ azure.azcollection.azure_rm_access_token:
+ scopes:
+ - https://graph.microsoft.com/.default
+ register: result
+
+- name: Assert the facts
+ ansible.builtin.assert:
+ that:
+ - result is not changed
+ - result is not failed
+ - "'access_token' in result"
+ - "'expires_on' in result"
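Review bot: The "Get access token for graphql" task registers a live access token in `result` without `no_log: true`, so the token is printed in CI output and callback logs whenever the run is verbose or fails; add `no_log: true` to that task (the registered variable is still available to the following assert, which only checks key presence). The task name says "graphql" while the requested scope is Microsoft Graph, which is unrelated to GraphQL; `- name: Get access token for Microsoft Graph` matches the EXAMPLES wording.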