Initial commit

plugins/filter/gcp_kms_filters.py

@@ -0,0 +1,90 @@
+# (c) 2019, Eric Anderson <eric.sysmin@gmail.com>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+# Usage:
+#     vars:
+#         encrypted_myvar: "{{ var | b64encode | gcp_kms_encrypt(auth_kind='serviceaccount',
+#           service_account_file='gcp_service_account_file', projects='default',
+#           key_ring='key_ring', crypto_key='crypto_key') }}"
+#         decrypted_myvar: "{{ encrypted_myvar | gcp_kms_decrypt(auth_kind='serviceaccount',
+#           service_account_file=gcp_service_account_file, projects='default',
+#           key_ring='key_ring', crypto_key='crypto_key') }}"
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible.errors import AnsibleError
+from ansible_collections.google.cloud.plugins.module_utils.gcp_utils import GcpSession
+
+
+class GcpMockModule(object):
+    def __init__(self, params):
+        self.params = params
+
+    def fail_json(self, *args, **kwargs):
+        raise AnsibleError(kwargs['msg'])
+
+
+class GcpKmsFilter():
+    def run(self, method, **kwargs):
+        params = {
+            'ciphertext': kwargs.get('ciphertext', None),
+            'plaintext': kwargs.get('plaintext', None),
+            'additional_authenticated_data': kwargs.get('additional_authenticated_data', None),
+            'key_ring': kwargs.get('key_ring', None),
+            'crypto_key': kwargs.get('crypto_key', None),
+            'projects': kwargs.get('projects', None),
+            'scopes': kwargs.get('scopes', None),
+            'locations': kwargs.get('locations', 'global'),
+            'auth_kind': kwargs.get('auth_kind', None),
+            'service_account_file': kwargs.get('service_account_file', None),
+            'service_account_email': kwargs.get('service_account_email', None),
+        }
+        if not params['scopes']:
+            params['scopes'] = ['https://www.googleapis.com/auth/cloudkms']
+        fake_module = GcpMockModule(params)
+        if method == "encrypt":
+            return self.kms_encrypt(fake_module)
+        elif method == "decrypt":
+            return self.kms_decrypt(fake_module)
+
+    def kms_decrypt(self, module):
+        payload = {"ciphertext": module.params['ciphertext']}
+
+        if module.params['additional_authenticated_data']:
+            payload['additionalAuthenticatedData'] = module.params['additional_authenticated_data']
+
+        auth = GcpSession(module, 'cloudkms')
+        url = "https://cloudkms.googleapis.com/v1/projects/{projects}/locations/{locations}/" \
+            "keyRings/{key_ring}/cryptoKeys/{crypto_key}:decrypt".format(**module.params)
+        response = auth.post(url, body=payload)
+        return response.json()['plaintext']
+
+    def kms_encrypt(self, module):
+        payload = {"plaintext": module.params['plaintext']}
+
+        if module.params['additional_authenticated_data']:
+            payload['additionalAuthenticatedData'] = module.params['additional_authenticated_data']
+
+        auth = GcpSession(module, 'cloudkms')
+        url = "https://cloudkms.googleapis.com/v1/projects/{projects}/locations/{locations}/" \
+            "keyRings/{key_ring}/cryptoKeys/{crypto_key}:encrypt".format(**module.params)
+        response = auth.post(url, body=payload)
+        return response.json()['ciphertext']
+
+
+def gcp_kms_encrypt(plaintext, **kwargs):
+    return GcpKmsFilter().run('encrypt', plaintext=plaintext, **kwargs)
+
+
+def gcp_kms_decrypt(ciphertext, **kwargs):
+    return GcpKmsFilter().run('decrypt', ciphertext=ciphertext, **kwargs)
+
+
+class FilterModule(object):
+
+    def filters(self):
+        return {
+            'gcp_kms_encrypt': gcp_kms_encrypt,
+            'gcp_kms_decrypt': gcp_kms_decrypt
+        }

plugins/filter/json_query.py

@@ -0,0 +1,53 @@
+# (c) 2015, Filipe Niero Felisbino <filipenf@gmail.com>
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible.errors import AnsibleError, AnsibleFilterError
+
+try:
+    import jmespath
+    HAS_LIB = True
+except ImportError:
+    HAS_LIB = False
+
+
+def json_query(data, expr):
+    '''Query data using jmespath query language ( http://jmespath.org ). Example:
+    - debug: msg="{{ instance | json_query(tagged_instances[*].block_device_mapping.*.volume_id') }}"
+    '''
+    if not HAS_LIB:
+        raise AnsibleError('You need to install "jmespath" prior to running '
+                           'json_query filter')
+
+    try:
+        return jmespath.search(expr, data)
+    except jmespath.exceptions.JMESPathError as e:
+        raise AnsibleFilterError('JMESPathError in json_query filter plugin:\n%s' % e)
+    except Exception as e:
+        # For older jmespath, we can get ValueError and TypeError without much info.
+        raise AnsibleFilterError('Error in jmespath.search in json_query filter plugin:\n%s' % e)
+
+
+class FilterModule(object):
+    ''' Query filter '''
+
+    def filters(self):
+        return {
+            'json_query': json_query
+        }

plugins/filter/random_mac.py

@@ -0,0 +1,73 @@
+# (c) 2020 Ansible Project
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+
+# Make coding more python3-ish
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import re
+from random import Random, SystemRandom
+
+from ansible.errors import AnsibleFilterError
+from ansible.module_utils.six import string_types
+
+
+def random_mac(value, seed=None):
+    ''' takes string prefix, and return it completed with random bytes
+        to get a complete 6 bytes MAC address '''
+
+    if not isinstance(value, string_types):
+        raise AnsibleFilterError('Invalid value type (%s) for random_mac (%s)' %
+                                 (type(value), value))
+
+    value = value.lower()
+    mac_items = value.split(':')
+
+    if len(mac_items) > 5:
+        raise AnsibleFilterError('Invalid value (%s) for random_mac: 5 colon(:) separated'
+                                 ' items max' % value)
+
+    err = ""
+    for mac in mac_items:
+        if not mac:
+            err += ",empty item"
+            continue
+        if not re.match('[a-f0-9]{2}', mac):
+            err += ",%s not hexa byte" % mac
+    err = err.strip(',')
+
+    if err:
+        raise AnsibleFilterError('Invalid value (%s) for random_mac: %s' % (value, err))
+
+    if seed is None:
+        r = SystemRandom()
+    else:
+        r = Random(seed)
+    # Generate random int between x1000000000 and xFFFFFFFFFF
+    v = r.randint(68719476736, 1099511627775)
+    # Select first n chars to complement input prefix
+    remain = 2 * (6 - len(mac_items))
+    rnd = ('%x' % v)[:remain]
+    return value + re.sub(r'(..)', r':\1', rnd)
+
+
+class FilterModule:
+    ''' Ansible jinja2 filters '''
+    def filters(self):
+        return {
+            'random_mac': random_mac,
+        }