Adding the possibility to decode base64 decoded strings to Delinea's …

…Devops Secret Vault (DSV) (#14646) Adding the possibility to decode base64 decoded strings to Delinea's Devops Secret Vault (DSV). This is necessary as uploading files to DSV is not possible (and not meant to be) and files should be added base64 encoded. The commit is making sure to remain backward compatible (no secret decoding), as a default is supplied. This has been tested with DSV and works for secrets that are base64 encoded and secrets that are not base64 encoded (which is the default). Signed-off-by: Steffen Scheib <[email protected]>
ansible · Nov 15, 2023 · 0b8fedf · 0b8fedf
1 parent 72a8173
commit 0b8fedf
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/awx/main/credential_plugins/dsv.py b/awx/main/credential_plugins/dsv.py
@@ -3,6 +3,7 @@
 from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from delinea.secrets.vault import PasswordGrantAuthorizer, SecretsVault
+from base64 import b64decode
 
 dsv_inputs = {
     'fields': [
@@ -44,8 +45,16 @@
             'help_text': _('The field to extract from the secret'),
             'type': 'string',
         },
+        {
+            'id': 'secret_decoding',
+            'label': _('Should the secret be base64 decoded?'),
+            'help_text': _('Specify whether the secret should be base64 decoded, typically used for storing files, such as SSH keys'),
+            'choices': ['No Decoding', 'Decode Base64'],
+            'type': 'string',
+            'default': 'No Decoding',
+        },
     ],
-    'required': ['tenant', 'client_id', 'client_secret', 'path', 'secret_field'],
+    'required': ['tenant', 'client_id', 'client_secret', 'path', 'secret_field', 'secret_decoding'],
 }
 
 if settings.DEBUG:
@@ -67,12 +76,18 @@ def dsv_backend(**kwargs):
     client_secret = kwargs['client_secret']
     secret_path = kwargs['path']
     secret_field = kwargs['secret_field']
+    # providing a default value to remain backward compatible for secrets that have not specified this option
+    secret_decoding = kwargs.get('secret_decoding', 'No Decoding')
 
     tenant_url = tenant_url_template.format(tenant_name, tenant_tld.strip("."))
 
     authorizer = PasswordGrantAuthorizer(tenant_url, client_id, client_secret)
     dsv_secret = SecretsVault(tenant_url, authorizer).get_secret(secret_path)
 
+    # files can be uploaded base64 decoded to DSV and thus decoding it only, when asked for
+    if secret_decoding == 'Decode Base64':
+        return b64decode(dsv_secret['data'][secret_field]).decode()
+
     return dsv_secret['data'][secret_field]