ansible-security-automation-collection's Issues

RFE: Make the error more obvious while retrieving a credential from CyberArk using cyberark_credential

SUMMARY

While trying to retrieve a credential from CyberArk using the cyberark_credential module, the error thrown is misleading.

"msg": "Unknown error while retrieving credential.\n*** end_point=https://x.y.z/AIMWebService/api/Accounts?AppId=Ansible&Query=Safe%ABC-Ansible%3BObject%3A-B-C-D.a.b.c&ConnectionTimeout=30&QueryFormat=Mytestformat&reason=Test%20Ansible%20Playbook\n<urlopen error [Errno 104] Connection reset by peer>", 
    "status_code": -1

We can enhance the error thrown to something which makes it clear or obvious that the issue lies with an incorrect proxy configuration and not on the CyberArk side.

ADDITIONAL INFORMATION
This would be helpful for customers using the cyberark.pas.cyberark_credential plugin from the cyberark.pas collection.

Collection Requirements Violation - Repository Management (2)

Hi! As part of the Ansible community package release process, we've determined that versions 1.0.18 and 1.0.19 of cyberark.pas were released to Ansible Galaxy but not properly tagged in this Git repository. This violates the repository management section of the Collection Requirements:

Every collection MUST have a public git repository. Releases of the collection MUST be tagged in said repository. This means that releases MUST be git tagged and that the tag name MUST exactly match the Galaxy version number. Tag names MAY have a v prefix, but a collection's tag names MUST have a consistent format from release to release.

Additionally, collection artifacts released to Galaxy MUST be built from the sources that are tagged in the collection's git repository as that release. Any changes made during the build process MUST be clearly documented so the collection artifact can be reproduced.

If the collection maintainers do not respond to this issue within a reasonable amount of time, the collection is subject to removal from Ansible.

Note that we've already reported this issue once in #46 and the collection is again violating this requirement.

Collection Requirements Violation - Repository Management

Hi! The Ansible Community Steering Committee has determined that this collection does not tag its releases in its git repository. This violates the repository management section of the Collection Requirements:

Every collection MUST have a public git repository. Releases of the collection MUST be tagged in said repository. This means that releases MUST be git tagged and that the tag name MUST exactly match the Galaxy version number. Tag names MAY have a v prefix, but a collection's tag names MUST have a consistent format from release to release.

Additionally, collection artifacts released to Galaxy MUST be built from the sources that are tagged in the collection's git repository as that release. Any changes made during the build process MUST be clearly documented so the collection artifact can be reproduced.

Note that this requirement has recently been clarified, but its intent remains the same. Please tag at least the previous 1-2 releases of your collection to come into compliance.

Please keep us updated and let us know if you have any questions. Thanks!

Failure with default ansible user-agent (Python-urllib)

Summary

Login failure on Privilege Cloud if the user-agent is not set

Steps to Reproduce

Simple Ansible playbook to auth against the Privilege Cloud API:

---
- name: cyberark
  hosts: localhost
  tasks:
    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark.pas.cyberark_authentication:
        api_base_url: https://totallyfakedomain.privilegecloud.cyberark.com
        username: "apitest"
        password: "password123!"
        use_cyberark_authentication: yes

Expected Results

I would expect it to return me a token for my session as per the result when doing:

curl -X POST --header 'Content-Type: application/json' -d '{ "username": "apitest", "password": "password123!" }' https://totallyfakedomain.privilegecloud.cyberark.com/PasswordVault/API/Auth/CyberArk/Logon

Actual Results

fatal: [localhost]: FAILED! => changed=false 
  headers:
    Content-Type: application/json
  msg: |-
    Error while performing authentication.Please validate parameters provided, and ability to logon to CyberArk.
    *** end_point=https://totallyfakedomain.privilegecloud.cyberark.com/PasswordVault/API/Auth/CyberArk/Logon
     ==> HTTP Error 403: Forbidden
  payload: '{"username": "apitest", "password": "********"}'
  status_code: 403

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

ansible [core 2.11.4]
python version = 3.8.10 (default, Jun 2 2021, 10:49:15) [GCC 9.4.0]
jinja version = 2.11.2

Environment setup

Simple Ubuntu Linux desktop host. Ansible installed from pip. Tried the cyberark module from Galaxy and from git (ansible-galaxy collection install git+https://github.com/cyberark/ansible-security-automation-collection).

Additional Information

It appears that it needs a user-agent that isn't Python-urllib; editing:

~/.ansible/collections/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py

and modifying the block at line 232 from:

        response = open_url(
            api_base_url + end_point,
            method="POST",
            headers=headers,
            data=payload,
            validate_certs=validate_certs
        )

to

        response = open_url(
            api_base_url + end_point,
            method="POST",
            headers=headers,
            data=payload,
            validate_certs=validate_certs,
            http_agent="DefinitelyNotPython-urllib/3.8"
        )

Makes it work.

By default it sends User-Agent: Python-urllib/3.8 and something doesn't like this, it seems.

Group management account

Hello,
would it be possible to take into account the "groupname" and "groupplatformid" parameters to be able to manage groups? The parameters seem to work following different tests outside the collection.

It would therefore be necessary to add the 2 parameters in the Python code.

I can possibly suggest a fix.

v1.0.6 breaks API 1.0 authentication

Summary

The latest collection seems to break backwards compatibility with API 1.0 instances.

The following (copied from the official examples) doesn't work anymore in 1.0.6, but it works in 1.0.5:

- name: Logon - Not use_shared_logon_authentication
  cyberark_authentication:
    api_base_url: "{{ web_services_base_url }}"
    username: "{{ password_object.password }}"
    password: "{{ password_object.passprops.username }}"
    use_shared_logon_authentication: no

Steps to Reproduce

Using 1.0.6, run the example authentication against an API 1.0 SAM Vault server.

Expected Results

Authenticate and retrieve token in ansible_facts

Actual Results (including error logs, if applicable)

fatal: [server]: FAILED! => {"changed": false, "headers": {"Content-Type": "application/json"}, "msg": "Error while performing authentication.Please validate parameters provided, and ability to logon to CyberArk.\n*** end_point=https://sam.example.com/PasswordVault/API/Auth/CyberArk/Logon\n ==> HTTP Error 403: Forbidden", "payload": "{\"username\": \"USERNAME\", \"password\": \"********\"}", "status_code": 403}

Reproducible

  • Always

Version/Tag number

  • Ansible v. 2.10
  • collection v1.0.6

Additional Information

It seems that the wrong URL is sent with 1.0.6. It is sending to /PasswordVault/API/Auth/CyberArk/Logon when it should be sending to /PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon. I.e. it is not detecting which API version is being used.

No idempotency when using GroupName property with cyberark.pas.cyberark_account

Summary

When creating accounts with a "GroupName" property using the cyberark.pas.cyberark_account module, any subsequent task run on this account is systematically marked as "changed", despite the provided values being the same.

This does not happen with accounts that are not part of a group (no "GroupName" property given).

Steps to Reproduce

Using the cyberark.pas.cyberark_account module, create an account with a "GroupName" property under "platform_account_properties".

Then, run the task again without changing any values.

Expected Results

I expect the task to return as "ok" when no value has actually changed (idempotency).

Actual Results

The task returns as "changed".

In the log of the task below, you can see a GroupName is passed in the module_args but does not show in the result section, which may be linked to the issue.

changed: [host.domain.tld] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "address": "host.domain.tld",
            "api_base_url": "********/PasswordVault/api/",
            "cyberark_session": {
                "api_base_url": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "validate_certs": true
            },
            "identified_by": "username,address,platform_id",
            "logging_file": "/tmp/cyberark_role_20210621_1041",
            "logging_level": "INFO",
            "name": "MY_ACCOUNT_NAME",
            "new_secret": null,
            "platform_account_properties": {
                "CustomDescription": "foo",
                "CustomIP": "1.2.3.4",
                "ExtraPass3Folder": "RECONCILE_FOLDER",
                "ExtraPass3Name": "RECONCILE_NAME",
                "ExtraPass3Safe": "RECONCILE_SAFE",
                "GroupName": "MY_GROUP",
                "IP": "1.2.3.4",
                "Location": "foo"
            },
            "platform_id": "MY_PLATFORM",
            "remote_machines_access": null,
            "safe": "MY_SAFE",
            "secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "secret_management": {
                "automatic_management_enabled": true,
                "management_action": "change",
                "manual_management_reason": null,
                "new_secret": null,
                "perform_management_action": "on_create"
            },
            "secret_type": "password",
            "state": "present",
            "username": "my_account",
            "validate_certs": true
        }
    },
    "result": {
        "result": {
            "address": "host.domain.tld",
            "categoryModificationTime": 1624029563,
            "createdTime": 1623171048,
            "id": "161_2626",
            "name": "MY_ACCOUNT_NAME",
            "platformAccountProperties": {
                "CustomDescription": "foo",
                "CustomIP": "1.2.3.4",
                "ExtraPass3Folder": "RECONCILE_FOLDER",
                "ExtraPass3Name": "RECONCILE_NAME",
                "ExtraPass3Safe": "RECONCILE_SAFE",
                "Hostname": "HOST",
                "IP": "1.2.3.4",
                "Location": "foo"
            },
            "platformId": "MY_PLATFORM",
            "safeName": "MY_SAFE",
            "secretManagement": {
                "automaticManagementEnabled": true,
                "lastModifiedTime": 1623946613,
                "lastReconciledTime": 1623946649,
                "status": "success"
            },
            "secretType": "password",
            "userName": "my_account"
        }
    },
    "status_code": 200
}

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

Collection cyberark.pas v1.0.7.

Environment setup

Running in a venv, with ansible v2.9.12 and python v3.6.8.

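An added example (not the module's own code) of why a property the API does not echo back defeats a naive desired-vs-actual comparison and reports "changed" on every run. The two dictionaries are copied from the log above; the comparison functions are a hypothetical stand-in for whatever the module does internally, including the `not_echoed` allowance for keys the API accepts but never returns.

```python
# Properties as logged in the issue: what the task asked for (module_args)
# and what the API returned (result.platformAccountProperties). GroupName
# is present in the request but absent from the response.
DESIRED_PROPERTIES = {
    "CustomDescription": "foo",
    "CustomIP": "1.2.3.4",
    "ExtraPass3Folder": "RECONCILE_FOLDER",
    "ExtraPass3Name": "RECONCILE_NAME",
    "ExtraPass3Safe": "RECONCILE_SAFE",
    "GroupName": "MY_GROUP",
    "IP": "1.2.3.4",
    "Location": "foo",
}
RETURNED_PROPERTIES = {
    "CustomDescription": "foo",
    "CustomIP": "1.2.3.4",
    "ExtraPass3Folder": "RECONCILE_FOLDER",
    "ExtraPass3Name": "RECONCILE_NAME",
    "ExtraPass3Safe": "RECONCILE_SAFE",
    "Hostname": "HOST",
    "IP": "1.2.3.4",
    "Location": "foo",
}


def property_diff(desired, actual):
    """Return {key: (desired, actual)} for every desired key whose current
    API value differs. Keys only the API returns (Hostname here) are not
    something the task asked to change, so they are ignored."""
    return {k: (v, actual.get(k)) for k, v in desired.items() if actual.get(k) != v}


def needs_update(desired, actual, not_echoed=()):
    """Hypothetical idempotency check.

    With not_echoed empty this is the naive comparison: a key the API never
    returns always looks different, so the task is 'changed' on every run.
    Listing such keys in not_echoed stops them from forcing an update while
    still reporting genuine changes to the other properties.
    """
    return any(k not in not_echoed for k in property_diff(desired, actual))
```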

timeout for open_url and all modules

Is your feature request related to a problem? Please describe.

Could you please add a 'timeout' parameter to all modules and pass it to the open_url Ansible core function. The default value is pretty low and sometimes modules fail due to the timeout.

Describe the solution you would like

A 'timeout' parameter similar to what we have in uri module.

Add a `meta/extensions.yml` file for displaying EDA content in Automation Hub

To display EDA content on Ansible Automation Hub, there is an additional file needed in the collection.

Add the meta/extensions.yml file to the collection with the following contents:

extensions:
  - args:
      ext_dir: eda/plugins/event_filter
  - args:
      ext_dir: eda/plugins/event_source

This will cause the EDA plugin to display under the collection's "Contents" tab in Automation Hub.

See the ansible.eda collection source for reference.

(Note: Depends on #67 to work properly)

Inclusion of cyberark.pas in Ansible 2.10

This collection will be included in Ansible 2.10 because it contains modules and/or plugins that were included in Ansible 2.9. Please review:

DEADLINE: 2020-08-18

The latest version of the collection available on August 18 will be included in Ansible 2.10.0, except possibly newer versions which differ only in the patch level. (For details, see the roadmap). Please release version 1.0.0 of your collection by this date! If 1.0.0 does not exist, the same 0.x.y version will be used in all of Ansible 2.10 without updates, and your 1.x.y release will not be included until Ansible 2.11 (unless you request an exception at a community working group meeting and go through a demanding manual process to vouch for backwards compatibility . . . you want to avoid this!).

Follow semantic versioning rules

Your collection versioning must follow all semver rules. This means:

  • Patch level releases can only contain bugfixes;
  • Minor releases can contain new features, new modules and plugins, and bugfixes, but must not break backwards compatibility;
  • Major releases can break backwards compatibility.

Changelogs and Porting Guide

Your collection should provide data for the Ansible 2.10 changelog and porting guide. The changelog and porting guide are automatically generated from ansible-base, and from the changelogs of the included collections. All changes from the breaking_changes, major_changes, removed_features and deprecated_features sections will appear in both the changelog and the porting guide. You have two options for providing changelog fragments to include:

  1. If possible, use the antsibull-changelog tool, which uses the same changelog fragment as the ansible/ansible repository (see the documentation).
  2. If you cannot use antsibull-changelog, you can provide the changelog in a machine-readable format as changelogs/changelog.yaml inside your collection (see the documentation of changelogs/changelog.yaml format).

If you cannot contribute to the integrated Ansible changelog using one of these methods, please provide a link to your collection's changelog by creating an issue in https://github.com/ansible-community/ansible-build-data/. If you do not provide changelogs/changelog.yml or a link, users will not be able to find out what changed in your collection from the Ansible changelog and porting guide.

Make sure your collection passes the sanity tests

Run ansible-test sanity --docker -v in the collection with the latest ansible-base or stable-2.10 ansible/ansible checkout.

Keep informed

Be sure you're subscribed to:

Questions and Feedback

If you have questions or want to provide feedback, please see the Feedback section in the collection requirements.

(Internal link to keep track of issues: ansible-collections/overview#102)

URL not properly URI encoded in cyberark_account

Summary

The cyberark_account URL is not properly URL-encoded when state=absent and safe is None.

I want to delete an account but I do not have the safe name. The CyberArk API does not require a safe name.

Steps to Reproduce

      - name: Remove account   
        cyberark.pas.cyberark_account:
          identified_by: "address,username"
          address: "{{ inventory_hostname_short }}"
          safe:
          username: "admin"
          cyberark_session: "{{ cyberark_session }}"
          state: absent

Expected Results

Account is removed

Actual Results

FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\\n  File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py\\", line 1102, in get_account\\n  File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible/module_utils/urls.py\\", line 1384, in open_url\\n  File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible/module_utils/urls.py\\", line 1294, in open\\n  File \\"/usr/lib64/python3.8/urllib/request.py\\", line 222, in urlopen\\n    return opener.open(url, data, timeout)\\n  File \\"/usr/lib64/python3.8/urllib/request.py\\", line 525, in open\\n    response = self._open(req, data)\\n  File \\"/usr/lib64/python3.8/urllib/request.py\\", line 542, in _open\\n    result = self._call_chain(self.handle_open, protocol, protocol +\\n  File \\"/usr/lib64/python3.8/urllib/request.py\\", line 502, in _call_chain\\n    result = func(*args)\\n  File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible/module_utils/urls.py\\", line 443, in https_open\\n  File \\"/usr/lib64/python3.8/urllib/request.py\\", line 1354, in do_open\\n    h.request(req.get_method(), req.selector, req.data, headers,\\n  File \\"/usr/lib64/python3.8/http/client.py\\", line 1256, in request\\n    self._send_request(method, url, body, headers, encode_chunked)\\n  File \\"/usr/lib64/python3.8/http/client.py\\", line 1267, in _send_request\\n    self.putrequest(method, url, **skips)\\n  File \\"/usr/lib64/python3.8/http/client.py\\", line 1101, in putrequest\\n    self._validate_path(url)\\n  File \\"/usr/lib64/python3.8/http/client.py\\", line 1201, in _validate_path\\n    raise InvalidURL(f\\"URL can't contain control characters. {url!r} \\"\\nhttp.client.InvalidURL: URL can't contain control characters. '/PasswordVault/api/accounts?search=REDACTED.redacted.com admin' (found at least ' ')\\n\\nDuring handling of the above exception, another exception occurred:\\n\\nTraceback (most recent call last):\\n  File \\"/home/runner/.ansible/tmp/ansible-tmp-1691432082.671086-58-126268203065216/AnsiballZ_cyberark_account.py\\", line 102, in <module>\\n    _ansiballz_main()\\n  File \\"/home/runner/.ansible/tmp/ansible-tmp-1691432082.671086-58-126268203065216/AnsiballZ_cyberark_account.py\\", line 94, in _ansiballz_main\\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\\n  File \\"/home/runner/.ansible/tmp/ansible-tmp-1691432082.671086-58-126268203065216/AnsiballZ_cyberark_account.py\\", line 40, in invoke_module\\n    runpy.run_module(mod_name='ansible_collections.cyberark.pas.plugins.modules.cyberark_account', init_globals=None, run_name='__main__', alter_sys=True)\\n  File \\"/usr/lib64/python3.8/runpy.py\\", line 207, in run_module\\n    return _run_module_code(code, init_globals, run_name, mod_spec)\\n  File \\"/usr/lib64/python3.8/runpy.py\\", line 97, in _run_module_code\\n    _run_code(code, mod_globals, init_globals,\\n  File \\"/usr/lib64/python3.8/runpy.py\\", line 87, in _run_code\\n    exec(code, run_globals)\\n  File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py\\", line 1309, in <module>\\n  File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py\\", line 1267, in main\\n  File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py\\", line 1165, in get_account\\nAttributeError: 'InvalidURL' object has no attribute 'code'\\n", "module_stdout": "", "msg": "MODULE FAILURE\\nSee stdout/stderr for the exact error", "rc": 1}

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

1.0.19

Environment setup

Ansible 2.13

Additional Information

It seems the search_string is only properly encoded when the safe_filter is not None.

I believe line 1087 should be:

    end_point = ("/PasswordVault/api/accounts?search=%s") % (quote(search_string.lstrip()))
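As an added illustration (not the collection's own code), a Python reproduction of the encoding gap this issue describes: the same search text built raw and with quote(), checked against the control-character rule http.client enforces before sending a request line. The search_string helper and the safe-filter form of the endpoint are assumptions about the module, reconstructed from the error message above.

```python
import re
from http.client import InvalidURL
from urllib.parse import parse_qs, quote, urlsplit

# Same pattern http.client applies in _validate_path: any control character,
# space or DEL in the request target is rejected before the request is sent.
_DISALLOWED_PCHAR = re.compile(r"[\x00-\x20\x7f]")


def search_string(identified_by, params):
    """Hypothetical stand-in for how the module derives its search text:
    the values of the identified_by fields joined with spaces (the traceback
    above shows 'REDACTED.redacted.com admin' for address,username)."""
    return " ".join(params[field] for field in identified_by.split(","))


def build_search_endpoint(search, safe_filter=None, encode=True):
    """Build the accounts-search endpoint.

    encode=False reproduces the issue: with safe_filter None the search text
    is interpolated raw, so a space in it reaches http.client unescaped.
    encode=True is the fix proposed in the issue (quote() on the lstripped
    search string), applied to both the safe-filtered and unfiltered forms.
    """
    search = search.lstrip()
    if safe_filter:
        filt = "safeName eq %s" % safe_filter
        if encode:
            filt, search = quote(filt), quote(search)
        return "/PasswordVault/api/accounts?filter=%s&search=%s" % (filt, search)
    if encode:
        search = quote(search)
    return "/PasswordVault/api/accounts?search=%s" % search


def validate_path(path):
    """Mirror http.client's check: return the path or raise InvalidURL."""
    if _DISALLOWED_PCHAR.search(path):
        raise InvalidURL("URL can't contain control characters. %r" % path)
    return path


def path_is_sendable(path):
    """True when http.client would accept the path as a request target."""
    try:
        validate_path(path)
    except InvalidURL:
        return False
    return True


def decode_search(path):
    """Decode the search= parameter again, to confirm the round trip."""
    return parse_qs(urlsplit(path).query)["search"][0]
```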

Update cyberark_credential Documentation with Usable Example

Is your feature request related to a problem? Please describe.

The README for cyberark_credential does not provide steps on how to use the results returned from the module in subsequent tasks. The README currently suggests that the module itself will return a URI to do the lookup, not that the module returns values that can be used in tasks later in the playbook:

See: cyberark_credential.md

Creates a URI for retrieving a credential from a password object stored in the Cyberark Vault.

Describe the solution you would like

  • Fix the description of the module to say "returns values to be consumed in the playbook" rather than saying the module returns a URI
  • Correctly comment the "result" section that is not in YAML format which exists in the task playbook example from the README. Example provided below:

result:
{ api_base_url }"/AIMWebService/api/Accounts?AppId="{ app_id }"&Query="{ query }

and

result:
{ api_base_url }"/AIMWebService/api/Accounts?AppId="{ app_id }"&Query="{ query }"&ConnectionTimeout="{ connection_timeout }"&QueryFormat="{ query_format }"&FailRequestOnPasswordChange="{ fail_request_on_password_change }

If these two lines are incorrectly copied into a playbook, the YAML parser will fail. These should be separated from the task examples to prevent confusion.

Additionally, the task examples should be accompanied by some example task that uses the secret:

- name: credential retrieval basic
  cyberark_credential:
    api_base_url: "http://10.10.0.1"
    app_id: "TestID"
    query: "Safe=test;UserName=admin"
  register: result
  
##  result:
#     { api_base_url }"/AIMWebService/api/Accounts?AppId="{ app_id }"&Query="{ query }

- name: Using the secret
  shell: 'some_command --some-arg {{ result.content }}'
  no_log: true

cyberark_account module throws error for invalid api_base_url when pulled from registered session

Summary

Attempting to use collection version 1.0.7 with cyberark_account after a successful cyberark_authentication results in an error with api_base_url

Steps to Reproduce

  1. Install latest collection: ansible-galaxy collection install cyberark.pas:1.0.7
  2. Write a playbook with contents similar to the following:
    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark.pas.cyberark_authentication:
        api_base_url: "http://components.cyberark.local"
        validate_certs: no
        username: "bizdev"
        password: "Cyberark1"

    - name: Creating an Account using the PAS WebServices SDK
      cyberark.pas.cyberark_account:
        logging_level: DEBUG
        identified_by: "address,username"
        safe: "Test"
        address: "cyberark.local"
        username: "administrator-x"
        platform_id: WinServerLocal
        secret: "@N&Ibl3!"
        platform_account_properties:
            LogonDomain: "cyberark"
            OwnerName: "ansible_user"
        secret_management:
            automatic_management_enabled: true
        state: present
        cyberark_session: "{{ cyberark_session }}"
      register: cyberarkaction
  3. Run the playbook

Expected Results

Account created

Actual Results

Line: cyberark_account.py#L1075 fails with key error

Traceback (most recent call last):
  File "/var/lib/awx/.ansible/tmp/ansible-tmp-1623780866.6344018-975949-190468678997879/AnsiballZ_cyberark_account.py", line 247, in <module>
    _ansiballz_main()
  File "/var/lib/awx/.ansible/tmp/ansible-tmp-1623780866.6344018-975949-190468678997879/AnsiballZ_cyberark_account.py", line 237, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/var/lib/awx/.ansible/tmp/ansible-tmp-1623780866.6344018-975949-190468678997879/AnsiballZ_cyberark_account.py", line 108, in invoke_module
    runpy.run_module(mod_name='ansible_collections.cyberark.pas.plugins.modules.cyberark_account', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
    mod_name, mod_spec, pkg_name, script_name)
  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_cyberark.pas.cyberark_account_payload_tjanvl99/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py", line 1300, in <module>
  File "/tmp/ansible_cyberark.pas.cyberark_account_payload_tjanvl99/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py", line 1258, in main
  File "/tmp/ansible_cyberark.pas.cyberark_account_payload_tjanvl99/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py", line 1075, in get_account
KeyError: 'api_base_url'

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

1.0.7

Environment setup

  • RHEL8
  • python3

handling of persistency cookies

Is your feature request related to a problem? Please describe.

We want to utilize Ansible to publish root accounts of newly deployed servers. However, when we utilize the Ansible modules to use the PVWA path through our NetScaler load balancers, we get error "401" (Unauthorized). When we use an "api_base_url" pointing directly to one of the servers behind the load balancer, the logon and provisioning function as expected.

At this point we think this is a result of the (within our organisation) standard configuration of the NetScalers, which provides a cookie to handle session persistency (https://docs.netscaler.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-persistence/http-cookie-persistence.html).

Describe the solution you would like

Within PowerShell REST calls (Invoke-RestMethod), there are options to use a WebSession/SessionVariable to parse cookie info during a REST call (https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod?view=powershell-7.4), making the load balancer config "transparent" for the REST call.

Is it possible to also build such handling into the Ansible CyberArk authentication modules, to make it possible to use session persistency based on cookies?


Additional context

Code and results so far:

  - name: Create computeraccount in Cyberark
    hosts: localhost
    become: false
    gather_facts: false
    collections:
      - cyberark.pas

    vars:
      cyberark_url: https://pamserver.localdns.nl
      cyberark_username: causer

    vars_prompt:
      - name: cyberark_password
        prompt: cyberark password

    tasks:
      - name: Logon to CyberArk Vault using PAS Web Services SDK
        cyberark_authentication:
          api_base_url: "{{ cyberark_url }}"
          validate_certs: false
          concurrentSession: true
          username: "{{ cyberark_username }}"
          password: "{{ cyberark_password }}"

      - name: Cyberark output
        ansible.builtin.debug:
          var: cyberark_session

      - name: Create computer account
        register: cyberarkaction
        cyberark_account:
          cyberark_session: "{{ cyberark_session }}"
          logging_level: DEBUG
          identified_by: "address"
          name: "root-srv9999.localdns.nl"
          safe: "T-LINUX-ROOT"
          address: "srv9999.localdns.nl"
          username: "root"
          platform_id: "T-Linux-root-00000"
          secret: "##123$$"
          secret_management:
            automatic_management_enabled: true
          state: present

      - name: Cyberark create account output
        ansible.builtin.debug:
          var: cyberarkaction

      - name: Logoff from CyberArk Vault
        cyberark_authentication:
          state: absent
          cyberark_session: "{{ cyberark_session }}"
Failure code:

fatal: [localhost]: FAILED! => changed=false
  headers:
    Authorization: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
    Content-Type: application/json
    User-Agent: CyberArk/1.0 (Ansible; cyberark.pas)
  msg: |-
    Error while performing get_account.Please validate parameters provided.
    *** end_point=********/PasswordVault/api/accounts?filter=safeName%20eq%20T-LINUX-ROOT&search=srv9999.localdns.nl
     ==> HTTP Error 401: Unauthorized
  status_code: 401
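As an added example (not code from the collection or from the NetScaler documentation), how a standard-library cookie jar carries a persistence cookie from the logon response to a follow-up request on the same host, and withholds it from another host. The hostname and the Set-Cookie value are constructed; the response object is a minimal stand-in exposing only what CookieJar reads, and in a module the jar would be wired in through urllib's HTTPCookieProcessor or the cookies= argument of ansible.module_utils.urls.open_url.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class ConstructedResponse:
    """Stand-in for the response urlopen/open_url returns: CookieJar only
    needs .info() to expose the Set-Cookie headers the server sent."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends repeats

    def info(self):
        return self._headers


def remember_cookies(jar, request, response):
    """Store the cookies set on this request/response pair in the jar and
    return the stored cookie names (domain/path scoping is recorded too)."""
    jar.extract_cookies(response, request)
    return sorted(cookie.name for cookie in jar)


def cookie_header_for(jar, request):
    """Attach the jar's matching cookies to a follow-up request and return
    the Cookie header that would go on the wire (None if none match)."""
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def run_demo():
    jar = CookieJar()
    base = "https://pamserver.example.com"  # constructed PVWA hostname

    # 1. Logon: the load balancer answers with a persistence cookie
    #    (constructed value; real names depend on the NetScaler config).
    logon = Request(base + "/PasswordVault/API/Auth/CyberArk/Logon", method="POST")
    response = ConstructedResponse(["lb_persist=node-a-7f3c; Path=/; Secure; HttpOnly"])
    stored = remember_cookies(jar, logon, response)

    # 2. Follow-up call on the same host: the jar re-sends the cookie, so
    #    the balancer can route it to the node holding the PVWA session.
    get_account = Request(base + "/PasswordVault/api/accounts?search=srv9999.example.com")

    # 3. A request to another host gets nothing: the cookie was scoped to
    #    the host that set it, so it cannot leak to a different backend.
    elsewhere = Request("https://other.example.com/PasswordVault/api/accounts")

    return {
        "stored": stored,
        "pvwa_cookie": cookie_header_for(jar, get_account),
        "other_host_cookie": cookie_header_for(jar, elsewhere),
    }
```

Without the jar each open_url call starts cookie-less, which is the "401 only through the load balancer" symptom: the follow-up request lands on a node that never saw the logon.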

Examples referencing "cyberark_credential" instead of "cyberark.pas.cyberark_credential"

Examples reference "cyberark_credential" instead of "cyberark.pas.cyberark_credential". This causes the prior module located at "https://github.com/cyberark/ansible-modules" to be loaded, resulting in failures.

Consider using true/false for all booleans in docs

Based on the community decision to use true/false for boolean values in documentation and examples, we ask that you evaluate booleans in this collection and consider changing any that do not use true/false (lowercase).

See documentation block format for more info (specifically, option defaults).

If you have already implemented this or decide not to, feel free to close this issue.


P.S. This is an auto-generated issue; please raise any concerns here.

Authentication module adding Timeout

Is your feature request related to a problem? Please describe.

We noticed that, now we have turned on two-factor, we have a problem with the module timing out before we have pressed the push notification.

Describe the solution you would like

Adding a timeout option to the authentication module.

Describe alternatives you have considered

N/A

Additional context

I have a pull request that will fix this.

cyberark_account

Summary

Attempting to use collection version 1.1 with cyberark_account after a successful cyberark_authentication results in the error AttributeError: 'module' object has no attribute 'parse'.

Steps to Reproduce

  - name: Logon to CyberArk Vault using PAS Web Services SDK
    cyberark_authentication:
      api_base_url: "https://{{ cal_host }}"
      validate_certs: no
      username: "{{ cal_login }}"
      password: "{{ cal_password }}"

  - name: Debug message
    debug:
      var: cyberark_session

  - name: Account
    cyberark_account:
      identified_by: "address,username"
      safe: "{{ cal_safe }}"
      address: "https://{{ cal_host }}"
      username: "{{ cal_username }}"
      platform_id: "{{ cal_platformID }}"
      secret: "{{ cal_mdp }}"
      platform_account_properties:
      secret_management:
        automatic_management_enabled: true
      state: present
      cyberark_session: "{{ cyberark_session }}"
    register: cyberarkaction

Expected Results

Account not created

Actual Results

The full traceback is:
Traceback (most recent call last):
File "/var/lib/awx/.ansible/tmp/ansible-tmp-1642154834.93-59714490798091/AnsiballZ_cyberark_account.py", line 114, in
_ansiballz_main()
File "/var/lib/awx/.ansible/tmp/ansible-tmp-1642154834.93-59714490798091/AnsiballZ_cyberark_account.py", line 106, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/var/lib/awx/.ansible/tmp/ansible-tmp-1642154834.93-59714490798091/AnsiballZ_cyberark_account.py", line 49, in invoke_module
imp.load_module('main', mod, module, MOD_DESC)
File "/tmp/ansible_cyberark_account_payload_FhlQ9s/main.py", line 1378, in
File "/tmp/ansible_cyberark_account_payload_FhlQ9s/main.py", line 1326, in main
File "/tmp/ansible_cyberark_account_payload_FhlQ9s/main.py", line 1108, in get_account
AttributeError: 'module' object has no attribute 'parse'

fatal: [localhost]: FAILED! => {
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1642154834.93-59714490798091/AnsiballZ_cyberark_account.py\", line 114, in \n _ansiballz_main()\n File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1642154834.93-59714490798091/AnsiballZ_cyberark_account.py\", line 106, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1642154834.93-59714490798091/AnsiballZ_cyberark_account.py\", line 49, in invoke_module\n imp.load_module('main', mod, module, MOD_DESC)\n File \"/tmp/ansible_cyberark_account_payload_FhlQ9s/main.py\", line 1378, in \n File \"/tmp/ansible_cyberark_account_payload_FhlQ9s/main.py\", line 1326, in main\n File \"/tmp/ansible_cyberark_account_payload_FhlQ9s/main.py\", line 1108, in get_account\nAttributeError: 'module' object has no attribute 'parse'\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}

Reproducible

  • [x] Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

1.1

Environment setup

RHEL7
python2

Additional Information

library does not exist in path

Update Galaxy collection

Hi,

Currently, cyberark_account.py does not work out of the box when downloaded from Galaxy.
The latest commit fa1c6ed seems to fix those issues, but is not included in v.1.0.5 of the cyberark.pas collection on Galaxy.
Could you update the collection ?

Best,

pint2oo

Update the `meta/runtime.yml` "requires_ansible" key to 2.14.0 or above

Summary

For Red Hat Ansible certification, collections must now have a "requires_ansible" value of ">=2.14.0" or above. This is because all lower versions of Ansible are now EoL and unsupported. See the Red Hat Ansible Life Cycle doc here.

Steps to Reproduce

N/A

Expected Results

N/A

Actual Results

N/A

Reproducible

N/A

Version/Tag number

1.0.25 collection release

Environment setup

Automation Hub

Additional Information

This is a gate for certification, so any releases not containing this change will be rejected.

Error when updating Account. Wrong Path?

Hello,

I'm trying to get an update of an existing User Account in our CyberArk Vault to work. The creation of the account works fine, but when I try to update the secret manually, I receive the following error.

"msg": "Error while performing update_account.Please validate parameters provided.\n*** end_point=********/PasswordVault/api/Accounts/36_9\n ==> {'ErrorCode': 'PASWS125E', 'ErrorMessage': \"Property 'secretmanagement' cannot be added\"}",

The Payload looks like this:

    "payload": [
        {
            "op": "replace",
            "path": "/secretManagement",
            "value": {
                "manualManagementReason": "Test"
            }
        }

It seems to me that the URL + endpoint is concatenated wrongly by the account module. Following the API documentation, the path should be /secretManagement/manualManagementReason and the value alone should be "Test".

Here's my Playbook Code (The Authentication is excluded):

- name: Create Account
  cyberark_account:
    username: "UsertoUpdate"
    address: "Testserver"
    secret: "InitialPassword"
    logging_level: INFO
    state: present
    safe: "CUSA_Linux"
    platform_id: "CUSA_Linux_unmanaged"
    cyberark_session: "{{ cyberark_session }}"
    secret_management:
      automatic_management_enabled: false
  register: cyberark_account_creation

- name: Update Account
  cyberark_account:
    username: "UsertoUpdate"
    address: "Testserver"
    logging_level: DEBUG
    state: present
    safe: "CUSA_Linux"
    platform_id: "CUSA_Linux_unmanaged"
    cyberark_session: "{{ cyberark_session }}"
    secret_management:
      automatic_management_enabled: false
      manual_management_reason: "Test"
      new_secret: "ChangedPassword"
  register: cyberark_account_update
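To make the path problem concrete, here is an added example (not collection code) that turns a nested set of account properties into one RFC 6902 op per changed leaf, which is the shape the report above says the Update Account API expects. The existing-account sample is constructed, and the add/replace choice follows RFC 6902 as an assumption about what PVWA accepts.

```python
"""JSON Patch (RFC 6902) builder for the PVWA "Update Account" endpoint.

Added example, not collection code. The payload quoted in the issue has one
"replace" op whose path is the object "/secretManagement" and whose value is
a nested dict; the PASWS125E "cannot be added" error shows PVWA will not take
an object there. This builder emits one op per changed leaf property instead,
e.g. path "/secretManagement/manualManagementReason" with value "Test".
Assumptions: the existing-account sample below is constructed, and "add" is
used for a leaf the account does not yet have, "replace" for one it does
(the RFC 6902 distinction; whether PVWA accepts both is not verified here).
"""
import json


def flatten_paths(obj, prefix=""):
    """Yield (json_pointer_path, leaf_value) pairs for a nested dict.

    Dict values are recursed into; any other value (str, bool, int, list)
    is a leaf and is emitted whole. Keys are escaped per RFC 6901 so a
    literal '/' or '~' in a property name cannot change the path.
    """
    for key, value in obj.items():
        token = str(key).replace("~", "~0").replace("/", "~1")
        path = "{}/{}".format(prefix, token)
        if isinstance(value, dict):
            for item in flatten_paths(value, path):
                yield item
        else:
            yield path, value


def build_patch_ops(existing, desired):
    """Return the JSON Patch ops that move `existing` towards `desired`.

    `existing` is the account object as returned by GET /Accounts/{id};
    `desired` holds only the nested properties the caller wants set.
    Unchanged leaves produce no op, so an idempotent run yields [].
    """
    current = dict(flatten_paths(existing))
    ops = []
    for path, value in flatten_paths(desired):
        if path not in current:
            ops.append({"op": "add", "path": path, "value": value})
        elif current[path] != value:
            ops.append({"op": "replace", "path": path, "value": value})
    return ops


def object_level_ops(desired):
    """Reproduce the rejected shape from the issue: one "replace" per
    top-level key with the whole nested dict as the value."""
    return [{"op": "replace", "path": "/" + key, "value": value}
            for key, value in desired.items()]


if __name__ == "__main__":
    # Constructed sample: the account created by the first play in the issue.
    existing_account = {
        "id": "36_9",
        "userName": "UsertoUpdate",
        "address": "Testserver",
        "platformId": "CUSA_Linux_unmanaged",
        "safeName": "CUSA_Linux",
        "secretManagement": {"automaticManagementEnabled": False},
    }
    # What the second play asks for (new_secret is not an account property
    # and is therefore left out of the PATCH body).
    desired_properties = {
        "secretManagement": {
            "automaticManagementEnabled": False,
            "manualManagementReason": "Test",
        }
    }
    print("rejected shape:")
    print(json.dumps(object_level_ops(desired_properties), indent=2))
    print("per-leaf ops:")
    print(json.dumps(build_patch_ops(existing_account, desired_properties), indent=2))
```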

Important information for collection maintainers

SUMMARY

Dear maintainers,

This is important for your collections!

  • In accordance with the Community decision, we have created the news-for-maintainers repository for announcements of changes impacting collection maintainers (see the examples) instead of Issue 45 that will be closed soon.

    • To keep yourself well-informed and, therefore, things in your collection working, please subscribe to the repository by using the Watch button in the upper right corner on the repository's home page.
    • If you do not want to get notifications about related discussions, please subscribe only to Issues.
    • Please read the brief guidelines on how the repository should be used.
    • Please avoid unnecessary discussions in issues, use the Discussions feature. Every comment posted will notify a lot of folks!
  • Also we would like to remind you about the Bullhorn contributor newsletter which has recently started to be released weekly. To learn what it looks like, see the past releases. Please subscribe and talk to the Community via Bullhorn!

  • Join us in #ansible-social (for news reporting & chat), #ansible-community (for discussing collection & maintainer topics), and other channels on Matrix/IRC.

  • Help the Community and the Steering Committee to make right decisions by taking part in discussing and voting on the Community Topics that impact the whole project and the collections in particular. Your opinion there will be much appreciated!

Thank you!

concurrentSessions not working

Summary

There is no support currently for having multiple sessions.
Seems to be a bug in the code:
concurrentSessions is not a valid body parameter for the API (v2).
The field name is concurrentSession (without 's').

Steps to Reproduce

Try to use concurrentsessions in a play; it does not work.

Expected Results

Multiple sessions allowed by same user

Actual Results

Session is logged out when another token is requested

Reproducible

  • [x] Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

v12.1

Environment setup

  • Can you describe the environment in which this product is running? Is it running on a VM / in a container / in a cloud?
    VM
  • Which cloud provider? Which container orchestrator (including version)?
  • The more info you can share about your runtime environment, the better we may be able to reproduce the issue.
    Ansible 2.9.21

Additional Information


cyberark_account SyntaxWarning

I'm getting these warnings when building ansible 2.10:

/usr/lib/python3.8/site-packages/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py:532: SyntaxWarning: 'str' object is not callable; perhaps you missed a comma?
/usr/lib/python3.8/site-packages/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py:573: SyntaxWarning: 'str' object is not callable; perhaps you missed a comma?
/usr/lib/python3.8/site-packages/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py:634: SyntaxWarning: 'str' object is not callable; perhaps you missed a comma?

Could you please check this?

files named *.jpg are PNGs

Summary

https://raw.githubusercontent.com/cyberark/ansible-security-automation-collection/master/docs/images/full-cyberark-logo.jpg
and
https://raw.githubusercontent.com/cyberark/ansible-security-automation-collection/master/docs/images/cyberark_logo.jpg
are named as JPEG files, but are really PNGs.

Steps to Reproduce

Steps to reproduce the behavior:

  1. curl https://raw.githubusercontent.com/cyberark/ansible-security-automation-collection/master/docs/images/cyberark_logo.jpg | file -
  2. It's a PNG
  3. Same for the other one

Expected Results

They're named *.png or they're JPEG files.

Actual Results

/dev/stdin: PNG image data, 200 x 200, 8-bit/color RGB, non-interlaced

  • Always

Version/Tag number

main branch as of posting

Cannot delete ssh keys

Summary

SSH keys cannot be deleted using the cyberark.pas.cyberark_account module; the task fails.

Steps to Reproduce

Use cyberark_account module to delete an ssh key from the Vault:

- name: "Delete SSH key"
  cyberark.pas.cyberark_account:
    identified_by: "address,username,platform_id"
    username: "{{ user }}"
    address: "{{ address }}"
    safe: "{{ safe_name }}"
    platform_id: "{{ platform_id }}"
    secret_type: "key"
    state: absent
    cyberark_session: "{{ cyberark_session }}"

Expected Results

  • Account is deleted from Cyberark Vault
  • Task succeeds in Ansible, HTTP response code 200 from PVWA

Actual Results

  • Account is not deleted from Cyberark Vault
  • Task fails in Ansible, HTTP response code 400, body contains:
{
 "ErrorCode": "PASWS056E",
 "ErrorMessage": "The account is not valid for delete"
}

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

cyberark.pas collection version 1.0.13

Environment setup

  • Privilege Access Manager v12.2
  • Ansible Tower

Additional Information

According to this answer on Cyberark Technical Community, v10 pvwa api isn't able to delete ssh keys.

Deletion works using v9 api and uri module. Here is my workaround:

- name: "Get ssh key id"
  cyberark.pas.cyberark_account:
    identified_by: "address,username,platform_id"
    username: "{{ user }}"
    address: "{{ address }}"
    safe: "{{ safe_name }}"
    platform_id: "{{ platform_id }}"
    secret_type: "key"
    state: present
    cyberark_session: "{{ cyberark_session }}"
  register: getaction

- name: "Delete ssh key"
  uri:
    url: "https://{{ pvwa_url }}/PasswordVault/WebServices/PIMServices.svc/Accounts/{{ getaction.result.result.id }}"
    method: DELETE
    validate_certs: yes
    return_content: yes
    headers:
      Authorization: "{{ cyberark_session.token }}"
    status_code: 200

Unable to add account using cyberark_account module

Hi Team,

I am unable to add an account using the cyberark_account module; the error says "'Missing Mandatory parameter: [AccountDetails].'" Could you please check and let me know if I missed anything on this.

Ansible version I have used: ansible [core 2.13.10]
CyberArk module version: 1.0.19

ansible code:

- name: Logon - Not use_shared_logon_authentication
  cyberark_authentication:
    api_base_url: https://pv.test.com/
    username: "test user"
    password: "test123"
    use_radius_authentication: yes
- debug:
    msg: "{{ cyberark_session }}" 

- name: Creating an Account using the PAS WebServices SDK
  cyberark_account:
    logging_level: DEBUG
    identified_by: "address,username,platform_id"
    safe: "IT_Infrastructure"
    address: "cyberark.local"
    username: "test account"
    platform_id: test account
    secret: "@N&Ibl3!"
    platform_account_properties:
        LogonDomain: "test account"
        OwnerName: "test user"
    secret_management:
        automatic_management_enabled: true
    state: present
    cyberark_session: "{{ cyberark_session }}"
  register: cyberarkaction

Error while running the playbook:

"msg": "Error while performing add_account.Please validate parameters provided.\n*** end_point=********/PasswordVault/api/Accounts\n ==> {'ErrorCode': 'PASWS017E', 'ErrorMessage': 'Missing Mandatory parameter: [AccountDetails].'}",

Certified cyberark_account collection module throws urllib a missing attribute quote error in python3

Summary

Using the cyberark_account certified collection throws an error stating that urllib is missing the attribute quote.

Steps to Reproduce

  1. Install version of collection from certified content: ansible-galaxy collection install cyberark.pas:1.0.5
  2. Write a playbook with contents similar to the following:
    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark.pas.cyberark_authentication:
        api_base_url: "http://components.cyberark.local"
        validate_certs: no
        username: "bizdev"
        password: "Cyberark1"

    - name: Creating an Account using the PAS WebServices SDK
      cyberark.pas.cyberark_account:
        logging_level: DEBUG
        identified_by: "address,username"
        safe: "Test"
        address: "cyberark.local"
        username: "administrator-x"
        platform_id: WinServerLocal
        secret: "@N&Ibl3!"
        platform_account_properties:
            LogonDomain: "cyberark"
            OwnerName: "ansible_user"
        secret_management:
            automatic_management_enabled: true
        state: present
        cyberark_session: "{{ cyberark_session }}"
      register: cyberarkaction
  3. Run the playbook

Expected Results

Module runs successfully and the account is created

Actual Results

Traceback (most recent call last):
  File "/var/lib/awx/.ansible/tmp/ansible-tmp-1621636925.806195-27-106588692905683/AnsiballZ_cyberark_account.py", line 102, in <module>
    _ansiballz_main()
  File "/var/lib/awx/.ansible/tmp/ansible-tmp-1621636925.806195-27-106588692905683/AnsiballZ_cyberark_account.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/var/lib/awx/.ansible/tmp/ansible-tmp-1621636925.806195-27-106588692905683/AnsiballZ_cyberark_account.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.cyberark.pas.plugins.modules.cyberark_account', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
    mod_name, mod_spec, pkg_name, script_name)
  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_cyberark.pas.cyberark_account_payload_0sethuqa/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py", line 1378, in <module>
  File "/tmp/ansible_cyberark.pas.cyberark_account_payload_0sethuqa/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py", line 1326, in main
  File "/tmp/ansible_cyberark.pas.cyberark_account_payload_0sethuqa/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py", line 1108, in get_account
AttributeError: module 'urllib' has no attribute 'quote'

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

1.0.5

Environment setup

  • RHEL 8
  • ansible_python_interpreter is python3

Additional Information

Using the upstream version of the collection 1.0.7 results in a new error with api_base_url #31
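The 'parse' traceback in the earlier cyberark_account report and the 'quote' traceback above are two sides of one Python 2 / Python 3 split. The following added example (not collection code) shows an import guard that works on both interpreters and uses it to build the account lookup URL with properly encoded query values; the endpoint shape with `search` and a `safeName eq` filter is assumed for illustration.

```python
"""Portable lookup-URL builder for the PVWA Accounts endpoint.

Added example, not collection code. `urllib.quote` exists only on Python 2
and `urllib.parse.quote` only on Python 3, so hard-coding either name breaks
a module on the other interpreter (the two tracebacks in this thread). The
import guard below works on both. The endpoint shape (GET
/PasswordVault/api/Accounts with `search` and a `safeName eq` filter) is an
assumption for illustration.
"""
try:  # Python 3
    from urllib.parse import quote
except ImportError:  # Python 2
    from urllib import quote


def search_keywords(identified_by, params):
    """Collect the values named by identified_by ("address,username,...")
    from the module params, skipping any that are unset."""
    keys = [k.strip() for k in identified_by.split(",") if k.strip()]
    return [str(params[k]) for k in keys if params.get(k) is not None]


def account_search_url(api_base_url, safe, identified_by, params):
    """Return the GET URL used to find an account before add/update/delete.

    Every query value is percent-encoded with quote(..., safe="") so that
    '&', '#', '%', '/' or spaces inside an address or username cannot
    alter the query string or the filter expression.
    """
    base = api_base_url.rstrip("/")  # tolerate a trailing slash in api_base_url
    search = quote(" ".join(search_keywords(identified_by, params)), safe="")
    safe_filter = quote("safeName eq " + safe, safe="")
    return "{}/PasswordVault/api/Accounts?search={}&filter={}".format(
        base, search, safe_filter)


if __name__ == "__main__":
    # Constructed values taken from the playbook in the issue.
    print(account_search_url(
        "https://components.cyberark.local/", "Test", "address,username",
        {"address": "cyberark.local", "username": "administrator-x",
         "platform_id": "WinServerLocal"}))
```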

URLlib no longer used by Ansible?

cyberark_account.py uses urllib, specifically for handling HTTP errors:

Line 378 -

from ansible.module_utils.six.moves.urllib.error import HTTPError

returns the following error: "No name 'urllib' in module '_MovedItems'"

EDA plugin must be under extensions/eda/event_source

Summary

EDA structure requires event_source and event_filter plugins to be under an extensions/eda/event_source or extensions/eda/event_filter respectively. The collection's EDA plugin is currently located under plugins/event_source/syslog.py.

This should be moved to extensions/eda/event_source/syslog.py. See EDA docs here for more info.

Steps to Reproduce

N/A

Expected Results

N/A

Actual Results

N/A

Reproducible

N/A

Version/Tag number

1.0.25 collection release

Environment setup

Collection source

Additional Information

This may result in new failures on Automation Hub, since existing test tooling does not evaluate under the extensions/ directory and there is a separate test process for this content. This is subject to change in the future, but currently we use the common python testing tool tox to perform static code analysis with a set of linters.

The linters used for EDA are: pylint, darglint, and ruff. These linters run specifically over the <root>/extensions/eda/plugins dir or deeper. We have built a tox template you can plug into your CI to mimic the tests on Automation Hub. We highly recommend using this template, as some of these linter tests have been deemed irrelevant for certification and are skipped. The link to the templates and documentation is here: https://github.com/ansible/eda-partner-testing

cyberark.pas.account : Allow deleting accounts using their unique name or id

Is your feature request related to a problem? Please describe.

I'm facing an issue deleting accounts that have very similar parameters (same username, address, safe and platform), and that can't be distinguished except by some parameters in "platform_account_properties", and by their "name".

I have been unable to make "name" work as a value of "identified_by" (API returns a 200 as if the account was already absent), and there is currently no option to give the account's id to the module (despite it being handled by the API).

Describe the solution you would like

I would like to be able to delete accounts using either their unique "name" or "id".

Describe alternatives you have considered

I'm reverting back to using the Ansible uri module to send DELETE requests to the API, as described here: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/Delete%20Account.htm

Additional context

/

Check for missing commits vs devel

SUMMARY

The "Big Migration" has now taken place.

As this collection already exists, we need to carefully check to see if any further commits went into devel since this repo was created.

Please check the contents of https://github.com/ansible-collection-migration/skydive.skydive against this repo

In particular:

  • Please do a per-file level diff against every file in the ansible-collection-migration repo and this one
  • Pay care to files added and removed.
  • During the last two weeks there have been lots of fixes, especially around tests, dependencies, and new collection features e.g. meta/action_groups.yml

ISSUE TYPE

  • Bug Report

Unbound Error with use_ldap_authentication in cyberark_authentication Module

Summary

Unbound error when using use_ldap_authentication parameter for cyberark_authentication.py

Steps to Reproduce

ansible-galaxy collection install cyberark.pas:1.0.7
ansible localhost -m cyberark.pas.cyberark_authentication -a "use_ldap_authentication=yes api_base_url=127.0.0.1 username=test password=test"

Expected Results

attempt to auth against the api_base_url with LDAP auth

Actual Results

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnboundLocalError: local variable 'payload_dict' referenced before assignment
localhost | FAILED! => {
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n  File \"/var/tmp/ansible-tmp-1623278552.1340837-70470-37906186035002/AnsiballZ_cyberark_authentication.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/var/tmp/ansible-tmp-1623278552.1340837-70470-37906186035002/AnsiballZ_cyberark_authentication.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/var/tmp/ansible-tmp-1623278552.1340837-70470-37906186035002/AnsiballZ_cyberark_authentication.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.cyberark.pas.plugins.modules.cyberark_authentication', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/usr/lib64/python3.9/runpy.py\", line 210, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.9/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib64/python3.9/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_cyberark.pas.cyberark_authentication_payload_lqtqizuk/ansible_cyberark.pas.cyberark_authentication_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py\", line 374, in <module>\n  File \"/tmp/ansible_cyberark.pas.cyberark_authentication_payload_lqtqizuk/ansible_cyberark.pas.cyberark_authentication_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py\", line 368, in main\n  File \"/tmp/ansible_cyberark.pas.cyberark_authentication_payload_lqtqizuk/ansible_cyberark.pas.cyberark_authentication_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py\", line 213, in processAuthentication\nUnboundLocalError: local variable 'payload_dict' referenced before assignment\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

module_stderr:

Traceback (most recent call last):
  File "/var/tmp/ansible-tmp-1623278552.1340837-70470-37906186035002/AnsiballZ_cyberark_authentication.py", line 102, in <module>
    _ansiballz_main()
  File "/var/tmp/ansible-tmp-1623278552.1340837-70470-37906186035002/AnsiballZ_cyberark_authentication.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/var/tmp/ansible-tmp-1623278552.1340837-70470-37906186035002/AnsiballZ_cyberark_authentication.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.cyberark.pas.plugins.modules.cyberark_authentication', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib64/python3.9/runpy.py", line 210, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.9/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib64/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_cyberark.pas.cyberark_authentication_payload_lqtqizuk/ansible_cyberark.pas.cyberark_authentication_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py", line 374, in <module>
  File "/tmp/ansible_cyberark.pas.cyberark_authentication_payload_lqtqizuk/ansible_cyberark.pas.cyberark_authentication_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py", line 368, in main
  File "/tmp/ansible_cyberark.pas.cyberark_authentication_payload_lqtqizuk/ansible_cyberark.pas.cyberark_authentication_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py", line 213, in processAuthentication
UnboundLocalError: local variable 'payload_dict' referenced before assignment

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

1.0.7

Additional Information

Potentially an accidental indent here?
https://github.com/cyberark/ansible-security-automation-collection/blob/master/plugins/modules/cyberark_authentication.py#L201

The payload_dict from above hasn't changed in 2 years, but it looks like the conditionals around it have changed quite a bit in the last year:
https://github.com/cyberark/ansible-security-automation-collection/blame/ccea4d8d31e9514ca54c7b494dbf1177f66d81f3/plugins/modules/cyberark_authentication.py#L201

L201 might be out of place and indented to the wrong level based on the new conditionals in the module.

Sanity tests failing in cyberark.pas

SUMMARY

We are running sanity tests across every collection included in the Ansible community package (as part of this issue) and found that ansible-test sanity --docker against cyberark.pas 1.0.13 fails with ansible-core 2.13.0rc1 in ansible 6.0.0a2.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

n/a

ANSIBLE VERSION

ansible [core 2.13.0rc1]

COLLECTION VERSION

1.0.13

STEPS TO REPRODUCE

ansible-test sanity --docker

EXPECTED RESULTS

Tests are either passing or ignored.

ACTUAL RESULTS

ERROR: Found 29 validate-modules issue(s) which need to be resolved:
ERROR: plugins/modules/cyberark_account.py:0:0: doc-default-does-not-match-spec: Argument 'automatic_management_enabled' in argument_spec found in secret_management defines default as (None) but documentation defines default as (False)
ERROR: plugins/modules/cyberark_account.py:0:0: doc-required-mismatch: Argument 'api_base_url' in argument_spec is not required, but is documented as being required
ERROR: plugins/modules/cyberark_account.py:0:0: doc-required-mismatch: Argument 'logging_level' in argument_spec is not required, but is documented as being required
ERROR: plugins/modules/cyberark_account.py:0:0: doc-required-mismatch: Argument 'state' in argument_spec is not required, but is documented as being required
ERROR: plugins/modules/cyberark_account.py:0:0: invalid-documentation: DOCUMENTATION.version_added: expected str for dictionary value @ data['version_added']. Got 2.4
ERROR: plugins/modules/cyberark_account.py:0:0: invalid-documentation-markup: DOCUMENTATION.options.cyberark_session.description: Directive "M(cyberark_authentication)" must contain a FQCN for dictionary value @ data['options']['cyberark_session']['description']. Got ['Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session, please see M(cyberark_authentication) module for an example of cyberark_session.']
ERROR: plugins/modules/cyberark_account.py:0:0: no-default-for-required-parameter: DOCUMENTATION.options.state: Argument is marked as required but specifies a default. Arguments with a default should not be marked as required for dictionary value @ data['options']['state']. Got {'description': ['Assert the desired state of the account C(present) to creat or update and account object. Set to C(absent) for deletion of an account object.'], 'required': True, 'default': 'present', 'choices': ['present', 'absent'], 'type': 'str'}
ERROR: plugins/modules/cyberark_account.py:0:0: no-log-needed: Argument 'secret_management' in argument_spec could be a secret, though doesn't have `no_log` set
ERROR: plugins/modules/cyberark_account.py:0:0: return-syntax-error: RETURN.result.contains.secretManagement.contains: required key not provided @ data['result']['contains']['secretManagement']['contains']. Got None
ERROR: plugins/modules/cyberark_authentication.py:0:0: doc-default-does-not-match-spec: Argument 'concurrentSession' in argument_spec defines default as (False) but documentation defines default as (None)
ERROR: plugins/modules/cyberark_authentication.py:0:0: invalid-documentation: DOCUMENTATION.author: Invalid author for dictionary value @ data['author']. Got ['Edward Nunez (@enunez-cyberark) CyberArk BizDev', 'Cyberark Bizdev (@cyberark-bizdev)', 'Edgar Mota']
ERROR: plugins/modules/cyberark_authentication.py:0:0: invalid-documentation: DOCUMENTATION.version_added: expected str for dictionary value @ data['version_added']. Got 2.4
ERROR: plugins/modules/cyberark_authentication.py:0:0: parameter-type-not-in-doc: Argument 'concurrentSession' in argument_spec defines type as 'bool' but documentation doesn't define type
ERROR: plugins/modules/cyberark_authentication.py:0:0: undocumented-parameter: Argument 'concurrentSession' is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/cyberark_credential.py:0:0: invalid-documentation: DOCUMENTATION.version_added: expected str for dictionary value @ data['version_added']. Got 2.4
ERROR: plugins/modules/cyberark_credential.py:0:0: no-log-needed: Argument 'client_key' in argument_spec could be a secret, though doesn't have `no_log` set
ERROR: plugins/modules/cyberark_credential.py:0:0: return-syntax-error: RETURN.result.contains.Safe.type: not a valid value for dictionary value @ data['result']['contains']['Safe']['type']. Got 'string'
ERROR: plugins/modules/cyberark_user.py:0:0: doc-default-does-not-match-spec: Argument 'change_password_on_the_next_logon' in argument_spec defines default as (None) but documentation defines default as (False)
ERROR: plugins/modules/cyberark_user.py:0:0: doc-default-does-not-match-spec: Argument 'disabled' in argument_spec defines default as (None) but documentation defines default as (False)
ERROR: plugins/modules/cyberark_user.py:0:0: doc-required-mismatch: Argument 'logging_level' in argument_spec is not required, but is documented as being required
ERROR: plugins/modules/cyberark_user.py:0:0: invalid-documentation: DOCUMENTATION.version_added: expected str for dictionary value @ data['version_added']. Got 2.4
ERROR: plugins/modules/cyberark_user.py:0:0: invalid-documentation-markup: DOCUMENTATION.options.cyberark_session.description: Directive "M(cyberark_authentication)" must contain a FQCN for dictionary value @ data['options']['cyberark_session']['description']. Got ['Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session, please see M(cyberark_authentication) module for an example of cyberark_session.']
ERROR: plugins/modules/cyberark_user.py:0:0: no-default-for-required-parameter: DOCUMENTATION.options.logging_level: Argument is marked as required but specifies a default. Arguments with a default should not be marked as required for dictionary value @ data['options']['logging_level']. Got {'description': ['Parameter used to define the level of troubleshooting output to the C(logging_file) value.'], 'required': True, 'choices': ['NOTSET', 'DEBUG', 'INFO'], 'default': 'NOTSET', 'type': 'str'}
ERROR: plugins/modules/cyberark_user.py:0:0: parameter-list-no-elements: Argument 'authorization' in argument_spec defines type as list but elements is not defined
ERROR: plugins/modules/cyberark_user.py:0:0: parameter-list-no-elements: DOCUMENTATION.options.authorization: Argument defines type as list but elements is not defined for dictionary value @ data['options']['authorization']. Got {'description': ['A list of authorization options for this user.', 'Options can include AddSafes and AuditUsers', 'The default provides backwards compatability with older versions of the collection'], 'type': 'list', 'default': ['AddSafes', 'AuditUsers']}
ERROR: plugins/modules/cyberark_user.py:0:0: parameter-type-not-in-doc: Argument 'domain_name' in argument_spec defines type as 'str' but documentation doesn't define type
ERROR: plugins/modules/cyberark_user.py:0:0: parameter-type-not-in-doc: Argument 'member_type' in argument_spec defines type as 'str' but documentation doesn't define type
ERROR: plugins/modules/cyberark_user.py:0:0: undocumented-parameter: Argument 'domain_name' is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/cyberark_user.py:0:0: undocumented-parameter: Argument 'member_type' is listed in the argument_spec, but not documented in the module documentation
ERROR: The 1 sanity test(s) listed below (out of 43) failed. See error output above for details.
validate-modules
ERROR: Command "podman exec ansible-test-controller-6Yf4ICQQ /usr/bin/env ANSIBLE_TEST_CONTENT_ROOT=/root/ansible_collections/cyberark/pas LC_ALL=en_US.UTF-8 /usr/bin/python3.10 /root/ansible/bin/ansible-test sanity --containers '{}' --skip-test pylint --metadata tests/output/.tmp/metadata-7cv3_z7e.json --truncate 0 --color no --host-path tests/output/.tmp/host-ganac95w" returned exit status 1.

cyberark_authentication : Document concurrentSession parameter

Is your feature request related to a problem? Please describe.

The concurrentSession parameter is not mentioned in the Ansible documentation for the collection:
https://docs.ansible.com/ansible/latest/collections/cyberark/pas/cyberark_authentication_module.html

It is not mentioned in the module's documentation either.

In its stead, there is connection_number, which is commented out and not processed by the module:

# connection_number = module.params["connection_number"]

Describe the solution you would like

Adding the concurrentSession parameter in the module documentation, as well as in the official Ansible documentation,
and removing connection_number as it is not functional.

Describe alternatives you have considered

Additional context

Add any other context information about the feature request here.

cyberark_account - unable to append new remote_machine IP address

Summary

Provide a brief overview and context for the discovered bug.
When we try to update the "Remote Machines" of an existing account, the task fails with the following message.

  "msg": "Error while performing update_account.Please validate parameters provided.\n*** end_point=********/PasswordVault/api/Accounts/70_8\n ==> {'ErrorCode': 'PASWS125E', 'ErrorMessage': \"Property 'remotemachinesaccess' cannot be added\"}",

Steps to Reproduce

  1. Create an account in CyberArk (if it doesn't exist). (This also works with the Ansible playbook to create the new account.)
  2. Add some remote machine IP addresses in the "Remote Machines" section (e.g. 1.1.1.1, 2.2.2.2, 3.3.3.3).
  3. Use the playbook to append the new IP address to the list (e.g. 4.4.4.4).
- name: Logon to CyberArk Vault using PAS Web Services SDK
  delegate_to: localhost
  cyberark.pas.cyberark_authentication:
    api_base_url: "{{ lookup('ansible.builtin.env', 'CYBERARK_VAULT_URL') }}"
    validate_certs: false
    username: "{{ lookup('ansible.builtin.env', 'CYBERARK_AUTH_USERNAME') }}"
    password: "{{ lookup('ansible.builtin.env', 'CYBERARK_AUTH_PASSWORD') }}"
    use_ldap_authentication: true
  no_log: true

- name: Updating the account with new remote_machines
  block:
    - name: Update Account using the PAS WebServices SDK
      delegate_to: localhost
      cyberark.pas.cyberark_account:
        safe: "{{ cyberark_safe_name }}"
        address: "{{ cyberark_entry_address }}"
        username: "{{ cyberark_account_username }}"
        platform_id: "{{ cyberark_platform_id }}"
        remote_machines_access:
          remote_machines: "4.4.4.4"
        state: present
        cyberark_session: "{{ cyberark_session }}"
      register: cyberark_action

  always:
    - name: Logoff from CyberArk Vault
      delegate_to: localhost
      cyberark.pas.cyberark_authentication:
        state: absent
        cyberark_session: "{{ cyberark_session }}"

Expected Results

A clear and concise description of what you expected to happen.
The new IP address (eg: 4.4.4.4) should be appended to the remote machines list. (eg: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4).

Actual Results

A clear and concise description of what did happen. Include logs and screenshots whenever possible.

{
  "payload": [
    {
      "op": "replace",
      "path": "/remoteMachinesAccess",
      "value": {
        "remoteMachines": "4.4.4.4"
      }
    }
  ],
  "headers": {
    "Content-Type": "application/json",
    "Authorization": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
    "User-Agent": "CyberArk/1.0 (Ansible; cyberark.pas)"
  },
  "status_code": 400,
  "msg": "Error while performing update_account.Please validate parameters provided.\n*** end_point=********/PasswordVault/api/Accounts/70_8\n ==> {'ErrorCode': 'PASWS125E', 'ErrorMessage': \"Property 'remotemachinesaccess' cannot be added\"}",
  "invocation": {
    "module_args": {
      "safe": "<removed>",
      "address": "example.com",
      "username": "demouser",
      "platform_id": "DEMO_SSH_ANSIBLE",
      "remote_machines_access": {
        "remote_machines": "10.1.10.11",
        "access_restricted_to_remote_machines": true
      },
      "state": "present",
      "cyberark_session": {
        "token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
        "api_base_url": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
        "validate_certs": false
      },
      "logging_file": "/tmp/ansible_cyberark.log",
      "validate_certs": true,
      "identified_by": "username,address,platform_id",
      "secret_type": "password",
      "logging_level": null,
      "api_base_url": null,
      "name": null,
      "secret": null,
      "new_secret": null,
      "secret_management": null,
      "platform_account_properties": null
    }
  },
  "_ansible_no_log": null,
  "changed": false,
  "_ansible_delegated_vars": {
    "ansible_host": "localhost",
    "ansible_port": null,
    "ansible_user": "admin",
    "ansible_connection": "local"
  }
}

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

What version of the product are you running? Any version info that you can
share is helpful. For example, you might give the version from Docker logs,
the Docker tag, a specific download URL, the output of the /info route, etc.

  • Ansible Automation Platform 2.2
  • cyberark.pas collection 1.0.4 from Automation Hub

Environment setup

  • Can you describe the environment in which this product is running? Is it running on a VM / in a container / in a cloud?
  • Running from Ansible execution environment (also tested from VM)
  • Which cloud provider? Which container orchestrator (including version)? - NA
  • The more info you can share about your runtime environment, the better we may be able to reproduce the issue.

Additional Information

Add any other context about the problem here.
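
The payload in the report above sends a single JSON Patch "replace" operation whose value contains only the new address, so even when the server accepts it the existing machines would be overwritten rather than appended. The following is an added example (not code from the cyberark.pas collection) of the merge logic a module would need to get the reporter's expected result: it reads the account's current remoteMachinesAccess, merges the comma-separated remoteMachines list, emits no operation when nothing changes, and chooses "add" when the property is absent and "replace" when it is present. The account shape (remoteMachinesAccess with remoteMachines and accessRestrictedToRemoteMachines, as in the issue's payload), the sample account data, and the assumption that the PVWA PATCH endpoint accepts "add" for a missing property are all constructed for illustration.

```python
"""Build a JSON Patch (RFC 6902) that appends remote machines instead of overwriting them.

Added example, not code from the cyberark.pas collection. Assumptions:
  * the account returned by GET /PasswordVault/api/Accounts/{id} carries an optional
    "remoteMachinesAccess" dict with a comma-separated "remoteMachines" string and a
    boolean "accessRestrictedToRemoteMachines" (the shape seen in the issue's payload);
  * PATCH accepts "add" when the property is absent and "replace" when it is present.
"""
import json
from typing import Dict, List, Optional


def parse_remote_machines(value: Optional[str]) -> List[str]:
    """Split CyberArk's comma-separated remoteMachines string into a list of clean entries."""
    if not value:
        return []
    return [m.strip() for m in value.split(",") if m.strip()]


def build_remote_machines_patch(existing_account: Dict, desired: Dict, append: bool = True) -> List[Dict]:
    """Return the JSON Patch operations needed to bring remoteMachinesAccess to the desired state.

    existing_account: the account object as returned by the REST API.
    desired: module-style input, e.g. {"remote_machines": "4.4.4.4",
             "access_restricted_to_remote_machines": True}.
    append: merge new machines with the existing list (what the reporter expected);
            when False, the new list replaces the old one.
    An empty list means the account already matches (Ansible: changed=false).
    """
    current = existing_account.get("remoteMachinesAccess")
    current_list = parse_remote_machines((current or {}).get("remoteMachines"))
    new_list = parse_remote_machines(desired.get("remote_machines"))

    if append:
        merged = list(current_list)
        for machine in new_list:
            if machine not in merged:  # de-duplicate while keeping order
                merged.append(machine)
    else:
        merged = new_list

    value = {"remoteMachines": ",".join(merged)}

    # Keep the existing restriction flag unless the caller sets it explicitly.
    restricted = desired.get("access_restricted_to_remote_machines")
    if restricted is None and current is not None:
        restricted = current.get("accessRestrictedToRemoteMachines")
    if restricted is not None:
        value["accessRestrictedToRemoteMachines"] = bool(restricted)

    # Idempotency: nothing to send if every field already has the desired value.
    if current is not None and all(current.get(k) == v for k, v in value.items()):
        return []

    op = "replace" if current is not None else "add"
    return [{"op": op, "path": "/remoteMachinesAccess", "value": value}]


# Constructed sample: an account with three machines already configured, as in the report.
SAMPLE_ACCOUNT_WITH_MACHINES = {
    "id": "70_8",  # account id taken from the end_point in the issue
    "userName": "demouser",
    "address": "example.com",
    "platformId": "DEMO_SSH_ANSIBLE",
    "remoteMachinesAccess": {
        "remoteMachines": "1.1.1.1,2.2.2.2,3.3.3.3",
        "accessRestrictedToRemoteMachines": True,
    },
}

# Constructed sample: the same account before any remote machines were set.
SAMPLE_ACCOUNT_WITHOUT_MACHINES = {
    "id": "70_8",
    "userName": "demouser",
    "address": "example.com",
    "platformId": "DEMO_SSH_ANSIBLE",
}


if __name__ == "__main__":
    # Appending 4.4.4.4 keeps the three existing machines and yields a "replace" op.
    print(json.dumps(build_remote_machines_patch(SAMPLE_ACCOUNT_WITH_MACHINES,
                                                 {"remote_machines": "4.4.4.4"}), indent=2))
    # Setting the property for the first time yields an "add" op.
    print(json.dumps(build_remote_machines_patch(SAMPLE_ACCOUNT_WITHOUT_MACHINES,
                                                 {"remote_machines": "4.4.4.4",
                                                  "access_restricted_to_remote_machines": True}), indent=2))
```

The returned list is what a module would place in the request body sent to `/PasswordVault/api/Accounts/{id}` in place of the hard-coded "replace" shown in the report; an empty list is the signal to skip the request and report no change.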

Hard coded to use AIMWebService

Need to be able to point to alternate sites on the CCP to allow for different authentication settings. Some applications require a client certificate while others are not able to use certificates. This connector as written forces me to install two separate CCPs to support all my applications instead of just adding a second security configuration per the documentation: I have to have one CCP that requires client certs and another that doesn't.

https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CCP/Configure_CCPWindows.htm?tocpath=Administration%7CCentral%20Credential%20Provider%7CCentral%20Credential%20Provider%20web%20service%20configuration%7C_____0#MultiplesecurityconfigurationsandauthenticationmethodsfortheCentralCredentialProviderwebservice

"/AIMWebService/api/Accounts?AppId=%s&Query=%s&"
