Add secret to login module (#858)
Signed-off-by: Martin Jackson <[email protected]>
Co-authored-by: Sergey <[email protected]>
mhjacks and sshnaidm authored Oct 7, 2024
1 parent 8daec72 commit e46c7eb
Showing 2 changed files with 126 additions and 10 deletions.
48 changes: 39 additions & 9 deletions plugins/modules/podman_login.py
Expand Up @@ -39,7 +39,6 @@
password:
description:
- Password for the registry server.
required: True
type: str
registry:
description:
Expand All @@ -59,14 +58,18 @@
username:
description:
- Username for the registry server.
required: True
type: str
executable:
description:
- Path to C(podman) executable if it is not in the C($PATH) on the
machine running C(podman)
default: 'podman'
type: str
secret:
description:
- Name of an existing C(podman) secret to use for authentication
to target registry
type: str
'''

EXAMPLES = r"""
Expand All @@ -81,16 +84,24 @@
password: 'p4ssw0rd'
registry: quay.io
- name: Login to quay.io using existing secret called password
containers.podman.podman_login:
username: user
secret: password
registry: quay.io
"""
# noqa: F402

import hashlib
import os
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.containers.podman.plugins.module_utils.podman.common import LooseVersion
from ansible_collections.containers.podman.plugins.module_utils.podman.common import get_podman_version


def login(module, executable, registry, authfile,
certdir, tlsverify, username, password):
certdir, tlsverify, username, password, secret):

command = [executable, 'login']
changed = False
Expand All @@ -99,6 +110,8 @@ def login(module, executable, registry, authfile,
command.extend(['--username', username])
if password:
command.extend(['--password', password])
if secret:
command.extend(['--secret', secret])
if authfile:
command.extend(['--authfile', authfile])
authfile = os.path.expandvars(authfile)
Expand Down Expand Up @@ -146,15 +159,19 @@ def main():
executable=dict(type='str', default='podman'),
registry=dict(type='str'),
authfile=dict(type='path'),
username=dict(type='str', required=True),
password=dict(type='str', required=True, no_log=True),
username=dict(type='str'),
password=dict(type='str', no_log=True),
certdir=dict(type='path'),
tlsverify=dict(type='bool'),
secret=dict(type='str', no_log=False),
),
supports_check_mode=True,
required_together=(
['username', 'password'],
)
required_by={
'password': 'username',
},
mutually_exclusive=[
['password', 'secret'],
],
)

registry = module.params['registry']
Expand All @@ -163,10 +180,23 @@ def main():
password = module.params['password']
certdir = module.params['certdir']
tlsverify = module.params['tlsverify']
secret = module.params['secret']
executable = module.get_bin_path(module.params['executable'], required=True)

podman_version = get_podman_version(module, fail=False)

if (
(podman_version is not None) and
(LooseVersion(podman_version) < LooseVersion('4.7.0')) and
secret
):
module.fail_json(msg="secret option may not be used with podman < 4.7.0")

if username and ((not password) and (not secret)):
module.fail_json(msg="Must pass either password or secret with username")

changed, out, err = login(module, executable, registry, authfile,
certdir, tlsverify, username, password)
certdir, tlsverify, username, password, secret)

results = {
"changed": changed,
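Review bot: The `secret` entry added to DOCUMENTATION does not mention the two constraints that main() now enforces: it is rejected together with `password` through `mutually_exclusive`, and it fails on podman older than 4.7.0. I would add a line such as `- Mutually exclusive with I(password). Requires podman 4.7.0 or later.` to its description, so users see the limits before a task fails at run time. The spec line `secret=dict(type='str', no_log=False)` also deserves a comment like `# name of an existing podman secret, not the credential itself, so it is safe to log`, because the value is passed on the command line via `--secret` and a password put there by mistake would not be masked. Both login() and main() continue outside the visible hunks.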
88 changes: 87 additions & 1 deletion tests/integration/targets/podman_login/tasks/main.yml
@@ -1,8 +1,19 @@
- name: Test podman_login
block:
- name: Discover podman version
shell: podman version | grep "^Version:" | awk {'print $2'}
register: podman_v

- name: Set podman version fact
set_fact:
podman_version: "{{ podman_v.stdout | string }}"

- name: Set podman version fact to gt than 4.7.0 if so
set_fact:
podman_version_gt470: "{{ podman_version is version('4.7.0', '>=') }}"

- name: Print podman version
command: podman version
debug: var=podman_v.stdout

- name: Logout from docker if it exists
command: docker logout
Expand Down Expand Up @@ -35,6 +46,19 @@
that:
- loginf is failed

- name: Ensure we catch exception from not specifying password or secret
containers.podman.podman_login:
executable: "{{ test_executable | default('podman') }}"
username: foo
registry: docker.io
register: loginf2
ignore_errors: true

- name: Check login from just username
assert:
that:
- loginf2 is failed

- name: Login to registry.fedoraproject.org
containers.podman.podman_login:
executable: "{{ test_executable | default('podman') }}"
Expand All @@ -48,3 +72,65 @@
assert:
that:
- login is not failed

- name: Create a secret to login with
containers.podman.podman_secret:
executable: "{{ test_executable | default('podman') }}"
name: foo
data: bar
when: podman_version_gt470

- name: Login using secret foo
containers.podman.podman_login:
executable: "{{ test_executable | default('podman') }}"
username: foo
secret: foo
registry: registry.fedoraproject.org
when: podman_version_gt470
register: loginsecret
ignore_errors: true

- name: Check login with secret
assert:
that:
- loginsecret is not failed
when: podman_version_gt470

- name: Login just using secret foo - implies username foo
containers.podman.podman_login:
executable: "{{ test_executable | default('podman') }}"
secret: foo
registry: registry.fedoraproject.org
when: podman_version_gt470
register: loginsecret2
ignore_errors: true

- name: Check login with just secret
assert:
that:
- loginsecret2 is not failed
when: podman_version_gt470

- name: Login just using both secret and passsword - should fail
containers.podman.podman_login:
executable: "{{ test_executable | default('podman') }}"
username: foo
secret: foo
password: bar
registry: registry.fedoraproject.org
when: podman_version_gt470
register: loginsecret3
ignore_errors: true

- name: Ensure failure specifying both secret and password
assert:
that:
- loginsecret3 is failed
when: podman_version_gt470

- name: Remove the foo secret
containers.podman.podman_secret:
executable: "{{ test_executable | default('podman') }}"
name: foo
state: absent
when: podman_version_gt470
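Review bot: The version discovery task at the top of the block runs a bare `podman version`, while every module call in this file passes `executable: "{{ test_executable | default('podman') }}"`, so when `test_executable` points to a different binary the `podman_version_gt470` gate is computed for the wrong podman. Building the shell command from the same expression, `{{ test_executable | default('podman') }} version`, keeps the gate and the tested binary in step. Separately, the secret `foo` is removed only by the final task; unless the file has an `always:` section outside the visible lines, a failed assert leaves that secret behind on the test host, so the removal would be better placed there.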
