Add Thycotic DevOps Secrets Vault support

awx/main/credential_plugins/dsv.py

@@ -0,0 +1,71 @@
+from .plugin import CredentialPlugin
+
+from django.conf import settings
+from django.utils.translation import get_language, to_locale, ugettext_lazy as _
+from thycotic.secrets.vault import SecretsVault
+
+
+dsv_inputs = {
+    'fields': [
+        {
+            'id': 'tenant',
+            'label': _('Tenant'),
+            'help_text': _('The tenant e.g. "ex" when the URL is https://ex.secretservercloud.com'),
+            'type': 'string',
+        },
+        {'id': 'client_id', 'label': _('Client ID'), 'type': 'string'},
+        {
+            'id': 'client_secret',
+            'label': _('Client Secret'),
+            'type': 'string',
+            'secret': True,
+        },
+    ],
+    'metadata': [
+        {
+            'id': 'path',
+            'label': _('Secret Path'),
+            'type': 'string',
+            'help_text': _('The secret path e.g. /test/secret1'),
+        },
+        {
+            'id': 'expr',
+            'label': _('Attribute Expression'),
+            'type': 'string',
+            'help_text': _('A Python expression on the dict representation of the secret e.g. "data.username"'),
+        },
+    ],
+    'required': ['tenant', 'client_id', 'client_secret', 'path'],
+}
+
+if settings.DEBUG:
+    dsv_inputs['fields'].append(
+        {
+            'id': 'url_template',
+            'label': _('URL template'),
+            'type': 'string',
+            'default': 'https://{}.secretsvaultcloud.{}/v1',
+        }
+    )
+
+if to_locale(get_language()) != 'en_US':
+    dsv_inputs['fields'].append(
+        {
+            'id': 'tld',
+            'label': _('Top-level Domain (TLD)'),
+            'help_text': _('The Top-level domain of the tenant e.g. "com" when the URL is https://ex.secretservercloud.com'),
+            'type': 'string',
+            'default': 'com',
+            'choices': ['ca', 'com', 'com.au', 'com.sg', 'eu'],
+        }
+    )
+
+
+dsv_plugin = CredentialPlugin(
+    'Thycotic DevOps Secrets Vault',
+    dsv_inputs,
+    lambda **kwargs: eval(
+        kwargs['expr'],
+        SecretsVault(**{k: v for (k, v) in kwargs.items() if k in [field['id'] for field in dsv_inputs['fields']]}).get_secret(kwargs['path']),
+    ),
+)

awx/settings/defaults.py

@@ -701,6 +701,12 @@ SATELLITE6_INSTANCE_ID_VAR = 'foreman_id'
 INSIGHTS_INSTANCE_ID_VAR = 'insights_id'
 INSIGHTS_EXCLUDE_EMPTY_GROUPS = False
 
+# ---------------------
+# --- Thycotic DSV ----
+# ---------------------
+DSV_SHOW_TLD = False  # overridden when LOCALE != en_US
+DSV_SHOW_URL_TEMPLATE = False
+
 # ---------------------
 # ----- Custom -----
 # ---------------------

requirements/requirements.in

@@ -42,6 +42,7 @@ psutil
 pygerduty
 pyparsing
 python3-saml
+python-dsv-sdk
 python-ldap>=3.3.1 # https://github.com/python-ldap/python-ldap/issues/270
 pyyaml>=5.4.1  # minimum to fix https://github.com/yaml/pyyaml/issues/478
 receptorctl

requirements/requirements.txt

@@ -274,6 +274,8 @@ python-dateutil==2.8.1
     #   adal
     #   kubernetes
     #   receptorctl
+python-dsv-sdk==0.0.1
+    # via -r /awx_devel/requirements/requirements.in
 python-ldap==3.3.1
     # via
     #   -r /awx_devel/requirements/requirements.in
@@ -316,6 +318,7 @@ requests==2.23.0
     #   django-oauth-toolkit
     #   kubernetes
     #   msrest
+    #   python-dsv-sdk
     #   requests-oauthlib
     #   slackclient
     #   social-auth-core

setup.py

@@ -130,6 +130,7 @@ setup(
             'azure_kv = awx.main.credential_plugins.azure_kv:azure_keyvault_plugin',
             'aim = awx.main.credential_plugins.aim:aim_plugin',
             'centrify_vault_kv = awx.main.credential_plugins.centrify_vault:centrify_plugin',
+            'thycotic_dsv = awx.main.credential_plugins.dsv:dsv_plugin',
         ],
     },
     data_files=proc_data_files(