Init: mediaserver

lib/python3.10/site-packages/ansible_collections/cyberark/pas/roles/aimprovider/README.md

@@ -0,0 +1,91 @@
+cyberark.pas.aimprovider
+====================
+
+Role to install/uninstall CyberArk's AIM Credential Provider.
+
+Requirements
+------------
+
+- CyberArk Privileged Account Security Web Services SDK.
+- `cyberark.pas` Collection from Ansible Galaxy or Automation Hub
+
+Role Variables
+--------------
+```
+# CyberArk's Privileged Account Security Web Services SDK api base URL (example: https://components.cyberark.local)
+rest_api_url: ""
+
+# Whether to validate certificates for REST api calls. If false, SSL certificates will not be validated. This should only be used on personally controlled sites using self-signed certificates.
+validate_certs: true
+
+# Zip file with distribution of AIM Provider (example: /tmp/binaries/RHELinux x64-Rls-v9.8.zip); this file is located in the Ansible server, and it will be copied to the Ansible nodes. It should point to the current version of AIM distribution to be used when delivering to the nodes in a central folder within the Ansible server.
+zip_file_name: ""
+
+# Folder name within the ZIP file that will be used. By default, it's taken from zip file name, for example: "RHELinux x64"
+folder_name: '{{zip_file_name.split("/")[-1].split("-Rls")[0]}}'
+
+# CyberArk location for App Provider user to be created
+app_provider_user_location: "\\Applications"
+
+# CyberArk Vault Address
+vault_address: ""
+
+# Whether to use shared logon authentication. If true, it will use the "Shared Logon Authentication" as described in the CyberArk's document "Privileged Account Security Web Services SDK Implementation Guide"
+use_shared_logon_authentication: false
+
+# State - can be "present"/"absent" for install/uninstall.
+state: "present"
+```
+
+
+Additionally:
+- **app_provider_user_group**: The name of the group the Provider user will be added to.
+
+Dependencies
+------------
+
+None.
+
+
+Example Playbook
+----------------
+
+1) Install CyberArk AIM Provider.
+
+```
+---
+- hosts: all
+
+  roles:
+
+    - role: cyberark.pas.aimprovider
+      api_base_url: "https://components.cyberark.local"
+      validate_certs: false
+      zip_file_name: "/tmp/binaries/RHELinux x64-Rls-v9.8.zip"
+      vault_address: "10.0.1.10"
+      use_shared_logon_authentication: true
+```
+
+2) Uninstall CyberArk AIM Provider.
+```
+---
+- hosts: all
+
+  roles:
+
+    - role: cyberark.pas.aimprovider
+      api_base_url: "https://components.cyberark.local"
+      use_shared_logon_authentication: true
+      state: "absent"
+      validate_certs: false
+```
+
+License
+-------
+
+MIT
+
+Author Information
+------------------
+
+- Edward Nunez (edward.nunez@cyberark.com)

lib/python3.10/site-packages/ansible_collections/cyberark/pas/roles/aimprovider/defaults/main.yml

@@ -0,0 +1,27 @@
+---
+
+# Default values for possible input parameters
+
+# CyberArk's Privileged Account Security Web Services SDK api base URL
+rest_api_url: ""
+
+# Whether to validate certificates for REST api calls
+validate_certs: true
+
+# Zip file with distribution of AIM Provider
+zip_file_name: ""
+
+# Folder name within the ZIP file that will be used by default is taken from zip file name.
+folder_name: '{{zip_file_name.split("/")[-1].split("-Rls")[0]}}'
+
+# CyberArk location for App Provider user to be created
+app_provider_user_location: "\\Applications"
+
+# CyberArk Vault Address
+vault_address: ""
+
+# Whether to use shared logon authentication
+use_shared_logon_authentication: false
+
+# State - the state of the provider: present mean installing the provide and Absent means uninstalling
+state: "present"

lib/python3.10/site-packages/ansible_collections/cyberark/pas/roles/aimprovider/tasks/installAIMProvider.yml

@@ -0,0 +1,152 @@
+---
+- name: Validating Role Parameters
+  assert:
+    that:
+      - zip_file_name != ''
+      - vault_address != ''
+      - api_base_url != ''
+      - folder_name != ''
+      - app_provider_user_location != ''
+      - state == "present"
+      - (not use_shared_logon_authentication|default(false) and password_object is defined) or
+        (use_shared_logon_authentication|default(false) and password_object is not defined)
+
+
+- debug: msg="Installation params => zip_file_name = {{zip_file_name}}  folder_name={{folder_name}}"
+
+- block:
+
+  - name: Copy provider zip to target and unzip
+    unarchive: src="{{zip_file_name}}" dest=/tmp
+
+  - name: Rename aimparms and copy to var/tmp
+    command: cp "/tmp/{{folder_name}}/aimparms.sample" /var/tmp/aimparms
+
+  - name: Replace parameters" in /var/tmp/aimparms
+    replace:
+      dest: /var/tmp/aimparms
+      regexp: "{{item.regexp}}"
+      replace: "{{item.replace}}"
+    with_items:
+      - {regexp: '^AcceptCyberArkEULA=.*$', replace: 'AcceptCyberArkEULA=Yes'}
+      - {regexp: '^LicensedProducts=.*$', replace: 'LicensedProducts=AIM'}
+      - {regexp: '^.?CreateVaultEnvironment=.*$', replace: 'CreateVaultEnvironment=no'}
+      - {regexp: '^VaultFilePath=.*$', replace: 'VaultFilePath=/tmp/{{folder_name}}/Vault.ini'}
+
+
+  - name: Change Vault.ini to the right address
+    replace:
+      dest: "/tmp/{{folder_name}}/Vault.ini"
+      regexp: '^ADDRESS=.*$'
+      replace: 'ADDRESS={{vault_address}}'
+
+  - name: Change permission on createcredfile
+    file:
+      path: "/tmp/{{folder_name}}/CreateCredFile"
+      mode: 0755
+
+  - find:
+      paths: "/tmp/{{folder_name}}"
+      patterns: "CARKaim-*.rpm"
+    register: aimrpm
+
+  # debug: msg="{{aimrpm.files[0].path}}"
+
+  - name: Install Provider
+    package: name='{{aimrpm.files[0].path}}' state=present
+
+  - name: Verify status of service after installing Provider
+    command: service aimprv status
+    register: command_result
+    ignore_errors: yes
+    args:
+      warn: false
+
+  # debug: msg="status of service RC={{command_result.rc}}"
+
+  - name: Logon to CyberArk Vault using PAS Web Services SDK - use_shared_logon_authentication
+    cyberark.pas.cyberark_authentication:
+      api_base_url: "{{ api_base_url }}"
+      use_shared_logon_authentication: true
+      validate_certs: "{{ validate_certs }}"
+    changed_when: false
+    when: (command_result.rc != 0 and use_shared_logon_authentication|default(false))
+
+  - name: Logon to CyberArk Vault using PAS Web Services SDK - Not use_shared_logon_authentication
+    cyberark.pas.cyberark_authentication:
+      api_base_url: "{{ api_base_url }}"
+      username: "{{ password_object.password }}"
+      password: "{{ password_object.passprops.username }}"
+      validate_certs: "{{ validate_certs }}"
+    changed_when: false
+    when: (command_result.rc != 0 and not use_shared_logon_authentication|default(false))
+
+  # name: Debug message
+  #  debug:
+  #    msg: "{{ cyberark_session.token }}"
+  #  when: (command_result.rc != 0)
+
+  - name: Create provider user
+    cyberark.pas.cyberark_user:
+      username: "Prov_{{ ansible_hostname }}"
+      initial_password: "Cyberark1"
+      user_type_name: "AppProvider"
+      location: "{{ app_provider_user_location }}"
+      group_name: "{{ app_provider_user_group }}"
+      change_password_on_the_next_logon: false
+      state: present
+      cyberark_session: "{{ cyberark_session }}"
+    register: cyberarkaction
+    when: (command_result.rc != 0)
+
+  # debug:
+  #    msg: "USERCREATED => {{cyberarkaction}}"
+  #  when: (command_result.rc != 0 and cyberarkaction.status_code == 201)
+
+  - name: Reset provider user credential
+    cyberark.pas.cyberark_user:
+      username: "Prov_{{ ansible_hostname }}"
+      new_password: "Cyberark1"
+      disabled: false
+      state: present
+      cyberark_session: "{{ cyberark_session }}"
+    register: cyberarkaction
+    when: (command_result.rc != 0 and cyberarkaction.status_code == 200)
+
+  - name: Logoff from CyberArk Vault
+    cyberark.pas.cyberark_authentication:
+      state: absent
+      cyberark_session: "{{ cyberark_session }}"
+    changed_when: false
+    when: (command_result.rc != 0)
+
+  - name: Create Provider Initial Cred File
+    command: /opt/CARKaim/bin/createcredfile /etc/opt/CARKaim/vault/appprovideruser.cred Password -Username Prov_{{ ansible_hostname }} -Password Cyberark1
+    when: (command_result.rc != 0)
+
+  - name: Set vault.ini Into Place
+    command: cp "/tmp/{{folder_name}}/Vault.ini" /etc/opt/CARKaim/vault/vault.ini
+
+  - name: Start Provider Service
+    service: name=aimprv state=started
+    when: (command_result.rc != 0)
+
+  - name: Remove /tmp/{{folder_name}}
+    file:
+      path: '/tmp/{{folder_name}}'
+      state: absent
+
+  - name: Remove /var/tmp/aimparms
+    file:
+      path: '/var/tmp/aimparms'
+      state: absent
+
+  rescue:
+
+    - name: Remove /tmp/{{folder_name}}
+      file:
+        path: '/tmp/{{folder_name}}'
+        state: absent
+
+    - fail:
+        msg: "AIM Credential Provider Installation failed!"

lib/python3.10/site-packages/ansible_collections/cyberark/pas/roles/aimprovider/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: Validating Role Parameters
+  assert:
+    that:
+      - api_base_url != ''
+      - state in ["present", "absent"]
+      - (not use_shared_logon_authentication|default(false) and password_object is defined) or
+        (use_shared_logon_authentication|default(false) and password_object is not defined)
+
+- name: Verify status of aimprv service initially
+  command: service aimprv status
+  register: service_already_running
+  ignore_errors: yes
+  changed_when: false
+  args:
+    warn: false
+
+- debug: msg="status of service RC={{service_already_running.rc}}"
+
+- import_tasks: installAIMProvider.yml
+  when: (state == "present" and service_already_running.rc != 0)
+
+- import_tasks: uninstallAIMProvider.yml
+  when: (state == "absent" and service_already_running.rc == 0)

lib/python3.10/site-packages/ansible_collections/cyberark/pas/roles/aimprovider/tasks/uninstallAIMProvider.yml

@@ -0,0 +1,61 @@
+---
+- block:
+
+  - name: Uninstall Provider
+    package: name='CARKaim' state=absent
+
+  - name: Logon to CyberArk Vault using PAS Web Services SDK - use_shared_logon_authentication
+    cyberark.pas.cyberark_authentication:
+      api_base_url: "{{ api_base_url }}"
+      use_shared_logon_authentication: true
+      validate_certs: "{{ validate_certs }}"
+    when: (use_shared_logon_authentication)
+
+  - name: Logon to CyberArk Vault using PAS Web Services SDK - Not use_shared_logon_authentication
+    cyberark.pas.cyberark_authentication:
+      api_base_url: "{{ api_base_url }}"
+      username: "{{ password_object.password }}"
+      password: "{{ password_object.passprops.username }}"
+      validate_certs: "{{ validate_certs }}"
+    changed_when: false
+    when: (not use_shared_logon_authentication)
+
+  # name: Debug message
+  #  debug:
+  #    msg: "{{ cyberark_session }}"
+  #  when: (cyberark_session.token is defined)
+
+  - name: Remove Provider User
+    cyberark.pas.cyberark_user:
+      username: "Prov_{{ansible_hostname}}"
+      state: absent
+      cyberark_session: "{{ cyberark_session }}"
+    register: cyberarkaction
+    ignore_errors: yes
+    when: (cyberark_session.token is defined)
+
+  # debug:
+  #    msg: "USERDETAILS => {{cyberarkaction}}"
+  #  when: (cyberarkaction.status_code == 200)
+
+  - name: Logoff from CyberArk Vault
+    cyberark.pas.cyberark_authentication:
+      state: absent
+      cyberark_session: "{{ cyberark_session }}"
+    changed_when: false
+    when: (cyberark_session.token is defined)
+
+  - name: Remove /etc/opt/CARKaim
+    file:
+      path: '/etc/opt/CARKaim'
+      state: absent
+
+  - name: Remove /var/opt/CARKaim
+    file:
+      path: '/var/opt/CARKaim'
+      state: absent
+
+  rescue:
+
+    - fail:
+        msg: "AIM Credential Provider Uninstall failed!"