I thought I had the Ansible lookup plugin working since solving "Ansible lookup plugin throws TypeError: encoding without a string argument"; however, the tests I did there were on freshly created passwords by the dedicated Ansible Passbolt user. And that all seems to work correctly now.
But now I tried looking up a password that has been in our Passbolt instance for a long time, I just shared it with the Ansible Passbolt user so that the lookup plugin would be able to read the resource.
On that password resource the plugin now fails with:
exception during Jinja2 execution: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/ansible/template/__init__.py", line 831, in _lookup
    ran = instance.run(loop_terms, variables=self._available_variables, **kwargs)
  File "/usr/share/ansible/collections/ansible_collections/anatomicjc/passbolt/plugins/lookup/passbolt.py", line 305, in run
    or json.loads(
  File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python3.9/json/decoder.py", line 340, in decode
    raise JSONDecodeError("Extra data", s, end)
json.decoder.JSONDecodeError: Extra data: line 1 column 2 (char 1)
fatal: [localhost]: FAILED! => {
"msg": "An unhandled exception occurred while running the lookup plugin 'anatomicjc.passbolt.passbolt'. Error was a <class 'json.decoder.JSONDecodeError'>, original message: Extra data: line 1 column 2 (char 1). Extra data: line 1 column 2 (char 1)"
I tried both a lookup on the name of the resource and on the uuid with the per_uuid='true' flag. The result is the same.
I added
print(self.p.decrypt(self.p.get_resource_secret(resource.get("id"))))
on line 295 of /usr/share/ansible/collections/ansible_collections/anatomicjc/passbolt/plugins/lookup/passbolt.py
to debug this:
When I look up a recent password created by the Ansible Passbolt user itself, it prints out valid JSON:
{"description": "Ansible Generated", "password": "Test123"}
and the plugin works as expected.
On the lookup of the password that was created previously and shared with that user, it just prints out the password without quotes or any JSON formatting, thus it is not valid JSON. Hence the plugin fails to interpret the string as JSON and bails out.
I’m not sure, but possibly that password was defined in a Passbolt version prior to when it was possible to encrypt the description field. Could that be the cause?
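
Added example (not part of the original post and not the plugin's own code): a sketch of how a caller could accept both shapes of decrypted secret described above, the JSON object and the bare password string. The function names and the legacy sample values are assumptions constructed for illustration; only the JSON sample comes from the post.

```python
import json


def json_error(plaintext):
    """Return the json.loads() error text for plaintext, or None if it parses."""
    try:
        json.loads(plaintext)
    except json.JSONDecodeError as exc:
        return str(exc)
    return None


def parse_decrypted_secret(plaintext):
    """Normalize a decrypted secret string into password/description fields.

    Hypothetical helper. Two shapes are handled:
      - a JSON object carrying "password" (and optionally "description")
      - a bare password string with no JSON wrapping
    """
    try:
        parsed = json.loads(plaintext)
    except json.JSONDecodeError:
        parsed = None
    # A bare password can itself be valid JSON ("123456" -> int, "true" -> bool),
    # so a successful parse is not enough: require an object with a password key.
    if isinstance(parsed, dict) and "password" in parsed:
        return {
            "password": parsed["password"],
            "description": parsed.get("description", ""),
            "format": "json",
        }
    return {"password": plaintext, "description": None, "format": "plain"}


if __name__ == "__main__":
    samples = [
        '{"description": "Ansible Generated", "password": "Test123"}',  # from the post
        "7up!legacy",  # constructed: fails with "Extra data ... (char 1)"
        "123456",      # constructed: parses as a JSON number, still a plain password
        "true",        # constructed: parses as a JSON boolean, still a plain password
    ]
    for s in samples:
        print(repr(s), "->", parse_decrypted_secret(s), "| json error:", json_error(s))
```

A bare string that begins with a digit followed by a non-numeric character produces exactly the "Extra data: line 1 column 2 (char 1)" message seen in the traceback, because the decoder accepts the first character as a complete number and then rejects the rest.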