Issue with anatomicjc.passbolt plugin

I would like to use the anatomicjc.passbolt plugin. I've followed this: Managing Secrets in Ansible using passbolt | by Jean-Christophe Vassort | passbolt

I've encrypted my passphrase and my recovery key with ansible-vault. I have a file with my password for ansible-vault.

But I have an issue:

TASK [Passbolt lookup plugin / fetch one] ***********************************************************************************************************************
task path: /home/Ansible/test/play.yml:9
exception during Jinja2 execution: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/ansible/template/__init__.py", line 1032, in _lookup
    ran = instance.run(loop_terms, variables=self._available_variables, **kwargs)
  File "/home/Ansible/.ansible/collections/ansible_collections/anatomicjc/passbolt/plugins/lookup/passbolt.py", line 278, in run
    self.passbolt_init(variables, kwargs)
  File "/home/Ansible/.ansible/collections/ansible_collections/anatomicjc/passbolt/plugins/lookup/passbolt.py", line 248, in passbolt_init
    self.p = PassboltAPI(dict_config=self.dict_config)
  File "/usr/local/lib/python3.9/dist-packages/passbolt/__init__.py", line 47, in __init__
    self.login()
  File "/usr/local/lib/python3.9/dist-packages/passbolt/__init__.py", line 158, in login
    self.nonce = self.decrypt(self.pgp_message).decode()
  File "/usr/local/lib/python3.9/dist-packages/passbolt/__init__.py", line 92, in decrypt
    with self.key.unlock(self.config.get("passphrase")):
  File "/usr/lib/python3.9/contextlib.py", line 117, in __enter__
    return next(self.gen)
  File "/usr/local/lib/python3.9/dist-packages/pgpy/pgp.py", line 1811, in unlock
    sk._key.unprotect(passphrase)
  File "/usr/local/lib/python3.9/dist-packages/pgpy/packet/packets.py", line 941, in unprotect
    self.keymaterial.decrypt_keyblob(passphrase)
  File "/usr/local/lib/python3.9/dist-packages/pgpy/packet/fields.py", line 1353, in decrypt_keyblob
    kb = super(RSAPriv, self).decrypt_keyblob(passphrase)
  File "/usr/local/lib/python3.9/dist-packages/pgpy/packet/fields.py", line 1264, in decrypt_keyblob
    raise PGPDecryptionError("Passphrase was incorrect!")
pgpy.errors.PGPDecryptionError: Passphrase was incorrect!
fatal: [localhost]: FAILED! => {
"msg": "An unhandled exception occurred while running the lookup plugin 'anatomicjc.passbolt.passbolt'. Error was a <class 'pgpy.errors.PGPDecryptionError'>, original message: Passphrase was incorrect!. Passphrase was incorrect!"
}

I don't understand why.

Thanks for your answer.

Luc

Hi @Luc

I guess the issue is the encrypted passphrase. Can you confirm you have no issue if the passphrase is not encrypted?

Can you try this (add a string filter)?

PASSBOLT_PASSPHRASE: "{{ your_passphrase_vault | string }}"

Cheers,

hi,

I confirm I don't have the issue with my passphrase not encrypted.
With PASSBOLT_PASSPHRASE: "{{ your_passphrase_vault | string }}", I've got the issue too.

Thanks a lot for your answer.

Ok, so the | string is useless in my opinion.

Can you check if your passphrase is well encrypted, with no line return?

The below command should return your GPG passphrase in clear text; ensure it is correct, without a line return:

ansible -m debug -a "var=your_passphrase_vault" localhost

Of course, replace your_passphrase_vault with your variable name.

Thanks,

hi,

Yes, I had a line return. Now that works.

I have another question:
With your plugin, could we create new passwords? And how?

Thanks a lot.

I’m glad to read you sorted out your issue.

I don’t know if you noticed that, but there is an example ansible playbook here: lab-passbolt-ansible-poc/example-playbook.yml at main · passbolt/lab-passbolt-ansible-poc · GitHub

It contains many samples.

You can use these environment variables to create a new resource if it doesn’t exist:

    PASSBOLT_CREATE_NEW_RESOURCE: "true"
    PASSBOLT_NEW_RESOURCE_PASSWORD_LENGTH: 20
    PASSBOLT_NEW_RESOURCE_PASSWORD_SPECIAL_CHARS: "true"

Don’t hesitate if you have further questions.

Best,

Hi,

I have not tried it yet, but thanks for your answers.
I didn't see if we could create directories on Passbolt with your plugin, or if we could create the password in a specific directory.

Best,

No, the main topic of this plugin is to retrieve passwords to use them with ansible.

That didn't work. I have my playbook like this:

The passwords haven't been created.
Where is my error?

Hi,

Can you show the output of your ansible-playbook command?

Best,

As an example, here is how I perform my tests.

In this repository, there is a docker-compose.yml file: GitHub - passbolt/lab-passbolt-ansible-poc

I launch the compose stack:

docker-compose up

I create a new profile in my Brave browser and perform a recovery: http://localhost:12380/

I use ada@passbolt.dev as email address.

There is a webmail in the compose stack you can reach here: http://localhost:12325/

I wait for the recovery email and click on the link to recover the ada@passbolt.dev account.

I install the passbolt extension, the account private recovery key is here: https://raw.githubusercontent.com/anatomicjc/passbolt-test-data/master/config/gpg/ada_private.key

At this step, I have a passbolt demo instance:

From another terminal, I enter in the passbolt container:

docker-compose run ansible bash

Then I launch the demo playbook:

ansible-playbook playbooks/example-playbook.yml

One task of this playbook is the password creation:

If I check in the passbolt web UI, I can see the resource has been created:

That's why I would like to see your playbook output :slight_smile:

Cheers,

I reproduced your issue, the first arg of the lookup function in your playbook is a variable:

 lookup(anatomicjc.passbolt.passbolt, ...)

It should be a string, with quotes:

 lookup('anatomicjc.passbolt.passbolt', ...)

Cheers,


Thanks for your answers.

The quotes were the issue. That works now.

Thanks a lot.

Best regards


Hello,

I've got a question. Could I use the plugin like this:

  - name: 'insert pwd isp'
    environment:
      PASSBOLT_BASE_URL: "https://[name_passbolt]"
      PASSBOLT_PRIVATE_KEY: "{{ private_key_vault }}"
      PASSBOLT_PASSPHRASE: "{{ passphrase_vault }}"
    debug:
      msg: "{{ lookup('anatomicjc.passbolt.passbolt', '{{ item.db }}', username='{{ item.dbu }}').password }}"
    with_items:
      - "{{ database }}"

because if yes, I've got this error:
fatal: [localhost]: FAILED! => {
"msg": "An unhandled exception occurred while running the lookup plugin 'anatomicjc.passbolt.passbolt'. Error was a <class 'Exception'>, original message: resource [first_data] not found. [first_data] not found"
}

With one data entry, that worked.

Hum, I don't understand where first_data in your error message comes from.

You have a working example with loop instead of with_items here: lab-passbolt-ansible-poc/example-playbook.yml at main · passbolt/lab-passbolt-ansible-poc · GitHub

Regards,

hi,

I have a vars file database like this:

database:
  - { a: "first_data", b: "second_data" }
  - { … }
  - { … }

Firstly, I create my passwords for resource "a" with user "b".
Secondly, I want to use them. For this task, I've written:

  - name: 'insert pwd isp'
    environment:
      PASSBOLT_BASE_URL: "https://[name_passbolt]"
      PASSBOLT_PRIVATE_KEY: "{{ private_key_vault }}"
      PASSBOLT_PASSPHRASE: "{{ passphrase_vault }}"
    debug:
      msg: "{{ lookup('anatomicjc.passbolt.passbolt', '{{ item.a }}', username='{{ item.a }}').password }}"
    with_items:
      - "{{ database }}"

but I've had this error:
fatal: [localhost]: FAILED! => {
"msg": "An unhandled exception occurred while running the lookup plugin 'anatomicjc.passbolt.passbolt'. Error was a <class 'Exception'>, original message: resource [first_data] not found. [first_data] not found"
}
I've tried to use loop in place of with_items, but that didn't succeed.

Thanks for your help.

With {{ item.a }}, ansible is searching for a variable named first_data as it is the value of item.a.

If you want to use the value of item.a, you should remove the brackets and use var instead of msg, with something like this:

debug:
  var: lookup('anatomicjc.passbolt.passbolt', item.a, username=item.a).password
with_items: "{{ database }}"
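An added example, not taken from this thread or from the plugin's repository, that puts the three fixes discussed above into one playbook: the plugin name passed as a quoted string, item fields used as plain Jinja expressions instead of a nested pair of {{ }}, and the vaulted passphrase guarded against a trailing line return. The vars file path, the `trim` safeguard, the `db_credentials` fact name and the `[name_passbolt]` placeholder are assumptions, not values from the thread.

```yaml
# Added example (not from the thread or the plugin repository).
# Assumes the `database` list from the thread, i.e. entries of the form
# { a: <resource name>, b: <username> }, and the two vaulted variables
# private_key_vault / passphrase_vault.
- name: Fetch passbolt passwords for every entry of the database list
  hosts: localhost
  gather_facts: false
  vars_files:
    - vars/database.yml          # assumed path of the vars file holding `database`
  tasks:
    - name: Look up each resource and keep the password out of the log
      environment:
        PASSBOLT_BASE_URL: "https://[name_passbolt]"      # placeholder, replace with your instance
        PASSBOLT_PRIVATE_KEY: "{{ private_key_vault }}"
        # `trim` is a standard Jinja2 filter, added here as a safeguard against
        # the trailing line return that broke the key unlock earlier in the thread
        PASSBOLT_PASSPHRASE: "{{ passphrase_vault | trim }}"
      # The plugin name is a quoted string, and item.a / item.b are plain
      # expressions rather than a second, nested pair of {{ }}
      set_fact:
        db_credentials: >-
          {{ db_credentials | default({})
             | combine({item.a: lookup('anatomicjc.passbolt.passbolt',
                                       item.a, username=item.b).password}) }}
      loop: "{{ database }}"
      no_log: true                 # never print the fetched passwords in the task output

    - name: Show which resources were fetched (names only, no secrets)
      debug:
        msg: "{{ db_credentials.keys() | list }}"
```

The `no_log` keyword matters once the lookup works: a `debug` of `.password`, as used while troubleshooting, writes the clear-text secret into the playbook output and any log that captures it.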

Yes, the issue is when Ansible is searching for first_data. Ansible didn't find the resource first_data.

fatal: [localhost]: FAILED! => {
"msg": "An unhandled exception occurred while templating '{{ lookup('anatomicjc.passbolt.passbolt', '{{item.db}}', username='{{item.dbu}}').password }}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'anatomicjc.passbolt.passbolt'. Error was a <class 'Exception'>, original message: resource d----------g not found. resource d----------------g not found"
}

Did you try this?