hybrid_platforms_conductor 33.2.0 → 33.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9f284e0fbe4ad4a3f1731a4c3b1bc61aa0bbe315d37241845bebdfe384e5f366
-  data.tar.gz: 1f731fef465da4333a435ebfbbc1a4b4f592d85110e02e4ed4f38984275502b0
+  metadata.gz: c0707386d30d5e671d5ceac5e1fec9d971cdccd2b7057c6ed3a75cb5d8bb6d85
+  data.tar.gz: e9e5c023662e7aa9283905f4ae54f4b8995d14f61bea1d844ef4fef32cba68dc
 SHA512:
-  metadata.gz: 8d061127dcc4caeb2e5f5984c4e91b50e46fc9687f4ae4353fb37812232dd69d1289196303f4586c0ad5e6311559679c4937844951ca6daf7a3f902e9b9fe519
-  data.tar.gz: 5561ebc29c31d61fb0c009faf3b0dc661ce72c7078f55dad2e6e8a5630027137121ea69c536928646f3ac7271a1cf6a2b492d6a3ed0979ee1f1d35e85aed9ac3
+  metadata.gz: 1b70dedf6605d48081ead37771b8f94e29d26334fb1c0f7f15ed8ed70cabc24809b145bd681af9e829cd0c968accd18cf87886987391709a7252908a00104096
+  data.tar.gz: cbe9033432aae4b83b4153501efad2330651696ba0fc8b487d21f5927430d481661e5d3bf2c3617ffb20c2ba7e254f82328d4225aeba4f98295873c55fe4cca9

data/CHANGELOG.md

@@ -1,3 +1,64 @@
+# [v33.3.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.2.4...v33.3.0) (2021-07-02 17:20:58)
+
+## Global changes
+### Patches
+
+* [[Feature(secrets_reader_keepass)] [#79] Add Keepass secrets reader plugin to get secrets from KeePass databases](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/7ace48653a74f03ed535ee6b41b21242a6454ff3)
+
+## Changes for secrets_reader_keepass
+### Features
+
+* [[Feature(secrets_reader_keepass)] [#79] Add Keepass secrets reader plugin to get secrets from KeePass databases](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/7ace48653a74f03ed535ee6b41b21242a6454ff3)
+
+# [v33.2.4](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.2.3...v33.2.4) (2021-06-23 15:14:20)
+
+## Global changes
+### Patches
+
+* [[Hotfix(platform_handler_serverless_chef)] Forward environment in sudo commands](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/fd3b58875665c29dd071b5af2055eab0c45c0974)
+* [[Hotfix] Fixed unbundled environment not cleaned + Moved deployer config DSL in deployer.rb](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/2bce6dbc31d98b27f196ed646eb9aa669b0f9a86)
+
+## Changes for platform_handler_serverless_chef
+### Patches
+
+* [[Hotfix(platform_handler_serverless_chef)] Forward environment in sudo commands](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/fd3b58875665c29dd071b5af2055eab0c45c0974)
+
+# [v33.2.3](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.2.2...v33.2.3) (2021-06-23 13:45:56)
+
+## Global changes
+### Patches
+
+* [[Hotfix(provisioner_proxmox)] Add missing require in synchronization script](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/7a6c71595789c9180e1d95323fc5cf5051f2e2cd)
+
+## Changes for provisioner_proxmox
+### Patches
+
+* [[Hotfix(provisioner_proxmox)] Add missing require in synchronization script](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/7a6c71595789c9180e1d95323fc5cf5051f2e2cd)
+
+# [v33.2.2](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.2.1...v33.2.2) (2021-06-21 12:41:35)
+
+## Global changes
+### Patches
+
+* [[Hotfix(cmd_runner)] Retain dynamically set environment while executing commands](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/d709d5d2871e43196cc1f5f9eaf5b2155b34ed4e)
+
+## Changes for cmd_runner
+### Patches
+
+* [[Hotfix(cmd_runner)] Retain dynamically set environment while executing commands](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/d709d5d2871e43196cc1f5f9eaf5b2155b34ed4e)
+
+# [v33.2.1](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.2.0...v33.2.1) (2021-06-21 10:23:51)
+
+## Global changes
+### Patches
+
+* [[Hotfix(platform_handler_serverless_chef)] Corrected dry-run mode not working](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/4800a0f4255c1999eed33651c1e66c445acd17bb)
+
+## Changes for platform_handler_serverless_chef
+### Patches
+
+* [[Hotfix(platform_handler_serverless_chef)] Corrected dry-run mode not working](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/4800a0f4255c1999eed33651c1e66c445acd17bb)
+
 # [v33.2.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.1.1...v33.2.0) (2021-06-18 23:22:21)
 
 ## Global changes

data/docs/plugins.md

@@ -196,6 +196,7 @@ Check the [sample plugin file](../lib/hybrid_platforms_conductor/hpc_plugins/sec
 
 Plugins shipped by default:
 * [`cli`](plugins/secrets_reader/cli.md)
+* [`keepass`](plugins/secrets_reader/keepass.md)
 * [`thycotic`](plugins/secrets_reader/thycotic.md)
 
 <a name="test"></a>

data/docs/plugins/secrets_reader/keepass.md

@@ -0,0 +1,62 @@
+# Secrets reader plugin: `keepass`
+
+The `keepass` secrets reader plugin retrieves secrets from [KeePass](https://keepass.info/) databases, using an actual KeePass installation with the [KPScript plugin](https://keepass.info/plugins.html#kpscript).
+
+It is configured by giving the KPScript command-line (using `use_kpscript_from` config DSL method), the KeePass databases to be read (using `secrets_from_keepass` config DSL method) and uses the `keepass` credential ID to authenticate along with extra environment variables for eventual key files or encrypted passwords.
+
+## Config DSL extension
+
+### `use_kpscript_from`
+
+Provide the KPScript command-line to be used. If KPScript is already in your path, using `KPScript.exe` or `kpscript` should be enough, otherwise the full path to the command-line will be needed. On Windows it is needed to also include double quotes if the path contains spaces (like `"C:\Program Files\KeePass\KPScript.exe"`).
+
+It takes a simple `String` as parameter to get the command line.
+
+Example:
+```ruby
+use_kpscript_from '/path/to/kpscript'
+```
+
+### `secrets_from_keepass`
+
+Define a KeePass database to read secrets from.
+A base group path of the KeePass database can also be specified to only read secrets from this group path.
+
+All entries, attachments and sub-groups from the base group will be read as secrets.
+
+Can be applied to subset of nodes using the [`for_nodes` DSL method](/docs/config_dsl.md#for_nodes).
+
+It takes the following parameters:
+* **database** (`String`): Database file path.
+* **group_path** (`Array<String>`): Group path to extract from [default: `[]`].
+
+Example:
+```ruby
+secrets_from_keepass(
+  database: '/path/to/database.kdbx',
+  group_path: %w[Secrets Automation]
+)
+```
+
+## Used credentials
+
+| Credential | Usage
+| --- | --- |
+| `keepass` | Used to get the password to the database. No need to be set if the database opens without password. |
+
+## Used Metadata
+
+| Metadata | Type | Usage
+| --- | --- | --- |
+
+## Used environment variables
+
+| Variable | Usage
+| --- | --- |
+| `hpc_key_file_for_keepass` | Optional path to the key file needed to open the database |
+| `hpc_password_enc_for_keepass` | Optional encrypted password needed to open the database |
+
+## External tools dependencies
+
+* [KeePass](https://keepass.info/) to open databases.
+* [KPScript KeePass plugin](https://keepass.info/plugins.html#kpscript) to query KeePass API.

data/lib/hybrid_platforms_conductor/cmd_runner.rb

@@ -130,7 +130,7 @@ module HybridPlatformsConductor
               (log_to_stdout ? [@logger_stderr] : []) +
               (file_output.nil? ? [] : [file_output])
           ) do
-            Bundler.with_unbundled_env do
+            Bundler.without_bundled_env do
               cmd_result = TTY::Command.new(
                 printer: :null,
                 pty: true,

data/lib/hybrid_platforms_conductor/config.rb

@@ -47,12 +47,6 @@ module HybridPlatformsConductor
     # Array<Hash,Symbol,Object>
     attr_reader :expected_failures
 
-    # List of retriable errors. Each info has the following properties:
-    # * *nodes_selectors_stack* (Array<Object>): Stack of nodes selectors impacted by those errors
-    # * *errors_on_stdout* (Array<String or Regexp>): List of errors match (as exact string match or using a regexp) to check against stdout
-    # * *errors_on_stderr* (Array<String or Regexp>): List of errors match (as exact string match or using a regexp) to check against stderr
-    attr_reader :retriable_errors
-
     # List of deployment schedules. Each info has the following properties:
     # * *nodes_selectors_stack* (Array<Object>): Stack of nodes selectors impacted by this rule
     # * *schedule* (IceCube::Schedule): The deployment schedule
@@ -81,11 +75,6 @@ module HybridPlatformsConductor
       # * *reason* (String): Reason for this expected failure
       # Array<Hash,Symbol,Object>
       @expected_failures = []
-      # List of retriable errors. Each info has the following properties:
-      # * *nodes_selectors_stack* (Array<Object>): Stack of nodes selectors impacted by those errors
-      # * *errors_on_stdout* (Array<String or Regexp>): List of errors match (as exact string match or using a regexp) to check against stdout
-      # * *errors_on_stderr* (Array<String or Regexp>): List of errors match (as exact string match or using a regexp) to check against stderr
-      @retriable_errors = []
       # List of deployment schedules. Each info has the following properties:
       # * *nodes_selectors_stack* (Array<Object>): Stack of nodes selectors impacted by this rule
       # * *schedule* (IceCube::Schedule): The deployment schedule
@@ -162,30 +151,6 @@ module HybridPlatformsConductor
     end
     expose :expect_tests_to_fail
 
-    # Mark some errors on stdout to be retriable during a deploy
-    #
-    # Parameters::
-    # * *errors* (String, Regexp or Array<String or Regexp>): Single (or list of) errors matching pattern (either as exact string match or using a regexp).
-    def retry_deploy_for_errors_on_stdout(errors)
-      @retriable_errors << {
-        errors_on_stdout: errors.is_a?(Array) ? errors : [errors],
-        nodes_selectors_stack: current_nodes_selectors_stack
-      }
-    end
-    expose :retry_deploy_for_errors_on_stdout
-
-    # Mark some errors on stderr to be retriable during a deploy
-    #
-    # Parameters::
-    # * *errors* (String, Regexp or Array<String or Regexp>): Single (or list of) errors matching pattern (either as exact string match or using a regexp).
-    def retry_deploy_for_errors_on_stderr(errors)
-      @retriable_errors << {
-        errors_on_stderr: errors.is_a?(Array) ? errors : [errors],
-        nodes_selectors_stack: current_nodes_selectors_stack
-      }
-    end
-    expose :retry_deploy_for_errors_on_stderr
-
     # Set a deployment schedule
     #
     # Parameters::

data/lib/hybrid_platforms_conductor/core_extensions/bundler/without_bundled_env.rb

@@ -0,0 +1,54 @@
+# Add a way to clean the current env from Bundler variables
+module Bundler
+
+  class << self
+
+    # Run block with all bundler-related variables removed from the current environment
+    def without_bundled_env(&block)
+      with_env(current_unbundled_env, &block)
+    end
+
+    # @return [Hash] Environment with all bundler-related variables removed
+    def current_unbundled_env
+      env = ENV.clone.to_hash
+      %w[
+        PATH
+        RUBYLIB
+        RUBYOPT
+      ].each do |env_name|
+        if original_env.key?(env_name)
+          env[env_name] = original_env[env_name]
+        else
+          env.delete(env_name)
+        end
+      end
+
+      env['MANPATH'] = env['BUNDLER_ORIG_MANPATH'] if env.key?('BUNDLER_ORIG_MANPATH')
+
+      env.delete_if do |k, _|
+        %w[
+          GEM_
+          BUNDLE_
+          BUNDLER_
+        ].any? { |prefix| k.start_with?(prefix) }
+      end
+
+      if env.key?('RUBYOPT')
+        rubyopt = env['RUBYOPT'].split
+        rubyopt.delete("-r#{File.expand_path('bundler/setup', __dir__)}")
+        rubyopt.delete('-rbundler/setup')
+        env['RUBYOPT'] = rubyopt.join(' ')
+      end
+
+      if env.key?('RUBYLIB')
+        rubylib = env['RUBYLIB'].split(File::PATH_SEPARATOR)
+        rubylib.delete(File.expand_path(__dir__))
+        env['RUBYLIB'] = rubylib.join(File::PATH_SEPARATOR)
+      end
+
+      env
+    end
+
+  end
+
+end

data/lib/hybrid_platforms_conductor/deployer.rb

@@ -9,6 +9,7 @@ require 'hybrid_platforms_conductor/logger_helpers'
 require 'hybrid_platforms_conductor/nodes_handler'
 require 'hybrid_platforms_conductor/services_handler'
 require 'hybrid_platforms_conductor/plugins'
+require 'hybrid_platforms_conductor/safe_merge'
 
 module HybridPlatformsConductor
 
@@ -18,6 +19,12 @@ module HybridPlatformsConductor
     # Extend the Config DSL
     module ConfigDSLExtension
 
+      # List of retriable errors. Each info has the following properties:
+      # * *nodes_selectors_stack* (Array<Object>): Stack of nodes selectors impacted by those errors
+      # * *errors_on_stdout* (Array<String or Regexp>): List of errors match (as exact string match or using a regexp) to check against stdout
+      # * *errors_on_stderr* (Array<String or Regexp>): List of errors match (as exact string match or using a regexp) to check against stderr
+      attr_reader :retriable_errors
+
       # List of log plugins. Each info has the following properties:
       # * *nodes_selectors_stack* (Array<Object>): Stack of nodes selectors impacted by this rule.
       # * *log_plugins* (Array<Symbol>): List of log plugins to be used to store deployment logs.
@@ -36,6 +43,11 @@ module HybridPlatformsConductor
       # Mixin initializer
       def init_deployer_config
         @packaging_timeout_secs = 60
+        # List of retriable errors. Each info has the following properties:
+        # * *nodes_selectors_stack* (Array<Object>): Stack of nodes selectors impacted by those errors
+        # * *errors_on_stdout* (Array<String or Regexp>): List of errors match (as exact string match or using a regexp) to check against stdout
+        # * *errors_on_stderr* (Array<String or Regexp>): List of errors match (as exact string match or using a regexp) to check against stderr
+        @retriable_errors = []
         @deployment_logs = []
         @secrets_readers = []
       end
@@ -48,6 +60,28 @@ module HybridPlatformsConductor
         @packaging_timeout_secs = packaging_timeout_secs
       end
 
+      # Mark some errors on stdout to be retriable during a deploy
+      #
+      # Parameters::
+      # * *errors* (String, Regexp or Array<String or Regexp>): Single (or list of) errors matching pattern (either as exact string match or using a regexp).
+      def retry_deploy_for_errors_on_stdout(errors)
+        @retriable_errors << {
+          errors_on_stdout: errors.is_a?(Array) ? errors : [errors],
+          nodes_selectors_stack: current_nodes_selectors_stack
+        }
+      end
+
+      # Mark some errors on stderr to be retriable during a deploy
+      #
+      # Parameters::
+      # * *errors* (String, Regexp or Array<String or Regexp>): Single (or list of) errors matching pattern (either as exact string match or using a regexp).
+      def retry_deploy_for_errors_on_stderr(errors)
+        @retriable_errors << {
+          errors_on_stderr: errors.is_a?(Array) ? errors : [errors],
+          nodes_selectors_stack: current_nodes_selectors_stack
+        }
+      end
+
       # Set the deployment log plugins to be used
       #
       # Parameters::
@@ -467,34 +501,7 @@ module HybridPlatformsConductor
 
     private
 
-    # Safe-merge 2 hashes.
-    # Safe-merging is done by:
-    # * Merging values that are hashes.
-    # * Reporting errors when values conflict.
-    # When values are conflicting, the initial hash won't modify those conflicting values and will stop the merge.
-    #
-    # Parameters::
-    # * *hash* (Hash): Hash to be modified merging hash_to_merge
-    # * *hash_to_merge* (Hash): Hash to be merged into hash
-    # Result::
-    # * nil or Array<Object>: nil in case of success, or the keys path leading to a conflicting value in case of error
-    def safe_merge(hash, hash_to_merge)
-      conflicting_path = nil
-      hash_to_merge.each do |key, value_to_merge|
-        if hash.key?(key)
-          if hash[key].is_a?(Hash) && value_to_merge.is_a?(Hash)
-            sub_conflicting_path = safe_merge(hash[key], value_to_merge)
-            conflicting_path = [key] + sub_conflicting_path unless sub_conflicting_path.nil?
-          elsif hash[key] != value_to_merge
-            conflicting_path = [key]
-          end
-        else
-          hash[key] = value_to_merge
-        end
-        break unless conflicting_path.nil?
-      end
-      conflicting_path
-    end
+    include SafeMerge
 
     # Get the list of retriable errors a node got from deployment logs.
     # Useful to know if an error is non-deterministic (due to external and temporary factors).

data/lib/hybrid_platforms_conductor/executable.rb

@@ -1,4 +1,6 @@
 require 'English'
+require 'bundler'
+require 'hybrid_platforms_conductor/core_extensions/bundler/without_bundled_env'
 require 'optparse'
 require 'logger'
 require 'hybrid_platforms_conductor/config'

data/lib/hybrid_platforms_conductor/hpc_plugins/platform_handler/serverless_chef.rb

@@ -227,13 +227,14 @@ module HybridPlatformsConductor
         # * Array< Hash<Symbol,Object> >: List of actions to be done
         def actions_to_deploy_on(node, service, use_why_run: true)
           package_dir = "#{@repository_path}/dist/#{@local_env ? 'local' : 'prod'}/#{service}"
+          gems_to_install = []
           # Generate the nodes attributes file
           unless @cmd_runner.dry_run
             FileUtils.mkdir_p "#{package_dir}/nodes"
             File.write("#{package_dir}/nodes/#{node}.json", (known_nodes.include?(node) ? metadata_for(node) : {}).merge(@nodes_handler.metadata_of(node)).to_json)
+            # Get the gems to be installed
+            gems_to_install = JSON.parse(File.read("#{package_dir}/gems.json"))
           end
-          # Get the gems to be installed
-          gems_to_install = JSON.parse(File.read("#{package_dir}/gems.json"))
           client_options = [
             '--local-mode',
             '--chef-license', 'accept',
@@ -262,7 +263,7 @@ module HybridPlatformsConductor
             raise "Missing file #{chef_versions_file} specifying the Chef Infra Client version to be deployed" unless File.exist?(chef_versions_file)
 
             required_chef_client_version = YAML.load_file(chef_versions_file)['client']
-            sudo = (@actions_executor.connector(:ssh).ssh_user == 'root' ? '' : "#{@nodes_handler.sudo_on(node)} ")
+            sudo = (@actions_executor.connector(:ssh).ssh_user == 'root' ? '' : "#{@nodes_handler.sudo_on(node)} -E ")
             [
               {
                 # Install dependencies

data/lib/hybrid_platforms_conductor/hpc_plugins/provisioner/proxmox/reserve_proxmox_container

@@ -34,6 +34,7 @@
 #   * *hpc_password_for_proxmox*: Password to be used to query Proxmox API
 #   * *hpc_realm_for_proxmox*: Realm used to connect to the Proxmox API [default = 'pam']
 
+require 'English'
 require 'json'
 
 reserved_resource = nil

data/lib/hybrid_platforms_conductor/hpc_plugins/secrets_reader/keepass.rb

@@ -0,0 +1,173 @@
+require 'base64'
+require 'nokogiri'
+require 'tempfile'
+require 'keepass_kpscript'
+require 'zlib'
+require 'hybrid_platforms_conductor/credentials'
+require 'hybrid_platforms_conductor/safe_merge'
+require 'hybrid_platforms_conductor/secrets_reader'
+
+module HybridPlatformsConductor
+
+  module HpcPlugins
+
+    module SecretsReader
+
+      # Get secrets from a KeePass database
+      class Keepass < HybridPlatformsConductor::SecretsReader
+
+        include SafeMerge
+
+        # Extend the Config DSL
+        module ConfigDSLExtension
+
+          # List of defined KeePass secrets. Each info has the following properties:
+          # * *nodes_selectors_stack* (Array<Object>): Stack of nodes selectors impacted by this rule.
+          # * *database* (String): Database file path.
+          # * *group_path* (Array<String>): Group path to extract from.
+          # Array< Hash<Symbol, Object> >
+          attr_reader :keepass_secrets
+
+          # String: The KPScript command line
+          attr_reader :kpscript
+
+          # Mixin initializer
+          def init_keepass_config
+            @keepass_secrets = []
+            @kpscript = nil
+          end
+
+          # Set the KPScript command line
+          #
+          # Parameters::
+          # * *cmd* (String): KPScript command line
+          def use_kpscript_from(cmd)
+            @kpscript = cmd
+          end
+
+          # Set a KeePass database configuration
+          #
+          # Parameters::
+          # * *database* (String): Database file path.
+          # * *group_path* (Array<String>): Group path to extract from [default: []].
+          def secrets_from_keepass(database:, group_path: [])
+            @keepass_secrets << {
+              nodes_selectors_stack: current_nodes_selectors_stack,
+              database: database,
+              group_path: group_path
+            }
+          end
+
+        end
+
+        Config.extend_config_dsl_with ConfigDSLExtension, :init_keepass_config
+
+        # Return secrets for a given service to be deployed on a node.
+        # [API] - This method is mandatory
+        # [API] - The following API components are accessible:
+        # * *@config* (Config): Main configuration API.
+        # * *@cmd_runner* (CmdRunner): Command Runner API.
+        # * *@nodes_handler* (NodesHandler): Nodes handler API.
+        #
+        # Parameters::
+        # * *node* (String): Node to be deployed
+        # * *service* (String): Service to be deployed
+        # Result::
+        # * Hash: The secrets
+        def secrets_for(node, service)
+          secrets = {}
+          # As we are dealing with global secrets, cache the reading for performance between nodes and services.
+          # Keep secrets cache grouped by URL/ID
+          @secrets = {} unless defined?(@secrets)
+          @nodes_handler.select_confs_for_node(node, @config.keepass_secrets).each do |keepass_secrets_info|
+            secret_id = "#{keepass_secrets_info[:database]}:#{keepass_secrets_info[:group_path].join('/')}"
+            unless @secrets.key?(secret_id)
+              raise 'Missing KPScript configuration. Please use use_kpscript_from to set it.' if @config.kpscript.nil?
+
+              Credentials.with_credentials_for(:keepass, @logger, @logger_stderr) do |_user, password|
+                Tempfile.create('hpc_keepass') do |xml_file|
+                  key_file = ENV['hpc_key_file_for_keepass']
+                  password_enc = ENV['hpc_password_enc_for_keepass']
+                  keepass_credentials = {}
+                  keepass_credentials[:password] = password if password
+                  keepass_credentials[:password_enc] = password_enc if password_enc
+                  keepass_credentials[:key_file] = key_file if key_file
+                  KeepassKpscript.
+                    use(@config.kpscript, debug: log_debug?).
+                    open(keepass_secrets_info[:database], **keepass_credentials).
+                    export('KeePass XML (2.x)', xml_file.path, group_path: keepass_secrets_info[:group_path].empty? ? nil : keepass_secrets_info[:group_path])
+                  @secrets[secret_id] = parse_xml_secrets(Nokogiri::XML(xml_file).at_xpath('KeePassFile/Root/Group'))
+                end
+              end
+            end
+            conflicting_path = safe_merge(secrets, @secrets[secret_id])
+            raise "Secret set at path #{conflicting_path.join('->')} by #{keepass_secrets_info[:database]}#{keepass_secrets_info[:group_path].empty? ? '' : " from group #{keepass_secrets_info[:group_path].join('/')}"} for service #{service} on node #{node} has conflicting values (#{log_debug? ? "#{@secrets[secret_id].dig(*conflicting_path)} != #{secrets.dig(*conflicting_path)}" : 'set debug for value details'})." unless conflicting_path.nil?
+          end
+          secrets
+        end
+
+        private
+
+        # List of fields to include in the secrets and their corresponding XML name
+        FIELDS = {
+          notes: 'Notes',
+          password: 'Password',
+          url: 'URL',
+          user_name: 'UserName'
+        }
+
+        # Parse XML secrets from a Nokogiri XML group node
+        #
+        # Parameters::
+        # * *group* (Nokogiri::XML::Element): The group to parse
+        # Result::
+        # * Hash: The JSON secrets parsed from this group
+        def parse_xml_secrets(group)
+          # Parse all entries
+          group.xpath('Entry').map do |entry|
+            [
+              entry.at_xpath('String/Key[contains(.,"Title")]/../Value').text,
+              FIELDS.map do |property, field|
+                value = entry.at_xpath("String/Key[contains(.,\"#{field}\")]/../Value")&.text
+                if value.nil? || value.empty?
+                  nil
+                else
+                  [
+                    property.to_s,
+                    value
+                  ]
+                end
+              end.compact.to_h.merge(
+                entry.xpath('Binary').map do |binary|
+                  binary_meta = group.document.at_xpath("KeePassFile/Meta/Binaries/Binary[@ID=#{Integer(binary.xpath('Value').attr('Ref').value)}]")
+                  binary_content = Base64.decode64(binary_meta.text)
+                  if binary_meta.attr('Compressed') == 'True'
+                    gz = Zlib::GzipReader.new(StringIO.new(binary_content))
+                    binary_content = gz.read
+                    gz.close
+                  end
+                  [
+                    binary.xpath('Key').text,
+                    binary_content
+                  ]
+                end.to_h
+              )
+            ]
+          end.to_h.merge(
+            # Add children groups
+            group.xpath('Group').map do |sub_group|
+              [
+                sub_group.at_xpath('Name').text,
+                parse_xml_secrets(sub_group)
+              ]
+            end.to_h
+          )
+        end
+
+      end
+
+    end
+
+  end
+
+end