feat(gpg_secretstore): add file locking

plugins/module_utils/gpg_utils.py

@@ -79,7 +79,7 @@ class SecretStore:
         self.gpg = self.__gpg
 
     def __load(self, slug: str) -> str:
-        file = (
+        file = Path(
             (self.password_store_path / (slug + self.file_extension))
             .expanduser()
             .absolute()

plugins/modules/gpg_secretstore.py

@@ -8,6 +8,7 @@ from __future__ import absolute_import, division, print_function
 
 __metaclass__ = type
 
+import hashlib
 import traceback
 
 ANSIBLE_METADATA = {
@@ -24,6 +25,7 @@ author:
     - Lars Kaiser (@lrsksr)
 requirements:
     - PyYAML >= 6.0
+    - filelock >= 3.0.12
     - python >= 3.7
     - python-gnupg >= 0.4.7
 short_description: Save and retrieve secrets from pass compatible files
@@ -174,6 +176,7 @@ from ansible.utils.display import Display
 
 LIB_IMP_ERR = None
 try:
+    from filelock import FileLock
     import gnupg
 
     HAS_LIB = True
@@ -302,6 +305,11 @@ def main():
     recrypt = module.params["recrypt"]
     secret_type = module.params["secret_type"]
 
+    lock = FileLock(
+        (Path("/tmp/") / hashlib.md5(password_slug.encode()).hexdigest()).as_posix()
+    )
+
+    with lock:
         if overwrite or recrypt:
             try:
                 secret = store.get(slug=password_slug, data_type=data_type)
@@ -356,7 +364,9 @@ def main():
                         "msg"
                     ] = "Not a pass-compatible secret database! Couldn't find .gpg-id file."
                 else:
-                result["secret"] = store.get(slug=password_slug, data_type=data_type)
+                    result["secret"] = store.get(
+                        slug=password_slug, data_type=data_type
+                    )
                     result["changed"] = True
                     result["action"] = "add"
             if isinstance(e, PasswordDecodeError):