def __init__(self, is_safe_handler=False, safe_handler_environment=None): self.logger = LogMechanism() self.logger.trace(is_safe_handler, safe_handler_environment, caller_name='__init__') self.is_safe_handler = is_safe_handler self.safe_handler_environment = safe_handler_environment try: self.logger.info('Getting parameters from parameter store') if not is_safe_handler: parameters = aws_services.get_params_from_param_store() environment = parameters.aob_mode else: environment = self.safe_handler_environment if environment == 'Production': self.logger.info(f'{environment} Environment Detected', DEBUG_LEVEL_DEBUG) self.certificate = "/tmp/server.crt" else: self.certificate = False self.logger.info(f'{environment} Environment Detected', DEBUG_LEVEL_DEBUG) except Exception as e: self.logger.error( f'Failed to retrieve aob_mode parameter: {str(e)}') raise Exception( "Error occurred while retrieving aob_mode parameter")
class PvwaIntegration: def __init__(self, is_safe_handler=False, safe_handler_environment=None): self.logger = LogMechanism() self.logger.trace(is_safe_handler, safe_handler_environment, caller_name='__init__') self.is_safe_handler = is_safe_handler self.safe_handler_environment = safe_handler_environment try: self.logger.info('Getting parameters from parameter store') if not is_safe_handler: parameters = aws_services.get_params_from_param_store() environment = parameters.aob_mode else: environment = self.safe_handler_environment if environment == 'Production': self.logger.info(f'{environment} Environment Detected', DEBUG_LEVEL_DEBUG) self.certificate = "/tmp/server.crt" else: self.certificate = False self.logger.info(f'{environment} Environment Detected', DEBUG_LEVEL_DEBUG) except Exception as e: self.logger.error( f'Failed to retrieve aob_mode parameter: {str(e)}') raise Exception( "Error occurred while retrieving aob_mode parameter") def call_rest_api_get(self, url, header): self.logger.trace(url, header, caller_name='call_rest_api_get') self.url = url self.header = header try: self.logger.info( f'Invoking get request url:{url}, header: {header}', DEBUG_LEVEL_DEBUG) rest_response = requests.get(self.url, timeout=30, verify=self.certificate, headers=self.header) except Exception as e: self.logger.error( f"An error occurred on calling PVWA REST service: {str(e)}") return None return rest_response def call_rest_api_delete(self, url, header): self.logger.trace(url, header, caller_name='call_rest_api_delete') self.url = url self.header = header try: self.logger.info( f'Invoking delete request url {url}, header: {header}', DEBUG_LEVEL_DEBUG) response = requests.delete(self.url, timeout=30, verify=self.certificate, headers=self.header) except Exception as e: self.logger.error(f'Failed to Invoke delete request: {str(e)}') return None return response def call_rest_api_post(self, url, request, header): self.logger.trace(url, header, caller_name='call_rest_api_post') self.url = url self.request = request self.header = header try: self.logger.info( f'Invoking post request url: {url} , header: {header}', DEBUG_LEVEL_DEBUG) rest_response = requests.post(self.url, data=self.request, timeout=30, verify=self.certificate, headers=self.header, stream=True) except Exception as e: self.logger.error( f"Error occurred during POST request to PVWA: {str(e)}") return None return rest_response # PvwaIntegration: # performs logon to PVWA and return the session token def logon_pvwa(self, username, password, pvwa_url, connection_session_id): self.logger.trace(pvwa_url, connection_session_id, caller_name='logon_pvwa') self.username = username self.password = password self.pvwa_url = pvwa_url self.connection_session_id = connection_session_id self.logger.info('Logging to PVWA') logon_url = f'{self.pvwa_url}/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon' rest_log_on_data = f""" {{ "username": "******", "password": "******", "connectionNumber": "{self.connection_session_id}" }} """ try: rest_response = self.call_rest_api_post(logon_url, rest_log_on_data, DEFAULT_HEADER) except Exception as e: raise Exception(f"Error occurred on Logon to PVWA: {str(e)}") if not rest_response: self.logger.error("Connection to PVWA reached timeout") raise Exception("Connection to PVWA reached timeout") if rest_response.status_code == requests.codes.ok: json_parsed_response = rest_response.json() self.logger.info("User authenticated") return json_parsed_response['CyberArkLogonResult'] self.logger.error( f"Authentication failed with response:\n{rest_response}") raise Exception("PVWA authentication failed") def logoff_pvwa(self, pvwa_url, connection_session_token): self.logger.trace(pvwa_url, connection_session_token, caller_name='logoff_pvwa') self.pvwa_url = pvwa_url self.connection_session_token = connection_session_token self.logger.info('Logging off from PVWA') header = DEFAULT_HEADER header.update({"Authorization": self.connection_session_token}) log_off_url = f'{self.pvwa_url}/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logoff' rest_log_off_data = "" try: rest_response = self.call_rest_api_post(log_off_url, rest_log_off_data, header) except Exception: return if rest_response.status_code == requests.codes.ok: json_parsed_response = rest_response.json() self.logger.info("session logged off successfully") return True self.logger.error("Logoff failed") return False
import subprocess import sys import rsa import base64 from log_mechanism import LogMechanism DEBUG_LEVEL_DEBUG = 'debug' # Outputs all information logger = LogMechanism() def save_key_pair(pemKey): # Save pem to file logger.trace(caller_name='save_key_pair') logger.info('Saving key pair to file') savePemToFileCommand = 'echo {0} > /tmp/pemValue.pem'.format(pemKey) subprocess.call([savePemToFileCommand], shell=True) subprocess.call(["chmod 777 /tmp/pemValue.pem"], shell=True) def decrypt_password(instance_password_data): logger.trace(caller_name='decrypt_password') passwd = base64.b64decode(instance_password_data) with open("/tmp/pemValue.pem", 'r') as f: private = rsa.PrivateKey.load_pkcs1(f.read()) decrypted_password = rsa.decrypt(passwd, private).decode("utf-8") return decrypted_password