Esempio n. 1
0
def rotate_password(params, record_uid):
    """ Rotate the password for the specified record UID """

    record_uid = record_uid.strip()

    if not record_uid:
        print('No record UID provided')
        return False

    if not params.record_cache:
        print('No record cache.  Sync down first.')
        return False

    if not record_uid in params.record_cache:
        print('Record UID not found.')
        return False

    # get the record object
    cached_rec = params.record_cache[record_uid]

    # extract data and extra from record
    if 'data' in cached_rec:
        data = json.loads(cached_rec['data'].decode('utf-8')) 
    else: data = {}

    if 'extra' in cached_rec:
        extra = json.loads(cached_rec['extra'].decode('utf-8')) 
    else: extra = {}

    # check for edit permissions
    can_edit = False
    if 'can_edit' in cached_rec:
        if params.debug: print('Edit permissions found in record')
        can_edit = True

    # If record permission not there, check shared folders
    found_shared_folder_uid = ''
    if can_edit == False:
        for shared_folder_uid in params.shared_folder_cache:
            shared_folder = params.shared_folder_cache[shared_folder_uid]
            sf_key = shared_folder['shared_folder_key']
            if 'records' in shared_folder:
                sf_records = shared_folder['records']
                for sf_record in sf_records:
                    if 'record_uid' in sf_record:
                        if sf_record['record_uid'] == record_uid:
                            found_shared_folder_uid = shared_folder_uid
                            if 'can_edit' in sf_record:
                                can_edit = True
                                if params.debug: 
                                    print('Edit permissions found in folder')
                                break

    if not can_edit:
        print('You do not have permissions to edit this record.')
        return False

    if not params.server:
        raise CommunicationError('No server provided')

    if not params.user:
        raise CommunicationError('No username provided')

    # save previous password
    if params.debug: print('Data: ' + str(data))
    if params.debug: print('Extra: ' + str(extra))

    # generate friendly datestamp
    modified_time = int(round(time.time()))
    modified_time_milli = modified_time * 1000 
    datestamp = datetime.datetime.fromtimestamp(
        modified_time).strftime('%Y-%m-%d %H:%M:%S')

    # Backup old password in a custom field
    custom_dict = {}
    custom_dict['name'] = 'cmdr:Rotation @ '+str(datestamp)
    custom_dict['value'] = data['secret2']
    custom_dict['type'] = 'text' 

    # serialize this dict
    serialized = json.dumps(custom_dict)

    # load as json
    custom_dict_json = json.loads(serialized)

    # Append to the current structure
    data['custom'].append(custom_dict_json)
    
    if params.debug: 
        print('Old password: '******'secret2']))

    # load the data into a record object for convenience
    record_object = Record()
    record_object.load(data)

    new_password = generator.generate()

    # generate a new password with any specified rules
    rules = record_object.get("cmdr:rules")
    if rules:
        new_password = generator.generateFromRules(rules)

    # execute rotation plugin associated with this record
    plugin_name = record_object.get("cmdr:plugin")
    if plugin_name:
        print("Rotating with plugin " + str(plugin_name))
        plugin = plugin_manager.get_plugin(plugin_name)
        if plugin:
            success =  plugin.rotate(record_object, new_password)

            if success:
                if params.debug: 
                    print('Password rotation on target system is successful.')
            else:
                print('Password rotation failed')
                return False
        else:
            return False

    # Proceed with Keeper password rotation
    data['secret2'] = new_password 

    if params.debug: 
        print('New password: '******'secret2']))

    if params.debug: 
        print('New record data: ' + str(data))

    # Update the record cache with the cleartext data
    if params.debug: print('data is ' + str(isinstance(data, dict)))
    if params.debug: print('params.record_cache is ' + \
        str(isinstance(params.record_cache, dict)))

    # convert dict back to json then encode it 
    params.record_cache[record_uid]['data'] = json.dumps(data).encode()

    if params.debug: 
        print('New record: ' + str(params.record_cache[record_uid]))
        print('Data: ' + str(data))
        print('Extra: ' + str(extra))

    # Convert the data and extra dictionary to string object
    # with double quotes instead of single quotes
    data_serialized = json.dumps(data)
    extra_serialized = json.dumps(extra)

    if params.debug: print('data_serialized: ' + str(data_serialized))
    if params.debug: print('extra_serialized: ' + str(extra_serialized))

    # encrypt data and extra
    if not 'record_key_unencrypted' in params.record_cache[record_uid]:
        if plugin_name: 
            print('Plugin updated password to: ' + new_password)
        raise CryptoError('No record_key_unencrypted found for ' + record_uid)

    if not 'record_key' in params.record_cache[record_uid]:
        if plugin_name: 
            print('Plugin updated password to: ' + new_password)
        raise CryptoError('No record_key found for ' + record_uid)

    record_key_unencrypted = \
        params.record_cache[record_uid]['record_key_unencrypted']
    iv = os.urandom(16)
    cipher = AES.new(record_key_unencrypted, AES.MODE_CBC, iv)
    encrypted_data = iv + cipher.encrypt(pad(data_serialized))

    iv = os.urandom(16)
    cipher = AES.new(record_key_unencrypted, AES.MODE_CBC, iv)
    encrypted_extra = iv + cipher.encrypt(pad(extra_serialized))

    if params.debug: print('encrypted_data: ' + str(encrypted_data))
    if params.debug: print('encrypted_extra: ' + str(encrypted_extra))

    # note: decode() converts bytestream (b') to string
    encoded_data = base64.urlsafe_b64encode(encrypted_data).decode()
    encoded_extra = base64.urlsafe_b64encode(encrypted_extra).decode()

    if params.debug: print('encoded_data: ' + str(encoded_data))
    if params.debug: print('encoded_extra: ' + str(encoded_extra))

    # build a record object
    new_record = {}
    new_record['record_uid'] = record_uid
    new_record['version'] = 2 
    new_record['data'] = encoded_data
    new_record['extra'] = encoded_extra
    new_record['client_modified_time'] = modified_time_milli
    new_record['revision'] = params.record_cache[record_uid]['revision']
    if found_shared_folder_uid:
        new_record['shared_folder_uid'] = found_shared_folder_uid

    if 'udata' in params.record_cache[record_uid]:
        new_record['udata'] = params.record_cache[record_uid]['udata']
        
    if params.debug: print('new_record: ' + str(new_record))

    # create updated records
    update_records = []
    update_records.append(new_record)

    def make_json(params, update_records):
        return {
               'client_time':current_milli_time(),
               'device_id':'Commander', 
               'device_name':'Commander', 
               'command':'record_update', 
               'update_records':update_records,
               'protocol_version':1, 
               'client_version':CLIENT_VERSION,
               '2fa_token':params.mfa_token,
               '2fa_type':params.mfa_type, 
               'session_token':params.session_token, 
               'username':params.user
        }
        
    if not params.session_token:
        try:
            login(params)
        except:
            if plugin_name: 
                print('Plugin updated password to: ' + new_password)
            raise
            
    payload = make_json(params, update_records)

    if params.debug: print('payload: ' + str(payload))
    
    try:
        r = requests.post(params.server, json=payload)
    except:
        if plugin_name: 
            print('Plugin updated password to: ' + new_password)
        raise CommunicationError(sys.exc_info()[0])

    response_json = r.json()

    if params.debug:
        debug_response(params, payload, r)

    if response_json['result_code'] == 'auth_failed':
        if params.debug: print('Re-authorizing.')

        try:
            login(params)
        except:
            if plugin_name: 
                print('Plugin updated password to: ' + new_password)
            raise

        payload = make_json(params, update_records)

        try:
            r = requests.post(params.server, json=payload)
        except:
            print('Comm error during re-auth')
            if plugin_name: 
                print('Plugin updated password to: ' + new_password)
            raise CommunicationError(sys.exc_info()[0])
    
        response_json = r.json()
    
        if params.debug:
            debug_response(params, payload, r)

    if response_json['result'] == 'success':
        new_revision = 0
        if 'update_records' in response_json:
            for info in response_json['update_records']:
                if info['record_uid'] == record_uid:
                    if info['status'] == 'success':
                        # all records in the transaction get the 
                        # same revision.  this just checks 100% success
                        new_revision = response_json['revision']
             
        if new_revision == 0:
            print('Error: Revision not updated')
            if plugin_name: 
                print('Plugin updated password to: ' + new_password)
            return False

        if new_revision == new_record['revision']:
            print('Error: Revision did not change')
            if plugin_name: 
                print('Plugin updated password to: ' + new_password)
            return False

        print('Rotation successful for record_uid=' + \
            str(new_record['record_uid']) + ', revision=' + \
            str(new_record['revision']), ', new_revision=' + \
            str(new_revision))

        # update local cache
        params.record_cache[record_uid]['revision'] = new_revision

    else :
        if response_json['result_code']:
            if plugin_name: 
                print('Plugin updated password to: ' + new_password)
            raise CommunicationError('Unexpected problem: ' + \
                response_json['result_code'])

    return True