nexpose_cyberark 0.0.4-java → 0.0.5-java

checksums.yaml

@@ -1,7 +1,15 @@
 ---
-SHA1:
-  metadata.gz: 31488ff05e81489acc3af0ac332479ca64cc3331
-  data.tar.gz: dd1b49654a42402cf6bd5e20a3033fc5645804e4
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    MDIzMGQ4MWQxMmJhYTEwYWUyNjI2OGNjMWE5ZDllMmViZjhhMTg1Yg==
+  data.tar.gz: !binary |-
+    ZDBiNTUzMWNkOGI4OTIyOWQ4Njk2YzRmZGVjOWVkMThhNGQzNzUzNg==
 SHA512:
-  metadata.gz: 5b8c5b52afc4cd3d4a245adad43da70438bc66edfae16bed1f71f5e068ad2b0b74e9de6ce9715ebdc380cd332b98bbbf050a923bf4f6a36899641faace656a9f
-  data.tar.gz: 30e9aea26b744e948f38c2612f0c4cfc4797de9e8cc0f2e28a8adc3765b24c5c12e11c75a6dbff67012a2a8941ea78d7cd7fb7f6dda4fdcd7cf2471c0bbf1f7b
+  metadata.gz: !binary |-
+    NTlkNTI2MTdlOWUyZDdmZjg3NWE3YjQ2OThhZDVlZjA0M2ViMDNiMmVhODQz
+    M2ZkYWU3NWI2M2JiMmZmNmQ4YzFjNDc1ZDQyNDkyYjM4N2Y3M2I0YTZlOGUz
+    M2ExYmFiZDJlMTQ0YTQ4MjAzMzViZjEzNmNmYzE3NzU3OGM1YmY=
+  data.tar.gz: !binary |-
+    ZTA1NmVmOTc4Y2RhZWVlZTcxODQ1MzA3ODE3MDBjNjc4NzUwODM0N2Q5ZmY1
+    NjhjOWEyMjA5ODBmZWU4ZjM2ZDMxMmE1ZjdiY2VkNWE3NzZjNDllZmU1NjVl
+    MDY2NDczZDYxNjYxNDM2MTljYjk4MDM2ZDczOTQwYzU1YjU3ZDA=

data/bin/nx_cyberark.rb

@@ -3,43 +3,40 @@
 # Please refer to the configuration documentation for instructions on how to run this gem
 # Do NOT run this gem without proper pre-configuration.
 require 'nexpose_cyberark'
+require 'nexpose_cyberark/version'
+require 'nexpose_cyberark/nx_logger'
+require 'yaml'
 
-# ---- CyberArk Configuration ---- #
-# Vault Options
-# App ID
-app_id = ''
-# Safe
-safe = ''
-# Folder
-folder = ''
-# Objects should have the same name as their counterparts in Nexpose
-#  IE: 'serverx01.mydomain.com' in both Cyberark and Nexpose.
-#  Individual IP's will be queried and should also correspond to Object names.
-#  For ranges, this integration will use the first IP as the credential for all the range.
-#  Finally, PolicyIDs in Cyberark should have 'unix' or 'windows' as part of their name for proper credential
-#     type assignment in Nexpose (ssh / cifs)
-# ---- End CyberArk Configuration ---- #
+CONFIG_PATH =  File.join(File.dirname(__FILE__), '../lib/nexpose_cyberark/config/nexpose_cyberark.config')
 
-# ---- Nexpose Configuration ---- #
-# Nexpose username
-nxuser = 'nxadmin'
-# Nexpose password
-nxpasswd = 'nxadmin'
-# Nexpose IP Address
-nxip = 'localhost'
-# Sites to process credentials, separated by commas, ie: [3, 4, 6]
-sites = [ 1 ]
-# Start scans?
-# This setting will start scans on those sites, wait for the site to complete and then remove the credentials
-# If you prefer to let the scans run on schedule, set this to false, otherwise set to true.
-start_scans = false
-# ---- End Nexpose Configuration ---- #
+# Obtain Nexpose settings from Environment Variables.
+configuration_settings = begin
+  YAML.load_file(CONFIG_PATH)
+rescue ArgumentError => e
+  raise "Could not parse YAML #{CONFIG_PATH} : #{e.message}"
+end
+
+raise 'Must configure nexpose settings before starting' if ENV['NEXPOSE_URL'].nil? || ENV['NEXPOSE_USERNAME'].nil? || ENV['NEXPOSE_PASSWORD'].nil?
+configuration_settings[:nexpose_address] = ENV['NEXPOSE_URL']
+configuration_settings[:nexpose_port] = ENV['NEXPOSE_PORT']
+configuration_settings[:nexpose_username] = ENV['NEXPOSE_USERNAME']
+configuration_settings[:nexpose_password] = ENV['NEXPOSE_PASSWORD']
 
 
 
 # --- DO NOT EDIT BELOW THIS LINE --- #
 
-vault_options = { :app_id => app_id, :safe => safe, :folder => folder }
-nexpose_options = { :nxip => nxip, :nxuser => nxuser, :nxpassword => nxpasswd, :sites => sites }
+vault_options = { :app_id => configuration_settings[:ca_options][:app_id], :safe => configuration_settings[:ca_options][:safe], :folder => configuration_settings[:ca_options][:folder] }
+nexpose_options = { :nxip => configuration_settings[:nexpose_address],
+                    :nxport => configuration_settings[:nexpose_port],
+                    :nxuser => configuration_settings[:nexpose_username],
+                    :nxpassword => configuration_settings[:nexpose_password],
+                    :sites => configuration_settings[:ca_options][:sites],
+                    :windows_policy_ids => configuration_settings[:ca_options][:windows_policy_ids],
+                    :unix_policy_ids => configuration_settings[:ca_options][:unix_policy_ids],
+                    :logging => configuration_settings[:ca_options][:logging],
+                    :log_level => configuration_settings[:ca_options][:log_level]}
 NexposeCyberark::Vault.update_credentials(vault_options, nexpose_options)
-NexposeCyberark::Vault.start_scans(nexpose_options) if start_scans
+NexposeCyberark::Vault.start_scans(nexpose_options) if configuration_settings[:ca_options][:start_scans].casecmp('y') == 0
+log = NexposeCyberark::NxLogger.instance
+log.log_message('Importing credentials complete. Exiting...')

data/lib/nexpose_cyberark.rb

@@ -1,49 +1,195 @@
-require "nexpose_cyberark/version"
 Dir[File.dirname(__FILE__)+'/nexpose_cyberark/lib/java/*.jar'].each { |jar| require jar }
-require "nexpose_cyberark/password_ops"
-require "nexpose_cyberark/nexpose_ops"
+require 'nexpose_cyberark/password_ops'
+require 'nexpose_cyberark/nexpose_ops'
+require 'nexpose_cyberark/version'
+require 'waitutil'
+require 'Resolv'
+
 module NexposeCyberark
   module Vault
+
     def self.update_credentials(vault_options, nexpose_options = nil)
-      @nx = Ops::Nexpose.new(nexpose_options[:nxip], nexpose_options[:nxuser], nexpose_options[:nxpassword])
+      #Setup logger
+      @log = NexposeCyberark::NxLogger.instance
+      @log.setup_logging(nexpose_options[:logging] || true, nexpose_options[:log_level] || 'info')
+      @log.setup_statistics_collection(NexposeCyberark::VENDOR, NexposeCyberark::PRODUCT_NAME, NexposeCyberark::VERSION)
+
+      @nx = Ops::Nexpose.new(nexpose_options[:nxip], nexpose_options[:nxport], nexpose_options[:nxuser], nexpose_options[:nxpassword])
+      @log.log_message('Connection to the Nexpose console complete!')
+
       # Parse sites from config
       nexpose_options[:sites].each do |site_id|
-        # Get ips for each site
-        site_ips = @nx.get_ips_from_site(site_id)
+        # Get included scan targets
+        site_scan_target_addresses = @nx.get_site_scan_target_addresses(site_id)
+
+
+        # We now have all Nexpose scan targets. Defined scan targets can be IP/Host where
+        # devices that have been scanned before will be an IP. Get the scan targets & subtract
+        # the defined devices to produce a list of new devices to be scanned.
+
+        # Nexpose site credentials expect the credential to match the scan target which may not be the IP.
+        site_devices = @nx.get_site_devices(site_id)
+
+        all_asset_details = []
+        site_devices.each { |device|
+          # Start by getting all the details we have on current devices
+          asset = @nx.load_asset(device.id)
+          asset_details= {}
+          asset_details[:address] = device.address
+          asset_details[:host_names] = asset.host_names
+          asset_details[:os_name] = [asset.os_name]
+
+
+          # Next subtract the defined assets from the defined scan targets to get devices never scanned before.
+          # Also monitor the deleted identifier. We need to remember this to sync the credential to the site for scanning.
+          scan_target_idq = site_scan_target_addresses.delete(device.address)
+          asset_details[:scan_target_idq] = scan_target_idq unless scan_target_idq.nil?
+          asset.host_names.each do |host_name|
+            scan_target_idq = site_scan_target_addresses.delete(host_name)
+            asset_details[:scan_target_idq] = scan_target_idq unless scan_target_idq.nil?
+          end unless asset.host_names.nil?
+          # Handle the case that a device may have been scanned before but is no longer in the scan target list.
+          # in this case we do not add it to the list of assets to import credentials for (think old sites with many inactive devices)
+          # asset_details[:scan_target_idq] = asset_details[:address] if asset_details[:scan_target_idq].nil?
+          if asset_details[:scan_target_idq].nil?
+            @log.log_warn_message("Found a site device not in the scan target list. Not fetching credentials for address <#{asset_details[:address]}>")
+          else
+            all_asset_details << asset_details
+          end
+        }
+
+        #Start by trying to get credentials for defined assets.
+        @log.log_message('Starting to query CyberArk for defined asset credentials...')
         site_credentials = []
-        # Get password for each IP
-        site_ips.each do |asset|
-          host = ''
-          host = asset.host if asset.is_a?(HostName)
-          host = asset.from if asset.is_a?(IPRange)
-          range_scenario = false
-          if asset.is_a?(IPRange) then range_scenario = true  unless asset.from.nil? end
-          vault_options[:object] = host
-          asset_data = PasswordOps::get_password(vault_options)
-          host = nil if range_scenario
-          unless asset_data[:password].nil?
-            asset_data[:os] == 'cifs' ? user = 'Administrator' : user = 'root'
-            credential = Credential.for_service(asset_data[:os], user, asset_data, nil, host)
+        credential_data = nil
+        all_asset_details.each do |asset_details|
+          #The address stored in the vault could be any of the values we have.. so try and find it!
+          vault_options[:address] = asset_details[:address]
+          vault_options[:nexpose_os] = asset_details[:os_name]
+          credential_data = PasswordOps::get_password(nexpose_options, vault_options)
+
+          if credential_data.empty?
+            @log.log_debug_message("Failed to fetch credential for IP <#{asset_details[:address]}>")
+            # No credential for the IP. Let's check if Nexpose has any hostnames and if these match credentials
+            # within CyberArk. If they do not then try and resolve one from the IP.
+            if asset_details[:host_names].nil?
+              asset_details[:host_names] = resolve_address(asset_details[:address])
+            end
+
+            @log.log_debug_message("Trying to fetch credentials for resolved addresses <#{asset_details[:address]}> instead...")
+
+            asset_details[:host_names].each do |hostname|
+              vault_options[:address] = hostname
+              vault_options[:nexpose_os] = asset_details[:os_name]
+              credential_data = PasswordOps::get_password(nexpose_options, vault_options)
+              break unless credential_data.empty?
+            end
+          end
+
+          if credential_data.empty?
+            @log.log_error_message("Failed to get credential for asset with IP <#{asset_details[:address]}> and names <#{asset_details[:host_names]}>. Please check configuration!!!")
+          else
+            credential = @nx.credential_for_service(asset_details[:scan_target_idq], nil, "Automated import for Nexpose scan target <#{asset_details[:scan_target_idq]}> and CyberArk credential <#{vault_options[:address]}>", asset_details[:scan_target_idq], nil, credential_data[:service])
+            credential.user_name = credential_data[:user]
+            credential.password = credential_data[:password]
+            # Only Linux SUDO support currently
+            credential.permission_elevation_user = credential_data[:p_e_user] unless credential_data[:p_e_user].nil?
+            credential.permission_elevation_password = credential_data[:password] unless credential_data[:password].nil?
+            credential.permission_elevation_type = credential_data[:p_e_type]
             site_credentials.push(credential)
           end
         end
+
+        @log.log_message('Starting to query CyberArk for new scan target credentials...')
+
+        # Now let's deal with assets that have never been scanned.
+        # These are more difficult as we only have the scan target address (whatever that may be).
+        site_scan_target_addresses.each do |address|
+          vault_options[:address] = address
+          credential_data = PasswordOps::get_password(nexpose_options, vault_options)
+
+          if credential_data.empty?
+            @log.log_debug_message("Failed to fetch credential for IP <#{address}>")
+            other_addresses = resolve_address(address)
+            @log.log_debug_message("Trying to fetch credentials for resolved addresses <#{other_addresses}> instead...")
+            other_addresses.each do |other_address|
+              vault_options[:address] = other_address
+              credential_data = PasswordOps::get_password(nexpose_options, vault_options)
+              break unless credential_data.empty?
+            end
+          end
+
+          if credential_data.empty?
+            @log.log_error_message("Failed to get credential for asset with IP <#{address}> and names <#{other_addresses}>. Please check configuration!!!")
+          else
+              credential = @nx.credential_for_service(address, nil, "Automated import for Nexpose scan target <#{address}> and CyberArk credential <#{vault_options[:address]}>",address, nil, credential_data[:service])
+              credential.user_name = credential_data[:user]
+              credential.password = credential_data[:password]
+              #Only Linux SUDO support currently
+              credential.permission_elevation_user = credential_data[:p_e_user] unless credential_data[:p_e_user].nil?
+              credential.permission_elevation_password = credential_data[:password] unless credential_data[:password].nil?
+              credential.permission_elevation_type = credential_data[:p_e_type]
+              site_credentials.push(credential)
+            end
+        end
+        @log.log_message("Saving credentials for site <#{site_id}>. Number of credentials to be saved <#{site_credentials.size}>.")
         # Save site
         @nx.save_site(site_id, site_credentials)
       end
     end
+
     def self.start_scans(nexpose_options = nil)
-      @nx = Ops::Nexpose.new(nexpose_options[:nxip], nexpose_options[:nxuser], nexpose_options[:nxpassword])
+      @nx = Ops::Nexpose.new(nexpose_options[:nxip], nexpose_options[:nxport], nexpose_options[:nxuser], nexpose_options[:nxpassword])
+      all_site_scan_details = []
       nexpose_options[:sites].each do |site_id|
-        puts "Starting scan #{site_id}"
         scan = @nx.start_scan(site_id)
-        begin
-          sleep(30)
-          status = @nx.scan_status(scan.id)
-          puts "Waiting for scan #{scan.id} to finish"
-        end while status == Scan::Status::RUNNING
-        puts "Deleting creds for #{site_id}"
-        @nx.delete_site_credentials(site_id)
+        if scan.nil?
+          @log.log_error_message("Failed to start scan for site <#{site_id}>!")
+          next
+        end
+        @log.log_message("Started scan for site <#{site_id}>. Scan ID is <#{scan.id}>.")
+        site_scan_details = {}
+        site_scan_details[:site_id] = site_id
+        site_scan_details[:scan_id] = scan.id
+        all_site_scan_details << site_scan_details
+      end
+
+      WaitUtil.wait_for_condition('wait_for_all_scans_to_finish', :timeout_sec => 10800, :delay_sec => 60) do
+        @completed = false
+        all_site_scan_details.delete_if do |site_scan_details|
+          status = @nx.scan_status(site_scan_details[:scan_id])
+          @log.log_debug_message("Scan status for scan ID <#{site_scan_details[:scan_id]}> is <#{status}>.")
+          if status == Scan::Status::RUNNING
+            @log.log_debug_message("Waiting for scan <#{site_scan_details[:scan_id]}> for site <#{site_scan_details[:site_id]}> to finish.")
+            false
+          else
+            @log.log_message("Scan <#{site_scan_details[:scan_id]}> for site <#{site_scan_details[:scan_id]}> finished. Removing credentials")
+            @nx.delete_site_credentials(site_scan_details[:site_id])
+            true
+          end
+        end
+        @completed = true if all_site_scan_details.empty?
+      end
+    end
+
+    def self.resolve_address(address)
+      is_ip = !!((address =~ Resolv::IPv4::Regex) || (address =~ Resolv::IPv6::Regex))
+      resolved_addresses = []
+      @log.log_debug_message("Resolving address <#{address}>.")
+      begin
+        if is_ip
+          resolved_addresses = Resolv.getnames address
+          @log.log_debug_message("Address <#{address}> is an IP. Resolved names are <#{resolved_addresses}>.")
+        else
+          resolved_addresses = Resolv.getaddress address
+          @log.log_debug_message("Address <#{address}> is a name. Resolved IPs are <#{resolved_addresses}>.")
+        end
+        resolved_addresses = [resolved_addresses] unless resolved_addresses.kind_of?(Array)
+      rescue Resolv::ResolvError => e
+        @log.log_error_message("Unable to resolve address <#{address}>. Error was <#{e}>")
       end
+      return resolved_addresses
     end
+
   end
 end

data/lib/nexpose_cyberark/config/nexpose_cyberark.config

@@ -0,0 +1,30 @@
+---
+# This configuration file defines all the particular options necessary to run the service.
+# Fields marked (M) are mandatory.
+#
+# Service options:
+:ca_options:
+  # Vault Options
+  # App ID
+  :app_id: my_app_id
+  # Safe
+  :safe: my_safe
+  # Folder
+  :folder: my_folder
+  # This setting will start scans on those sites, wait for the site to complete and then remove the credentials
+  # If you prefer to let the scans run on schedule, set this to 'N', otherwise set to 'Y'.
+  :start_scans: 'Y'
+  # CyberArk policy IDs that apply to assets that will require a CIFS connection for authenticated scanning
+  :windows_policy_ids:
+    - 'WinServerLocal'
+  # CyberArk policy IDs that apply to assets that will require an SSH connection for authenticated scanning
+  :unix_policy_ids:
+    - 'UnixSSH'
+  # Nexpose sites to import CyberArk credentials for.
+  :sites:
+  - '1'
+#  - '2'
+  # Enable or disable logging ('N' or 'Y'.)
+  :logging: 'Y'
+  #Support version are 'info' and 'debug'
+  :log_level: 'info'

data/lib/nexpose_cyberark/nexpose_ops.rb

@@ -1,37 +1,100 @@
 require 'nexpose'
 include Nexpose
+
 module Ops
   class Nexpose
     attr_accessor :nsc
-    def initialize(nxip, nxuser, nxpasword)
+    def initialize(nxip, nxport, nxuser, nxpasword)
+      @log = NexposeCyberark::NxLogger.instance
+      @log.log_message('Connecting to the Nexpose console..')
       @nsc = Connection.new(nxip, nxuser, nxpasword)
       @nsc.login
+      @log.on_connect(nxip, nxport, @nsc.session_id, '{}')
     end
 
-    def get_ips_from_site(site_id)
+    def get_site_scan_targets(site_id)
+      @log.log_debug_message("Fetching list of scan targets for site <#{site_id}> from console")
       site = Site.load(@nsc, site_id)
-      site.assets
+      site.included_addresses
+    end
+
+    def get_site_scan_target_addresses(site_id)
+      @log.log_debug_message("Fetching list of scan targets addresses for site <#{site_id}>")
+      site_scan_targets = get_site_scan_targets(site_id)
+      @log.log_message('Console returned scan targets!')
+
+      site_scan_target_addresses = []
+      #Convert this to a list of only addresses
+      site_scan_targets.each do |scan_target|
+        host = scan_target.host if scan_target.is_a?(HostName)
+        host = scan_target.from if scan_target.is_a?(IPRange)
+
+        range_scenario = false
+        range_scenario = true if scan_target.is_a?(IPRange)
+
+        if range_scenario
+            start_ip = IPAddr.new(scan_target.from)
+            end_ip = IPAddr.new(scan_target.to) unless scan_target.to.nil?
+            end_ip = IPAddr.new(scan_target.from) if scan_target.to.nil?
+            site_scan_target_addresses.concat (start_ip..end_ip).map(&:to_s)
+        else
+            site_scan_target_addresses << host
+        end
+      end
+      @log.log_debug_message('Processed scan targets. Returning addresses.')
+      return site_scan_target_addresses
+    end
+
+    def get_site_devices(site_id)
+      @log.log_debug_message("Fetching list of devices for site <#{site_id}>")
+      @nsc.list_site_devices(site_id)
+    end
+
+    def load_asset(device_id)
+      @log.log_debug_message("Fetching asset details for asset <#{device_id}>")
+      Asset.load(@nsc, device_id)
+    end
+
+    def credential_for_service(address, id, description, host, port, service)
+      @log.log_debug_message("Generating credential for address <#{address}>")
+      SiteCredentials.for_service(address, id, description, host, port, service)
     end
 
     def save_site(site_id, credentials)
+      @log.log_debug_message("Saving <#{credentials.size}> credentials for site <#{site_id}>")
       site = Site.load(@nsc, site_id)
-      site.credentials = credentials
+      site.site_credentials = credentials
       site.save(@nsc)
     end
 
     def delete_site_credentials(site_id)
+      @log.log_debug_message("Deleting existing credentials for site <#{site_id}>")
       site = Site.load(@nsc, site_id)
-      site.credentials = []
+      site.site_credentials.clear
       site.save(@nsc)
     end
 
+    def load_site(site_id)
+      @log.log_debug_message("Fetching details for site <#{site_id}>")
+      Site.load(@nsc, site_id)
+    end
+
     def start_scan(site_id)
-      site = Site.load(@nsc, site_id)
-      site.scan(@nsc)
+      @log.log_debug_message("Starting for site <#{site_id}>")
+      scan_details = nil
+      begin
+        site = load_site(site_id)
+        scan_details = site.scan(@nsc)
+      rescue Exception => e
+        @log.log_error_message("Failed to start scan for site <#{site_id}>. Error is <#{e}>")
+      end
+      scan_details
     end
 
     def scan_status(scan_id)
-      @nsc.scan_status(scan_id)
+      status = @nsc.scan_status(scan_id)
+      @log.log_debug_message("Scan status for scan ID <#{scan_id}> is <#{status}>.")
+      status
     end
   end
 end

data/lib/nexpose_cyberark/nx_logger.rb

@@ -0,0 +1,150 @@
+require 'fileutils'
+require 'json'
+require 'net/http'
+require 'singleton'
+
+module NexposeCyberark
+  class NxLogger
+    include Singleton
+    attr_accessor :options, :statistic_key, :product, :logger_file
+    LOG_PATH = "./logs/rapid7_%s.log"
+    KEY_FORMAT = "external.integration.%s"
+    PRODUCT_FORMAT = "%s_%s"
+
+    DEFAULT_LOG = 'integration'
+    PRODUCT_RANGE = 3..30
+    KEY_RANGE = 3..15
+
+    ENDPOINT = '/data/external/statistic/'
+
+    def initialize()
+      @logger_file = get_log_path product
+      setup_logging(true, 'info')
+    end
+
+    def setup_statistics_collection(vendor, product_name, gem_version)
+      #Remove illegal characters
+      vendor.to_s.gsub!('-', '_')
+      product_name.to_s.gsub!('-', '_')
+
+      begin
+        @statistic_key = get_statistic_key vendor
+        @product = get_product product_name, gem_version
+      rescue => e
+        #Continue
+      end
+    end
+
+    def setup_logging(enabled, log_level = nil)
+      unless enabled || @log.nil?
+        log_message('Logging disabled.')
+        return
+      end
+
+      @logger_file = get_log_path product
+
+      require 'logger'
+      directory = File.dirname(@logger_file)
+      FileUtils.mkdir_p(directory) unless File.directory?(directory)
+      io = IO.for_fd(IO.sysopen(@logger_file, 'a'))
+      io.autoclose = false
+      io.sync = true
+      @log = Logger.new(io, 'weekly')
+      @log.level = if log_level.casecmp('info') == 0
+                     Logger::INFO
+                   else
+                     Logger::DEBUG
+                   end
+      log_message("Logging enabled at level <#{log_level}>")
+    end
+
+    # Logs an info message
+    def log_message(message)
+      @log.info(message) unless @log.nil?
+    end
+
+    # Logs a debug message
+    def log_debug_message(message)
+      @log.debug(message) unless @log.nil?
+    end
+
+    # Logs an error message
+    def log_error_message(message)
+      @log.error(message) unless @log.nil?
+    end
+
+    # Logs a warn message
+    def log_warn_message(message)
+      @log.warn(message) unless @log.nil?
+    end
+
+    def log_stat_message(message)
+    end
+
+    def get_log_path(product)
+      product.downcase! unless product.nil?
+      File.join(File.dirname(__FILE__), LOG_PATH % (product || DEFAULT_LOG))
+    end
+
+    def get_statistic_key(vendor)
+      if vendor.nil? || vendor.length < KEY_RANGE.min
+        log_stat_message("Vendor length is below minimum of <#{KEY_RANGE}>")
+        return nil
+      end
+
+      KEY_FORMAT % vendor[0...KEY_RANGE.max].downcase
+    end
+
+    def get_product(product, version)
+      return nil if (product.nil? || version.nil?)
+      product = (PRODUCT_FORMAT % [product, version])[0...PRODUCT_RANGE.max]
+
+      if product.length < PRODUCT_RANGE.min
+        log_stat_message("Product length below minimum <#{PRODUCT_RANGE.min}>.")
+        return nil
+      end
+      product.downcase
+    end
+
+    def generate_payload(statistic_value='')
+      payload = {'statistic-key' => @statistic_key,
+                 'statistic-value' => statistic_value,
+                 'product' => @product}
+      JSON.generate(payload)
+    end
+
+    def send(nexpose_address, nexpose_port, session_id, payload)
+      header = {'Content-Type' => 'application/json',
+                'nexposeCCSessionID' => session_id,
+                'Cookie' => "nexposeCCSessionID=#{session_id}"}
+      req = Net::HTTP::Put.new(ENDPOINT, header)
+      req.body = payload
+      http_instance = Net::HTTP.new(nexpose_address, nexpose_port)
+      http_instance.use_ssl = true
+      http_instance.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      response = http_instance.start { |http| http.request(req) }
+      log_stat_message "Received code #{response.code} from Nexpose console."
+      log_stat_message "Received message #{response.msg} from Nexpose console."
+      log_stat_message 'Finished sending statistics data to Nexpose.'
+      response.code
+    end
+
+    def on_connect(nexpose_address, nexpose_port, session_id, value)
+      log_stat_message 'Sending statistics data to Nexpose'
+
+      if @product.nil? || @statistic_key.nil?
+        log_stat_message('Invalid product name and/or statistics key.')
+        log_stat_message('Statistics collection not enabled.')
+        return
+      end
+
+      begin
+        payload = generate_payload value
+        send(nexpose_address, nexpose_port, session_id, payload)
+      rescue => e
+        #Let the program continue
+      end
+    end
+
+  end
+end

data/lib/nexpose_cyberark/password_ops.rb

@@ -1,28 +1,47 @@
 module PasswordOps
-
+  require 'nexpose'
+  include Nexpose
   def self.cyberark
     Java::javapasswordsdk
   end
 
-  def self.get_password(vault_options = {}, password_req_sdk = nil, password_sdk = nil )
+  def self.get_password(nexpose_options = {}, vault_options = {}, password_req_sdk = nil, password_sdk = nil )
+    @log = NexposeCyberark::NxLogger.instance
     password_req_sdk = cyberark.PSDKPasswordRequest.new if password_req_sdk.nil?
     asset_data = {}
     begin
       password_req_sdk.set_app_id(vault_options[:app_id])
       password_req_sdk.set_safe(vault_options[:safe])
       password_req_sdk.set_folder(vault_options[:folder])
-      password_req_sdk.set_object(vault_options[:object])
+      password_req_sdk.set_address(vault_options[:address])
       password_sdk = cyberark.PasswordSDK if password_sdk.nil?
       password_result = password_sdk.getPassword(password_req_sdk)
-      if password_result.get_policy_id.downcase.include? 'unix'
-        #puts password_result.get_policy_id.downcase.include? 'unix'
-        asset_data[:os] = 'ssh'
+      if nexpose_options[:windows_policy_ids].any?{ |policy| policy.casecmp(password_result.get_policy_id)==0 }
+        if nexpose_options[:unix_policy_ids].any?{ |policy| policy.casecmp(password_result.get_policy_id)==0 }
+          # Has both Windows and Unix policies. Check Nexpose to see if we have an OS listing
+          @log.log_error_message("Asset with credential address <#{vault_options[:address]}> has a conflicting policy configuration! Checking Nexpose fingerprint.. ")
+          if vault_options[:nexpose_os].downcase.include? 'windows'
+            @log.log_debug_message('Nexpose fingerprinting estimates the system is Windows.')
+            asset_data[:service] = Credential::Service::CIFS
+          else
+            @log.log_debug_message('Nexpose fingerprinting estimates the system is Unix based.')
+            asset_data[:service] = Credential::Service::SSH
+            asset_data[:p_e_user] = 'root'
+            asset_data[:p_e_type] = Nexpose::Credential::ElevationType::SUDO
+          end
+        end
+          @log.log_debug_message('Policy ID indicates the system is Windows based.')
+          asset_data[:service] = Credential::Service::CIFS
       else
-        asset_data[:os] = 'cifs'
+        @log.log_debug_message('Policy ID indicates the system is Unix based.')
+        asset_data[:service] = Credential::Service::SSH
+        asset_data[:p_e_user] = 'root'
+        asset_data[:p_e_type] = Nexpose::Credential::ElevationType::SUDO
       end
       asset_data[:password] = password_result.get_content
+      asset_data[:user] = password_result.get_user_name
     rescue Exception => e
-
+      @log.log_debug_message("Error fetching credential for address <#{vault_options[:address]}>. Error was <#{e}>")
     end
     asset_data
   end

data/lib/nexpose_cyberark/version.rb

@@ -1,3 +1,5 @@
 module NexposeCyberark
-  VERSION = "0.0.4"
+  VERSION = "0.0.5"
+  VENDOR = "Cyberark"
+  PRODUCT_NAME = "nexpose_cyberark"
 end

metadata

@@ -1,93 +1,107 @@
 --- !ruby/object:Gem::Specification
 name: nexpose_cyberark
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
 platform: java
 authors:
 - Damian Finol
+- JJ Cassidy
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-14 00:00:00.000000000 Z
+date: 2015-12-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '1.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '1.6'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '10.4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '10.4'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '2.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '2.1'
 - !ruby/object:Gem::Dependency
   name: nexpose
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: waitutil
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '0.2'
 description: Nexpose Cyberark integration provides credentials for authenticated scans
   in Nexpose.
 email:
-- damian_finol@rapid7.com
+- integrations_support@rapid7.com
 executables:
 - nx_cyberark.rb
 extensions: []
 extra_rdoc_files: []
 files:
 - Gemfile
-- Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile
 - bin/nx_cyberark.rb
 - lib/nexpose_cyberark.rb
+- lib/nexpose_cyberark/config/nexpose_cyberark.config
 - lib/nexpose_cyberark/lib/java/JavaPasswordSDK.jar
 - lib/nexpose_cyberark/nexpose_ops.rb
+- lib/nexpose_cyberark/nx_logger.rb
 - lib/nexpose_cyberark/password_ops.rb
 - lib/nexpose_cyberark/version.rb
-- nexpose_cyberark-0.0.3-java.gem
-- nexpose_cyberark.gemspec
 homepage: http://www.rapid7.com/
 licenses:
 - MIT
@@ -98,17 +112,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.4
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Nexpose Cyberark integration.

data/Gemfile.lock

@@ -1,30 +0,0 @@
-PATH
-  remote: .
-  specs:
-    nexpose_cyberark (0.0.2-java)
-      nexpose (~> 0.6.0)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    diff-lcs (1.2.5)
-    librex (0.0.999)
-    nexpose (0.6.5)
-      librex (~> 0.0, >= 0.0.68)
-      rex (~> 1.0, >= 1.0.2)
-    rex (1.0.2)
-    rspec (2.99.0)
-      rspec-core (~> 2.99.0)
-      rspec-expectations (~> 2.99.0)
-      rspec-mocks (~> 2.99.0)
-    rspec-core (2.99.2)
-    rspec-expectations (2.99.2)
-      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.99.3)
-
-PLATFORMS
-  java
-
-DEPENDENCIES
-  nexpose_cyberark!
-  rspec (~> 2.1)

data/nexpose_cyberark.gemspec

@@ -1,27 +0,0 @@
-  # coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'nexpose_cyberark/version'
-
-Gem::Specification.new do |spec|
-  spec.name          = 'nexpose_cyberark'
-  spec.version       = NexposeCyberark::VERSION
-  spec.authors       = ['Damian Finol']
-  spec.email         = ['damian_finol@rapid7.com']
-  spec.summary       = %q{Nexpose Cyberark integration.}
-  spec.description   = %q{Nexpose Cyberark integration provides credentials for authenticated scans in Nexpose.}
-  spec.homepage      = 'http://www.rapid7.com/'
-  spec.license       = 'MIT'
-
-  spec.files         = Dir['[A-Z]*'] + Dir['lib/**/*'] + Dir['bin/**']
-  spec.files.reject! { |fn| fn.include? "CVS" }
-  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ['lib']
-  spec.platform      = 'java'
-
-  spec.add_development_dependency 'bundler', '~> 1.6'
-  spec.add_development_dependency 'rake'
-  spec.add_development_dependency 'rspec', '~> 2.1'
-  spec.add_runtime_dependency('nexpose', '~> 0.6.0')
-end