nexpose_thycotic 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 72d72a2f1294229464df29985e8c3a0145f18d60
-  data.tar.gz: 13e76a6eaeb8f69879b2a808251f9ad2a4bb2716
+  metadata.gz: def1949052dd9744a7b1803cf32153ca840c3e04
+  data.tar.gz: 616f386251fa0515e8d0df1a4b6a67b88eaa7a0b
 SHA512:
-  metadata.gz: 0b6f9d979b6064ca1eadfa76d0026461057701110fcddb172bde51429412a97589e4de7b4e1c96bab5b0f5e760337620f955f4d95b7294d1b5d03fbc6d606bef
-  data.tar.gz: c9f6ab9b22517feb3035b214492ab2cd7fffa1b0a3b5a4e2c4ef1823ed9e7e41113fa20d7cf25f2db5600346acc2b94b93a4f6911fbef3579d2bc1ca0349e635
+  metadata.gz: cb7b619bf897b98bc5910ee284711366dc3be9cbe4dde8653c9e23fc981d9373cd54c0fb96bf43f04ece34f5e2fd76f1bccafdeddc9979fe73a8044996686ce6
+  data.tar.gz: 4922dcd8ee3930d85c0ddffb277fb38251c943bce86d906b6e54093e8b14cbfe9090a7357b13786fb98f2707ccbf64cbfe56273099b77ab89185ab660fee3b57

data/README.md

@@ -63,6 +63,11 @@ The gem is available as open source under the terms of the [MIT License](http://
 
 ## Changelog
 
+### 0.2.0
+- User may configure the gem to delete or preserve existing credentials.
+- A customisable comment is now attached to password retrieval requests.
+- Multiple credentials for the same address may be imported.
+
 ### 0.0.7
 - User now has the option to configure the gem using a configuration file as well as with environment variables. Nexpose and Thycotic options have been added to the configuration file.
 - Added an encryption configuration file. Usernames and passwords within the configuration file are now encrypted when the application runs.

data/bin/nexpose_thycotic

@@ -24,15 +24,18 @@ options = settings[:options]
 
 vault_options = { url: thycotic_options[:thycotic_url],
                   username: thycotic_options[:thycotic_username],
-                  password: thycotic_options[:thycotic_password] }
+                  password: thycotic_options[:thycotic_password],
+                  comment: thycotic_options[:comment] }
 
 nexpose_options = { nexpose_ip: nexpose_options[:nexpose_url], 
                     nexpose_username: nexpose_options[:nexpose_username], 
                     nexpose_password: nexpose_options[:nexpose_password], 
                     nexpose_port: nexpose_options[:nexpose_port], 
                     sites: options[:sites],
+                    clear_creds: options[:clear_creds],
                     logging_enabled: options[:logging_enabled],
                     log_level: options[:log_level],
-                    log_console: options[:log_console] }       
+                    log_console: options[:log_console] }
+
 NexposeThycotic.update_credentials(vault_options, nexpose_options)
 

data/lib/nexpose_thycotic.rb

@@ -3,55 +3,86 @@ require 'nexpose_thycotic/operations'
 require 'nexpose_thycotic/utilities/nx_logger'
 require 'nexpose'
 
-module NexposeThycotic  
+module NexposeThycotic
   def self.update_credentials(vault_options, nexpose_options = nil)
+    #TODO: Should we add the logging alias' from the SCCM gem?
     log = NexposeThycotic::NxLogger.instance
-    log.setup_statistics_collection(NexposeThycotic::VENDOR, 
-                                    NexposeThycotic::PRODUCT, 
+    log.setup_statistics_collection(NexposeThycotic::VENDOR,
+                                    NexposeThycotic::PRODUCT,
                                     NexposeThycotic::VERSION)
-    log.setup_logging(true, nexpose_options[:log_level], nexpose_options[:log_console])
-    log.log_message('Starting integration.')
-    
-    ss = ThycoticOperations.new(vault_options[:url])
-    log.log_message("Logging to Thycotic at #{vault_options[:url]}")
+    log.setup_logging(true,
+                      nexpose_options[:log_level],
+                      nexpose_options[:log_console])
+    log.info('Starting integration.')
+
+    ss = ThycoticOperations.new(vault_options[:url], vault_options[:comment])
+    log.info("Logging into Thycotic at #{vault_options[:url]}")
     token = ss.authenticate(vault_options[:username], vault_options[:password])
-    
-    @nx = NexposeOperations.new(nexpose_options[:nexpose_ip], 
-                                nexpose_options[:nexpose_username], 
-                                nexpose_options[:nexpose_password], 
+
+    @nx = NexposeOperations.new(nexpose_options[:nexpose_ip],
+                                nexpose_options[:nexpose_username],
+                                nexpose_options[:nexpose_password],
                                 nexpose_options[:nexpose_port])
-    log.log_message('Processing sites')
+    log.info('Processing sites')
 
     nexpose_options[:sites].each do |site_id|
       log.log_debug_message("Processing site #{site_id}")
-      ips = @nx.get_ips_from_site(site_id)
+      addresses = @nx.get_device_addresses(site_id)
+
       site_credentials = []
+      if nexpose_options[:clear_creds]
+        log.debug('Clearing existing credentials.')
+      else
+        log.debug('Preserving existing credentials.')
+        site_credentials = @nx.get_existing_credentials(site_id)
+      end
+
+      addresses.each do |addr|
+        log.debug("Getting credentials for #{addr}")
+        summaries = ss.get_secret_summaries(token, addr)
+        next if summaries.empty?
+
+        log.debug("Discovered #{summaries.count} credentials for #{addr}")
+
+        summaries.each do |summary|
+          cred = self.create_credential(ss, token, summary, addr)
 
-      ips.each do |ip|
-        ip_from = ip.instance_of?(Nexpose::HostName) ? ip.host : ip.from
-        log.log_debug_message("Getting credentials for #{ip_from}")
-        secret_summary = ss.get_secret_id(token, ip_from)
-        unless secret_summary.nil?
-          log.log_debug_message("Found credentials for #{ip_from}")
-          # Gets OS
-          asset_data = {}
-          asset_data[:ip] = ip_from
-          res = ss.get_secret_simple(token, secret_summary[:secret_id])
-          asset_data[:username] = res[:username]
-          asset_data[:password] = res[:password]
-          credential = Nexpose::Credential.for_service(ss.check_type(secret_summary[:secret_type]), 
-                                                       asset_data[:username], 
-                                                       asset_data[:password], 
-                                                       nil, 
-                                                       ip.from)
-          site_credentials.push(credential)
+          site_credentials.reject! do |c|
+            c.host_restriction == cred.host_restriction &&
+                c.user_name == cred.user_name && c.service == cred.service
+          end
+
+          site_credentials.push(cred)
         end
       end
+
       @nx.save_site(site_id, site_credentials)
-      log.log_message("Finished processing #{site_id}")
+      log.info("Finished processing #{site_id}")
     end
   end
 
+  def self.create_credential(connection, token, secret_summary, address)
+    # Get the kind of credential e.g. ssh, cifs
+    service = connection.check_type(secret_summary[:secret_type])
+
+    # Define the credential's base properties
+    cred_name = secret_summary[:secret_name]
+    cred_desc = "Thycotic imported Credential for #{address}"
+
+    credential = Nexpose::SiteCredentials.for_service(cred_name,
+                                                      -1,
+                                                      cred_desc,
+                                                      address,
+                                                      nil,
+                                                      service)
+    # Retrieve and store the credentials
+    res = connection.get_secret(token, secret_summary[:secret_id])
+    credential.user_name = res[:username]
+    credential.password = res[:password]
+
+    credential
+  end
+
   def self.set_variables(options)
     settings = {}
     options.each_key do |key|

data/lib/nexpose_thycotic/config/nexpose_thycotic.config

@@ -13,6 +13,8 @@
   # Filters to specific sites one per line, leave empty to generate for all sites.
   :sites:
   - '1'
+  # Delete existing credentials for the site before importing
+  :clear_creds: true
 :nexpose_options:
   # (M) Nexpose IP address
   :nexpose_url: 127.0.0.1
@@ -29,6 +31,8 @@
   :thycotic_username: user
   # (M) The password for the above user
   :thycotic_password: password
+  # (M) The comment used when retrieving each password
+  :comment: 'Retrieved via Thycotic gem.'
 :encryption_options:
 # (M) Path to the encryption.config file
   :directory: ../../config/encryption.config

data/lib/nexpose_thycotic/operations.rb

@@ -1,3 +1,6 @@
+require 'nexpose_thycotic/utilities/nx_logger'
+require 'set'
+
 module NexposeThycotic
   class NexposeOperations
     require 'nexpose'
@@ -7,28 +10,58 @@ module NexposeThycotic
     def initialize(ip, user, pass, port = 3780)
       @nsc = Connection.new(ip, user, pass, port)
       @nsc.login
-      NexposeThycotic::NxLogger.instance.on_connect(ip, port, @nsc.session_id, "{}")
+
+      @logger = NexposeThycotic::NxLogger.instance
+      @logger.on_connect(ip, port, @nsc.session_id, '{}')
+    end
+
+    def get_site(site_id)
+      Site.load(@nsc, site_id)
+    end
+
+    def get_devices_from_site(site_id)
+      @nsc.list_devices(site_id)
+    end
+
+    def get_device_addresses(site_id)
+      site = get_site(site_id)
+      included_targets = site.included_addresses
+
+      # Get a list of known IP addresses from a site
+      devices = get_devices_from_site(site_id)
+      device_ips = devices.map { |d| d.address }
+
+      hosts = []
+      ips = device_ips.to_set
+      included_targets.each do |address|
+        if address.instance_of?(Nexpose::HostName)
+          hosts << address.host
+        elsif address.to.nil?
+          ips.add(address.from)
+        end
+      end
+
+      @logger.debug("Discovered #{hosts.count} hosts and #{ips.count} IPs.")
+      ips.to_a + hosts
     end
 
-    def get_ips_from_site(site_id)
-      site = Site.load(@nsc, site_id)
-      site.assets
+    def get_existing_credentials(site_id)
+      site = get_site(site_id)
+      site.site_credentials
     end
 
     def save_site(site_id, credentials)
-      site = Site.load(@nsc, site_id)
-      site.credentials = credentials
+      site = get_site(site_id)
+      site.site_credentials = credentials
       site.save(@nsc)
     end
 
     def delete_site_credentials(site_id)
-      site = Site.load(@nsc, site_id)
-      site.credentials = []
-      site.save(@nsc)
+      save_site(site_id, [])
     end
 
     def start_scan(site_id)
-      site = Site.load(@nsc, site_id)
+      site = get_site(site_id)
       site.scan(@nsc)
     end
 
@@ -40,11 +73,12 @@ module NexposeThycotic
   class ThycoticOperations
     require 'savon'
     attr_accessor :client
-    def initialize(url = nil)
+    def initialize(url = nil, comment = '')
       # log: true, log_level: :info
-      @client = Savon.client(
-          wsdl: url,
-          ssl_verify_mode: :none)
+      @client = Savon.client(wsdl: url, ssl_verify_mode: :none)
+
+      # Comment used when retrieving passwords
+      @comment = comment
     end
 
     def operations
@@ -70,67 +104,83 @@ module NexposeThycotic
     end
 
     def authenticate(username, password)
-      auth = @client.call(:authenticate, message: { username: username, password: password })
-      auth_response = auth.hash
-      auth_result = auth_response[:envelope][:body][:authenticate_response][:authenticate_result]
-      CheckForErrors(auth_result)
+      operation = :authenticate
+      message = { username: username, password: password }
+      auth_result = get_secret_result(operation, message)
+      check_for_errors(auth_result)
       @token = auth_result[:token]
     end
 
-    def parse_field(secret_response_result, fieldName)
-      items = secret_response_result[:secret][:items]
-      for item in items[:secret_item]
-        if	item[:field_display_name].downcase == fieldName.downcase then
-          return item[:value]
-        end
-      end
+    def parse_field(secret_response_result, field_name)
+      items = secret_response_result[:secret][:items][:secret_item]
+      item = items.find  { |i| i[:field_display_name].casecmp(field_name) == 0 }
+      item[:value]
     end
 
-    def get_secret_id(token, ip)
-      secret_id = @client.call( :search_secrets_by_field_value, message: { token: token, fieldName: 'machine', searchTerm: ip, showDeleted: true, showRestricted: true})
-      secret_result = secret_id.hash
-      unless secret_result[:envelope][:body][:search_secrets_by_field_value_response][:search_secrets_by_field_value_result][:secret_summaries].nil? then
-        secret_summary = secret_result[:envelope][:body][:search_secrets_by_field_value_response][:search_secrets_by_field_value_result][:secret_summaries][:secret_summary]
-        secret_info = { secret_id: secret_summary[:secret_id], secret_type: secret_summary[:secret_type_name] }
-      end
+    def get_secret_result(operation, message)
+      secret = @client.call(operation, message: message)
+      resp = secret.hash[:envelope][:body]["#{operation}_response".to_sym]
+      resp["#{operation}_result".to_sym]
     end
 
-    def get_secret_simple(token, secret_id)
-      secret = @client.call( :get_secret_legacy, message: { token: token, secretId: secret_id } )
-      secret_response = secret.hash
-      secret_response_result = secret_response[:envelope][:body][:get_secret_legacy_response][:get_secret_legacy_result]
-      CheckForErrors(secret_response_result)
-      username = parse_field(secret_response_result, "Username")
-      password = parse_field(secret_response_result, "Password")
-      asset = { username: username, password: password }
+    def get_secret_summaries(token, ip)
+      operation = :search_secrets_by_field_value
+      message = {
+        token: token,
+        fieldName: 'machine',
+        searchTerm: ip,
+        showDeleted: true,
+        showRestricted: true
+      }
+      secret_result = get_secret_result(operation, message)
+
+      secrets = []
+      unless secret_result[:secret_summaries].nil?
+        summaries = secret_result[:secret_summaries][:secret_summary]
+
+        # Ensure summaries is iterable
+        summaries = [summaries] if summaries.is_a?(Hash)
+
+        summaries.each do |secret|
+          secret_info = {
+            secret_id: secret[:secret_id],
+            secret_type: secret[:secret_type_name],
+            secret_name: secret[:secret_name]
+          }
+          secrets << secret_info
+        end
+      end
 
+      secrets
     end
 
     def get_secret(token, secret_id)
-      #Code Responses are used if additional information is required when getting the Secret (Ex: Requires Comment is turned on so need to pass Code Response as..)
-      code_response = nil
-      #code_response = @client.new("codeResponse")  #Code is not working, need to create object of type codeResponse from the wsdl
-      #code_response.ErrorCode = "COMMENT";
-      #code_response.Comment = "Running scan";
-
-      #CodeResponses is an array because there could be multiple additional responses needed
-      code_responses = [code_response]
-
-      secret = @client.call( :get_secret, message: { token: token, secretId: secret_id, CodeResponse: code_responses } )
-      secret_response = secret.hash
-      secret_response_result = secret_response[:envelope][:body][:get_secret_response][:get_secret_result]
-      CheckForErrors(secret_response_result)
-      username = parse_field(secret_response_result, "Username")
-      password = parse_field(secret_response_result, "Password")
+      operation = :get_secret
+      message = { token: token,
+                  secretId: secret_id,
+                  loadSettingsAndPermissions: false,
+                  "codeResponses" => {"CodeResponse" =>
+                                          [{
+                                               "ErrorCode" => "COMMENT",
+                                               "Comment" => @comment
+                                           }]
+                  }}
+      secret_result = get_secret_result(operation, message)
+
+      check_for_errors(secret_result)
+      username = parse_field(secret_result, 'Username')
+      password = parse_field(secret_result, 'Password')
+
+      { username: username, password: password }
     end
 
-    def CheckForErrors(result)
+    def check_for_errors(result)
       errors = result[:errors]
-      if !errors.blank? then
+      unless errors.blank?
         puts errors
+        #TODO: Logging
         raise Exception.new(errors)
       end
-
     end
   end
-end
+end

data/lib/nexpose_thycotic/utilities/nx_logger.rb

@@ -31,7 +31,11 @@ module NexposeThycotic
       end
     end
 
-    def setup_logging(enabled, log_level = 'info', stdout=false)
+    def setup_logging(enabled,
+                      log_level = 'info',
+                      stdout=false,
+                      rotation='weekly',
+                      log_size=nil)
       @stdout = stdout
 
       log_message('Logging disabled.') unless enabled || @log.nil?
@@ -46,9 +50,9 @@ module NexposeThycotic
       io = IO.for_fd(IO.sysopen(@logger_file, 'a'), 'a')
       io.autoclose = false
       io.sync = true
-      @log = Logger.new(io, 'weekly')
-      @log.level = if log_level.to_s.casecmp('info') == 0 
-                     Logger::INFO 
+      @log = Logger.new(io, rotation, log_size)
+      @log.level = if log_level.to_s.casecmp('info') == 0
+                     Logger::INFO
                    else
                      Logger::DEBUG
                    end
@@ -58,11 +62,12 @@ module NexposeThycotic
     def create_calls
       levels = [:info, :debug, :error, :warn]
       levels.each do |level|
-        method_name = 
-        define_singleton_method("log_#{level.to_s}_message") do |message|
+        method_name = "log_#{level.to_s}_message"
+        define_singleton_method(method_name) do |message|
           puts message if @stdout
           @log.send(level, message) unless !@enabled || @log.nil?
         end
+        singleton_class.send(:alias_method, level, method_name.to_sym)
       end
     end
 
@@ -93,8 +98,8 @@ module NexposeThycotic
     end
 
     def get_product(product, version)
-      return nil if ((product.nil? || product.empty?) || 
-                     (version.nil? || version.empty?))
+      return nil if ((product.nil? || product.empty?) ||
+          (version.nil? || version.empty?))
 
       product.gsub!('-', '_')
       product.slice! product.rindex('_') until product.count('_') <= 1
@@ -148,7 +153,7 @@ module NexposeThycotic
         log_stat_message('Statistics collection not enabled.')
         return
       end
-      
+
       begin
         payload = generate_payload value
         send(nexpose_address, nexpose_port, session_id, payload)

data/lib/nexpose_thycotic/version.rb

@@ -1,5 +1,5 @@
 module NexposeThycotic
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
   VENDOR = "Thycotic"
   PRODUCT = "Secret Server"
   def self.show_version

metadata

@@ -1,43 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: nexpose_thycotic
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Damian Finol, Adam Robinson
+- David Valente
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-30 00:00:00.000000000 Z
+date: 2018-04-06 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: savon
   requirement: !ruby/object:Gem::Requirement
@@ -52,34 +25,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: rubyntlm
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: nexpose
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '7.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '7.2'
 - !ruby/object:Gem::Dependency
   name: symmetric-encryption
   requirement: !ruby/object:Gem::Requirement
@@ -143,7 +102,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.6.14
 signing_key: 
 specification_version: 4
 summary: Nexpose Thycotic Gem Integration