pyivia 0.2.0__tar.gz

pyivia-0.2.0/AUTHORS.md

@@ -0,0 +1,14 @@
+PyISAM (now called PyIVIA) was originally developed by Benjamin Martin. It is now actively being extended and maintained with the help of various collaborators.
+
+## Moderators
+- Benjamin Martin
+- Lachlan Gleeson
+
+## Bug Fixes and Enhancements
+- Charles Wang \<charleswang@au1.ibm.com\>
+- Jasmine Smith \<jasmsmit@au1.ibm.com\>
+- Peter Calvert \<pcalvert@us.ibm.com\>
+- John Sedgmen \<jsedgmen@au1.ibm.com\>
+- Alex Jansons \<alexjans@au1.ibm.com\>
+- Jared Page \<jaredpa@au1.ibm.com\>
+- Leo Farrell \<lfarrell@au1.ibm.com\>

pyivia-0.2.0/LICENSE.txt

@@ -0,0 +1,21 @@
+
+Copyright (c) 2022 IBM
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

pyivia-0.2.0/PKG-INFO

@@ -0,0 +1,86 @@
+Metadata-Version: 2.2
+Name: pyivia
+Version: 0.2.0
+Summary: Python API for IBM Verify Identity Access
+Author: Lachlan Gleeson
+Author-email: lgleeson@au1.ibm.com
+License: MIT
+Project-URL: Homepage, https://github.com/lachlan-ibm/pyivia
+Project-URL: Documentation, https://lachlan-ibm.github.io/pyivia
+Project-URL: Source, https://github.com/lachlan-ibm/pyivia
+Project-URL: Tracker, https://github.com/lachlan-ibm/pyivia/issues
+Description-Content-Type: text/markdown
+License-File: LICENSE.txt
+License-File: AUTHORS.md
+Requires-Dist: requests
+Dynamic: author
+Dynamic: author-email
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: license
+Dynamic: project-url
+Dynamic: requires-dist
+Dynamic: summary
+
+# PyIVIA
+
+PyIVIA is a Python library that wraps the IBM Verify Identity Access RESTful Web services to provide a
+quick and easy way to construct configuration scripts for appliances.
+
+**Supported Versions**
+
+- IBM Verify Identity Access 11.0.0.0
+- IBM Security Verify Access 10.0.9.0
+- IBM Security Verify Access 10.0.8.0
+- IBM Security Verify Access 10.0.7.0
+- IBM Security Verify Access 10.0.6.0
+- IBM Security Verify Access 10.0.5.0
+- IBM Security Verify Access 10.0.4.0
+- IBM Security Verify Access 10.0.3.1
+- IBM Security Verify Access 10.0.3.0
+- IBM Security Verify Access 10.0.2.0
+- IBM Security Verify Access 10.0.1.0
+- IBM Security Verify Access 10.0.0.0
+- IBM Security Access Manager 9.0.7.3
+- IBM Security Access Manager 9.0.7.2
+- IBM Security Access Manager 9.0.7.1
+- IBM Security Access Manager 9.0.7.0
+- IBM Security Access Manager 9.0.6.0
+- IBM Security Access Manager 9.0.5.0
+- IBM Security Access Manager 9.0.4.0
+- IBM Security Access Manager 9.0.3.0
+- IBM Security Access Manager 9.0.2.1
+- IBM Security Access Manager 9.0.2.0
+
+## Installation
+
+For Linux/macOS: if you clone the library to `~/repos/pyivia`, add this to `~/.profile`:
+```sh
+# add pyivia library to Python's search path
+export PYTHONPATH="${PYTHONPATH}:${HOME}/repos/pyivia"
+```
+
+## From IBM Security Verify Access 10.0.0.0 onwards:
+Module has been build into a package Currently hosted on PyPi that can be installed using pip:
+
+```sh
+pip install pyivia
+```
+
+## Usage
+
+```python
+>>> import pyivia
+>>> factory = pyivia.Factory("https://isam.mmfa.ibm.com", "admin", "Passw0rd")
+>>> web = factory.get_web_settings()
+>>> resp = web.reverse_proxy.restart_instance("default")
+>>> if resp.success:
+...     print("Successfully restarted the default instance.")
+... else:
+...     print("Failed to restart the default instance. status_code: %s, data: %s" % (resp.status_code, resp.data))
+...
+Successfully restarted the default instance.
+```
+
+## Documentation
+Documentation for using this library can be found on [pyivia GitHub pages](https://lachlan-ibm.github.io/pyivia/index.html).

pyivia-0.2.0/README.md

@@ -0,0 +1,62 @@
+# PyIVIA
+
+PyIVIA is a Python library that wraps the IBM Verify Identity Access RESTful Web services to provide a
+quick and easy way to construct configuration scripts for appliances.
+
+**Supported Versions**
+
+- IBM Verify Identity Access 11.0.0.0
+- IBM Security Verify Access 10.0.9.0
+- IBM Security Verify Access 10.0.8.0
+- IBM Security Verify Access 10.0.7.0
+- IBM Security Verify Access 10.0.6.0
+- IBM Security Verify Access 10.0.5.0
+- IBM Security Verify Access 10.0.4.0
+- IBM Security Verify Access 10.0.3.1
+- IBM Security Verify Access 10.0.3.0
+- IBM Security Verify Access 10.0.2.0
+- IBM Security Verify Access 10.0.1.0
+- IBM Security Verify Access 10.0.0.0
+- IBM Security Access Manager 9.0.7.3
+- IBM Security Access Manager 9.0.7.2
+- IBM Security Access Manager 9.0.7.1
+- IBM Security Access Manager 9.0.7.0
+- IBM Security Access Manager 9.0.6.0
+- IBM Security Access Manager 9.0.5.0
+- IBM Security Access Manager 9.0.4.0
+- IBM Security Access Manager 9.0.3.0
+- IBM Security Access Manager 9.0.2.1
+- IBM Security Access Manager 9.0.2.0
+
+## Installation
+
+For Linux/macOS: if you clone the library to `~/repos/pyivia`, add this to `~/.profile`:
+```sh
+# add pyivia library to Python's search path
+export PYTHONPATH="${PYTHONPATH}:${HOME}/repos/pyivia"
+```
+
+## From IBM Security Verify Access 10.0.0.0 onwards:
+Module has been build into a package Currently hosted on PyPi that can be installed using pip:
+
+```sh
+pip install pyivia
+```
+
+## Usage
+
+```python
+>>> import pyivia
+>>> factory = pyivia.Factory("https://isam.mmfa.ibm.com", "admin", "Passw0rd")
+>>> web = factory.get_web_settings()
+>>> resp = web.reverse_proxy.restart_instance("default")
+>>> if resp.success:
+...     print("Successfully restarted the default instance.")
+... else:
+...     print("Failed to restart the default instance. status_code: %s, data: %s" % (resp.status_code, resp.data))
+...
+Successfully restarted the default instance.
+```
+
+## Documentation
+Documentation for using this library can be found on [pyivia GitHub pages](https://lachlan-ibm.github.io/pyivia/index.html).

pyivia-0.2.0/pyivia/__init__.py

@@ -0,0 +1 @@
+from .factory import AuthenticationError, Factory

pyivia-0.2.0/pyivia/core/access/accesscontrol.py

@@ -0,0 +1,463 @@
+"""
+@copyright: IBM
+"""
+
+import logging
+
+from pyivia.util.model import DataObject
+from pyivia.util.restclient import RESTClient
+
+
+POLICIES = "/iam/access/v8/policies"
+POLICY_ATTACHMENTS = "/iam/access/v8/policyattachments"
+POLICY_ATTACHMENTS_PDADMIN = "/iam/access/v8/policyattachments/pdadmin"
+OBLIGATIONS = "/iam/access/v8/obligations"
+
+logger = logging.getLogger(__name__)
+
+
+class AccessControl(object):
+
+    def __init__(self, base_url, username, password):
+        super(AccessControl, self).__init__()
+        self.client = RESTClient(base_url, username, password)
+
+    def create_policy(self, name=None, description=None, dialect="urn:oasis:names:tc:xacml:2.0:policy:schema:os", 
+                    policy=None, attributes_required=False):
+        '''
+        Create an AAC Access Policy. 
+
+        Args:
+            name (:obj:`str`): Name of policy to be created.
+            description (:obj:`str`, optional): Description of policy to be created
+            dialect (:obj:`str`, optional): Format of policy XML. Only "urn:oasis:names:tc:xacml:2.0:policy:schema:os" is supported
+            policy (:obj:`str`, optional): XML of policy steps.
+            attributes_required (:obj:`list` of :obj:`str`, optional): Additional attribute mappings used by the policy
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+            If the request is successful the id of the created policy can be access from the 
+            response.id_from_location attribute.
+
+        '''
+        data = DataObject()
+        data.add_value_string("name", name)
+        data.add_value_string("description", description)
+        data.add_value_string("dialect", dialect)
+        data.add_value_string("policy", policy)
+        data.add_value_boolean("attributesRequired", attributes_required)
+        data.add_value_boolean("predefined", False)
+
+        response = self.client.post_json(POLICIES, data.data)
+        response.success = response.status_code == 201
+
+        return response
+
+
+    def delete_policy(self, id=None):
+        '''
+        Delete an AAC Access Policy.
+
+        Args:
+            id (:obj:`str`): Policy id to be removed.
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+        '''
+        endpoint = "%s/%s" % (POLICIES, id)
+        response = self.client.delete_json(endpoint)
+        response.success = response.status_code == 204
+
+        return response
+
+
+    def list_policies(self, sort_by=None, filter=None):
+        '''
+        List all of the configured AAC Access Policies.
+
+        Args:
+            sort_by (:obj:`str`, optional): Optional sorting of returned policies
+            filter (:obj:`str`, optional): Optional filter for returned policies
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+            If the request is successful the policies are returned as JSON and can be accessed from
+            the response.json attribute.
+
+        '''
+        parameters = DataObject()
+        parameters.add_value_string("sortBy", sort_by)
+        parameters.add_value_string("filter", filter)
+
+        response = self.client.get_json(POLICIES, parameters.data)
+        response.success = response.status_code == 200
+
+        return response
+
+
+    def authenticate_security_access_manager(self, username=None, password=None, domain=None):
+        '''
+        Authenticate to the Verify Identity Access policy server. This is required before an administrator can modify 
+        mapping from policies to resources.
+
+        Args:
+            username (:obj:`str`): Username used to authenticate to the policy server.
+            password (:obj:`str`): Password used to authenticate to the policy server.
+            domain (:obj:`str`): Security domain to authenticate to.
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+        '''
+        data = DataObject()
+        data.add_value_string("username", username)
+        data.add_value_string("password", password)
+        data.add_value_string("domain", domain)
+        data.add_value_string("command", "setCredential")
+
+        response = self.client.post_json(POLICY_ATTACHMENTS_PDADMIN, data.data)
+        response.success = response.status_code == 200
+
+        return response
+
+    def configure_resource(
+            self, server=None, resource_uri=None,
+            policy_combining_algorithm=None, policies=None):
+        '''
+        Create a new resource in the policy server which can be attached to an authentication policy.
+
+        Args:
+            server (:obj:`str`): Name of WebSEAL instance in the policy server where resource will be created.
+            resource_uri (:obj:`str`): URI of resource to be created.
+            policy_combining_algorithm (:obj:`str`): Algorithm to use: "denyOverrides" or "permitOverrides".
+            policies (:obj:`list` of :obj:`str`): List of policies, policy sets or API protection clients.
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+            If the request is successful the id of the created policy can be accessed from the
+            response.id_from_location attribute.
+
+        '''
+        data = DataObject()
+        data.add_value_string("server", server)
+        data.add_value_string("resourceUri", resource_uri)
+        data.add_value_string("policyCombiningAlgorithm", policy_combining_algorithm)
+        data.add_value("policies", policies)
+
+        response = self.client.post_json(POLICY_ATTACHMENTS, data.data)
+        response.success = response.status_code == 201
+
+        return response
+
+
+    def remove_resource(self, id):
+        '''
+        Delete a resource from the policy server.
+
+        Args:
+            id (:obj:`str`): The id of the resource to be removed.
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+        '''
+        endpoint = "%s/%s" % (POLICY_ATTACHMENTS, id)
+        response = self.client.delete_json(endpoint)
+        response.success = response.status_code == 204
+
+        return response
+
+
+    def list_resources(self, sort_by=None, filter=None):
+        '''
+        Return the list of configured resources.
+
+        Args:
+            sort_by (:obj:`str`, optional): Optionally specify the attribute to sort the returned list by.
+            filter (:obj:`str`): Optionally specify whether the returned list shouldb e filtered based on an attribute.
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+        '''
+        parameters = DataObject()
+        parameters.add_value_string("sortBy", sort_by)
+        parameters.add_value_string("filter", filter)
+
+        response = self.client.get_json(POLICY_ATTACHMENTS, parameters.data)
+        response.success = response.status_code == 200
+
+        return response
+
+
+    def publish_policy_attachment(self, id):
+        '''
+        Publish the changes to the policy server. This will require a restart of the corresponding WebSEAL instance.
+
+        Args:
+            id (:obj:`str`): The id of the resource to publish.
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+        '''
+        endpoint = "%s/deployment/%s" % (POLICY_ATTACHMENTS, id)
+
+        response = self.client.put_json(endpoint)
+        response.success = response.status_code == 204
+
+        return response
+
+
+    def publish_multiple_policy_attachments(self, ids=[]):
+        '''
+        Publish the changes to the policy server for one or more resources. This will require a restart of the
+        corresponding WebSEAL instance.
+
+        Args:
+            ids (:obj:`list` of :obj:`str`): List of resource ids to publish.
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+        '''
+        id_string = ""
+        for id in ids:
+
+            if len(id_string) > 0:
+                id_string += ", "
+            id_string += str(id)
+
+        data = DataObject()
+        data.add_value_string("policyAttachmentIds", id_string)
+
+        endpoint = "%s/deployment" % POLICY_ATTACHMENTS
+
+        response = self.client.put_json(endpoint, data.data)
+        response.success = response.status_code == 204
+
+        return response
+
+
+    def list_obligations(self, sort_by=None, filter=None):
+        '''
+        Return the list of configured obligations for AAC.
+
+        Args:
+            sort_by (:obj:`str`, optional): Optional sorting of returned policies.
+            filter (:obj:`str`, optional): Optional filter for returned policies.
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+            If the request is successful the obligations are returned as JSON and can be accessed from
+            the response.json attribute.
+
+        '''
+        parameters = DataObject()
+        parameters.add_value_string("sortBy", sort_by)
+        parameters.add_value_string("filter", filter)
+
+        response = self.client.get_json(OBLIGATIONS, parameters.data)
+        response.success = response.status_code == 200
+
+        return response
+
+
+    def create_obligation(self, name=None, description=None, obligation_uri=None,
+                        type="Obligation", type_id="1", parameters=None, properties=None):
+        '''
+        Create a new obligation for use with RBA.
+
+        Args:
+            name (:obj:`str`): Name of obligation.
+            description (:obj:`str`, optional): Description of the obligation.
+            obligation_uri (:obj:`str`): URI of the obligation.
+            type (:obj:`str`): The obligation type, "Obligation".
+            type_id (:obj:`str`, optional): The obligation type id. If not provided, the value will be set to "1", which is the "Enforcement Point" type.
+            parameters (:obj:`list` of :obj:`str`, optional): List of parameters used by the obligation when making a decision.
+            properties (:obj:`list` of :obj:`str`, optional): Properties used by the obligation.
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+            If the request is successful the id of the created obligation can be accessed from the 
+            response.id_from_location attribute.
+
+        '''
+        data = DataObject()
+        data.add_value_string("name", name)
+        data.add_value_string("description", description)
+        data.add_value_string("obligationURI", obligation_uri)
+        data.add_value_string("type", type)
+        data.add_value("parameters", parameters)
+        data.add_value_string("typeId", type_id)
+        data.add_value("properties", properties)
+
+        response = self.client.post_json(OBLIGATIONS, data.data)
+        response.success = response.status_code == 201
+
+        return response
+
+
+    def update_obligation(self, id, name=None, description=None, obligation_uri=None,
+                        type="Obligation", type_id=None, parameters=None, properties=None):
+        '''
+        Update an existing obligation for use with RBA
+
+        Args:
+            id (:obj:`str`): The generated unique id of the obligation to update.
+            name (:obj:`str`): Name of obligation.
+            description (:obj:`str`, optional): Description of the obligation.
+            obligationURI (:obj:`str`): URI of the obligation.
+            type (:obj:`str`, optional): The obligation type, "Obligation".
+            parameters (:obj:`list` of :obj:`str`, optional): List of parameters used by the obligation when making a decision.
+            properties (:obj:`list` of :obj:`str`, optional): Properties used by the obligation.
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+            If the request is successful the id of the created obligation can be accessed from the 
+            response.id_from_location attribute.
+
+        '''
+        data = DataObject()
+        data.add_value_string("name", name)
+        data.add_value_string("description", description)
+        data.add_value_string("obligationURI", obligation_uri)
+        data.add_value_string("type", type)
+        data.add_value("parameters", parameters)
+        data.add_value_string("typeId", type_id)
+        data.add_value("properties", properties)
+
+        response = self.client.post_json(OBLIGATIONS, data.data)
+        response.success = response.status_code == 201
+
+        return response
+
+
+    def delete_obligation(self, id):
+        '''
+        Delete an existing obligation from the policy server
+
+        Args:
+            id (:obj:`str`): The id of the obligation to be removed.
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+        '''
+        endpoint = "%s/%s" % (OBLIGATIONS, id)
+        response = self.client.delete_json(endpoint)
+        response.success = response.status_code == 204
+
+        return response
+
+
+class AccessControl9030(AccessControl):
+
+    def __init__(self, base_url, username, password):
+        super(AccessControl9030, self).__init__(base_url, username, password)
+
+
+    def configure_resource(self, server=None, resource_uri=None, policy_combining_algorithm=None, 
+                        policies=None, type="reverse_proxy"):
+        '''
+        Create a new resource in the policy server which can be attached to an authentication policy.
+
+        Args:
+            server (:obj:`str`): Name of WebSEAL instance in the policy server where resource will be created.
+            resource_uri (:obj:`str`): URI of resource to be created.
+            policy_combining_algorithm (:obj:`str`): Algorithm to use: "denyOverrides" or "permitOverrides".
+            policies (:obj:`list` of :obj:`str`): List of policies, policy sets or API protection clients.
+            type (:obj:`str`, optional): Resource type to be created. Default is "reverse_proxy".
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+        '''
+        data = DataObject()
+        data.add_value_string("server", server)
+        data.add_value_string("resourceUri", resource_uri)
+        data.add_value_string(
+            "policyCombiningAlgorithm", policy_combining_algorithm)
+        data.add_value("policies", policies)
+        data.add_value_string("type", type)
+
+        response = self.client.post_json(POLICY_ATTACHMENTS, data.data)
+        response.success = response.status_code == 201
+
+        return response
+
+
+class AccessControl10000(AccessControl9030):
+
+    def __init__(self, base_url, username, password):
+        super(AccessControl10000, self).__init__(base_url, username, password)
+
+
+    def configure_resource(self, server=None, resource_uri=None, policy_combining_algorithm=None, 
+                        policies=None, cache=None):
+        '''
+        Create a new resource in the policy server which can be attached to an authentication policy.
+
+        Args:
+            server (:obj:`str`): Name of WebSEAL instance in the policy server where resource will be created.
+            resource_uri (:obj:`str`): URI of resource to be created.
+            policy_combining_algorithm (:obj:`str`): Algorithm to use: "denyOverrides" or "permitOverrides".
+            policies (:obj:`list` of :obj:`str`): List of policies, policy sets or API protection clients.
+            cache (`int`, optional): 0 to disable the cache for this resource, -1 to cache the decision for 
+                                    the lifetime of the session or any number greater than 1 to set a 
+                                    specific timeout (in seconds) for the cached decision. If not specified 
+                                    a default of 0 will be used. 
+
+        Returns:
+            :obj:`~requests.Response`: The response from verify identity access. 
+
+            Success can be checked by examining the response.success boolean attribute.
+
+        '''
+        data = DataObject()
+        data.add_value_string("server", server)
+        data.add_value_string("resourceUri", resource_uri)
+        data.add_value_string(
+            "policyCombiningAlgorithm", policy_combining_algorithm)
+        data.add_value("policies", policies)
+        data.add_value("cache", cache)
+
+        response = self.client.post_json(POLICY_ATTACHMENTS, data.data)
+        response.success = response.status_code == 201
+
+        return response