python4cpm 1.0.14__tar.gz → 1.0.15__tar.gz

{python4cpm-1.0.14/src/python4cpm.egg-info → python4cpm-1.0.15}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python4cpm
-Version: 1.0.14
+Version: 1.0.15
 Summary: Python for CPM
 Author-email: Gonzalo Atienza Rela <gonatienza@gmail.com>
 License: MIT License
@@ -32,9 +32,9 @@ Dynamic: license-file
 
 # Python4CPM
 
-A simple way of using python scripts with CyberArk CPM rotations.  This module levereages the [Terminal Plugin Controller](https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/plug-in-terminal-plugin-controller.htm) (TPC) in CPM to offload a password rotation logic into a script.
+A simple way of using python scripts with CyberArk CPM rotations.  This module levereages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into a python script.
 
-This platform allows you to duplicate it multiple times, simply changing its settings from Privilege Cloud/PVWA to point to different python scripts leveraging the module included with the base platform.
+This platform allows you to duplicate it multiple times, simply changing its settings from Privilege Cloud/PVWA to point to different python scripts leveraging the module `python4cpm`.
 
 ## Installation
 
@@ -52,15 +52,16 @@ This platform allows you to duplicate it multiple times, simply changing its set
 
 ### Importing the platform
 
-1. Download the [latest platform zip file](https://github.com/gonatienza/python4cpm/releases/download/latest/python4cpm-platform.zip).
-2. Import the platform zip file into Privilege Cloud/PVWA `(Administration -> Platform Management -> Import platform)`.
-3. Craft your python script and place it within the bin folder of CPM (`C:\Program Files (x86)\CyberArk\Password Manager\bin`).
-4. Duplicate the imported platform in Privilege Cloud/PVWA `(Administration -> Platform Management -> Application -> Python for CPM)` and name it after your application (e.g., My App).
-5. Edit the duplicated platform and specify the path of your placed script in the bin folder of CPM, under `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonScriptPath -> Value` (e.g., `bin\myapp.py`).
-6. If you used a custom venv location, also update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonExePath -> Value` with the custom path for the venv's `python.exe` file (e.g., `c:\my-venv-path\Scripts\python.exe`).
-7. If you want to disable logging, update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonLogging -> Value` to `no`.
-8. If you want to change the logging level to `debug`, update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonLoggingLevel -> Value` to `debug`.
-9. For new applications repeat steps from 3 to 8.
+1. Download the latest [Credential Management .NET SDK](https://community.cyberark.com/marketplace/s/#a3550000000EkA0AAK-a3950000000jjoOAAQ) and place its content in the bin folder of CPM (`C:\Program Files (x86)\CyberArk\Password Manager\bin`).
+2. Download the [latest platform zip file](https://github.com/gonatienza/python4cpm/releases/download/latest/python4cpm-platform.zip).
+3. Import the platform zip file into Privilege Cloud/PVWA `(Administration -> Platform Management -> Import platform)`.
+4. Craft your python script and place it within the bin folder of CPM (`C:\Program Files (x86)\CyberArk\Password Manager\bin`).
+5. Duplicate the imported platform in Privilege Cloud/PVWA `(Administration -> Platform Management -> Application -> Python for CPM)` and name it after your application (e.g., My App).
+6. Edit the duplicated platform and specify the path of your placed script in the bin folder of CPM, under `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonScriptPath -> Value` (e.g., `bin\myapp.py`).
+7. If you used a custom venv location, also update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonExePath -> Value` with the custom path for the venv's `python.exe` file (e.g., `c:\my-venv-path\Scripts\python.exe`).
+8. If you want to disable logging, update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonLogging -> Value` to `no`.
+9. If you want to change the logging level to `debug`, update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonLoggingLevel -> Value` to `debug`.
+10. For new applications repeat steps from 4 to 9.
 
 
 ## Python Script
@@ -137,7 +138,7 @@ def change(from_reconcile=False):
 
 if __name__ == "__main__":
     try:
-        if action == Python4CPM.ACTION_VERIFY: # class attribute ACTION_VERIFY holds the verify action value
+        if p4cpm.args.action == Python4CPM.ACTION_VERIFY: # class attribute ACTION_VERIFY holds the verify action value
             verify()
             p4cpm.close_success() # terminate with success state
         elif p4cpm.args.action == Python4CPM.ACTION_LOGON: # class attribute ACTION_LOGON holds the logon action value
@@ -159,7 +160,7 @@ if __name__ == "__main__":
             ## p4cpm.log_error("reconciliation is not supported") # let the logs know that reconciliation is not supported
             ## p4cpm.close_fail() # let CPM know to check the logs
         else:
-            p4cpm.log_error(f"invalid action: '{action}'") # logs into Logs/ThirdParty/Python4CPM/MyApp.log
+            p4cpm.log_error(f"invalid action: '{p4cpm.args.action}'") # logs into Logs/ThirdParty/Python4CPM/MyApp.log
             p4cpm.close_fail(unrecoverable=True) # terminate with unrecoverable failed state
     except Exception as e:
         p4cpm.log_error(f"{type(e).__name__}: {e}")
@@ -189,14 +190,15 @@ As with any python venv, you can install dependancies in your venv.
 
 ## Dev Helper:
 
-TPC is a binary Terminal Plugin Controller in CPM.  It passes information to Python4CPM through arguments and prompts when calling the script.
-For dev purposes, `TPCHelper` is a companion helper that simplifies the instantiation of the `Python4CPM` object by simulating how TPC passes those arguments and prompts.
+For dev purposes, `NETHelper` is a companion helper that simplifies the instantiation of the `Python4CPM` object by simulating how the plugin passes arguments and secrets to `Python4CPM`.
 Install this module (in a dev workstation) with:
 
 ```bash
 pip install python4cpm
 ```
 
+**Note**: As CPM runs in Windows, the plugin was built to pass secrets securely to the `Python4CPM.crypto` module using the Data Protection API (DPAPI).  For dev purposes in Linux/Mac dev workstations, those secrets will appear as plaintext in the process environment.  This is informational only, the module will use its encryption/decryption capabilities automatically in Windows and you do not have to do anything specific to enable it.
+
 ### Example:
 
 ```python

{python4cpm-1.0.14 → python4cpm-1.0.15}/README.md

@@ -1,8 +1,8 @@
 # Python4CPM
 
-A simple way of using python scripts with CyberArk CPM rotations.  This module levereages the [Terminal Plugin Controller](https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/plug-in-terminal-plugin-controller.htm) (TPC) in CPM to offload a password rotation logic into a script.
+A simple way of using python scripts with CyberArk CPM rotations.  This module levereages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into a python script.
 
-This platform allows you to duplicate it multiple times, simply changing its settings from Privilege Cloud/PVWA to point to different python scripts leveraging the module included with the base platform.
+This platform allows you to duplicate it multiple times, simply changing its settings from Privilege Cloud/PVWA to point to different python scripts leveraging the module `python4cpm`.
 
 ## Installation
 
@@ -20,15 +20,16 @@ This platform allows you to duplicate it multiple times, simply changing its set
 
 ### Importing the platform
 
-1. Download the [latest platform zip file](https://github.com/gonatienza/python4cpm/releases/download/latest/python4cpm-platform.zip).
-2. Import the platform zip file into Privilege Cloud/PVWA `(Administration -> Platform Management -> Import platform)`.
-3. Craft your python script and place it within the bin folder of CPM (`C:\Program Files (x86)\CyberArk\Password Manager\bin`).
-4. Duplicate the imported platform in Privilege Cloud/PVWA `(Administration -> Platform Management -> Application -> Python for CPM)` and name it after your application (e.g., My App).
-5. Edit the duplicated platform and specify the path of your placed script in the bin folder of CPM, under `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonScriptPath -> Value` (e.g., `bin\myapp.py`).
-6. If you used a custom venv location, also update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonExePath -> Value` with the custom path for the venv's `python.exe` file (e.g., `c:\my-venv-path\Scripts\python.exe`).
-7. If you want to disable logging, update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonLogging -> Value` to `no`.
-8. If you want to change the logging level to `debug`, update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonLoggingLevel -> Value` to `debug`.
-9. For new applications repeat steps from 3 to 8.
+1. Download the latest [Credential Management .NET SDK](https://community.cyberark.com/marketplace/s/#a3550000000EkA0AAK-a3950000000jjoOAAQ) and place its content in the bin folder of CPM (`C:\Program Files (x86)\CyberArk\Password Manager\bin`).
+2. Download the [latest platform zip file](https://github.com/gonatienza/python4cpm/releases/download/latest/python4cpm-platform.zip).
+3. Import the platform zip file into Privilege Cloud/PVWA `(Administration -> Platform Management -> Import platform)`.
+4. Craft your python script and place it within the bin folder of CPM (`C:\Program Files (x86)\CyberArk\Password Manager\bin`).
+5. Duplicate the imported platform in Privilege Cloud/PVWA `(Administration -> Platform Management -> Application -> Python for CPM)` and name it after your application (e.g., My App).
+6. Edit the duplicated platform and specify the path of your placed script in the bin folder of CPM, under `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonScriptPath -> Value` (e.g., `bin\myapp.py`).
+7. If you used a custom venv location, also update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonExePath -> Value` with the custom path for the venv's `python.exe` file (e.g., `c:\my-venv-path\Scripts\python.exe`).
+8. If you want to disable logging, update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonLogging -> Value` to `no`.
+9. If you want to change the logging level to `debug`, update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonLoggingLevel -> Value` to `debug`.
+10. For new applications repeat steps from 4 to 9.
 
 
 ## Python Script
@@ -105,7 +106,7 @@ def change(from_reconcile=False):
 
 if __name__ == "__main__":
     try:
-        if action == Python4CPM.ACTION_VERIFY: # class attribute ACTION_VERIFY holds the verify action value
+        if p4cpm.args.action == Python4CPM.ACTION_VERIFY: # class attribute ACTION_VERIFY holds the verify action value
             verify()
             p4cpm.close_success() # terminate with success state
         elif p4cpm.args.action == Python4CPM.ACTION_LOGON: # class attribute ACTION_LOGON holds the logon action value
@@ -127,7 +128,7 @@ if __name__ == "__main__":
             ## p4cpm.log_error("reconciliation is not supported") # let the logs know that reconciliation is not supported
             ## p4cpm.close_fail() # let CPM know to check the logs
         else:
-            p4cpm.log_error(f"invalid action: '{action}'") # logs into Logs/ThirdParty/Python4CPM/MyApp.log
+            p4cpm.log_error(f"invalid action: '{p4cpm.args.action}'") # logs into Logs/ThirdParty/Python4CPM/MyApp.log
             p4cpm.close_fail(unrecoverable=True) # terminate with unrecoverable failed state
     except Exception as e:
         p4cpm.log_error(f"{type(e).__name__}: {e}")
@@ -157,14 +158,15 @@ As with any python venv, you can install dependancies in your venv.
 
 ## Dev Helper:
 
-TPC is a binary Terminal Plugin Controller in CPM.  It passes information to Python4CPM through arguments and prompts when calling the script.
-For dev purposes, `TPCHelper` is a companion helper that simplifies the instantiation of the `Python4CPM` object by simulating how TPC passes those arguments and prompts.
+For dev purposes, `NETHelper` is a companion helper that simplifies the instantiation of the `Python4CPM` object by simulating how the plugin passes arguments and secrets to `Python4CPM`.
 Install this module (in a dev workstation) with:
 
 ```bash
 pip install python4cpm
 ```
 
+**Note**: As CPM runs in Windows, the plugin was built to pass secrets securely to the `Python4CPM.crypto` module using the Data Protection API (DPAPI).  For dev purposes in Linux/Mac dev workstations, those secrets will appear as plaintext in the process environment.  This is informational only, the module will use its encryption/decryption capabilities automatically in Windows and you do not have to do anything specific to enable it.
+
 ### Example:
 
 ```python

{python4cpm-1.0.14 → python4cpm-1.0.15}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "python4cpm"
-version = "1.0.14"
+version = "1.0.15"
 description = "Python for CPM"
 authors = [
   { name = "Gonzalo Atienza Rela", email = "gonatienza@gmail.com" }

python4cpm-1.0.15/src/python4cpm/__init__.py

@@ -0,0 +1,17 @@
+from python4cpm.python4cpm import Python4CPM
+from python4cpm.args import Args
+from python4cpm.secrets import SecureString, Secrets
+from python4cpm.crypto import Crypto
+from python4cpm.nethelper import NETHelper
+from importlib.metadata import version as __version
+
+__version__ = __version(__name__)
+
+__all__ = [
+    Args,
+    SecureString,
+    Secrets,
+    Python4CPM,
+    Crypto,
+    NETHelper
+]

python4cpm-1.0.15/src/python4cpm/args.py

@@ -0,0 +1,56 @@
+class Args:
+    ARGS = (
+        "action",
+        "address",
+        "username",
+        "logon_username",
+        "reconcile_username",
+        "logging",
+        "logging_level"
+    )
+
+    def __init__(
+        self: str,
+        action: str,
+        address: str,
+        username: str,
+        reconcile_username: str,
+        logon_username: str,
+        logging: str,
+        logging_level: str
+    ) -> None:
+        self._action = action
+        self._address = address
+        self._username = username
+        self._reconcile_username = reconcile_username
+        self._logon_username = logon_username
+        self._logging = logging
+        self._logging_level = logging_level
+
+    @property
+    def action(self) -> str:
+        return self._action
+
+    @property
+    def address(self) -> str:
+        return self._address
+
+    @property
+    def username(self) -> str:
+        return self._username
+
+    @property
+    def reconcile_username(self) -> str:
+        return self._reconcile_username
+
+    @property
+    def logon_username(self) -> str:
+        return self._logon_username
+
+    @property
+    def logging(self) -> str:
+        return self._logging
+
+    @property
+    def logging_level(self) -> str:
+        return self._logging_level

python4cpm-1.0.15/src/python4cpm/crypto.py

@@ -0,0 +1,74 @@
+import sys
+import ctypes
+import ctypes.wintypes
+import base64
+
+
+class Crypto:
+    if sys.platform == "win32":
+        ENABLED = True
+    else:
+        ENABLED = False
+
+    class DataBlob(ctypes.Structure):
+        _fields_ = [
+            ("cbData", ctypes.wintypes.DWORD),
+            ("pbData", ctypes.POINTER(ctypes.c_ubyte))
+        ]
+
+    @classmethod
+    def _verify_enabled(cls):
+        if not cls.ENABLED:
+            raise OSError("DPAPI is only available on Windows")
+
+    @classmethod
+    def decrypt(cls, base64_enc_string: str) -> str:
+        cls._verify_enabled()
+        encrypted_bytes = base64.b64decode(base64_enc_string.encode())
+        buffer = ctypes.create_string_buffer(encrypted_bytes)
+        input_blob = cls.DataBlob(
+            len(encrypted_bytes),
+            ctypes.cast(buffer, ctypes.POINTER(ctypes.c_ubyte))
+        )
+        output_blob = cls.DataBlob()
+        crypt_res = ctypes.windll.crypt32.CryptUnprotectData(
+            ctypes.byref(input_blob),
+            None,
+            None,
+            None,
+            None,
+            0,
+            ctypes.byref(output_blob)
+        )
+        if crypt_res:
+            plaintext = ctypes.string_at(output_blob.pbData, output_blob.cbData)
+            ctypes.windll.kernel32.LocalFree(output_blob.pbData)
+            return plaintext.decode()
+        else:
+            raise ctypes.WinError()
+
+    @classmethod
+    def encrypt(cls, plaintext: str) -> str:
+        cls._verify_enabled()
+        plain_bytes = plaintext.encode()
+        buffer = ctypes.create_string_buffer(plain_bytes)
+        input_blob = cls.DataBlob(
+            len(plain_bytes),
+            ctypes.cast(buffer, ctypes.POINTER(ctypes.c_ubyte))
+        )
+        output_blob = cls.DataBlob()
+        crypt_res = ctypes.windll.crypt32.CryptProtectData(
+            ctypes.byref(input_blob),
+            None,
+            None,
+            None,
+            None,
+            0,
+            ctypes.byref(output_blob)
+        )
+        if crypt_res:
+            encrypted = ctypes.string_at(output_blob.pbData, output_blob.cbData)
+            ctypes.windll.kernel32.LocalFree(output_blob.pbData)
+            return base64.b64encode(encrypted).decode()
+        else:
+            raise ctypes.WinError()

python4cpm-1.0.15/src/python4cpm/logger.py

@@ -0,0 +1,46 @@
+import os
+import logging
+from logging.handlers import RotatingFileHandler
+
+
+_LOGS_DIR = os.path.join("Logs", "ThirdParty", "Python4CPM")
+_CPM_ROOT_DIR = "C:\\Program Files (x86)\\CyberArk\\Password Manager"
+if os.path.exists(_CPM_ROOT_DIR):
+    _LOGS_DIR = os.path.join(_CPM_ROOT_DIR, _LOGS_DIR)
+_LOGGING_ENABLED_VALUE = "yes"
+_LOGGING_LEVELS = {
+    "info": logging.INFO,
+    "debug": logging.DEBUG
+    }
+
+
+def get_logger(
+    name: str,
+    args_logging: str,
+    args_logging_level: str
+) -> logging.Logger:
+    if args_logging is None:
+        return None
+    if args_logging.lower() != _LOGGING_ENABLED_VALUE:
+        return None
+    os.makedirs(_LOGS_DIR, exist_ok=True)
+    logs_file = os.path.join(_LOGS_DIR, f"{name}.log")
+    _id = os.urandom(4).hex()
+    logger = logging.getLogger(_id)
+    logging_level = args_logging_level.lower()
+    if logging_level in _LOGGING_LEVELS:
+        logger.setLevel(_LOGGING_LEVELS[logging_level])
+    else:
+        logger.setLevel(_LOGGING_LEVELS["info"])
+    handler = RotatingFileHandler(
+        filename=logs_file,
+        maxBytes=1 * 1024 * 1024,
+        backupCount=1
+    )
+    formatter = logging.Formatter(
+        fmt="%(asctime)s | %(name)s | %(levelname)s | %(message)s",
+        datefmt="%Y-%m-%d %H:%M:%S"
+    )
+    handler.setFormatter(formatter)
+    logger.addHandler(handler)
+    return logger

python4cpm-1.0.15/src/python4cpm/nethelper.py

@@ -0,0 +1,47 @@
+from python4cpm.python4cpm import Python4CPM
+from python4cpm.args import Args
+from python4cpm.secrets import Secrets
+from python4cpm.crypto import Crypto
+import os
+
+
+class NETHelper:
+    @classmethod
+    def run(
+        cls,
+        action: str = "",
+        address: str = "",
+        username: str = "",
+        logon_username: str = "",
+        reconcile_username: str = "",
+        logging: str = "",
+        logging_level: str = "",
+        password: str = "",
+        logon_password: str = "",
+        reconcile_password: str = "",
+        new_password: str = ""
+    ) -> Python4CPM:
+        _args = [
+            action,
+            address,
+            username,
+            logon_username,
+            reconcile_username,
+            logging,
+            logging_level
+        ]
+        for i, arg in enumerate(Args.ARGS):
+            os.environ[f"PYTHON4CPM_{arg.upper()}"] = _args[i]
+        _secrets = [
+            password,
+            logon_password,
+            reconcile_password,
+            new_password
+        ]
+        for i, secret in enumerate(Secrets.SECRETS):
+            if Crypto.ENABLED:
+                _secret = Crypto.encrypt(_secrets[i])
+            else:
+                _secret = _secrets[i]
+            os.environ[f"PYTHON4CPM_{secret.upper()}"] = _secret
+        return Python4CPM(cls.__name__)

python4cpm-1.0.15/src/python4cpm/python4cpm.py

@@ -0,0 +1,118 @@
+import os
+import sys
+import logging
+from python4cpm.secrets import Secrets
+from python4cpm.args import Args
+from python4cpm.logger import get_logger
+
+
+class Python4CPM:
+    ACTION_VERIFY = "verifypass"
+    ACTION_LOGON = "logon"
+    ACTION_CHANGE = "changepass"
+    ACTION_PRERECONCILE = "prereconcilepass"
+    ACTION_RECONCILE = "reconcilepass"
+    _VALID_ACTIONS = (
+        ACTION_VERIFY,
+        ACTION_LOGON,
+        ACTION_CHANGE,
+        ACTION_PRERECONCILE,
+        ACTION_RECONCILE,
+    )
+    _SUCCESS_CODE = 0
+    _FAILED_RECOVERABLE_CODE = 81
+    _FAILED_UNRECOVERABLE_CODE = 89
+    _ENV_PREFIX = "PYTHON4CPM_"
+
+    def __init__(self, name: str) -> None:
+        self._name = name
+        args = self._get_args()
+        self._args = Args(**args)
+        self._logger = get_logger(
+            self._name,
+            self._args.logging,
+            self._args.logging_level
+        )
+        self.log_info("Python4CPM.__init__: initiating...")
+        self._log_args()
+        self._verify_action()
+        secrets = self._get_secrets()
+        self._secrets = Secrets(**secrets)
+
+    @property
+    def args(self) -> Args:
+        return self._args
+
+    @property
+    def secrets(self) -> Secrets:
+        return self._secrets
+
+    @property
+    def logger(self) -> logging.Logger:
+        return self._logger
+
+    def log_debug(self, message: str) -> None:
+        if self._logger is not None:
+            self._logger.debug(message)
+
+    def log_info(self, message: str) -> None:
+        if self._logger is not None:
+            self._logger.info(message)
+
+    def log_warning(self, message: str) -> None:
+        if self._logger is not None:
+            self._logger.warning(message)
+
+    def log_error(self, message: str) -> None:
+        if self._logger is not None:
+            self._logger.error(message)
+
+    @classmethod
+    def _get_env_key(cls, key: str) -> str:
+        return f"{cls._ENV_PREFIX}{key.upper()}"
+
+    @classmethod
+    def _get_args(cls) -> dict:
+        args = {}
+        for arg in Args.ARGS:
+            args[arg] = os.environ.get(cls._get_env_key(arg))
+        return args
+
+    def _get_secrets(self) -> dict:
+        secrets = {}
+        for secret in Secrets.SECRETS:
+            secrets[secret] = os.environ.get(self._get_env_key(secret))
+            common_message = f"Python4CPM._get_secrets: {secret} ->"
+            if secrets[secret]:
+                self.log_info(f"{common_message} [*******]")
+            else:
+                self.log_info(f"{common_message} [NOT SET]")
+        return secrets
+
+    def _verify_action(self) -> None:
+        if self.args.action not in self._VALID_ACTIONS:
+            self.log_warning(
+                f"Python4CPM._verify_action: unkonwn action -> {self.args.action}"
+            )
+
+    def _log_args(self) -> None:
+        for key, value in vars(self._args).items():
+            common_message = f"Python4CPM._log_args: {key.strip('_')} ->"
+            if value:
+                self.log_info(f"{common_message} {value}")
+            else:
+                self.log_info(f"{common_message} [NOT SET]")
+
+    def close_fail(self, unrecoverable: bool = False) -> None:
+        if unrecoverable is False:
+            code = self._FAILED_RECOVERABLE_CODE
+        else:
+            code = self._FAILED_UNRECOVERABLE_CODE
+        self.log_error(f"Python4CPM.close_fail: closing with code {code}")
+        sys.exit(code)
+
+    def close_success(self) -> None:
+        self.log_info(
+            f"Python4CPM.close_success: closing with code {self._SUCCESS_CODE}"
+        )
+        sys.exit(self._SUCCESS_CODE)

python4cpm-1.0.15/src/python4cpm/secrets.py

@@ -0,0 +1,54 @@
+from python4cpm.crypto import Crypto
+
+
+class SecureString:
+    def __init__(self, secret: str) -> None:
+        self._secret = secret
+        self._is_encrypted = Crypto.ENABLED
+
+    @property
+    def is_encrypted(self):
+        return self._is_encrypted
+
+    def get(self) -> str:
+        if self._is_encrypted and self._secret:
+            return Crypto.decrypt(self._secret)
+        else:
+            return self._secret
+
+
+class Secrets:
+    SECRETS = (
+        "password",
+        "logon_password",
+        "reconcile_password",
+        "new_password"
+    )
+
+    def __init__(
+        self: str,
+        password: str,
+        logon_password: str,
+        reconcile_password: str,
+        new_password: str
+    ) -> None:
+        self._password = SecureString(password)
+        self._logon_password = SecureString(logon_password)
+        self._reconcile_password = SecureString(reconcile_password)
+        self._new_password = SecureString(new_password)
+
+    @property
+    def password(self) -> str:
+        return self._password
+
+    @property
+    def new_password(self) -> str:
+        return self._new_password
+
+    @property
+    def logon_password(self) -> str:
+        return self._logon_password
+
+    @property
+    def reconcile_password(self) -> str:
+        return self._reconcile_password

{python4cpm-1.0.14 → python4cpm-1.0.15/src/python4cpm.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python4cpm
-Version: 1.0.14
+Version: 1.0.15
 Summary: Python for CPM
 Author-email: Gonzalo Atienza Rela <gonatienza@gmail.com>
 License: MIT License
@@ -32,9 +32,9 @@ Dynamic: license-file
 
 # Python4CPM
 
-A simple way of using python scripts with CyberArk CPM rotations.  This module levereages the [Terminal Plugin Controller](https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/plug-in-terminal-plugin-controller.htm) (TPC) in CPM to offload a password rotation logic into a script.
+A simple way of using python scripts with CyberArk CPM rotations.  This module levereages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into a python script.
 
-This platform allows you to duplicate it multiple times, simply changing its settings from Privilege Cloud/PVWA to point to different python scripts leveraging the module included with the base platform.
+This platform allows you to duplicate it multiple times, simply changing its settings from Privilege Cloud/PVWA to point to different python scripts leveraging the module `python4cpm`.
 
 ## Installation
 
@@ -52,15 +52,16 @@ This platform allows you to duplicate it multiple times, simply changing its set
 
 ### Importing the platform
 
-1. Download the [latest platform zip file](https://github.com/gonatienza/python4cpm/releases/download/latest/python4cpm-platform.zip).
-2. Import the platform zip file into Privilege Cloud/PVWA `(Administration -> Platform Management -> Import platform)`.
-3. Craft your python script and place it within the bin folder of CPM (`C:\Program Files (x86)\CyberArk\Password Manager\bin`).
-4. Duplicate the imported platform in Privilege Cloud/PVWA `(Administration -> Platform Management -> Application -> Python for CPM)` and name it after your application (e.g., My App).
-5. Edit the duplicated platform and specify the path of your placed script in the bin folder of CPM, under `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonScriptPath -> Value` (e.g., `bin\myapp.py`).
-6. If you used a custom venv location, also update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonExePath -> Value` with the custom path for the venv's `python.exe` file (e.g., `c:\my-venv-path\Scripts\python.exe`).
-7. If you want to disable logging, update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonLogging -> Value` to `no`.
-8. If you want to change the logging level to `debug`, update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonLoggingLevel -> Value` to `debug`.
-9. For new applications repeat steps from 3 to 8.
+1. Download the latest [Credential Management .NET SDK](https://community.cyberark.com/marketplace/s/#a3550000000EkA0AAK-a3950000000jjoOAAQ) and place its content in the bin folder of CPM (`C:\Program Files (x86)\CyberArk\Password Manager\bin`).
+2. Download the [latest platform zip file](https://github.com/gonatienza/python4cpm/releases/download/latest/python4cpm-platform.zip).
+3. Import the platform zip file into Privilege Cloud/PVWA `(Administration -> Platform Management -> Import platform)`.
+4. Craft your python script and place it within the bin folder of CPM (`C:\Program Files (x86)\CyberArk\Password Manager\bin`).
+5. Duplicate the imported platform in Privilege Cloud/PVWA `(Administration -> Platform Management -> Application -> Python for CPM)` and name it after your application (e.g., My App).
+6. Edit the duplicated platform and specify the path of your placed script in the bin folder of CPM, under `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonScriptPath -> Value` (e.g., `bin\myapp.py`).
+7. If you used a custom venv location, also update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonExePath -> Value` with the custom path for the venv's `python.exe` file (e.g., `c:\my-venv-path\Scripts\python.exe`).
+8. If you want to disable logging, update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonLogging -> Value` to `no`.
+9. If you want to change the logging level to `debug`, update `Target Account Platform -> Automatic Platform Management -> Additional Policy Settings -> Parameters -> PythonLoggingLevel -> Value` to `debug`.
+10. For new applications repeat steps from 4 to 9.
 
 
 ## Python Script
@@ -137,7 +138,7 @@ def change(from_reconcile=False):
 
 if __name__ == "__main__":
     try:
-        if action == Python4CPM.ACTION_VERIFY: # class attribute ACTION_VERIFY holds the verify action value
+        if p4cpm.args.action == Python4CPM.ACTION_VERIFY: # class attribute ACTION_VERIFY holds the verify action value
             verify()
             p4cpm.close_success() # terminate with success state
         elif p4cpm.args.action == Python4CPM.ACTION_LOGON: # class attribute ACTION_LOGON holds the logon action value
@@ -159,7 +160,7 @@ if __name__ == "__main__":
             ## p4cpm.log_error("reconciliation is not supported") # let the logs know that reconciliation is not supported
             ## p4cpm.close_fail() # let CPM know to check the logs
         else:
-            p4cpm.log_error(f"invalid action: '{action}'") # logs into Logs/ThirdParty/Python4CPM/MyApp.log
+            p4cpm.log_error(f"invalid action: '{p4cpm.args.action}'") # logs into Logs/ThirdParty/Python4CPM/MyApp.log
             p4cpm.close_fail(unrecoverable=True) # terminate with unrecoverable failed state
     except Exception as e:
         p4cpm.log_error(f"{type(e).__name__}: {e}")
@@ -189,14 +190,15 @@ As with any python venv, you can install dependancies in your venv.
 
 ## Dev Helper:
 
-TPC is a binary Terminal Plugin Controller in CPM.  It passes information to Python4CPM through arguments and prompts when calling the script.
-For dev purposes, `TPCHelper` is a companion helper that simplifies the instantiation of the `Python4CPM` object by simulating how TPC passes those arguments and prompts.
+For dev purposes, `NETHelper` is a companion helper that simplifies the instantiation of the `Python4CPM` object by simulating how the plugin passes arguments and secrets to `Python4CPM`.
 Install this module (in a dev workstation) with:
 
 ```bash
 pip install python4cpm
 ```
 
+**Note**: As CPM runs in Windows, the plugin was built to pass secrets securely to the `Python4CPM.crypto` module using the Data Protection API (DPAPI).  For dev purposes in Linux/Mac dev workstations, those secrets will appear as plaintext in the process environment.  This is informational only, the module will use its encryption/decryption capabilities automatically in Windows and you do not have to do anything specific to enable it.
+
 ### Example:
 
 ```python

{python4cpm-1.0.14 → python4cpm-1.0.15}/src/python4cpm.egg-info/SOURCES.txt

@@ -2,8 +2,12 @@ LICENSE
 README.md
 pyproject.toml
 src/python4cpm/__init__.py
+src/python4cpm/args.py
+src/python4cpm/crypto.py
+src/python4cpm/logger.py
+src/python4cpm/nethelper.py
 src/python4cpm/python4cpm.py
-src/python4cpm/tpchelper.py
+src/python4cpm/secrets.py
 src/python4cpm.egg-info/PKG-INFO
 src/python4cpm.egg-info/SOURCES.txt
 src/python4cpm.egg-info/dependency_links.txt

python4cpm-1.0.14/src/python4cpm/__init__.py

@@ -1,13 +0,0 @@
-from python4cpm.python4cpm import Args, Secret, Secrets, Python4CPM
-from python4cpm.tpchelper import TPCHelper
-from importlib.metadata import version as __version
-
-__version__ = __version(__name__)
-
-__all__ = [
-    Args,
-    Secret,
-    Secrets,
-    Python4CPM,
-    TPCHelper
-]

python4cpm-1.0.14/src/python4cpm/python4cpm.py

@@ -1,257 +0,0 @@
-import os
-import sys
-import logging
-from logging.handlers import RotatingFileHandler
-from argparse import ArgumentParser
-
-
-class Args:
-    ARGS = (
-        "action",
-        "address",
-        "username",
-        "logon_username",
-        "reconcile_username",
-        "logging",
-        "logging_level"
-    )
-
-    def __init__(
-        self: str,
-        action: str,
-        address: str,
-        username: str,
-        reconcile_username: str,
-        logon_username: str,
-        logging: str,
-        logging_level: str
-    ) -> None:
-        self._action = action
-        self._address = address
-        self._username = username
-        self._reconcile_username = reconcile_username
-        self._logon_username = logon_username
-        self._logging = logging
-        self._logging_level = logging_level
-
-    @property
-    def action(self) -> str:
-        return self._action
-
-    @property
-    def address(self) -> str:
-        return self._address
-
-    @property
-    def username(self) -> str:
-        return self._username
-
-    @property
-    def reconcile_username(self) -> str:
-        return self._reconcile_username
-
-    @property
-    def logon_username(self) -> str:
-        return self._logon_username
-
-    @property
-    def logging(self) -> str:
-        return self._logging
-
-    @property
-    def logging_level(self) -> str:
-        return self._logging_level
-
-
-class Secret:
-    def __init__(self, value: str) -> None:
-        self._secret = value
-
-    def __repr__(self) -> str:
-        return f"{self.__class__.__name__}('***')"
-
-    def get(self) -> str:
-        return self._secret
-
-
-class Secrets:
-    SECRETS = (
-        "password",
-        "logon_password",
-        "reconcile_password",
-        "new_password"
-    )
-
-    def __init__(
-        self: str,
-        password: str,
-        logon_password: str,
-        reconcile_password: str,
-        new_password: str
-    ) -> None:
-        self._password = Secret(password)
-        self._logon_password = Secret(logon_password)
-        self._reconcile_password = Secret(reconcile_password)
-        self._new_password = Secret(new_password)
-
-    @property
-    def password(self) -> str:
-        return self._password
-
-    @property
-    def new_password(self) -> str:
-        return self._new_password
-
-    @property
-    def logon_password(self) -> str:
-        return self._logon_password
-
-    @property
-    def reconcile_password(self) -> str:
-        return self._reconcile_password
-
-
-class Python4CPM:
-    ACTION_VERIFY = "verifypass"
-    ACTION_LOGON = "logon"
-    ACTION_CHANGE = "changepass"
-    ACTION_PRERECONCILE = "prereconcilepass"
-    ACTION_RECONCILE = "reconcilepass"
-    _VALID_ACTIONS = (
-        ACTION_VERIFY,
-        ACTION_LOGON,
-        ACTION_CHANGE,
-        ACTION_PRERECONCILE,
-        ACTION_RECONCILE,
-    )
-    _LOGS_DIR = os.path.join("Logs", "ThirdParty", "Python4CPM")
-    _CPM_ROOT_DIR = "C:\\Program Files (x86)\\CyberArk\\Password Manager"
-    if os.path.exists(_CPM_ROOT_DIR):
-        _LOGS_DIR = os.path.join(_CPM_ROOT_DIR, _LOGS_DIR)
-    _LOGGING_ENABLED_VALUE = "yes"
-    _LOGGING_LEVELS = {
-        "info": logging.INFO,
-        "debug": logging.DEBUG
-    }
-    _SECRETS_PADDING = "@@@"
-    _SUCCESS_PROMPT = "~~~SUCCESS~~~"
-    _FAILED_RECOVERABLE_PROMPT = "~~~FAILED_RECOVERABLE~~~"
-    _FAILED_UNRECOVERABLE_PROMPT = "~~~FAILED_UNRECOVERABLE~~~"
-
-    def __init__(self, name: str) -> None:
-        self._name = name
-        args = self._get_args()
-        self._args = Args(**args)
-        self._logger = self._get_logger(self._name)
-        self.log_info("Python4CPM.__init__: initiating...")
-        self._log_args()
-        self._verify_action()
-        secrets = self._get_secrets()
-        self._secrets = Secrets(**secrets)
-
-    @property
-    def args(self) -> Args:
-        return self._args
-
-    @property
-    def secrets(self) -> Secrets:
-        return self._secrets
-
-    @property
-    def logger(self) -> logging.Logger:
-        return self._logger
-
-    def log_debug(self, message: str) -> None:
-        if self._logger is not None:
-            self._logger.debug(message)
-
-    def log_info(self, message: str) -> None:
-        if self._logger is not None:
-            self._logger.info(message)
-
-    def log_warning(self, message: str) -> None:
-        if self._logger is not None:
-            self._logger.warning(message)
-
-    def log_error(self, message: str) -> None:
-        if self._logger is not None:
-            self._logger.error(message)
-
-    @staticmethod
-    def _get_args() -> dict:
-        parser = ArgumentParser()
-        for arg in Args.ARGS:
-            parser.add_argument(f"--{arg}")
-        args = parser.parse_args()
-        return dict(vars(args))
-
-    def _get_secrets(self) -> dict:
-        secrets = {}
-        try:
-            for secret in Secrets.SECRETS:
-                prompt = self._SECRETS_PADDING + secret + self._SECRETS_PADDING
-                secrets[secret] = input(prompt)
-                common_message = f"Python4CPM._get_secrets: {secret} ->"
-                if secrets[secret]:
-                    self.log_info(f"{common_message} [*******]")
-                else:
-                    self.log_info(f"{common_message} [NOT SET]")
-        except Exception as e:
-            self.log_error(f"Python4CPM._get_secrets: {type(e).__name__}: {e}")
-            self.close_fail()
-        return secrets
-
-    def _verify_action(self) -> None:
-        if self.args.action not in self._VALID_ACTIONS:
-            self.log_warning(
-                f"Python4CPM._verify_action: unkonwn action -> {self.args.action}"
-            )
-
-    def _log_args(self) -> None:
-        for key, value in vars(self._args).items():
-            common_message = f"Python4CPM._log_args: {key.strip('_')} ->"
-            if value:
-                self.log_info(f"{common_message} {value}")
-            else:
-                self.log_info(f"{common_message} [NOT SET]")
-
-    def _get_logger(self, name: str) -> logging.Logger:
-        if self._args.logging is None:
-            return None
-        if self._args.logging.lower() != self._LOGGING_ENABLED_VALUE:
-            return None
-        os.makedirs(self._LOGS_DIR, exist_ok=True)
-        logs_file = os.path.join(self._LOGS_DIR, f"{name}.log")
-        logger = logging.getLogger(name)
-        logging_level = self._args.logging_level.lower()
-        if logging_level in self._LOGGING_LEVELS:
-            logger.setLevel(self._LOGGING_LEVELS[logging_level])
-        else:
-            logger.setLevel(self._LOGGING_LEVELS["info"])
-        handler = RotatingFileHandler(
-            filename=logs_file,
-            maxBytes=1 * 1024 * 1024,
-            backupCount=2
-        )
-        formatter = logging.Formatter(
-            fmt="%(asctime)s | %(levelname)s | %(message)s",
-            datefmt="%Y-%m-%d %H:%M:%S"
-        )
-        handler.setFormatter(formatter)
-        logger.addHandler(handler)
-        return logger
-
-    def close_fail(self, unrecoverable: bool = False) -> None:
-        if unrecoverable is False:
-            prompt = self._FAILED_RECOVERABLE_PROMPT
-        else:
-            prompt = self._FAILED_UNRECOVERABLE_PROMPT
-        self.log_error(f"Python4CPM.close_fail: closing with {prompt}")
-        print(prompt)
-        sys.exit(1)
-
-    def close_success(self) -> None:
-        prompt = self._SUCCESS_PROMPT
-        self.log_info(f"Python4CPM.close_success: closing with {prompt}")
-        print(prompt)
-        sys.exit(0)

python4cpm-1.0.14/src/python4cpm/tpchelper.py

@@ -1,44 +0,0 @@
-from .python4cpm import Python4CPM, Args
-from unittest import mock
-
-
-class TPCHelper:
-    @classmethod
-    def run(
-        cls,
-        action: str = "",
-        address: str = "",
-        username: str = "",
-        logon_username: str = "",
-        reconcile_username: str = "",
-        logging: str = "",
-        logging_level: str = "",
-        password: str = "",
-        logon_password: str = "",
-        reconcile_password: str = "",
-        new_password: str = ""
-    ) -> Python4CPM:
-        args = [
-            "", # sys.argv[0] is ignored by argparse
-            f"--{Args.ARGS[0]}={action}",
-            f"--{Args.ARGS[1]}={address}",
-            f"--{Args.ARGS[2]}={username}",
-            f"--{Args.ARGS[3]}={logon_username}",
-            f"--{Args.ARGS[4]}={reconcile_username}",
-            f"--{Args.ARGS[5]}={logging}",
-            f"--{Args.ARGS[6]}={logging_level}"
-        ]
-        secrets = (
-            password,
-            logon_password,
-            reconcile_password,
-            new_password
-        )
-        with mock.patch(
-            "sys.argv",
-            args
-        ), mock.patch(
-            "builtins.input",
-            side_effect=secrets
-        ):
-            return Python4CPM(cls.__name__)