python4cpm 1.1.1__tar.gz → 1.1.2__tar.gz

{python4cpm-1.1.1/src/python4cpm.egg-info → python4cpm-1.1.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python4cpm
-Version: 1.1.1
+Version: 1.1.2
 Summary: Python for CPM
 Author-email: Gonzalo Atienza Rela <gonatienza@gmail.com>
 License-Expression: MIT
@@ -11,9 +11,15 @@ Dynamic: license-file
 
 # Python4CPM
 
-A simple way of using python scripts with CyberArk CPM/SRS rotations.  This module leverages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into a python script.
+A simple and secure way of using python scripts with CyberArk CPM/SRS password rotations.
 
-This platform allows you to duplicate it multiple times, simply changing its settings from Privilege Cloud/PVWA to point to different python scripts leveraging the module `python4cpm`.
+## How it works
+
+This module leverages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into Python.
+
+All objects are collected from the SDK and sent as environment context to be picked up by the `python4cpm` module during the subprocess execution of python. All secrets of such environment are protected and encrypted by [Data Protection API (DPAPI)](https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection), until they are explicitely retrieved in your python script runtime, invoking the `Secret.get()` method.  Finally, python controls the termination signal sent back to the SDK, which is consequently used as the return code to CPM/SRS.  Such as a successful or failed (recoverable or not) result of the requested action.
+
+This platform allows you to duplicate it multiple times, simply changing its settings (with regular day two operations from Privilege Cloud/PVWA) to point to different venvs and/or python scripts.
 
 ## Installation
 
@@ -98,9 +104,7 @@ class MyRotator(Python4CPMHandler): # create a subclass for the Handler
         self.logger.info("this is an info message")
         self.logger.debug("this is a debug message")
 
-        # logs are placed in Logs/ThirdParty/MyRotator.log
-
-        ## The logging level comes from PythonLoggingLevel (platform parameters) (default is error)
+        # The logging level comes from PythonLoggingLevel (platform parameters) (default is error)
 
     =============================
     REQUIRED TERMINATION SIGNALS
@@ -108,13 +112,13 @@ class MyRotator(Python4CPMHandler): # create a subclass for the Handler
     Terminate signals -> MUST use one of the following three signals to terminate the script:
 
         self.close_success()
-        # terminate with success state
+        # terminate and provide CPM/SRS with a success state
 
         self.close_fail()
-        # terminate with recoverable failed state
+        # terminate and provide CPM/SRS with a failed recoverable state
         
         self.close_fail(unrecoverable=True)
-        # terminate with unrecoverable failed state
+        # terminate and provide CPM/SRS with a failed unrecoverable state
 
     When calling a signal sys.exit is invoked and the script is terminated.
     If no signal is called, and the script finishes without any exception,
@@ -189,9 +193,10 @@ When doing `verify`, `change` or `reconcile` from Privilege Cloud/PVWA:
     - If both actions are not terminated with `self.close_success()` and the scripts terminates without any exception, CPM/SRS will see this as a `self.close_fail(unrecoverable=True)`.
 3. Reconcile -> the sciprt will be executed twice, running first the `MyRotator.prereconcile()` method and secondly the `MyRotator.reconcile()` method.
     - If both actions are not terminated with `self.close_success()` and the scripts terminates without any exception, CPM/SRS will see this as a `self.close_fail(unrecoverable=True)`.
-4. When calling `MyRotator.verify()`, `MyRotator.logon()` or `MyRotator.prereconcile()`: `self.secrets.new_password.get()` will always return an empty string.
-5. If a logon account is not linked, `self.args.logon_username` and `self.secrets.logon_password.get()` will return empty strings.
-6. If a reconcile account is not linked, `self.args.reconcile_username` and `self.secrets.reconcile_password.get()` will return empty strings.
+4. When calling `MyRotator.verify()`, `MyRotator.logon()` or `MyRotator.prereconcile()`: `self.target_account.new_password.get()` will always return an empty string.
+5. If a logon account is not linked, `self.logon_account.username` and `self.logon_account.password.get()` will return empty strings.
+6. If a reconcile account is not linked, `self.reconcile_account.username` and `self.reconcile_account.password.get()` will return empty strings.
+7. The python `Logger` places its logs in the `Logs/ThirdParty` directory.  The filename will be based on the name of the subclass created (e.g., `MyRotator`).
 
 
 ### Installing dependencies in python venv
@@ -205,14 +210,9 @@ As with any python venv, you can install dependencies in your venv.
 
 ## Dev Helper:
 
-For dev purposes, `NETHelper` is a companion helper that simplifies the instantiation of the `Python4CPM` or `Python4CPMHandler` objects by simulating how the plugin passes arguments and secrets to the modules.
-Install this module (in a dev workstation) with:
-
-```bash
-pip install python4cpm
-```
+For dev purposes, `NETHelper` is a companion helper to test your scripts before shipping to CPM/SRS.  It simplifies the instantiation of the `Python4CPM` or `Python4CPMHandler` objects by simulating how the plugin creates the environment context for the python module.
 
-**Note**: As CPM runs in Windows, the plugin was built to pass secrets securely to the `Python4CPM.crypto` module using the Data Protection API (DPAPI).  For dev purposes in Linux/Mac dev workstations, those secrets will appear as plaintext in the environment of the process.  This is informational only, the module will use its encryption/decryption capabilities automatically in Windows and you do not have to do anything specific to enable it.
+**Note**: As CPM and the SRS management agent run in Windows, the plugin was built to encrypt secrets using DPAPI (a windows only library).  For dev purposes in Linux/Mac dev workstations, those secrets put in the environment context by `NETHelper` will be in plaintext.  In windows dev workstations, `NETHelper` encrypts the secrets as the .NET plugin does.  This is informational only, **the module will use its encryption/decryption capabilities automatically based on the platform** it is running on and you do not have to do anything specific to enable it.
 
 ### Example:
 
@@ -231,16 +231,16 @@ target_new_password = getpass("new_password: ") # new password for the rotation
 
 NETHelper.set(
     action=Python4CPM.ACTION_CHANGE, # use actions from Python4CPM.ACTION_*
-    target_username="jdoe",
-    target_address="myapp.corp.local",
-    target_port="8443",
-    logon_username="ldoe",
-    reconcile_username="rdoe",
+    target_username="jdoe", # -> will fall under MyRotator.target_account.username
+    target_address="myapp.corp.local", # -> will fall under MyRotator.target_account.address
+    target_port="8443", # -> will fall under MyRotator.target_account.port
+    logon_username="ldoe", # -> will fall under MyRotator.logon_account.username
+    reconcile_username="rdoe", # -> will fall under MyRotator.reconcile_account.username
     logging_level="debug", # "critical", "error", "warning", "info" or "debug"
-    target_password=target_password,
-    logon_password=logon_password,
-    reconcile_password=reconcile_password,
-    target_new_password=target_new_password
+    target_password=target_password, # -> will fall under MyRotator.target_account.password.get()
+    logon_password=logon_password, # -> will fall under MyRotator.logon_account.password.get()
+    reconcile_password=reconcile_password, # -> will fall under MyRotator.reconcile_account.password.get()
+    target_new_password=target_new_password # -> will fall under MyRotator.target_account.new_password.get()
 )
 
 class MyRotator(Python4CPMHandler):

{python4cpm-1.1.1 → python4cpm-1.1.2}/README.md

@@ -1,8 +1,14 @@
 # Python4CPM
 
-A simple way of using python scripts with CyberArk CPM/SRS rotations.  This module leverages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into a python script.
+A simple and secure way of using python scripts with CyberArk CPM/SRS password rotations.
 
-This platform allows you to duplicate it multiple times, simply changing its settings from Privilege Cloud/PVWA to point to different python scripts leveraging the module `python4cpm`.
+## How it works
+
+This module leverages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into Python.
+
+All objects are collected from the SDK and sent as environment context to be picked up by the `python4cpm` module during the subprocess execution of python. All secrets of such environment are protected and encrypted by [Data Protection API (DPAPI)](https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection), until they are explicitely retrieved in your python script runtime, invoking the `Secret.get()` method.  Finally, python controls the termination signal sent back to the SDK, which is consequently used as the return code to CPM/SRS.  Such as a successful or failed (recoverable or not) result of the requested action.
+
+This platform allows you to duplicate it multiple times, simply changing its settings (with regular day two operations from Privilege Cloud/PVWA) to point to different venvs and/or python scripts.
 
 ## Installation
 
@@ -87,9 +93,7 @@ class MyRotator(Python4CPMHandler): # create a subclass for the Handler
         self.logger.info("this is an info message")
         self.logger.debug("this is a debug message")
 
-        # logs are placed in Logs/ThirdParty/MyRotator.log
-
-        ## The logging level comes from PythonLoggingLevel (platform parameters) (default is error)
+        # The logging level comes from PythonLoggingLevel (platform parameters) (default is error)
 
     =============================
     REQUIRED TERMINATION SIGNALS
@@ -97,13 +101,13 @@ class MyRotator(Python4CPMHandler): # create a subclass for the Handler
     Terminate signals -> MUST use one of the following three signals to terminate the script:
 
         self.close_success()
-        # terminate with success state
+        # terminate and provide CPM/SRS with a success state
 
         self.close_fail()
-        # terminate with recoverable failed state
+        # terminate and provide CPM/SRS with a failed recoverable state
         
         self.close_fail(unrecoverable=True)
-        # terminate with unrecoverable failed state
+        # terminate and provide CPM/SRS with a failed unrecoverable state
 
     When calling a signal sys.exit is invoked and the script is terminated.
     If no signal is called, and the script finishes without any exception,
@@ -178,9 +182,10 @@ When doing `verify`, `change` or `reconcile` from Privilege Cloud/PVWA:
     - If both actions are not terminated with `self.close_success()` and the scripts terminates without any exception, CPM/SRS will see this as a `self.close_fail(unrecoverable=True)`.
 3. Reconcile -> the sciprt will be executed twice, running first the `MyRotator.prereconcile()` method and secondly the `MyRotator.reconcile()` method.
     - If both actions are not terminated with `self.close_success()` and the scripts terminates without any exception, CPM/SRS will see this as a `self.close_fail(unrecoverable=True)`.
-4. When calling `MyRotator.verify()`, `MyRotator.logon()` or `MyRotator.prereconcile()`: `self.secrets.new_password.get()` will always return an empty string.
-5. If a logon account is not linked, `self.args.logon_username` and `self.secrets.logon_password.get()` will return empty strings.
-6. If a reconcile account is not linked, `self.args.reconcile_username` and `self.secrets.reconcile_password.get()` will return empty strings.
+4. When calling `MyRotator.verify()`, `MyRotator.logon()` or `MyRotator.prereconcile()`: `self.target_account.new_password.get()` will always return an empty string.
+5. If a logon account is not linked, `self.logon_account.username` and `self.logon_account.password.get()` will return empty strings.
+6. If a reconcile account is not linked, `self.reconcile_account.username` and `self.reconcile_account.password.get()` will return empty strings.
+7. The python `Logger` places its logs in the `Logs/ThirdParty` directory.  The filename will be based on the name of the subclass created (e.g., `MyRotator`).
 
 
 ### Installing dependencies in python venv
@@ -194,14 +199,9 @@ As with any python venv, you can install dependencies in your venv.
 
 ## Dev Helper:
 
-For dev purposes, `NETHelper` is a companion helper that simplifies the instantiation of the `Python4CPM` or `Python4CPMHandler` objects by simulating how the plugin passes arguments and secrets to the modules.
-Install this module (in a dev workstation) with:
-
-```bash
-pip install python4cpm
-```
+For dev purposes, `NETHelper` is a companion helper to test your scripts before shipping to CPM/SRS.  It simplifies the instantiation of the `Python4CPM` or `Python4CPMHandler` objects by simulating how the plugin creates the environment context for the python module.
 
-**Note**: As CPM runs in Windows, the plugin was built to pass secrets securely to the `Python4CPM.crypto` module using the Data Protection API (DPAPI).  For dev purposes in Linux/Mac dev workstations, those secrets will appear as plaintext in the environment of the process.  This is informational only, the module will use its encryption/decryption capabilities automatically in Windows and you do not have to do anything specific to enable it.
+**Note**: As CPM and the SRS management agent run in Windows, the plugin was built to encrypt secrets using DPAPI (a windows only library).  For dev purposes in Linux/Mac dev workstations, those secrets put in the environment context by `NETHelper` will be in plaintext.  In windows dev workstations, `NETHelper` encrypts the secrets as the .NET plugin does.  This is informational only, **the module will use its encryption/decryption capabilities automatically based on the platform** it is running on and you do not have to do anything specific to enable it.
 
 ### Example:
 
@@ -220,16 +220,16 @@ target_new_password = getpass("new_password: ") # new password for the rotation
 
 NETHelper.set(
     action=Python4CPM.ACTION_CHANGE, # use actions from Python4CPM.ACTION_*
-    target_username="jdoe",
-    target_address="myapp.corp.local",
-    target_port="8443",
-    logon_username="ldoe",
-    reconcile_username="rdoe",
+    target_username="jdoe", # -> will fall under MyRotator.target_account.username
+    target_address="myapp.corp.local", # -> will fall under MyRotator.target_account.address
+    target_port="8443", # -> will fall under MyRotator.target_account.port
+    logon_username="ldoe", # -> will fall under MyRotator.logon_account.username
+    reconcile_username="rdoe", # -> will fall under MyRotator.reconcile_account.username
     logging_level="debug", # "critical", "error", "warning", "info" or "debug"
-    target_password=target_password,
-    logon_password=logon_password,
-    reconcile_password=reconcile_password,
-    target_new_password=target_new_password
+    target_password=target_password, # -> will fall under MyRotator.target_account.password.get()
+    logon_password=logon_password, # -> will fall under MyRotator.logon_account.password.get()
+    reconcile_password=reconcile_password, # -> will fall under MyRotator.reconcile_account.password.get()
+    target_new_password=target_new_password # -> will fall under MyRotator.target_account.new_password.get()
 )
 
 class MyRotator(Python4CPMHandler):

{python4cpm-1.1.1 → python4cpm-1.1.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "python4cpm"
-version = "1.1.1"
+version = "1.1.2"
 description = "Python for CPM"
 authors = [
   { name = "Gonzalo Atienza Rela", email = "gonatienza@gmail.com" }

{python4cpm-1.1.1 → python4cpm-1.1.2}/src/python4cpm/accounts.py

@@ -1,9 +1,12 @@
+from python4cpm.envhandler import EnvHandler, Props
 from python4cpm.secret import Secret
 
 
-class BaseAccount:
+class BaseAccount(EnvHandler):
+    PROPS = Props("username", "password")
+
     def __init__(
-        self: str,
+        self,
         username: str,
         password: str
     ) -> None:
@@ -20,15 +23,11 @@ class BaseAccount:
 
 
 class TargetAccount(BaseAccount):
-    ENV_VARS = (
-        "target_username",
-        "target_password",
-        "target_address",
-        "target_port",
-        "target_new_password"
-    )
+    OBJ_PREFIX = "target_"
+    PROPS = Props("username", "password", "address", "port", "new_password")
+
     def __init__(
-        self: str,
+        self,
         username: str,
         password: str,
         address: str,
@@ -57,14 +56,8 @@ class TargetAccount(BaseAccount):
 
 
 class LogonAccount(BaseAccount):
-    ENV_VARS = (
-        "logon_username",
-        "logon_password"
-    )
+    OBJ_PREFIX = "logon_"
 
 
 class ReconcileAccount(BaseAccount):
-    ENV_VARS = (
-        "reconcile_username",
-        "reconcile_password"
-    )
+    OBJ_PREFIX = "reconcile_"

{python4cpm-1.1.1 → python4cpm-1.1.2}/src/python4cpm/args.py

@@ -1,11 +1,12 @@
-class Args:
-    ARGS = (
-        "action",
-        "logging_level"
-    )
+from python4cpm.envhandler import EnvHandler, Props
+
+
+class Args(EnvHandler):
+    OBJ_PREFIX = "args_"
+    PROPS = Props("action", "logging_level")
 
     def __init__(
-        self: str,
+        self,
         action: str,
         logging_level: str
     ) -> None:

python4cpm-1.1.2/src/python4cpm/envhandler.py

@@ -0,0 +1,29 @@
+import os
+
+
+class Props:
+    def __init__(self, *props):
+        for prop in props:
+            setattr(self, prop, prop)
+
+    def __iter__(self) -> iter:
+        return iter(self.__dict__.values())
+
+
+class EnvHandler:
+    PREFIX = "python4cpm_"
+    OBJ_PREFIX = ""
+    PROPS = Props()
+
+    @classmethod
+    def get_key(cls, key: str) -> str:
+        env_key = f"{cls.PREFIX}{cls.OBJ_PREFIX}{key}"
+        return env_key.upper()
+
+    @classmethod
+    def get(cls) -> object:
+        kwargs = {}
+        for prop in cls.PROPS:
+            value = os.environ.get(cls.get_key(prop))
+            kwargs[prop] = value if value is not None else ""
+        return cls(**kwargs)

{python4cpm-1.1.1 → python4cpm-1.1.2}/src/python4cpm/logger.py

@@ -18,14 +18,14 @@ class Logger:
     def get_logger(
         cls,
         name: str,
-        args_logging_level: str
+        logging_level: str
     ) -> logging.Logger:
         os.makedirs(cls._LOGS_DIR, exist_ok=True)
         logs_file = os.path.join(cls._LOGS_DIR, f"{__name__}-{name}.log")
         _id = os.urandom(4).hex()
         logger = logging.getLogger(_id)
-        if args_logging_level.lower() in cls._LOGGING_LEVELS:
-            logger.setLevel(cls._LOGGING_LEVELS[args_logging_level.lower()])
+        if logging_level.lower() in cls._LOGGING_LEVELS:
+            logger.setLevel(cls._LOGGING_LEVELS[logging_level.lower()])
         else:
             logger.setLevel(cls._DEFAULT_LEVEL)
         handler = RotatingFileHandler(

python4cpm-1.1.2/src/python4cpm/nethelper.py

@@ -0,0 +1,60 @@
+from python4cpm.python4cpm import Python4CPM
+from python4cpm.args import Args
+from python4cpm.accounts import TargetAccount, LogonAccount, ReconcileAccount
+from python4cpm.crypto import Crypto
+import os
+
+
+class NETHelper:
+    @classmethod
+    def set(
+        cls,
+        action: str = "",
+        logging_level: str = "",
+        target_username: str = "",
+        target_address: str = "",
+        target_port: str = "",
+        logon_username: str = "",
+        reconcile_username: str = "",
+        target_password: str = "",
+        logon_password: str = "",
+        reconcile_password: str = "",
+        target_new_password: str = ""
+    ) -> None:
+        if Crypto.ENABLED:
+            target_password = Crypto.encrypt(target_password)
+            logon_password = Crypto.encrypt(logon_password)
+            reconcile_password = Crypto.encrypt(reconcile_password)
+            target_new_password = Crypto.encrypt(target_new_password)
+        keys = (
+            Args.get_key(Args.PROPS.action),
+            Args.get_key(Args.PROPS.logging_level),
+            TargetAccount.get_key(TargetAccount.PROPS.username),
+            TargetAccount.get_key(TargetAccount.PROPS.address),
+            TargetAccount.get_key(TargetAccount.PROPS.port),
+            LogonAccount.get_key(LogonAccount.PROPS.username),
+            ReconcileAccount.get_key(ReconcileAccount.PROPS.username),
+            TargetAccount.get_key(TargetAccount.PROPS.password),
+            LogonAccount.get_key(LogonAccount.PROPS.password),
+            ReconcileAccount.get_key(ReconcileAccount.PROPS.password),
+            TargetAccount.get_key(TargetAccount.PROPS.new_password)
+        )
+        values = (
+            action,
+            logging_level,
+            target_username,
+            target_address,
+            target_port,
+            logon_username,
+            reconcile_username,
+            target_password,
+            logon_password,
+            reconcile_password,
+            target_new_password
+        )
+        for i, key in enumerate(keys):
+            os.environ.update({key: values[i]})
+
+    @classmethod
+    def get(cls) -> Python4CPM:
+        return Python4CPM(cls.__name__)

{python4cpm-1.1.1 → python4cpm-1.1.2}/src/python4cpm/python4cpm.py

@@ -1,4 +1,3 @@
-import os
 import sys
 import atexit
 import logging
@@ -6,12 +5,8 @@ from python4cpm.secret import Secret
 from python4cpm.args import Args
 from python4cpm.crypto import Crypto
 from python4cpm.logger import Logger
-from python4cpm.accounts import (
-    BaseAccount,
-    TargetAccount,
-    LogonAccount,
-    ReconcileAccount
-)
+from python4cpm.accounts import TargetAccount, LogonAccount, ReconcileAccount
+
 
 class Python4CPM:
     ACTION_VERIFY = "verifypass"
@@ -29,18 +24,17 @@ class Python4CPM:
     _SUCCESS_CODE = 10
     _FAILED_RECOVERABLE_CODE = 81
     _FAILED_UNRECOVERABLE_CODE = 89
-    _ENV_PREFIX = "PYTHON4CPM_"
 
     def __init__(self, name: str) -> None:
         self._name = name
-        self._args = self._get_args()
+        self._args = Args.get()
+        self._target_account = TargetAccount.get()
+        self._logon_account = LogonAccount.get()
+        self._reconcile_account = ReconcileAccount.get()
         self._logger = Logger.get_logger(self._name, self._args.logging_level)
         self._logger.debug("Initiating...")
         self._log_obj(self._args)
         self._verify_action()
-        self._target_account = self._get_account(TargetAccount)
-        self._logon_account = self._get_account(LogonAccount)
-        self._reconcile_account = self._get_account(ReconcileAccount)
         self._log_obj(self._target_account)
         self._log_obj(self._logon_account)
         self._log_obj(self._reconcile_account)
@@ -67,25 +61,6 @@ class Python4CPM:
     def reconcile_account(self) -> ReconcileAccount:
         return self._reconcile_account
 
-    @classmethod
-    def _get_env_key(cls, key: str) -> str:
-        return f"{cls._ENV_PREFIX}{key.upper()}"
-
-    @classmethod
-    def _get_args(cls) -> Args:
-        kwargs = {}
-        for kwarg in Args.ARGS:
-            _kwarg = os.environ.get(cls._get_env_key(kwarg))
-            kwargs[kwarg] = _kwarg if _kwarg is not None else ""
-        return Args(**kwargs)
-
-    def _get_account(self, account_class: BaseAccount) -> BaseAccount:
-        args = []
-        for arg in account_class.ENV_VARS:
-            _arg = os.environ.get(self._get_env_key(arg))
-            args.append(_arg if _arg is not None else "")
-        return account_class(*args)
-
     def _verify_action(self) -> None:
         if self._args.action not in self._VALID_ACTIONS:
             self._logger.warning(f"Unkonwn action -> '{self._args.action}'")

{python4cpm-1.1.1 → python4cpm-1.1.2/src/python4cpm.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python4cpm
-Version: 1.1.1
+Version: 1.1.2
 Summary: Python for CPM
 Author-email: Gonzalo Atienza Rela <gonatienza@gmail.com>
 License-Expression: MIT
@@ -11,9 +11,15 @@ Dynamic: license-file
 
 # Python4CPM
 
-A simple way of using python scripts with CyberArk CPM/SRS rotations.  This module leverages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into a python script.
+A simple and secure way of using python scripts with CyberArk CPM/SRS password rotations.
 
-This platform allows you to duplicate it multiple times, simply changing its settings from Privilege Cloud/PVWA to point to different python scripts leveraging the module `python4cpm`.
+## How it works
+
+This module leverages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into Python.
+
+All objects are collected from the SDK and sent as environment context to be picked up by the `python4cpm` module during the subprocess execution of python. All secrets of such environment are protected and encrypted by [Data Protection API (DPAPI)](https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection), until they are explicitely retrieved in your python script runtime, invoking the `Secret.get()` method.  Finally, python controls the termination signal sent back to the SDK, which is consequently used as the return code to CPM/SRS.  Such as a successful or failed (recoverable or not) result of the requested action.
+
+This platform allows you to duplicate it multiple times, simply changing its settings (with regular day two operations from Privilege Cloud/PVWA) to point to different venvs and/or python scripts.
 
 ## Installation
 
@@ -98,9 +104,7 @@ class MyRotator(Python4CPMHandler): # create a subclass for the Handler
         self.logger.info("this is an info message")
         self.logger.debug("this is a debug message")
 
-        # logs are placed in Logs/ThirdParty/MyRotator.log
-
-        ## The logging level comes from PythonLoggingLevel (platform parameters) (default is error)
+        # The logging level comes from PythonLoggingLevel (platform parameters) (default is error)
 
     =============================
     REQUIRED TERMINATION SIGNALS
@@ -108,13 +112,13 @@ class MyRotator(Python4CPMHandler): # create a subclass for the Handler
     Terminate signals -> MUST use one of the following three signals to terminate the script:
 
         self.close_success()
-        # terminate with success state
+        # terminate and provide CPM/SRS with a success state
 
         self.close_fail()
-        # terminate with recoverable failed state
+        # terminate and provide CPM/SRS with a failed recoverable state
         
         self.close_fail(unrecoverable=True)
-        # terminate with unrecoverable failed state
+        # terminate and provide CPM/SRS with a failed unrecoverable state
 
     When calling a signal sys.exit is invoked and the script is terminated.
     If no signal is called, and the script finishes without any exception,
@@ -189,9 +193,10 @@ When doing `verify`, `change` or `reconcile` from Privilege Cloud/PVWA:
     - If both actions are not terminated with `self.close_success()` and the scripts terminates without any exception, CPM/SRS will see this as a `self.close_fail(unrecoverable=True)`.
 3. Reconcile -> the sciprt will be executed twice, running first the `MyRotator.prereconcile()` method and secondly the `MyRotator.reconcile()` method.
     - If both actions are not terminated with `self.close_success()` and the scripts terminates without any exception, CPM/SRS will see this as a `self.close_fail(unrecoverable=True)`.
-4. When calling `MyRotator.verify()`, `MyRotator.logon()` or `MyRotator.prereconcile()`: `self.secrets.new_password.get()` will always return an empty string.
-5. If a logon account is not linked, `self.args.logon_username` and `self.secrets.logon_password.get()` will return empty strings.
-6. If a reconcile account is not linked, `self.args.reconcile_username` and `self.secrets.reconcile_password.get()` will return empty strings.
+4. When calling `MyRotator.verify()`, `MyRotator.logon()` or `MyRotator.prereconcile()`: `self.target_account.new_password.get()` will always return an empty string.
+5. If a logon account is not linked, `self.logon_account.username` and `self.logon_account.password.get()` will return empty strings.
+6. If a reconcile account is not linked, `self.reconcile_account.username` and `self.reconcile_account.password.get()` will return empty strings.
+7. The python `Logger` places its logs in the `Logs/ThirdParty` directory.  The filename will be based on the name of the subclass created (e.g., `MyRotator`).
 
 
 ### Installing dependencies in python venv
@@ -205,14 +210,9 @@ As with any python venv, you can install dependencies in your venv.
 
 ## Dev Helper:
 
-For dev purposes, `NETHelper` is a companion helper that simplifies the instantiation of the `Python4CPM` or `Python4CPMHandler` objects by simulating how the plugin passes arguments and secrets to the modules.
-Install this module (in a dev workstation) with:
-
-```bash
-pip install python4cpm
-```
+For dev purposes, `NETHelper` is a companion helper to test your scripts before shipping to CPM/SRS.  It simplifies the instantiation of the `Python4CPM` or `Python4CPMHandler` objects by simulating how the plugin creates the environment context for the python module.
 
-**Note**: As CPM runs in Windows, the plugin was built to pass secrets securely to the `Python4CPM.crypto` module using the Data Protection API (DPAPI).  For dev purposes in Linux/Mac dev workstations, those secrets will appear as plaintext in the environment of the process.  This is informational only, the module will use its encryption/decryption capabilities automatically in Windows and you do not have to do anything specific to enable it.
+**Note**: As CPM and the SRS management agent run in Windows, the plugin was built to encrypt secrets using DPAPI (a windows only library).  For dev purposes in Linux/Mac dev workstations, those secrets put in the environment context by `NETHelper` will be in plaintext.  In windows dev workstations, `NETHelper` encrypts the secrets as the .NET plugin does.  This is informational only, **the module will use its encryption/decryption capabilities automatically based on the platform** it is running on and you do not have to do anything specific to enable it.
 
 ### Example:
 
@@ -231,16 +231,16 @@ target_new_password = getpass("new_password: ") # new password for the rotation
 
 NETHelper.set(
     action=Python4CPM.ACTION_CHANGE, # use actions from Python4CPM.ACTION_*
-    target_username="jdoe",
-    target_address="myapp.corp.local",
-    target_port="8443",
-    logon_username="ldoe",
-    reconcile_username="rdoe",
+    target_username="jdoe", # -> will fall under MyRotator.target_account.username
+    target_address="myapp.corp.local", # -> will fall under MyRotator.target_account.address
+    target_port="8443", # -> will fall under MyRotator.target_account.port
+    logon_username="ldoe", # -> will fall under MyRotator.logon_account.username
+    reconcile_username="rdoe", # -> will fall under MyRotator.reconcile_account.username
     logging_level="debug", # "critical", "error", "warning", "info" or "debug"
-    target_password=target_password,
-    logon_password=logon_password,
-    reconcile_password=reconcile_password,
-    target_new_password=target_new_password
+    target_password=target_password, # -> will fall under MyRotator.target_account.password.get()
+    logon_password=logon_password, # -> will fall under MyRotator.logon_account.password.get()
+    reconcile_password=reconcile_password, # -> will fall under MyRotator.reconcile_account.password.get()
+    target_new_password=target_new_password # -> will fall under MyRotator.target_account.new_password.get()
 )
 
 class MyRotator(Python4CPMHandler):

{python4cpm-1.1.1 → python4cpm-1.1.2}/src/python4cpm.egg-info/SOURCES.txt

@@ -5,6 +5,7 @@ src/python4cpm/__init__.py
 src/python4cpm/accounts.py
 src/python4cpm/args.py
 src/python4cpm/crypto.py
+src/python4cpm/envhandler.py
 src/python4cpm/logger.py
 src/python4cpm/nethelper.py
 src/python4cpm/python4cpm.py

python4cpm-1.1.1/src/python4cpm/nethelper.py

@@ -1,46 +0,0 @@
-from python4cpm.python4cpm import Python4CPM
-from python4cpm.crypto import Crypto
-import os
-
-
-class NETHelper:
-    @classmethod
-    def set(
-        cls,
-        action: str = "",
-        logging_level: str = "",
-        target_username: str = "",
-        target_address: str = "",
-        target_port: str = "",
-        logon_username: str = "",
-        reconcile_username: str = "",
-        target_password: str = "",
-        logon_password: str = "",
-        reconcile_password: str = "",
-        target_new_password: str = ""
-    ) -> None:
-        if Crypto.ENABLED:
-            target_password = Crypto.encrypt(target_password)
-            logon_password = Crypto.encrypt(logon_password)
-            reconcile_password = Crypto.encrypt(reconcile_password)
-            target_new_password = Crypto.encrypt(target_new_password)
-        env = {
-            "ACTION": action,
-            "LOGGING_LEVEL": logging_level,
-            "TARGET_USERNAME": target_username,
-            "TARGET_ADDRESS": target_address,
-            "TARGET_PORT": target_port,
-            "LOGON_USERNAME": logon_username,
-            "RECONCILE_USERNAME": reconcile_username,
-            "TARGET_PASSWORD": target_password,
-            "LOGON_PASSWORD": logon_password,
-            "RECONCILE_PASSWORD": reconcile_password,
-            "TARGET_NEW_PASSWORD": target_new_password
-        }
-        for key, value in env.items():
-            env_var = Python4CPM._ENV_PREFIX + key
-            os.environ[env_var] = value
-
-    @classmethod
-    def get(cls) -> Python4CPM:
-        return Python4CPM(cls.__name__)