python4cpm 1.1.1__tar.gz → 1.1.3__tar.gz

{python4cpm-1.1.1/src/python4cpm.egg-info → python4cpm-1.1.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python4cpm
-Version: 1.1.1
+Version: 1.1.3
 Summary: Python for CPM
 Author-email: Gonzalo Atienza Rela <gonatienza@gmail.com>
 License-Expression: MIT
@@ -11,9 +11,15 @@ Dynamic: license-file
 
 # Python4CPM
 
-A simple way of using python scripts with CyberArk CPM/SRS rotations.  This module leverages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into a python script.
+A simple and secure way of using python scripts with CyberArk CPM/SRS password rotations.
 
-This platform allows you to duplicate it multiple times, simply changing its settings from Privilege Cloud/PVWA to point to different python scripts leveraging the module `python4cpm`.
+## How it works
+
+This module leverages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into Python.
+
+All objects are collected from the SDK and sent as environment context to be picked up by the `python4cpm` module during the subprocess execution of python. All secrets of such environment are protected and encrypted by [Data Protection API (DPAPI)](https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection), until they are explicitely retrieved in your python script runtime, invoking the `Secret.get()` method.  Finally, python controls the termination signal sent back to the SDK, which is consequently used as the return code to CPM/SRS.  Such as a successful or failed (recoverable or not) result of the requested action.
+
+This platform allows you to duplicate it multiple times, simply changing its settings (with regular day two operations from Privilege Cloud/PVWA) to point to different venvs and/or python scripts.
 
 ## Installation
 
@@ -61,7 +67,7 @@ This platform allows you to duplicate it multiple times, simply changing its set
 from python4cpm import Python4CPMHandler
 
 
-class MyRotator(Python4CPMHandler): # create a subclass for the Handler
+class MyRotator(Python4CPMHandler):
     """
     These are the usable properties and methods from Python4CPMHandler:
 
@@ -98,9 +104,7 @@ class MyRotator(Python4CPMHandler): # create a subclass for the Handler
         self.logger.info("this is an info message")
         self.logger.debug("this is a debug message")
 
-        # logs are placed in Logs/ThirdParty/MyRotator.log
-
-        ## The logging level comes from PythonLoggingLevel (platform parameters) (default is error)
+        # The logging level comes from PythonLoggingLevel (platform parameters) (default is error)
 
     =============================
     REQUIRED TERMINATION SIGNALS
@@ -108,75 +112,44 @@ class MyRotator(Python4CPMHandler): # create a subclass for the Handler
     Terminate signals -> MUST use one of the following three signals to terminate the script:
 
         self.close_success()
-        # terminate with success state
+        # terminate and provide CPM/SRS with a success state
 
         self.close_fail()
-        # terminate with recoverable failed state
+        # terminate and provide CPM/SRS with a failed recoverable state
         
         self.close_fail(unrecoverable=True)
-        # terminate with unrecoverable failed state
+        # terminate and provide CPM/SRS with a failed unrecoverable state
 
     When calling a signal sys.exit is invoked and the script is terminated.
     If no signal is called, and the script finishes without any exception,
     it will behave like p4cpm.close_fail(unrecoverable=True) and log an error message.
+
     =============================
+    REQUIRED METHODS
     =============================
+    verify(), logon(), change(), prereconcile(), reconcile()
     """
 
-    # =============================
-    # REQUIRED METHODS (MUST DEFINE)
-    # =============================
-    # verify(), logon(), change(), prereconcile(), reconcile()
-
     def verify(self):
-        self._verify()
-        self.log_info("verification successful")
+        # TODO: use account objects for your logic
         self.close_success()
 
     def logon(self):
+        # TODO: use account objects for your logic
         self.close_success()
 
     def change(self):
-        self._change()
-        self.log_error("something went wrong")
-        self.close_fail()
+        # TODO: use account objects for your logic
+        self.close_success()
 
     def prereconcile(self):
-        self._verify(from_reconcile=True)
+        # TODO: use account objects for your logic
         self.close_success()
 
     def reconcile(self):
-        self._change(from_reconcile=True)
+        # TODO: use account objects for your logic
         self.close_success()
 
-    def _verify(self, from_reconcile=False):
-        if from_reconcile is False:
-            pass
-            # TODO: use account objects for your logic
-        else:
-            pass
-            # TODO: use account objects for your logic
-        result = True
-        if result is True:
-            self.log_info("verification successful")
-        else:
-            self.log_error("something went wrong")
-            self.close_fail()
-
-    def _change(self, from_reconcile=False):
-        if from_reconcile is False:
-            pass
-            # TODO: use account objects for your logic
-        else:
-            pass
-            # TODO: use account objects for your logic
-        result = True
-        if result is True:
-            self.log_info("rotation successful")
-        else:
-            self.log_error("something went wrong")
-            self.close_fail()
-
 
 if __name__ == "__main__":
     MyRotator().run() # initializes the class and calls the action that was requested from CPM/SRS.
@@ -189,9 +162,10 @@ When doing `verify`, `change` or `reconcile` from Privilege Cloud/PVWA:
     - If both actions are not terminated with `self.close_success()` and the scripts terminates without any exception, CPM/SRS will see this as a `self.close_fail(unrecoverable=True)`.
 3. Reconcile -> the sciprt will be executed twice, running first the `MyRotator.prereconcile()` method and secondly the `MyRotator.reconcile()` method.
     - If both actions are not terminated with `self.close_success()` and the scripts terminates without any exception, CPM/SRS will see this as a `self.close_fail(unrecoverable=True)`.
-4. When calling `MyRotator.verify()`, `MyRotator.logon()` or `MyRotator.prereconcile()`: `self.secrets.new_password.get()` will always return an empty string.
-5. If a logon account is not linked, `self.args.logon_username` and `self.secrets.logon_password.get()` will return empty strings.
-6. If a reconcile account is not linked, `self.args.reconcile_username` and `self.secrets.reconcile_password.get()` will return empty strings.
+4. When calling `MyRotator.verify()`, `MyRotator.logon()` or `MyRotator.prereconcile()`: `self.target_account.new_password` will always return `None`.
+5. If a logon account is not linked, `self.logon_account` will return `None`.
+6. If a reconcile account is not linked, `self.reconcile_account` will return `None`.
+7. The python `Logger` places its logs in the `Logs/ThirdParty` directory.  The filename will be based on the name of the subclass created (e.g., `MyRotator`).
 
 
 ### Installing dependencies in python venv
@@ -205,14 +179,9 @@ As with any python venv, you can install dependencies in your venv.
 
 ## Dev Helper:
 
-For dev purposes, `NETHelper` is a companion helper that simplifies the instantiation of the `Python4CPM` or `Python4CPMHandler` objects by simulating how the plugin passes arguments and secrets to the modules.
-Install this module (in a dev workstation) with:
-
-```bash
-pip install python4cpm
-```
+For dev purposes, `NETHelper` is a companion helper to test your scripts without CPM/SRS.  It simplifies the instantiation of the `Python4CPM` or `Python4CPMHandler` objects by simulating how the plugin creates the environment context for the python module.
 
-**Note**: As CPM runs in Windows, the plugin was built to pass secrets securely to the `Python4CPM.crypto` module using the Data Protection API (DPAPI).  For dev purposes in Linux/Mac dev workstations, those secrets will appear as plaintext in the environment of the process.  This is informational only, the module will use its encryption/decryption capabilities automatically in Windows and you do not have to do anything specific to enable it.
+**Note**: As CPM and the SRS management agent run in Windows, the plugin was built to encrypt secrets using DPAPI (a windows only library).  For dev purposes in Linux/Mac dev workstations, those secrets put in the environment context by `NETHelper` will be in plaintext.  In windows dev workstations, `NETHelper` encrypts the secrets as the .NET plugin does.  This is informational only, **the module will use its encryption/decryption capabilities automatically based on the platform** it is running on and you do not have to do anything specific to enable it.
 
 ### Example:
 
@@ -223,7 +192,7 @@ from python4cpm import NETHelper, Python4CPM, Python4CPMHandler
 from getpass import getpass
 
 # Get secrets for your password, logon account password, reconcile account password and new password
-# You can use an empty string if it does not apply
+# You may set to None any argument that does not apply or simply leaving it to its default None value.
 target_password = getpass("password: ") # password from account
 logon_password = getpass("logon_password: ") # password from linked logon account
 reconcile_password = getpass("reconcile_password: ") # password from linked reconcile account
@@ -231,16 +200,16 @@ target_new_password = getpass("new_password: ") # new password for the rotation
 
 NETHelper.set(
     action=Python4CPM.ACTION_CHANGE, # use actions from Python4CPM.ACTION_*
-    target_username="jdoe",
-    target_address="myapp.corp.local",
-    target_port="8443",
-    logon_username="ldoe",
-    reconcile_username="rdoe",
+    target_username="jdoe", # -> will fall under MyRotator.target_account.username
+    target_address="myapp.corp.local", # -> will fall under MyRotator.target_account.address
+    target_port="8443", # -> will fall under MyRotator.target_account.port
+    logon_username="ldoe", # -> will fall under MyRotator.logon_account.username
+    reconcile_username="rdoe", # -> will fall under MyRotator.reconcile_account.username
     logging_level="debug", # "critical", "error", "warning", "info" or "debug"
-    target_password=target_password,
-    logon_password=logon_password,
-    reconcile_password=reconcile_password,
-    target_new_password=target_new_password
+    target_password=target_password, # -> will fall under MyRotator.target_account.password.get()
+    logon_password=logon_password, # -> will fall under MyRotator.logon_account.password.get()
+    reconcile_password=reconcile_password, # -> will fall under MyRotator.reconcile_account.password.get()
+    target_new_password=target_new_password # -> will fall under MyRotator.target_account.new_password.get()
 )
 
 class MyRotator(Python4CPMHandler):
@@ -271,5 +240,4 @@ MyRotator().run()
 
 - Remove the import of `NETHelper`.
 - Remove the `NETHelper.set()` call.
-- If applicable, change the definition of `p4cpm` from `p4cpm = NETHelper.get()` to `p4cpm = Python4CPM("MyApp")`.
 - Remove any secrets prompting or interactive interruptions.

{python4cpm-1.1.1 → python4cpm-1.1.3}/README.md

@@ -1,8 +1,14 @@
 # Python4CPM
 
-A simple way of using python scripts with CyberArk CPM/SRS rotations.  This module leverages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into a python script.
+A simple and secure way of using python scripts with CyberArk CPM/SRS password rotations.
 
-This platform allows you to duplicate it multiple times, simply changing its settings from Privilege Cloud/PVWA to point to different python scripts leveraging the module `python4cpm`.
+## How it works
+
+This module leverages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into Python.
+
+All objects are collected from the SDK and sent as environment context to be picked up by the `python4cpm` module during the subprocess execution of python. All secrets of such environment are protected and encrypted by [Data Protection API (DPAPI)](https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection), until they are explicitely retrieved in your python script runtime, invoking the `Secret.get()` method.  Finally, python controls the termination signal sent back to the SDK, which is consequently used as the return code to CPM/SRS.  Such as a successful or failed (recoverable or not) result of the requested action.
+
+This platform allows you to duplicate it multiple times, simply changing its settings (with regular day two operations from Privilege Cloud/PVWA) to point to different venvs and/or python scripts.
 
 ## Installation
 
@@ -50,7 +56,7 @@ This platform allows you to duplicate it multiple times, simply changing its set
 from python4cpm import Python4CPMHandler
 
 
-class MyRotator(Python4CPMHandler): # create a subclass for the Handler
+class MyRotator(Python4CPMHandler):
     """
     These are the usable properties and methods from Python4CPMHandler:
 
@@ -87,9 +93,7 @@ class MyRotator(Python4CPMHandler): # create a subclass for the Handler
         self.logger.info("this is an info message")
         self.logger.debug("this is a debug message")
 
-        # logs are placed in Logs/ThirdParty/MyRotator.log
-
-        ## The logging level comes from PythonLoggingLevel (platform parameters) (default is error)
+        # The logging level comes from PythonLoggingLevel (platform parameters) (default is error)
 
     =============================
     REQUIRED TERMINATION SIGNALS
@@ -97,75 +101,44 @@ class MyRotator(Python4CPMHandler): # create a subclass for the Handler
     Terminate signals -> MUST use one of the following three signals to terminate the script:
 
         self.close_success()
-        # terminate with success state
+        # terminate and provide CPM/SRS with a success state
 
         self.close_fail()
-        # terminate with recoverable failed state
+        # terminate and provide CPM/SRS with a failed recoverable state
         
         self.close_fail(unrecoverable=True)
-        # terminate with unrecoverable failed state
+        # terminate and provide CPM/SRS with a failed unrecoverable state
 
     When calling a signal sys.exit is invoked and the script is terminated.
     If no signal is called, and the script finishes without any exception,
     it will behave like p4cpm.close_fail(unrecoverable=True) and log an error message.
+
     =============================
+    REQUIRED METHODS
     =============================
+    verify(), logon(), change(), prereconcile(), reconcile()
     """
 
-    # =============================
-    # REQUIRED METHODS (MUST DEFINE)
-    # =============================
-    # verify(), logon(), change(), prereconcile(), reconcile()
-
     def verify(self):
-        self._verify()
-        self.log_info("verification successful")
+        # TODO: use account objects for your logic
         self.close_success()
 
     def logon(self):
+        # TODO: use account objects for your logic
         self.close_success()
 
     def change(self):
-        self._change()
-        self.log_error("something went wrong")
-        self.close_fail()
+        # TODO: use account objects for your logic
+        self.close_success()
 
     def prereconcile(self):
-        self._verify(from_reconcile=True)
+        # TODO: use account objects for your logic
         self.close_success()
 
     def reconcile(self):
-        self._change(from_reconcile=True)
+        # TODO: use account objects for your logic
         self.close_success()
 
-    def _verify(self, from_reconcile=False):
-        if from_reconcile is False:
-            pass
-            # TODO: use account objects for your logic
-        else:
-            pass
-            # TODO: use account objects for your logic
-        result = True
-        if result is True:
-            self.log_info("verification successful")
-        else:
-            self.log_error("something went wrong")
-            self.close_fail()
-
-    def _change(self, from_reconcile=False):
-        if from_reconcile is False:
-            pass
-            # TODO: use account objects for your logic
-        else:
-            pass
-            # TODO: use account objects for your logic
-        result = True
-        if result is True:
-            self.log_info("rotation successful")
-        else:
-            self.log_error("something went wrong")
-            self.close_fail()
-
 
 if __name__ == "__main__":
     MyRotator().run() # initializes the class and calls the action that was requested from CPM/SRS.
@@ -178,9 +151,10 @@ When doing `verify`, `change` or `reconcile` from Privilege Cloud/PVWA:
     - If both actions are not terminated with `self.close_success()` and the scripts terminates without any exception, CPM/SRS will see this as a `self.close_fail(unrecoverable=True)`.
 3. Reconcile -> the sciprt will be executed twice, running first the `MyRotator.prereconcile()` method and secondly the `MyRotator.reconcile()` method.
     - If both actions are not terminated with `self.close_success()` and the scripts terminates without any exception, CPM/SRS will see this as a `self.close_fail(unrecoverable=True)`.
-4. When calling `MyRotator.verify()`, `MyRotator.logon()` or `MyRotator.prereconcile()`: `self.secrets.new_password.get()` will always return an empty string.
-5. If a logon account is not linked, `self.args.logon_username` and `self.secrets.logon_password.get()` will return empty strings.
-6. If a reconcile account is not linked, `self.args.reconcile_username` and `self.secrets.reconcile_password.get()` will return empty strings.
+4. When calling `MyRotator.verify()`, `MyRotator.logon()` or `MyRotator.prereconcile()`: `self.target_account.new_password` will always return `None`.
+5. If a logon account is not linked, `self.logon_account` will return `None`.
+6. If a reconcile account is not linked, `self.reconcile_account` will return `None`.
+7. The python `Logger` places its logs in the `Logs/ThirdParty` directory.  The filename will be based on the name of the subclass created (e.g., `MyRotator`).
 
 
 ### Installing dependencies in python venv
@@ -194,14 +168,9 @@ As with any python venv, you can install dependencies in your venv.
 
 ## Dev Helper:
 
-For dev purposes, `NETHelper` is a companion helper that simplifies the instantiation of the `Python4CPM` or `Python4CPMHandler` objects by simulating how the plugin passes arguments and secrets to the modules.
-Install this module (in a dev workstation) with:
-
-```bash
-pip install python4cpm
-```
+For dev purposes, `NETHelper` is a companion helper to test your scripts without CPM/SRS.  It simplifies the instantiation of the `Python4CPM` or `Python4CPMHandler` objects by simulating how the plugin creates the environment context for the python module.
 
-**Note**: As CPM runs in Windows, the plugin was built to pass secrets securely to the `Python4CPM.crypto` module using the Data Protection API (DPAPI).  For dev purposes in Linux/Mac dev workstations, those secrets will appear as plaintext in the environment of the process.  This is informational only, the module will use its encryption/decryption capabilities automatically in Windows and you do not have to do anything specific to enable it.
+**Note**: As CPM and the SRS management agent run in Windows, the plugin was built to encrypt secrets using DPAPI (a windows only library).  For dev purposes in Linux/Mac dev workstations, those secrets put in the environment context by `NETHelper` will be in plaintext.  In windows dev workstations, `NETHelper` encrypts the secrets as the .NET plugin does.  This is informational only, **the module will use its encryption/decryption capabilities automatically based on the platform** it is running on and you do not have to do anything specific to enable it.
 
 ### Example:
 
@@ -212,7 +181,7 @@ from python4cpm import NETHelper, Python4CPM, Python4CPMHandler
 from getpass import getpass
 
 # Get secrets for your password, logon account password, reconcile account password and new password
-# You can use an empty string if it does not apply
+# You may set to None any argument that does not apply or simply leaving it to its default None value.
 target_password = getpass("password: ") # password from account
 logon_password = getpass("logon_password: ") # password from linked logon account
 reconcile_password = getpass("reconcile_password: ") # password from linked reconcile account
@@ -220,16 +189,16 @@ target_new_password = getpass("new_password: ") # new password for the rotation
 
 NETHelper.set(
     action=Python4CPM.ACTION_CHANGE, # use actions from Python4CPM.ACTION_*
-    target_username="jdoe",
-    target_address="myapp.corp.local",
-    target_port="8443",
-    logon_username="ldoe",
-    reconcile_username="rdoe",
+    target_username="jdoe", # -> will fall under MyRotator.target_account.username
+    target_address="myapp.corp.local", # -> will fall under MyRotator.target_account.address
+    target_port="8443", # -> will fall under MyRotator.target_account.port
+    logon_username="ldoe", # -> will fall under MyRotator.logon_account.username
+    reconcile_username="rdoe", # -> will fall under MyRotator.reconcile_account.username
     logging_level="debug", # "critical", "error", "warning", "info" or "debug"
-    target_password=target_password,
-    logon_password=logon_password,
-    reconcile_password=reconcile_password,
-    target_new_password=target_new_password
+    target_password=target_password, # -> will fall under MyRotator.target_account.password.get()
+    logon_password=logon_password, # -> will fall under MyRotator.logon_account.password.get()
+    reconcile_password=reconcile_password, # -> will fall under MyRotator.reconcile_account.password.get()
+    target_new_password=target_new_password # -> will fall under MyRotator.target_account.new_password.get()
 )
 
 class MyRotator(Python4CPMHandler):
@@ -260,5 +229,4 @@ MyRotator().run()
 
 - Remove the import of `NETHelper`.
 - Remove the `NETHelper.set()` call.
-- If applicable, change the definition of `p4cpm` from `p4cpm = NETHelper.get()` to `p4cpm = Python4CPM("MyApp")`.
 - Remove any secrets prompting or interactive interruptions.

{python4cpm-1.1.1 → python4cpm-1.1.3}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "python4cpm"
-version = "1.1.1"
+version = "1.1.3"
 description = "Python for CPM"
 authors = [
   { name = "Gonzalo Atienza Rela", email = "gonatienza@gmail.com" }

python4cpm-1.1.3/src/python4cpm/accounts.py

@@ -0,0 +1,70 @@
+from python4cpm.envhandler import EnvHandler, Props
+from python4cpm.secret import Secret
+
+
+class BaseAccount(EnvHandler):
+    PROPS = Props("username", "password")
+
+    def __init__(
+        self,
+        username: str | None,
+        password: str | None
+    ) -> None:
+        self._username = username
+        self._password = Secret.from_env_var(password)
+
+    @classmethod
+    def get(cls) -> object | None:
+        kwargs = cls.get_kwargs()
+        if all(value is None for value in kwargs.values()):
+            return None
+        return cls(**kwargs)
+
+    @property
+    def username(self) -> str:
+        return self._username
+
+    @property
+    def password(self) -> Secret:
+        return self._password
+
+
+class TargetAccount(BaseAccount):
+    OBJ_PREFIX = "target_"
+    PROPS = Props("username", "password", "address", "port", "new_password")
+
+    def __init__(
+        self,
+        username: str | None,
+        password: str | None,
+        address: str | None,
+        port: str | None,
+        new_password: str | None
+    ) -> None:
+        super().__init__(
+            username,
+            password
+        )
+        self._address = address
+        self._port = port
+        self._new_password = Secret.from_env_var(new_password)
+
+    @property
+    def address(self) -> str | None:
+        return self._address
+
+    @property
+    def port(self) -> str | None:
+        return self._port
+
+    @property
+    def new_password(self) -> Secret:
+        return self._new_password
+
+
+class LogonAccount(BaseAccount):
+    OBJ_PREFIX = "logon_"
+
+
+class ReconcileAccount(BaseAccount):
+    OBJ_PREFIX = "reconcile_"

python4cpm-1.1.3/src/python4cpm/args.py

@@ -0,0 +1,22 @@
+from python4cpm.envhandler import EnvHandler, Props
+
+
+class Args(EnvHandler):
+    OBJ_PREFIX = "args_"
+    PROPS = Props("action", "logging_level")
+
+    def __init__(
+        self,
+        action: str | None,
+        logging_level: str | None
+    ) -> None:
+        self._action = action
+        self._logging_level = logging_level
+
+    @property
+    def action(self) -> str:
+        return self._action
+
+    @property
+    def logging_level(self) -> str | None:
+        return self._logging_level

python4cpm-1.1.3/src/python4cpm/envhandler.py

@@ -0,0 +1,32 @@
+import os
+
+
+class Props:
+    def __init__(self, *props):
+        for prop in props:
+            setattr(self, prop, prop)
+
+    def __iter__(self) -> iter:
+        return iter(self.__dict__.values())
+
+
+class EnvHandler:
+    PREFIX = "python4cpm_"
+    OBJ_PREFIX = ""
+    PROPS = Props()
+
+    @classmethod
+    def get_key(cls, key: str) -> str:
+        env_key = f"{cls.PREFIX}{cls.OBJ_PREFIX}{key}"
+        return env_key.upper()
+
+    @classmethod
+    def get_kwargs(cls) -> dict:
+        return {
+            prop: os.environ.get(cls.get_key(prop))
+            for prop in cls.PROPS
+        }
+
+    @classmethod
+    def get(cls) -> object:
+        return cls(**cls.get_kwargs())

{python4cpm-1.1.1 → python4cpm-1.1.3}/src/python4cpm/logger.py

@@ -18,14 +18,15 @@ class Logger:
     def get_logger(
         cls,
         name: str,
-        args_logging_level: str
+        logging_level: str | None
     ) -> logging.Logger:
         os.makedirs(cls._LOGS_DIR, exist_ok=True)
         logs_file = os.path.join(cls._LOGS_DIR, f"{__name__}-{name}.log")
         _id = os.urandom(4).hex()
         logger = logging.getLogger(_id)
-        if args_logging_level.lower() in cls._LOGGING_LEVELS:
-            logger.setLevel(cls._LOGGING_LEVELS[args_logging_level.lower()])
+        is_logging_level_str = isinstance(logging_level, str)
+        if is_logging_level_str and logging_level.lower() in cls._LOGGING_LEVELS:
+            logger.setLevel(cls._LOGGING_LEVELS[logging_level.lower()])
         else:
             logger.setLevel(cls._DEFAULT_LEVEL)
         handler = RotatingFileHandler(

python4cpm-1.1.3/src/python4cpm/nethelper.py

@@ -0,0 +1,61 @@
+from python4cpm.python4cpm import Python4CPM
+from python4cpm.args import Args
+from python4cpm.accounts import TargetAccount, LogonAccount, ReconcileAccount
+from python4cpm.crypto import Crypto
+import os
+
+
+class NETHelper:
+    @classmethod
+    def set(
+        cls,
+        action: str | None = None,
+        logging_level: str | None = None,
+        target_username: str | None = None,
+        target_address: str | None = None,
+        target_port: str | None = None,
+        logon_username: str | None = None,
+        reconcile_username: str | None = None,
+        target_password: str | None = None,
+        logon_password: str | None = None,
+        reconcile_password: str | None = None,
+        target_new_password: str | None = None
+    ) -> None:
+        if Crypto.ENABLED:
+            target_password = Crypto.encrypt(target_password)
+            logon_password = Crypto.encrypt(logon_password)
+            reconcile_password = Crypto.encrypt(reconcile_password)
+            target_new_password = Crypto.encrypt(target_new_password)
+        keys = (
+            Args.get_key(Args.PROPS.action),
+            Args.get_key(Args.PROPS.logging_level),
+            TargetAccount.get_key(TargetAccount.PROPS.username),
+            TargetAccount.get_key(TargetAccount.PROPS.address),
+            TargetAccount.get_key(TargetAccount.PROPS.port),
+            LogonAccount.get_key(LogonAccount.PROPS.username),
+            ReconcileAccount.get_key(ReconcileAccount.PROPS.username),
+            TargetAccount.get_key(TargetAccount.PROPS.password),
+            LogonAccount.get_key(LogonAccount.PROPS.password),
+            ReconcileAccount.get_key(ReconcileAccount.PROPS.password),
+            TargetAccount.get_key(TargetAccount.PROPS.new_password)
+        )
+        values = (
+            action,
+            logging_level,
+            target_username,
+            target_address,
+            target_port,
+            logon_username,
+            reconcile_username,
+            target_password,
+            logon_password,
+            reconcile_password,
+            target_new_password
+        )
+        for i, key in enumerate(keys):
+            if values[i] is not None:
+                os.environ.update({key: values[i]})
+
+    @classmethod
+    def get(cls) -> Python4CPM:
+        return Python4CPM(cls.__name__)

{python4cpm-1.1.1 → python4cpm-1.1.3}/src/python4cpm/python4cpm.py

@@ -1,17 +1,11 @@
-import os
 import sys
 import atexit
 import logging
 from python4cpm.secret import Secret
 from python4cpm.args import Args
-from python4cpm.crypto import Crypto
 from python4cpm.logger import Logger
-from python4cpm.accounts import (
-    BaseAccount,
-    TargetAccount,
-    LogonAccount,
-    ReconcileAccount
-)
+from python4cpm.accounts import TargetAccount, LogonAccount, ReconcileAccount
+
 
 class Python4CPM:
     ACTION_VERIFY = "verifypass"
@@ -29,18 +23,17 @@ class Python4CPM:
     _SUCCESS_CODE = 10
     _FAILED_RECOVERABLE_CODE = 81
     _FAILED_UNRECOVERABLE_CODE = 89
-    _ENV_PREFIX = "PYTHON4CPM_"
 
     def __init__(self, name: str) -> None:
         self._name = name
-        self._args = self._get_args()
+        self._args = Args.get()
+        self._target_account = TargetAccount.get()
+        self._logon_account = LogonAccount.get()
+        self._reconcile_account = ReconcileAccount.get()
         self._logger = Logger.get_logger(self._name, self._args.logging_level)
         self._logger.debug("Initiating...")
         self._log_obj(self._args)
         self._verify_action()
-        self._target_account = self._get_account(TargetAccount)
-        self._logon_account = self._get_account(LogonAccount)
-        self._reconcile_account = self._get_account(ReconcileAccount)
         self._log_obj(self._target_account)
         self._log_obj(self._logon_account)
         self._log_obj(self._reconcile_account)
@@ -67,43 +60,22 @@ class Python4CPM:
     def reconcile_account(self) -> ReconcileAccount:
         return self._reconcile_account
 
-    @classmethod
-    def _get_env_key(cls, key: str) -> str:
-        return f"{cls._ENV_PREFIX}{key.upper()}"
-
-    @classmethod
-    def _get_args(cls) -> Args:
-        kwargs = {}
-        for kwarg in Args.ARGS:
-            _kwarg = os.environ.get(cls._get_env_key(kwarg))
-            kwargs[kwarg] = _kwarg if _kwarg is not None else ""
-        return Args(**kwargs)
-
-    def _get_account(self, account_class: BaseAccount) -> BaseAccount:
-        args = []
-        for arg in account_class.ENV_VARS:
-            _arg = os.environ.get(self._get_env_key(arg))
-            args.append(_arg if _arg is not None else "")
-        return account_class(*args)
-
     def _verify_action(self) -> None:
         if self._args.action not in self._VALID_ACTIONS:
             self._logger.warning(f"Unkonwn action -> '{self._args.action}'")
 
-    def _log_obj(self, obj: object) -> None:
-        for key, value in vars(obj).items():
-            _key = f"{obj.__class__.__name__}.{key.strip('_')}"
-            if value:
-                if not isinstance(value, Secret):
-                    logging_value = f"'{value}'"
-                else:
-                    if Crypto.ENABLED is True:
-                        logging_value = "[ENCRYPTED]"
+    def _log_obj(self, obj: object | None) -> None:
+        if obj is not None:
+            for key, value in vars(obj).items():
+                _key = f"{obj.__class__.__name__}.{key.removeprefix('_')}"
+                if value is not None:
+                    if not isinstance(value, Secret):
+                        logging_value = f"'{value}'"
                     else:
-                        logging_value = "[SET]"
-            else:
-                logging_value = "[NOT SET]"
-            self._logger.debug(f"{_key} -> {logging_value}")
+                        logging_value = str(value)
+                else:
+                    logging_value = "[NOT SET]"
+                self._logger.debug(f"{_key} -> {logging_value}")
 
     def close_fail(self, unrecoverable: bool = False) -> None:
         if unrecoverable is False:

{python4cpm-1.1.1 → python4cpm-1.1.3}/src/python4cpm/python4cpmhandler.py

@@ -18,7 +18,7 @@ class Python4CPMHandler(ABC, Python4CPM):
         if action is not None:
             action()
         else:
-            raise ValueError(f"Unknown action: {self._args.action}")
+            raise ValueError(f"Unknown action: '{self._args.action}'")
 
     @abstractmethod
     def verify(self) -> None:

python4cpm-1.1.3/src/python4cpm/secret.py

@@ -0,0 +1,24 @@
+from python4cpm.crypto import Crypto
+
+
+class Secret:
+    def __init__(self, secret: str) -> None:
+        self._secret = secret
+
+    @classmethod
+    def from_env_var(cls, secret: str | None) -> object | None:
+        if secret is not None:
+            return cls(secret)
+        return None
+
+    def __str__(self) -> str:
+        if Crypto.ENABLED:
+            return "[ENCRYPTED]"
+        else:
+            return "[SET]"
+
+    def get(self) -> str:
+        if Crypto.ENABLED:
+            return Crypto.decrypt(self._secret)
+        else:
+            return self._secret

{python4cpm-1.1.1 → python4cpm-1.1.3/src/python4cpm.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python4cpm
-Version: 1.1.1
+Version: 1.1.3
 Summary: Python for CPM
 Author-email: Gonzalo Atienza Rela <gonatienza@gmail.com>
 License-Expression: MIT
@@ -11,9 +11,15 @@ Dynamic: license-file
 
 # Python4CPM
 
-A simple way of using python scripts with CyberArk CPM/SRS rotations.  This module leverages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into a python script.
+A simple and secure way of using python scripts with CyberArk CPM/SRS password rotations.
 
-This platform allows you to duplicate it multiple times, simply changing its settings from Privilege Cloud/PVWA to point to different python scripts leveraging the module `python4cpm`.
+## How it works
+
+This module leverages the [Credential Management .NET SDK](https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pasimp/plug-in-netinvoker.htm) from CyberArk to securely offload a password rotation logic into Python.
+
+All objects are collected from the SDK and sent as environment context to be picked up by the `python4cpm` module during the subprocess execution of python. All secrets of such environment are protected and encrypted by [Data Protection API (DPAPI)](https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection), until they are explicitely retrieved in your python script runtime, invoking the `Secret.get()` method.  Finally, python controls the termination signal sent back to the SDK, which is consequently used as the return code to CPM/SRS.  Such as a successful or failed (recoverable or not) result of the requested action.
+
+This platform allows you to duplicate it multiple times, simply changing its settings (with regular day two operations from Privilege Cloud/PVWA) to point to different venvs and/or python scripts.
 
 ## Installation
 
@@ -61,7 +67,7 @@ This platform allows you to duplicate it multiple times, simply changing its set
 from python4cpm import Python4CPMHandler
 
 
-class MyRotator(Python4CPMHandler): # create a subclass for the Handler
+class MyRotator(Python4CPMHandler):
     """
     These are the usable properties and methods from Python4CPMHandler:
 
@@ -98,9 +104,7 @@ class MyRotator(Python4CPMHandler): # create a subclass for the Handler
         self.logger.info("this is an info message")
         self.logger.debug("this is a debug message")
 
-        # logs are placed in Logs/ThirdParty/MyRotator.log
-
-        ## The logging level comes from PythonLoggingLevel (platform parameters) (default is error)
+        # The logging level comes from PythonLoggingLevel (platform parameters) (default is error)
 
     =============================
     REQUIRED TERMINATION SIGNALS
@@ -108,75 +112,44 @@ class MyRotator(Python4CPMHandler): # create a subclass for the Handler
     Terminate signals -> MUST use one of the following three signals to terminate the script:
 
         self.close_success()
-        # terminate with success state
+        # terminate and provide CPM/SRS with a success state
 
         self.close_fail()
-        # terminate with recoverable failed state
+        # terminate and provide CPM/SRS with a failed recoverable state
         
         self.close_fail(unrecoverable=True)
-        # terminate with unrecoverable failed state
+        # terminate and provide CPM/SRS with a failed unrecoverable state
 
     When calling a signal sys.exit is invoked and the script is terminated.
     If no signal is called, and the script finishes without any exception,
     it will behave like p4cpm.close_fail(unrecoverable=True) and log an error message.
+
     =============================
+    REQUIRED METHODS
     =============================
+    verify(), logon(), change(), prereconcile(), reconcile()
     """
 
-    # =============================
-    # REQUIRED METHODS (MUST DEFINE)
-    # =============================
-    # verify(), logon(), change(), prereconcile(), reconcile()
-
     def verify(self):
-        self._verify()
-        self.log_info("verification successful")
+        # TODO: use account objects for your logic
         self.close_success()
 
     def logon(self):
+        # TODO: use account objects for your logic
         self.close_success()
 
     def change(self):
-        self._change()
-        self.log_error("something went wrong")
-        self.close_fail()
+        # TODO: use account objects for your logic
+        self.close_success()
 
     def prereconcile(self):
-        self._verify(from_reconcile=True)
+        # TODO: use account objects for your logic
         self.close_success()
 
     def reconcile(self):
-        self._change(from_reconcile=True)
+        # TODO: use account objects for your logic
         self.close_success()
 
-    def _verify(self, from_reconcile=False):
-        if from_reconcile is False:
-            pass
-            # TODO: use account objects for your logic
-        else:
-            pass
-            # TODO: use account objects for your logic
-        result = True
-        if result is True:
-            self.log_info("verification successful")
-        else:
-            self.log_error("something went wrong")
-            self.close_fail()
-
-    def _change(self, from_reconcile=False):
-        if from_reconcile is False:
-            pass
-            # TODO: use account objects for your logic
-        else:
-            pass
-            # TODO: use account objects for your logic
-        result = True
-        if result is True:
-            self.log_info("rotation successful")
-        else:
-            self.log_error("something went wrong")
-            self.close_fail()
-
 
 if __name__ == "__main__":
     MyRotator().run() # initializes the class and calls the action that was requested from CPM/SRS.
@@ -189,9 +162,10 @@ When doing `verify`, `change` or `reconcile` from Privilege Cloud/PVWA:
     - If both actions are not terminated with `self.close_success()` and the scripts terminates without any exception, CPM/SRS will see this as a `self.close_fail(unrecoverable=True)`.
 3. Reconcile -> the sciprt will be executed twice, running first the `MyRotator.prereconcile()` method and secondly the `MyRotator.reconcile()` method.
     - If both actions are not terminated with `self.close_success()` and the scripts terminates without any exception, CPM/SRS will see this as a `self.close_fail(unrecoverable=True)`.
-4. When calling `MyRotator.verify()`, `MyRotator.logon()` or `MyRotator.prereconcile()`: `self.secrets.new_password.get()` will always return an empty string.
-5. If a logon account is not linked, `self.args.logon_username` and `self.secrets.logon_password.get()` will return empty strings.
-6. If a reconcile account is not linked, `self.args.reconcile_username` and `self.secrets.reconcile_password.get()` will return empty strings.
+4. When calling `MyRotator.verify()`, `MyRotator.logon()` or `MyRotator.prereconcile()`: `self.target_account.new_password` will always return `None`.
+5. If a logon account is not linked, `self.logon_account` will return `None`.
+6. If a reconcile account is not linked, `self.reconcile_account` will return `None`.
+7. The python `Logger` places its logs in the `Logs/ThirdParty` directory.  The filename will be based on the name of the subclass created (e.g., `MyRotator`).
 
 
 ### Installing dependencies in python venv
@@ -205,14 +179,9 @@ As with any python venv, you can install dependencies in your venv.
 
 ## Dev Helper:
 
-For dev purposes, `NETHelper` is a companion helper that simplifies the instantiation of the `Python4CPM` or `Python4CPMHandler` objects by simulating how the plugin passes arguments and secrets to the modules.
-Install this module (in a dev workstation) with:
-
-```bash
-pip install python4cpm
-```
+For dev purposes, `NETHelper` is a companion helper to test your scripts without CPM/SRS.  It simplifies the instantiation of the `Python4CPM` or `Python4CPMHandler` objects by simulating how the plugin creates the environment context for the python module.
 
-**Note**: As CPM runs in Windows, the plugin was built to pass secrets securely to the `Python4CPM.crypto` module using the Data Protection API (DPAPI).  For dev purposes in Linux/Mac dev workstations, those secrets will appear as plaintext in the environment of the process.  This is informational only, the module will use its encryption/decryption capabilities automatically in Windows and you do not have to do anything specific to enable it.
+**Note**: As CPM and the SRS management agent run in Windows, the plugin was built to encrypt secrets using DPAPI (a windows only library).  For dev purposes in Linux/Mac dev workstations, those secrets put in the environment context by `NETHelper` will be in plaintext.  In windows dev workstations, `NETHelper` encrypts the secrets as the .NET plugin does.  This is informational only, **the module will use its encryption/decryption capabilities automatically based on the platform** it is running on and you do not have to do anything specific to enable it.
 
 ### Example:
 
@@ -223,7 +192,7 @@ from python4cpm import NETHelper, Python4CPM, Python4CPMHandler
 from getpass import getpass
 
 # Get secrets for your password, logon account password, reconcile account password and new password
-# You can use an empty string if it does not apply
+# You may set to None any argument that does not apply or simply leaving it to its default None value.
 target_password = getpass("password: ") # password from account
 logon_password = getpass("logon_password: ") # password from linked logon account
 reconcile_password = getpass("reconcile_password: ") # password from linked reconcile account
@@ -231,16 +200,16 @@ target_new_password = getpass("new_password: ") # new password for the rotation
 
 NETHelper.set(
     action=Python4CPM.ACTION_CHANGE, # use actions from Python4CPM.ACTION_*
-    target_username="jdoe",
-    target_address="myapp.corp.local",
-    target_port="8443",
-    logon_username="ldoe",
-    reconcile_username="rdoe",
+    target_username="jdoe", # -> will fall under MyRotator.target_account.username
+    target_address="myapp.corp.local", # -> will fall under MyRotator.target_account.address
+    target_port="8443", # -> will fall under MyRotator.target_account.port
+    logon_username="ldoe", # -> will fall under MyRotator.logon_account.username
+    reconcile_username="rdoe", # -> will fall under MyRotator.reconcile_account.username
     logging_level="debug", # "critical", "error", "warning", "info" or "debug"
-    target_password=target_password,
-    logon_password=logon_password,
-    reconcile_password=reconcile_password,
-    target_new_password=target_new_password
+    target_password=target_password, # -> will fall under MyRotator.target_account.password.get()
+    logon_password=logon_password, # -> will fall under MyRotator.logon_account.password.get()
+    reconcile_password=reconcile_password, # -> will fall under MyRotator.reconcile_account.password.get()
+    target_new_password=target_new_password # -> will fall under MyRotator.target_account.new_password.get()
 )
 
 class MyRotator(Python4CPMHandler):
@@ -271,5 +240,4 @@ MyRotator().run()
 
 - Remove the import of `NETHelper`.
 - Remove the `NETHelper.set()` call.
-- If applicable, change the definition of `p4cpm` from `p4cpm = NETHelper.get()` to `p4cpm = Python4CPM("MyApp")`.
 - Remove any secrets prompting or interactive interruptions.

{python4cpm-1.1.1 → python4cpm-1.1.3}/src/python4cpm.egg-info/SOURCES.txt

@@ -5,6 +5,7 @@ src/python4cpm/__init__.py
 src/python4cpm/accounts.py
 src/python4cpm/args.py
 src/python4cpm/crypto.py
+src/python4cpm/envhandler.py
 src/python4cpm/logger.py
 src/python4cpm/nethelper.py
 src/python4cpm/python4cpm.py

python4cpm-1.1.1/src/python4cpm/accounts.py

@@ -1,70 +0,0 @@
-from python4cpm.secret import Secret
-
-
-class BaseAccount:
-    def __init__(
-        self: str,
-        username: str,
-        password: str
-    ) -> None:
-        self._username = username
-        self._password = Secret(password)
-
-    @property
-    def username(self) -> str:
-        return self._username
-
-    @property
-    def password(self) -> Secret:
-        return self._password
-
-
-class TargetAccount(BaseAccount):
-    ENV_VARS = (
-        "target_username",
-        "target_password",
-        "target_address",
-        "target_port",
-        "target_new_password"
-    )
-    def __init__(
-        self: str,
-        username: str,
-        password: str,
-        address: str,
-        port: str,
-        new_password: str
-    ) -> None:
-        super().__init__(
-            username,
-            password
-        )
-        self._address = address
-        self._port = port
-        self._new_password = Secret(new_password)
-
-    @property
-    def address(self) -> str:
-        return self._address
-
-    @property
-    def port(self) -> str:
-        return self._port
-
-    @property
-    def new_password(self) -> Secret:
-        return self._new_password
-
-
-class LogonAccount(BaseAccount):
-    ENV_VARS = (
-        "logon_username",
-        "logon_password"
-    )
-
-
-class ReconcileAccount(BaseAccount):
-    ENV_VARS = (
-        "reconcile_username",
-        "reconcile_password"
-    )

python4cpm-1.1.1/src/python4cpm/args.py

@@ -1,21 +0,0 @@
-class Args:
-    ARGS = (
-        "action",
-        "logging_level"
-    )
-
-    def __init__(
-        self: str,
-        action: str,
-        logging_level: str
-    ) -> None:
-        self._action = action
-        self._logging_level = logging_level
-
-    @property
-    def action(self) -> str:
-        return self._action
-
-    @property
-    def logging_level(self) -> str:
-        return self._logging_level

python4cpm-1.1.1/src/python4cpm/nethelper.py

@@ -1,46 +0,0 @@
-from python4cpm.python4cpm import Python4CPM
-from python4cpm.crypto import Crypto
-import os
-
-
-class NETHelper:
-    @classmethod
-    def set(
-        cls,
-        action: str = "",
-        logging_level: str = "",
-        target_username: str = "",
-        target_address: str = "",
-        target_port: str = "",
-        logon_username: str = "",
-        reconcile_username: str = "",
-        target_password: str = "",
-        logon_password: str = "",
-        reconcile_password: str = "",
-        target_new_password: str = ""
-    ) -> None:
-        if Crypto.ENABLED:
-            target_password = Crypto.encrypt(target_password)
-            logon_password = Crypto.encrypt(logon_password)
-            reconcile_password = Crypto.encrypt(reconcile_password)
-            target_new_password = Crypto.encrypt(target_new_password)
-        env = {
-            "ACTION": action,
-            "LOGGING_LEVEL": logging_level,
-            "TARGET_USERNAME": target_username,
-            "TARGET_ADDRESS": target_address,
-            "TARGET_PORT": target_port,
-            "LOGON_USERNAME": logon_username,
-            "RECONCILE_USERNAME": reconcile_username,
-            "TARGET_PASSWORD": target_password,
-            "LOGON_PASSWORD": logon_password,
-            "RECONCILE_PASSWORD": reconcile_password,
-            "TARGET_NEW_PASSWORD": target_new_password
-        }
-        for key, value in env.items():
-            env_var = Python4CPM._ENV_PREFIX + key
-            os.environ[env_var] = value
-
-    @classmethod
-    def get(cls) -> Python4CPM:
-        return Python4CPM(cls.__name__)

python4cpm-1.1.1/src/python4cpm/secret.py

@@ -1,15 +0,0 @@
-from python4cpm.crypto import Crypto
-
-
-class Secret:
-    def __init__(self, secret: str) -> None:
-        self._secret = secret
-
-    def __bool__(self) -> bool:
-        return bool(self._secret)
-
-    def get(self) -> str:
-        if Crypto.ENABLED and self._secret:
-            return Crypto.decrypt(self._secret)
-        else:
-            return self._secret