Utility procedure for updating BMC True Sight Security Vault with password fetched from other Enterprise Password Vault
""" | |
Utility for fetching password from ARCOS and updating | |
BMC True Sight Vault | |
https://gist.github.com/furqanbaqai/07e250fc3f11e42071c8f4d8c2729562 | |
Author: Muhammad Furqan Baqai [MFB] (baqai.furqan@gmail.com)
Change History | |
[MFB:2018-01-08] Initial checkin | |
""" | |
import base64
import json
import logging
import os
import socket
import ssl
import subprocess
import sys
import uuid
from urllib.request import Request
from urllib.request import urlopen
# Web-service endpoint of the enterprise (middleware) password vault; the
# angle-bracket values in this block are deployment placeholders.
mw_url = 'https://<web-service-url-of-entVault>'
# BMC TrueSight monitoring-policy API base (plain http in this template; not
# referenced elsewhere in this listing).
bmc_vault_url = 'http://<bmc-hostname>/tsws/10.0/api/unifiedadmin/MonitoringPolicy/'
# Credentials substituted into the vault request body by PasswordManager.
# NOTE(review): they live as module constants, i.e. in source; loading them
# from the environment or a permission-restricted file keeps them out of it.
mw_userID = '<userid-used-in-ent-vault>'
mw_password = '<security-token-used-in-entvault>'
# One row per user to sync, read positionally by the __main__ loop:
# [user id, server IP, service type, URL postfix, path of the file whose first
# line is the curl command template].
bmc_users = [['<userid-to-sync>','<IP to get it sync with>','<Type of Service>','<URL Postix>','<file where curl command was residing>']
]
# Headers sent with the vault request (body is XML).
mw_api_header = {'Content-type':'application/xml'}
# Key passed on the command line to the external decryptor jar.
bmc_key = '<aes-encryption-key>'
# Permanent TrueSight auth token, placed in bmc_api_header below (the header
# dict itself is not referenced elsewhere in this listing).
bmc_api_key = 'authtoken <permenant-auth-token>'
bmc_api_header = {"content-type":"application/json","Authorization":bmc_api_key}
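class PasswordManager:
    """Fetch one user's password from the enterprise vault and push it to BMC TrueSight.

    One instance corresponds to one row of ``bmc_users``: it posts an XML
    request to the middleware vault (``mw_url``), decrypts the returned value
    with the external ``TrippleDesDecryptorV1.0.0.jar`` helper and finally
    runs the curl command template stored in ``jsonStr`` to update TrueSight.
    """

    def __init__(self, bmc_userName, bmc_serverIP, bmc_serviceType, bmc_api_ct, jsonStr):
        """Store the per-user parameters.

        Args:
            bmc_userName: user id whose password is synchronised; also
                substituted for ``$userID`` in the command template.
            bmc_serverIP: value substituted for ``$serverIP`` in the vault request.
            bmc_serviceType: value substituted for ``$serviceType`` in the vault request.
            bmc_api_ct: URL postfix for the BMC API; kept for compatibility,
                not used by the update step (which relies on the template).
            jsonStr: path of the file whose first line is the curl command
                template (``$userID`` / ``$password`` placeholders).
        """
        self.bmc_userName = bmc_userName
        self.bmc_serverIP = bmc_serverIP
        self.bmc_serviceType = bmc_serviceType
        self.bmc_api_ct = bmc_api_ct
        self.jsonStr = jsonStr

    def createUser(self):
        """Fetch, decrypt and push the password for this instance's user.

        Logs an error and does nothing when no usable password came back.
        """
        # Use the instance attribute rather than the module-level loop variable
        # of the same name, so the class works outside the __main__ loop too.
        logging.info("**Fetching password for user:%s", self.bmc_userName)
        password = self.__getMWPassword()
        # A failed decrypt yields an empty or near-empty string, hence the
        # length check in addition to the None check.
        if password is not None and len(password) > 2:
            self.__insertPassword(password, self.bmc_api_ct)
        else:
            logging.error("Error in decrypting password")

    def __getMWPassword(self):
        """Query the enterprise vault and return the decrypted password, or None.

        Returns:
            The decryptor's stdout (it may carry a trailing newline, exactly
            as the previous ``os.popen(...).read()`` did), or None when the
            HTTP status is not 200, the vault return code is not ``0000`` or
            the response lacks the expected ``sfx`` elements.
        """
        req_str = '<xml-string-of ent vault>'
        # Step#1: replacing variables (same order as before, which matters if
        # a substituted value itself contains a later placeholder).
        substitutions = (
            ('$mwUserID', mw_userID),
            ('$mwPassword', mw_password),
            ('$refNumber', str(uuid.uuid4()).replace('-', '')),
            ('$serverIP', self.bmc_serverIP),
            ('$serviceType', self.bmc_serviceType),
            ('$userName', self.bmc_userName),
        )
        for placeholder, value in substitutions:
            req_str = req_str.replace(placeholder, value)
        # Step#2: Creating request object
        logging.info('Initiating request to url:%s', mw_url)
        req = Request(url=mw_url, data=req_str.encode('utf-8'), headers=mw_api_header, method='POST')
        # NOTE(review): _create_unverified_context() turns off certificate
        # verification for the request that carries the vault credentials and
        # receives the password; ssl.create_default_context(cafile=<vault CA>)
        # is the drop-in replacement once the vault's CA is available.
        # The timeout is per request instead of a process-wide
        # socket.setdefaulttimeout() so the curl step is not affected.
        with urlopen(req, context=ssl._create_unverified_context(), timeout=30) as response:
            status = response.getcode()
            if status != 200:
                # Previously this branch returned before its log line ran.
                logging.error('Error response received. ResponseCode:%s', status)
                return None
            logging.info('Response received. Response Code:%s', status)
            resp = response.read().decode('utf-8')
        try:
            retCode = self.__getReturnCode(resp)
        except ValueError:
            logging.error("Vault response does not contain a return code")
            return None
        logging.info("Return code received:%s", retCode)
        if retCode != "0000":
            logging.error("Error received while fetching user. Skipping the retrival")
            return None
        try:
            password = self.__getPassword(resp)
        except ValueError:
            logging.error("Vault response does not contain a password element")
            return None
        # Step#4: Decrypt password with the external helper. An argv list and
        # no shell keeps shell metacharacters in the vault response from being
        # interpreted; the ciphertext is still visible in process listings,
        # which the jar's command-line interface forces.
        decryptor = subprocess.run(
            ["java", "-jar", "TrippleDesDecryptorV1.0.0.jar", bmc_key, password],
            stdout=subprocess.PIPE,
            universal_newlines=True,
        )
        return decryptor.stdout

    def __extractElement(self, resp_str, tag):
        """Return the text between ``<tag>`` and ``</tag>`` in *resp_str*.

        Raises:
            ValueError: when either tag is missing (from ``str.index``).
        """
        open_tag = '<' + tag + '>'
        start = resp_str.index(open_tag) + len(open_tag)
        end = resp_str.index('</' + tag + '>', start)
        return resp_str[start:end]

    def __getPassword(self, resp_str):
        """Return the ``sfx:password`` element text of the vault response.

        Raises:
            ValueError: when the element is absent.
        """
        logging.info('Extracting password')
        password = self.__extractElement(resp_str, 'sfx:password')
        logging.info('Password extracted..')
        return password

    def __getReturnCode(self, resp_str):
        """Return the ``sfx:returnCode`` element text of the vault response.

        Raises:
            ValueError: when the element is absent.
        """
        logging.info('Checking return code')
        return self.__extractElement(resp_str, 'sfx:returnCode')

    def __insertPassword(self, password, bmc_api_ct):
        """Run the curl command template from ``self.jsonStr`` to push *password*.

        Only the first line of the file is used; ``$userID`` is replaced with
        the user name and ``$password`` with the base64 encoding of *password*.

        Args:
            password: decrypted password to store.
            bmc_api_ct: kept for signature compatibility; not used here.
        """
        logging.info("Syncing password with the vault")
        # CALL BMC API for updating password only
        logging.info("Loading file: %s", self.jsonStr)
        with open(self.jsonStr, "r") as curlCmd:
            template = curlCmd.readline()
        encoded = base64.b64encode(password.encode('utf-8')).decode('utf-8')
        command = template.replace('$userID', self.bmc_userName).replace('$password', encoded).strip()
        if not command:
            logging.error("Command template %s is empty", self.jsonStr)
            return
        # The template is a complete shell command line (curl ...), so it has to
        # go through a shell: only operator-controlled files belong in bmc_users.
        result = subprocess.run(command, shell=True, stdout=subprocess.PIPE, universal_newlines=True)
        output = result.stdout
        try:
            code = self.__getTrueSightResponseCode(output)
        except (ValueError, KeyError):
            # curl failures produce empty or non-JSON output; report instead of crashing.
            logging.error("Unparseable response received from the true sight")
            logging.debug("Output Dump: %s", output)
            return
        if code == '200':
            logging.info("Password updated in the vault sucessfully")
        else:
            logging.error("Error recieved from the true sight")
            # DEBUG dumps the raw API response; keep the level above DEBUG in
            # production if that body may carry sensitive data.
            logging.debug("Output Dump: %s", output)

    def __getTrueSightResponseCode(self, output):
        """Return the ``statusCode`` field of the JSON text *output*.

        Raises:
            ValueError: when *output* is not valid JSON.
            KeyError: when the document has no ``statusCode`` key.
        """
        # NOTE(review): the caller compares this with the string '200'; confirm
        # the API does not return the code as an integer.
        jsData = json.loads(output)
        return jsData['statusCode']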
# DEBUG also emits the raw TrueSight response dump from __insertPassword;
# consider INFO in production if that body may carry sensitive data.
logging.basicConfig(format='[%(levelname)s] %(asctime)s:%(message)s', level=logging.DEBUG)

if __name__ == "__main__":
    # Each row is read positionally into the module-level names the rest of
    # the script expects, then handed to one PasswordManager per user.
    for row in bmc_users:
        bmc_userName, bmc_serverIP, bmc_serviceType, bmc_api_ct, jsonStr = (
            row[0], row[1], row[2], row[3], row[4],
        )
        manager = PasswordManager(bmc_userName, bmc_serverIP, bmc_serviceType, bmc_api_ct, jsonStr)
        manager.createUser()