OS User (Kerberos/Negotiate) authentication from an AD-bridged Linux host to CyberArk CCP
import os
import re
import shutil
import subprocess
import sys
import tempfile
import urllib.parse

import requests
import urllib3
from requests_negotiate import HTTPNegotiateAuth
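# --- CCP lookup parameters -------------------------------------------------
# The AppID authenticates the caller (here through the host's Kerberos machine
# account, i.e. CCP "OS User" authentication); Safe + Object name the secret.
cyberark_app_id = "EPM LCD Onboarding"
cyberark_safe = "EPM API User"
cyberark_object = "epmlcd.pass"
# Free-text audit reason the vault records alongside the retrieval.
cyberark_reason = "Hello from Python on Linux!"
# CCP host; overridable so the script can target something other than the demo vault.
ccp_host = os.environ.get("CCP_HOST", "pam.cybr.com")

# Keytab holding the machine account; both klist and kinit read it.
keytab_path = "/etc/krb5.keytab"
# Matches a machine-account entry ("HOST$@REALM") in `klist -kt` output and
# captures the part before '@'.  Kept verbatim from the original script.
principal_name_re = r".*(\b.+\$)@.+"


def parse_principal_name(klist_out: str) -> "str | None":
    """Return the machine-account principal (e.g. ``HOST$``) found in *klist_out*.

    *klist_out* is the text output of ``klist -kt <keytab>``.  The first line
    containing ``<name>$@<realm>`` wins; ``None`` means no such entry exists.
    """
    match = re.search(principal_name_re, klist_out)
    if match and match.group(1):
        return match.group(1)
    return None


def build_ccp_uri(host: str, app_id: str, safe: str, obj: str, reason: str) -> str:
    """Return the CCP ``/AIMWebService/api/Accounts`` URL for one secret lookup.

    Every query value is ``quote_plus``-encoded so spaces and punctuation in
    the AppID / Safe / Object / Reason cannot alter the query structure.
    """
    query = {"AppId": app_id, "Safe": safe, "Object": obj, "Reason": reason}
    encoded = "&".join(f"{key}={urllib.parse.quote_plus(value)}" for key, value in query.items())
    return f"https://{host}/AIMWebService/api/Accounts?{encoded}"


def resolve_tls_verify(env=None):
    """Return the ``verify=`` argument for the CCP request.

    The original script called ``requests.get(..., verify=False)``: anyone who
    can sit on the path to the vault could then impersonate it and read the
    returned password.  Certificate verification is now on by default:

    * ``CCP_CA_BUNDLE=<path>`` pins a private CA bundle (returned as that path);
    * ``CCP_INSECURE=1`` restores the old ``verify=False`` behaviour -- for lab
      use only, never against a production vault.

    *env* defaults to ``os.environ``; it is a parameter only to keep this testable.
    """
    if env is None:
        env = os.environ
    if env.get("CCP_INSECURE") == "1":
        return False
    return env.get("CCP_CA_BUNDLE") or True


def main() -> int:
    """Fetch one secret from CCP using the host's Kerberos machine account.

    Steps: read the principal from the keytab, ``kinit`` into a private
    credential cache, call CCP with SPNEGO (Negotiate) auth, print the result,
    and destroy the cache.  Returns 0 on success and 1 on any failure (the
    original used ``quit()``, which always exited 0 and so hid failures from
    cron and wrapper scripts).
    """
    print("\nDetermining principal name from keytab...", end='')
    try:
        klist_out = subprocess.run(
            ['/usr/bin/klist', '-kt', keytab_path],
            check=True, stdout=subprocess.PIPE,
        ).stdout.decode('utf-8')
    except subprocess.CalledProcessError:
        print("Error running subprocess for klist, aborting")
        return 1

    principal_name = parse_principal_name(klist_out)
    if principal_name is None:
        print("FAILED")
        print("Principal name not found, aborting")
        return 1
    print("SUCCESS!")
    print(f"Principal Name Found: {principal_name}\n")

    # The ccache lives in a fresh mode-0700 directory rather than at the
    # predictable /tmp/krb5cc_<pid>: another unprivileged user on the host
    # cannot pre-create, symlink or read it.
    cache_dir = tempfile.mkdtemp(prefix="krb5cc_")
    krb5ccname = os.path.join(cache_dir, "ccache")
    kdest_args = ['/usr/bin/kdestroy', '-c', krb5ccname]
    try:
        print("Creating credential cache...", end='')
        kinit_args = ['/usr/bin/kinit', '-kt', keytab_path, '-c', krb5ccname, principal_name]
        try:
            subprocess.run(kinit_args, check=True)
        except subprocess.CalledProcessError:
            print("FAILED")
            print("Error running subprocess for kinit, aborting")
            return 1
        print("SUCCESS!")

        # HTTPNegotiateAuth() finds the cache through GSSAPI via KRB5CCNAME.
        os.environ["KRB5CCNAME"] = krb5ccname

        verify = resolve_tls_verify()
        if verify is False:
            # Explicit opt-out only; silence the warning for that case alone.
            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

        uri = build_ccp_uri(ccp_host, cyberark_app_id, cyberark_safe, cyberark_object, cyberark_reason)
        print(f"\nLooking up user details from CCP as AppId [{cyberark_app_id}]...", end='')
        try:
            # timeout: an unreachable vault must not hang the run (and with it
            # the cleanup below) indefinitely.
            result = requests.get(uri, auth=HTTPNegotiateAuth(), verify=verify, timeout=30)
        except requests.exceptions.RequestException as exc:
            print("FAILED")
            print(f"An unexpected error occurred on the request to CCP: {exc}")
            return 1

        if not result.ok:
            print("FAILED :(\n")
            print(result.text)
            return 1

        print("SUCCESS :)\n\n--DETAILS---\n")
        info = result.json()
        print(f'Username: {info.get("UserName")}')
        print(f'Address: {info.get("Address")}')
        print(f'Platform: {info.get("PolicyID")}')
        # NOTE(review): demo output.  Writing the secret to stdout puts it in
        # terminal scrollback and in any log that captures the run; a real
        # consumer should hand info["Content"] straight to whatever needs it.
        print(f'Password: {info.get("Content")}')
        return 0
    finally:
        # Runs on every exit path above, including a failed kinit, so a TGT is
        # never left behind on disk.
        if os.path.exists(krb5ccname):
            print("\nAttempting to remove credential cache...", end='')
            try:
                subprocess.run(kdest_args, check=True)
                print("SUCCESS!\n")
            except subprocess.CalledProcessError:
                print("FAILED")
                print("Error removing credential cache, consider removing manually\n")
        shutil.rmtree(cache_dir, ignore_errors=True)


if __name__ == "__main__":
    sys.exit(main())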