
Feature/add cyberark provider #127

Open
wants to merge 3 commits into develop

Conversation

Never77

@Never77 Never77 commented Feb 28, 2024

Closes: #26

What's Changed

This PR adds the CyberARK AIM provider to the nautobot-secrets-providers package and lets the user retrieve a password from the PWVA of a self-hosted CyberARK instance.

To Do

  • Explanation of Change(s)
  • Added change log fragment(s) (for more information see the documentation)
  • Attached Screenshots, Payload Example
  • Unit, Integration Tests
  • Documentation Updates (when adding/changing features)
  • Example App Updates (when adding/changing features)
  • Outline Remaining Work, Constraints from Design

@Never77 Never77 requested a review from a team as a code owner February 28, 2024 23:30
@Never77
Author

Never77 commented Feb 28, 2024

The provider can obviously be improved; if you're able to collaborate on this, feel free! I will take into account any suggestion and implement it as I can. I didn't put any tests because I can only test this code at the office. If someone has any solution to run a CyberARK AIM instance in a VM or Docker, don't hesitate to contact me, and I will add the tests then.

@gsnider2195
Contributor

Thanks for the contribution @Never77! We're going to have the same issue working on this as you without having access to a test instance, but if we figure out an easy way to test locally we'll let you know. Did you happen to look into the possibility of leveraging this library for this integration? I don't know anything about it myself so I was wondering if you had done any research into existing libraries before implementing this.

@Never77
Author

Never77 commented Feb 29, 2024

I made some tests with this library and had pretty bad performance. Then I tried to make it as simple as possible to test whether it was coming from the library itself or from the CyberARK instance. It was the CyberARK instance that had a bad setup (we have to wait about 20 seconds before getting the response). I didn't make any changes to the code after that. I can make some tests and try to use pyAIM for better handling. I will check that again and let you know when I have my results.

The API call that takes 20 seconds to reply is the search one. After that it's instant.

@nathanielfernandez

I'd love to help test this one on our lab instance. But I haven't done testing from new feature branches on Nautobot before. :( Can you give me some high level steps on how I could get this feature on our lab instance?

@Never77
Author

Never77 commented Feb 29, 2024

If you have everything needed in your lab (Nautobot 2.x minimum and CyberARK AIM with the API reachable), you can install the plugin from source, for example by cloning/downloading the repository from the branch I created and installing the source in the Nautobot virtual environment like this:

source /path/to/nautobot/venv/bin/activate
cd /path/to/the/cloned/branch/uncompressed
pip install -e .
nautobot-server post_upgrade

Don't forget to use the PLUGINS_CONFIG dictionary I have prepared in the README.md file of the project, and give an account that can reach a vault in CyberARK. Try to store an account in a vault that the user can read and get it from Nautobot by creating a secret group. If you want to check by hand directly in the CLI, I can also give you the Python code you can run in the Nautobot Python shell (it's a little bit hard to find in my mind, but the example exists in the documentation).

@nathanielfernandez

nathanielfernandez commented Feb 29, 2024

Can you check if I understand the steps correctly? I also have a few questions later since I might be using cyber ark in a different way...

Steps

  1. Clone repo, on branch add-cyberark-provider (Is the link correct?)
    git clone https://github.com/Never77/nautobot-app-secrets-providers/tree/feature/add-cyberark-provider

  2. Create a virtual env and activate it
    source /path/to/nautobot/venv/bin/activate

  3. pip install -e .

  4. pip install nautobot-secrets-providers[cyberark]

  5. update PLUGINS_CONFIG dictionary

    # In your nautobot_config.py
    import os  # needed for os.getenv below

    PLUGINS = ["nautobot_secrets_providers"]

    PLUGINS_CONFIG = {
        "nautobot_secrets_providers": {
            "cyberark": {
                "url": os.getenv("NAUTOBOT_CYBERARK_URL", None),
                "token": os.getenv("NAUTOBOT_CYBERARK_TOKEN", None),
                "username": os.getenv("NAUTOBOT_CYBERARK_USERNAME", None),
                "password": os.getenv("NAUTOBOT_CYBERARK_PASSWORD", None),
            }
        }
    }

  6. Perform "nautobot-server post_upgrade"

@nathanielfernandez

We're using the CyberArk Privilege Cloud REST API, where we get a token using our client ID and client secret. And that token is only valid for retrieving passwords for 5 minutes. Is this what we're supposed to use for the token in the PLUGINS_CONFIG dict?

@Never77
Author

Never77 commented Feb 29, 2024

Yes, that's quite the right way to do it; just install Nautobot before installing the plugin. The link is the right one.
More precisely:

Create a Virtual Environment

python -m venv nautobot

Sourcing this venv

source nautobot/bin/activate

Install Nautobot

pip install nautobot  # Ensure here that Nautobot is installed with version 2 or newer

Retrieve the code

You'll need to do a git clone, or download the ZIP archive by hand and put it on the server using SCP or any file transfer protocol like FTP/SFTP.

Then you can go inside and install the code (make sure you are on my branch to test the CyberARK provider):

git clone https://github.com/Never77/nautobot-app-secrets-providers.git
cd nautobot-app-secrets-providers
git checkout feature/add-cyberark-provider

Install the plugin

pip install -e .

You must install the plugin this way because the package with my code is not published yet; it needs to be merged before it can be published.

Put the configuration

Here you have perfectly understood the steps to configure the plugin. You'll need to set some environment variables on your machine for the user that launches the Nautobot server; in a dirty way, you can put your variables directly in the dict to test.
Like this, for example:

PLUGINS_CONFIG = {
    "nautobot_secrets_providers": { 
        "cyberark": {
            "url": "https://cyberark.example.com",
            "token": "decinablesprewad",
            "username": "test",
            "password": "test",  # Either you put the token or the user/passwd here, if you put everything it will use the token by default
        }
    }
}

Finally

You can finally do the post_upgrade operation and restart Nautobot to take into account the modifications you made, and then try the provider.

@Never77
Author

Never77 commented Feb 29, 2024

For the moment you can use that token, yes; I am looking into using the pyAIM library as suggested by @gsnider2195. Sorry for the inconvenience, we use an on-prem server that doesn't have that setup. We use a token that can be valid forever.
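The two configuration concerns raised in this thread, the token-over-username/password precedence in the PLUGINS_CONFIG dict and the 5-minute Privilege Cloud token lifetime versus a never-expiring on-prem token, can be handled in a few lines. The following is an added example, not code from this PR or from nautobot-secrets-providers: `select_auth`, `config_from_env` and `ExpiringToken` are hypothetical helper names, no CyberArk endpoint is assumed (the token fetcher is injected as a callable), and the sample config values are constructed.

```python
"""Added example (not the PR's own code): pick the CyberArk auth mode from a
PLUGINS_CONFIG-style dict and cache a short-lived token so that it is
refreshed before it expires rather than failing mid-retrieval."""
import os
import time
from typing import Callable, Mapping, Optional, Tuple


def select_auth(cfg: Mapping[str, Optional[str]]) -> Tuple[str, dict]:
    """Return ("token", {...}) or ("basic", {...}) for the given cyberark sub-dict.

    Mirrors the precedence stated in the thread: when both a token and a
    username/password pair are configured, the token is used.
    """
    url = cfg.get("url")
    if not url:
        raise ValueError("cyberark.url is required")
    if not url.lower().startswith("https://"):
        # Credentials travel in these requests; refuse plaintext transport.
        raise ValueError("cyberark.url must use https")
    if cfg.get("token"):
        return "token", {"url": url, "token": cfg["token"]}
    if cfg.get("username") and cfg.get("password"):
        return "basic", {"url": url, "username": cfg["username"], "password": cfg["password"]}
    raise ValueError("configure cyberark.token, or cyberark.username and cyberark.password")


def config_from_env(env: Mapping[str, str] = os.environ) -> dict:
    """Build the cyberark sub-dict from the NAUTOBOT_CYBERARK_* variables the thread uses,
    so that no secret has to be hard-coded in nautobot_config.py."""
    return {
        "url": env.get("NAUTOBOT_CYBERARK_URL"),
        "token": env.get("NAUTOBOT_CYBERARK_TOKEN"),
        "username": env.get("NAUTOBOT_CYBERARK_USERNAME"),
        "password": env.get("NAUTOBOT_CYBERARK_PASSWORD"),
    }


class ExpiringToken:
    """Cache a token with a known lifetime (300 s for Privilege Cloud, per the thread)
    and call `fetch` again a little before it expires.

    `fetch` is whatever obtains a fresh token (e.g. a client-id/secret exchange);
    `clock` is injectable so the refresh logic can be exercised offline.
    """

    def __init__(self, fetch: Callable[[], str], lifetime_s: int = 300,
                 skew_s: int = 30, clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch
        self._lifetime = lifetime_s
        self._skew = skew_s  # refresh this many seconds early to absorb clock drift
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.refreshes = 0  # number of times fetch() was called

    def get(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            self._token = self._fetch()
            self._expires_at = now + self._lifetime
            self.refreshes += 1
        return self._token


if __name__ == "__main__":
    # Constructed config values for illustration only.
    sample = {"url": "https://cyberark.example.com", "token": "decinablesprewad",
              "username": "test", "password": "test"}
    print(select_auth(sample)[0])  # token wins when everything is set
```

A never-expiring on-prem token can be wrapped with a very large `lifetime_s`, so the same code path serves both deployment types; a provider built this way does not have to know which CyberArk flavour it is talking to.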

@nathanielfernandez

Thanks @Never77. Unfortunately I ran out of time and I would need to resume this next week when I come back. I'll start to plan this for our lab instance.

@Never77
Author

Never77 commented Feb 29, 2024

No problem, meanwhile I'll do my research on pyAIM and keep an eye on the comments of this PR.

@glennmatthews
Contributor

Hi @nathanielfernandez, were you able to make any progress on trying this out?

@nathanielfernandez

Hi Glenn, sorry, I haven't tested yet. At this point I have to test whether our account would work with the pyaim module. We're using Python's requests module to obtain a token that expires 5 minutes after generation. I'm trying to talk with our IAM team to see if someone else has tried this module, and whether we could use a test token that doesn't expire like Never77's.

@nathanielfernandez

It seems there are different versions of CyberArk, and there are some differences with how we're set up.
The one we're using on our end is Privilege Cloud (SaaS), not on-prem.
We also don't have the Central Credential Provider (CCP) license.
Due to this I would probably not be able to use pyaim on my end to test.

@DistantVoyager
Contributor

I believe this current code is for CyberArk's Privileged Access Manager (PAM) product. It does not have a Python SDK, hence needing to send API requests directly.

They also have a newer product called CyberArk Conjur. This product does include a Python SDK:
Open Source version docs: https://docs.cyberark.com/conjur-open-source/Latest/en/Content/Integrations/python.htm?tocpath=Developer%7CClient%20libraries%7C_____5
Enterprise version docs: https://docs.cyberark.com/conjur-enterprise/latest/en/Content/Integrations/python.htm?tocpath=Developer%7CClient%20libraries%7C_____5
The enterprise and open source versions look like they can have the same code; there's no difference between them.

We should probably handle both CyberArk products in this secrets provider.

Successfully merging this pull request may close these issues.

CyberArk Digital Vault secrets provider plugin
5 participants