
Commit 053f5cf

sk-keeperaaunario-keeper
authored and committed
PAM: send default password complexity if it is not set
1 parent 6c896dc commit 053f5cf


2 files changed

+62
-20
lines changed


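--- a/keepercommander/commands/discoveryrotation.py
+++ b/keepercommander/commands/discoveryrotation.py
@@ -164,7 +164,7 @@ class PAMCreateRecordRotationCommand(Command):
 parser = argparse.ArgumentParser(prog='pam rotation new')
 parser.add_argument('--record', '-r', required=True, dest='record_uid', action='store', help='Record UID that will be rotated manually or via schedule')
 parser.add_argument('--config', '-c', dest='config_uid', action='store', help='UID of the PAM Configuration.')
-parser.add_argument('--resource', '-rs', required=False, dest='resource_uid', action='store', help='UID of the resource recourd.')
+parser.add_argument('--resource', '-rs', required=False, dest='resource_uid', action='store', help='UID of the resource record.')
 schedule_group = parser.add_mutually_exclusive_group()
 schedule_group.add_argument('--schedulejson', '-sj', required=False, dest='schedule_json_data', action='append', help='Json of the scheduler. Example: -sj \'{"type": "WEEKLY", "utcTime": "15:44", "weekday": "SUNDAY", "intervalCount": 1}\'')
 schedule_group.add_argument('--schedulecron', '-sc', required=False, dest='schedule_cron_data', action='append', help='Cron tab string of the scheduler. Example: to run job daily at 5:56PM UTC enter following cron -sc "0 56 17 * * ?"')
@@ -228,28 +228,29 @@ def execute(self, params, **kwargs):
 pass
 
 # 2. Load password complexity rules
-if not pwd_complexity:
+if pwd_complexity is None:
 if current_record_rotation:
 pwd_complexity_rule_list_encrypted = utils.base64_url_decode(current_record_rotation['pwd_complexity'])
 else:
 pwd_complexity_rule_list_encrypted = b''
 else:
-pwd_complexity_list = [s.strip() for s in pwd_complexity.split(',')]
-if len(pwd_complexity_list) != 5 or not all(n.isnumeric() for n in pwd_complexity_list):
-logging.warning(
-'Invalid rules to generate password. Format is "length, upper, lower, digits, symbols". Ex: 32,5,5,5,5'
-)
-return
-
-rule_list_dict = {
-'length': int(pwd_complexity_list[0]),
-'caps': int(pwd_complexity_list[1]),
-'lowercase': int(pwd_complexity_list[2]),
-'digits': int(pwd_complexity_list[3]),
-'special': int(pwd_complexity_list[4])
-}
-
-pwd_complexity_rule_list_encrypted = router_helper.encrypt_pwd_complexity(rule_list_dict, record.record_key)
+if pwd_complexity:
+pwd_complexity_list = [s.strip() for s in pwd_complexity.split(',')]
+if len(pwd_complexity_list) != 5 or not all(n.isnumeric() for n in pwd_complexity_list):
+logging.warning(
+'Invalid rules to generate password. Format is "length, upper, lower, digits, symbols". Ex: 32,5,5,5,5'
+)
+return
+rule_list_dict = {
+'length': int(pwd_complexity_list[0]),
+'caps': int(pwd_complexity_list[1]),
+'lowercase': int(pwd_complexity_list[2]),
+'digits': int(pwd_complexity_list[3]),
+'special': int(pwd_complexity_list[4])
+}
+pwd_complexity_rule_list_encrypted = router_helper.encrypt_pwd_complexity(rule_list_dict, record.record_key)
+else:
+pwd_complexity_rule_list_encrypted = b''
 
 
 # 3. Resource record check
@@ -1061,14 +1062,42 @@ def execute(self, params, **kwargs):
 if rri_status_name == 'RRS_ONLINE':
 
 print(f'Rotation Status: {bcolors.OKBLUE}Ready to rotate ({rri_status_name}){bcolors.ENDC}')
-print(f'PAM Config UID: {bcolors.OKBLUE}{utils.base64_url_encode(rri.configurationUid)}{bcolors.ENDC}')
+configuration_uid = utils.base64_url_encode(rri.configurationUid)
+print(f'PAM Config UID: {bcolors.OKBLUE}{configuration_uid}{bcolors.ENDC}')
 print(f'Node ID: {bcolors.OKBLUE}{rri.nodeId}{bcolors.ENDC}')
 
 print(f"Gateway Name where the rotation will be performed: {bcolors.OKBLUE}{(rri.controllerName if rri.controllerName else '-')}{bcolors.ENDC}")
 print(f"Gateway Uid: {bcolors.OKBLUE}{(utils.base64_url_encode(rri.controllerUid) if rri.controllerUid else '-') } {bcolors.ENDC}")
+if rri.resourceUid:
+resource_id = utils.base64_url_encode(rri.resourceUid)
+resource_ok = False
+if resource_id in params.record_cache:
+configuration = vault.KeeperRecord.load(params, configuration_uid)
+if isinstance(configuration, vault.TypedRecord):
+field = configuration.get_typed_field('pamResources')
+if field and isinstance(field.value, list) and len(field.value) == 1:
+rv = field.value[0]
+if isinstance(rv, dict):
+resources = rv.get('resourceRef')
+if isinstance(resources, list):
+resource_ok = resource_id in resources
+print(f"Admin Resource Uid: {bcolors.OKBLUE if resource_ok else bcolors.FAIL}{resource_id}{bcolors.ENDC}")
+
 # print(f"Router Cookie: {bcolors.OKBLUE}{(rri.cookie if rri.cookie else '-')}{bcolors.ENDC}")
 # print(f"scriptName: {bcolors.OKGREEN}{rri.scriptName}{bcolors.ENDC}")
-print(f"Password Complexity: {bcolors.OKGREEN}{rri.pwdComplexity if rri.pwdComplexity else '[not set]'}{bcolors.ENDC}")
+if rri.pwdComplexity:
+print(f"Password Complexity: {bcolors.OKGREEN}{rri.pwdComplexity}{bcolors.ENDC}")
+try:
+record = params.record_cache.get(record_uid)
+if record:
+complexity = crypto.decrypt_aes_v2(utils.base64_url_decode(rri.pwdComplexity), record['record_key_unencrypted'])
+c = json.loads(complexity.decode())
+print(f"Password Complexity Data: {bcolors.OKBLUE}Length: {c.get('length')}; Lowercase: {c.get('lowercase')}; Uppercase: {c.get('caps')}; Digits: {c.get('digits')}; Symbols: {c.get('special')} {bcolors.ENDC}")
+except:
+pass
+else:
+print(f"Password Complexity: {bcolors.OKGREEN}[not set]{bcolors.ENDC}")
+
 print(f"Is Rotation Disabled: {bcolors.OKGREEN}{rri.disabled}{bcolors.ENDC}")
 print(f"\nCommand to manually rotate: {bcolors.OKGREEN}pam action rotate -r {record_uid}{bcolors.ENDC}")
 else:
@@ -1402,6 +1431,18 @@ def execute(self, params, **kwargs):
 # Find record by record uid
 ri = record_rotation_get(params, utils.base64_url_decode(record.record_uid))
 ri_pwd_complexity_encrypted = ri.pwdComplexity
+if not ri_pwd_complexity_encrypted:
+rule_list_dict = {
+'length': 20,
+'caps': 1,
+'lowercase': 1,
+'digits': 1,
+'special': 1,
+}
+ri_pwd_complexity_encrypted = utils.base64_url_encode(router_helper.encrypt_pwd_complexity(rule_list_dict, record.record_key))
+# else:
+# rule_list_json = crypto.decrypt_aes_v2(utils.base64_url_decode(ri_pwd_complexity_encrypted), record.record_key)
+# complexity = json.loads(rule_list_json.decode())
 
 ri_rotation_setting_uid = utils.base64_url_encode(ri.configurationUid) # Configuration on the UI is "Rotation Setting"
 resource_uid = utils.base64_url_encode(ri.resourceUid)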
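Review bot: The bare `except: pass` around the complexity decode in the third hunk (new lines 1096–1097) swallows every failure, including KeyboardInterrupt and SystemExit, so a `pwdComplexity` blob that cannot be decrypted with the record key or does not parse as JSON is reported exactly like a healthy one — the header line still prints the ciphertext as if the rules were in effect. That is the case an operator most needs to see, since it means rotation will run against rules nobody can read. Narrow the handler and leave a trace: `except Exception as e:` / `logging.debug('Cannot decode password complexity for %s: %s', record_uid, e)`; `logging` is already used in the second hunk of this file. The execute() method containing this hunk starts and ends outside it.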

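--- a/keepercommander/record_types.py
+++ b/keepercommander/record_types.py
@@ -50,6 +50,7 @@
 FieldType('script', {'fileRef': '', 'command': '', 'recordRef': [], }, 'Post rotation script'),
 FieldType('recordRef', '', 'reference to other record'),
 FieldType('appFiller', {'macroSequence': '', 'applicationTitle': '', 'contentFilter': ''}, 'Native Application Filler'),
+FieldType('pamResources', {'controllerUid': '', 'folderUid': '', 'resourceRef': []}, 'PAM resources'),
 )} # type: Dict[str, FieldType]
 
 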