
One Identity Safeguard for Privileged Sessions 7.5.1 - Creating Custom Credential Store Plugins

get_remote_app_credentials

Called when the RemoteApp Launcher requests the application credentials. Can be called multiple times for the same session.

Input arguments

  • asset

    Type: string

    Description: The asset (for example, a database) that the password is requested for.

  • connection_name

    Type: string

    Description: The connection name the RemoteApp session uses. This is required if your SPS is linked to SPP.

  • session_id

    Type: string

    Description: The unique identifier of the session.

  • cookie

    Type: dictionary

    Description: The cookie returned by the previous hook in the session. If this is the first call for that session, it is initialized as an empty dictionary, otherwise it has the value returned by one of the previous calls in this particular custom Credential Store plugin. You can use the cookie to maintain the state for each particular connection or to transfer information between the different methods of the plugin. For an example that transfers information in the cookie between two methods, see Examples in the Creating Custom Authentication and Authorization Plugins.

  • session_cookie

    Type: dictionary

    Description: You can use the session cookie to maintain global state between plugins for each particular connection. If this is the first call for that session, it is initialized as an empty dictionary, otherwise it has the value returned by a previous plugin hook in the session.

  • protocol

    Type: string

    Description: The protocol name, in lowercase letters (http, ica, rdp, ssh, telnet, vnc).

  • client_hostname

    Type: string

    Description: A string containing the hostname of the client, if DNS lookup has been successful. If not, the value of this parameter is None.

  • client_ip

    Type: string

    Description: A string containing the IP address of the client.

  • gateway_username

    Type: string

  • gateway_password

    Type: string

  • gateway_groups

    Type: list

  • gateway_domain

    Type: string

  • target_username - DEPRECATED

    Type: string

  • target_host - DEPRECATED

    Type: string

  • target_port - DEPRECATED

    Type: int

  • target_domain - DEPRECATED

    Type: string

  • server_username

    Type: string

  • server_ip

    Type: string

  • server_hostname

    Type: string

  • server_port

    Type: int

  • server_domain

    Type: string

Returned values

  • cookie

    Type: dictionary
    Required: no

    Description: The cookie that SPS stores for the session and passes to the next call of this custom Credential Store plugin. If the plugin does not return a cookie, the previous value is kept. You can use the cookie to maintain the state for each particular connection or to transfer information between the different methods of the plugin. For an example that transfers information in the cookie between two methods, see Examples in the Creating Custom Authentication and Authorization Plugins.

  • session_cookie

    Type: dictionary
    Required: no

    Description: The session cookie that SPS stores for the session and passes to the next plugin hook in the session, whichever plugin it belongs to. You can use it to maintain global state between plugins for each particular connection. If the plugin does not return a session cookie, the previous value is kept.

  • passwords

    Type: string list
    Required: no

    Description: If the plugin returns multiple passwords, SPS tries to use them to authenticate on the target server (in the order they are listed).
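
The following added example is not part of the One Identity documentation or product code. It implements the get_remote_app_credentials hook described above and pairs it with a small stand-in for SPS that calls the hook twice for the same session, feeding the returned cookie and session_cookie back in, because the hook can be called multiple times per session. The asset names, credentials and connection details are constructed sample data; that SPS passes the documented arguments by keyword, and that extra keyword arguments (such as the DEPRECATED target_* parameters) may still be supplied, are assumptions.

```python
import logging

logger = logging.getLogger("remoteapp_credstore")


class Plugin(object):
    # Constructed sample data: passwords keyed by (asset, server_username).
    # A real plugin would fetch them from a vault at call time; never ship
    # secrets in plugin code.
    passdb = {
        ("sales-db", "app_svc"): ["current-secret", "previous-secret"],
    }

    def get_remote_app_credentials(self, asset, connection_name, session_id,
                                   cookie, session_cookie, protocol,
                                   client_hostname, client_ip,
                                   gateway_username, gateway_password,
                                   gateway_groups, gateway_domain,
                                   server_username, server_ip,
                                   server_hostname, server_port,
                                   server_domain, **kwargs):
        # Assumption: SPS passes the documented arguments by keyword; anything
        # else (such as the DEPRECATED target_* parameters) is swallowed by
        # **kwargs so the plugin does not break if they are still supplied.
        call_count = cookie.get("call_count", 0) + 1

        # Log what was requested, never the gateway password.
        logger.info("session=%s asset=%s server_user=%s protocol=%s call=%d",
                    session_id, asset, server_username, protocol, call_count)

        passwords = list(self.passdb.get((asset, server_username), []))
        if not passwords:
            logger.warning("no credentials for asset=%s user=%s",
                           asset, server_username)

        # "cookie" is private to this plugin; "session_cookie" is shared with
        # the other plugins in the session, so only store non-sensitive hints.
        return {
            "passwords": passwords,   # SPS tries them in this order
            "cookie": {"call_count": call_count},
            "session_cookie": dict(session_cookie, remoteapp_asset=asset),
        }


def simulate_remoteapp_session(plugin, asset, server_username, calls=2):
    """Stand-in for SPS (constructed, not the product): call the hook `calls`
    times for one session, feeding the returned cookie and session_cookie
    back into the next call as the hook contract describes."""
    cookie, session_cookie, results = {}, {}, []
    for _ in range(calls):
        result = plugin.get_remote_app_credentials(
            asset=asset,
            connection_name="remoteapp-sales",           # constructed
            session_id="svc/remoteapp-demo:1",           # constructed
            cookie=cookie,
            session_cookie=session_cookie,
            protocol="rdp",
            client_hostname=None,                        # DNS lookup failed
            client_ip="10.0.0.5",
            gateway_username="alice",
            gateway_password="gateway-secret",           # never logged
            gateway_groups=["rdp-users"],
            gateway_domain="CORP",
            server_username=server_username,
            server_ip="10.0.1.20",
            server_hostname="sales-db.corp.example",
            server_port=3389,
            server_domain="CORP",
            target_username=server_username,             # DEPRECATED alias
        )
        cookie = result.get("cookie", cookie)
        session_cookie = result.get("session_cookie", session_cookie)
        results.append(result)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for r in simulate_remoteapp_session(Plugin(), "sales-db", "app_svc"):
        print(r["cookie"], r["passwords"])
```

Two points worth keeping from this shape: the hook never writes gateway_password anywhere, and anything placed in session_cookie is visible to every other plugin in the session, so it carries only a routing hint, not credential material.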

Plugin modification examples

The following example shows a simple plugin that can return both passwords and private keys based on usernames:

Example: return passwords and username-based private keys
class Plugin(object):
    passdb = {
        "user": ["password"],
    }
    privkeydb = {
        "user1": [('ssh-rsa', """
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
""")],
    }

    def get_private_key_list(self, session_id, cookie, protocol, client_ip,
                             gateway_username, gateway_password,
                             target_username, target_host, target_port,
                             target_domain=None, gateway_domain=None,
                             gateway_groups=None):
        # Return the private keys registered for the target user, if any
        keylist = []
        if target_username in self.privkeydb:
            keylist = self.privkeydb[target_username]
            # Log how many keys were found, not the key material itself
            print("Retrieved %d private key(s);" % len(keylist))
        else:
            print("User not found;")
        return {
            "private_keys": keylist,
        }

    def get_password_list(self, session_id, cookie, protocol, client_ip,
                          gateway_username, gateway_password,
                          target_username, target_host, target_port,
                          target_domain=None, gateway_domain=None,
                          gateway_groups=None):
        # Return the passwords registered for the target user, if any
        pwlist = []
        if target_username in self.passdb:
            pwlist = self.passdb[target_username]
            print("Retrieved passwords;")
        else:
            print("User not found;")
        return {
            "passwords": pwlist,
        }

    def authentication_completed(self, session_id, cookie):
        return None

    def session_ended(self, session_id, cookie):
        return None

The following example demonstrates how the predefined hooks can be enhanced with additional logic:

Example: enhance predefined hooks
import inspect

class Plugin(object):
    passdb = {
        "joe": ["joespw1", "joespw2", ],
        "jack": ["jackspw", ],
    }

    def get_password_list(self, session_id, cookie, protocol, client_ip,
                          gateway_username, gateway_password,
                          target_username, target_host, target_port,
                          target_domain=None, gateway_domain=None, gateway_groups=None):

        # Discard "None" parameters and log all other received parameters,
        # except the gateway password, which must never be written to the log
        argvalues = inspect.getargvalues(inspect.currentframe())
        logkws = ["{arg}='{value}'".format(arg=arg, value=argvalues.locals[arg])
                  for arg in argvalues.args
                  if arg not in ('self', 'gateway_password')
                  and argvalues.locals[arg] is not None]

        if "call_count" in cookie:
            call_count = cookie["call_count"]
        else:
            call_count = 0

        logkws.append("call_count='{0}'".format(call_count))

        print("Retrieving passwords, non-null parameters follow; " + ', '.join(logkws))

        # Return the password list for the user
        pwlist = []
        if target_username in self.passdb:
            pwlist = self.passdb[target_username]
            print("Retrieved passwords;")
        else:
            print("User not found;")

        # The cookie carries the call count to the next hook in the session
        return {
            "passwords": pwlist,
            "cookie": {"call_count": call_count + 1}
        }

    def authentication_completed(self, session_id, cookie):
        call_count = cookie["call_count"] if "call_count" in cookie else None
        print(("Received notification about completed authentication; "
               "call_count='{call_count}'").format(call_count=call_count))
        return None

    def session_ended(self, session_id, cookie):
        call_count = cookie["call_count"] if "call_count" in cookie else None
        print(("Received notification about session end; "
               "call_count='{call_count}'").format(call_count=call_count))
        return None