infamousjoeg / cybr-cli

A "Swiss Army Knife" command-line interface (CLI) for easy human and non-human interaction with the @CyberArk suite of products.
Apache License 2.0

cybr-cli and ccp #66

Closed adam0306 closed 3 years ago

adam0306 commented 3 years ago

Is your feature request related to a problem? Please describe.
Feature Request

Describe the solution you'd like
Add the ability to retrieve credentials to be used for cybr-cli logon via CCP.

AndrewCopeland commented 3 years ago

This is an amazing idea. I think as a starting place we should implement a ccp command with a retrieve-account action like below:

cybr ccp retrieve-account --app-id appIdHere --query "Query=Safe=Billing;Object=MonthlyBilling" --field password

Once we have this command in the cybr-cli we could easily add a cybr logon-ccp command that will leverage the ccp for PAS REST API credentials.

Let me know your thoughts and if this aligns with your end goal.

adam0306 commented 3 years ago

That sounds perfect

AndrewCopeland commented 3 years ago

I have created another issue to track the cybr ccp command, found here: https://github.com/infamousjoeg/cybr-cli/issues/67

Once that issue has been resolved we can work on implementing it as a logon feature.

Thank you for the awesome feature request and for using the cybr-cli.

AndrewCopeland commented 3 years ago

The cybr-cli now has the cybr ccp command to easily retrieve a credential from CCP. Now we want to leverage this feature to dynamically retrieve a credential and log into the cybr-cli. Example command should be the following:

cybr ccp logon --safe PAS_REST_API --object name-of-the-object-in-PAS --url https://ccp.company.local

This command will retrieve the account in the PAS_REST_API safe with the object name of name-of-the-object-in-PAS and then use this credential to log into the PAS REST API and initialize the ~/.cybr session file.

@adam0306 Is this a desirable work flow?

infamousjoeg commented 3 years ago

@adam0306 Is this a desirable work flow?

It better be!


adam0306 commented 3 years ago

That sounds great. I tested the CCP retrieval without logon via Windows exe this morning. I'll test with logon next. But that works for me.

@infamousjoeg watch out, I may just have to make a trip down to Tampa.

AndrewCopeland commented 3 years ago

Hi @adam0306 ,

After some internal discussion we are running into some snags regarding this feature. The problem is we do not know the authentication type of the returned object. Also, we do not know if the returned object's address will be the correct PVWA address, because an LDAP platform will have the AD as the address and a CyberArk local account will have the vault hostname as the address. So moving forward we are thinking about adding a --password flag.

Of course this brings up another concern: we do not want to make it easy for developers to put the --password field in the command, in turn writing the password to the history of the shell.

So the newly proposed solution goes as the following:

cybr logon -a LDAP -b https://pvwa.company.com -u MyUsername --non-interactive -p "$(cybr ccp get-account -s safeName -o REST-API-ObjectName -f Content)"

I know this command is rather long, but it helps us in a couple of ways.

  1. Reduce duplicate code
  2. User must specify --non-interactive if they are using the --password flag
  3. No need to worry about the account type (ldap, cyberark, etc)
  4. The password will not be present in the shell history

I understand this is a different approach than what you proposed but I think it would help us significantly maintain this product.

Thanks, Andrew

adam0306 commented 3 years ago

I hadn't even thought about the auth type either. Looking ahead the way that I see us using the CCP is via a script so making it longer is no big deal. I agree protecting users from themselves is always a good thing like not printing creds to history. But at the same time they will also find a way depending on their desire.

infamousjoeg commented 3 years ago

At the end of the day, a human user should be using interactive cybr logon and be prompted securely to enter their password. Automation should use the cybr logon --non-interactive command and either an environment variable containing the PAS_PASSWORD value (default) -OR- provide the -p/--password flag to provide it through command substitution, as @AndrewCopeland provided in his code example above.

I understand that users will always try to find a way around things. However, I don't want to make it too easy for them to be insecure and lazy.
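The two rules from the last two posts (a password flag is only accepted together with --non-interactive, and automation feeds the secret through PAS_PASSWORD or command substitution rather than typing it) as an added shell wrapper; this is example code, not part of cybr-cli, and it assumes the flag names quoted in the thread and that `cybr` is on the PATH (CYBR may point elsewhere):

```shell
#!/bin/sh
# Added example, not part of cybr-cli. It assumes the commands and flags
# quoted in this thread: `cybr ccp get-account -s SAFE -o OBJECT -f Content`,
# `cybr logon -a TYPE -b URL -u USER --non-interactive`, and PAS_PASSWORD
# as the non-interactive default. CYBR names the binary (overridable).
: "${CYBR:=cybr}"

# validate_logon_flags MODE HAS_PASSWORD
#   MODE is "interactive" or "non-interactive"; HAS_PASSWORD is 1 when
#   -p/--password was given. Encodes the rule that a password flag is only
#   accepted together with --non-interactive. Returns 0 (allowed) or 1.
validate_logon_flags() {
    if [ "$2" = "1" ] && [ "$1" != "non-interactive" ]; then
        return 1
    fi
    return 0
}

# ccp_logon AUTH_TYPE PVWA_URL USERNAME SAFE OBJECT
# Retrieves the REST API credential from CCP and logs in non-interactively.
# The secret lives only in a shell variable and reaches cybr through the
# child's environment (PAS_PASSWORD): the history line is this function
# call, and, unlike -p, the value is not in the cybr process's argv.
ccp_logon() {
    auth_type="$1"; pvwa_url="$2"; username="$3"; safe="$4"; object="$5"
    secret=$("$CYBR" ccp get-account -s "$safe" -o "$object" -f Content) || {
        echo "ccp_logon: CCP retrieval failed for $safe/$object" >&2
        return 1
    }
    if [ -z "$secret" ]; then
        echo "ccp_logon: CCP returned an empty Content field" >&2
        return 1
    fi
    if PAS_PASSWORD="$secret" "$CYBR" logon -a "$auth_type" -b "$pvwa_url" \
            -u "$username" --non-interactive; then
        rc=0
    else
        rc=$?
        echo "ccp_logon: cybr logon failed" >&2
    fi
    unset secret   # drop the secret from this shell as soon as it is used
    return "$rc"
}
```

Command-line arguments are readable by other local users (for example via ps), which is why this wrapper hands the secret over through PAS_PASSWORD rather than -p; the -p "$(...)" form above keeps the value out of shell history but not out of argv.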

adam0306 commented 3 years ago

Completely agree. Just having the ability to retrieve the creds using CCP is a win for me.