Python Flask application which permits Aruba Clearpass local DB users to change their passwords through API calls without Clearpass administrator intervention
- Install python and app's required dependencies.
- Copy project files.
- Rename example configuration files config/params_1_example.cfg and config/params_2_example.cfg to config/params_1.cfg and config/params_2.cfg
- Fill in configuration to these files according to your Clearpass settings
### Configuration File for Clearpass Change Password (local users)
### Passwords are stored in the different file
[ClearPass]
# IP or FQDN of the Clearpass Publisher
clearpass_fqdn = 10.12.102.7
[OAuth2]
# API connection parameters
grant_type = password
# client_id required for all grant types
client_id_rw = Sber_API_client
client_id_ro = Sber_API_client_RO
# Clearpass username for changing password through API
username = Sber_tech_api_admin
[DB]
# Clearpass username for database connection
username = appexternal
[Misc]
# Days to password expire (TODO:read this value from Clearpass)
days_to_passw_exp = 40
- External DB user and password (CPPM)
- Two API clients (Clearpass Guest)
- RW API Client (Clearpass Guest)
- RO API Client (Clearpass Guest) *Profiles for API clients (Clearpass Guest)
- RW profile (Clearpass Guest)
- RO profile (Clearpass Guest)
- Local user and Role for API RW (CPPM)
Project directory contains integration tests (./tests/test_aaa.py):
- Check file parameters
- Ping CPPM
- Test CPPM API connection
- Test Postgress DB connection
- Test password expiration for particular user (additional local user 'test_pass_expiry' required)
Also test directory includes regression tests for developer (test_regression.py) For this test the application must be started and user test123 must be existed.
Run tests from project dir:
pytest -v test_aaa.py
Example of successful test results:
======================================================== test session starts =========================================================
platform darwin -- Python 3.7.1, pytest-5.3.4, py-1.7.0, pluggy-0.13.1 -- /anaconda3/bin/python
cachedir: .pytest_cache
rootdir: /Users/semenov-ay/Downloads/aaa-sber/CPPM-change-password, inifile: pytest.ini
plugins: doctestplus-0.2.0, arraydiff-0.3, remotedata-0.3.1, allure-pytest-2.8.7, openfiles-0.3.1
collected 15 items
tests/test_aaa.py::test_file1_parameters[ClearPass-clearpass_fqdn] PASSED [ 6%]
tests/test_aaa.py::test_file1_parameters[OAuth2-grant_type] PASSED [ 13%]
tests/test_aaa.py::test_file1_parameters[OAuth2-client_id_rw] PASSED [ 20%]
tests/test_aaa.py::test_file1_parameters[OAuth2-client_id_ro] PASSED [ 26%]
tests/test_aaa.py::test_file1_parameters[OAuth2-username] PASSED [ 33%]
tests/test_aaa.py::test_file1_parameters[DB-username] PASSED [ 40%]
tests/test_aaa.py::test_file1_parameters[Misc-days_to_passw_exp] PASSED [ 46%]
tests/test_aaa.py::test_file2_parameters[OAuth2-password] PASSED [ 53%]
tests/test_aaa.py::test_file2_parameters[DB-password] PASSED [ 60%]
tests/test_aaa.py::test_cppm_ping PASSED [ 66%]
tests/test_aaa.py::test_clearpass_api_connection PASSED [ 73%]
tests/test_aaa.py::test_clearpass_postgres_conn[right_pass] PASSED [ 80%]
tests/test_aaa.py::test_clearpass_postgres_conn[wrong_pass] PASSED [ 86%]
tests/test_aaa.py::test_clearpass_postgres_conn[wrong_name] PASSED [ 93%]
tests/test_aaa.py::test_exp_days_f PASSED [100%]
========================================================== warnings summary ==========================================================
tests/test_aaa.py::test_clearpass_api_connection
/anaconda3/lib/python3.7/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
-- Docs: https://docs.pytest.org/en/latest/warnings.html
=================================================== 15 passed, 1 warning in 8.85s ====================================================semenoc
Start application from project dir
python3 aaa_change_password.py
Please use gunicorn + nginx to avoid security issues with HTTP
Connect to app by http//application_server_IP_address:5000 (if you are not using WSGI scheme) Login to App by your CPPM local username Logged_in page which shows expiration message (May differ from screenshot) Change password page Success in changing password redirects to Logged_in page
##License MIT
Author: Andrey Semenov andrey.semenov@hpe.com
- Add Gunicorn, nginx and Docker to Setup and Usage