Adding helps to create an Azure connector
Showing
3 changed files
with
202 additions
and
0 deletions.
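--- a/SetupAzureForConnector.ps1
+++ b/SetupAzureForConnector.ps1
@@ -0,0 +1,52 @@
+<#
+.SYNOPSIS
+Powershel script to setup an azure account for a cloud connector.
+.DESCRIPTION
+This script creates an App regestration and service principal for a Trend Micro Azure cloud connector.
+This script outputs json that works with the addAzureConnector.py script to add the connector to the DSM.
+#>
+
+#Name of the connector in Azure
+$appName = "Deep Security Azure Connector"
+#Password is 32 long
+Add-Type -AssemblyName System.Web
+$password = [System.Web.Security.Membership]::GeneratePassword(32,0)
+
+
+$psadCredential = New-Object Microsoft.Azure.Graph.RBAC.Version1_6.ActiveDirectory.PSADPasswordCredential
+$startDate = Get-Date
+$psadCredential.StartDate = $startDate
+$psadCredential.EndDate = $startDate.AddYears(10)
+$psadCredential.KeyId = [guid]::NewGuid()
+$psadCredential.Password = $password
+
+#If you need to login to a specific subscription otherwise just login
+#$c = Login-AzureRmAccount -SubscriptionId "b0ba4069-ce0a-4f1f-c623-711faae9620b"
+$c = Login-AzureRmAccount
+
+#Create the new application regestration
+$d = New-AzureRmADApplication -DisplayName $appName -HomePage "http://www.trendmicro.com" -IdentifierUris "http://NewApplication" -PasswordCredentials $psadCredential
+#Create the new service principal
+$f = New-AzureRmADServicePrincipal -ApplicationId $d.ApplicationId
+#Useful to debug
+#$f
+#Assign the new service princiapl rights to read from the Azure account
+$t = New-AzureRmRoleAssignment -RoleDefinitionName "Reader" -ServicePrincipalName $d.ApplicationId
+#Useful to debug
+#$t
+
+
+#Build the output to match what is expected in Deep Security API for createing the connector.
+$outputObject = New-Object -TypeName psobject
+#This will be the name of the connector in Deep Security.
+$outputObject | Add-Member -MemberType NoteProperty -Name name -Value $c.Context.Account.Id
+$outputObject | Add-Member -MemberType NoteProperty -Name cloudType -Value "AZURE_ARM"
+$outputObject | Add-Member -MemberType NoteProperty -Name subscriptionId -Value $c.Context.Subscription.SubscriptionId
+$outputObject | Add-Member -MemberType NoteProperty -Name subscriptionName -Value $c.Context.Subscription.Name
+$outputObject | Add-Member -MemberType NoteProperty -Name azureAdTenantId -Value $c.Context.Tenant.TenantId
+$outputObject | Add-Member -MemberType NoteProperty -Name azureAdTenantName -Value $c.Context.Tenant.Directory
+$outputObject | Add-Member -MemberType NoteProperty -Name azureAdApplicationId -Value $d.ApplicationId
+$outputObject | Add-Member -MemberType NoteProperty -Name azureAdApplicationName -Value $appName
+$outputObject | Add-Member -MemberType NoteProperty -Name azureAdApplicationPassword -Value $password
+
+$outputObject | ConvertTo-Json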
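Review bot: The application secret is issued with a ten-year lifetime (`$psadCredential.EndDate = $startDate.AddYears(10)`) and then emitted in clear text in the JSON on the last line, which the README says is sent to the DSM administrator and saved to a file; a shorter validity and a documented rotation step would limit the exposure if that file leaks, e.g. `$psadCredential.EndDate = $startDate.AddYears(1)`. Nothing stops the script when `Login-AzureRmAccount` or `New-AzureRmADApplication` fails, so the role assignment and the output object are built from `$null`; a `$ErrorActionPreference = 'Stop'` at the top would abort at the first failed cmdlet. `New-AzureRmRoleAssignment` is called without `-Scope`, so `Reader` is granted across the whole signed-in subscription; that is worth stating in the header comment for the operator running it. The fixed `-IdentifierUris "http://NewApplication"` presumably collides if the script is run a second time in the same tenant; deriving it from `$appName` or a new GUID would avoid that.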
@@ -0,0 +1,120 @@ | ||
import urllib3 | ||
import json | ||
import certifi | ||
import sys | ||
import os | ||
|
||
class DeepSecurityRestApi: | ||
def __init__(self, config): | ||
self._config = config | ||
self._url = "https://{0}:{1}/rest".format(self._config["hostname"], self._config["port"]) | ||
self._http = urllib3.PoolManager(cert_reqs='CERT_NONE', ca_certs=certifi.where(), assert_hostname=False) | ||
self._sID = "" | ||
self._headers = { 'Content-Type': 'application/json', | ||
'Accept': 'application/json'} | ||
|
||
def PostRequest (self, uri, body): | ||
requestURL = self._url + uri | ||
requestHeaers = self._headers | ||
if self._sID: | ||
requestHeaers.add( 'Cookie: sID=' + self._sID) | ||
r = self._http.request( 'POST', | ||
requestURL, | ||
body=body, | ||
headers=requestHeaers) | ||
return json.loads(r.data.decode('utf-8'))['data'] | ||
|
||
def GetReuqest(self, uri): | ||
requestURL = self._url + uri | ||
requestHeaers = self._headers | ||
if self._sID: | ||
requestHeaers.add('Cookie: sID=' + self._sID) | ||
r = self._http.request('GET', | ||
requestURL, | ||
headers=requestHeaers) | ||
return json.loads(r.data.decode('utf-8'))['data'] | ||
|
||
def Logout(self): | ||
requestURL = self._url + '/authentication/logout' | ||
requestHeaers = self._headers | ||
|
||
r = self._http.request('DELETE', requestURL, fields={'sID' : self._sID},headers=requestHeaers) | ||
if r.status == 200: | ||
self._sID ="" | ||
else: | ||
print("Failed to logout with error status: {0} and return {1} ".format(r.status, r.data)) | ||
return | ||
|
||
def Authentiate(self, username, password, tenantName): | ||
requestURL = self._url + '/authentication/login' | ||
requestHeaers = self._headers | ||
|
||
if tenantName: | ||
AuthJson = { | ||
"dsCredentials": { | ||
"userName": username, | ||
"password": password, | ||
"tenantName": tenantName | ||
} | ||
} | ||
else: | ||
AuthJson = { | ||
"dsCredentials": { | ||
"userName": username, | ||
"password": password | ||
} | ||
} | ||
jsoon_string = json.dumps(AuthJson) | ||
r = self._http.request('POST', requestURL, body=jsoon_string, headers=requestHeaers) | ||
if r.status == 200: | ||
self._sID = r.data.decode("utf-8") | ||
else: | ||
print("Failed to authenticate with error status: {0} and return {1} ".format(r.status, r.data) ) | ||
return | ||
|
||
def AddAzureFromFile(self, filename): | ||
with open(filename) as json_file: | ||
data = json.load(json_file) | ||
requestURL = self._url + '/cloudaccounts' | ||
requestHeaers = self._headers | ||
AzureConnector = { | ||
"createCloudAccountRequest": { | ||
"cloudAccountElement": { | ||
"name": data["name"], | ||
"cloudType": "AZURE_ARM", | ||
"subscriptionId": data["subscriptionId"], | ||
"subscriptionName": data["subscriptionName"], | ||
"azureAdTenantId": data["azureAdTenantId"], | ||
"azureAdTenantName": data["azureAdTenantName"], | ||
"azureAdApplicationId": data["azureAdApplicationId"], | ||
"azureAdApplicationName": data["azureAdApplicationName"], | ||
"azureAdApplicationPassword": data["azureAdApplicationPassword"] | ||
}, | ||
"sessionId": self._sID | ||
} | ||
} | ||
jsoon_string = json.dumps(AzureConnector) | ||
print(jsoon_string) | ||
r = self._http.request('POST', requestURL, body=jsoon_string, headers=requestHeaers) | ||
if r.status == 200: | ||
self._sID = r.data | ||
else: | ||
print("Failed to authenticate with error status: {0} and return {1} ".format(r.status, r.data)) | ||
|
||
return | ||
|
||
|
||
|
||
if __name__ == '__main__': | ||
|
||
config = { "hostname" : "localhost", | ||
"port": "443", | ||
} | ||
if len(sys.argv) != 2: | ||
print("Usage: addAzureConnector.py <json account data from powershell>") | ||
exit(0) | ||
|
||
dsRest = DeepSecurityRestApi(config=config) | ||
dsRest.Authentiate(username= os.environ.get('username', None), password=os.environ.get('password', None), tenantName="") | ||
dsRest.AddAzureFromFile(sys.argv[1]) | ||
dsRest.Logout() |
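Review bot: `PoolManager(cert_reqs='CERT_NONE', ..., assert_hostname=False)` in `__init__` disables certificate and hostname verification, so the DSM username/password and the Azure application secret in the request body travel over an unauthenticated TLS connection, and the `ca_certs=certifi.where()` argument has no effect while `cert_reqs` is `CERT_NONE`. Verify by default and let the operator supply the DSM's CA bundle through the existing config dict, e.g. `self._http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED', ca_certs=self._config.get('ca_certs', certifi.where()))`. In `AddAzureFromFile`, `print(jsoon_string)` writes the full request, including `azureAdApplicationPassword`, to stdout, and on success `self._sID = r.data` replaces the session id with the create-response body, so the following `Logout()` sends a bogus sID and the server-side session is left open; drop the print (or log a redacted copy) and remove that assignment. The `requestHeaers.add(...)` calls in `PostRequest` and `GetReuqest` would raise `AttributeError` on a dict as soon as `_sID` is set, and because `requestHeaers = self._headers` aliases rather than copies, any fix that mutates it would also change the shared header dict.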
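--- a/PLACEHOLDER_README_PATH.md
+++ b/PLACEHOLDER_README_PATH.md
@@ -0,0 +1,30 @@
+
+# Azure Support
+
+## Azure Connector
+To help make the Azure connector easy in Deep Security you can run the SetupAzureForConnector.ps1 powershell script to setup Azure side. It will create an app registration and service princaple in Azure and then output a json secion. This json is then consumed by the python script, addAzureConnector.py, to create the connection in the DSM.
+
+## Example
+
+1) Run the powershell script to create the app regestration. After a sucessful run you will get a json output.
+~~~~JSON
+{
+"name": "My Azure Account",
+"cloudType": "AZURE_ARM",
+"subscriptionId": "24be60c9-e19a-4faf-9623-6b140a29620b",
+"subscriptionName": "Pay-As-You-Go",
+"azureAdTenantId": "d3e340ca-98bf-4dbf-9586-506a71f8d53c",
+"azureAdTenantName": "My Teant",
+"azureAdApplicationId": "164a6d85-9a55-4e19-84ba-54ec41040ac4",
+"azureAdApplicationName": "Deep Security Azure Connector",
+"azureAdApplicationPassword": "k7t|.-AE/Mqm3bn^2mdgFf\u003eQVm$|fz\u003eR"
+}
+
+~~~~
+2) Next Send the json output to the Deep Security administrator.
+The Deep Security administrator will then put the json into a file and call the python script. Note the python script requires a username/password (not an API key) and these values are set in environment variables "username" and "password"
+
+~~~~bash
+python addAzureConnector.py account.json
+~~~~
+3) Verify the connector syncs correclty in the DSM.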