Adding helps to create an Azure connector

deep-security · May 1, 2019 · 8b4c266 · 8b4c266
1 parent 27e6be5
commit 8b4c266
Show file tree

Hide file tree

Showing 3 changed files with 202 additions and 0 deletions.
diff --git a/deepsecurity/manager/azure/SetupAzureForConnector.ps1 b/deepsecurity/manager/azure/SetupAzureForConnector.ps1
@@ -0,0 +1,52 @@
+<#
+    .SYNOPSIS
+    Powershel script to setup an azure account for a cloud connector. 
+    .DESCRIPTION
+    This script creates an App regestration and service principal for a Trend Micro Azure cloud connector. 
+    This script outputs json that works with the addAzureConnector.py script to add the connector to the DSM.
+#>
+
+#Name of the connector in Azure
+$appName = "Deep Security Azure Connector"
+#Password is 32 long 
+Add-Type -AssemblyName System.Web
+$password = [System.Web.Security.Membership]::GeneratePassword(32,0)
+
+
+$psadCredential = New-Object  Microsoft.Azure.Graph.RBAC.Version1_6.ActiveDirectory.PSADPasswordCredential 
+$startDate = Get-Date
+$psadCredential.StartDate = $startDate
+$psadCredential.EndDate = $startDate.AddYears(10)
+$psadCredential.KeyId = [guid]::NewGuid()
+$psadCredential.Password = $password
+
+#If you need to login to a specific subscription otherwise just login
+#$c = Login-AzureRmAccount -SubscriptionId "b0ba4069-ce0a-4f1f-c623-711faae9620b"
+$c = Login-AzureRmAccount 
+
+#Create the new application regestration
+$d = New-AzureRmADApplication -DisplayName $appName -HomePage "http://www.trendmicro.com" -IdentifierUris "http://NewApplication" -PasswordCredentials $psadCredential 
+#Create the new service principal
+$f = New-AzureRmADServicePrincipal  -ApplicationId  $d.ApplicationId 
+#Useful to debug
+#$f
+#Assign the new service princiapl rights to read from the Azure account
+$t = New-AzureRmRoleAssignment -RoleDefinitionName "Reader" -ServicePrincipalName $d.ApplicationId
+#Useful to debug
+#$t
+
+
+#Build the output to match what is expected in Deep Security API for createing the connector. 
+$outputObject = New-Object -TypeName psobject 
+#This will be the name of the connector in Deep Security. 
+$outputObject | Add-Member -MemberType NoteProperty -Name name -Value $c.Context.Account.Id
+$outputObject | Add-Member -MemberType NoteProperty -Name cloudType -Value "AZURE_ARM"
+$outputObject | Add-Member -MemberType NoteProperty -Name subscriptionId -Value $c.Context.Subscription.SubscriptionId
+$outputObject | Add-Member -MemberType NoteProperty -Name subscriptionName -Value $c.Context.Subscription.Name
+$outputObject | Add-Member -MemberType NoteProperty -Name azureAdTenantId -Value $c.Context.Tenant.TenantId
+$outputObject | Add-Member -MemberType NoteProperty -Name azureAdTenantName -Value $c.Context.Tenant.Directory
+$outputObject | Add-Member -MemberType NoteProperty -Name azureAdApplicationId -Value $d.ApplicationId
+$outputObject | Add-Member -MemberType NoteProperty -Name azureAdApplicationName -Value $appName
+$outputObject | Add-Member -MemberType NoteProperty -Name azureAdApplicationPassword -Value $password
+
+$outputObject | ConvertTo-Json
diff --git a/deepsecurity/manager/azure/addAzureConnector.py b/deepsecurity/manager/azure/addAzureConnector.py
@@ -0,0 +1,120 @@
+import urllib3
+import json
+import certifi
+import sys
+import os
+
+class DeepSecurityRestApi:
+    def __init__(self, config):
+        self._config = config
+        self._url = "https://{0}:{1}/rest".format(self._config["hostname"], self._config["port"])
+        self._http = urllib3.PoolManager(cert_reqs='CERT_NONE', ca_certs=certifi.where(), assert_hostname=False)
+        self._sID = ""
+        self._headers = { 'Content-Type': 'application/json',
+                         'Accept': 'application/json'}
+
+    def PostRequest (self, uri, body):
+        requestURL = self._url + uri
+        requestHeaers = self._headers
+        if self._sID:
+            requestHeaers.add( 'Cookie: sID=' + self._sID)
+        r = self._http.request( 'POST',
+                          requestURL,
+                          body=body,
+                          headers=requestHeaers)
+        return json.loads(r.data.decode('utf-8'))['data']
+
+    def GetReuqest(self, uri):
+        requestURL = self._url + uri
+        requestHeaers = self._headers
+        if self._sID:
+            requestHeaers.add('Cookie: sID=' + self._sID)
+        r = self._http.request('GET',
+                               requestURL,
+                               headers=requestHeaers)
+        return json.loads(r.data.decode('utf-8'))['data']
+
+    def Logout(self):
+        requestURL = self._url + '/authentication/logout'
+        requestHeaers = self._headers
+
+        r = self._http.request('DELETE', requestURL, fields={'sID' : self._sID},headers=requestHeaers)
+        if r.status == 200:
+            self._sID =""
+        else:
+            print("Failed to logout with error status: {0} and return {1} ".format(r.status, r.data))
+        return
+
+    def Authentiate(self, username, password, tenantName):
+        requestURL = self._url + '/authentication/login'
+        requestHeaers = self._headers
+
+        if tenantName:
+            AuthJson = {
+                "dsCredentials": {
+                    "userName": username,
+                    "password": password,
+                    "tenantName": tenantName
+                }
+            }
+        else:
+            AuthJson = {
+                "dsCredentials": {
+                    "userName": username,
+                    "password": password
+                }
+            }
+        jsoon_string = json.dumps(AuthJson)
+        r = self._http.request('POST', requestURL, body=jsoon_string, headers=requestHeaers)
+        if r.status == 200:
+            self._sID = r.data.decode("utf-8")
+        else:
+            print("Failed to authenticate with error status: {0} and return {1} ".format(r.status, r.data) )
+        return
+
+    def AddAzureFromFile(self, filename):
+        with open(filename) as json_file:
+            data = json.load(json_file)
+        requestURL = self._url + '/cloudaccounts'
+        requestHeaers = self._headers
+        AzureConnector = {
+                "createCloudAccountRequest": {
+                    "cloudAccountElement": {
+                "name":  data["name"],
+                "cloudType":  "AZURE_ARM",
+                "subscriptionId":  data["subscriptionId"],
+                "subscriptionName":  data["subscriptionName"],
+                "azureAdTenantId":  data["azureAdTenantId"],
+                "azureAdTenantName":  data["azureAdTenantName"],
+                "azureAdApplicationId":  data["azureAdApplicationId"],
+                "azureAdApplicationName":  data["azureAdApplicationName"],
+                "azureAdApplicationPassword": data["azureAdApplicationPassword"]
+            },
+                "sessionId": self._sID
+            }
+        }
+        jsoon_string = json.dumps(AzureConnector)
+        print(jsoon_string)
+        r = self._http.request('POST', requestURL, body=jsoon_string, headers=requestHeaers)
+        if r.status == 200:
+            self._sID = r.data
+        else:
+            print("Failed to authenticate with error status: {0} and return {1} ".format(r.status, r.data))
+
+        return
+
+
+
+if __name__ == '__main__':
+
+    config = { "hostname" : "localhost",
+               "port": "443",
+               }
+    if len(sys.argv) != 2:
+        print("Usage: addAzureConnector.py <json account data from powershell>")
+        exit(0)
+
+    dsRest = DeepSecurityRestApi(config=config)
+    dsRest.Authentiate(username= os.environ.get('username', None), password=os.environ.get('password', None), tenantName="")
+    dsRest.AddAzureFromFile(sys.argv[1])
+    dsRest.Logout()
diff --git a/deepsecurity/manager/azure/readme.md b/deepsecurity/manager/azure/readme.md
@@ -0,0 +1,30 @@
+
+# Azure Support
+
+## Azure Connector
+To help make the Azure connector easy in Deep Security you can run the SetupAzureForConnector.ps1 powershell script to setup Azure side. It will create an app registration and service princaple in Azure and then output a json secion. This json is then consumed by the python script, addAzureConnector.py, to create the connection in the DSM. 
+
+## Example
+
+1) Run the powershell script to create the app regestration. After a sucessful run you will get a json output.
+~~~~JSON
+{
+    "name":  "My Azure Account",
+    "cloudType":  "AZURE_ARM",
+    "subscriptionId":  "24be60c9-e19a-4faf-9623-6b140a29620b",
+    "subscriptionName":  "Pay-As-You-Go",
+    "azureAdTenantId":  "d3e340ca-98bf-4dbf-9586-506a71f8d53c",
+    "azureAdTenantName":  "My Teant",
+    "azureAdApplicationId":  "164a6d85-9a55-4e19-84ba-54ec41040ac4",
+    "azureAdApplicationName":  "Deep Security Azure Connector",
+    "azureAdApplicationPassword":  "k7t|.-AE/Mqm3bn^2mdgFf\u003eQVm$|fz\u003eR"
+}
+
+~~~~
+2) Next Send the json output to the Deep Security administrator. 
+The Deep Security administrator will then put the json into a file and call the python script. Note the python script requires a username/password (not an API key) and these values are set in environment variables "username" and "password" 
+
+~~~~bash
+ python addAzureConnector.py account.json 
+~~~~
+3) Verify the connector syncs correclty in the DSM.