module Nexpose
# Object that represents the administrative credentials to be used
# during a scan. When retrieved from an existing site configuration,
# the credentials are returned as a security blob and can only be
# passed back as-is during a Site Save operation. This object can
# therefore only be used to create a new set of credentials.
#
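class SiteCredentials < Credential
  # Unique identifier of the credential on the Nexpose console.
  # -1 marks a credential that has not been saved yet (see .for_service, #copy).
  attr_accessor :id
  # The service for these credentials (see Nexpose::Credential::Service).
  attr_accessor :service
  # Host the credential is restricted to, if any.
  attr_accessor :host_restriction
  # Port the credential is restricted to, if any.
  attr_accessor :port_restriction
  # Password for the service account. Secret; not populated by the console
  # when an existing credential is loaded (see .load and .copy).
  attr_accessor :password
  # Display name of the credential.
  attr_accessor :name
  # Whether this credential is enabled on the site.
  attr_accessor :enabled
  # Free-text description of the credential.
  attr_accessor :description
  # Domain of the service.
  attr_accessor :domain
  # Database of the service.
  attr_accessor :database
  # Permission elevation type (sudo/su). See Nexpose::Credential::ElevationType.
  attr_accessor :permission_elevation_type
  # User to use when escalating privileges (optional).
  attr_accessor :permission_elevation_user
  # Password to use when escalating privileges (optional). Secret.
  attr_accessor :permission_elevation_password
  # Authentication type to use with SNMP v3 credentials.
  attr_accessor :authentication_type
  # Privacy/encryption type to use with SNMP v3 credentials.
  attr_accessor :privacy_type
  # Privacy/encryption pass phrase to use with SNMP v3 credentials. Secret.
  attr_accessor :privacy_password
  # User name to authenticate to the service with.
  attr_accessor :user_name
  # Notes ID password. Secret.
  attr_accessor :notes_id_password
  # Use Windows authentication.
  attr_accessor :use_windows_auth
  # Oracle SID.
  attr_accessor :sid
  # PEM-formatted private key for SSH public-key authentication. Secret.
  attr_accessor :pem_format_private_key
  # Community name for SNMP v1/v2. Secret.
  attr_accessor :community_name
  # Scope of the credential (see Nexpose::Credential::Scope).
  attr_accessor :scope

  # Test this credential against a target where the credentials should apply.
  # Only works for a newly created credential: a credential loaded from the
  # console carries no password (the API does not send it), so the test will
  # likely fail for it.
  #
  # The request body posted to the console carries the password, elevation
  # password, SNMP v3 privacy password and PEM private key in clear text;
  # callers must not log or persist it.
  #
  # @param [Connection] nsc An active connection to the security console.
  # @param [String] target Target host to check credentials against.
  # @param [Integer] engine_id ID of the engine to use for testing credentials.
  #   Defaults to the engine named 'Local scan engine' when none is provided.
  # @param [Integer] siteid ID of the site the credential belongs to (-1 by default).
  # @return [Boolean] Whether the credential is able to connect to the target.
  # @raise [ArgumentError] if no engine_id is given and the console has no
  #   engine named 'Local scan engine'.
  #
  def test(nsc, target, engine_id = nil, siteid = -1)
    engine_id ||= local_engine_id(nsc)
    # NOTE(review): @port is not an accessor of this class; it is presumably
    # set by Credential or left nil, in which case the service default applies — confirm.
    @port = Credential::DEFAULT_PORTS[@service] if @port.nil?
    body = JSON.generate(_to_param(target, engine_id, @port, siteid))
    resp = JSON.parse(Nexpose::AJAX.post(nsc, '/data/credential/test', body, Nexpose::AJAX::CONTENT_TYPE::JSON))
    # The endpoint's success flag is compared as the string 'true'.
    resp['success'] == 'true'
  end

  # Build the request body for the credential test endpoint.
  # The returned hash contains secrets (password, elevation password,
  # PEM key, SNMP v3 privacy password); treat it as sensitive.
  #
  # @param [String] target Target host to check credentials against.
  # @param [Integer] engine_id ID of the engine to use for testing.
  # @param [Integer] port Port to connect to on the target.
  # @param [Integer] siteid ID of the site the credential belongs to.
  # @return [Hash] Parameters expected by /data/credential/test.
  def _to_param(target, engine_id, port, siteid)
    {
      dev: target,
      port: port,
      siteID: siteid,
      engineID: engine_id,
      service: @service,
      domain: @domain,
      database: @database,
      userName: @user_name,
      password: @password,
      privilegeElevationUserName: @permission_elevation_user,
      privilegeElevationPassword: @permission_elevation_password,
      privilegeElevationType: @permission_elevation_type,
      pemkey: @pem_format_private_key,
      snmpv3AuthType: @authentication_type,
      snmpv3PrivType: @privacy_type,
      snmpv3PrivPassword: @privacy_password
    }
  end

  # Create an enabled, site-specific credential with no permission elevation.
  #
  # @param [String] name Display name of the credential.
  # @param [Integer] id Credential ID; -1 (the default) for an unsaved credential.
  # @param [String] desc Optional description.
  # @param [String] host Optional host restriction.
  # @param [Integer] port Optional port restriction.
  # @param [String] service Service type, CIFS by default.
  # @return [SiteCredentials] The new credential object.
  def self.for_service(name, id = -1, desc = nil, host = nil, port = nil, service = Credential::Service::CIFS)
    cred = new
    cred.name = name
    cred.id = id.to_i
    cred.enabled = true
    cred.description = desc
    cred.host_restriction = host
    cred.port_restriction = port
    cred.service = service
    cred.scope = Credential::Scope::SITE_SPECIFIC
    cred.permission_elevation_type = Credential::ElevationType::NONE
    cred
  end

  # Load a site credential from the provided console.
  # The password field is not populated, because the API does not send it.
  #
  # @param [Connection] nsc Active connection to a Nexpose console.
  # @param [String] site_id Unique identifier of the site.
  # @param [String] credential_id Unique identifier of the credential.
  # @return [SiteCredentials] The requested credential of the site, if found.
  #
  def self.load(nsc, site_id, credential_id)
    uri = "/api/2.1/sites/#{site_id}/credentials/#{credential_id}"
    resp = AJAX.get(nsc, uri, AJAX::CONTENT_TYPE::JSON)
    hash = JSON.parse(resp, symbolize_names: true)
    # NOTE(review): object_from_hash is not defined here; presumably inherited from Credential — confirm.
    new.object_from_hash(nsc, hash)
  end

  # Copy an existing configuration from a Nexpose instance.
  # The returned object has its credential ID reset to -1 and "Copy" appended
  # to the existing name.
  # Reminder: the password field will not be populated, because the API does
  # not send the password.
  #
  # @param [Connection] connection Connection to the security console.
  # @param [String] site_id Unique identifier of the site.
  # @param [String] credential_id Unique identifier of the credential.
  # @return [SiteCredentials] Site credential loaded from a Nexpose console.
  #
  def self.copy(connection, site_id, credential_id)
    self.load(connection, site_id, credential_id).copy
  end

  # Copy this site credential.
  # The returned object is a shallow clone with its credential ID reset to -1
  # and "Copy" appended to the existing name; the receiver is not modified.
  #
  # @return [SiteCredentials] The modified clone.
  #
  def copy
    site_credential = clone
    site_credential.id = -1
    site_credential.name = "#{site_credential.name} Copy"
    site_credential
  end

  # Serialize the credential, including its secret fields, as a JSON string.
  # Accepts and ignores the generator state the json library passes when this
  # object is nested inside another JSON.generate call.
  #
  # @return [String] JSON document of #to_h.
  def to_json(*_args)
    JSON.generate(to_h)
  end

  # All attributes of the credential as a symbol-keyed hash.
  # Includes the secret fields (password, elevation password, privacy
  # password, Notes ID password, PEM key, community name); do not log it.
  #
  # @return [Hash]
  def to_h
    { id: id,
      service: service,
      host_restriction: host_restriction,
      port_restriction: port_restriction,
      password: password,
      name: name,
      enabled: enabled,
      description: description,
      domain: domain,
      database: database,
      permission_elevation_type: permission_elevation_type,
      permission_elevation_user: permission_elevation_user,
      permission_elevation_password: permission_elevation_password,
      authentication_type: authentication_type,
      privacy_type: privacy_type,
      privacy_password: privacy_password,
      user_name: user_name,
      notes_id_password: notes_id_password,
      use_windows_auth: use_windows_auth,
      sid: sid,
      pem_format_private_key: pem_format_private_key,
      community_name: community_name,
      scope: scope
    }
  end

  # Two site credentials are equal when every attribute is eql?.
  # Returns false (instead of raising) when other is not a SiteCredentials.
  #
  # @param [Object] other
  # @return [Boolean]
  def ==(other)
    eql?(other)
  end

  # Attribute-wise equality; driven by #to_h so that a new attribute cannot
  # be forgotten here. Hash#eql? compares each value with eql?, matching the
  # per-attribute comparison this method previously spelled out.
  #
  # @param [Object] other
  # @return [Boolean]
  def eql?(other)
    other.is_a?(SiteCredentials) && to_h.eql?(other.to_h)
  end

  # Hash code consistent with #eql?, so credentials can be hash keys / set members.
  #
  # @return [Integer]
  def hash
    to_h.hash
  end

  private

  # ID of the console's engine named 'Local scan engine'.
  #
  # @param [Connection] nsc An active connection to the security console.
  # @return [Integer] The engine ID.
  # @raise [ArgumentError] when no such engine exists.
  def local_engine_id(nsc)
    engine = nsc.engines.detect { |e| e.name == 'Local scan engine' }
    raise ArgumentError, "no engine_id given and no 'Local scan engine' found on the console" unless engine
    engine.id
  end
end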
end