Vrijendra Kumar
ServiceNow Employee

The CredentialResolver JAR file is used to resolve the credential ID sent from the MID Server into the actual credentials stored in an external credential store (e.g., CyberArk, HashiCorp, Thycotic, or even a file stored in a secured customer environment). The CredentialResolver class is responsible for communicating with the external credential store, and the resolve method in that class is expected to return a map of the credentials.

The credential map returned from the resolve method is expected to have keys matching the column names in the discovery_credential table, i.e.:

For Azure we expect the resolve method to return a map with the keys tenant_id, client_id and secret_key.

For GCP we expect the resolve method to return a map with the two keys email and secret_key.


Use this sample Java file as a template:

package com.snc.discovery;

import java.util.*;

/**
 * This is just a template showing how Azure/GCP credentials stored in an external vault can be resolved.
 */
public class CredentialResolver {

	// These are the permissible names of arguments passed INTO the resolve()
	// method.

	// the string identifier as configured on the ServiceNow instance...
	public static final String ARG_ID = "id";

	// a dotted-form string IPv4 address (like "10.22.231.12") of the target
	// system...
	public static final String ARG_IP = "ip";

	// the string type (ssh, snmp, etc.) of credential as configured on the
	// instance...
	public static final String ARG_TYPE = "type";

	// the string MID server making the request, as configured on the
	// instance...
	public static final String ARG_MID = "mid";

	public static final String GCP_TYPE = "gcp";
	public static final String GCP_EMAIL = "email";
	public static final String GCP_SECRET_KEY = "secret_key";

	public static final String AZURE_TYPE = "azure";
	public static final String AZURE_SECRET_KEY = "secret_key";
	public static final String AZURE_CLIENT_ID = "client_id";
	public static final String AZURE_TENANT_ID = "tenant_id";

	// Vault lookup parameters (placeholders; fill these in from your vault configuration)
	private final String fSafeName = "";
	private final String fSafeFolder = "";
	private final String fPolicyId = "";

	public CredentialResolver() {
	}

	/**
	 * Resolve a credential.
	 */
	public Map resolve(Map args) {

		String credId = (String) args.get(ARG_ID);
		String type = (String) args.get(ARG_TYPE);
		Map<String, String> result = new HashMap<>();

		// Fetch the credential material from the external store, keyed by the discovery_credential column names
		Map<String, String> passwordMap = getPasswordFromStorage(credId, fSafeName, fSafeFolder, fPolicyId);

		if (GCP_TYPE.equals(type)) {
			result.put(GCP_EMAIL, passwordMap.get(GCP_EMAIL));
			result.put(GCP_SECRET_KEY, passwordMap.get(GCP_SECRET_KEY));
		} else if (AZURE_TYPE.equals(type)) {
			// Other credential types can be chained here
			result.put(AZURE_SECRET_KEY, passwordMap.get(AZURE_SECRET_KEY));
			result.put(AZURE_CLIENT_ID, passwordMap.get(AZURE_CLIENT_ID));
			result.put(AZURE_TENANT_ID, passwordMap.get(AZURE_TENANT_ID));
		}

		return result;
	}

	/**
	 * This method is the place where the logic to get the credential from storage goes.
	 * The object returned by the vault may be a map or a vault-specific object, depending on the vault type;
	 * for example CyberArk returns a PSDKPassword object containing all the information. Convert it into a
	 * map keyed by the discovery_credential column names before returning.
	 *
	 * @param credentialId the credential ID as configured on the instance
	 * @param safeName     vault safe holding the credential
	 * @param safeFolder   folder within the safe
	 * @param policyId     vault policy to apply to the request
	 * @return credential values keyed by discovery_credential column name (empty in this template)
	 */
	private Map<String, String> getPasswordFromStorage(String credentialId, String safeName, String safeFolder, String policyId)
	{
		Map<String, String> map = new HashMap<String, String>();

		return map;
	}

	/**
	 * Return the API version supported by this class.
	 */
	public String getVersion() {
		return "1.0";
	}

	// To test the credential resolver
	public static void main(String[] args) {
		HashMap<String, String> input = new HashMap<>();
		input.put("id", "");
		input.put("type", "gcp");
		CredentialResolver obj = new CredentialResolver();
		Map<String, String> result = obj.resolve(input);
		System.out.println("Result Map Returned : " + result);
	}

}
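As an added example (not ServiceNow's code and not part of the original post), the following resolver uses the file-based store option mentioned above: it loads a properties file kept on the MID Server host and checks that every discovery_credential column required for the requested type is present before handing the map back, failing closed on a missing value instead of returning a partial map. The class name, the file path and the "<credId>.<column>" property naming are assumptions.

```java
package com.snc.discovery;

import java.io.FileInputStream;
import java.io.IOException;
import java.util.*;

/**
 * Added example, not ServiceNow code: resolver backed by a properties file kept on the
 * MID Server host, validating the per-type column set before handing the map back.
 */
public class FileBackedCredentialResolver {

	// Assumed location of the secured file; each line is "<credId>.<column>=<value>"
	private static final String STORE_PATH = "/opt/servicenow/mid/secure/credentials.properties";

	// Columns of discovery_credential that each supported type must supply
	private static final Map<String, List<String>> REQUIRED_KEYS = new HashMap<>();
	static {
		REQUIRED_KEYS.put("gcp", Arrays.asList("email", "secret_key"));
		REQUIRED_KEYS.put("azure", Arrays.asList("tenant_id", "client_id", "secret_key"));
	}

	public Map<String, String> resolve(Map<String, String> args) {
		String credId = args.get("id");
		String type = args.get("type");
		List<String> required = REQUIRED_KEYS.get(type);
		if (credId == null || credId.isEmpty() || required == null) {
			throw new IllegalArgumentException("Missing credential id or unsupported type: " + type);
		}
		Properties store = new Properties();
		try (FileInputStream in = new FileInputStream(STORE_PATH)) {
			store.load(in);
		} catch (IOException e) {
			throw new IllegalStateException("Cannot read credential store " + STORE_PATH, e);
		}
		Map<String, String> result = new HashMap<>();
		for (String column : required) {
			String value = store.getProperty(credId + "." + column);
			if (value == null || value.isEmpty()) {
				// Fail closed: a partial map would let discovery proceed with an incomplete credential.
				// The message names the id and column only, never the secret value.
				throw new IllegalStateException("Credential " + credId + " has no value for " + column);
			}
			result.put(column, value);
		}
		return result;
	}
}
```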


Last update: 03-04-2021 08:15 AM