From 648f574094a97fd7ca4a0d5b93a60fc2b0d1d541 Mon Sep 17 00:00:00 2001
From: Rick Roca
Date: Fri, 26 Jan 2024 15:19:40 -0500
Subject: [PATCH] Heroku Final

---
.../Heroku/Discovery/Heroku Discovery.ps1 | 183 +++++++++++
.../SecretServer/Heroku/Discovery/readme.md | 190 +++++++++++
Scripts/SecretServer/Heroku/Instructions.md | 294 ++++++++++++++++++
.../Heroku Heartbeat Placeholder.ps1 | 1 +
.../Heroku RPC Placeholder.ps1 | 1 +
.../Heroku/RemotePasswordChanger/readme.md | 103 ++++++
.../Heroku Discovery Credentials.xml | 112 +++++++
.../Heroku/Templates/Heroku User Account.xml | 132 ++++++++
.../SecretServer/Heroku/Templates/readme.md | 52 ++++
Scripts/SecretServer/Heroku/readme.md | 13 +
Scripts/SecretServer/Heroku/temp.ps1 | 9 +
11 files changed, 1090 insertions(+)
create mode 100644 Scripts/SecretServer/Heroku/Discovery/Heroku Discovery.ps1
create mode 100644 Scripts/SecretServer/Heroku/Discovery/readme.md
create mode 100644 Scripts/SecretServer/Heroku/Instructions.md
create mode 100644 Scripts/SecretServer/Heroku/RemotePasswordChanger/Heroku Heartbeat Placeholder.ps1
create mode 100644 Scripts/SecretServer/Heroku/RemotePasswordChanger/Heroku RPC Placeholder.ps1
create mode 100644 Scripts/SecretServer/Heroku/RemotePasswordChanger/readme.md
create mode 100644 Scripts/SecretServer/Heroku/Templates/Heroku Discovery Credentials.xml
create mode 100644 Scripts/SecretServer/Heroku/Templates/Heroku User Account.xml
create mode 100644 Scripts/SecretServer/Heroku/Templates/readme.md
create mode 100644 Scripts/SecretServer/Heroku/readme.md
create mode 100644 Scripts/SecretServer/Heroku/temp.ps1

diff --git a/Scripts/SecretServer/Heroku/Discovery/Heroku Discovery.ps1 b/Scripts/SecretServer/Heroku/Discovery/Heroku Discovery.ps1
new file mode 100644
index 0000000..2c8029f
--- /dev/null
+++ b/Scripts/SecretServer/Heroku/Discovery/Heroku Discovery.ps1
@@ -0,0 +1,183 @@ +#Args used for development (Remove before pushing to production): + + + +Import-Module -Name "$env:ProgramFiles\Thycotic Software Ltd\Distributed Engine\Delinea.PoSH.Helpers\Utils.psm1" + +#region define variables + #Define Argument Variables + +[string]$DiscoveryMode = $args[0] +[string]$apiKey = $args[1] +[string]$teamName = $args[2] +[string]$adminRoles = $args[3] +[string]$svcacctNamePrefixes = $args[4] + + +#Script Constants +[string]$baseURL = "https://api.heroku.com" +[string]$LogFile = "$env:ProgramFiles\Thycotic Software Ltd\Distributed Engine\log\Heroku-Discovery.log" + +[int32]$LogLevel = 3 +[string]$logApplicationHeader = "Heroku Discovery" + +#create Arrays +$adminRolesArray = $adminRoles.split(",") +$svcacctNamePrefixeArray = $svcacctNamePrefixes.Split(",") +#endregion + + + +#region Discovery Filtering Functions + +function isSvcAcct{ +param( +[string]$userName +) +try +{ + + foreach ($svcAcctPrefix in $svcacctNamePrefixeArray) + { + $svcAcctPrefix =$svcAcctPrefix.Trim() + if($userName.IndexOf($svcAcctPrefix) -eq 0) + { + $isSvcAcct = $true + + break + } + else{$isSvcAcct = $false} + } + } +catch + { + $Err = $_ + Write-Log -ErrorLevel 0 -Message "Check if Service Acct Failed" -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile + Write-Log -ErrorLevel 2 -Message $Err.Exception -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile + throw $Err.Exception + } + +return $isSvcAcct +} + +function isAdminAcct{ + param( + $userRole + ) + try + { + + foreach ($role in $adminRolesArray) + { + $role = $role.Trim() + if($role-like $userRole) + { + $isAdminAcct = $true + + break + } + else{$isAdminAcct = $false} + } + } + catch + { + $Err = $_ + Write-Log -ErrorLevel 0 -Message "Check if Service Acct Failed" -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile + Write-Log -ErrorLevel 2 -Message $Err.Exception -logApplicationHeader $logApplicationHeader 
-LogLevel $LogLevel -LogFile $LogFile + throw $Err.Exception + } + + return $isAdminAcct + } + +#endregion + + + + +#region get admin users + # Fetching users associated with this role(s) + +#endregion Get Admin Users + +#region Main Process + +#creatte Headers +$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" +$headers.Add("Content-Type", 'application/json') +$headers.Add("Authorization", "Bearer $apikey") +$headers.Add("Accept", "application/vnd.heroku+json; version=3") + +# Get all users +$url = "$baseURL/teams/$TeamNAme/members" +$userlist = Invoke-RestMethod -uri $url -Headers $headers + + + + +#endregion + +#define Output Array +$foundAccounts = @() + +Try { + #Process Users + Write-Log -Errorlevel 0 -Message "Discovering Users" -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile + if($DiscoveryMode -eq "Default") + { + foreach ($user in $userlist) + { + $username = $allusers | Where-Object gid -eq $user.user.gid + $object = New-Object -TypeName PSObject + $object | Add-Member -MemberType NoteProperty -Name tenanturl -Value $user.team.name + $object | Add-Member -MemberType NoteProperty -Name username -Value $username.email + + $foundAccounts += $object + + } + } + else{ + foreach ($user in $userlist) + { + $userName = $user.email + ### check if is admin and svc account + $isAdmin = isAdminAcct -userRole $user.role + + $isServiceAccount = isSvcAcct -userName $userName + + if ($user.federated) + { + $isLocal = $false + } + else + { + $isLocal = $true + } + + + + $object = New-Object -TypeName PSObject + $object | Add-Member -MemberType NoteProperty -Name tenant-url -Value $teamName + $object | Add-Member -MemberType NoteProperty -Name username -Value $username + $object | Add-Member -MemberType NoteProperty -Name Admin-Account -Value $isadmin + $object | Add-Member -MemberType NoteProperty -Name Service-Account -Value $isServiceAccount + $object | Add-Member -MemberType NoteProperty -Name 
Local-Account -Value $isLocal + + $foundAccounts += $object + + + } + + if($svcAcctNames){Write-Log -Errorlevel 0 -Message "List of Service Accounts defined by Service Account Naming Convention pattern(s) parameter: $($svcAcctNames)" -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile} + } + +} +catch { + $Err = $_ + Write-Log -ErrorLevel 0 -Message "Account Discovery-Filtering failed" -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile + Write-Log -ErrorLevel 2 -Message $Err.Exception -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile + throw $Err.Exception +} +#endregion Main Process +Write-Log -ErrorLevel 0 -Message "Successfully Found $($foundAccounts.Count) Matching Accounts" -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile +return $foundAccounts \ No newline at end of file diff --git a/Scripts/SecretServer/Heroku/Discovery/readme.md b/Scripts/SecretServer/Heroku/Discovery/readme.md new file mode 100644 index 0000000..2744ed0 --- /dev/null +++ b/Scripts/SecretServer/Heroku/Discovery/readme.md 
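Review bot: In `isSvcAcct` an empty or blank Service-Account-Prefixes value flags every user as a service account: `"".Split(",")` yields a single empty string and `$userName.IndexOf("")` returns 0, so `$isSvcAcct` becomes `$true` for all members and the misclassification is emitted as a result rather than an error; add `if ([string]::IsNullOrWhiteSpace($svcAcctPrefix)) { continue }` after the `Trim()` and prefer `$userName.StartsWith($svcAcctPrefix, [System.StringComparison]::OrdinalIgnoreCase)` over the culture-sensitive `IndexOf`, which is also case-sensitive although the package readme describes the filter as case-insensitive. The `Default` branch reads `$allusers`, which nothing in this script assigns, and emits a `tenanturl` property while the other branch and the Account Scan Template use `tenant-url`, so Default mode yields empty usernames that will not map to the template. The `Invoke-RestMethod` call against `/teams/$TeamNAme/members` sits outside the try/catch, so an authentication or rate-limit failure never reaches `Heroku-Discovery.log`; as far as I recall Heroku list endpoints are paginated via `Range`/`Next-Range` headers, so teams larger than one page would be silently truncated — worth confirming against the API reference. Finally, the positional contract `$args[0]`..`$args[4]` (DiscoveryMode, apiKey, teamName, adminRoles, svcacctNamePrefixes) is undocumented in the script while the Discovery readme in this commit passes a different argument set (`$[1]$PAToken $[1]$service-account-name $[1]$DomainName`), which would place the token in `$DiscoveryMode`; a header comment listing the expected arguments in order would make that mismatch visible, and `$svcAcctNames` in the closing log line is never defined.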
@@ -0,0 +1,190 @@ +# Heroku Local Account Discovery + +## Create Discovery Source + +This scanner can help perform a Scan for user accounts within Heroku. Account types will be distinguished by roles, and/or Username prefixes sites designated by Heroku. + +### Create SaaS Scan Template +If this Script has already been created in another Delinea Integration package please skip +to the [Create Account Scan Template](#create-account-scan-template ) + +- Log in to Secret Server Tenant +- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates** +- Click **Create Scan Template** +- Fill out the required fields with the information + - **Nmae:** (Example: SaaS Tenant) + - **Active:** (Checked) + - **Scan Type:** Host + - **Parent Scan Template:** Host Range + - **Fields** + - Change HostRange to **tenant-url** + - Click Save + - This completes the creation of the Saas Scan Template Creation + + +### Create Account Scan Template + +- Log in to Secret Server Tenant +- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates** +- Click **Create Scan Template** +- Fill out the required fields with the information + - **Nmae:** (Example: Heroku Account) + - **Active:** (Checked) + - **Scan Type:** Account + - **Parent Scan Template:** Account(Basic) + - **Fields** + - Change Resource to **tenant-url** + - Add field: Admin-Account (Leave Parent and Include in Match Blank) + - Add field: Service-Account (Leave Parent and Include in Match Blank) + - Add field: Local-Account (Leave Parent and Include in Match Blank) + - Click Save + - This completes the creation of the Account Scan Template Creation + +### Create Discovery Script + +- Log in to Secret Server Tenant +- Navigate to **ADMIN** > **Scripts** +- Click on **Create Script** +- Fill out the required fields with the information from the application registration + - Name: (example Heroku Local Account Scanner) + - Description: (Enter 
something meaningful to your Organization) + - Active: (Checked) + - Script Type: Powershell + - Category: Discovery Scanner + - Merge Fields: Leave Blank + - Script: Copy and paste the Script included in the file [Heroku Discovery.ps1](./Heroku%20Discovery.ps1) + - Click Save + - This completes the creation of the Local Account Discovery Script + +### Create Saas Tenant Scanner + +If this Script has already been created in another Delinea Integration package please skip +to the [Create Account Scanner Section](#create-Heroku-account-scanner) + +- Log in to Secret Server Tenant +- Navigate to **ADMIN** > **Discovery** > **Configuration** > + - Click **Discovery Configuration Options** > **Scanner Definitions** > **Scanners** + - Click **Create Scanner** + - Fill out the required fields with the information + - **Name:** > SaaS Tenant Scanner + - **Description:** (Example - Base scanner used to discover SaaS applications) + - **Discovery Type:** Host + - **Base Scanner:** Host + - **Input Template**: Manual Input Discovery + - **Output Template:**: Saas Tenant (Use Template that Was Created in the [SaaS Scan Template Section](#create-saas-scan-template)) + - Click Save + - This completes the creation of the Saas Tenant Scanner + +### Create Heroku Account Scanner + +- Log in to Secret Server Tenant +- Navigate to **ADMIN** > **Discovery** > **Configuration** > + - Click **Discovery Configuration Options** > **Scanner Definitions** > **Scanners** + - Click **Create Scanner** + - Fill out the required fields with the information + - **Name:** (Example - Heroku Local Account Scanner) + - **Description:** (Example - Discovers Heroku local accounts according to configured Discovery Account template ) + - **Discovery Type:** Account + - **Base Scanner:** PowerShell Discovery Create Discovery Script + - **Input Template**: SaaS Tenant (Use Template that Was Created in the [SaaS Scan Template Section](#create-saas-scan-template)) + - **Output Template:**: Heroku Account 
(Use Template that Was Created in the [Create Account Scan Template Section](#create-account-scan-template)) + - **Script:** Heroku Local Account Scanner (Use Script Created in the [Create Discovery Script Section](#create-discovery-script)) + - **Script Arguments:** + ```Advanced $[1]$PAToken $[1]$service-account-name $[1]$DomainName``` + - Click Save + - This completes the creation of the Heroku Account Scanner + +### Create Discovery Source + +- Navigate to **Admin | Discovery** +- Click **Create** drop-down +- Click **Empty Discovery Source** +-Enter the Values below + - **Name:** (example: Heroku Tenant) + - **Site** (Select Site Where Discovery will run) + - **Source Type** Empty +- Click Save +- Click Cancel on the Add Flow Screen +- Click **Add Scanner** +- Find the Saas Tenant Scanner or the Scanner Created in the [Create Saas Tenant Scanner Section](#create-saas-tenant-scanner) and Click **Add Scanner** +- Select the Scanner just Ceated and Click **Edit Scanner** +- In the **lines Parse Format** Section Enter the Source Name (example: Heroku Tenant) +- Click **Save** + +- Click **Add Scanner** +- Find the Heroku Local Account Scanner or the Scanner Creatted in the [Create Heroku Account Scanner Section](#create-Heroku-account-scanner) and Click **Add Scanner** +- Select the Scanner just Created and Click **Edit Scanner** +- Click **Edit Scanner** +- Click the **Add Secret** Link +- Search for the Discovery Account Secret created in the [Instructions.md file](../Instructions.md) +- Check the Use Site Run As Secret Check box to enable it + **Note Default Site run as Secret had to be setup in the Site configuration. 
+ See the [Setting the Default PowerShell Credential for a Site](https://docs.delinea.com/online-help/secret-server/authentication/secret-based-credentials-for-scripts/index.htm?Highlight=site) Section in the Delinea Documentation +- Click Save +- Click on the Discovery Source tab and Click the Active check box +- This completes the creation of the Discovery Source + + +### Next Steps + + The Heroku configuration is now complete. The next step is to run a manual discovery scan. +- Navigate to **Admin | Discovery** +- Click the **Run Discovery Now** (Dropdown) and select **Run Discovery Scan** +- Click on the **Network view** Button in the upper right corner +- Click on the newly created discocvery source +- Click the **Domain \ Cloud Accounts** tab to view the discovered accounts + +## Optional Report + + + +In this section, There are instructions on creating an optional report to display user information found in the discovery. + + + +- Login to Secret Server Tenant (If you have not already done so) + +- Navigate to the Reports module +- click on the New Report Button +- Fill in the following values: + - Name: The name of the Discovery Source you just Created in the [Create Discovery Source ](#create-discovery-source) Section + - Description: (Enter something meaningful to your organization) + - Category: Select the Section where you would like the report to appear (ex. Discovery Scan) + - Report SQL: Copy and Paste the SQL Query below + ***Note** " You must replace the WHERE d.DiscoverySourceId = 32 value with the Discovery Source ID of the Discovery source you are reporting on. 
You can find this by opening up the Discovery source and finding the ID in the URL + + +``` SQL + +SELECT + +d.[ComputerAccountId] + +,d.[CreatedDate] + +,d.[AccountName] AS [Username] + +,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Tenant-url' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Domain] + +,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Admin-Account' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Is Admin] + +,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Service-Account' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Is Service Acount] + +,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Local-Account' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Is Service Acount] + +FROM tbComputerAccount AS d + +CROSS APPLY OPENJSON (d.AdditionalData) AS adata + +INNER JOIN tbScanItemTemplate AS s ON s.ScanItemTemplateId = d.ScanItemTemplateId + +WHERE d.DiscoverySourceId = 32 + +GROUP BY d.ComputerAccountId, d.AccountName, d.CreatedDate + + + +``` +- Click Save + +You will now find this report under the section you chose in the Category field. \ No newline at end of file diff --git a/Scripts/SecretServer/Heroku/Instructions.md b/Scripts/SecretServer/Heroku/Instructions.md new file mode 100644 index 0000000..131fc8a --- /dev/null +++ b/Scripts/SecretServer/Heroku/Instructions.md 
@@ -0,0 +1,294 @@ +# Heroku Connector Base Configuration + + + + + +This connector provides the following functions + + + + + +- Discovery of Heroku User Accounts in a given team + + + +** Note ** A different Discovery source and Access Key Secret and Discovery Source will be Needed for each Team + + + + + +## Not currently available in Heroku Cloud + + + + + +- Remote Password Changing Heroku users + + + +- Heartbeats to verify that user credentials are still valid + + + + + +Follow the Steps below to complete the base setup for the Connector + + + +# Authentication and Authorization Disclaimer + + + +The provided configurations are developed by using a static API access key for Authentication and Authorization. This the only current method to authentcate and provide the neccessary access to complete this process. Due to a user challenge requirement with authorization code grant type, we have opted to use a static token for this automation integration. The supported grant types are: + +- JSON Web Token Signed from an RSA key (256 bit encryption padded to PKCS11; This can change later as features are needed) + +- Client Credentials + +- Basic Authentication (64 base encoded key value pair) + +- API Access Key + + + + +# Prepare API Access Key Authentication + + + + + +## OAuth API Access Key Flow in Heroku + + + + + +This connector utilizes an API key authentication to interact with Heroku. This will use the OAUTH2 API access key process by which the Authorization bearer is in fact the API key value. This is also called "Direct Authorization" in Heroku. + + + +​ + + + +### Prerequisites + + + + + +- Login to a Heroku instance with administrative privileges (i.e. a user who has a RO systems administrator role). + + + +- API access key created in the Heroku tenant + + + +- Basic understanding of API Access Keys. + + + + + +## Create an API Access Key + + + + + +- Create an API Access Key for for programmatic Discovery. 
+ + + +- This token will mimic the user who granted the token's access. Look here for a direct authorization explanation [here](https://devcenter.heroku.com/articles/oauth#direct-authorization). + + + +*** For more information click [here](https://devcenter.heroku.com/articles/oauth). + + + + + +## What is needed + + + + + +- Heroku API Access Key + + + +- Login to Heroku > Click your user name in your Heroku dashboard in the top right > Click Account Settings > Click Reveal API Key + + + +- Document the values of the API Access Key as they will be needed in the upcoming sections + + + +- Ensure the token is from a service account with just the necessary permissions fro the discovery + + + +# Creating secret template for Heroku Accounts + + + + + +### Heroku User Account Template + + + + + +The following steps are required to create the Secret Template for Heroku Users: + + + + + +- Log in to the Delinea Secret Server (If you have not already done so) + + + +- Navigate to Admin / Secret Templates + + + +- Click on Create / Import Template + + + +- Click on Import. + + + +- Copy and Paste the XML in the [Heroku User Template.xml File](./Templates/Heroku%20User%20Account.xml) + + + +- Click on Save + + + +- This completes the creation of the User Account template + + + + + +### Heroku Discovery Account Template + + + + + +The following steps are required to create the Secret Template for Heroku Discovery Account: + + + + + +- Log in to the Delinea Secret Server (If you have not already done so) + + + +- Navigate to Admin / Secret Templates + + + +- Click on Create / Import Template + + + +- Click on Import. 
+ + + +- Copy and Paste the XML in the [Heroku Discovery Credentials Template.xml File](./Templates/Heroku%20Discovery%20Credentials.xml) + + + +- Click on Save + + + +- This completes the creation of the Discovery Account template + + + + + +## Create secret in Secret Server for the Heroku Discovery Account + + + +- Log in to the Delinea Secret Server (If you have not already done so) + + + +- Navigate to Secrets + + + +- Click on Create Secret + + + +- Select the template created in the earlier step [Above](#heroku-discovery-account-template). + + + +- Fill out the required fields with the information from the application registration + + + +- Secret Name (for example Heroku Discovery Account) + + + +- TeamName (Heroku team to be Discovered) + + + +- The following field values are as created in the [Create an OAuth Application Registry](#create-an-oauth-application-registry) Section + + + +- ApiKey + + + +- AdminRoles - A single or comma separated list Roles to be considered Admin Accounts (ex: admin,Partial Admins) + + + +- Service-Account-Prefixes A single or comma separated list username prefixes to be considered Admin Accounts (ex: svc,Service) + + + +- Click Create Secret + + + +- This completes the creation of a secret in Secret Server for the Heroku Discovery Account + + + +## Next Steps + + + + + +Once the tasks above are completed you can now proceed to create a [Discovery Scanner](./Discovery/readme.md) \ No newline at end of file diff --git a/Scripts/SecretServer/Heroku/RemotePasswordChanger/Heroku Heartbeat Placeholder.ps1 b/Scripts/SecretServer/Heroku/RemotePasswordChanger/Heroku Heartbeat Placeholder.ps1 new file mode 100644 index 0000000..6d92385 --- /dev/null +++ b/Scripts/SecretServer/Heroku/RemotePasswordChanger/Heroku Heartbeat Placeholder.ps1 @@ -0,0 +1 @@ +return $true \ No newline at end of file 
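Review bot: A heartbeat script that unconditionally `return $true` marks every Heroku user secret as healthy even after the password has changed or the account has been removed, so the green heartbeat status carries no information; the RemotePasswordChanger readme discloses this, but the script body itself gives no hint it is a stub. Add a header comment such as `# Placeholder heartbeat: Heroku exposes no API to verify a user password; this always reports success` so an operator reading the script inside Secret Server does not mistake the status for a verification, and consider documenting Enable Heartbeat as unchecked rather than scheduling a no-op every 4 hours.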
diff --git a/Scripts/SecretServer/Heroku/RemotePasswordChanger/Heroku RPC Placeholder.ps1 b/Scripts/SecretServer/Heroku/RemotePasswordChanger/Heroku RPC Placeholder.ps1
new file mode 100644
index 0000000..6d92385
--- /dev/null
+++ b/Scripts/SecretServer/Heroku/RemotePasswordChanger/Heroku RPC Placeholder.ps1
@@ -0,0 +1 @@
+return $true
\ No newline at end of file
diff --git a/Scripts/SecretServer/Heroku/RemotePasswordChanger/readme.md b/Scripts/SecretServer/Heroku/RemotePasswordChanger/readme.md
new file mode 100644
index 0000000..43284d3
--- /dev/null
+++ b/Scripts/SecretServer/Heroku/RemotePasswordChanger/readme.md
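Review bot: `return $true` reports a successful password change without contacting Heroku, so if anyone triggers a remote change on a secret using this changer (the RemotePasswordChanger readme in this commit instructs users to check Enable RPC on the user template), Secret Server will overwrite the vaulted password with a freshly generated value that Heroku never received, and the stored credential silently becomes wrong. Since the same readme states Heroku does not support RPC, the safer placeholder fails loudly, e.g. `throw "Remote password changing is not supported for Heroku user accounts"`, which Secret Server should record as a failed change (confirm against your version), and the script should carry a `# Placeholder: Heroku exposes no password-change API; intentionally performs no change` comment so the stub is not mistaken for a working changer.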
@@ -0,0 +1,103 @@ +# Heroku Remote Password changer + +The steps below show how to Set up and configure a Heroku Remote Password Changer, and Delinea Secret Server. + +If you have not already done so, please follow the steps in the **Instructions.md Document** found [Here](../Instructions.md) + +## Disclaimer +> [!WARNING] +> **Currently, Heroku does not support remote password changing or heartbeat for user accounts. The scripts provided here are placeholders to enable the functionality within and for Discovery.** + + +## Create Scripts + +### Remote Password Changer Script + +- Log in to Secret Server Tenant +- Navigate to **ADMIN** > **Scripts** +- Click on **Create Script** +- Fill out the required fields + - **Name**: ( example Heroku Remote Password Changer) + - **Description**: (Enter something meaningful to your Organization) + - **Active** (Checked) + - **Script Type**: Powershell + - **Category**: Password Changing + - **Merge Fields**: Leave Blank + - **Script**: Copy and paste the Script included [Here]](./Heroku%20RPC%20Placeholder.ps1) + - Click Save + - This completes the creation of the Remote Password Script + +### Heartbeat Script + +- Log in to Secret Server Tenant +- Navigate to **ADMIN** > **Scripts** +- Click on **Create Script** +- Fill out the required fields + - **Name**: ( example Heroku Heartbeat) + - **Description**: (Enter something meaningful to your Organization) + - **Active** (Checked) + - **Script Type**: Powershell + - **Category**: Heartbeat + - **Merge Fields**: Leave Blank + - **Script**: Copy and paste the Script included in the file [Heroku Heartbeat.ps1](./Heroku%20Heartbeat%20Placeholder.ps1) + - Click Save + - This completes the creation of the Heroku Heartbeat Script + +## Create Password Changer + +- Log in to Secret Server Tenant (if not already logged in) +- Navigate to **ADMIN** > **Remote Password Changing** +- Click on Options (Dropdown List) and select ***Configure Password Changers** +- Click on Create Password 
Changer +- Click on ***Base Password Changer* (Dropdown List) and Select PowerShell Script +- Enter a Name (Example - Heroku Remote Password Changer ) +- Click Save + - Under the **Verify Password Changed Commands** section, Enter the following information: + - **PowerShell Script** (DropdownList) Select PowerShell Script or the Script that was Created in the [Heartbeat](#heartbeat-script) Section + + - **Script Args**: ``` ``` + - Click **Save** + +- Under the **Password Change Commands** Section, Enter the following information: + - **PowerShell Script** (DropdownList) Select PowerShell Script or the Script that was Created in the [remote-password-changer-script](#remote-password-changer-script) Section + + - **Script Args**: ``` ``` + - Click **Save** +- This completes the creation of the RemotePassword Changer + +## Update Heroku User template + +- Log in to Secret Server Tenant (if not already logged in) +- Navigate to **ADMIN** > **Secret Templates** +- Find and Select the Heroku User Template created in the [Instructions.md Document](../Instructions.md) + - Select the **Mapping** Tab + - In the **Password Changing** section, click edit and fill out the following + - **Enable RPC** Checked + - **RPC Max Attempts** 12 + - **RPC Interval Hours** 8 + - **Enable Heartbeat** Checked + - **Heartbeat Interval Hours** 4 + - **Password Type to use** Select **Heroku Remote Password Changer** or the Password Changer create in the [Create Password Changer Section](#create-password-changer) +- In the **Password Type Fields** Section, fill out the following + - **Domain** tenant-url + - **Password** Password + - **Username** Username +- Click Save +- This completes the Update Heroku User template section + +## Update Remote Password Changer + +- Log in to Secret Server Tenant (if not already logged in) +- Navigate to **ADMIN** > **Remote Password Changing** +- Click on Options (Dropdown List) and select ***Configure Password Changers** +- Select the Heroku Remote Password 
Changer or the Password Changer created in the [create-password-change](#create-password-changer) section +- Click **Configure Scan Template at the bottom of the page** +- Click Edit +- Click the **Scan Template to use** (Dropdown List) Select the Heroku User template created in the [Instructions.md Document](../Instructions.md) +- Map the following fields that appear after the selection + - **tenant-url** -> Domain + - **Username** -> username + - **Password** -> password + - Leave all other fields blank +- Click Save +- This completes the Update Remote Password Changer section \ No newline at end of file diff --git a/Scripts/SecretServer/Heroku/Templates/Heroku Discovery Credentials.xml b/Scripts/SecretServer/Heroku/Templates/Heroku Discovery Credentials.xml new file mode 100644 index 0000000..8938dad --- /dev/null +++ b/Scripts/SecretServer/Heroku/Templates/Heroku Discovery Credentials.xml @@ -0,0 +1,112 @@ + + + Huroku Discovery Account + true + + + Teamnaame + + Teamnaame + true + false + false + false + + false + + -1 + 2147483647 + false + 2 + false + Teamnaame + false + + + Discovery-Mode + + Discovery-Mode + true + false + false + false + + false + + -1 + 2147483647 + false + 2 + false + discovery-mode + false + + + ApiKey + + ApiKey + true + false + true + false + + false + + -1 + 2147483647 + false + 2 + false + apikey + false + + + AdminRoles + + AdminRoles + true + false + false + true + + false + + -1 + 2147483647 + false + 2 + false + AdminRoles + false + + + Service-Account-Prefixes + + Service-Account-Prefixes + true + false + false + true + + false + + -1 + 2147483647 + false + 2 + false + Service-Account-Prefixes + false + + + 90 + 0 + fa-cogs + + + + + false + false + + \ No newline at end of file diff --git a/Scripts/SecretServer/Heroku/Templates/Heroku User Account.xml b/Scripts/SecretServer/Heroku/Templates/Heroku User Account.xml new file mode 100644 index 0000000..688a243 --- /dev/null 
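Review bot: The template's display name is `Huroku Discovery Account` (typo) and its first field is `Teamnaame`, while the Instructions in this commit tell the reader to fill in `TeamName`; I believe Secret Server resolves the scanner's `$[1]$field` argument tokens against these field slugs, so the misspelling would propagate into the scanner configuration and is awkward to fix once secrets exist. Rename to `Heroku Discovery Account` and `TeamName` before the template is imported anywhere. The XML tags were stripped in this rendering, so I cannot tell which flag marks a field as a masked password; `ApiKey` is the only field in this template whose third flag is `true`, matching `Password` in the user template, which presumably is that flag — confirm it is set so the key is never shown in clear in the UI, reports or exports.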
+++ b/Scripts/SecretServer/Heroku/Templates/Heroku User Account.xml @@ -0,0 +1,132 @@ + + + _Asana User Account + true + + + tenant-url + + tenant-url + true + false + false + false + + false + + -1 + 2147483647 + true + 2 + false + tenant-url + false + + + Username + + Username + true + false + false + false + + false + + -1 + 2147483647 + false + 2 + false + username + false + + + Password + + Password + true + false + true + false + + false + + -1 + 2147483647 + false + 2 + false + password + false + + + Admin-Account + + Admin-Account + true + false + false + false + + false + + -1 + 2147483647 + false + 2 + false + admin-account + false + + + Service-Account + + Service-Account + true + false + false + false + + false + + -1 + 2147483647 + false + 2 + false + service-account + false + + + Local-Account + + Local-Account + true + false + false + false + + false + + -1 + 2147483647 + false + 2 + false + local-account + false + + + + 0 + 0 + fa-cogs + + + + + false + false + + \ No newline at end of file diff --git a/Scripts/SecretServer/Heroku/Templates/readme.md b/Scripts/SecretServer/Heroku/Templates/readme.md new file mode 100644 index 0000000..825346f --- /dev/null +++ b/Scripts/SecretServer/Heroku/Templates/readme.md 
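Review bot: The user account template is named `_Asana User Account`, a leftover from the Asana package this was copied from, and the Templates/readme.md added in the same commit is still entirely Asana text; anyone following the Instructions to select the Heroku User Template will not find a template by that name. Rename it to `Heroku User Account` and either rewrite or drop Templates/readme.md so the package has one set of field names. With the XML tags stripped I also cannot tell which attribute the lone `true` on the `tenant-url` field is (every other field has `false` in that position); confirm it is intentional, since the RPC readme maps `tenant-url` to the changer's Domain field.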
@@ -0,0 +1,52 @@ +# Creating secret template for Asana Accounts + +### Asana User Account Template + +The following steps are required to create the Secret Template for Asana Users: + +- Log in to the Delinea Secret Server (If you have not already done so) +- Navigate to Admin / Secret Templates +- Click on Create / Import Template +- Click on Import. +- Copy and Paste the XML in the [Asana User Template.xml File](./Asana%20User%20Account.xml) +- Click on Save +- This completes the creation of the User Account template + +### Asana Discovery Account Template + +The following steps are required to create the Secret Template for Asana Discovery Account: + +- Log in to the Delinea Secret Server (If you have not already done so) +- Navigate to Admin / Secret Templates +- Click on Create / Import Template +- Click on Import. +- Copy and Paste the XML in the [Asana Discovery Account Template.xml File](./Asana%20Discovery%20Credentials.xml) +- Click on Save +- This completes the creation of the Discovery Account template + + +## Create secret in Secret Server for the Asana Discovery Account + +- Log in to the Delinea Secret Server (If you have not already done so) +- Navigate to Secrets +- Click on Create Secret +- Select the template created in the earlier step [Above](#Asana-discovery-account-template). +- Fill out the required fields with the information from the application registration + - Secret Name (for example Asana Discovery Account) + - tenant-url (base Asana url with no trailing slash) + - The following field values are as created in the [Create an OAuth Application Registry](../Instructions.md#create-an-oauth-application-registry) Section + - PAToken + - service-account-name + - DomainName + - Click Create Secret + - This completes the creation of a secret in Secret Server for the Asana Discovery Account + + +- The **service-account-name** field will contain a comma-separated list of Naming conventions you designate as **Service Accounts**. 
This assumes you have allocated and assigned a naming convention specifically for demarking service accounts. + Examples to match naming conventions like *svc-accountName* and *ApplicationSvc2*: ```Svc-*,*svc*``` +> [!IMPORTANT] +> A wildcard character (*) will be used to format the naming convention appropriately. Currently, the filter does **not** use Regular Expression and is not case sensitive. + +- The **DomainName** field will contain a single domain for identifying users of a particular domain. All users not part of this domain will be considered "Local Accounts". +> [!NOTE] +> This field is matched from the domain of users' email address. For example, if the field value contains "Domain.com", any user's email with @domain.com will be matched (Local-Account = False) and all other domains will return Local-Account = True. \ No newline at end of file diff --git a/Scripts/SecretServer/Heroku/readme.md b/Scripts/SecretServer/Heroku/readme.md new file mode 100644 index 0000000..c65c583 --- /dev/null +++ b/Scripts/SecretServer/Heroku/readme.md 
@@ -0,0 +1,13 @@
+# Heroku Delinea Secret Server Integration
+
+
+
+This package is designed to discover Heroku User Accounts. It will provide detailed instructions and the necessary Scripts to perform these functions. Before beginning to implement any of the specific processes it is a requirement to perform the tasks contained in the Instructions.md document which can be found [Here](./Instructions.md)
+
+
+
+# Disclaimer
+
+
+
+The provided scripts are for informational purposes only and are not intended to be used for any production or commercial purposes. You are responsible for ensuring that the scripts are compatible with your system and that you have the necessary permissions to run them. The provided scripts are not guaranteed to be error-free or to function as intended. The end user is responsible for testing the scripts thoroughly before using them in any environment. The authors of the scripts are not responsible for any damages or losses that may result from the use of the scripts. The end user agrees to use the provided scripts at their own risk. Please note that the provided scripts may be subject to change without notice.
\ No newline at end of file
diff --git a/Scripts/SecretServer/Heroku/temp.ps1 b/Scripts/SecretServer/Heroku/temp.ps1
new file mode 100644
index 0000000..7be6872
--- /dev/null
+++ b/Scripts/SecretServer/Heroku/temp.ps1
@@ -0,0 +1,9 @@
+$apikey ="6b4404e1-4d5e-4af9-9d31-7ab44e8eaf02"
+$TeamNAme = "workdayintegrations"
+$url = "https://api.heroku.com/teams/$TeamNAme/members"
+$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
+$headers.Add("Content-Type", 'application/json')
+$headers.Add("Authorization", "Bearer $apikey")
+$headers.Add("Accept", "application/vnd.heroku+json; version=3")
+
+Invoke-RestMethod -uri $url -Headers $headers
\ No newline at end of file
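Review bot: temp.ps1 commits a credential-shaped Heroku API key (`$apikey ="6b4404e1-4d5e-4af9-9d31-7ab44e8eaf02"`, the UUID form Heroku uses) together with a real team name, and the Instructions in this same commit note that such a key acts with the full authority of the account that issued it; whether or not it is still valid, it should be treated as exposed and regenerated in Heroku Account Settings now. Deleting the file in a later commit does not remove the value from history, so drop it from this commit (or rewrite history before merge) and add scratch files like this to `.gitignore`. The committed `Heroku Discovery.ps1` already takes the key from `$args[1]`, so this script has no remaining role in the package.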