Added support for FortiSOAR password vault

fortinet-fortisoar · Dec 21, 2024 · 438ab1f · 438ab1f
1 parent 3c5fb5c
commit 438ab1f
Show file tree

Hide file tree

Showing 7 changed files with 1,345 additions and 595 deletions.
diff --git a/azure-key-vault/info.json b/azure-key-vault/info.json
@@ -5,11 +5,14 @@
   "publisher": "Fortinet",
   "cs_approved": true,
   "cs_compatible": true,
-  "version": "1.0.0",
+  "version": "2.0.0",
   "category": "Identity and Access Management",
+  "tags": [
+    "vault"
+  ],
   "icon_small_name": "small.png",
   "icon_large_name": "large.png",
-  "help_online": "https://docs.fortinet.com/document/fortisoar/1.0.0/azure-key-vault/553/azure-key-vault-v1-0-0",
+  "help_online": "",
   "configuration": {
     "fields": [
       {
@@ -56,6 +59,30 @@
         "visible": true,
         "value": ""
       },
+      {
+        "title": "Use As Vault",
+        "required": false,
+        "editable": true,
+        "visible": true,
+        "value": false,
+        "type": "checkbox",
+        "name": "use_vault",
+        "description": "Azure Key Vault integration has other important actions apart from its usage as purely a vault. However, if you intend to use it as a vault in the system, check this option, i.e., set it to \"True\" and configure the following additional parameter that are required parameter Vault Name: Name of the vault that stores the credentials.",
+        "tooltip": "Azure Key Vault integration has other important actions apart from its usage as purely a vault. However, if you intend to use it as a vault in the system, check this option, i.e., set it to \"True\".",
+        "onchange": {
+          "true": [
+            {
+              "title": "Vault Name",
+              "name": "vault_name",
+              "description": "Name of the vault that stores the passwords.",
+              "type": "text",
+              "visible": true,
+              "editable": true,
+              "required": true
+            }
+          ]
+        }
+      },
       {
         "title": "Verify SSL",
         "required": false,
@@ -142,6 +169,12 @@
             }
           ],
           "enabledForDeployment": "",
+          "networkAcls": {
+            "bypass": "",
+            "ipRules": [],
+            "defaultAction": "",
+            "virtualNetworkRules": []
+          },
           "enabledForDiskEncryption": "",
           "enabledForTemplateDeployment": "",
           "enableSoftDelete": "",
@@ -311,12 +344,16 @@
           {
             "kid": "",
             "attributes": {
+              "exp": "",
+              "nbf": "",
               "enabled": "",
               "created": "",
               "updated": "",
               "recoveryLevel": "",
-              "exportable": ""
+              "exportable": "",
+              "recoverableDays": ""
             },
+            "managed": "",
             "tags": {}
           }
         ],
@@ -375,7 +412,9 @@
           "enabled": "",
           "created": "",
           "updated": "",
-          "recoveryLevel": ""
+          "recoveryLevel": "",
+          "recoverableDays": "",
+          "exportable": ""
         },
         "tags": {}
       },
@@ -435,7 +474,8 @@
           "created": "",
           "updated": "",
           "recoveryLevel": "",
-          "exportable": ""
+          "exportable": "",
+          "recoverableDays": ""
         },
         "tags": {}
       },
@@ -480,8 +520,10 @@
               "exp": "",
               "created": "",
               "updated": "",
-              "recoveryLevel": ""
+              "recoveryLevel": "",
+              "recoverableDays": ""
             },
+            "managed": "",
             "tags": {}
           }
         ],
@@ -538,7 +580,8 @@
           "exp": "",
           "created": "",
           "updated": "",
-          "recoveryLevel": ""
+          "recoveryLevel": "",
+          "recoverableDays": ""
         },
         "tags": {}
       },
@@ -594,7 +637,8 @@
           "exp": "",
           "created": "",
           "updated": "",
-          "recoveryLevel": ""
+          "recoveryLevel": "",
+          "recoverableDays": ""
         },
         "tags": {}
       },
@@ -710,7 +754,8 @@
           "exp": "",
           "created": "",
           "updated": "",
-          "recoveryLevel": ""
+          "recoveryLevel": "",
+          "recoverableDays": ""
         },
         "tags": {},
         "policy": {
@@ -967,7 +1012,20 @@
       "category": "investigation",
       "annotation": "get_versions",
       "output_schema": {
-        "value": [],
+        "value": [
+          {
+            "kid": "",
+            "tags": {},
+            "attributes": {
+              "created": "",
+              "enabled": "",
+              "updated": "",
+              "exportable": "",
+              "recoveryLevel": "",
+              "recoverableDays": ""
+            }
+          }
+        ],
         "nextLink": ""
       },
       "parameters": [
@@ -1058,6 +1116,73 @@
         }
       ],
       "enabled": true
+    },
+    {
+      "operation": "get_credentials",
+      "title": "Get Credentials",
+      "description": "Retrieves a list of the secrets from the Azure Key Vault based on the vault name you have specified. ",
+      "category": "investigation",
+      "annotation": "get_credentials",
+      "output_schema": [
+        {
+          "key": "",
+          "display_name": ""
+        }
+      ],
+      "parameters": [],
+      "enabled": true,
+      "visible": false
+    },
+    {
+      "operation": "get_credentials_details",
+      "title": "Get Credentials Details",
+      "description": "Gets a Secret from specified Azure Key Vault vault name, secret name, and the secret version you have specified. ",
+      "category": "investigation",
+      "annotation": "get_credentials_details",
+      "output_schema": [
+        {
+          "field_name": "",
+          "value": ""
+        }
+      ],
+      "parameters": [
+        {
+          "title": "Secret Name",
+          "name": "secret_id",
+          "type": "text",
+          "description": "Specify the name of the secret to retrieve from the key vault. ",
+          "tooltip": "Specify the name of the secret to retrieve from the key vault. ",
+          "required": true,
+          "editable": true,
+          "visible": true
+        }
+      ],
+      "enabled": true,
+      "visible": false
+    },
+    {
+      "operation": "get_credential",
+      "title": "Get Credential",
+      "description": "Gets a Secret from specified Azure Key Vault vault name, secret name, and the secret version you have specified.",
+      "category": "investigation",
+      "annotation": "get_credential",
+      "output_schema": {
+        "password": ""
+      },
+      "parameters": [
+        {
+          "title": "Secret Name",
+          "name": "secret_id",
+          "type": "text",
+          "description": "Specify the name of the secret to retrieve from the key vault. ",
+          "tooltip": "Specify the name of the secret to retrieve from the key vault. ",
+          "required": true,
+          "editable": true,
+          "visible": true
+        }
+      ],
+      "enabled": true,
+      "visible": false
     }
   ]
 }
diff --git a/azure-key-vault/operations.py b/azure-key-vault/operations.py
@@ -12,6 +12,7 @@
 
 logger = get_logger('azure-key-vault')
 
+
 class AzureKeyVault(object):
     def __init__(self, config):
         self.server_url = 'https://'
@@ -44,7 +45,8 @@ def make_rest_call(self, endpoint, params={}, data=None, method='POST', manage_a
         try:
             if data:
                 data = json.dumps(data)
-            response = requests.request(method, service_url, data=data, headers=headers, params=params, verify=self.verify_ssl)
+            response = requests.request(method, service_url, data=data, headers=headers, params=params,
+                                        verify=self.verify_ssl)
             if response.ok:
                 content_type = response.headers.get('Content-Type')
                 if response.text != "" and 'application/json' in content_type:
@@ -67,8 +69,8 @@ def make_rest_call(self, endpoint, params={}, data=None, method='POST', manage_a
             logger.error('An SSL error occurred')
             raise ConnectorError('An SSL error occurred')
         except requests.exceptions.ConnectionError:
-            logger.error('A connection error occurred')
-            raise ConnectorError('A connection error occurred')
+            logger.error('A connection error occurred.')
+            raise ConnectorError('A connection error occurred.')
         except requests.exceptions.Timeout:
             logger.error('The request timed out')
             raise ConnectorError('The request timed out')
@@ -141,7 +143,7 @@ def list_or_get_keys(config, params):
     kv = AzureKeyVault(config)
     vault_name = params.get('vault_name', '')
     key_name = params.get('key_name', '')
-    key_version = params.get('key-version', '')
+    key_version = params.get('key-version', '') or ''
     endpoint = '{0}.vault.azure.net/keys'.format(vault_name)
     if key_name:
         endpoint += '/{0}/{1}'.format(key_name, key_version)
@@ -171,9 +173,9 @@ def list_or_get_secret(config, params):
     config['scope'] = VAULT_SCOPE
     kv = AzureKeyVault(config)
     vault_name = params.get('vault_name')
-    endpoint = '{0}.vault.azure.net/secrets/'.format(vault_name)
+    endpoint = '{0}.vault.azure.net/secrets'.format(vault_name)
     secret_name = params.get('secret_name', '')
-    secret_version = params.get('secret_version', '')
+    secret_version = params.get('secret_version', '') or ''
     if secret_name:
         endpoint += '/{0}/{1}'.format(secret_name, secret_version)
         response = kv.make_rest_call(endpoint=endpoint, method='GET')
@@ -204,7 +206,7 @@ def list_or_get_certificate(config, params):
     vault_name = params.get('vault_name')
     endpoint = '{0}.vault.azure.net/certificates'.format(vault_name)
     certificate_name = params.get('certificate_name', '')
-    certificate_version = params.get('certificate-version', '')
+    certificate_version = params.get('certificate-version', '') or ''
     if certificate_name:
         endpoint += '/{0}/{1}'.format(certificate_name, certificate_version)
         response = kv.make_rest_call(endpoint=endpoint, method='GET')
@@ -290,11 +292,50 @@ def check(config, connector_info):
             update_connnector_config(connector_info['connector_name'], connector_info['connector_version'], config,
                                      config['config_id']) and ms.validate_vault_token(config, connector_info)
         config['config_id'] = config_id
+        if config.get('use_vault'):
+            get_credentials(config, {})
         return True
     except Exception as err:
         raise ConnectorError(str(err))
 
 
+def get_credentials(config, params):
+    config['scope'] = VAULT_SCOPE
+    kv = AzureKeyVault(config)
+    vault_name = config.get('vault_name')
+    endpoint = '{0}.vault.azure.net/secrets/?'.format(vault_name)
+    payload = {}
+    size = params.get('size')
+    if size:
+        payload["maxresults"] = size
+    response = kv.make_rest_call(endpoint=endpoint, method='GET', params=payload)
+    formatted_response = []
+    for secret in response.get('value', []):
+        secret_name = secret.get('id').split('secrets/')[-1]
+        formatted_response.append({"key": secret_name, "display_name": secret_name})
+    return formatted_response
+
+
+def get_credentials_details(config, params):
+    formatted_response = [
+        {
+            "field_name": "Secret Value",
+            "value": "*****"
+        }
+    ]
+    return formatted_response
+
+
+def get_credential(config, params):
+    config['scope'] = VAULT_SCOPE
+    kv = AzureKeyVault(config)
+    vault_name = config.get('vault_name')
+    secret_name = params.get('secret_id')
+    endpoint = '{0}.vault.azure.net/secrets/{1}'.format(vault_name, secret_name)
+    response = kv.make_rest_call(endpoint=endpoint, method='GET')
+    return {"password": response.get('value')}
+
+
 operations = {
     'list_key_vault': list_key_vault,
     'get_key_vault': get_key_vault,
@@ -310,5 +351,9 @@ def check(config, connector_info):
     'get_certificate': list_or_get_certificate,
     'delete_certificate': delete_certificate,
     'get_certificate_policy': get_certificate_policy,
-    'get_versions': get_versions
+    'get_versions': get_versions,
+
+    'get_credentials': get_credentials,
+    'get_credentials_details': get_credentials_details,
+    'get_credential': get_credential
 }