merge release 2.1 to main (#14)

* fix JSON documentation for UO usage
* safely access param dictionaries
* fix manifest example for central provider Host param
* add constructor parameter for loading SDK DLL;
* add logging for SDK loading and invoking
* add option to target NetFramework SDK for platform compatibility

Author: doebrowsk

CHANGELOG.md

@@ -1,3 +1,8 @@
+2.1.0 
+- Added additional parameter option when using Unity Configuration to target the correct directory with the Net Password SDK DLL
+- Added additional parameter option when using Unity Configuration to specify if the Net Framework or Net Standard Password SDK should be used
+- Improve logging and error handling to report errors correctly
+
 2.0.1
 - Bug fix for DLL compatibility issue preventing CyberArk from loading correctly on the Keyfactor Platform
 - Include `manifest.json` and alternate `SDK-manifest.json` files and instructions on their use

README.md

@@ -12,7 +12,7 @@ Keyfactor supports the retrieval of credentials from 3rd party Privileged Access
 
 ## Support for CyberArk PAM Provider
 
-CyberArk PAM Provider is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative.
+CyberArk PAM Provider is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com
 
 ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
 
@@ -79,6 +79,7 @@ Certificate Authentication cannot be required. This may necessitate creating a S
 
 #### For SDK-based local Credential Provider
 To use a local Credential Provider instead, the Credential Provider will need to be installed on the machine that is using the PAM Provider. After installing the Credential Provider, copy the `NetStandardPasswordSDK.dll` assembly from the install location into the PAM Provider install location. This dll __needs__ to be adjacent to `cyberark-credentialprovider-pam.dll` to be properly loaded.
+__Important__: When running the SDK Credential Provider on Keyfactor Command, the `NetPasswordSDK.dll` needs to be copied instead of `NetStandardPasswordSDK.dll`. This library is compatible with .NET Framework which is necessary to work in Keyfactor Command.
 
 After registering the Credential Provider during install, make sure the Provider for the machine has been granted permission to access the Safe, as well as the Application ID that will be used.
 
@@ -92,7 +93,7 @@ A <code>manifest.json</code> file is included in the release. This file needs to
 ~~~ json
 "Keyfactor:PAMProviders:CyberArk-CentralCredentialProvider:InitializationInfo": {
     "AppId": "myappid",
-    "Host": "https://my.cyberark.instance:99999",
+    "Host": "my.cyberark.instance:99999",
     "Site": "WithOutCert"
   }
 ~~~
@@ -116,10 +117,10 @@ This file then needs to be edited to enter in the "initialization" parameters fo
 
 #### Usage with the Keyfactor Universal Orchestrator
 To use the PAM Provider to resolve a field, for example a Server Password, instead of entering in the actual value for the Server Password, enter a `json` object with the parameters specifying the field.
-The parameters needed are the "instance" parameters above:
+The parameters needed are the "instance" parameters above (with appropriate characters escaped for correct JSON formatting):
 
 ~~~ json
-{"Safe":"MySafe","Folder":"Root\Secrets","Object":"MySecret"}
+{"Safe":"MySafe","Folder":"Root\\Secrets","Object":"MySecret"}
 ~~~
 
 If a field supports PAM but should not use PAM, simply enter in the actual value to be used instead of the `json` format object above.
@@ -148,9 +149,16 @@ The Keyfactor service and IIS Server should be restarted after making these chan
 
 
 For registering the CyberArk for use with the SDK-based Credential Provider, use the following `<register>` instead.
+Make sure to enter in the correct full path to the directory for `extensionPath` that has the SDK DLL for the PAM Provider.
 
 ```xml
-<register type="IPAMProvider" mapTo="Keyfactor.Extensions.Pam.CyberArk.SdkCredentialProviderPAM, cyberark-credentialprovider-pam" name="CyberArk-SdkCredentialProvider" />
+<register type="IPAMProvider" mapTo="Keyfactor.Extensions.Pam.CyberArk.SdkCredentialProviderPAM, cyberark-credentialprovider-pam" name="CyberArk-SdkCredentialProvider">
+  <constructor>
+    <param name="extensionPath">
+      <value value="C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\bin"/>
+    </param>
+  </constructor>
+</register>
 ```
 
 ##### Usage

cyberark-credentialprovider-pam/CentralCredentialProviderPAM.cs

@@ -20,19 +20,19 @@
 
 namespace Keyfactor.Extensions.Pam.CyberArk
 {
-    public class CentralCredentialProviderPAM : IPAMProvider
+    public class CentralCredentialProviderPAM : CyberArkProvider, IPAMProvider
     {
         public string Name => "CyberArk-CentralCredentialProvider";
 
         public string GetPassword(Dictionary<string, string> instanceParameters, Dictionary<string, string> initializationInfo)
         {
-            string appId = initializationInfo["AppId"];
-            string host = initializationInfo["Host"];
-            string site = initializationInfo["Site"];
+            string appId = GetRequiredValue(initializationInfo, "AppId");
+            string host = GetRequiredValue(initializationInfo, "Host");
+            string site = GetRequiredValue(initializationInfo, "Site");
 
-            string safe = instanceParameters["Safe"];
-            string folder = instanceParameters["Folder"];
-            string obj = instanceParameters["Object"];
+            string safe = GetRequiredValue(instanceParameters, "Safe");
+            string folder = GetRequiredValue(instanceParameters, "Folder");
+            string obj = GetRequiredValue(instanceParameters, "Object");
 
             var http = new HttpClient();
             http.BaseAddress = new Uri($"https://{host}/");

cyberark-credentialprovider-pam/Constants.cs

@@ -0,0 +1,46 @@
+// Copyright 2023 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+namespace Keyfactor.Extensions.Pam.CyberArk
+{
+    public static class Constants
+    {
+        public interface SDK
+        {
+            string DLL { get; }
+            string PasswordSDKType { get; }
+            string PasswordRequestType { get; }
+            string PasswordSDKExceptionType { get; }
+            string PasswordResponseType { get; }
+        }
+
+        public class NetStandard : SDK
+        {
+            public string DLL => "NetStandardPasswordSDK.dll";
+            public string PasswordSDKType => "CyberArk.AAM.NetStandardPasswordSDK.PasswordSDK";
+            public string PasswordRequestType => "CyberArk.AAM.NetStandardPasswordSDK.PSDKPasswordRequest";
+            public string PasswordSDKExceptionType => "CyberArk.AAM.NetStandardPasswordSDK.Exceptions.PSDKException";
+            public string PasswordResponseType => "CyberArk.AAM.NetStandardPasswordSDK.PSDKPassword";
+        }
+
+        public class NetFramework : SDK
+        {
+            public string DLL => "NetPasswordSDK.dll";
+            public string PasswordSDKType => "CyberArk.AIM.NetPasswordSDK.PasswordSDK";
+            public string PasswordRequestType => "CyberArk.AIM.NetPasswordSDK.PSDKPasswordRequest";
+            public string PasswordSDKExceptionType => "CyberArk.AIM.NetPasswordSDK.Exceptions.PSDKException";
+            public string PasswordResponseType => "CyberArk.AIM.NetPasswordSDK.PSDKPassword";
+        }
+    }
+}

cyberark-credentialprovider-pam/CyberArkProvider.cs

@@ -0,0 +1,33 @@
+// Copyright 2023 Keyfactor
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Collections.Generic;
+
+namespace Keyfactor.Extensions.Pam.CyberArk
+{
+    public class CyberArkProvider
+    {
+        protected string GetRequiredValue(Dictionary<string, string> dict, string key)
+        {
+            if (!dict.ContainsKey(key)
+                || string.IsNullOrWhiteSpace(dict[key]))
+            {
+                string error = $"Required field {key} was missing a value or was not defined as expected in dictionary.";
+                throw new ArgumentException(error);
+            }
+            return dict[key];
+        }
+    }
+}

cyberark-credentialprovider-pam/SdkCredentialProviderPAM.cs

@@ -12,35 +12,77 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+using Keyfactor.Logging;
 using Keyfactor.Platform.Extensions;
+using Microsoft.Extensions.Logging;
 using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Reflection;
 
 namespace Keyfactor.Extensions.Pam.CyberArk
 {
-    public class SdkCredentialProviderPAM : IPAMProvider
+    public class SdkCredentialProviderPAM : CyberArkProvider, IPAMProvider
     {
         public string Name => "CyberArk-SdkCredentialProvider";
 
+        private readonly ILogger Logger;
+        private readonly Constants.SDK SDKConstants;
+        private readonly string ExtensionPath;
+        private readonly bool UsingFrameworkLibrary = false;
+
+        public SdkCredentialProviderPAM()
+        {
+            Logger = LogHandler.GetClassLogger<SdkCredentialProviderPAM>();
+            Logger.LogTrace($"Starting up {Name} with no constructor parameters.");
+            SDKConstants = new Constants.NetStandard();
+            Logger.LogTrace($"SDK to be targeted will be {SDKConstants.DLL}");
+
+            // when lookup path is not provided, use executing assembly location (running on UO)
+            ExtensionPath = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location);
+            Logger.LogInformation($"{Name} determined it will use the following directory to load the SDK: {ExtensionPath}");
+        }
+
+        public SdkCredentialProviderPAM(string extensionPath, bool useFramework = true)
+        {
+            Logger = LogHandler.GetClassLogger<SdkCredentialProviderPAM>();
+            Logger.LogTrace($"Starting up {Name} with constructor parameters provided.");
+            UsingFrameworkLibrary = useFramework;
+            if (UsingFrameworkLibrary)
+            {
+                SDKConstants = new Constants.NetFramework();
+            }
+            else
+            {
+                SDKConstants = new Constants.NetStandard();
+            }
+            Logger.LogTrace($"SDK to be targeted will be {SDKConstants.DLL}");
+
+            // Extension Path (for looking up DLL) can be passed in as a Unity Constructor parameter (running on Command)
+            ExtensionPath = extensionPath;
+            Logger.LogInformation($"{Name} determined it will use the following directory to load the SDK: {ExtensionPath}");
+        }
+
         public string GetPassword(Dictionary<string, string> instanceParameters, Dictionary<string, string> initializationInfo)
         {
-            string appId = initializationInfo["AppId"];
+            string appId = GetRequiredValue(initializationInfo, "AppId");
+            Logger.LogInformation($"Configured with Initialization Parameters: AppId = {appId}");
 
-            string safe = instanceParameters["Safe"];
-            string folder = instanceParameters["Folder"];
-            string obj = instanceParameters["Object"];
+            string safe = GetRequiredValue(instanceParameters, "Safe");
+            string folder = GetRequiredValue(instanceParameters, "Folder");
+            string obj = GetRequiredValue(instanceParameters, "Object");
+            Logger.LogInformation($"Configured with Instance Parameters: Safe = {safe} ; Folder = {folder} ; Object = {obj}");
 
-            string executingDir = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location);
-            string dll = Path.Combine(executingDir, "NetStandardPasswordSDK.dll");
+            string dll = Path.Combine(ExtensionPath, SDKConstants.DLL);
+            Logger.LogDebug($"Loading DLL: {dll}");
             var sdk = Assembly.LoadFrom(dll);
+            Logger.LogTrace("Loaded SDK DLL.");
 
             // get the types from the dll
-            Type PasswordSDKType = sdk.GetType("CyberArk.AAM.NetStandardPasswordSDK.PasswordSDK");
-            Type PasswordRequestType = sdk.GetType("CyberArk.AAM.NetStandardPasswordSDK.PSDKPasswordRequest");
-            Type PasswordSDKExceptionType = sdk.GetType("CyberArk.AAM.NetStandardPasswordSDK.Exceptions.PSDKException");
-            Type PasswordResponseType = sdk.GetType("CyberArk.AAM.NetStandardPasswordSDK.PSDKPassword");
+            Type PasswordSDKType = sdk.GetType(SDKConstants.PasswordSDKType);
+            Type PasswordRequestType = sdk.GetType(SDKConstants.PasswordRequestType);
+            Type PasswordSDKExceptionType = sdk.GetType(SDKConstants.PasswordSDKExceptionType);
+            Type PasswordResponseType = sdk.GetType(SDKConstants.PasswordResponseType);
 
             // Create Password Request
             ConstructorInfo ctor = PasswordRequestType.GetConstructor(Type.EmptyTypes);
@@ -50,7 +92,9 @@ public string GetPassword(Dictionary<string, string> instanceParameters, Diction
             }
 
             object passwordRequest;
+            Logger.LogTrace("Attempting to invoke constructor of PSDKPasswordRequest type.");
             passwordRequest = ctor.Invoke(null);
+            Logger.LogTrace($"Constructed PSDKPasswordRequest. {passwordRequest}");
 
             PropertyInfo propertyInfo = PasswordRequestType.GetProperty("ConnectionTimeout");
             propertyInfo.SetValue(passwordRequest, 30);
@@ -73,14 +117,37 @@ public string GetPassword(Dictionary<string, string> instanceParameters, Diction
 
 
             // Sending the request to get the password
-            object passwordResponse = PasswordSDKType.GetMethod("GetPassword").Invoke(null, new object[] { passwordRequest });
+            Logger.LogTrace("Attempting to invoke GetPassword method of PasswordSDK type.");
+            object passwordResponse;
+            try
+            {
+                passwordResponse = PasswordSDKType.GetMethod("GetPassword").Invoke(null, new object[] { passwordRequest });
+            }
+            catch (TargetInvocationException ex)
+            {
+                Logger.LogError(ex.InnerException, "Error occurred when invoking GetPassword method.");
+                Logger.LogError(ex.ToString());
+                Logger.LogError(ex.InnerException.ToString());
+
+                throw ex.InnerException;
+            }
+            Logger.LogTrace("Invoked GetPassword method.");
 
 
             // Analyzing the response
             propertyInfo = PasswordResponseType.GetProperty("Content");
-            var password = (char[])propertyInfo.GetValue(passwordResponse, null);
-
-            return new string(password);
+            if (UsingFrameworkLibrary)
+            {
+                // for netframework
+                var password = (string)propertyInfo.GetValue(passwordResponse, null);
+                return password;
+            }
+            else
+            {
+                //for netstandard
+                var password = (char[])propertyInfo.GetValue(passwordResponse, null);
+                return new string(password);
+            }
         }
     }
 }

cyberark-credentialprovider-pam/cyberark-credentialprovider-pam.csproj

@@ -1,13 +1,23 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <TargetFramework>netstandard2.0</TargetFramework>
     <RootNamespace>Keyfactor.Extensions.Pam.CyberArk</RootNamespace>
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Keyfactor.Logging" Version="1.1.1" />
     <PackageReference Include="Keyfactor.Platform.IPAMProvider" Version="1.0.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
+    <PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <None Update="manifest.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+    <None Update="SDK-manifest.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
   </ItemGroup>
 
 </Project>

cyberark-credentialprovider-pam/manifest.json

@@ -9,7 +9,7 @@
   },
   "Keyfactor:PAMProviders:CyberArk-CentralCredentialProvider:InitializationInfo": {
     "AppId": "myappid",
-    "Host": "https://my.cyberark.instance:99999",
+    "Host": "my.cyberark.instance:99999",
     "Site": "WithOutCert"
   }
 }

readme-src/readme-config.md

@@ -6,6 +6,7 @@ Certificate Authentication cannot be required. This may necessitate creating a S
 
 #### For SDK-based local Credential Provider
 To use a local Credential Provider instead, the Credential Provider will need to be installed on the machine that is using the PAM Provider. After installing the Credential Provider, copy the `NetStandardPasswordSDK.dll` assembly from the install location into the PAM Provider install location. This dll __needs__ to be adjacent to `cyberark-credentialprovider-pam.dll` to be properly loaded.
+__Important__: When running the SDK Credential Provider on Keyfactor Command, the `NetPasswordSDK.dll` needs to be copied instead of `NetStandardPasswordSDK.dll`. This library is compatible with .NET Framework which is necessary to work in Keyfactor Command.
 
 After registering the Credential Provider during install, make sure the Provider for the machine has been granted permission to access the Safe, as well as the Application ID that will be used.
 
@@ -19,7 +20,7 @@ A <code>manifest.json</code> file is included in the release. This file needs to
 ~~~ json
 "Keyfactor:PAMProviders:CyberArk-CentralCredentialProvider:InitializationInfo": {
     "AppId": "myappid",
-    "Host": "https://my.cyberark.instance:99999",
+    "Host": "my.cyberark.instance:99999",
     "Site": "WithOutCert"
   }
 ~~~
@@ -43,10 +44,10 @@ This file then needs to be edited to enter in the "initialization" parameters fo
 
 #### Usage with the Keyfactor Universal Orchestrator
 To use the PAM Provider to resolve a field, for example a Server Password, instead of entering in the actual value for the Server Password, enter a `json` object with the parameters specifying the field.
-The parameters needed are the "instance" parameters above:
+The parameters needed are the "instance" parameters above (with appropriate characters escaped for correct JSON formatting):
 
 ~~~ json
-{"Safe":"MySafe","Folder":"Root\Secrets","Object":"MySecret"}
+{"Safe":"MySafe","Folder":"Root\\Secrets","Object":"MySecret"}
 ~~~
 
 If a field supports PAM but should not use PAM, simply enter in the actual value to be used instead of the `json` format object above.

readme-src/readme-register.md

@@ -1,6 +1,13 @@
 
 For registering the CyberArk for use with the SDK-based Credential Provider, use the following `<register>` instead.
+Make sure to enter in the correct full path to the directory for `extensionPath` that has the SDK DLL for the PAM Provider.
 
 ```xml
-<register type="IPAMProvider" mapTo="Keyfactor.Extensions.Pam.CyberArk.SdkCredentialProviderPAM, cyberark-credentialprovider-pam" name="CyberArk-SdkCredentialProvider" />
+<register type="IPAMProvider" mapTo="Keyfactor.Extensions.Pam.CyberArk.SdkCredentialProviderPAM, cyberark-credentialprovider-pam" name="CyberArk-SdkCredentialProvider">
+  <constructor>
+    <param name="extensionPath">
+      <value value="C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\bin"/>
+    </param>
+  </constructor>
+</register>
 ```