AWS SSM Parameter Store: How can I edit multi-line "SecureString" values using the console?

Currently, I use a single SSM parameter to store a set of properties separated by newlines, like this:
property1=value1
property2=value2
property3=value3
(I am aware of the 4K size limit, it's fine.)
This works well, for normal String type parameters that store non-sensitive information like environment configuration, but I'd also like to do similar for secrets using the SecureString parameter type.
The problem is that I can't edit the parameter value in the console because it's using a HTML input field of type="password" that doesn't handle newlines.
The multi-line value works fine with the actual parameter store backend - I can set a value with multiple lines with the SSM API no problem and they can be read with the EC2 CLI properly too.
But I can't edit them using the console. This is a problem because the whole point of using a SecureString parameter is that I intend the only place to edit/view these secrets to be via the console (so that permissions are controlled and access is audited).
There's a few infrastructure workarounds I could implement (one parameter for each secret, store the secrets on S3 or other secret storing service, etc.) but they all have drawbacks - I'm just trying to find out if there's a way around this using the console?
Is there any way I can work around this and use the console to edit multi-line SecureString parameters?
Any kind of browser workaround or hack that I might be able to use to tell the browser to use a textarea instead of a "password" type field?
I'm using Chrome, but I'd be happy to work around this by using another browser or something (editing the secrets is pretty rare, and viewing multi-line values in the console works fine).
EDIT
After posting this question, AWS notified me there was a whole new "AWS Systems Manager" UI, but it still has the same problem - I tried the below browser hacks on this new UI, but no luck.
Failed browser hack attempt 1: I tried opening the browser console, running document.getElementById("Value").value = "value1\nvalue2" and then clicking the save button, which set the value I injected, but the newline was filtered out.
Failed browser hack attempt 2: I tried using the browser inspector to change the element to a TextArea and then typed in two lines of input and clicked save, but that didn't set the value at all.

From https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-file, I learned you can pass a file as parameter to the --value argument. So if your file is called secrets.properties, you can do this:
aws ssm put-parameter --type SecureString --name secrets --value file://secrets.properties

I found a way to do it, but it's too much effort and too weird - if anyone can find a simpler way, I will mark that as the answer.
The hacky workaround is to install the "Tamper Chrome" extension + app, then capture the XHR request as the browser sends it and edit the new lines into the JSON.
Blech. Plus "Tamper Chrome" is pretty awful, I don't want to run it on my machine.

This might be better to use the new secrets manager that was launched recently. The interface for it is very close to parameter store but it has better support for multiple parameters in one place.
I wonder if the change in the console was due to the expected release of the service, since they have a pricing model around secrets whereas Parameter Store is free.

In the end, I decided the answer to this question is "don't do that". Not that I would've wanted to hear that when I was trying to make it work.
You should use a separate SSM param per secret for these reasons:
ability to grant permissions at fine grained level; e.g. you have an API password for calling your service, and a DB password for the service talk to a DB - if you store them in the same secret you couldn't only grant access to the API password.
ability to track key access separately - the SSM access logs can only tell you that the target machine/user accessed the SSM param at that time, it won't be able to tell you which secret was accessed
ability to use separate KMS keys to encrypt
Just watch out for the fact that you can only request a max of 10 SSM params at a time.
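Added example (not code from the question or any answer above): reading one-secret-per-parameter SecureStrings in batches that respect the 10-name limit of GetParameters. It assumes the boto3 SSM client API (`get_parameters(Names=..., WithDecryption=True)` returning `Parameters` and `InvalidParameters`); a constructed fake client stands in for the real one so the snippet runs offline.

```python
"""Fetch per-secret SSM SecureString parameters in batches of 10.

For a real client use: client = boto3.client("ssm")  (import boto3 first).
Keeping one secret per parameter lets IAM policies scope access by
parameter ARN and makes CloudTrail show which secret was read.
"""

BATCH = 10  # GetParameters accepts at most 10 names per call


def fetch_secrets(names, client):
    """Return {name: decrypted value}; raise if any name was rejected."""
    found, missing = {}, []
    for i in range(0, len(names), BATCH):
        resp = client.get_parameters(Names=names[i:i + BATCH], WithDecryption=True)
        for p in resp["Parameters"]:
            found[p["Name"]] = p["Value"]
        # Names that do not exist, or that the caller may not decrypt,
        # come back here instead of raising; surface them explicitly.
        missing.extend(resp.get("InvalidParameters", []))
    if missing:
        raise KeyError(f"parameters not found or not permitted: {missing}")
    return found


class FakeSSM:
    """Constructed stand-in for boto3's SSM client (offline demo only)."""

    def __init__(self, store):
        self.store, self.calls = store, []

    def get_parameters(self, Names, WithDecryption):
        assert len(Names) <= BATCH, "the service rejects more than 10 names"
        self.calls.append(list(Names))
        return {
            "Parameters": [{"Name": n, "Value": self.store[n]}
                           for n in Names if n in self.store],
            "InvalidParameters": [n for n in Names if n not in self.store],
        }


if __name__ == "__main__":
    # Constructed sample: 12 parameters, so two GetParameters calls are needed.
    store = {f"/app/prod/secret{i}": f"value{i}" for i in range(12)}
    fake = FakeSSM(store)
    print(fetch_secrets(sorted(store), fake), "calls:", len(fake.calls))
```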

if you want, you can try with my app https://github.com/ledongthuc/awssecretsmanagerui
I tried to create it to make updating multi-line and binary values easier. Hope it's helpful for your case.

Related

CAS 6.2.x MFA Principal Attribute Trigger 'memberOf' Active Directory Not Working

I have CAS 6.2.x running in Kubernetes, building the image from this repo. I am passing in the cas.properties file via configmap. I have it wired up against Active Directory and am able to login with the Username/Password. I am now working to enable MFA with the Google Authenticator plugin. I have this working as well if I force the flow globally with the following:
cas.authn.mfa.global-provider-id=mfa-gauth
When I try to use the values described here for Multifactor Authentication: Principal Attribute Trigger it doesn't send me to the MFA flow. These are the settings that I have set:
cas.authn.ldap[0].principalAttributeList=userPrincipalName,cn,givenName,sAMAccountName,memberOf
cas.authn.mfa.global-principal-attribute-name-triggers=memberOf
cas.authn.mfa.global-principal-attribute-value-regex=ForceMfa
When I log in these are the values returned back for memberOf:
memberOf
[CN=Group2,OU=MyOu,DC=subdomain,DC=domain,DC=local, CN=Group1,OU=MyOu,DC=subdomain,DC=domain,DC=local, CN=ForceMfa,OU=MyOu,DC=subdomain,DC=domain,DC=local]
Principal
I used Misagh blog post as a guide.
If I change the trigger and regex to sAMAccountName and my username it then works as expected. Not sure if I need to change the regex format to find the group name or if I just have something else wrong. It just seems like the regex is not finding a match for some reason as the settings seem to be working for me, just not with memberOf.
Thank you
Consider switching this to:
cas.authn.mfa.global-principal-attribute-value-regex=.*ForceMfa.+
Then, attach/review your logs for org.apereo.cas under either DEBUG/TRACE so you can see what's happening.
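Added example (not from the question or the answer above) of how a principal-attribute trigger like this evaluates a regex against a multi-valued memberOf attribute. It assumes the pattern must match a whole attribute value (Java `Matcher.matches()` semantics, which is consistent with the behaviour described in the thread); the group DNs are constructed samples shaped like the ones in the question.

```python
"""Evaluate a CAS-style principal-attribute MFA trigger against memberOf."""
import re

# Constructed sample values, shaped like the memberOf list in the question.
MEMBER_OF = [
    "CN=Group2,OU=MyOu,DC=subdomain,DC=domain,DC=local",
    "CN=Group1,OU=MyOu,DC=subdomain,DC=domain,DC=local",
    "CN=ForceMfa,OU=MyOu,DC=subdomain,DC=domain,DC=local",
]

# Constructed lookalike: a group whose name merely contains "ForceMfa".
LOOKALIKES = MEMBER_OF + [
    "CN=NotForceMfaUsers,OU=MyOu,DC=subdomain,DC=domain,DC=local",
]


def trigger_values(values, pattern):
    """Return the attribute values that would trigger MFA.

    Full-match semantics (assumed): a bare 'ForceMfa' never matches a whole
    DN, which is why the question's regex did not fire on memberOf but did
    fire on sAMAccountName, where the value *is* the whole string.
    """
    rx = re.compile(pattern)
    return [v for v in values if rx.fullmatch(v)]


def mfa_triggered(values, pattern):
    """True if at least one attribute value satisfies the trigger regex."""
    return bool(trigger_values(values, pattern))


if __name__ == "__main__":
    print(mfa_triggered(MEMBER_OF, "ForceMfa"))          # False
    print(mfa_triggered(MEMBER_OF, r".*ForceMfa.+"))     # True
    # The unanchored pattern also fires on the lookalike group; anchoring
    # on the RDN keeps the trigger tied to the intended group only.
    print(trigger_values(LOOKALIKES, r".*ForceMfa.+"))
    print(trigger_values(LOOKALIKES, r"CN=ForceMfa,.*"))
```

The anchored form is the one to prefer when the DN layout is fixed: a substring match can grant or skip MFA for a group that was never meant to trigger it.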

Getting specific data from video surveillance web-interface in Zabbix

guys! I'm looking for a solution or some ideas on how to solve my task.
There is a video surveillance camera(vendor: Hikvision) with an accessible web-interface.
In the web-interface, there is a field Device Name containing data I need to retrieve by means of the Zabbix server and further to use this data for renaming discovered hosts.
Since Hikvision cameras support SNMP, I've tried the SNMP agent in Zabbix. It turned out that the Hikvision MIB doesn't contain data from that field.
Also exploring web-interface through Developer tools in Google Chrome I stumbled upon the string Request URL: http://10.90.187.16/ISAPI/System/deviceInfo which gives such response in XML format:
<DeviceInfo xmlns="http://www.hikvision.com/ver20/XMLSchema" version="2.0">
<deviceName>1.5.1.1</deviceName>
<deviceID>566eec0b-6580-11b3-81a1-1868cb48861f</deviceID>
<deviceDescription>IPCamera</deviceDescription>
<deviceLocation>hangzhou</deviceLocation>
<systemContact>Hikvision.China</systemContact>
<model>DS-2CD2155FWD-IS</model>
<serialNumber>DS-2CD2155FWD-IS20170417AAWR749464587</serialNumber>
<macAddress>18:68:cb:48:86:1f</macAddress>
<firmwareVersion>V5.4.5</firmwareVersion>
<firmwareReleasedDate>build 170124</firmwareReleasedDate>
<encoderVersion>V7.3</encoderVersion>
<encoderReleasedDate>build 170123</encoderReleasedDate>
<bootVersion>V1.3.4</bootVersion>
<bootReleasedDate>100316</bootReleasedDate>
<hardwareVersion>0x0</hardwareVersion>
<deviceType>IPCamera</deviceType>
<telecontrolID>88</telecontrolID>
<supportBeep>false</supportBeep>
<supportVideoLoss>false</supportVideoLoss>
</DeviceInfo>
Where the tag <deviceName>1.5.1.1</deviceName> contains required data and now the question is how to put two and two together by means of Zabbix.
Digging into the Zabbix documentation I've found an article about creating an Item based on an HTTP agent with an XML request. Unfortunately there aren't any examples of how to do it exactly.
Has somebody had such experience? Any clues will be helpful
You can create an HTTP Agent item, set it to TEXT type and point it to http://10.90.187.16/ISAPI/System/deviceInfo (don't forget the authentication, if required!), Zabbix will retrieve the full XML.
To get the desired value you have to create a dependent item, point it to the previous item and set up a preprocessing step.
Create a single XML Xpath preprocessing rule with parameter string(/DeviceInfo/DeviceName) to get the 1.5.1.1 value
If you want to get the firmware version, create another dependent item and set up the XPath to string(/DeviceInfo/FirmwareVersion) and so on for every element you need.
If you want a single value you can use a single item, adding the preprocessing rule to the http agent item. I use my solution for flexibility, maybe one day I'll need another XML element or maybe a firmware update will add some element to the page.
Dependent items are more flexible, but of course the full XML uses more storage in the database for stuff you don't need right now: it's a tradeoff, either way works!
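Added example (not from the question or the answer above): extracting deviceName from the ISAPI deviceInfo XML quoted in the question. Two details matter for the XPath preprocessing step: element names are case-sensitive (the document has `deviceName`, not `DeviceName`), and the document declares a default namespace, so a namespace-aware XPath engine only matches when the namespace is honoured; the assumption here is that Zabbix's libxml2-based XPath behaves this way, in which case the usual workaround in the rule is `string(/*[local-name()='DeviceInfo']/*[local-name()='deviceName'])`.

```python
"""Parse the ISAPI /System/deviceInfo XML and pull out single fields."""
import xml.etree.ElementTree as ET

HIK_NS = "http://www.hikvision.com/ver20/XMLSchema"

# Constructed sample: a trimmed copy of the response quoted in the question.
SAMPLE = """<DeviceInfo xmlns="http://www.hikvision.com/ver20/XMLSchema" version="2.0">
<deviceName>1.5.1.1</deviceName>
<model>DS-2CD2155FWD-IS</model>
<serialNumber>DS-2CD2155FWD-IS20170417AAWR749464587</serialNumber>
<firmwareVersion>V5.4.5</firmwareVersion>
</DeviceInfo>"""


def device_field(xml_text, tag, ns=HIK_NS):
    """Return the text of a direct child of DeviceInfo, or None if absent.

    The child is looked up with its namespace ({ns}tag), which is what a
    namespace-aware XPath such as /DeviceInfo/deviceName needs to succeed.
    Tag names are case-sensitive: 'deviceName' matches, 'DeviceName' does not.
    """
    root = ET.fromstring(xml_text)
    el = root.find(f"{{{ns}}}{tag}")
    return el.text if el is not None else None


def device_field_unqualified(xml_text, tag):
    """Same lookup without the namespace: returns None on this document,
    mirroring an XPath rule that ignores the default namespace."""
    el = ET.fromstring(xml_text).find(tag)
    return el.text if el is not None else None


if __name__ == "__main__":
    print(device_field(SAMPLE, "deviceName"))            # 1.5.1.1
    print(device_field(SAMPLE, "DeviceName"))            # None (wrong case)
    print(device_field_unqualified(SAMPLE, "deviceName"))  # None (no namespace)
```

Note that the full response also carries the serial number, MAC and firmware version; if the dependent-item approach is used, that data lands in the Zabbix database, so restrict who can read the master item's history.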

F5 irule in a script from console

We've got some user data stored in LDAP that has been "encrypted" by an iRule with the AES::Encrypt function. We now find we need to use the encrypted value elsewhere.
We need to decrypt and re-encrypt it because the Encrypt uses AES-CWC, which appears to be virtually unused anywhere else. So, we really need the F5's own code to decrypt it.
I was hoping to run a script from the console or TMOS. I can run tcl UI, but somehow need to "import" the code to do the AES functions. Is there an easy way to make a tcl session work like it does in the iRules, or a path that the iRule functions are stored in?
(And no, I can't get the F5 to provide the decrypted value to the app with an API (if there is one). The other app is querying LDAP, and can happily decode AES-CBC - but not CWC. And we can't wait for the users to login and re-encrypt with a different iRule when they do. It needs to be fixed "now"!)

JMeter: How to insert server name/IP dynamically in HTTP Request

I have created JMeter script that need to be used for different environments like Staging, Production, etc. I want to dynamically change the IP address.
Can someone let me know how can I proceed with this?
Remove all the IP, port, protocol details from the HTTP Sampler.
Add HTTP Request Defaults under test plan - in which you can update IP, Port & Protocol details. So, just changing it one place will do for entire test.
As you need to change it dynamically, use a property file/properties, for example (these names can be anything):
host.ip=10.11.12.13
host.port=443
host.protocol=https
You can pass the properties via command line argument to the test.
jmeter -n -t /path/to/test.jmx -l /path/to/result.jtl -Jhost.ip=10.111.12.13 -Jhost.port=443 -Jhost.protocol=https -Jtest.duration=300
-J defines a local JMeter property.
In the test, access these values using ${__P(host.ip)},${__P(host.port)}..etc
If you have a lot of properties, You can have a look at the Property File Reader. I have been using this for a while & I love it.
Advantage is - even in the GUI mode, it will work great.
http://www.testautomationguru.com/jmeter-property-file-reader-a-custom-config-element/
If you use the Property File Reader & pass the property file name itself dynamically, then use
jmeter -n -t /path/to/test.jmx -l /path/to/result.jtl -Jproperty.file.path=/path/to/file.properties
Then access it using ${__P(property.file.path)} in the File Path.

Is there a way to target specific file in Box app on IOS through box:// url scheme?

Box:// seems to open the app, however I am not able to discern how to target a specific file.
Currently we don't have support for this, but it is a great idea that we'll consider for our roadmap.
We actually do support this. The best way to add this integration into your app is to use our OneCloud AppToApp framework (additional information available here http://developers.box.com/the-box-sdk-for-onecloud-on-ios/)
This is easy using the app-to-app framework. You just need to call BoxAppToAppAPI's sendFileDownloadRequestToApplication:withMetaData: if you want an app to go to a particular file and in Box's case download/preview it.
To make it go to the Box app you can simply pass in [BoxAppToAppApplication BoxApplication] in the first parameter.
As for the metadata parameter, you can create it with BoxAppToAppFileMetadata's appToAppFileMetadataWithFileName:fileExtension:folderPath:mimeType:fileID:folderPathByID:exportToken:username:
Assuming your app already integrates with the Box API via the SDK or otherwise, it should be able to get all of that information easily.
If the mimeType is not known, nil can be passed in. Also, nil can be passed in for the exportToken if the file was not exported out of the Box app (with the AppToApp framework, a roundtrip scenario is also supported where the user starts in the Box app, picks a file to view/edit/etc in your app, and then sends it back to Box to upload). So if it's not a round-trip, it's just a one-way from your app to Box, use nil for the exportToken.
Before doing this, you can also check if the Box app is installed by checking for [[BoxAppToAppApplication BoxApplication] isInstalled].
Below is a fictional example (the values are made up):
BoxAppToAppFileMetadata *metadata = [BoxAppToAppFileMetadata appToAppFileMetadataWithFileName:@"fileName"
                                                                                 fileExtension:@"png"
                                                                                    folderPath:@"All Files/Folder1"
                                                                                      mimeType:nil
                                                                                        fileID:[NSNumber numberWithLongLong:123456]
                                                                                folderPathByID:@"0/12345"
                                                                                   exportToken:nil
                                                                                      username:@"username@email.com"];
BoxAppToAppStatus status = [BoxAppToAppAPI sendFileDownloadRequestToApplication:[BoxAppToAppApplication BoxApplication]
                                                                   withMetaData:metadata];