8.2. Plugin development

Follow the steps in Getting started to set up the correct Python environment. The administrative tasks below describe the plugin. After adding some code to the plugin, the directory can be packaged in a ZIP file and uploaded to SPS.

8.2.1. Administrative tasks

Update the following files with information correct for your plugin:

MANIFEST: plugin name, descriptions, etc. For details consult the Creating custom Credential Store plugins developer’s guide.

Pipfile: describes which additional Python3 PIP packages to package in the eventual plugin and which packages to use at development time. Note that the Plugin SDK should not be listed in the [packages] section, as the Plugin SDK is pre-installed on Safeguard for Privileged Sessions. There are other pre-installed Python packages on the system; consult the developer’s guide for more information. In most cases the Plugin SDK should not be listed in the [dev-packages] section either, as it is installed manually as explained in Getting started.

8.2.2. Basic functionality

Inherit the Plugin class from CredentialStorePlugin and implement the appropriate user-defined functions: do_get_password_list(), do_get_private_key_list(), do_check_in_credential(), do_authentication_completed() or do_session_ended(). The expected return values are defined in the technical document Creating custom Credential Store plugins.

This is a basic example in which the credential store does not rotate passwords; it simply stores them:

#!/usr/bin/env pluginwrapper3

from safeguard.sessions.plugin import CredentialStorePlugin

class Plugin(CredentialStorePlugin):
    def do_get_password_list(self):
        #
        # logic to fetch password based on self.account and self.asset and any other
        #   data in self.connection, self.configuration, etc.
        #
        password = ...
        return {'passwords': [password]}

In the next example the credential store rotates passwords and gives a checkout identifier that is used to check in the password later.

#!/usr/bin/env pluginwrapper3

from safeguard.sessions.plugin import CredentialStorePlugin
from safeguard.sessions.plugin.plugin_base import cookie_property

class Plugin(CredentialStorePlugin):
    @cookie_property
    def checkout_id(self):
        return None

    def do_get_password_list(self):
        #
        # logic to fetch password and checkout id based on self.account and self.asset and
        #   any other data in self.connection, self.configuration, etc.
        #
        self.checkout_id = ...
        password = ...
        return {'passwords': [password]}

    def do_check_in_credential(self):
        # logic to check in the password using self.checkout_id and/or self.account, self.asset
        pass
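
The check-out and check-in round trip above, filled in as an added example that is not part of the original page or of the SDK. So that it runs without SPS, CredentialStorePlugin and cookie_property are replaced by minimal stand-ins that model only the cookie behaviour; FakeVault, VAULT and simulate_session are hypothetical names, and the check-in call is modelled as a separate plugin instance that receives only the cookie.

```python
import secrets

class CredentialStorePlugin:  # stand-in for the SDK base class (assumption)
    def __init__(self, cookie=None, account=None, asset=None):
        self.cookie = dict(cookie or {})  # cookie returned by the previous call
        self.account, self.asset = account, asset

def cookie_property(default):  # stand-in: the value lives in self.cookie
    name = default.__name__
    return property(lambda self: self.cookie.get(name, default(self)),
                    lambda self, value: self.cookie.__setitem__(name, value))

class FakeVault:  # hypothetical rotating credential store, kept in memory
    def __init__(self):
        self.checked_out = {}  # checkout id -> (account, asset)

    def check_out(self, account, asset):
        checkout_id = secrets.token_hex(8)
        self.checked_out[checkout_id] = (account, asset)
        return checkout_id, secrets.token_urlsafe(16)  # constructed password

    def check_in(self, checkout_id):
        self.checked_out.pop(checkout_id, None)  # unknown ids are ignored

VAULT = FakeVault()

class Plugin(CredentialStorePlugin):
    @cookie_property
    def checkout_id(self):
        return None

    def do_get_password_list(self):
        self.checkout_id, password = VAULT.check_out(self.account, self.asset)
        return {'passwords': [password]}  # the password is never logged or stored

    def do_check_in_credential(self):
        if self.checkout_id is None:  # nothing was checked out for this session
            return
        VAULT.check_in(self.checkout_id)
        self.checkout_id = None  # a repeated call must not check in twice

def simulate_session(account, asset):
    """Two separate plugin invocations; only the cookie links them."""
    first = Plugin(account=account, asset=asset)
    passwords = first.do_get_password_list()['passwords']
    second = Plugin(cookie=first.cookie, account=account, asset=asset)
    second.do_check_in_credential()
    return passwords, second.cookie, len(VAULT.checked_out)
```

In this model a check-in call that arrives without the cookie finds no checkout_id and leaves the credential checked out, which is why the identifier is kept in a cookie property rather than in an ordinary attribute.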

8.2.3. Pre-defined attributes on self

The following attributes are available in all the above methods, except where otherwise noted.

self.connection is a read-only object that shows a record of the SPS connection being processed. For example, to find out the protocol used in the connection, write self.connection.protocol. Note: only ‘session_id’ is available in the do_authentication_completed(), do_check_in_credential() and do_session_ended() methods.

self.cookie represents the cookie passed to and returned by the plugin.

self.session_cookie represents the session cookie passed to and returned by the plugin.

self.account represents the account name.

self.asset represents the asset name.