8.2. Plugin development¶
Follow the steps in Getting started to set up the correct Python environment. There are administrative steps bellow to describe the plugin. After adding some code to the plugin, the directory can be packaged in a ZIP file and uploaded to SPS.
8.2.1. Administrative tasks¶
Update the following files with information correct for your plugin:
MANIFEST
: plugin name, descriptions, etc. For details consult the
Creating custom Credential Store plugins developer’s guide. To determine the api version, see the
Getting started.
Pipfile
: describes what additional Python3 PIP packages to package in the eventual plugin and also what packages to
use at development time. Note that the Plugin SDK should not be listed in the [packages] section,
as the Plugin SDK is pre-installed on Safeguard for Privileges Sessions. There are other pre-installed python packages
on the system, consult the developer’s guide for more information.
8.2.2. Basic functionality¶
Inherit the Plugin class from
CredentialStorePlugin
and implement
the appropriate user defined functions:
do_get_password_list()
,
do_get_private_key_list()
,
do_check_in_credential()
,
do_authentication_completed()
or
do_session_ended()
.
The expected return values are defined in the technical document
Creating custom Credential Store plugins.
This is a basic example in which the credential store does not rotate passwords, just simply stores them:
#!/usr/bin/env pluginwrapper3
from safeguard.sessions.plugin import CredentialStorePlugin
class Plugin(CredentialStorePlugin):
def do_get_password_list(self):
# To get a configuration value:
config_value = self.plugin_configuration.get('section', 'option')
# To log something:
self.logger.debug("This is a debug message")
# To access connection information
session_id = self.connection.session_id
# your logic to fetch password based on self.account and self.asset
password = ...
return {'passwords': [password]}
In the next example the credential store does rotate passwords and it will give a checkout identifier to be used for checking in the password later.
#!/usr/bin/env pluginwrapper3
from safeguard.sessions.plugin import CredentialStorePlugin
from safeguard.sessions.plugin.plugin_base import cookie_property
class Plugin(CredentialStorePlugin):
@cookie_property
def checkout_id(self):
return None
def do_get_password_list(self):
#
# logic to fetch password and checkout id based on self.account and self.asset and
# any other data in self.connection, self.configuration, etc.
#
self.checkout_id = ...
password = ...
return {'passwords': [password]}
def do_check_in_credential(self):
# logic to check in the password using self.checkout_id and/or self.account, self.asset
8.2.3. Pre-defined attributes on self¶
On top of attributes defined by PluginBase, such as
self.plugin_configuration
and
self.logger
the following attributes are available in all the above methods, except where otherwise noted:
self.connection
which is a read-only object to show
a record of the SPS connection that is being processed. For example to find out the protocol used in the connection,
write self.connection.protocol
. Note: only ‘session_id’ is available in
do_authentication_completed()
do_check_in_credential()
and
do_session_ended()
methods.
self.account
represents the
account name.
self.asset
represents the
asset name.
8.2.4. Adding to the constructor¶
To enhance the class constructor, one may overload the
__init__
function
and add new functionality. Do keep the original call to super().__init__
at the top. Note that the
configuration parameter is the raw string representation of the plugin configuration, which will be
turned into
self.plugin_configuration
by the
base class.
#!/usr/bin/env pluginwrapper3
from safeguard.sessions.plugin import CredentialStorePlugin
class Plugin(CredentialStorePlugin):
def __init__(self, configuration):
super().__init__(configuration)
# your setup code