Add RDP MFA Caching Password and SSH CA Support

Author: ofiriluz

README.md

@@ -39,6 +39,7 @@ CyberArk's Official SDK and CLI for different services operations
     - [x] SIA K8S Service
     - [x] SIA DB Service
     - [x] SIA Access Service
+    - [x] SIA SSH CA Service
     - [x] Session Monitoring Service
     - [x] Identity Users Service
     - [x] Identity Roles Service
@@ -225,8 +226,9 @@ The following services and commands are supported:
     - <b>certificates</b> - SIA Certificates Management
     - <b>db</b> - SIA DB Enduser Operations
     - <b>sso</b> - SIA SSO Enduser Operations
-    - <b>k8s</b> - SIA kubernetes service
-    - <b>access</b> - SIA access service
+    - <b>k8s</b> - SIA Kubernetes Service
+    - <b>access</b> - SIA Access Service
+    - <b>ssh-ca</b> - SIA SSH CA Service
 - <b>sm</b> - Session Monitoring Service
 - <b>identity</b> - Identity Service
     - <b>users</b> - Identity Users Management
@@ -311,6 +313,11 @@ Generate a short lived SSO password for databases connection
 ark exec sia sso short-lived-password
 ```
 
+Generate a short lived SSO password for RDP connection
+```shell
+ark exec sia sso short-lived-password --service DPA-RDP
+```
+
 Generate a short lived SSO oracle wallet for oracle database connection
 ```shell
 ark exec sia sso short-lived-oracle-wallet --folder ~/wallet
@@ -326,6 +333,31 @@ Generate kubectl config file and save on specific path
 ark exec sia k8s generate-kubeconfig --folder=/Users/My.User/.kube
 ```
 
+Generate new SSH CA Key version
+```shell
+ark exec sia ssh-ca generate-new-ca
+```
+
+Deactivate previous SSH CA Key version
+```shell
+ark exec sia ssh-ca deactivate-previous-ca
+```
+
+Reactivate previous SSH CA Key version
+```shell
+ark exec sia ssh-ca reactivate-previous-ca
+```
+
+Get SSH CA public key
+```shell
+ark exec sia ssh-ca public-key
+```
+
+Get SSH CA public key script
+```shell
+ark exec sia ssh-ca public-key-script
+```
+
 Create a PCloud Safe
 ```shell
 ark exec pcloud safes add-safe --safe-name=safe

ark_sdk_python/ark_api.py

@@ -152,6 +152,18 @@ def sia_access(self) -> "ArkSIAAccessService":
 
         return cast(ArkSIAAccessService, self.service(ArkSIAAccessService))
 
+    @property
+    def sia_ssh_ca(self) -> "ArkSIASSHCAService":
+        """
+        Returns the SIA SSH CA service if the appropriate authenticators were given
+
+        Returns:
+            ArkSIASSHCAService: _description_
+        """
+        from ark_sdk_python.services.sia.ssh_ca import ArkSIASSHCAService
+
+        return cast(ArkSIASSHCAService, self.service(ArkSIASSHCAService))
+
     @property
     def sia_workspaces_db(self) -> "ArkSIADBWorkspaceService":
         """

ark_sdk_python/auth/identity/ark_identity_service_user.py

@@ -11,10 +11,10 @@
 
 from ark_sdk_python.auth.identity.ark_identity_fqdn_resolver import ArkIdentityFQDNResolver
 from ark_sdk_python.common import ArkKeyring, ArkSystemConfig, get_logger
+from ark_sdk_python.common.ark_jwt_utils import ArkJWTUtils
 from ark_sdk_python.common.env import DEPLOY_ENV, IDENTITY_ENV_URLS, AwsEnv
 from ark_sdk_python.models import ArkAuthException, ArkProfile
 from ark_sdk_python.models.auth import ArkAuthMethod, ArkToken, ArkTokenType
-from ark_sdk_python.common.ark_jwt_utils import ArkJWTUtils
 
 
 class ArkIdentityServiceUser:

ark_sdk_python/models/actions/services/ark_sia_exec_action_consts.py

@@ -48,6 +48,7 @@
     ArkSIAVMGetSecret,
     ArkSIAVMSecretsFilter,
 )
+from ark_sdk_python.models.services.sia.ssh_ca.ark_sia_get_ssh_public_key import ArkSIAGetSSHPublicKey
 from ark_sdk_python.models.services.sia.sso import (
     ArkSIASSOGetShortLivedClientCertificate,
     ArkSIASSOGetShortLivedOracleWallet,
@@ -232,6 +233,17 @@
     action_name='access',
     schemas=ACCESS_ACTION_TO_SCHEMA_MAP,
 )
+SSH_CA_ACTION_TO_SCHEMA_MAP: Final[Dict[str, Optional[Type[ArkModel]]]] = {
+    'generate-new-ca': None,
+    'deactivate-previous-ca': None,
+    'reactivate-previous-ca': None,
+    'public-key': ArkSIAGetSSHPublicKey,
+    'public-key-script': ArkSIAGetSSHPublicKey,
+}
+SSH_CA_ACTION: Final[ArkServiceActionDefinition] = ArkServiceActionDefinition(
+    action_name='ssh-ca',
+    schemas=SSH_CA_ACTION_TO_SCHEMA_MAP,
+)
 SIA_ACTIONS: Final[ArkServiceActionDefinition] = ArkServiceActionDefinition(
     action_name='sia',
     subactions=[
@@ -243,5 +255,6 @@
         CERTIFICATES_ACTION,
         K8S_ACTION,
         ACCESS_ACTION,
+        SSH_CA_ACTION,
     ],
 )

ark_sdk_python/models/services/sia/ssh_ca/__init__.py

@@ -0,0 +1,5 @@
+from ark_sdk_python.models.services.sia.ssh_ca.ark_sia_get_ssh_public_key import ArkSIAGetSSHPublicKey
+
+__all__ = [
+    'ArkSIAGetSSHPublicKey',
+]

ark_sdk_python/models/services/sia/ssh_ca/ark_sia_get_ssh_public_key.py

@@ -0,0 +1,9 @@
+from typing import Optional
+
+from pydantic import Field
+
+from ark_sdk_python.models import ArkModel
+
+
+class ArkSIAGetSSHPublicKey(ArkModel):
+    output_file: Optional[str] = Field(default=None, description='Save output to file')

ark_sdk_python/models/services/sia/sso/ark_sia_sso_get_short_lived_password.py

@@ -1,7 +1,10 @@
+from typing import Literal
+
 from pydantic import Field
 
 from ark_sdk_python.models import ArkModel
 
 
 class ArkSIASSOGetShortLivedPassword(ArkModel):
     allow_caching: bool = Field(description='Allow short lived token caching', default=False)
+    service: Literal['DPA-DB', 'DPA-RDP'] = Field(description='Which service to get the token info for', default='DPA-DB')

ark_sdk_python/services/sia/ark_sia_api.py

@@ -7,6 +7,7 @@
 from ark_sdk_python.services.sia.policies.vm import ArkSIAVMPoliciesService
 from ark_sdk_python.services.sia.secrets.db import ArkSIADBSecretsService
 from ark_sdk_python.services.sia.secrets.vm import ArkSIAVMSecretsService
+from ark_sdk_python.services.sia.ssh_ca import ArkSIASSHCAService
 from ark_sdk_python.services.sia.sso import ArkSIASSOService
 from ark_sdk_python.services.sia.workspaces.db import ArkSIADBWorkspaceService
 from ark_sdk_python.services.sia.workspaces.targetsets import ArkSIATargetSetsWorkspaceService
@@ -25,6 +26,7 @@ def __init__(self, isp_auth: ArkISPAuth) -> None:
         self.__certificates_service = ArkSIACertificatesService(isp_auth)
         self.__k8s_service = ArkSIAK8SService(isp_auth)
         self.__access_service = ArkSIAAccessService(isp_auth)
+        self.__ssh_ca_service = ArkSIASSHCAService(isp_auth)
 
     @property
     def workspace_db(self) -> ArkSIADBWorkspaceService:
@@ -135,3 +137,13 @@ def k8s(self) -> ArkSIAK8SService:
             ArkSIAK8SService: _description_
         """
         return self.__k8s_service
+
+    @property
+    def ssh_ca(self) -> ArkSIASSHCAService:
+        """
+        Getter for the SSH CA service
+
+        Returns:
+            ArkDPASSHCAService: _description_
+        """
+        return self.__ssh_ca_service

ark_sdk_python/services/sia/ssh_ca/__init__.py

@@ -0,0 +1,3 @@
+from ark_sdk_python.services.sia.ssh_ca.ark_sia_ssh_ca_service import ArkSIASSHCAService
+
+__all__ = ['ArkSIASSHCAService']

ark_sdk_python/services/sia/ssh_ca/ark_sia_ssh_ca_service.py

@@ -0,0 +1,131 @@
+import os
+from http import HTTPStatus
+from typing import Final
+
+from overrides import overrides
+from requests import Response
+
+from ark_sdk_python.auth.ark_isp_auth import ArkISPAuth
+from ark_sdk_python.common.isp import ArkISPServiceClient
+from ark_sdk_python.models import ArkServiceException
+from ark_sdk_python.models.services import ArkServiceConfig
+from ark_sdk_python.models.services.sia.ssh_ca import ArkSIAGetSSHPublicKey
+from ark_sdk_python.services.ark_service import ArkService
+
+SERVICE_CONFIG: Final[ArkServiceConfig] = ArkServiceConfig(
+    service_name='sia-ssh-ca', required_authenticator_names=['isp'], optional_authenticator_names=[]
+)
+
+# SSH CA Key Rotation
+GENERATE_NEW_CA_KEY_API: Final[str] = 'api/public-keys/rotation/generate-new'
+DEACTIVATE_PREVIOUS_CA_KEY_API: Final[str] = 'api/public-keys/rotation/deactivate-previous'
+REACTIVATE_PREVIOUS_CA_KEY_API: Final[str] = 'api/public-keys/rotation/reactivate-previous'
+
+PUBLIC_KEYS_API: Final[str] = 'api/public-keys'
+PUBLIC_KEYS_SCRIPT_API: Final[str] = 'api/public-keys/scripts'
+
+
+class ArkSIASSHCAService(ArkService):
+    def __init__(self, isp_auth: ArkISPAuth) -> None:
+        super().__init__(isp_auth)
+        self.__isp_auth = isp_auth
+        self.__client: ArkISPServiceClient = ArkISPServiceClient.from_isp_auth(
+            isp_auth=self.__isp_auth,
+            service_name='dpa',
+            refresh_connection_callback=self.__refresh_sia_auth,
+        )
+
+    def __refresh_sia_auth(self, client: ArkISPServiceClient) -> None:
+        ArkISPServiceClient.refresh_client(client, self.__isp_auth)
+
+    def generate_new_ca(self) -> None:
+        """
+        Generate new SSH CA key version
+
+        Raises:
+            ArkServiceException: _description_
+        """
+        self._logger.info('Generate new CA key version')
+        resp: Response = self.__client.post(GENERATE_NEW_CA_KEY_API)
+        if resp.status_code != HTTPStatus.CREATED:
+            raise ArkServiceException(f'Failed to generate new CA key [{resp.text}] - [{resp.status_code}]')
+
+    def deactivate_previous_ca(self) -> None:
+        """
+        Deactivate previous SSH CA key version
+
+        Raises:
+            ArkServiceException: _description_
+        """
+        self._logger.info('Deactivate previous CA key version')
+        resp: Response = self.__client.post(DEACTIVATE_PREVIOUS_CA_KEY_API)
+        if resp.status_code != HTTPStatus.OK:
+            raise ArkServiceException(f'Failed to deactivate previous CA key [{resp.text}] - [{resp.status_code}]')
+
+    def reactivate_previous_ca(self) -> None:
+        """
+        Reactivate previous SSH CA key version
+
+        Raises:
+            ArkServiceException: _description_
+        """
+        self._logger.info('Reactivate previous CA key version')
+        resp: Response = self.__client.post(REACTIVATE_PREVIOUS_CA_KEY_API)
+        if resp.status_code != HTTPStatus.OK:
+            raise ArkServiceException(f'Failed to reactivate previous CA key [{resp.text}] - [{resp.status_code}]')
+
+    def public_key(self, get_public_key: ArkSIAGetSSHPublicKey) -> str:
+        """
+        Retrieves the public key used for SIA SSH connections trust with customer env
+
+        Args:
+            get_public_key (ArkSIAGetSSHPublicKey): _description_
+
+        Raises:
+            ArkNotSupportedException: _description_
+            ArkServiceException: _description_
+
+        Returns:
+            str
+        """
+        self._logger.info('Getting public key')
+        resp: Response = self.__client.get(PUBLIC_KEYS_API)
+        if resp.status_code == HTTPStatus.OK:
+            if get_public_key.output_file:
+                os.makedirs(os.path.dirname(get_public_key.output_file), exist_ok=True)
+                with open(get_public_key.output_file, 'w', encoding='utf-8') as f:
+                    f.write(resp.text)
+            return resp.text
+        raise ArkServiceException(f'Failed to get public key [{resp.text}] - [{resp.status_code}]')
+
+    def public_key_script(self, get_public_key: ArkSIAGetSSHPublicKey) -> str:
+        """
+        Retrieves the public key script used for SIA SSH connections trust with customer env
+        The script can be run to install the public key in needed ssh configuration files
+
+        Args:
+            get_public_key (ArkSIAGetSSHPublicKey): _description_
+
+        Raises:
+            ArkNotSupportedException: _description_
+            ArkServiceException: _description_
+
+        Returns:
+            str
+        """
+        self._logger.info('Getting public key script')
+        resp: Response = self.__client.get(
+            PUBLIC_KEYS_SCRIPT_API,
+        )
+        if resp.status_code == HTTPStatus.OK:
+            if get_public_key.output_file:
+                os.makedirs(os.path.dirname(get_public_key.output_file), exist_ok=True)
+                with open(get_public_key.output_file, 'w', encoding='utf-8') as f:
+                    f.write(resp.text)
+            return resp.text
+        raise ArkServiceException(f'Failed to get public key script [{resp.text}] - [{resp.status_code}]')
+
+    @staticmethod
+    @overrides
+    def service_config() -> ArkServiceConfig:
+        return SERVICE_CONFIG