Describe the bug
Please add support for VirtualUsername so that AAM Dual Accounts can be used.

To Reproduce
n/a

Expected behavior
The ability to use VirtualUsername with pyAIM.

Change Pipfile and requirements.txt to require urllib3 versions greater than or equal to 1.24.2 due to CVE-2019-11324 identified in previous versions:

Vulnerable versions: < 1.24.2
Patched version: 1.24.2
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

Describe the bug
To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it's essential to make sure the server presents the right certificate.

The certificate's hostname-specific data should match the server hostname.

It's not recommended to re-invent the wheel by implementing custom hostname verification.

TLS/SSL libraries provide built-in hostname verification functions that should be used.

To Reproduce
n/a

Expected behavior
In aimccp.py L19:

self._context = ssl._create_unverified_context()

should be:

self._context = ssl._create_unverified_context()
self._context.check_hostname = True

Screenshots

Describe the bug
The password string is truncated when it contains commas

To Reproduce
Steps to reproduce the behavior:

1. Change the password to contain a comma on Cyberark
2. Use pyaim to retrieve the password
3. Check response['Password'], it is truncated up to the comma

Expected behavior
I would like to get the password even if it contains commas

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: Red Hat 8
• python 3.9.5
• pyaim 1.2.9

Smartphone (please complete the following information):

• Device: [e.g. iPhone6]
• OS: [e.g. iOS8.1]
• Browser [e.g. stock browser, safari]
• Version [e.g. 22]

Additional context
Add any other context about the problem here.

from pyaim import CCPPasswordREST
#from requests.auth import HTTPBasicAuth
#import requests

#requests.get('https://cyberarkccp-dev.company.com/AIMWebservice/v1.1/AIM.asmx', verify=False,auth=HTTPBasicAuth('user', 'pass'))
aimccp = CCPPasswordREST('https://cyberarkccp-dev.company.com/AIMWebservice/v1.1/AIM.asmx', verify=False) # set verify=False to ignore SSL

service_status = aimccp.check_service()

if service_status == 'SUCCESS: AIMWebService Found. Status Code: 200':
response = aimccp.GetPassword(appid='PAS_AUTOMATION_APP',safe='PAS_AUTOMATION',object='vault_pasautomation',reason='Reason message')
print('Full Python Object: {}'.format(response))
print('Username: {}'.format(response['Username']))
print('Password: {}'.format(response['Content']))
else:
raise Exception(service_status)

when i am running the above code i am getting the below error. I don't know why i am getting this error. Can any one help me. What all prerequisites needed for this? Do i need any permissions to run this in my local machine?

Error Message:

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "c:/Users/abc/Desktop/DashBoard/PASproject/ccppwd.py", line 8, in
service_status = aimccp.check_service()
File "C:\Users\abc\AppData\Roaming\Python\Python37\site-packages\pyaim\aimccp.py", line 37, in check_service
raise Exception(e)
Exception: [Errno 11001] getaddrinfo failed

I am able to retrieve the credential information using the object name:

from pyaim import CCPPasswordREST

aimccp = CCPPasswordREST('https://aimdev.mycompany.com', verify=True) # set verify=False to ignore SSL

service_status = aimccp.check_service()
print(service_status)

if service_status == 'SUCCESS: AIMWebService Found. Status Code: 200':
response = aimccp.GetPassword(appid='APP-DV-Test',safe='S-GEN-Test',objectName='APITest',reason='Reason message')
print('Full Python Object: {}'.format(response))
print('UserName: {}'.format(response['UserName']))
print('Password: {}'.format(response['Content']))
else:
raise Exception(service_status)

However when I use the same code, but use username to pass the Virtual UserName, I get an error.

from pyaim import CCPPasswordREST

aimccp = CCPPasswordREST('https://aimdev.mycompany.com', verify=True) # set verify=False to ignore SSL

service_status = aimccp.check_service()
print(service_status)

if service_status == 'SUCCESS: AIMWebService Found. Status Code: 200':
response = aimccp.GetPassword(appid='APP-DV-Test',safe='S-GEN-Test',username='VIRT_API_Test',reason='Reason message')
print('Full Python Object: {}'.format(response))
UserName = ('UserName: {}'.format(response['UserName']))
print (UserName)
AIMPass = ('Password: {}'.format(response['Content']))
print (AIMPass)
#print('UserName: {}'.format(response['UserName']))
#print('Password: {}'.format(response['Content']))
else:
raise Exception(service_status)

Full Python Object: {'ErrorCode': 'APPAP004E', 'ErrorMsg': 'Password object matching query [UserName=VIRT_API_Test;Safe=S-GEN-Test] was not found (Diagnostic Info: 5). Please check that there is a password object that answers your query in the Vault and that both the Provider and the application user have the appropriate permissions needed in order to use the password.'}

Describe the bug
When attempting to retrieve an account from the vault using CCPPasswordREST an HTTP 500 error is returned.

Expected behavior
The request should be successful and return either an error from the Centralized Credential Provider or respond with the requested account details.

Additional context
Initially, the safe had a space in the name. After removing the space, the same error was occurring. Confirmed the same values worked via requests in Python 3.7 on same machine.

Currently, pyAIM is using the default path (AIMWebService) to build the REST API calls for the queries, e.g. lines 31 or 86 in https://github.com/infamousjoeg/pyaim/blob/master/pyaim/aimccp.py
url = '/AIMWebService/v1.1/aim.asmx'
url = f"/AIMWebService/api/Accounts?{params}"
CCP installations can be performed on custom paths for various reasons.

My suggestion is to add a supported parameter for custom application paths (optional) for the CCPPasswordREST() function to be able to use pyAIM in these environments.

I can see from the README and a search through the issues that there is no support for Mac yet and I'm wondering why that is?

Is there a big thing making it hard to have Mac support, or has there just not been sufficient interest yet?

Is your feature request related to a problem? Please describe.
I'd like to get passwords when my script is run on a Mac, but Mac doesn't appear to be supported.

Describe the solution you'd like
To be able to get passwords when the script is run on a Mac, just like the other platforms.

Describe alternatives you've considered
Rest API? Maybe Python could use the C language CredentialProvider?

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
No problem, except that I cannot make it work with a .p12 file or similar. I understand, based upon cyberark's documentation and support personnel, that in order to use cyberark's Applications, a machine or certificate's serial number must be used for authentication purposes. I have tried only with powershell (by using Invoke-Method, "-Certificate" flag is required for passing the variable holding the authentication file (.p12)).

As part of the examples listed, is there any which shows how to pass the certificate's serial number or any other authentication in order to retrieve a password?

Describe the solution you'd like
A clear and concise description of what you want to happen.
No solution proposed.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.
I would appreciate your support and thank you for the time you put into these programs.

In the aimcpp.py the response returned from sub process call is split by comma ",". So if there is comma in a password then the output returned is wrong.

Is your feature request related to a problem? Please describe.
It would be really beneficial to be able to attempt to connect to multiple backup URLs if the first one fails, with a fairly short timeout.

Describe the solution you'd like
Implement some sort of timeout before trying a backup URL

Describe alternatives you've considered
I could build this logic into my script using pyaim, but that woudn't let me specify the timeout for the connection attempt.

Additional context
N/A

Describe the bug
When initializing CCPPasswordREST with verify=True the following error occurs:

Traceback (most recent call last):
  File "/Users/joegarcia/Git/infamousjoeg/pyaim/pyaim/aimccp.py", line 83, in GetPassword
    conn.request("GET", url, headers=self._headers)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/client.py", line 1230, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/client.py", line 1276, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/client.py", line 1225, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/client.py", line 1004, in _send_output
    self.send(msg)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/client.py", line 944, in send
    self.connect()
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/client.py", line 1399, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/joegarcia/Git/infamousjoeg/pyaim/pyaim/aimccp.py", line 91, in GetPassword
    raise Exception(e)
Exception: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)

Validated that the SSL Certificates on https://cyberark.joegarcia.dev are valid and current. They are supplied via LetsEncrypt.

To Reproduce
Steps to reproduce the behavior:

1. Init the CCPPasswordREST class with verify=True to verify all SSL certificates.
2. Either check_service() or GetPassword to receive the SSL error.

Expected behavior
No errors should occur and SSL should be verified successfully unless not from a Trusted Root.

Dependabot couldn't authenticate with https://pypi.org/simple/.

You can provide authentication details in your Dependabot dashboard by clicking into the account menu (in the top right) and selecting 'Config variables'.

View the update logs.

Getting an error when trying to use the CLIPasswordSDK method.

[root@lncd906 sdk]# ls -l /opt/CARKaim/sdk/clipasswordsdk
-rwxr-xr-x. 1 root bin 6903152 Jun 13 03:38 /opt/CARKaim/sdk/clipasswordsdk

[root@lncd906 sdk]# python3
Python 3.6.8 (default, Jun 11 2019, 15:15:01)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux
Type "help", "copyright", "credits" or "license" for more information.

from pyaim import CLIPasswordSDK
aimcp = CLIPasswordSDK('/opt/CARKaim/sdk/clipasswordsdk')
response = aimcp.GetPassword(appid='APP_CyberArkDAP_QA',safe='DAP_Automation',objectName='dap_automation-github')
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/pyaim/aimcp.py", line 63, in GetPassword
response = subprocess.run(query, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
File "/usr/lib64/python3.6/subprocess.py", line 423, in run
with Popen(*popenargs, kwargs) as process:
File "/usr/lib64/python3.6/subprocess.py", line 729, in init
restore_signals, start_new_session)
File "/usr/lib64/python3.6/subprocess.py", line 1364, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: '/opt/CARKaim/sdk/clipasswordsdk GetPassword -p AppDescs.AppID=APP_CyberArkDAP_QA -p Query=safe=DAP_Automation;object=dap_automation-github; -p RequiredProps= -o Password': '/opt/CARKaim/sdk/clipasswordsdk GetPassword -p AppDescs.AppID=APP_CyberArkDAP_QA -p Query=safe=DAP_Automation;object=dap_automation-github; -p RequiredProps= -o Password'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "", line 1, in
File "/usr/local/lib/python3.6/site-packages/pyaim/aimcp.py", line 68, in GetPassword
raise Exception(e)
Exception: [Errno 2] No such file or directory: '/opt/CARKaim/sdk/clipasswordsdk GetPassword -p AppDescs.AppID=APP_CyberArkDAP_QA -p Query=safe=DAP_Automation;object=dap_automation-github; -p RequiredProps=* -o Password': '/opt/CARKaim/sdk/clipasswordsdk GetPassword -p AppDescs.AppID=APP_CyberArkDAP_QA -p Query=safe=DAP_Automation;object=dap_automation-github; -p RequiredProps=* -o Password'

[root@lncd906 sdk]# /opt/CARKaim/sdk/clipasswordsdk GetPassword -p AppDescs.AppID=APP_CyberArkDAP_QA -p Query="Safe=DAP_Automation;Object=dap_automation-github" -o PassProps.UserName
clb10

As you can see from the first command, the executable exists. From the last command, you can see that clipasswordsdk works from the command line. CLIPasswordSDK method worked in the previous version (1.1.3)

I have a piece of code that works fine against v1.1.1 and recently installed it on a new instance which has the latest version (currently 1.2.7). Running the code gives me:

File "/usr/local/lib/python3.6/site-packages/pyaim/aimccp.py", line 19, in init
self._context = ssl.create_unverified_context()
AttributeError: module 'ssl' has no attribute 'create_unverified_context'

From what I can see, this should be _create_unverified_context().

To Reproduce

Write code containing:
pyaim.CCPPasswordREST("https://myhost", verify=False)

(I haven't tried with verify=True, but I suspect that works, as that avoids the above code)

Expected behavior
It does not crash with an AttributeError

My organization uses self-signed certs internally. I would like to be able to pass an argument to the object initializer to specify the cert location.

I verified that if I pass verify=False to the CCPPasswordREST() function, everything works. That's not ideal, though.

This first code block demonstrates what I'm doing to replicate the conditions in the aimccp.py file. I grab the same package imports, set up the app endpoint (names all redacted), and walk through the object creation including SSL setup. I included the relevant part of the error message from the conn.getresponse() call.

import http.client
import ssl

CCP_ENDPOINT = 'https://app.foo.org'
full_url = 'https://app.foo.org/AIMWebService/api/Accounts?AppID=MyAppID&Safe=MySafe&Object=MyObject'

base_uri = CCP_ENDPOINT
base_uri = base_uri.strip('/').replace('https://','')
headers = {'Content-Type': 'application/json'}

context = ssl.create_default_context()

conn = http.client.HTTPSConnection(base_uri, context=context)
conn.request("GET", full_url, headers=headers)

>>> conn.request("GET", full_url, headers=headers)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  ...
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)

I did some digging and found the requests package method of handling the verify argument. They allow for passing the location of your local certs bundle. the http.client package has a similar capability. This sample shows the added lines to my example that declare the local cert location. It turns out that the standard (on my distro, anyway) location for certs works fine. It just needs to be expressly declared. I think that is something to do with conda.

...

certs = '/etc/ssl/certs/ca-bundle.crt'
context = ssl.create_default_context()
context.load_verify_locations(cafile=certs)
conn = http.client.HTTPSConnection(base_uri, context=context)
conn.request("GET", full_url, headers=headers)
res = conn.getresponse()
conn.close()
res.status

>>> res.status
200

When the essential line (context.load_verify_locations(cafile=certs)) is added to the non-working example above, the http.client code is able to connect to my app server. To integrate this, I suggest modifying the CCPPasswordREST definition to be something like this:

class CCPPasswordREST(object):

    # Runs on Initialization
    def __init__(self, base_uri, verify=True):

        # Declare Init Variables
        self._base_uri = base_uri.rstrip('/').replace('https://','') # Example: https://pvwa.cyberarkexample.com
        self._context = ssl.create_default_context()
        self._headers = {'Content-Type': 'application/json'} # Build Header for GET Request

        if verify is not True:
            if verify is False:
                self._context = ssl._create_unverified_context()
                self._context.check_hostname = True
            else:
                self._context.load_verify_locations(cafile=verify)

This overloads the verify argument similar to the requests package. The alternate option I see would be to add another argument to the definition, def __init__(self, base_uri, verify=True, cafile='/etc/ssl/certs/ca-bundle.crt'): or some such.

Is your feature request related to a problem? Please describe.
No. It's a legit feature request.

Describe the solution you'd like
A new class to be created called CCPPasswordREST that will utilize the @cyberark Centralized Credential Provider via REST.

Describe alternatives you've considered
There are no alternatives. It's a different product and different methodology.

Additional context
It will require the requests package as a dependency.

Firstly, many thanks for creating this module. It's very helpful indeed.

I'm almost afraid to ask, but how do you specify the username for the account you wish to retrieve the password for? Under windows, when I run the command line tool, I issue a command similar to this one:
CLIPasswordSDK64.exe GetPassword /p AppDescs.AppID=MyAppID /p Query=Safe=TheSafeINeed;Folder=Root;UserName=TheUserName /o Password

Here's how I call your routine:

cli=CLIPasswordSDK(f"{sdk_path}\CLIPasswordSDK64.exe")
password = cli.GetPassword('MyAppID', 'TheSafeINeed', 'Username=SVC_MLAI_D')

I recognize that the third argument should be the objectName but I'm not sure how to provide that. I've tried many combinations with no luck.

Any advice would be very much appreciated.

Many thanks again for this module.