Identity service support, containing Users, Roles, Policies and Directories API's with fitting validation models (cyberark#20)

* Identity service support, containing Users, Roles, Policies and Directories API's with fitting validation models

* Minor fix to defaults

* Minor fix to defaults

* Minor fixes

* Some more examples

* Some more examples

Author: ofiriluz

README.md

@@ -37,6 +37,10 @@ CyberArk's Official SDK and CLI for different services operations
     - [x] DPA K8S Service
     - [x] DPA DB Service
     - [x] Session Monitoring Service
+    - [x] Identity Users Service
+    - [x] Identity Roles Service
+    - [x] Identity Policies Service
+    - [x] Identity Directories Service
 - [x] All services contains CRUD and Statistics per respective service
 - [x] Ready to use SDK in Python
 - [x] CLI and SDK Examples
@@ -211,6 +215,12 @@ The following services and commands are supported:
     - <b>db</b> - DPA DB Enduser Operations
     - <b>sso</b> - DPA SSO Enduser Operations
     - <b>k8s</b> - DPA kubernetes service
+- <b>sm</b> - Session Monitoring Service
+- <b>identity</b> - Identity Service
+    - <b>users</b> - Identity Users Management
+    - <b>roles</b> - Identity Roles Management
+    - <b>policies</b> - Identity Policies Management
+    - <b>directories</b> - Identity Directories Reading
 
 Any command has its own subcommands, with respective arguments
 

ark_sdk_python/ark_api.py

@@ -80,6 +80,54 @@ def profile(self) -> ArkProfile:
         """
         return self.__profile
 
+    @property
+    def identity_directories(self) -> "ArkIdentityDirectoriesService":
+        """
+        Returns the Identity Directories Service if the appropriate authenticators were given
+
+        Returns:
+            ArkIdentityDirectoriesService: _description_
+        """
+        from ark_sdk_python.services.identity.directories import ArkIdentityDirectoriesService
+
+        return cast(ArkIdentityDirectoriesService, self.service(ArkIdentityDirectoriesService))
+
+    @property
+    def identity_policies(self) -> "ArkIdentityPoliciesService":
+        """
+        Returns the Identity Policies Service if the appropriate authenticators were given
+
+        Returns:
+            ArkIdentityPoliciesService: _description_
+        """
+        from ark_sdk_python.services.identity.policies import ArkIdentityPoliciesService
+
+        return cast(ArkIdentityPoliciesService, self.service(ArkIdentityPoliciesService))
+
+    @property
+    def identity_roles(self) -> "ArkIdentityRolesService":
+        """
+        Returns the Identity Roles Service if the appropriate authenticators were given
+
+        Returns:
+            ArkIdentityRolesService: _description_
+        """
+        from ark_sdk_python.services.identity.roles import ArkIdentityRolesService
+
+        return cast(ArkIdentityRolesService, self.service(ArkIdentityRolesService))
+
+    @property
+    def identity_users(self) -> "ArkIdentityUsersService":
+        """
+        Returns the Identity Users Service if the appropriate authenticators were given
+
+        Returns:
+            ArkIdentityUsersService: _description_
+        """
+        from ark_sdk_python.services.identity.users import ArkIdentityUsersService
+
+        return cast(ArkIdentityUsersService, self.service(ArkIdentityUsersService))
+
     @property
     def dpa_workspaces_db(self) -> "ArkDPADBWorkspaceService":
         """

ark_sdk_python/examples/create_identity_resources.py

@@ -0,0 +1,20 @@
+from ark_sdk_python.auth import ArkISPAuth
+from ark_sdk_python.models.auth import ArkAuthMethod, ArkAuthProfile, ArkSecret, IdentityArkAuthMethodSettings
+from ark_sdk_python.models.services.identity.roles import ArkIdentityCreateRole
+from ark_sdk_python.models.services.identity.users import ArkIdentityCreateUser
+from ark_sdk_python.services.identity import ArkIdentityAPI
+
+if __name__ == "__main__":
+    isp_auth = ArkISPAuth()
+    isp_auth.authenticate(
+        auth_profile=ArkAuthProfile(
+            username='CoolUser', auth_method=ArkAuthMethod.Identity, auth_method_settings=IdentityArkAuthMethodSettings()
+        ),
+        secret=ArkSecret(secret='CoolPassword'),
+    )
+
+    # Create an identity service to create some users and roles
+    print('Creating identity roles and users')
+    identity_api = ArkIdentityAPI(isp_auth)
+    identity_api.identity_roles.create_role(ArkIdentityCreateRole(role_name='IT'))
+    identity_api.identity_users.create_user(ArkIdentityCreateUser(username='it_user', password='CoolPassword', roles=['IT']))

ark_sdk_python/examples/default_suffix.py

@@ -0,0 +1,12 @@
+from ark_sdk_python.auth import ArkISPAuth
+from ark_sdk_python.models.ark_profile import ArkProfileLoader
+from ark_sdk_python.models.services.identity.directories import ArkIdentityListDirectoriesEntities
+from ark_sdk_python.services.identity import ArkIdentityAPI
+
+if __name__ == "__main__":
+    isp_auth = ArkISPAuth()
+    isp_auth.authenticate(ArkProfileLoader().load_default_profile())
+    identity_api = ArkIdentityAPI(isp_auth)
+    print(identity_api.identity_directories.tenant_default_suffix())
+    for page in identity_api.identity_directories.list_directories_entities(ArkIdentityListDirectoriesEntities()):
+        print([i.name for i in page.items])

ark_sdk_python/models/actions/services/__init__.py

@@ -1,14 +1,17 @@
 from typing import Any, List
 
 from ark_sdk_python.models.actions.services.ark_dpa_exec_action_consts import DPA_ACTIONS
+from ark_sdk_python.models.actions.services.ark_identity_exec_action_consts import IDENTITY_ACTIONS
 from ark_sdk_python.models.actions.services.ark_sm_exec_action_consts import SM_ACTIONS
 
 SUPPORTED_SERVICE_ACTIONS: List[Any] = [
+    IDENTITY_ACTIONS,
     DPA_ACTIONS,
     SM_ACTIONS,
 ]
 
 __all__ = [
+    'IDENTITY_ACTIONS',
     'DPA_ACTIONS',
     'SM_ACTIONS',
     'SUPPORTED_SERVICE_ACTIONS',

ark_sdk_python/models/actions/services/ark_identity_exec_action_consts.py

@@ -0,0 +1,114 @@
+from typing import Dict, Final, Optional, Type
+
+from ark_sdk_python.models import ArkModel
+from ark_sdk_python.models.actions.ark_service_action_definition import ArkServiceActionDefinition
+from ark_sdk_python.models.services.identity.directories import ArkIdentityListDirectories, ArkIdentityListDirectoriesEntities
+from ark_sdk_python.models.services.identity.policies import (
+    ArkIdentityAddAuthenticationProfile,
+    ArkIdentityAddPolicy,
+    ArkIdentityDisablePolicy,
+    ArkIdentityEnablePolicy,
+    ArkIdentityGetAuthenticationProfile,
+    ArkIdentityGetPolicy,
+    ArkIdentityRemoveAuthenticationProfile,
+    ArkIdentityRemovePolicy,
+)
+from ark_sdk_python.models.services.identity.roles import (
+    ArkIdentityAddAdminRightsToRole,
+    ArkIdentityAddGroupToRole,
+    ArkIdentityAddRoleToRole,
+    ArkIdentityAddUserToRole,
+    ArkIdentityCreateRole,
+    ArkIdentityDeleteRole,
+    ArkIdentityListRoleMembers,
+    ArkIdentityRemoveGroupFromRole,
+    ArkIdentityRemoveRoleFromRole,
+    ArkIdentityRemoveUserFromRole,
+    ArkIdentityRoleIdByName,
+    ArkIdentityUpdateRole,
+)
+from ark_sdk_python.models.services.identity.users import (
+    ArkIdentityCreateUser,
+    ArkIdentityDeleteUser,
+    ArkIdentityResetUserPassword,
+    ArkIdentityUpdateUser,
+    ArkIdentityUserByName,
+    ArkIdentityUserIdByName,
+)
+
+# Identity Definitions
+# Directories
+IDENTITY_DIRECTORIES_ACTION_TO_SCHEMA_MAP: Final[Dict[str, Optional[Type[ArkModel]]]] = {
+    'list-directories': ArkIdentityListDirectories,
+    'list-directories-entities': ArkIdentityListDirectoriesEntities,
+    'tenant-default-suffix': None,
+}
+IDENTITY_DIRECTORIES_ACTIONS: Final[ArkServiceActionDefinition] = ArkServiceActionDefinition(
+    action_name='directories',
+    schemas=IDENTITY_DIRECTORIES_ACTION_TO_SCHEMA_MAP,
+)
+
+# Policies
+IDENTITY_POLICIES_ACTION_TO_SCHEMA_MAP: Final[Dict[str, Optional[Type[ArkModel]]]] = {
+    'add-authentication-profile': ArkIdentityAddAuthenticationProfile,
+    'remove-authentication-profile': ArkIdentityRemoveAuthenticationProfile,
+    'list-authentication-profiles': None,
+    'authentication-profile': ArkIdentityGetAuthenticationProfile,
+    'add-policy': ArkIdentityAddPolicy,
+    'remove-policy': ArkIdentityRemovePolicy,
+    'list-policies': None,
+    'policy': ArkIdentityGetPolicy,
+    'enable-policy': ArkIdentityEnablePolicy,
+    'disable-policy': ArkIdentityDisablePolicy,
+    'enable-default-policy': None,
+    'disable-default-policy': None,
+}
+IDENTITY_POLICIES_ACTIONS: Final[ArkServiceActionDefinition] = ArkServiceActionDefinition(
+    action_name='policies',
+    schemas=IDENTITY_POLICIES_ACTION_TO_SCHEMA_MAP,
+)
+
+# Roles
+IDENTITY_ROLES_ACTION_TO_SCHEMA_MAP: Final[Dict[str, Optional[Type[ArkModel]]]] = {
+    'add-user-to-role': ArkIdentityAddUserToRole,
+    'add-group-to-role': ArkIdentityAddGroupToRole,
+    'add-role-to-role': ArkIdentityAddRoleToRole,
+    'remove-user-from-role': ArkIdentityRemoveUserFromRole,
+    'remove-group-from-role': ArkIdentityRemoveGroupFromRole,
+    'remove-role-from-role': ArkIdentityRemoveRoleFromRole,
+    'create-role': ArkIdentityCreateRole,
+    'update-role': ArkIdentityUpdateRole,
+    'delete-role': ArkIdentityDeleteRole,
+    'list-role-members': ArkIdentityListRoleMembers,
+    'add-admin-rights-to-role': ArkIdentityAddAdminRightsToRole,
+    'role-id-by-name': ArkIdentityRoleIdByName,
+}
+IDENTITY_ROLES_ACTIONS: Final[ArkServiceActionDefinition] = ArkServiceActionDefinition(
+    action_name='roles',
+    schemas=IDENTITY_ROLES_ACTION_TO_SCHEMA_MAP,
+)
+
+# Users
+IDENTITY_USERS_ACTION_TO_SCHEMA_MAP: Final[Dict[str, Optional[Type[ArkModel]]]] = {
+    'create-user': ArkIdentityCreateUser,
+    'update-user': ArkIdentityUpdateUser,
+    'delete-user': ArkIdentityDeleteUser,
+    'user-by-name': ArkIdentityUserByName,
+    'user-id-by-name': ArkIdentityUserIdByName,
+    'reset-user-password': ArkIdentityResetUserPassword,
+}
+IDENTITY_USERS_ACTIONS: Final[ArkServiceActionDefinition] = ArkServiceActionDefinition(
+    action_name='users',
+    schemas=IDENTITY_USERS_ACTION_TO_SCHEMA_MAP,
+)
+
+# Service Actions Definition
+IDENTITY_ACTIONS: Final[ArkServiceActionDefinition] = ArkServiceActionDefinition(
+    action_name='identity',
+    subactions=[
+        IDENTITY_DIRECTORIES_ACTIONS,
+        IDENTITY_POLICIES_ACTIONS,
+        IDENTITY_ROLES_ACTIONS,
+        IDENTITY_USERS_ACTIONS,
+    ],
+)

ark_sdk_python/models/common/identity/ark_identity_directory_schemas.py

@@ -94,6 +94,7 @@ class RoleRow(ArkModel):
     id: str = Field(alias='_ID')
     admin_rights: Optional[List[RoleAdminRight]] = Field(alias='AdministrativeRights')
     is_hidden: Optional[bool] = Field(alias='IsHidden')
+    description: Optional[str] = Field(alias='Description')
 
 
 class RoleResult(ArkModel):
@@ -113,6 +114,7 @@ class UserRow(ArkModel):
     directory_service_type: DirectoryService = Field(alias='ServiceType')
     email: Optional[str] = Field(alias='EMail')
     internal_id: Optional[str] = Field(alias='InternalName')
+    description: Optional[str] = Field(alias='Description')
 
 
 class UserResult(ArkModel):

ark_sdk_python/models/services/dpa/policies/db/ark_dpa_db_connection_data.py

@@ -40,9 +40,13 @@ class ArkDPADBOracleDBAuth(ArkDPADBBaseAuth):
 
 
 class ArkDPADBMongoDBAuth(ArkDPADBBaseAuth):
-    global_builtin_roles: List[ArkDPADBMongoGlobalBuiltinRole] = Field(description='Global builtin roles across all databases')
-    database_builtin_roles: Dict[str, List[ArkDPADBMongoDatabaseBuiltinRole]] = Field(description='Per database builtin roles')
-    database_custom_roles: Dict[str, List[str]] = Field(description='Custom per database roles')
+    global_builtin_roles: List[ArkDPADBMongoGlobalBuiltinRole] = Field(
+        description='Global builtin roles across all databases', default_factory=list
+    )
+    database_builtin_roles: Dict[str, List[ArkDPADBMongoDatabaseBuiltinRole]] = Field(
+        description='Per database builtin roles', default_factory=dict
+    )
+    database_custom_roles: Dict[str, List[str]] = Field(description='Custom per database roles', default_factory=dict)
     applied_to: Optional[List[ArkDPADBAppliedTo]] = Field(description='Which resources to apply to')
 
 

ark_sdk_python/models/services/dpa/workspaces/db/ark_dpa_db_add_database.py

@@ -14,6 +14,7 @@ class ArkDPADBAddDatabase(ArkCamelizedModel):
     platform: ArkWorkspaceType = Field(
         description='Platform of the database, as in, where it resides, defaulted to on premises', default=ArkWorkspaceType.ONPREM
     )
+    auth_database: str = Field(description='Authentication database used, most commonly used with mongodb', default='admin')
     services: Optional[List[str]] = Field(description='Services related to the database, most commonly used with oracle')
     domain: Optional[str] = Field(description='The domain the DB resides in')
     domain_controller_name: Optional[str] = Field(description='Domain controller name associated to this database')

ark_sdk_python/models/services/dpa/workspaces/db/ark_dpa_db_database.py

@@ -13,6 +13,7 @@ class ArkDPADBDatabase(ArkCamelizedModel):
     name: str = Field(description='Name of the database, often referenced in policies and other APIs')
     network_name: str = Field(description='Name of the network the database resides in', default='OnPrem')
     platform: Optional[ArkWorkspaceType] = Field(description='Platform of the database, as in, where it resides')
+    auth_database: str = Field(description='Authentication database used, most commonly used with mongodb', default='admin')
     services: List[str] = Field(description='Services related to the database, most commonly used with oracle', default_factory=list)
     domain: Optional[str] = Field(description='The domain the DB resides in')
     domain_controller_name: Optional[str] = Field(description='Domain controller name associated to this database')

ark_sdk_python/models/services/dpa/workspaces/db/ark_dpa_db_update_database.py

@@ -14,6 +14,7 @@ class ArkDPADBUpdateDatabase(ArkCamelizedModel):
     new_name: Optional[str] = Field(description='New name for the database')
     network_name: Optional[str] = Field(description='Name of the network the database resides in', default='ON-PREMISE')
     platform: Optional[ArkWorkspaceType] = Field(description='Platform of the database, as in, where it resides')
+    auth_database: str = Field(description='Authentication database used, most commonly used with mongodb', default='admin')
     services: Optional[List[str]] = Field(description='Services related to the database, most commonly used with oracle')
     domain: Optional[str] = Field(description='The domain the DB resides in')
     domain_controller_name: Optional[str] = Field(description='Domain controller name associated to this database')

ark_sdk_python/models/services/identity/__init__.py

@@ -0,0 +1,21 @@
+from ark_sdk_python.models.services.identity.directories.ark_identity_directory import ArkIdentityDirectory
+from ark_sdk_python.models.services.identity.directories.ark_identity_entity import (
+    ArkIdentityEntity,
+    ArkIdentityEntityType,
+    ArkIdentityGroupEntity,
+    ArkIdentityRoleEntity,
+    ArkIdentityUserEntity,
+)
+from ark_sdk_python.models.services.identity.directories.ark_identity_list_directories import ArkIdentityListDirectories
+from ark_sdk_python.models.services.identity.directories.ark_identity_list_directories_entities import ArkIdentityListDirectoriesEntities
+
+__all__ = [
+    'ArkIdentityListDirectoriesEntities',
+    'ArkIdentityEntity',
+    'ArkIdentityEntityType',
+    'ArkIdentityGroupEntity',
+    'ArkIdentityRoleEntity',
+    'ArkIdentityUserEntity',
+    'ArkIdentityListDirectories',
+    'ArkIdentityDirectory',
+]

ark_sdk_python/models/services/identity/directories/__init__.py

@@ -0,0 +1,9 @@
+from pydantic import Field
+
+from ark_sdk_python.models import ArkModel
+from ark_sdk_python.models.common.identity import DirectoryService
+
+
+class ArkIdentityDirectory(ArkModel):
+    directory: DirectoryService = Field(description='Name of the directory')
+    directory_service_uuid: str = Field(description='ID of the directory')

ark_sdk_python/models/services/identity/directories/ark_identity_directory.py

@@ -0,0 +1,37 @@
+from enum import Enum
+from typing import List, Optional
+
+from pydantic import Field
+
+from ark_sdk_python.models import ArkModel
+from ark_sdk_python.models.common.identity import DirectoryService, RoleAdminRight
+
+
+class ArkIdentityEntityType(str, Enum):
+    Role = 'ROLE'
+    User = 'USER'
+    Group = 'GROUP'
+
+
+class ArkIdentityEntity(ArkModel):
+    id: str = Field(description='ID of the entity')
+    name: str = Field(description='Name of the entity')
+    entity_type: ArkIdentityEntityType = Field(description='Type of the entity')
+    directory_service_type: DirectoryService = Field(description='Directory type of the entity')
+    display_name: Optional[str] = Field(description='Display name of the entity')
+    service_instance_localized: str = Field(description='Display directory service name')
+
+
+class ArkIdentityUserEntity(ArkIdentityEntity):
+    email: Optional[str] = Field(description='Email of the user')
+    description: Optional[str] = Field(description='Description of the user')
+
+
+class ArkIdentityGroupEntity(ArkIdentityEntity):
+    pass
+
+
+class ArkIdentityRoleEntity(ArkIdentityEntity):
+    admin_rights: Optional[List[RoleAdminRight]] = Field(description='Admin rights of the role')
+    is_hidden: bool = Field(description='Whwether this role is hidden or not')
+    description: Optional[str] = Field(description='Description of the role')

ark_sdk_python/models/services/identity/directories/ark_identity_entity.py

@@ -0,0 +1,10 @@
+from typing import List, Optional
+
+from pydantic import Field
+
+from ark_sdk_python.models import ArkModel
+from ark_sdk_python.models.common.identity import DirectoryService
+
+
+class ArkIdentityListDirectories(ArkModel):
+    directories: Optional[List[DirectoryService]] = Field(description='Directories types to list')