SecureChange Custom Scripts

Overview

Custom scripts are files of code containing business logic that can run at various stages of the SecureChange ticket lifecycle. The scripts can be written by any programmer with the required skills; alternatively, they can be provided by Tufin Professional Services. For a quotation, contact your account manager. The scripts receive the ticket details from SecureChange, which they can use to run TOS APIs and/or pass information to external systems; they have no format requirements. Any number of custom scripts can be integrated into workflows.

Custom scripts can be written in any programming language, and must be installed on the TOS Aurora host outside the cluster or on an external host.

Custom scripts can be invoked following a specific workflow event such as closing a ticket or moving from one ticket step to the next. These events are called triggers.

Every custom script requires a matching mediator script, the purpose of which is to communicate between SecureChange and the custom script. The mediator script contains no business logic, must be written in a fixed format, and must be uploaded to TOS Aurora. SecureChange calls the mediator script, which sends an XML payload to the web server. This payload is used as input to the custom script.

Mediator Scripts

The mediator script must be uploaded to TOS using the command sudo tos scripts sc push. When triggered by a SecureChange event, it sends a request to the web server to run its matching custom script. You must create a unique mediator script for every custom script.

Mediator Script Types

There are different types of mediator scripts - each with a different syntax.

Type

Expects Return Code

Expects XML Script
Workflow event triggers, as configured in Settings > SecureChange API check mark  
External risk analysis check mark  
Ticket validation script check mark  
Assignment mode: Skip assignment step   check mark
Dynamic assignment   check mark
Assignment mode: Pre-assignment scripts   check mark

Workflow Event Triggers

A script can run after a workflow event occurs. These events include:

Trigger

Action

Advance

Runs a script when a handled ticket has advanced to a new step on the specified workflow.

Automatic step failed

Runs a script when an automatic step has failed in a ticket.

Create

Runs a script when a ticket is created.

Close

Runs a script when a ticket is closed.

Cancel

Runs a script when a ticket is canceled.

Redo

Runs a script when a handler of a ticket has returned to an earlier step on a specified workflow.

Reject

Runs a script when a ticket is rejected.

Reopen

Runs a script when the requester reopens a ticket after the handlers have completed their tasks.

Resolve

Runs a script when all handlers have completed their tasks and is pending confirmation by the requester.

Resubmit

Runs a script when an expired ticket is resubmitted.

XML Input to the Custom Script

When invoked, SecureChange passes ticket information to the mediator script in XML format containing the following attributes:

  • completion_step_id
  • completion_step_name
  • createDate
  • current_stage_id
  • current_stage_name
  • id
  • open_request_id
  • open_request_name
  • subject
  • updateDate
  

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ticket_info>
  <id>64</id>
  <subject>test_mediator_tutorial</subject>
  <priority>
    <id>3</id>
    <name>Normal</name>
  </priority>
  <createDate>1704707276656</createDate>
  <updateDate>1704707524268</updateDate>
  <requester>
    <id>4</id>
    <login>api</login>
    <display_name>api api</display_name>
  </requester>
  <current_stage>
    <id>253</id>
    <name>test_mediator</name>
    <ticket_task>
      <id>253</id>
      <name>Default</name>
      <handler>
        <id>4</id>
        <login>api</login>
        <display_name>api api</display_name>
      </handler>
    </ticket_task>
  </current_stage>
  <open_request_stage>
    <id>252</id>
    <name>Open request</name>
    <ticket_task>
      <id>252</id>
      <name>Default</name>
      <handler>
        <id>4</id>
        <login>api</login>
        <display_name>api api</display_name>
      </handler>
    </ticket_task>
  </open_request_stage>
  <comment xsi:type="RedoCommentType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <content>test</content>
    <user>
      <id>4</id>
      <login>api</login>
      <display_name>api api</display_name>
    </user>
  </comment>
</ticket_info>

Implementing your Custom Script

These are the steps to implement a mediator script. Each step includes sample code.

  1. Create the web server that will be used to run your custom scripts (see Custom Scripting Solution).

  2. You can create your custom scripts in any programming language.

    TOS Aurora users can use Pytos 2 (a Python package) to create scripts. This package, which the Tufin Professional Services team maintains, contains common SecureTrack, SecureChange, and GraphQL API calls. You can find the package repository here: https://gitlab.com/tufinps/pytos2-ce

    Here is a tutorial that explains how to use pytos2: https://gitlab.com/tufinps/pytos2-ce/-/blob/master/docs/Basic%20Usage.ipynb?ref_type=heads

    Here is an example of a custom script that updates field values in a ticket.

    #!/usr/bin/env python3

    import asyncio
    from datetime import datetime
    import json
    from os import getenv
    from sys import stdin
    from xml.etree.ElementTree import fromstring

    import httpx
    from pydantic import AnyUrl, BaseSettings


    class Settings(BaseSettings):
        securechange_url: AnyUrl = "https://user:password@localhost/securechangeworkflow/api/securechange"  # type: ignore

        class Config:
            # .env file overrides
            env_file = ".env"
            env_file_encoding = "utf-8"


    settings = Settings()


    async def get_ticket(ticket_id):
        async with httpx.AsyncClient(
            base_url=settings.securechange_url, verify=False, timeout=30
        ) as client:
            res = await client.get(f"/tickets/{ticket_id}.json")
            res.raise_for_status()
            ticket_json = res.json()
            return ticket_json


    async def update_field(ticket, field_name, value):
        ticket_id = ticket["ticket"]["id"]
        current_step = ticket["ticket"]["steps"]["step"][-1]
        current_task = current_step["tasks"]["task"]
        x = [f for f in current_task["fields"]["field"] if f["name"] == field_name]
        field = x[0] if len(x) > 0 else None
        if not field:
            return None
        field["reason"] = value
        put_field_url = f"/tickets/{ticket_id}/steps/{current_step['id']}/tasks/{current_task['id']}/fields/"
        async with httpx.AsyncClient(
            base_url=settings.securechange_url,
            verify=False,
            timeout=30,
            headers={"Accept": "application/json"},
        ) as client:
            return await client.put(
                put_field_url,
                json={"fields": {"field": [field]}},
            )


    async def process(ticket_id, previous_step):
        ticket = await get_ticket(ticket_id)
        if previous_step != ticket["ticket"]["steps"]["step"][-2]["name"]:
            print("Ticket is no longer at the expected step")
        res = await update_field(
            ticket,
            "Approve Access Request",
            "newval" + str(datetime.now()),
        )
        print(res.text if res else "no field match")
        if res and not res.is_error:
            print("Successfully updated field")
        return res


    async def run_from_stdin():
        scw_event = getenv("SCW_EVENT")
        if scw_event == "ADVANCE":
            ticket_info = stdin.read()

            ticket_info_xml = fromstring(ticket_info)

            # Parse the ticket id
            x = ticket_info_xml.find("id")
            ticket_id = x.text if x is not None else None

            # parse the previous step
            previous_stage = ticket_info_xml.find("current_stage")
            x = previous_stage.find("name")
            previous_step_name = (
                (x.text if x is not None else None) if previous_stage else None
            )
            return await process(ticket_id, previous_step_name)


    if __name__ == "__main__":
        loop = asyncio.get_event_loop()
        loop.run_until_complete(run_from_stdin())
        # asyncio.run(run_from_stdin())

    • These scripts are intended to allow TOS Aurora-specific addons only. Scripts should be designed to utilize the TOS Aurora APIs or web service to interact with the software.

    • Scripts should not impede the performance or functionality of TOS Aurora. If Tufin Support provides assistance with troubleshooting or performance issues, you may be asked to disable scripts as part of the troubleshooting process.

  3. From this template, replacing <hostname>, <endpoint>,<user-name>, <password>, and <script_name> with values that define the path and location of its matching custom script.

    #! /bin/bash

    ARGS=($@)
    TICKET_INFO=$(cat | base64 -w0)

    # User hardcoded arguments 
    HOST=<hostname>
    ENDPOINT=<endpoint>
    USERNAME=<user-name>
    PASSWORD=<password>
    EXEC_SCRIPT=<script_name>

    #all additional arguments taken from SC
    EXEC_ARGS=${ARGS[@]:1}

    # define the payload to send to your webserver
    PAYLOAD="{ \
      \"ticket_info\":\"${TICKET_INFO}\",
      \"event\":\"${SCW_EVENT}\",
      \"script\": { \
        \"name\": \"${EXEC_SCRIPT}\",
        \"argv\": \"${EXEC_ARGS}\"
      }
    }"

    RESP=$(curl -sS --fail -X POST -u "${USERNAME}:${PASSWORD}" "${HOST}/${ENDPOINT}" \
        -H "Content-Type: application/json" \
        -d "${PAYLOAD}" 2>&1)

    HTTP_EXT_CODE=$?
    [ $HTTP_EXT_CODE -ne 0 ] && \
        echo $RESP > /dev/stderr && exit $HTTP_EXT_CODE 

    export RESP

    # parse the response json in python, the schema may differ from
    # server to server implementation
    python -c "
    import os, sys, json

    p = json.loads(os.getenv('RESP') or {})
    stdout = p.get('stdout', '')
    stderr = p.get('stderr', '')
    message = p.get('message', '')
    ext_code = p.get('ext_code', 0)

    sys.stdout.write(message)
    sys.stdout.write(stdout)

    if ext_code != 0:
      sys.stderr.write(stderr)
    exit(ext_code)
    "

  4. Upload to TOS Aurora; it is placed in /opt/tufin/data/securechange/scripts/.

    Push Mediator

    [<ADMIN> ~]$ sudo tos scripts sc push <path on local host> <relative path on SecureChange> [--overwrite]

    Verify that the Mediator is in the correct location

    [<ADMIN> ~]$ sudo tos scripts sc list [relative path on SecureChange] [--detailed]

  5. Configure the web server to run your custom scripts. They can run either on your TOS Aurora server outside the cluster or on a different server altogether. Select one:

    1. Create a file in the /etc/systemd/system directory called trigger.service. (In this example, we use the vi editor, but you can create it any way you like.)

      [<ADMIN> ~]# vi /etc/systemd/system/trigger.service
      vi /etc/systemd/system/trigger.service

      For example:

      [Unit]
Description=Tufin Trigger Service
After=network.target

[Service]
Type=simple
WorkingDirectory=/opt/trigger-service/
Environment=PATH=/opt/trigger-service/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Environment=PYTHONPATH=/opt/trigger-service/venv/lib/python3.6/site-packages:/opt/trigger-service/venv/bin
Environment=KUBECONFIG=/etc/rancher/k3s/k3s.yaml
ExecStart=/opt/trigger-service/venv/bin/uvicorn trigger_proxy:app --host 0.0.0.0
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target
    2. Modify the following locations where you have the mediator script installed: (Note that in the example, the location is /opt/trigger-service.)
      • WorkingDirectory
      • Environment
      • ExecStart
    3. Save the trigger.service file.
    4. Change the file permissions. 
      [<ADMIN> ~]# chmod 644 /etc/systemd/system/trigger.service
      chmod 644 /etc/systemd/system/trigger.service

    5. Start the service.

      [<ADMIN> ~]# systemctl start trigger
      systemctl start trigger

    6. Enable service on boot.

      [<ADMIN> ~]# systemctl enable trigger 
      systemctl enable trigger

    7. Check the status.

      [<ADMIN> ~]# systemctl status trigger
      systemctl status trigger

    8. Modify the Mediator script (mediator.sh). In the following line, replace SCRIPT_HOST=192.168.40.73:8000 with the IP address of the web service:

      SCRIPT_HOST=192.168.40.73:8000

      • For a deployment without high availability (HA), use the IP address of assigned to a node in the cluster, which is the IP address you would use to SSH to the server. It is not the VIP used in the TOS interface.

      • For an HA deployment, use the IP address of the cni0 interface from the server running the trigger proxy.

        To get the IP address.

        [<ADMIN> ~]# ip -4 addr show cni0 | grep -oP "(?<=inet )[\d\.]+(?=/)"
        ip -4 addr show cni0 | grep -oP "(?<=inet )[\d\.]+(?=/)"

        Set the SCRIPT_HOST to the returned IP address.

        [<ADMIN> ~]# set SCRIPT_HOST=<IP>
        set SCRIPT_HOST=<IP>

        where <IP> is the IP address.

    9. Place your custom SecureChange scripts, together with all dependencies and resources, on a node in the cluster in the directory or subdirectory that contains the web service. Make sure that the web service has permissions to run the scripts.

    10. Copy the script to the SecureChange pod.

      [<ADMIN> ~]# tos scripts sc push mediator.sh
      tos scripts sc push mediator.sh

      This command places the script in the following directory on the internal SecureChange pod.

      [<ADMIN> ~]# /opt/tufin/data/securechange/scripts/
      /opt/tufin/data/securechange/scripts/

    1. Modify the mediator.sh file.
      • On line 4 in the mediator.sh file, replace the IP address with the IP address of the external server that will present the custom script. You must prepend https:// before the IP address:

        SCRIPT_HOST=https://<EXTERNAL_SERVER_IP>:8000

      • Replace line 6 with the following: 
        resp=$(curl --cacert /opt/tufin/data/securechange/scripts/rootCA.pem -sS --fail -X POST -u "user:pass"  -H "Content-Type: application/json" "$SCRIPT_HOST/trigger_file" -d \
        resp=$(curl --cacert /opt/tufin/data/securechange/scripts/rootCA.pem -sS --fail -X POST -u "user:pass" -H "Content-Type: application/json" "$SCRIPT_HOST/trigger_file" -d \

        • This code establishes trust between the SecureChange pod on the Aurora node and the external server that will present the certificate. When you push the cert to the SecureChange pod, the full path is sent to the pod.

        Alternatively, you can replace --cacert /opt/tufin/data/securechange/scripts/rootCA.pem with -k, which accepts any certificate but is not secure.

        Replace user:pass with the username/password that is required for basic authentication to the external server.

    2. Create a file in the /etc/systemd/system directory called trigger.service. (In this example, we use the vi editor, but you can create it any way you like.)

      [<ADMIN> ~]# vi /etc/systemd/system/trigger.service
      vi /etc/systemd/system/trigger.service

    3. Copy the following into the trigger.service file and replace ssl-keyfile and ssl-certfile with your key/cert pair.

      [Unit]
Description=Tufin Trigger Service
After=network.target

[Service]
Type=simple
WorkingDirectory=<WORKING_DIRECTORY>
Environment=PATH=/opt/trigger-service/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ExecStart=<EXEC_START_DIRECTORY> trigger_proxy:app --host 0.0.0.0 --ssl-keyfile=<SSL_KEYFILE> --ssl-certfile=<SSL_CERTFILE>
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target

      where

      • <WORKING_DIRECTORY> and <EXEC_START_DIRECTORY> are the location where you installed the mediator script.

      • Environment: Change the path as required for your environment.

      • <SSL_KEYFILE> and <SSL_CERTFILE> are the SSL files that are saved in the directory under the <WORKING_DIRECTORY> and <EXEC_START_DIRECTORY> directories. For example:

        • ssl-keyfile=<WORKING_DIRECTORY>/ssl_cert/10.20.50.56-key.pem

        • ssl-certfile=<WORKING_DIRECTORY>/ssl_cert/10.20.50.56.pem

    4. Save the trigger.service file.
    5. Change the file permissions. 
      [<ADMIN> ~]# chmod 644 /etc/systemd/system/trigger.service
      chmod 644 /etc/systemd/system/trigger.service

    6. Start the service.

      [<ADMIN> ~]# systemctl start trigger
      systemctl start trigger

    7. Enable service on boot.

      [<ADMIN> ~]# systemctl enable trigger 
      systemctl enable trigger

    8. Check the status.

      [<ADMIN> ~]# systemctl status trigger
      systemctl status trigger

    9. Place your custom SecureChange scripts, together with all dependencies and resources, on a node in the cluster in the directory or subdirectory that contains the web service. Make sure that the web service has permissions to run the scripts.

    10. Copy the mediator.sh script and the rootCA.pem file to the Aurora data node. 

      [<ADMIN> ~]# scp mediator.sh rootCA.pem tufin-admin@<AURORA DATA NODE IP>:~
      scp mediator.sh rootCA.pem tufin-admin@<AURORA DATA NODE IP>:~

      The scp command copies the files from your external server to the /home/tufin-admin/ directory on the Aurora data node.

    11. Push the files to the SecureChange pod:

      [<ADMIN> ~]# tos scripts sc push mediator.sh
      tos scripts sc push mediator.sh
      [<ADMIN> ~]# tos scripts sc push rootCA.pem
      tos scripts sc push rootCA.pem

      The tos scripts sc commands place the files in the /opt/tufin/data/securechange/scripts/ directory on the SecureChange pod.

    12. On the external server, modify the trigger-service/trigger_proxy/_init_.py file as follows:

      1. On lines 68 and 69, change the username and password to match those in the mediator.sh file.

        • correct_username = secrets.compare_digest(credentials.username, "username")

        • correct_password = secrets.compare_digest(credentials.password, "password")

      2. On line 80, add a # to comment out the line:

        #@app.post("/trigger_file", dependencies=[Depends(ip_security)])

      3. On line 81, remove the # to uncomment the line:

        @app.post("/trigger_file", dependencies=[Depends(basic_auth)])

  6. Note that this procedure is only relevant for pure bash scripts that do not depend on any other library or infrastructure.

    1. Log into SecureChange using API account.

    2. Go to: Settings > SecureChange API

    3. Click: Add script

    4. Enter the full path to the script, for example:

      /opt/tufin/data/securechange/scripts/mediator1.sh

    5. Add any arguments that you want to pass to the script.

    6. Click Test to make sure that SecureChange can run the script.

    7. Select the SecureChange workflow that triggers the script.

    8. Select the workflow events that trigger the script.

    9. Click Save to save the script configuration.

    10. Check the web server for the response.

      data: {'ticket_info': 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pjx0aWNrZXRfaW5mbz48aWQ+NjQ8L2lkPjxzdWJqZWN0PnRlc3RfbWVkaWF0b3JfdHV0b3JpYWw8L3N1YmplY3Q+10.244.0.144 - - [08/Jan/2024 11:52:04] "POST /submit HTTP/1.1" 200 -

    11. Decode base64 to xml to get ticket information.

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <ticket_info>
          <id>64</id>
          <subject>test_mediator_tutorial</subject>
          <priority>
              <id>3</id>
              <name>Normal</name>
          </priority>
          <createDate>1704707276656</createDate>
          <updateDate>1704707524268</updateDate>
          <requester>
              <id>4</id>
              <login>api</login>
              <display_name>api api</display_name>
          </requester>
          <current_stage>
              <id>253</id>
              <name>test_mediator</name>
              <ticket_task>
                  <id>253</id>
                  <name>Default</name>
                  <handler>
                      <id>4</id>
                      <login>api</login>
                      <display_name>api api</display_name>
                  </handler>
              </ticket_task>
          </current_stage>
          <open_request_stage>
              <id>252</id>
              <name>Open request</name>
              <ticket_task>
                  <id>252</id>
                  <name>Default</name>
                  <handler>
                      <id>4</id>
                      <login>api</login>
                      <display_name>api api</display_name>
                  </handler>
              </ticket_task>
          </open_request_stage>
          <comment xsi:type="RedoCommentType"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              <content>test</content>
              <user>
                  <id>4</id>
                  <login>api</login>
                  <display_name>api api</display_name>
              </user>
          </comment>
      </ticket_info>

    If SecureChange does not succeed in starting the script following a selected trigger, a message is added to Settings > Message Board

Resources

How do I Get Here?

SecureChange > Settings > SecureChange API