Created
June 30, 2021 11:13
-
-
Save ajin/184322f1028db6145956620372fab49f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| Author: Ajin Man Tuladhar | |
| Purpose: Basic script to disable an internal user of Cisco Identity Services Engine (ISE). | |
| """ | |
| import sys | |
| import requests | |
| from requests.auth import HTTPBasicAuth | |
| import json | |
| import logging | |
| # The ISE sandbox uses a self-signed cert at present, so let's ignore any | |
| # obvious security warnings for now. | |
| import urllib3 | |
| urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) | |
| # The server root url, credentials to form url requests. | |
| # See here for more details: | |
| # https://developer.cisco.com/docs/identity-services-engine | |
| # You can access the API documentation at URL /ers/sdk | |
| serverlist1 = ['10.0.40.202', '10.0.40.201'] | |
| serverlist2 = ['10.0.40.202', '10.0.40.203'] | |
| port = 9060 | |
| # the credential to connect to ISE. This needs to be protected obviously! | |
| username = "rest_user" | |
| password = "Test01" | |
| auth = HTTPBasicAuth(username,password) | |
| # Headers are consistent for GET and POST requests | |
| headers = {"Accept": "application/json", "Content-Type" : "application/json"} | |
| logging.basicConfig( | |
| filename='IseDisableInternalUser.log', | |
| format='%(asctime)s %(levelname)-8s %(message)s', | |
| level=logging.INFO, | |
| datefmt='%Y-%m-%d %H:%M:%S') | |
| ''' GET request to ISE to get users and user id''' | |
| def do_get_endpoint(name, server): | |
| url = f"https://{server}:{port}/ers/config/{name}" | |
| resp = requests.get(url, auth=auth, headers=headers, verify=False) | |
| res_dict = json.loads(resp.text) | |
| return res_dict | |
| ''' PUT request to ISE to set the status of the user account''' | |
| def do_put_endpoint(name, obj, server): | |
| url = f"https://{server}:{port}/ers/config/{name}" | |
| resp = requests.put(url, auth=auth, headers=headers, verify=False, data=obj) | |
| res_dict = json.loads(resp.text) | |
| return res_dict | |
| ''' Retrieve active site by trying to establish a connection with list of hosts''' | |
| def get_active_server(serverList): | |
| activeServer = None | |
| for server in serverList: | |
| try: | |
| url = f"https://{server}:{port}/ers/config/" | |
| resp = requests.get(url, auth=auth, headers=headers, verify=False) | |
| activeServer = server | |
| except Exception as e: | |
| logging.debug("server not available... trying another") | |
| pass | |
| return activeServer | |
| ''' ISE API: Get-All internalusers, to list the users ''' | |
| def get_users(server): | |
| res_dict = do_get_endpoint("internaluser", server) | |
| internal_users = res_dict['SearchResult']['resources'] | |
| return internal_users | |
| ''' ISE API: Get-ByID user's details ''' | |
| def get_user_id (name, server): | |
| res_dict = do_get_endpoint("internaluser?filter=name.EQ.{}".format(name), server) | |
| internal_users = res_dict['SearchResult']['resources'] | |
| user_id = None | |
| if len(internal_users) == 1: | |
| user = internal_users[0] | |
| user_id = user['id'] | |
| elif len(internal_users) > 1: | |
| logging.error(f"Multiple users found on {server}") | |
| else: | |
| logging.error(f"No user found on {server}") | |
| return user_id | |
| ''' ISE API: Put-ByID user status ''' | |
| def change_user_status (user_name, user_id, status, server) : | |
| if user_id is not None: | |
| dict_user = {} | |
| dict_user["id"] = user_id | |
| dict_user["name"] = user_name | |
| dict_user["enabled"] = status | |
| dict_internal_user = {} | |
| dict_internal_user["InternalUser"] = dict_user | |
| logging.info(f"changing {user_name} status to {status} on {server}") | |
| res_dict = do_put_endpoint(f"internaluser/{user_id}", json.dumps(dict_internal_user), server) | |
| return res_dict | |
| if __name__=="__main__": | |
| if len(sys.argv) != 2: | |
| print("Usage: python ISE-DisableInternalUser.py [username]") | |
| sys.exit(1) | |
| user_name = sys.argv[1] | |
| activeServer = get_active_server(serverlist1) | |
| if activeServer is not None: | |
| user_id = get_user_id(user_name, activeServer) | |
| res = change_user_status(user_name, user_id, "false", activeServer) | |
| else: | |
| logging.error(f"no active server found: {serverlist1}") | |
| # the second server lists (env 2) | |
| activeServer = get_active_server(serverlist2); | |
| if activeServer is not None: | |
| user_id = get_user_id(user_name, activeServer) | |
| res = change_user_status(user_name, user_id, "false", activeServer) | |
| else: | |
| logging.error(f"no active server found: {serverlist2}") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment