SLK-103546 - Add Token Authentication Fallback Support

idanchAqua · idanchAqua · commit 4a28ad8a2a4c · 2026-03-04T19:39:18.000+02:00
- Add X-Tokens-Signature header to Auto-Connect backend API calls
- Implement automatic Bearer token fallback for direct CSPM calls on 401/403 errors
- Add get_bearer_token() and cspm_request_with_fallback() helper functions
- Refactor to use cspm_base_url and path parameters, remove duplicate URL parsing
- Add logging for HTTP requests, responses, and fallback operations
- Update trigger-aws.py, create_cspm_key.py, and generate_external_id.py
diff --git a/modules/single/modules/lambda/functions/create_cspm_key.py b/modules/single/modules/lambda/functions/create_cspm_key.py
@@ -44,22 +44,90 @@ def http_request(url, headers, method, body=None):
     if body is None:
         body = {}
 
+    print(f"HTTP request: {method} {url}")
+
     http = urllib3.PoolManager(cert_reqs='CERT_NONE')
 
     try:
         response = http.request(method, url, body=body, headers=headers)
+        response_data = response.data.decode('utf-8') if response.data else ''
+        print(f"HTTP response: {response.status} {response.reason} - {response_data}")
         return response
     except Exception as e:
         print('Failed to send http request; {}'.format(e))
         return None
 
 
+def get_bearer_token(cspm_base_url, api_key, aqua_secret, tstmp):
+    """Obtain Bearer token from CSPM /v2/tokens endpoint"""
+    path = "/v2/tokens"
+    method = "POST"
+    body = '{"validity":1,"allowed_endpoints":["ANY"]}'
+    tokens_url = cspm_base_url + path
+
+    print("Token fallback: Calling POST /v2/tokens to obtain Bearer token")
+
+    tokens_sig = get_signature(aqua_secret, tstmp, path, method, body)
+    headers = {
+        "X-API-Key": api_key,
+        "X-Signature": tokens_sig,
+        "X-Timestamp": tstmp,
+        "Content-Type": "application/json"
+    }
+
+    response = http_request(tokens_url, headers, method, body)
+    if response is None:
+        raise Exception("Failed to get Bearer token: HTTP request failed")
+
+    if response.status not in [200, 201]:
+        raise Exception(f"Failed to get Bearer token: {response.data.decode('utf-8')}")
+
+    json_object = json.loads(response.data.decode('utf-8'))
+    if json_object.get('status') != 200:
+        error_msg = json_object.get('message', 'Unknown error')
+        raise Exception(f"Tokens API failed: {error_msg}")
+
+    return json_object['data']
+
+
+def cspm_request_with_fallback(cspm_base_url, path, headers, method, body, api_key, aqua_secret, tstmp):
+    """Make CSPM request with automatic token authentication fallback"""
+    url = cspm_base_url + path
+    response = http_request(url, headers, method, body if body else '')
+
+    if response is None:
+        raise ValueError("HTTP request failed")
+
+    # Attempt fallback for 401/403 errors
+    if response.status in [401, 403]:
+        print(f"Token fallback: API key authentication failed with status {response.status}, attempting Bearer token fallback")
+        try:
+            bearer_token = get_bearer_token(cspm_base_url, api_key, aqua_secret, tstmp)
+
+            fallback_headers = {
+                "Authorization": f"Bearer {bearer_token}",
+                "X-Timestamp": tstmp,
+                "Content-Type": "application/json"
+            }
+
+            response = http_request(url, fallback_headers, method, body if body else '')
+            if response and response.status in [200, 201]:
+                print("Token fallback: Bearer token authentication succeeded")
+            elif response:
+                print(f"Token fallback: Bearer token authentication failed with status {response.status}")
+        except Exception as e:
+            print(f"Token fallback failed: {e}")
+            # Return original response if fallback fails
+
+    return response
+
+
 def get_cspm_key_id(aqua_api_key, aqua_secret, cspm_url, role_arn):
     tstmp = str(int(time.time() * 1000))
     sig = get_signature(aqua_secret, tstmp, "/v2/keys", "GET", '')
     headers = {"X-API-Key": aqua_api_key, "X-Signature": sig, "X-Timestamp": tstmp}
 
-    response = http_request(cspm_url + "/v2/keys", headers, "GET")
+    response = cspm_request_with_fallback(cspm_url, "/v2/keys", headers, "GET", '', aqua_api_key, aqua_secret, tstmp)
     json_object = json.loads(response.data)
     if response.status not in (200, 201):
         raise ValueError(f"Failed to get cspm key id for {role_arn}: {response.message}")
@@ -93,7 +161,7 @@ def create_cspm_key(cspm_url, aqua_api_key, aqua_secret, role_arn, external_id,
         "X-Timestamp": tstmp
     }
 
-    response = http_request(cspm_url + '/v2/keys', headers, "POST", jsonbody)
+    response = cspm_request_with_fallback(cspm_url, '/v2/keys', headers, "POST", jsonbody, aqua_api_key, aqua_secret, tstmp)
     if response.status not in (200, 201):
         raise Exception("Failed to create cspm key id", response.data.decode("utf-8"))
 
diff --git a/modules/single/modules/lambda/functions/generate_external_id.py b/modules/single/modules/lambda/functions/generate_external_id.py
@@ -33,11 +33,81 @@ def http_request(url, headers, method, body=None):
     if body is None:
         body = {}
 
+    print(f"HTTP request: {method} {url}")
+
     http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED')
 
     try:
         response = http.request(method, url, body=body, headers=headers)
+        response_data = response.data.decode('utf-8') if response.data else ''
+        print(f"HTTP response: {response.status} {response.reason} - {response_data}")
+        return response
+    except Exception as e:
+        print('Failed to send http request; {}'.format(e))
+        return None
+
+
+def get_bearer_token(cspm_base_url, api_key, aqua_secret, tstmp):
+    """Obtain Bearer token from CSPM /v2/tokens endpoint"""
+    path = "/v2/tokens"
+    method = "POST"
+    body = '{"validity":1,"allowed_endpoints":["ANY"]}'
+    tokens_url = cspm_base_url + path
+
+    print("Token fallback: Calling POST /v2/tokens to obtain Bearer token")
+
+    tokens_sig = get_signature(aqua_secret, tstmp, path, method, body)
+    headers = {
+        "X-API-Key": api_key,
+        "X-Signature": tokens_sig,
+        "X-Timestamp": tstmp,
+        "Content-Type": "application/json"
+    }
+
+    response = http_request(tokens_url, headers, method, body)
+
+    if response.status not in [200, 201]:
+        raise Exception(f"Failed to get Bearer token: {response.data.decode('utf-8')}")
 
+    json_object = json.loads(response.data.decode('utf-8'))
+    if json_object.get('status') != 200:
+        error_msg = json_object.get('message', 'Unknown error')
+        raise Exception(f"Tokens API failed: {error_msg}")
+
+    return json_object['data']
+
+
+def cspm_request_with_fallback(cspm_base_url, path, headers, method, body, api_key, aqua_secret, tstmp):
+    """Make CSPM request with automatic token authentication fallback"""
+    url = cspm_base_url + path
+    response = http_request(url, headers, method, body if body else '')
+
+    if response is None:
+        raise ValueError("HTTP request failed")
+
+    # Attempt fallback for 401/403 errors
+    if response.status in [401, 403]:
+        print(f"Token fallback: API key authentication failed with status {response.status}, attempting Bearer token fallback")
+        try:
+            bearer_token = get_bearer_token(cspm_base_url, api_key, aqua_secret, tstmp)
+
+            fallback_headers = {
+                "Authorization": f"Bearer {bearer_token}",
+                "X-Timestamp": tstmp,
+                "Content-Type": "application/json"
+            }
+
+            response = http_request(url, fallback_headers, method, body if body else '')
+            if response and response.status in [200, 201]:
+                print("Token fallback: Bearer token authentication succeeded")
+            elif response:
+                print(f"Token fallback: Bearer token authentication failed with status {response.status}")
+        except Exception as e:
+            print(f"Token fallback failed: {e}")
+            # Continue with original response if fallback fails
+
+    # Parse response to match existing http_request behavior
+    try:
         data = json.loads(response.data.decode('utf-8'))
     except Exception as e:
         print("warning: {}".format(e))
@@ -47,15 +117,15 @@ def http_request(url, headers, method, body=None):
 
 
 def generate_external_id(cspm_url, ac_url, aqua_api_key, aqua_secret, aws_account_id):
-    u = cspm_url + '/v2/generatedids'
-    print('api url: {}'.format(u))
+    path = '/v2/generatedids'
+    print('api url: {}'.format(cspm_url + path))
 
     tstmp = str(int(time.time() * 1000))
     method = "POST"
-    sig = get_signature(aqua_secret, tstmp, '/v2/generatedids', method, '')
+    sig = get_signature(aqua_secret, tstmp, path, method, '')
     headers = {"X-API-Key": aqua_api_key, "X-Signature": sig, "X-Timestamp": tstmp}
 
-    response = http_request(u, headers, method)
+    response = cspm_request_with_fallback(cspm_url, path, headers, method, '', aqua_api_key, aqua_secret, tstmp)
     if response.get('status', 0) != 200 and response.get('status', 0) != 201 or not response.get('data'):
         raise Exception("failed to generate external id; {}".format(response.get('message', 'Internal server error')))
 
diff --git a/modules/single/modules/trigger/trigger-aws.py b/modules/single/modules/trigger/trigger-aws.py
@@ -6,6 +6,12 @@
 import http.client
 import ssl
 
+
+def log(message):
+    """Log message to stderr (for Terraform external data source compatibility)"""
+    print(message, file=sys.stderr)
+
+
 query = json.loads(sys.stdin.read())
 ac_url = query.get('autoconnect_url')
 cspm_url = query.get('cspm_url')
@@ -49,6 +55,8 @@ def http_request(url, headers, method, body=None):
     else:
         raise ValueError("Unsupported URL format")
 
+    log(f"HTTP request: {method} {url}")
+
     try:
         conn = http.client.HTTPSConnection(hostname, context=ssl._create_unverified_context())
         conn.request(method, path, body=body, headers=headers)
@@ -58,16 +66,82 @@ def http_request(url, headers, method, body=None):
 
         conn.close()
 
+        log(f"HTTP response: {response.status} {response.reason} - {response_data}")
+
         return {
             "status": response.status,
             "reason": response.reason,
             "data": response_data
         }
     except Exception as e:
-        print(f"Failed to send HTTP request: {e}")
+        log(f"Failed to send HTTP request: {e}")
         return None
 
 
+def get_bearer_token(cspm_base_url, api_key, aqua_secret, tstmp):
+    """Obtain Bearer token from CSPM /v2/tokens endpoint"""
+    path = "/v2/tokens"
+    method = "POST"
+    body = '{"validity":1,"allowed_endpoints":["ANY"]}'
+    tokens_url = cspm_base_url + path
+
+    log("Token fallback: Calling POST /v2/tokens to obtain Bearer token")
+
+    tokens_sig = get_signature(aqua_secret, tstmp, path, method, body)
+    headers = {
+        "X-API-Key": api_key,
+        "X-Signature": tokens_sig,
+        "X-Timestamp": tstmp,
+        "Content-Type": "application/json"
+    }
+
+    response = http_request(tokens_url, headers, method, body)
+    if response is None:
+        raise Exception("Failed to get Bearer token: HTTP request failed")
+
+    if response["status"] not in [200, 201]:
+        raise Exception(f"Failed to get Bearer token: {response['data']}")
+
+    json_object = json.loads(response["data"].strip())
+    if json_object.get('status') != 200:
+        error_msg = json_object.get('message', 'Unknown error')
+        raise Exception(f"Tokens API failed: {error_msg}")
+
+    return json_object['data']
+
+
+def cspm_request_with_fallback(cspm_base_url, path, headers, method, body, api_key, aqua_secret, tstmp):
+    """Make CSPM request with automatic token authentication fallback"""
+    url = cspm_base_url + path
+    response = http_request(url, headers, method, body)
+
+    if response is None:
+        raise ValueError("HTTP request failed")
+
+    # Attempt fallback for 401/403 errors
+    if response["status"] in [401, 403]:
+        log(f"Token fallback: API key authentication failed with status {response['status']}, attempting Bearer token fallback")
+        try:
+            bearer_token = get_bearer_token(cspm_base_url, api_key, aqua_secret, tstmp)
+            
+            fallback_headers = {
+                "Authorization": f"Bearer {bearer_token}",
+                "X-Timestamp": tstmp,
+                "Content-Type": "application/json"
+            }
+            
+            response = http_request(url, fallback_headers, method, body)
+            if response["status"] in [200, 201]:
+                log("Token fallback: Bearer token authentication succeeded")
+            else:
+                log(f"Token fallback: Bearer token authentication failed with status {response['status']}")
+        except Exception as e:
+            log(f"Token fallback failed: {e}")
+            # Return original response if fallback fails
+
+    return response
+
+
 def get_cspm_key_id(aqua_api_key, aqua_secret, cspm_url, role_arn):
     """Fetch the CSPM key ID for the given IAM role ARN"""
 
@@ -78,15 +152,15 @@ def get_cspm_key_id(aqua_api_key, aqua_secret, cspm_url, role_arn):
         "X-Timestamp": tstmp
     }
 
-    response = http_request(cspm_url + "/v2/keys", headers, "GET")
+    response = cspm_request_with_fallback(cspm_url, "/v2/keys", headers, "GET", '', aqua_api_key, aqua_secret, tstmp)
 
     if response is None:
         raise ValueError(f"HTTP request failed while getting CSPM key ID for {role_arn}")
 
     if response["status"] not in [200, 201]:
         raise ValueError(f"Failed to get CSPM key ID: {response['data']}")
 
-    json_object = json.loads(response["data"])
+    json_object = json.loads(response["data"].strip())
     for key in json_object['data']:
         if key['role_arn'] == role_arn:
             return key['id']
@@ -130,10 +204,12 @@ def trigger_discovery():
         )
 
     cspm_sig = get_signature(aqua_secret, tstmp, "/v2/keys", "POST", body_cspm)
+    tokens_signature = get_signature(aqua_secret, tstmp, "/v2/tokens", "POST", '{"validity":1,"allowed_endpoints":["ANY"]}')
     headers = {
         "X-API-Key": aqua_api_key,
         "X-Authenticate-Api-Key-Signature": sig,
         "X-Register-New-Cspm-Signature": cspm_sig,
+        "X-Tokens-Signature": tokens_signature,
         "X-Timestamp": tstmp
     }
 
@@ -157,7 +233,7 @@ def update_credentials():
 
     cspm_headers = {"X-API-Key": aqua_api_key, "X-Signature": cspm_sig, "X-Timestamp": tstmp}
 
-    cspm_response = http_request(cspm_url + f"/v2/keys/{cspm_key_id}", cspm_headers, "PUT", cspm_body)
+    cspm_response = cspm_request_with_fallback(cspm_url, f"/v2/keys/{cspm_key_id}", cspm_headers, "PUT", cspm_body, aqua_api_key, aqua_secret, tstmp)
 
     ac_body = json.dumps({
         "cloud_account_id": aws_account_id,
@@ -170,8 +246,9 @@ def update_credentials():
     })
 
     ac_sig = get_signature(aqua_secret, tstmp, "/v2/internal_apikeys", method="GET")
+    tokens_signature = get_signature(aqua_secret, tstmp, "/v2/tokens", "POST", '{"validity":1,"allowed_endpoints":["ANY"]}')
 
-    ac_headers = {"X-API-Key": aqua_api_key, "X-Authenticate-Api-Key-Signature": ac_sig, "X-Timestamp": tstmp}
+    ac_headers = {"X-API-Key": aqua_api_key, "X-Authenticate-Api-Key-Signature": ac_sig, "X-Tokens-Signature": tokens_signature, "X-Timestamp": tstmp}
 
     ac_response = http_request(ac_url + f"/discover/update-credentials/{cloud}", ac_headers, "PUT", ac_body)
 
@@ -182,12 +259,13 @@ def update_credentials():
 
 
 def main():
+    discovery_response = None
     try:
         discovery_response = trigger_discovery()
-        discovery_data = json.loads(discovery_response.get("data", "{}"))
+        discovery_data = json.loads(discovery_response.get("data", "{}").strip())
         if discovery_data.get("state") == "discover_in_progress":
             update_credentials_response = update_credentials()
-            update_credentials_data = json.loads(update_credentials_response.get("data", "{}"))
+            update_credentials_data = json.loads(update_credentials_response.get("data", "{}").strip())
 
             if update_credentials_response and update_credentials_response.get('status') == 200:
                 onboarding_status = f"received response: discovery status {discovery_response.get('status', 'Unknown')}, body: {discovery_data}"
@@ -197,7 +275,7 @@ def main():
             onboarding_status = f"received response: discovery status {discovery_response.get('status', 'Unknown')}, body: {discovery_data}"
 
     except Exception as e:
-        onboarding_status = f"received response: status Error, body: {str(e)}"
+        onboarding_status = f"received response: status Error, body: {str(e)}, raw discovery_response: {discovery_response}"
 
     output = {
         "status": onboarding_status
