---
# Look up the next unresolved, approved password-reset request in the help
# desk project. maxresults=1 means a single ticket is processed per run.
- name: Getting Password Reset Ticket...
  vars:
    jira_server: example.atlassian.net
    jira_user: jra-is-svc@example.com
    # Token is read from the environment so it is never committed with this file.
    jira_api_token: "{{ lookup('env','JIRA_API_TOKEN') | default(false) }}"
    help_desk_project: NHD
  community.general.jira:
    uri: "https://{{ jira_server }}"
    username: "{{ jira_user }}"
    password: "{{ jira_api_token }}"
    project: "{{ help_desk_project }}"
    operation: search
    maxresults: 1
    # Folded scalar: the lines join back into the single-line JQL string.
    jql: >-
      resolution = Unresolved
      AND issuetype = "Service Request with Approvals"
      AND Approvals = approved()
      AND (labels ="password_reset_request" AND labels !="ignore_password_request")
    # Previously passed through the task-level `args` keyword; both forms are
    # merged into the same module call.
    fields:
      lastViewed: null
  register: reset_password_help_desk_ticket
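# Decide whether a ticket came back. If not, every later task is skipped via
# its `when` condition and the run ends with nothing to do.
- name: Set actioning fact. Is there a ticket to action?
  ansible.builtin.set_fact:
    # A real boolean instead of the strings 'yes'/'no', which only behaved as
    # booleans because set_fact coerces boolean-looking strings. The
    # comparison result is unambiguous under both classic and native Jinja.
    reset_password_ticket_needs_actioned: "{{ (reset_password_help_desk_ticket.meta.issues | length) > 0 }}"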
# Fetch the full ticket so that the reporter and approver fields are available.
- name: Getting Help Desk Ticket Details...
  vars:
    # Key of the single issue returned by the search task.
    help_desk_ticket: "{{ reset_password_help_desk_ticket.meta.issues.0.key }}"
    jira_server: example.atlassian.net
    jira_user: jra-is-svc@example.com
    jira_api_token: "{{ lookup('env','JIRA_API_TOKEN') | default(false) }}"
    help_desk_project: NHD
  community.general.jira:
    uri: "https://{{ jira_server }}"
    username: "{{ jira_user }}"
    password: "{{ jira_api_token }}"
    project: "{{ help_desk_project }}"
    operation: fetch
    issue: "{{ help_desk_ticket }}"
  # <var>.meta.key is the issue key; <var>.meta.fields holds the issue fields
  # read by the tasks below.
  register: password_reset_parent_help_desk_ticket
  when: reset_password_ticket_needs_actioned
# The ticket reporter's email address is the identity whose Okta password
# will be reset; it is taken as-is from the Jira reporter field.
- name: Set Parent Helpdesk Ticket fact
  ansible.builtin.set_fact:
    reset_password_okta_user_name: '{{ password_reset_parent_help_desk_ticket.meta.fields.reporter.emailAddress }}'
  when: reset_password_ticket_needs_actioned
# Email address of the approver recorded on the ticket, compared below with
# the requestor so that nobody approves their own reset.
- name: Set Approver Facts
  ansible.builtin.set_fact:
    # NOTE(review): reads only the first approval's first approver
    # (customfield_10040.0.approvers.0); confirm that a single approver is the
    # expected shape. Nothing in this file checks that the person is an
    # authorised approver for the reporter — presumably the Jira approval
    # workflow enforces that; verify.
    approver: '{{ password_reset_parent_help_desk_ticket.meta.fields.customfield_10040.0.approvers.0.approver.emailAddress }}'
  when: reset_password_ticket_needs_actioned
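# A requestor must not approve their own reset. The two addresses are compared
# case-insensitively and without surrounding whitespace, so that the same
# mailbox written with different capitalisation in the two Jira fields is
# still recognised as the same person.
- name: Ensure the Requestor is not the Approver
  ansible.builtin.set_fact:
    # Real boolean; set_fact coerces the rendered "True"/"False" under classic Jinja.
    requestor_is_not_approver: "{{ (reset_password_okta_user_name | trim | lower) != (approver | trim | lower) }}"
  when: reset_password_ticket_needs_actioned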
# Self-approved request: explain on the ticket why it was declined and that a
# human now has to pick it up.
- name: Comment on issue if the Approver is set as the Requestor.
  vars:
    jira_server: example.atlassian.net
    jira_user: jra-is-svc@example.com
    jira_api_token: "{{ lookup('env','JIRA_API_TOKEN') | default(false) }}"
    help_desk_project: NHD
  community.general.jira:
    uri: "https://{{ jira_server }}"
    username: "{{ jira_user }}"
    password: "{{ jira_api_token }}"
    issue: "{{ password_reset_parent_help_desk_ticket.meta.key }}"
    operation: comment
    comment: |
      Hi there!
      This is a comment to let you know that your request for a password reset has been automatically denied.
      In order to minimize the damage of potentially compromised accounts we require that the requestor and the approver of a ticket like this be different people.
      Please edit the ticket and ensure that your line manager is selected. This ticket will now need manual intervention from the IS Team. Please make a member of the team aware.
  when: reset_password_ticket_needs_actioned and not requestor_is_not_approver
# Tag the declined ticket so the search task excludes it on later runs.
- name: Updating Parent Help Desk Ticket with ignore label...
  vars:
    jira_server: example.atlassian.net
    jira_user: jra-is-svc@example.com
    jira_api_token: "{{ lookup('env','JIRA_API_TOKEN') | default(false) }}"
    help_desk_project: NHD
  community.general.jira:
    uri: "https://{{ jira_server }}"
    username: "{{ jira_user }}"
    password: "{{ jira_api_token }}"
    issue: "{{ password_reset_parent_help_desk_ticket.meta.key }}"
    operation: edit
    # Previously passed through the task-level `args` keyword; both forms are
    # merged into the same module call.
    # NOTE(review): presumably this sets the whole label list rather than
    # appending, so other labels on the ticket would be dropped — confirm
    # against the module's edit semantics.
    fields:
      labels:
        - ignore_password_request
  # <var>.meta.key
  register: password_reset_parent_help_desk_ticket_label
  when: reset_password_ticket_needs_actioned and not requestor_is_not_approver
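# Final gate for the reset: a ticket exists and the requestor is not the
# approver. The fact is always set (no `when`), so the `when` conditions of
# the later tasks never fail on an undefined variable on a run with no ticket;
# `requestor_is_not_approver` is only set when a ticket was found, hence the
# default.
- name: Set Continuation Fact
  ansible.builtin.set_fact:
    password_reset_approved: "{{ (reset_password_ticket_needs_actioned | bool) and (requestor_is_not_approver | default(false) | bool) }}"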
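# Find the reporter's Okta account; only ACTIVE users are candidates.
- name: Query Okta User by ticket reporter.
  ansible.builtin.uri:
    # The address comes from a Jira field, so it is percent-encoded before being
    # placed inside the quoted search filter; otherwise a quote or operator in
    # the value could change the meaning of the filter.
    url: "https://{{ organization }}.okta.com/api/v1/users?search=profile.email+eq+%22{{ reset_password_okta_user_name | urlencode }}%22+and+status+eq+%22ACTIVE%22"
    method: GET
    body_format: json
    return_content: true
    headers:
      Accept: application/json
      Content-Type: application/json
      Authorization: "SSWS {{ okta_api_token }}"
  # Keeps the Authorization header (module args) and the returned profile data
  # out of verbose play output. Failure details are hidden too.
  no_log: true
  register: okta_user_lookup
  # default(false): the fact is unset when an earlier task was skipped.
  when: password_reset_approved | default(false)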
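# Reset the password of the matched Okta user. sendEmail=true asks Okta to
# send the reset email itself.
#
# Guard first: an empty search result must not surface as an obscure
# undefined-variable error from the `when` expression, and more than one
# match must never be resolved by silently resetting the first entry.
- name: Ensure exactly one active Okta user matched the ticket reporter
  ansible.builtin.assert:
    that:
      - okta_user_lookup.json | length == 1
    fail_msg: >-
      Expected exactly one active Okta user for the ticket reporter but got
      {{ okta_user_lookup.json | length }}; leaving the ticket for manual handling.
  when: password_reset_approved | default(false)

- name: Reset Password
  ansible.builtin.uri:
    url: "https://{{ organization }}.okta.com/api/v1/users/{{ okta_user_lookup.json.0.id }}/lifecycle/reset_password?sendEmail=true"
    method: POST
    body_format: json
    return_content: true
    headers:
      Accept: application/json
      Content-Type: application/json
      Authorization: "SSWS {{ okta_api_token }}"
  # Keeps the Authorization header and the response body out of play output.
  no_log: true
  register: password_reset_actioned
  when: password_reset_approved | default(false)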
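# Tell the requestor on the ticket that the reset was actioned.
- name: Comment on issue
  vars:
    jira_server: example.atlassian.net
    jira_user: jra-is-svc@example.com
    jira_api_token: "{{ lookup('env','JIRA_API_TOKEN') | default(false) }}"
    help_desk_project: NHD
  community.general.jira:
    uri: "https://{{ jira_server }}"
    username: "{{ jira_user }}"
    password: "{{ jira_api_token }}"
    issue: "{{ password_reset_parent_help_desk_ticket.meta.key }}"
    operation: comment
    comment: |
      Hi there!
      This is a comment to let you know that your request for an Okta password reset has been automatically approved and actioned. You should have an email sent to your secondary email address to help you set a new Password for your Okta account.
      If anything went amiss with this automation feel free to reach out to a member of the IS team directly and quote your ticket number, {{ password_reset_parent_help_desk_ticket.meta.key }}
  # A registered result of a skipped task is a non-empty (truthy) dict, so a
  # plain truthiness check on password_reset_actioned does not prove the reset
  # ran; test the skipped state explicitly.
  when: (password_reset_approved | default(false)) and password_reset_actioned is not skipped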
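# Give the team visibility of every automated reset so an unexpected one can
# be questioned. (This task resets passwords, not MFA; the name says so.)
- name: Send notification message via Slack when a password has been reset.
  community.general.slack:
    token: "{{ slack_api_token }}"
    msg: |
      This is a message to let you know that I have performed a password reset for {{ reset_password_okta_user_name }}. The ticket was approved by {{ approver }}. No action is required unless you feel this is suspicious.
      Sincerely and automatically,
      :party_blob: Oktansible Bot. :party_blob:
    channel: '#is_isum_board'
    color: danger
  delegate_to: localhost
  # Only after the reset task actually ran; a skipped result is still truthy.
  when: (password_reset_approved | default(false)) and password_reset_actioned is not skipped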
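# Close the ticket once the reset has been performed and reported.
- name: Resolve the issue
  vars:
    jira_server: example.atlassian.net
    jira_user: jra-is-svc@example.com
    jira_api_token: "{{ lookup('env','JIRA_API_TOKEN') | default(false) }}"
    help_desk_project: NHD
  community.general.jira:
    uri: "https://{{ jira_server }}"
    username: "{{ jira_user }}"
    password: "{{ jira_api_token }}"
    issue: "{{ password_reset_parent_help_desk_ticket.meta.key }}"
    operation: transition
    status: Resolve this issue
    fields:
      resolution:
        name: Done
  # Only after the reset task actually ran; a skipped result is still truthy,
  # so a plain truthiness check would resolve a ticket whose reset was skipped.
  when: (password_reset_approved | default(false)) and password_reset_actioned is not skipped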