Servicenow 8.1.0 release (#3245)

* [SOAR-18683] Servicenow Extend OAuth with client credentials flow (#3210)

* [SOAR-18683] Servicenow Extend OAuth with client credentials flow

* Update requirements.txt

* adding parameterized back in to test unit test

* removing

* Fixing unit tests attempt #1

* Revert "Fixing unit tests attempt #1"

This reverts commit 230ad57.

* Fixing unit tests attempt #2

* Revert "Fixing unit tests attempt #2"

This reverts commit 48d76c3.

* Update requirements.txt

* Handling edge cases

* Removing an f-string that does not have any interpolated variable

* REfactor spec for SDK automation

* Removing unnecessary imports

* Fixing linter

---------

Co-authored-by: rjmurray <ryanj_murray@rapid7.com>

* Adjusting versioning

* Versioning fix

---------

Co-authored-by: rjmurray <ryanj_murray@rapid7.com>

Author: lcwiklinski-r7

plugins/servicenow/.CHECKSUM

@@ -1,7 +1,7 @@
 {
-	"spec": "c3ae1da25557460ad543d9434f6eeb51",
-	"manifest": "de3b4607248ad49ab38f25c2899f629a",
-	"setup": "dead9576e6a14815dcb13463a4315083",
+	"spec": "e524d85b72b2ae93a17ae6bfa1964504",
+	"manifest": "4799c70cc2e26ddf494b81ca4e645b7d",
+	"setup": "4b5b45a5d64ecdda6705da62b7939bb3",
 	"schemas": [
 		{
 			"identifier": "create_change_request/schema.py",
@@ -105,7 +105,7 @@
 		},
 		{
 			"identifier": "connection/schema.py",
-			"hash": "bf06fa84b9beae4dda71f8ecb2946931"
+			"hash": "dbd0b4a113640886661a53e5f8b96d1b"
 		},
 		{
 			"identifier": "incident_changed/schema.py",

plugins/servicenow/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.2.2
+FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.2.5
 
 LABEL organization=rapid7
 LABEL sdk=python
@@ -12,7 +12,7 @@ RUN if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
 
 ADD . /python/src
 
-RUN python setup.py build && python setup.py install
+RUN pip install .
 
 # User to run plugin code. The two supported users are: root, nobody
 USER nobody

plugins/servicenow/bin/icon_servicenow

@@ -6,7 +6,7 @@ from sys import argv
 
 Name = "ServiceNow"
 Vendor = "rapid7"
-Version = "8.0.4"
+Version = "8.1.0"
 Description = "[ServiceNow](https://www.servicenow.com/) is a tool for managing incidents and configuration management. This plugin allows users to manage all aspects of incidents including creation, search, and updates. Additionally, incident changes can be monitored and processed for use in a Rapid7 InsightConnect workflow.Note: This plugin affects only the underlying tables in a ServiceNow instance, not its UI. Hence, this plugin will work seamlessly with Virtual Task Boards"
 
 

plugins/servicenow/help.md

@@ -14,7 +14,8 @@ Note: This plugin affects only the underlying tables in a ServiceNow instance, n
 # Requirements
 
 * ServiceNow username and password (for basic authentication)
-* ServiceNow username, password, client ID, and client secret (for OAuth authentication) 
+* ServiceNow client ID, and client secret (for OAuth authentication client credentials grant type) 
+* ServiceNow username, password, client ID, and client secret (for OAuth authentication password grant type) 
 * ServiceNow instance name
 
 * Please note that to use certain actions it's necessary to use scopes that have permissions on certain tables. Depending on the actions, it's necessary to add specific auth scopes:
@@ -37,7 +38,7 @@ The connection configuration accepts the following parameters:
 |Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
 | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
 |client_id|string|None|False|Client ID for an application within your application registry|None|ad0bc2109c2642106907050c2ca6ef0c|None|None|
-|client_login|credential_username_password|None|True|The ServiceNow username and password for basic authentication API interaction|None|{"username":"user1", "password":"mypassword"}|None|None|
+|client_login|credential_username_password|None|False|The ServiceNow username and password for basic authentication API interaction|None|{"username":"user1", "password":"mypassword"}|None|None|
 |client_secret|credential_secret_key|None|False|Client secret for an application within your application registry|None|ad0bc2109c2642106907050c2ca6ef0c|None|None|
 |instance|string|None|True|The instance of ServiceNow from the URL, e.g. https://{instance}.service-now.com|None|instance|None|None|
 |timeout|integer|30|False|The interval in seconds before abandoning an attempt to access ServiceNow|None|30|None|None|
@@ -1686,6 +1687,7 @@ Example output:
 
 # Version History
 
+* 8.1.0 - Add ability to use OAuth 2.0 flow named client credentials | Updated SDK to the latest version (v6.2.5)
 * 8.0.4 - Updated SDK to the latest version (v6.2.2) | Address vulnerabilities
 * 8.0.3 - Update to resolve issue parsing response from ServiceNow if XML is received
 * 8.0.2 - Initial updates for fedramp compliance | Updated SDK to the latest version

plugins/servicenow/icon_servicenow/connection/connection.py

@@ -1,11 +1,10 @@
 import insightconnect_plugin_runtime
-from .schema import ConnectionSchema, Input
 
 # Custom imports below
-import requests
-from requests.auth import HTTPBasicAuth
 from icon_servicenow.util.request_helper import RequestHelper, AuthenticationType
-from insightconnect_plugin_runtime.exceptions import ConnectionTestException
+from insightconnect_plugin_runtime.exceptions import ConnectionTestException, PluginException
+
+from .schema import ConnectionSchema, Input
 
 
 class Connection(insightconnect_plugin_runtime.Connection):
@@ -29,7 +28,13 @@ def connect(self, params):
         oauth_client_id = params.get(Input.CLIENT_ID)
         oauth_client_secret = params.get(Input.CLIENT_SECRET, {}).get("secretKey")
 
-        if not oauth_client_id or not oauth_client_secret:
+        if all([not username, not password, not oauth_client_id, not oauth_client_secret]):
+            raise PluginException(
+                cause="No credentials were provided.",
+                assistance="Ensure credentials and ServiceNow endpoint are correct.",
+            )
+
+        if not oauth_client_id or not oauth_client_secret and username and password:
             self.logger.info(
                 "Either client ID or client secret (or both) were not provided, using basic authentication"
             )

plugins/servicenow/icon_servicenow/connection/schema.py

@@ -50,7 +50,6 @@ class ConnectionSchema(insightconnect_plugin_runtime.Input):
     }
   },
   "required": [
-    "client_login",
     "instance"
   ],
   "definitions": {

plugins/servicenow/icon_servicenow/util/error_messages.py

@@ -0,0 +1 @@
+MISSING_CREDENTIALS = "Either `client_id` or `client_secret` must be provided"

plugins/servicenow/icon_servicenow/util/request_helper.py

@@ -9,6 +9,8 @@
 
 from insightconnect_plugin_runtime.exceptions import PluginException
 
+from icon_servicenow.util.error_messages import MISSING_CREDENTIALS
+
 
 class BearerAuth(AuthBase):
     """
@@ -132,15 +134,36 @@ def get_attachment(connection, sys_id):
         return str(base64.b64encode(result), "utf-8")
 
     def _get_oauth_token(self) -> str:
+        """
+        Sends a POST request to an OAuth server, automatically determining 'grant_password'
+
+        - If `username` and `password` are provided, grant_type = 'password'
+        - If `username` and `password` are not provided, grant_type = 'client_credentials'
+        """
+
+        if not self.client_id and not self.client_secret:
+            raise PluginException(status_code=400, cause=MISSING_CREDENTIALS)
+
+        # Automatic grant_type detection
+        if self.username and self.password:
+            grant_type = "password"
+        else:
+            grant_type = "client_credentials"
+
+        # Building the payload
+        payload = {
+            "grant_type": grant_type,
+            "client_id": self.client_id,
+            "client_secret": self.client_secret,
+        }
+
+        if grant_type == "password":
+            payload["username"] = self.username
+            payload["password"] = self.password
+
         response = requests.post(
             url=f"{self.base_url}oauth_token.do",
-            data={
-                "grant_type": "password",
-                "client_id": self.client_id,
-                "client_secret": self.client_secret,
-                "username": self.username,
-                "password": self.password,
-            },
+            data=payload,
             timeout=30,
         )