From 9e1f4405f61056b328839b5479a57006ed5356ea Mon Sep 17 00:00:00 2001
From: Pasha Zayko
Date: Mon, 13 Oct 2025 12:35:27 -0400
Subject: [PATCH 1/3] Adding remediation point definition

Creating definition for new remediation endpoint with POST request
---
 specs/SHIELD.json | 93 ++++++++++++++++++++++++-
 src/shield/TypeScript/package-lock.json | 4 +-
 src/shield/TypeScript/package.json | 2 +-
 3 files changed, 95 insertions(+), 4 deletions(-)

diff --git a/specs/SHIELD.json b/specs/SHIELD.json
index a97e06a..a927f20 100644
--- a/specs/SHIELD.json
+++ b/specs/SHIELD.json
@@ -1749,7 +1749,7 @@
 },
 "description": "Deprive your threats of practical significance. Deploy the Securing Privilege Access architecture. All in a few seconds.",
 "title": "SHI Environment Lockdown and Defense",
- "version": "3.0.4"
+ "version": "3.0.9"
 },
 "openapi": "3.1.0",
 "paths": {
@@ -2631,6 +2631,97 @@
 ]
 }
 },
+ "/Api/Deploy/Remediate": {
+ "post": {
+ "summary": "Perform remediation steps to address discovered gaps in security posture",
+ "description": "After the user consents, perform necessary steps to deploy resources to cover the security gap.\n\nThis endpoint requires the `Deploy.ReadWrite`, or the `Everything.ReadWrite` scope (permission).",
+ "operationId": "/Api/Deploy/Remediate/Post",
+ "requestBody": {
+ "content": {
+ "application/json": {
+ "examples": {
+ "Insufficient Remediation Request": {
+ "description": "Someone trying to automate this application without reading the documentation.",
+ "summary": "Remediation Request Missing Needed Data",
+ "value": {}
+ },
+ "No User Consent": {
+ "description": "User did not agree to the terms and conditions. This post should not have been sent.",
+ "summary": "User Did Not Consent",
+ "value": {
+ "remediationConsent": false,
+ "templateList": [
+ "8e2b1c7a-4d5f-4a8b-9e6a-2c1b7f3d8e4a",
+ "3a7e2b1c-5d4f-4a8b-9e6a-7f2b3d1c9e45"
+ ]
+ }
+ },
+ "User Consented": {
+ "description": "User agreed to the terms and conditions and pressed the remediate button.",
+ "summary": "User Consented",
+ "value": {
+ "remediationConsent": true,
+ "templateList": [
+ "9c1e7a2b-5d3f-4a8b-2c6e-1a7f3d9e8b5c",
+ "2b3e7a1c-4d5f-4a8b-9e6a-5d1c7e2b3a4f",
+ "7f1a3d9e-8b5c-4a8b-2c6e-9c2e7a1b5d3f"
+ ]
+ }
+ }
+ },
+ "schema": {
+ "properties": {
+ "remediationConsent": {
+ "description": "Flag that indicates the end user has consented to remediation steps (`true`) or not (`false`).",
+ "type": "boolean",
+ "examples": [
+ true
+ ]
+ },
+ "templateList": {
+ "description": "List of templateIds that indicate configuration items to be applied as part of remediation.",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "uuid",
+ "maxLength": 36,
+ "minLength": 36,
+ "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-5][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}$",
+ "examples": [
+ "5d1c7e2b-3a4f-4a8b-9e6a-7f2b3d1c9e45"
+ ]
+ },
+ "minItems": 0
+ }
+ },
+ "type": "object",
+ "required": [
+ "remediationConsent",
+ "templateList"
+ ]
+ }
+ }
+ }
+ },
+ "responses": {
+ "202": {
+ "description": "Request for remediation is accepted and process is running"
+ },
+ "400": {
+ "description": "User provided information or choice are invalid for the operation"
+ },
+ "409": {
+ "description": "Operation is already in progress"
+ },
+ "503": {
+ "description": "System requirements have not been met!"
+ }
+ },
+ "tags": [
+ "Deploy"
+ ]
+ }
+ },
 "/Api/Deploy/Version": {
 "get": {
 "description": "Gets the version of the API server and the architecture version deployed as well as the supported version of the architecture spec from the server.\n\nThis endpoint requires the `Deploy.Read`, `Deploy.ReadWrite`, or the `Everything.ReadWrite` scope (permission).",
diff --git a/src/shield/TypeScript/package-lock.json b/src/shield/TypeScript/package-lock.json
index 9f4da2f..eff69e6 100644
--- a/src/shield/TypeScript/package-lock.json
+++ b/src/shield/TypeScript/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "@shi-corp/sdk-shield",
- "version": "3.0.7",
+ "version": "3.0.9",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "@shi-corp/sdk-shield",
- "version": "3.0.7",
+ "version": "3.0.9",
 "license": "MIT",
 "dependencies": {
 "@microsoft/kiota-authentication-azure": "~1.0.0-preview.98",
diff --git a/src/shield/TypeScript/package.json b/src/shield/TypeScript/package.json
index 02baa58..edada41 100644
--- a/src/shield/TypeScript/package.json
+++ b/src/shield/TypeScript/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@shi-corp/sdk-shield",
- "version": "3.0.7",
+ "version": "3.0.9",
 "type": "module",
 "main": "bin/index.js",
 "description": "SDK client used to interface with the SHIELD application.",

From 5627f91951f8585b38323e80a2d7b39719b61c1a Mon Sep 17 00:00:00 2001
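Review bot: The 400 response in the new `/Api/Deploy/Remediate` definition does not say that `remediationConsent: false` is rejected, even though the `No User Consent` example says such a post "should not have been sent"; make it explicit, e.g. `"description": "Rejected: remediationConsent is not true, a required field is missing, or a templateId is malformed"`, and state in the property description that the flag records the user's acknowledgement and is not a substitute for the `Deploy.ReadWrite` / `Everything.ReadWrite` scope check. With `minItems: 0`, a consented request with an empty `templateList` is schema-valid but no response says whether it is a no-op 202 or a 400. The `pattern` on the items accepts a version nibble of `0`, which no UUID version defines, while rejecting v6–v8; since `format: uuid` is already declared, either drop the hand-written pattern or change `[0-5]` to `[1-8]`. No 401/403 response is listed for a scoped endpoint, which is fine only if the spec declares them globally, which I cannot see here. The enclosing `paths` object starts and ends outside the hunk.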
From: Pasha Zayko
Date: Mon, 20 Oct 2025 14:00:58 -0400
Subject: [PATCH 2/3] Adding endpoint to create BreakGlass group resource

Define new endpoint that attempts to create new group and return its name, or just returns name if the resource has already been provisioned
---
 specs/SHIELD.json | 51 +++++++++++++++++++++++++
 src/shield/TypeScript/package-lock.json | 4 +-
 src/shield/TypeScript/package.json | 2 +-
 3 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/specs/SHIELD.json b/specs/SHIELD.json
index e658386..94e3f81 100644
--- a/specs/SHIELD.json
+++ b/specs/SHIELD.json
@@ -3732,6 +3732,57 @@
 ]
 }
 },
+ "/Api/Deploy/Remediate/BreakGlass": {
+ "post": {
+ "summary": "Request to create BreakGlass security group",
+ "description": "Attempt to create BreakGlass security group in the tenant. If group has already been provisioned it will return the name of the group to reference.\n\nThis endpoint requires the `Deploy.ReadWrite`, or the `Everything.ReadWrite` scope (permission). ",
+ "operationId": "/Api/Deploy/Remediate/BreakGlass/Post",
+ "responses": {
+ "200": {
+ "content": {
+ "application/json": {
+ "examples": {
+ "Response with data": {
+ "summary": "Example of the returned data",
+ "description": "An example of the name of the resource either created or already existing.",
+ "value": {
+ "groupName": "SHIELD - BreakGlass"
+ }
+ }
+ },
+ "schema": {
+ "type": "object",
+ "properties": {
+ "groupName": {
+ "type": "string",
+ "description": "Name of the security group created now or already existing in the tenant.",
+ "examples": [
+ "SHIELD - BreakGlass"
+ ]
+ }
+ },
+ "required": [
+ "groupName"
+ ],
+ "examples": [
+ {
+ "groupName": "SHIELD - BreakGlass"
+ }
+ ]
+ }
+ }
+ },
+ "description": "OK"
+ },
+ "503": {
+ "description": "System requirements have not been met!"
+ }
+ },
+ "tags": [
+ "Deploy"
+ ]
+ }
+ },
 "/Api/Deploy/Remediate": {
 "post": {
 "summary": "Perform remediation steps to address discovered gaps in security posture",
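Review bot: The 200 response of the new `/Api/Deploy/Remediate/BreakGlass` definition gives a caller no way to tell whether the group was just created or already existed, although the description promises both outcomes; returning 201 on the create path, or adding `"created": { "type": "boolean" }` beside `groupName` and listing it in `required`, would let operators audit which tenants actually had a new group provisioned. 503 is the only error response, while the sibling `/Api/Deploy/Remediate` definition declares 400 and 409; if the create can collide with an in-flight deployment, a 409 is presumably needed here too. The description string ends with a space before the closing quote (`(permission). "`), which generated client docs will carry verbatim. The enclosing `paths` object starts and ends outside the hunk.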
diff --git a/src/shield/TypeScript/package-lock.json b/src/shield/TypeScript/package-lock.json
index a966a91..de1f019 100644
--- a/src/shield/TypeScript/package-lock.json
+++ b/src/shield/TypeScript/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "@shi-corp/sdk-shield",
- "version": "3.0.10",
+ "version": "3.0.11",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "@shi-corp/sdk-shield",
- "version": "3.0.10",
+ "version": "3.0.11",
 "license": "MIT",
 "dependencies": {
 "@microsoft/kiota-authentication-azure": "~1.0.0-preview.99",
diff --git a/src/shield/TypeScript/package.json b/src/shield/TypeScript/package.json
index 9045d7c..52d8ac4 100644
--- a/src/shield/TypeScript/package.json
+++ b/src/shield/TypeScript/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@shi-corp/sdk-shield",
- "version": "3.0.10",
+ "version": "3.0.11",
 "type": "module",
 "main": "bin/index.js",
 "description": "SDK client used to interface with the SHIELD application.",

From cb38c2adcd8d3136fb8c2d9e543a4bbb643c8447 Mon Sep 17 00:00:00 2001
From: Pasha Zayko
Date: Mon, 3 Nov 2025 11:46:23 -0500
Subject: [PATCH 3/3] Updating the spec definition to reflect all properties and adjusting example to match the definition

Deploy.ConfigurationItem response now also includes deployStatus field
Change example to accurately present available fields
---
 specs/SHIELD.json | 70 +++++++++++++++++++++++++++++++++++++----------
 1 file changed, 55 insertions(+), 15 deletions(-)

diff --git a/specs/SHIELD.json b/specs/SHIELD.json
index 94e3f81..8fd6bef 100644
--- a/specs/SHIELD.json
+++ b/specs/SHIELD.json
@@ -1113,7 +1113,7 @@
 },
 "Deploy.ConfigurationItem": {
 "title": "Deploy - Configuration Item List",
- "description": "",
+ "description": "Collection of objects representing the configuration items with curated properties and values in user-friendly format.",
 "type": "array",
 "items": {
 "description": "",
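Review bot: The item-level `"description": ""` on the last context line of the `@@ -1113` hunk stays empty, so after this change the `Deploy.ConfigurationItem` array is documented but its elements are not; suggest `"description": "One configuration item: its templateId, urlPath, dependencies, group tags, cloud types and deployState."`, which matches the properties the later hunks of this commit show. Leaving it blank means generated SDK docs describe the list but not what each entry means. The `Deploy.ConfigurationItem` definition continues past the end of the hunk.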
@@ -1140,6 +1140,19 @@
 ]
 ]
 },
+ "deployState": {
+ "type": "string",
+ "description": "Indicator of the infrastructure configuration item's current state. Mutated means that the item has been modified by the end user outside of SHIELD.",
+ "enum": [
+ "notDeployed",
+ "deployed",
+ "Mutated",
+ "error"
+ ],
+ "examples": [
+ "deployed"
+ ]
+ },
 "groupTagList": {
 "type": "array",
 "description": "List of metadata tags that indicate which deployment sets the configuration item is compatible with.",
@@ -1253,6 +1266,7 @@
 },
 "required": [
 "childDependencies",
+ "deployState",
 "groupTagList",
 "msCloudTypes",
 "parentDependencies",
@@ -1265,6 +1279,7 @@
 "7e1a2b3c-4d5f-4a8b-9e6a-1c2b7f3d8e4a",
 "9c2e7a1b-5d3f-4a8b-2c6e-7f1a3d9e8b5c"
 ],
+ "deployState": "deployed",
 "groupTagList": [
 {
 "description": "Collection of policies covering critical conditional access settings.",
@@ -1290,6 +1305,7 @@
 "7e1a2b3c-4d5f-4a8b-9e6a-1c2b7f3d8e4a",
 "9c2e7a1b-5d3f-4a8b-2c6e-7f1a3d9e8b5c"
 ],
+ "deployState": "deployed",
 "groupTagList": [
 {
 "description": "Collection of policies covering critical conditional access settings.",
@@ -1310,6 +1326,7 @@
 "childDependencies": [
 "1c2b5d3f-7a1b-4a8b-9e6a-2e4a3b7e8c5d"
 ],
+ "deployState": "notDeployed",
 "groupTagList": [
 {
 "description": "Principal containers that are used to provide assignments.",
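Review bot: The `enum` in the new `deployState` definition mixes `Mutated` (capitalised) with `notDeployed`, `deployed` and `error` (lower camel case); consumers and code generators compare enum values case-sensitively, so it should read `"mutated"` unless the server genuinely emits the capitalised form, in which case the description should say so. The description explains `Mutated` but not `error`, so a consumer cannot tell whether drift and a failed deployment need different handling; add a sentence stating what `error` denotes, confirmed against the server implementation. The commit message calls the field `deployStatus` while every hunk adds `deployState`; worth aligning before the SDK is regenerated. The `required` and example hunks that follow on this line (`@@ -1253`, `@@ -1265`, `@@ -1290`, `@@ -1310`) already use lower-case values, and the enclosing schema object starts and ends outside the hunk.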
@@ -3655,22 +3672,45 @@
 "summary": "Available Configuration Items",
 "value": [
 {
- "id": "5e2a9c1f-8b3d-4f6a-9e7c-2d1f3a6b4c8e",
- "name": "Core Security Group",
- "description": "A core security group that contains essential security roles and permissions.",
- "type": "SecurityGroup",
- "isActive": true,
- "createdAt": "2024-02-20T10:00:00Z",
- "updatedAt": "2024-05-15T11:30:00Z"
+ "childDependencies": [
+ "7e1a2b3c-4d5f-4a8b-9e6a-1c2b7f3d8e4a",
+ "9c2e7a1b-5d3f-4a8b-2c6e-7f1a3d9e8b5c"
+ ],
+ "deployState": "deployed",
+ "groupTagList": [
+ {
+ "description": "Collection of policies covering critical conditional access settings.",
+ "displayName": "Conditional Policy",
+ "tagId": "3b7e2a1c-4d5f-4a8b-9e6a-2c1b7f3d8e4a"
+ }
+ ],
+ "msCloudTypes": [
+ "Public"
+ ],
+ "parentDependencies": [
+ "8e6a1c2b-7f3d-4a8b-9c2e-5d3f7a1b2e4a"
+ ],
+ "templateId": "2a1c7e3b-5d4f-4a8b-9e6a-7f3d2b1c8e4a",
+ "urlPath": "/identity/conditionalAccess/policies"
 },
 {
- "id": "9c7f2e1a-3b6d-4a8e-9f5c-1d2a4b7e6c3f",
- "name": "Scope Tag - Confidential Data",
- "description": "A scope tag designed to restrict access to confidential data resources.",
- "type": "ScopeTag",
- "isActive": true,
- "createdAt": "2024-04-12T14:20:00Z",
- "updatedAt": "2024-07-01T09:50:00Z"
+ "childDependencies": [
+ "1c2b5d3f-7a1b-4a8b-9e6a-2e4a3b7e8c5d"
+ ],
+ "deployState": "notDeployed",
+ "groupTagList": [
+ {
+ "description": "Principal containers that are used to provide assignments.",
+ "displayName": "Administrative Unit",
+ "tagId": "5d3f9c2e-7a1b-4a8b-2c6e-1a3d7e8b5c4a"
+ }
+ ],
+ "msCloudTypes": [
+ "Public"
+ ],
+ "parentDependencies": [],
+ "templateId": "4a8b7e1a-2b3c-4d5f-9e6a-1c2b7f3d8e4a",
+ "urlPath": "/directory/administrativeUnits"
 }
 ]
 }
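Review bot: The two example objects in the `@@ -3655` hunk are a verbatim copy of the examples inside the `Deploy.ConfigurationItem` schema that the earlier hunks (`@@ -1265`, `@@ -1290`, `@@ -1310`) also touch, which is the same duplication that let the old example drift out of sync with the schema before this commit. Moving this response example under `components.examples` and pointing the media-type `examples` entry at it with `$ref` would leave one copy to maintain. The enclosing response object and the example's parent start before the hunk.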