From 7a97a22c42a983c60a0c434bc0300f4dec9fd895 Mon Sep 17 00:00:00 2001 From: Greg Brownstein Date: Sat, 27 Nov 2021 08:54:11 -0500 Subject: [PATCH] Invoke-VenafiCertificateAction and policy attributes (#45) --- CHANGELOG.md | 8 + RELEASE.md | 10 +- VenafiPS/Public/Get-TppAttribute.ps1 | 212 ++++++++---- VenafiPS/Public/Get-VenafiCertificate.ps1 | 4 + .../Public/Invoke-VenafiCertificateAction.ps1 | 239 +++++++++++++ VenafiPS/Public/New-VenafiSession.ps1 | 323 +++++++++--------- VenafiPS/Public/Remove-TppCertificate.ps1 | 30 +- VenafiPS/Public/Set-TppAttribute.ps1 | 213 +++++++----- VenafiPS/VenafiPS.psd1 | 46 +-- VenafiPS/VenafiPS.psm1 | 1 + 10 files changed, 726 insertions(+), 360 deletions(-) create mode 100644 VenafiPS/Public/Invoke-VenafiCertificateAction.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 4eade045..8245e134 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +## 3.4.0 +- Add `-All` option to `Get-TppAttribute` to get ALL effective attribute values for an object. This will provide the values as well as the path where the policy was applied +- Add getting policies (policy attributes) with `Get-TppAttribute` +- Add setting policies (policy attributes) with `Set-TppAttribute` +- Add `Invoke-VenafiCertificateAction`. This is your one stop shop for certificate actions on TPP or VaaS. You can Retire, Reset, Renew, Push, Validate, or Revoke. +- Cleanup output and verbose logging with `Remove-TppCertificate` +- Fix parameter set issue in `New-VenafiSession`, ensure version and custom field info retrieval doesn't occur when creating a VaaS session + ## 3.3.1 - Remove validation/limitation from `Get-TppCustomField` to only retrieve classes of type X509 Certificate and Device - Retrieve Application Base custom fields during `New-VenafiSession` diff --git a/RELEASE.md b/RELEASE.md index 536560f5..40759154 100644 --- a/RELEASE.md +++ b/RELEASE.md 
@@ -1,4 +1,6 @@ -- Remove validation/limitation from `Get-TppCustomField` to only retrieve classes of type X509 Certificate and Device -- Retrieve Application Base custom fields during `New-VenafiSession` -- Fix parameter sets in `Import-TppCertificate` requiring PrivateKey be provided with PKCS#12 certificate, [#37](https://github.com/gdbarron/VenafiPS/issues/37) -- Add `-CertificateAuthorityAttribute` to `New-TppCertificate` to submit values to the CA during enrollment +- Add `-All` option to `Get-TppAttribute` to get ALL effective attribute values for an object. This will provide the values as well as the path where the policy was applied +- Add getting policies (policy attributes) with `Get-TppAttribute` +- Add setting policies (policy attributes) with `Set-TppAttribute` +- Add `Invoke-VenafiCertificateAction`. This is your one stop shop for certificate actions on TPP or VaaS. You can Retire, Reset, Renew, Push, Validate, or Revoke. +- Cleanup output and verbose logging with `Remove-TppCertificate` +- Fix parameter set issue in `New-VenafiSession`, ensure version and custom field info retrieval doesn't occur when creating a VaaS session diff --git a/VenafiPS/Public/Get-TppAttribute.ps1 b/VenafiPS/Public/Get-TppAttribute.ps1 index dede2373..760e8790 100644 --- a/VenafiPS/Public/Get-TppAttribute.ps1 +++ b/VenafiPS/Public/Get-TppAttribute.ps1 
@@ -1,47 +1,75 @@ <# .SYNOPSIS -Get attributes for a given object +Get object attributes as well as policies (policy attributes) .DESCRIPTION -Retrieves object attributes. You can either retrieve all attributes or individual ones. +Retrieves object attributes as well as policies (aka policy attributes). +You can either retrieve all attributes or individual ones. By default, the attributes returned are not the effective policy, but that can be requested with the -EffectivePolicy switch. - -.PARAMETER InputObject -TppObject which represents a unique object +Effective switch. +Policy folders can have attributes as well as policies which apply to the resultant objects. +For more info on policies and how they are different than attributes, see https://docs.venafi.com/Docs/current/TopNav/Content/Policies/c_policies_tpp.php. .PARAMETER Path Path to the object to retrieve configuration attributes. Just providing DN will return all attributes. .PARAMETER Guid +To be deprecated; use -Path instead. Object Guid. Just providing Guid will return all attributes. .PARAMETER AttributeName Only retrieve the value/values for this attribute .PARAMETER Effective -Get the effective values of the attribute +Get the objects attribute value, once policies have been applied. +This is not applicable to policies, only objects. + +.PARAMETER All +Get all effective object attribute values. +This will perform 3 steps, get the object type, enumerate the attributes for the object type, and get all the effective values. +The output will contain the path where the policy was applied from. +Note, expect this to take longer than usual given the number of api calls. + +.PARAMETER Policy +Get policies (aka policy attributes) instead of object attributes + +.PARAMETER ClassName +Required when getting policy attributes. Provide the class name to retrieve the value for. +If unsure of the class name, add the value through the TPP UI and go to Support->Policy Attributes to find it. 
.PARAMETER VenafiSession Session object created from New-VenafiSession method. The value defaults to the script session object $VenafiSession. .INPUTS -Path, Guid +Path .OUTPUTS -PSCustomObject with properties Name, Value, IsCustomField, and CustomName +PSCustomObject with properties: +- Name +- Value +- PolicyPath (only applicable with -All) +- IsCustomField (not applicable to policies) +- CustomName (not applicable to policies) .EXAMPLE Get-TppAttribute -Path '\VED\Policy\My Folder\myapp.company.com' -Retrieve all configurations for a certificate +Retrieve all values for an object, excluding values assigned by policy .EXAMPLE -Get-TppAttribute -Path '\VED\Policy\My Folder\myapp.company.com' -EffectivePolicy -Retrieve all effective configurations for a certificate +Get-TppAttribute -Path '\VED\Policy\My Folder\myapp.company.com' -AttributeName 'driver name' +Retrieve the value for a specific attribute .EXAMPLE -Get-TppAttribute -Path '\VED\Policy\My Folder\myapp.company.com' -AttributeName 'driver name' -Retrieve all the value for attribute driver name from certificate myapp.company.com +Get-TppAttribute -Path '\VED\Policy\My Folder\myapp.company.com' -AttributeName 'Contact' -Effective +Retrieve the effective value for a specific attribute + +.EXAMPLE +Get-TppAttribute -Path '\VED\Policy\My Folder\myapp.company.com' -All +Retrieve all effective values for an object + +.EXAMPLE +Get-TppAttribute -Path '\VED\Policy\My Folder' -Policy -Class 'X509 Certificate' -AttributeName 'Contact' +Retrieve the policy attribute value for the specified policy folder .LINK http://VenafiPS.readthedocs.io/en/latest/functions/Get-TppAttribute/ 
@@ -50,13 +78,13 @@ http://VenafiPS.readthedocs.io/en/latest/functions/Get-TppAttribute/ https://github.com/gdbarron/VenafiPS/blob/main/VenafiPS/Public/Get-TppAttribute.ps1 .LINK -https://docs.venafi.com/Docs/20.4SDK/TopNav/Content/SDK/WebSDK/r-SDK-POST-Config-read.php?tocpath=Web%20SDK%7CConfig%20programming%20interface%7C_____27 +https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-POST-Config-read.php .LINK -https://docs.venafi.com/Docs/20.4SDK/TopNav/Content/SDK/WebSDK/r-SDK-POST-Config-readall.php?tocpath=Web%20SDK%7CConfig%20programming%20interface%7C_____28 +https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-POST-Config-readall.php .LINK -https://docs.venafi.com/Docs/20.4SDK/TopNav/Content/SDK/WebSDK/r-SDK-POST-Config-readeffectivepolicy.php?tocpath=Web%20SDK%7CConfig%20programming%20interface%7C_____31 +https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-POST-Config-readeffectivepolicy.php #> function Get-TppAttribute { @@ -65,7 +93,8 @@ function Get-TppAttribute { [Parameter(Mandatory, ParameterSetName = 'EffectiveByPath', ValueFromPipeline, ValueFromPipelineByPropertyName)] [Parameter(Mandatory, ParameterSetName = 'ByPath', ValueFromPipeline, ValueFromPipelineByPropertyName)] - [Parameter(Mandatory, ParameterSetName = 'AllByPath', ValueFromPipeline, ValueFromPipelineByPropertyName)] + [Parameter(Mandatory, ParameterSetName = 'AllEffectivePath')] + [Parameter(Mandatory, ParameterSetName = 'PolicyPath')] [ValidateNotNullOrEmpty()] [ValidateScript( { if ( $_ | Test-TppDnPath ) { 
@@ -76,17 +105,18 @@ function Get-TppAttribute { } })] [Alias('DN')] - [String[]] $Path, + [String] $Path, [Parameter(Mandatory, ParameterSetName = 'EffectiveByGuid', ValueFromPipeline)] [Parameter(Mandatory, ParameterSetName = 'ByGuid', ValueFromPipeline)] [ValidateNotNullOrEmpty()] - [guid[]] $Guid, + [guid] $Guid, [Parameter(Mandatory, ParameterSetName = 'EffectiveByPath')] [Parameter(ParameterSetName = 'ByPath')] [Parameter(Mandatory, ParameterSetName = 'EffectiveByGuid')] [Parameter(ParameterSetName = 'ByGuid')] + [Parameter(Mandatory, ParameterSetName = 'PolicyPath')] [ValidateNotNullOrEmpty()] [String[]] $Attribute, @@ -95,6 +125,15 @@ function Get-TppAttribute { [Alias('EffectivePolicy')] [Switch] $Effective, + [Parameter(Mandatory, ParameterSetName = 'AllEffectivePath')] + [switch] $All, + + [Parameter(Mandatory, ParameterSetName = 'PolicyPath')] + [switch] $Policy, + + [Parameter(Mandatory, ParameterSetName = 'PolicyPath')] + [string] $ClassName, + [Parameter()] [VenafiSession] $VenafiSession = $script:VenafiSession ) 
@@ -103,26 +142,40 @@ function Get-TppAttribute { $VenafiSession.Validate() | Out-Null - if ( $PSBoundParameters.ContainsKey('Attribute') ) { - if ( $PSBoundParameters.ContainsKey('Effective') ) { - $uriLeaf = 'config/ReadEffectivePolicy' - } - else { - $uriLeaf = 'config/read' - } - } - else { - $uriLeaf = 'config/readall' + if ( $Guid ) { + Write-Warning '-Guid will be deprecated in a future release. Please use -Path instead.' } $baseParams = @{ VenafiSession = $VenafiSession - Method = 'Post' - UriLeaf = $uriLeaf - Body = @{ + Method = 'Post' + Body = @{ ObjectDN = '' } } + + if ( $Policy ) { + $uriLeaf = 'config/ReadPolicy' + } + else { + if ( $PSBoundParameters.ContainsKey('Attribute') ) { + if ( $Effective ) { + $uriLeaf = 'config/ReadEffectivePolicy' + } + else { + $uriLeaf = 'config/read' + } + } + else { + if ( $All ) { + $uriLeaf = 'config/ReadEffectivePolicy' + } + else { + $uriLeaf = 'config/readall' + } + } + } + $baseParams.UriLeaf = $uriLeaf } process { 
@@ -137,71 +190,80 @@ function Get-TppAttribute { } } - foreach ($thisPath in $pathToProcess) { + $baseParams.Body['ObjectDN'] = $pathToProcess - $baseParams.Body['ObjectDN'] = $thisPath + if ( $All ) { + $className = Get-TppObject -Path $pathToProcess -VenafiSession $VenafiSession | Select-Object -ExpandProperty TypeName + $Attribute = Get-TppClassAttribute -ClassName $className -VenafiSession $VenafiSession | Select-Object -ExpandProperty Name + } + if ( $Attribute ) { - # if specifying attribute name(s), it's a different rest api - if ( $PSBoundParameters.ContainsKey('Attribute') ) { + # get the attribute values one by one as there is no + # api which allows passing a list + $configValues = foreach ($thisAttribute in $Attribute) { - # get the attribute values one by one as there is no - # api which allows passing a list - $configValues = foreach ($thisAttribute in $Attribute) { + $params = $baseParams.Clone() + $params.Body += @{ + AttributeName = $thisAttribute + } - $params = $baseParams.Clone() + # add the class for a policy call + if ( $ClassName ) { $params.Body += @{ - AttributeName = $thisAttribute + 'Class' = $ClassName } + } - $response = Invoke-TppRestMethod @params + $response = Invoke-TppRestMethod @params - if ( $response ) { - [PSCustomObject] @{ - Name = $thisAttribute - Value = $response.Values - } + if ( $response ) { + [PSCustomObject] @{ + Name = $thisAttribute + Value = $response.Values + PolicyPath = $response.PolicyDN } } } - else { - $response = Invoke-TppRestMethod @baseParams - if ( $response ) { - $configValues = $response.NameValues | Select-Object Name, - @{ - n = 'Value' - e = { - $_.Values - } + } + else { + $response = Invoke-TppRestMethod @baseParams + if ( $response ) { + $configValues = $response.NameValues | Select-Object Name, + @{ + n = 'Value' + e = { + $_.Values } } } + } - if ( $configValues ) { - - $configValues = @($configValues) + if ( $configValues ) { - # convert custom field guids to names - foreach ($thisConfigValue 
in $configValues) { + $configValues = @($configValues) - $customField = $VenafiSession.CustomField | Where-Object {$_.Guid -eq $thisConfigValue.Name} - $thisConfigValue | Add-Member @{ - 'IsCustomField' = $null -ne $customField - 'CustomName' = $null - } - if ( $customField ) { - $thisConfigValue.CustomName = $customField.Label - } + # convert custom field guids to names + foreach ($thisConfigValue in $configValues) { - $thisConfigValue + $customField = $VenafiSession.CustomField | Where-Object { $_.Guid -eq $thisConfigValue.Name } + $thisConfigValue | Add-Member @{ + 'IsCustomField' = $null -ne $customField + 'CustomName' = $null + } + if ( $customField ) { + $thisConfigValue.CustomName = $customField.Label } - # [PSCustomObject] @{ - # Path = $thisPath - # Attribute = $updatedConfigValues - # } + $thisConfigValue } + + # [PSCustomObject] @{ + # Path = $thisPath + # Attribute = $updatedConfigValues + # } } + # } } end { diff --git a/VenafiPS/Public/Get-VenafiCertificate.ps1 b/VenafiPS/Public/Get-VenafiCertificate.ps1 index 71065d5a..b5b16094 100644 --- a/VenafiPS/Public/Get-VenafiCertificate.ps1 +++ b/VenafiPS/Public/Get-VenafiCertificate.ps1 @@ -48,6 +48,10 @@ Get certificate info for a specific cert on TPP, including historical versions o Get-VenafiCertificate -CertificateId '\ved\policy\mycert.com' -IncludePreviousVersions -ExcludeRevoked -ExcludeExpired Get certificate info for a specific cert on TPP, including historical versions of the certificate that are not revoked or expired. +.EXAMPLE +Find-TppCertificate | Get-VenafiCertificate +Get certificate info for all certs in TPP + .LINK https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-GET-Certificates-guid.php #> diff --git a/VenafiPS/Public/Invoke-VenafiCertificateAction.ps1 b/VenafiPS/Public/Invoke-VenafiCertificateAction.ps1 new file mode 100644 index 00000000..917f994d --- /dev/null +++ b/VenafiPS/Public/Invoke-VenafiCertificateAction.ps1 
@@ -0,0 +1,239 @@ +<# +.SYNOPSIS +Perform an action against a certificate on TPP or VaaS + +.DESCRIPTION +One stop shop for basic certificate actions against either TPP or VaaS. +When supported by the platform, you can Retire, Reset, Renew, Push, Validate, or Revoke. + +.PARAMETER CertificateId +Certificate identifier. For Venafi as a Service, this is the unique guid. For TPP, use the full path. + +.PARAMETER Retire +Retire/disable a certificate + +.PARAMETER Reset +Reset the state of a certificate and its associated applications. TPP only. + +.PARAMETER Renew +Requests immediate renewal for an existing certificate + +.PARAMETER Push +Provisions the same certificate and private key to one or more devices or servers. +The certificate must be associated with one or more Application objects. +TPP only. + +.PARAMETER Validate +Initiates SSL/TLS network validation + +.PARAMETER Revoke +Sends a revocation request to the certificate CA. TPP only. + +.PARAMETER AdditionalParameters +Additional items specific to the action being taken, if needed. +See the api documentation for appropriate items, many are in the links in this help. + +.PARAMETER VenafiSession +Session object created from New-VenafiSession method. The value defaults to the script session object $VenafiSession. + +.INPUTS +CertificateId + +.OUTPUTS +PSCustomObject with the following properties: + CertificateId - Certificate path (TPP) or Guid (VaaS) + Success - A value of true indicates that the action was successful + Error - Indicates any errors that occurred. Not returned when Success is true + +.EXAMPLE +Invoke-VenafiCertificateAction -CertificateId '\VED\Policy\My folder\app.mycompany.com' -Revoke +Perform an action + +.EXAMPLE +Invoke-VenafiCertificateAction -CertificateId '\VED\Policy\My folder\app.mycompany.com' -Revoke -AdditionalParameters @{'Comments'='Key compromised'} +Perform an action sending additional parameters. 
+ +.LINK +http://VenafiPS.readthedocs.io/en/latest/functions/Invoke-TppCertificateRenewal/ + +.LINK +https://github.com/gdbarron/VenafiPS/blob/main/VenafiPS/Public/Invoke-TppCertificateRenewal.ps1 + +.LINK +https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-POST-Certificates-Reset.php + +.LINK +https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-POST-Certificates-renew.php + +.LINK +https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-POST-Certificates-Push.php + +.LINK +https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-POST-Certificates-Validate.php + +.LINK +https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-POST-Certificates-revoke.php + +.LINK +https://api.venafi.cloud/webjars/swagger-ui/index.html?configUrl=%2Fv3%2Fapi-docs%2Fswagger-config&urls.primaryName=outagedetection-service + +#> +function Invoke-VenafiCertificateAction { + + [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', '', Justification = 'Params being used in paramset check, not by variable')] + + param ( + [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)] + [ValidateNotNullOrEmpty()] + [Alias('Path')] + [string] $CertificateId, + + [Parameter(Mandatory, ParameterSetName = 'Retire')] + [switch] $Retire, + + [Parameter(Mandatory, ParameterSetName = 'Reset')] + [switch] $Reset, + + [Parameter(Mandatory, ParameterSetName = 'Renew')] + [switch] $Renew, + + [Parameter(Mandatory, ParameterSetName = 'Push')] + [switch] $Push, + + [Parameter(Mandatory, ParameterSetName = 'Validate')] + [switch] $Validate, + + [Parameter(Mandatory, ParameterSetName = 'Revoke')] + [switch] $Revoke, + + [Parameter()] + [hashtable] $AdditionalParameters, + + [Parameter()] + [VenafiSession] $VenafiSession = $script:VenafiSession + ) + + begin { + $authType = $VenafiSession.Validate() + } + + process { + + $returnObject = 
[PSCustomObject]@{ + CertificateId = $CertificateId + Success = $true + Error = $null + } + + $params = @{ + VenafiSession = $VenafiSession + Method = 'Post' + } + + switch ($authType) { + 'vaas' { + + $params.UriRoot = 'outagedetection/v1' + + if ( $PSCmdLet.ParameterSetName -in 'Reset', 'Push', 'Revoke' ) { + throw ('{0} action is not supported on VaaS' -f $PSCmdLet.ParameterSetName) + } + + switch ($PSCmdLet.ParameterSetName) { + 'Retire' { + $params.UriLeaf = "certificates/retirement" + $params.Body = @{"certificateIds" = @($CertificateId) } + } + + 'Renew' { + $params.UriLeaf = "certificaterequests" + $params.Body = @{"existingCertificateId" = $CertificateId } + } + + 'Validate' { + $params.UriLeaf = "certificates/validation" + $params.Body = @{"certificateIds" = @($CertificateId) } + } + } + } + + Default { + + $performInvoke = $true + + switch ($PSCmdLet.ParameterSetName) { + 'Retire' { + $performInvoke = $false + + try { + Set-TppAttribute -Path $CertificateId -Attribute @{ 'Disabled' = '1' } -VenafiSession $VenafiSession + } + catch { + $returnObject.Success = $false + $returnObject.Error = $_ + } + } + + 'Reset' { + $params.UriLeaf = 'Certificates/Reset' + $params.Body = @{ + CertificateDN = $CertificateId + } + } + + 'Renew' { + $params.UriLeaf = 'Certificates/Renew' + $params.Body = @{ + CertificateDN = $CertificateId + } + } + + 'Push' { + $params.UriLeaf = 'Certificates/Push' + $params.Body = @{ + CertificateDN = $CertificateId + } + } + + 'Validate' { + $params.UriLeaf = 'Certificates/Validate' + $params.Body = @{ + CertificateDNs = @($CertificateId) + } + } + + 'Revoke' { + $params.UriLeaf = 'Certificates/Revoke' + $params.Body = @{ + CertificateDN = $CertificateId + } + if ( -not $PSCmdlet.ShouldProcess($CertificateId, 'Revoke certificate') ) { + $performInvoke = $false + $returnObject.Success = $false + $returnObject.Error = 'User cancelled' + } + } + } + } + } + + if ( $AdditionalParameters ) { + $params.Body += $AdditionalParameters + } + + try 
{ + if ( $performInvoke ) { + Invoke-VenafiRestMethod @params -FullResponse | Out-Null + } + } + catch { + $returnObject.Success = $false + $returnObject.Error = $_ + } + + # return path so another function can be called + $returnObject + + } +} diff --git a/VenafiPS/Public/New-VenafiSession.ps1 b/VenafiPS/Public/New-VenafiSession.ps1 index fbee65e7..df067ca6 100644 --- a/VenafiPS/Public/New-VenafiSession.ps1 +++ b/VenafiPS/Public/New-VenafiSession.ps1 @@ -151,7 +151,8 @@ https://github.com/PowerShell/SecretStore #> function New-VenafiSession { - [CmdletBinding(SupportsShouldProcess, DefaultParameterSetName = 'KeyIntegrated')] + [CmdletBinding(DefaultParameterSetName = 'KeyIntegrated')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '', Justification = 'Not needed')] param( [Parameter(Mandatory, ParameterSetName = 'KeyCredential')] 
@@ -302,217 +303,217 @@ function New-VenafiSession { } } - if ( $PSCmdlet.ShouldProcess($Server, 'New session') ) { - Switch ($PsCmdlet.ParameterSetName) { + # if ( $PSCmdlet.ShouldProcess($Server, 'New session') ) { + Switch ($PsCmdlet.ParameterSetName) { - { $_ -in 'KeyCredential', 'KeyIntegrated' } { + { $_ -in 'KeyCredential', 'KeyIntegrated' } { - Write-Warning 'Key-based authentication will be deprecated in release 21.4 in favor of token-based. Get started with token authentication today, https://docs.venafi.com/Docs/current/TopNav/Content/SDK/AuthSDK/t-SDKa-Setup-OAuth.php.' + Write-Warning 'Key-based authentication will be deprecated in release 21.4 in favor of token-based. Get started with token authentication today, https://docs.venafi.com/Docs/current/TopNav/Content/SDK/AuthSDK/t-SDKa-Setup-OAuth.php.' - if ( $PsCmdlet.ParameterSetName -eq 'KeyCredential' ) { - $newSession.Connect($Credential) - } - else { - # integrated - $newSession.Connect($null) - } + if ( $PsCmdlet.ParameterSetName -eq 'KeyCredential' ) { + $newSession.Connect($Credential) + } + else { + # integrated + $newSession.Connect($null) + } + } + + { $_ -in 'TokenOAuth', 'TokenIntegrated', 'TokenCertificate' } { + $params = @{ + AuthServer = $authServerUrl + ClientId = $ClientId + Scope = $Scope } - { $_ -in 'TokenOAuth', 'TokenIntegrated', 'TokenCertificate' } { - $params = @{ - AuthServer = $authServerUrl - ClientId = $ClientId - Scope = $Scope - } + if ($Credential) { + $params.Credential = $Credential + } - if ($Credential) { - $params.Credential = $Credential - } + if ($Certificate) { + $params.Certificate = $Certificate + } - if ($Certificate) { - $params.Certificate = $Certificate - } + if ($State) { + $params.State = $State + } + + $token = New-TppToken @params -Verbose:$isVerbose + $newSession.Token = $token + $newSession.Expires = $token.Expires + } - if ($State) { - $params.State = $State + 'AccessToken' { + $newSession.Token = [PSCustomObject]@{ + Server = $authServerUrl + 
AccessToken = $AccessToken + } + # we don't have the expiry so create one + # rely on the api call itself to fail if access token is invalid + $newSession.Expires = (Get-Date).AddMonths(12) + } + + 'VaultAccessToken' { + $tokenSecret = Get-Secret -Name $VaultAccessTokenName -Vault 'VenafiPS' -ErrorAction SilentlyContinue + if ( -not $tokenSecret ) { + throw "'$VaultAccessTokenName' secret not found in vault VenafiPS." + } + + # check if metadata was stored or we should get from params + $secretInfo = Get-SecretInfo -Name $VaultAccessTokenName -Vault 'VenafiPS' -ErrorAction SilentlyContinue + + if ( $secretInfo.Metadata.Count -gt 0 ) { + $newSession.ServerUrl = $secretInfo.Metadata.Server + $newSession.Expires = $secretInfo.Metadata.Expires + $newSession.Token = [PSCustomObject]@{ + Server = $secretInfo.Metadata.AuthServer + AccessToken = $tokenSecret + ClientId = $secretInfo.Metadata.ClientId } - $token = New-TppToken @params -Verbose:$isVerbose - $newSession.Token = $token - $newSession.Expires = $token.Expires + $metadataStored = $true } + else { + # need to check params as not mandatory + if ( -not $Server -or -not $ClientId ) { + throw '-Server and -ClientId are required parameters as they weren''t stored with -VaultMetadata' + } - 'AccessToken' { $newSession.Token = [PSCustomObject]@{ Server = $authServerUrl - AccessToken = $AccessToken + AccessToken = $tokenSecret } # we don't have the expiry so create one # rely on the api call itself to fail if access token is invalid $newSession.Expires = (Get-Date).AddMonths(12) } + } - 'VaultAccessToken' { - $tokenSecret = Get-Secret -Name $VaultAccessTokenName -Vault 'VenafiPS' -ErrorAction SilentlyContinue - if ( -not $tokenSecret ) { - throw "'$VaultAccessTokenName' secret not found in vault VenafiPS." 
- } - - # check if metadata was stored or we should get from params - $secretInfo = Get-SecretInfo -Name $VaultAccessTokenName -Vault 'VenafiPS' -ErrorAction SilentlyContinue - - if ( $secretInfo.Metadata.Count -gt 0 ) { - $newSession.ServerUrl = $secretInfo.Metadata.Server - $newSession.Expires = $secretInfo.Metadata.Expires - $newSession.Token = [PSCustomObject]@{ - Server = $secretInfo.Metadata.AuthServer - AccessToken = $tokenSecret - ClientId = $secretInfo.Metadata.ClientId - } - - $metadataStored = $true - } - else { - # need to check params as not mandatory - if ( -not $Server -or -not $ClientId ) { - throw '-Server and -ClientId are required parameters as they weren''t stored with -VaultMetadata' - } - - $newSession.Token = [PSCustomObject]@{ - Server = $authServerUrl - AccessToken = $tokenSecret - } - # we don't have the expiry so create one - # rely on the api call itself to fail if access token is invalid - $newSession.Expires = (Get-Date).AddMonths(12) - } + 'RefreshToken' { + $params = @{ + AuthServer = $authServerUrl + ClientId = $ClientId + RefreshToken = $RefreshToken } - 'RefreshToken' { - $params = @{ - AuthServer = $authServerUrl - ClientId = $ClientId - RefreshToken = $RefreshToken - } + $newToken = New-TppToken @params + $newSession.Token = $newToken + $newSession.Expires = $newToken.Expires + } - $newToken = New-TppToken @params - $newSession.Token = $newToken - $newSession.Expires = $newToken.Expires + 'VaultRefreshToken' { + $tokenSecret = Get-Secret -Name $VaultRefreshTokenName -Vault 'VenafiPS' -ErrorAction SilentlyContinue + if ( -not $tokenSecret ) { + throw "'$VaultRefreshTokenName' secret not found in vault VenafiPS." } - 'VaultRefreshToken' { - $tokenSecret = Get-Secret -Name $VaultRefreshTokenName -Vault 'VenafiPS' -ErrorAction SilentlyContinue - if ( -not $tokenSecret ) { - throw "'$VaultRefreshTokenName' secret not found in vault VenafiPS." 
- } - - # check if metadata was stored or we should get from params - $secretInfo = Get-SecretInfo -Name $VaultRefreshTokenName -Vault 'VenafiPS' -ErrorAction SilentlyContinue + # check if metadata was stored or we should get from params + $secretInfo = Get-SecretInfo -Name $VaultRefreshTokenName -Vault 'VenafiPS' -ErrorAction SilentlyContinue - if ( $secretInfo.Metadata.Count -gt 0 ) { - $params = @{ - AuthServer = $secretInfo.Metadata.AuthServer - ClientId = $secretInfo.Metadata.ClientId - } - - $metadataStored = $true - - } - else { - # need to check params as not mandatory - if ( -not $Server -or -not $ClientId ) { - throw '-Server and -ClientId are required parameters as they weren''t stored with -VaultMetadata' - } - - $params = @{ - AuthServer = $authServerUrl - ClientId = $ClientId - } + if ( $secretInfo.Metadata.Count -gt 0 ) { + $params = @{ + AuthServer = $secretInfo.Metadata.AuthServer + ClientId = $secretInfo.Metadata.ClientId } - $params.RefreshToken = $tokenSecret + $metadataStored = $true - $newToken = New-TppToken @params - $newSession.Token = $newToken - $newSession.Expires = $newToken.Expires - } - - 'Vaas' { - $newSession.ServerUrl = $script:CloudUrl - $newSession.Key = $VaasKey } + else { + # need to check params as not mandatory + if ( -not $Server -or -not $ClientId ) { + throw '-Server and -ClientId are required parameters as they weren''t stored with -VaultMetadata' + } - 'VaultVaasKey' { - $newSession.ServerUrl = $script:CloudUrl - $keySecret = Get-Secret -Name $VaultVaasKeyName -Vault 'VenafiPS' -ErrorAction SilentlyContinue - if ( -not $keySecret ) { - throw "'$VaultVaasKeyName' secret not found in vault VenafiPS." 
+ $params = @{ + AuthServer = $authServerUrl + ClientId = $ClientId } - $newSession.Key = $keySecret } - Default { - throw ('Unknown parameter set {0}' -f $PSCmdlet.ParameterSetName) - } + $params.RefreshToken = $tokenSecret + + $newToken = New-TppToken @params + $newSession.Token = $newToken + $newSession.Expires = $newToken.Expires } - if ( $VaultAccessTokenName ) { - # set new access token in vault - Set-Secret -Name $VaultAccessTokenName -Secret $newSession.Token.AccessToken -Vault 'VenafiPS' + 'Vaas' { + $newSession.ServerUrl = $script:CloudUrl + $newSession.Key = $VaasKey } - if ( $VaultRefreshTokenName ) { - # set new refresh token in vault - if ( $newSession.Token.RefreshToken ) { - Set-Secret -Name $VaultRefreshTokenName -Secret $newSession.Token.RefreshToken -Vault 'VenafiPS' - } - else { - Write-Warning 'Refresh token not provided by server and will not be saved in the vault' + 'VaultVaasKey' { + $newSession.ServerUrl = $script:CloudUrl + $keySecret = Get-Secret -Name $VaultVaasKeyName -Vault 'VenafiPS' -ErrorAction SilentlyContinue + if ( -not $keySecret ) { + throw "'$VaultVaasKeyName' secret not found in vault VenafiPS." 
} + $newSession.Key = $keySecret } - if ( $VaultVaasKeyName ) { - # set new vaas key in vault - Set-Secret -Name $VaultVaasKeyName -Secret $newSession.Key -Vault 'VenafiPS' + Default { + throw ('Unknown parameter set {0}' -f $PSCmdlet.ParameterSetName) } + } - if ( $VaultMetadata.IsPresent -or $metadataStored ) { - if ( -not $VaultAccessTokenName -and -not $VaultRefreshTokenName) { - throw 'Vaulting metadata requires either -VaultAccessTokenName or -VaultRefreshTokenName is provided' - } - $metadata = @{ - Server = $newSession.ServerUrl - AuthServer = $newSession.Token.Server - ClientId = $newSession.Token.ClientId - Expires = $newSession.Expires - } + if ( $VaultAccessTokenName ) { + # set new access token in vault + Set-Secret -Name $VaultAccessTokenName -Secret $newSession.Token.AccessToken -Vault 'VenafiPS' + } - $metadata | ConvertTo-Json | Write-Verbose + if ( $VaultRefreshTokenName ) { + # set new refresh token in vault + if ( $newSession.Token.RefreshToken ) { + Set-Secret -Name $VaultRefreshTokenName -Secret $newSession.Token.RefreshToken -Vault 'VenafiPS' + } + else { + Write-Warning 'Refresh token not provided by server and will not be saved in the vault' + } + } - if ( $VaultAccessTokenName ) { - Set-SecretInfo -Name $VaultAccessTokenName -Vault 'VenafiPS' -Metadata $metadata - } + if ( $VaultVaasKeyName ) { + # set new vaas key in vault + Set-Secret -Name $VaultVaasKeyName -Secret $newSession.Key -Vault 'VenafiPS' + } - if ( $VaultRefreshTokenName ) { - Set-SecretInfo -Name $VaultRefreshTokenName -Vault 'VenafiPS' -Metadata $metadata - } + if ( $VaultMetadata.IsPresent -or $metadataStored ) { + if ( -not $VaultAccessTokenName -and -not $VaultRefreshTokenName) { + throw 'Vaulting metadata requires either -VaultAccessTokenName or -VaultRefreshTokenName is provided' } - - # will fail if user is on an older version. 
this isn't required so bypass on failure - # only applicable to tpp - if ( $PSCmdlet.ParameterSetName -notin 'VaasKey', 'VaultVaasKey' ) { - $newSession.Version = (Get-TppVersion -VenafiSession $newSession -ErrorAction SilentlyContinue) - $certFields = 'X509 Certificate', 'Device', 'Application Base' | Get-TppCustomField -VenafiSession $newSession -ErrorAction SilentlyContinue - # make sure we remove duplicates - $newSession.CustomField = $certFields.Items | Sort-Object -Property Guid -Unique + $metadata = @{ + Server = $newSession.ServerUrl + AuthServer = $newSession.Token.Server + ClientId = $newSession.Token.ClientId + Expires = $newSession.Expires } - if ( $PassThru ) { - $newSession + $metadata | ConvertTo-Json | Write-Verbose + + if ( $VaultAccessTokenName ) { + Set-SecretInfo -Name $VaultAccessTokenName -Vault 'VenafiPS' -Metadata $metadata } - else { - $Script:VenafiSession = $newSession + + if ( $VaultRefreshTokenName ) { + Set-SecretInfo -Name $VaultRefreshTokenName -Vault 'VenafiPS' -Metadata $metadata } } + + # will fail if user is on an older version. this isn't required so bypass on failure + # only applicable to tpp + if ( $PSCmdlet.ParameterSetName -notin 'Vaas', 'VaultVaasKey' ) { + $newSession.Version = (Get-TppVersion -VenafiSession $newSession -ErrorAction SilentlyContinue) + $certFields = 'X509 Certificate', 'Device', 'Application Base' | Get-TppCustomField -VenafiSession $newSession -ErrorAction SilentlyContinue + # make sure we remove duplicates + $newSession.CustomField = $certFields.Items | Sort-Object -Property Guid -Unique + } + + if ( $PassThru ) { + $newSession + } + else { + $Script:VenafiSession = $newSession + } + # } } diff --git a/VenafiPS/Public/Remove-TppCertificate.ps1 b/VenafiPS/Public/Remove-TppCertificate.ps1 index e708be86..e2532c41 100644 --- a/VenafiPS/Public/Remove-TppCertificate.ps1 +++ b/VenafiPS/Public/Remove-TppCertificate.ps1 
@@ -45,7 +45,7 @@ http://VenafiPS.readthedocs.io/en/latest/functions/Remove-TppCertificate/ https://github.com/gdbarron/VenafiPS/blob/main/VenafiPS/Public/Remove-TppCertificate.ps1 .LINK -https://docs.venafi.com/Docs/20.4SDK/TopNav/Content/SDK/WebSDK/r-SDK-DELETE-Certificates-Guid.php?tocpath=Web%20SDK%7CCertificates%20programming%20interface%7C_____9 +https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-DELETE-Certificates-Guid.php #> function Remove-TppCertificate { @@ -53,10 +53,7 @@ function Remove-TppCertificate { [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] param ( - [Parameter(Mandatory, ParameterSetName = 'ByObject', ValueFromPipeline)] - [TppObject] $InputObject, - - [Parameter(Mandatory, ValueFromPipeline, ParameterSetName = 'ByPath')] + [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)] [ValidateNotNullOrEmpty()] [ValidateScript( { if ( $_ | Test-TppDnPath ) { @@ -87,16 +84,16 @@ function Remove-TppCertificate { process { - if ( $PSBoundParameters.ContainsKey('InputObject') ) { - $path = $InputObject.Path - $guid = $InputObject.Guid - } else { - $guid = $Path | ConvertTo-TppGuid -VenafiSession $VenafiSession - } + # if ( $PSBoundParameters.ContainsKey('InputObject') ) { + # $path = $InputObject.Path + # $guid = $InputObject.Guid + # } else { + # $guid = $Path | ConvertTo-TppGuid -VenafiSession $VenafiSession + # } # ensure either there are no associations or the force flag was provided - $associatedApps = $Guid | - Get-TppAttribute -Attribute "Consumers" -EffectivePolicy -VenafiSession $VenafiSession | + $associatedApps = $Path | + Get-TppAttribute -Attribute "Consumers" -Effective -VenafiSession $VenafiSession | Select-Object -ExpandProperty Value if ( $associatedApps ) { 
@@ -108,11 +105,12 @@ function Remove-TppCertificate { } } - $params.UriLeaf = "Certificates/$Guid" + $guid = $Path | ConvertTo-TppGuid -VenafiSession $VenafiSession + $params.UriLeaf = "Certificates/$guid" if ( $PSCmdlet.ShouldProcess($Path, 'Remove certificate and all associations') ) { - Remove-TppCertificateAssociation -Path $Path -All -VenafiSession $VenafiSession - Invoke-TppRestMethod @params + Remove-TppCertificateAssociation -Path $Path -All -VenafiSession $VenafiSession -Confirm:$false + Invoke-TppRestMethod @params | Out-Null } } } diff --git a/VenafiPS/Public/Set-TppAttribute.ps1 b/VenafiPS/Public/Set-TppAttribute.ps1 index 9e502a17..1978cc9f 100644 --- a/VenafiPS/Public/Set-TppAttribute.ps1 +++ b/VenafiPS/Public/Set-TppAttribute.ps1 @@ -1,9 +1,10 @@ <# .SYNOPSIS -Sets a value on an attribute +Sets a value on an objects attribute or policies (policy attributes) .DESCRIPTION -Set a value on an attribute. The attribute can either be built-in or custom. +Set the value on an objects attribute. The attribute can either be built-in or custom. +You can also set policies (policy attributes). .PARAMETER Path Path to the object to modify @@ -14,6 +15,16 @@ Hashtable with names and values to be set. If setting a custom field, you can u .PARAMETER BypassValidation Bypass data validation. Only appicable to custom fields. +.PARAMETER Policy +Set policies (aka policy attributes) instead of object attributes + +.PARAMETER ClassName +Required when setting policy attributes. Provide the class name to set the value for. +If unsure of the class name, add the value through the TPP UI and go to Support->Policy Attributes to find it. + +.PARAMETER Lock +Lock the value on the policy. Only applicable to setting policies. + .PARAMETER VenafiSession Session object created from New-VenafiSession method. The value defaults to the script session object $VenafiSession. 
@@ -24,16 +35,24 @@ Path None .EXAMPLE -Set-TppAttribute -Path '\VED\Policy\My Folder\app.company.com -Attribute @{'My custom field Label'='new custom value'} +Set-TppAttribute -Path '\VED\Policy\My Folder\app.company.com' -Attribute @{'Consumers'='\VED\Policy\myappobject.company.com'} +Set a value on an object + +.EXAMPLE +Set-TppAttribute -Path '\VED\Policy\My Folder\app.company.com' -Attribute @{'My custom field Label'='new custom value'} Set value on custom field .EXAMPLE -Set-TppAttribute -Path '\VED\Policy\My Folder\app.company.com -Attribute @{'DateField'='hi'} -BypassValidation +Set-TppAttribute -Path '\VED\Policy\My Folder\app.company.com' -Attribute @{'My custom field Label'='new custom value'} -BypassValidation Set value on custom field bypassing field validation .EXAMPLE -Set-TppAttribute -Path '\VED\Policy\My Folder\app.company.com -Attribute @{'Consumers'='\VED\Policy\myappobject.company.com'} -Set value on a certificate by overwriting any existing values +Set-TppAttribute -Path '\VED\Policy\My Folder' -Policy -ClassName 'X509 Certificate' -Attribute @{'Notification Disabled'='0'} +Set a policy attribute + +.EXAMPLE +Set-TppAttribute -Path '\VED\Policy\My Folder' -Policy -ClassName 'X509 Certificate' -Attribute @{'Notification Disabled'='0'} -Lock +Set a policy attribute and lock the value .LINK http://VenafiPS.readthedocs.io/en/latest/functions/Set-TppAttribute/ 
@@ -42,11 +61,13 @@ http://VenafiPS.readthedocs.io/en/latest/functions/Set-TppAttribute/ https://github.com/gdbarron/VenafiPS/blob/main/VenafiPS/Public/Set-TppAttribute.ps1 .LINK -https://docs.venafi.com/Docs/21.2/TopNav/Content/SDK/WebSDK/r-SDK-POST-Metadata-Set.php?tocpath=Platform%20SDK%7CWeb%20SDK%20REST%7CCertificate%20end%20points%20for%20TLS%7CMetadata%20custom%20fields%20API%7C_____17 +https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-POST-Metadata-Set.php .LINK -https://docs.venafi.com/Docs/21.2/TopNav/Content/SDK/WebSDK/r-SDK-POST-Config-write.php?tocpath=Platform%20SDK%7CWeb%20SDK%20REST%7CConfiguration%20end%20points%7CConfig%20API%7C_____36 +https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-POST-Config-write.php +.LINK +https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-POST-Config-writepolicy.php #> function Set-TppAttribute { @@ -65,14 +86,23 @@ function Set-TppAttribute { } })] [Alias('DN')] - [String[]] $Path, + [String] $Path, [Parameter(Mandatory)] [hashtable] $Attribute, - [Parameter()] + [Parameter(ParameterSetName = 'Object')] [switch] $BypassValidation, + [Parameter(Mandatory, ParameterSetName = 'Policy')] + [switch] $Policy, + + [Parameter(Mandatory, ParameterSetName = 'Policy')] + [string] $ClassName, + + [Parameter(ParameterSetName = 'Policy')] + [switch] $Lock, + [Parameter()] [VenafiSession] $VenafiSession = $script:VenafiSession ) 
@@ -85,111 +115,132 @@ function Set-TppAttribute { Method = 'Post' } - $baseFields = @() - $customFields = @() + if ( -not $Policy ) { + + $baseFields = @() + $customFields = @() - $Attribute.GetEnumerator() | ForEach-Object { + $Attribute.GetEnumerator() | ForEach-Object { - $thisKey = $_.Key - $thisValue = $_.Value - $customFieldError = $null + $thisKey = $_.Key + $thisValue = $_.Value + $customFieldError = $null - $customField = $VenafiSession.CustomField | Where-Object { $_.Label -eq $thisKey -or $_.Guid -eq $thisKey } - if ( $customField ) { - switch ( $customField.Type.ToString() ) { - '1' { - # string - if ( $customField.RegularExpression -and $thisValue -notmatch $customField.RegularExpression ) { - $customFieldError = 'regular expression ''{0}'' validation failed' -f $customField.RegularExpression + $customField = $VenafiSession.CustomField | Where-Object { $_.Label -eq $thisKey -or $_.Guid -eq $thisKey } + if ( $customField ) { + switch ( $customField.Type.ToString() ) { + '1' { + # string + if ( $customField.RegularExpression -and $thisValue -notmatch $customField.RegularExpression ) { + $customFieldError = 'regular expression ''{0}'' validation failed' -f $customField.RegularExpression + } } - } - '2' { - # list - if ( $thisValue -notin $customField.AllowedValues ) { - $customFieldError = 'value is not in the list of allowed values ''{0}''' -f $customField.AllowedValues + '2' { + # list + if ( $thisValue -notin $customField.AllowedValues ) { + $customFieldError = 'value is not in the list of allowed values ''{0}''' -f $customField.AllowedValues + } } - } - '5' { - # identity - if ( -not ($thisValue | Test-TppIdentity -ExistOnly -VenafiSession $VenafiSession) ) { - $customFieldError = 'value is not a valid identity' + '5' { + # identity + if ( -not ($thisValue | Test-TppIdentity -ExistOnly -VenafiSession $VenafiSession) ) { + $customFieldError = 'value is not a valid identity' + } } - } - '4' { - # date/time - try { - [datetime] $thisValue + '4' { + # 
date/time + try { + [datetime] $thisValue + } + catch { + $customFieldError = 'value is not a valid date' + } } - catch { - $customFieldError = 'value is not a valid date' + + Default { + $customFieldError = 'unknown custom field type' } } - Default { - $customFieldError = 'unknown custom field type' + if ( $customFieldError -and -not $BypassValidation.IsPresent ) { + Write-Error ('The value ''{0}'' for field ''{1}'' encountered an error, {2}' -f $thisValue, $thisKey, $customFieldError) + } + else { + $customFields += @{ + ItemGuid = $customField.Guid + List = @($thisValue) + } } - } - - if ( $customFieldError -and -not $BypassValidation.IsPresent ) { - Write-Error ('The value ''{0}'' for field ''{1}'' encountered an error, {2}' -f $thisValue, $thisKey, $customFieldError) } else { - $customFields += @{ - ItemGuid = $customField.Guid - List = @($thisValue) + $baseFields += @{ + Name = $thisKey + Value = $thisValue } } } - else { - $baseFields += @{ - Name = $thisKey - Value = $thisValue - } - } } } process { - foreach ($thisDn in $Path) { + if ( -not $PSCmdlet.ShouldProcess($Path) ) { + continue + } - if ( $PSCmdlet.ShouldProcess($thisDn) ) { + if ( $Policy ) { + $Attribute.GetEnumerator() | ForEach-Object { - # built-in fields and custom fields have different APIs and payloads + $params.UriLeaf = 'config/WritePolicy' + $params.Body = @{ + ObjectDN = $Path + Class = $ClassName + AttributeName = $_.Key + Values = @($_.Value) + Locked = [int]$Lock.ToBool() + } - if ( $baseFields.Count -gt 0 ) { + $response = Invoke-TppRestMethod @params - $params.UriLeaf = 'config/Write' - $params.Body = @{ - ObjectDN = $thisDn - AttributeData = $baseFields - } + if ( $response.Result -ne [TppConfigResult]::Success ) { + Write-Error $response.Error + } + } + } - $response = Invoke-TppRestMethod @params + # built-in fields and custom fields have different APIs and payloads - if ( $response.Result -ne [TppConfigResult]::Success ) { - Write-Error $response.Error - } - } + if ( 
$baseFields.Count -gt 0 ) { - if ( $customFields.Count -gt 0 ) { + $params.UriLeaf = 'config/Write' + $params.Body = @{ + ObjectDN = $Path + AttributeData = $baseFields + } - $params.UriLeaf = 'Metadata/Set' - $params.Body = @{ - DN = $thisDn - GuidData = $customFields - KeepExisting = $true - } + $response = Invoke-TppRestMethod @params - $response = Invoke-TppRestMethod @params + if ( $response.Result -ne [TppConfigResult]::Success ) { + Write-Error $response.Error + } + } - if ( $response.Result -ne 0 ) { - Write-Error $response.Error - } - } + if ( $customFields.Count -gt 0 ) { + + $params.UriLeaf = 'Metadata/Set' + $params.Body = @{ + DN = $Path + GuidData = $customFields + KeepExisting = $true + } + + $response = Invoke-TppRestMethod @params + + if ( $response.Result -ne 0 ) { + Write-Error $response.Error } } } diff --git a/VenafiPS/VenafiPS.psd1 b/VenafiPS/VenafiPS.psd1 index 5daa4d94..a2f4a379 100644 --- a/VenafiPS/VenafiPS.psd1 +++ b/VenafiPS/VenafiPS.psd1 @@ -12,7 +12,7 @@ RootModule = 'VenafiPS.psm1' # Version number of this module. -ModuleVersion = '3.3.1' +ModuleVersion = '3.4' # Supported PSEditions # CompatiblePSEditions = @() 
@@ -69,28 +69,28 @@ PowerShellVersion = '5.1' # NestedModules = @() # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. -FunctionsToExport = 'Add-TppCertificateAssociation', 'ConvertTo-TppGuid', - 'ConvertTo-TppPath', 'Export-VenafiCertificate', - 'Find-TppCertificate', 'Find-TppCodeSignEnvironment', - 'Find-TppCodeSignProject', 'Find-TppCodeSignTemplate', - 'Find-TppIdentity', 'Find-TppObject', 'Get-TppAttribute', - 'Get-TppClassAttribute', 'Get-TppCodeSignConfig', - 'Get-TppCodeSignEnvironment', 'Get-TppCodeSignProject', - 'Get-TppCustomField', 'Get-TppIdentity', 'Get-TppIdentityAttribute', - 'Get-TppObject', 'Get-TppPermission', 'Get-TppSystemStatus', - 'Get-TppVersion', 'Get-TppWorkflowTicket', 'Get-VaasApplication', - 'Get-VaasOrgUnit', 'Get-VenafiCertificate', 'Import-TppCertificate', - 'Invoke-TppCertificatePush', 'Invoke-TppCertificateRenewal', - 'Invoke-VenafiRestMethod', 'Move-TppObject', 'New-TppCapiApplication', - 'New-TppCertificate', 'New-TppCodeSignProject', 'New-TppDevice', - 'New-TppObject', 'New-TppPolicy', 'New-TppToken', 'New-VenafiSession', - 'Read-TppLog', 'Remove-TppCertificate', - 'Remove-TppCertificateAssociation', 'Remove-TppCodeSignEnvironment', - 'Remove-TppCodeSignProject', 'Remove-TppPermission', - 'Rename-TppObject', 'Revoke-TppCertificate', 'Revoke-TppToken', - 'Set-TppAttribute', 'Set-TppCodeSignProjectStatus', - 'Set-TppPermission', 'Set-TppWorkflowTicketStatus', 'Test-ModuleHash', - 'Test-TppIdentity', 'Test-TppObject', 'Test-TppToken', 'Write-TppLog' +FunctionsToExport = 'Add-TppCertificateAssociation', 'ConvertTo-TppGuid', + 'ConvertTo-TppPath', 'Export-VenafiCertificate', + 'Find-TppCertificate', 'Find-TppCodeSignEnvironment', + 'Find-TppCodeSignProject', 'Find-TppCodeSignTemplate', + 'Find-TppIdentity', 'Find-TppObject', 'Get-TppAttribute', + 'Get-TppClassAttribute', 'Get-TppCodeSignConfig', + 
'Get-TppCodeSignEnvironment', 'Get-TppCodeSignProject', + 'Get-TppCustomField', 'Get-TppIdentity', 'Get-TppIdentityAttribute', + 'Get-TppObject', 'Get-TppPermission', 'Get-TppSystemStatus', + 'Get-TppVersion', 'Get-TppWorkflowTicket', 'Get-VaasApplication', + 'Get-VaasOrgUnit', 'Get-VenafiCertificate', 'Import-TppCertificate', + 'Invoke-TppCertificatePush', 'Invoke-TppCertificateRenewal', + 'Invoke-VenafiRestMethod', 'Move-TppObject', 'New-TppCapiApplication', + 'New-TppCertificate', 'New-TppCodeSignProject', 'New-TppDevice', + 'New-TppObject', 'New-TppPolicy', 'New-TppToken', 'New-VenafiSession', + 'Read-TppLog', 'Remove-TppCertificate', + 'Remove-TppCertificateAssociation', 'Remove-TppCodeSignEnvironment', + 'Remove-TppCodeSignProject', 'Remove-TppPermission', + 'Rename-TppObject', 'Revoke-TppCertificate', 'Revoke-TppToken', + 'Set-TppAttribute', 'Set-TppCodeSignProjectStatus', + 'Set-TppPermission', 'Set-TppWorkflowTicketStatus', 'Test-ModuleHash', + 'Test-TppIdentity', 'Test-TppObject', 'Test-TppToken', 'Write-TppLog', 'Invoke-VenafiCertificateAction' # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. CmdletsToExport = @() diff --git a/VenafiPS/VenafiPS.psm1 b/VenafiPS/VenafiPS.psm1 index 43f5eb41..ceccd66f 100644 --- a/VenafiPS/VenafiPS.psm1 +++ b/VenafiPS/VenafiPS.psm1 @@ -14,6 +14,7 @@ foreach ( $folder in $folders) { Foreach ( $thisFile in $files ) { Try { + Write-Verbose ('dot sourcing {0}' -f $thisFile.FullName) . $thisFile.fullname if ( $folder -eq 'Public' ) { Export-ModuleMember -Function $thisFile.Basename
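Review bot: New-VenafiSession.ps1, the hunk that moves the vault and version logic out of the `switch`: a stray commented-out brace `+ # }` is left immediately before the function's real closing `}`; delete it, it is dead text that will confuse the next person reading the brace nesting. In the same hunk the throw message `'Vaulting metadata requires either -VaultAccessTokenName or -VaultRefreshTokenName is provided'` should read `be provided`. The guard change from `-notin 'VaasKey', 'VaultVaasKey'` to `-notin 'Vaas', 'VaultVaasKey'` looks right: the old value named a set that does not match the `'Vaas'` name used now, so the TPP-only `Get-TppVersion` and `Get-TppCustomField` calls were evidently being attempted for VaaS sessions, and the new `Default { throw ('Unknown parameter set {0}' ...) }` case will surface any future mismatch instead of silently skipping. Note also that the verbose dump `$metadata | ConvertTo-Json | Write-Verbose` contains only `Server`, `AuthServer`, `ClientId` and `Expires`, no token or key material, which is the right boundary for a verbose stream that users often capture into transcripts.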
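Review bot: Remove-TppCertificate.ps1, hunk @@ -53,10 +53,7: dropping the `ByObject` parameter set removes the explicit `-InputObject` parameter. Piping a `[TppObject]` still works because `$Path` now has `ValueFromPipelineByPropertyName`, but any caller that wrote `Remove-TppCertificate -InputObject $obj` breaks with an unknown-parameter error; record this as a breaking change in the release notes.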
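Review bot: Remove-TppCertificate.ps1, hunk @@ -87,16 +84,16: the old `InputObject`/`Guid` resolution is commented out rather than deleted; remove the six `#` lines, git history already keeps them. The association lookup changes from `Get-TppAttribute -Attribute "Consumers" -EffectivePolicy` to `-Effective`; this is the only place in the visible diff that exercises the rename, so confirm the Get-TppAttribute changes in this PR actually introduce `-Effective` and either keep `-EffectivePolicy` as an alias or list its removal as a breaking change, otherwise this pre-delete safety check (refusing to remove a certificate that still has consumers unless forced) will fail at runtime.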
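Review bot: Remove-TppCertificate.ps1, hunk @@ -108,11 +105,12: piping the DELETE call to `Out-Null` (`Invoke-TppRestMethod @params | Out-Null`) discards the response. That is only safe if `Invoke-TppRestMethod` throws on a non-success status; if it returns an error payload, a failed deletion is now silent and the function appears to succeed after it has already torn down all associations. Either inspect the response before discarding it or confirm the throw behaviour in this review. Adding `-Confirm:$false` to `Remove-TppCertificateAssociation` is appropriate here, since the caller has already passed the `ConfirmImpact = 'High'` `ShouldProcess` gate and a single prompt should cover both destructive steps.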
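Review bot: Set-TppAttribute.ps1, hunk @@ -1,9 +1,10: `objects attribute` should be `object's attribute` in both the `.SYNOPSIS` and `.DESCRIPTION` lines.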
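Review bot: Set-TppAttribute.ps1, hunk @@ -14,6 +15,16: the context line `Bypass data validation. Only appicable to custom fields.` has a typo (`applicable`); since this hunk is editing the parameter help anyway, fix it here rather than leaving it for another PR.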
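Review bot: Set-TppAttribute.ps1, hunk @@ -24,16 +35,24: the `-BypassValidation` example now uses the same input as the example directly above it, `@{'My custom field Label'='new custom value'}`, so it no longer shows why bypass would ever be needed; the removed `@{'DateField'='hi'}` example did. Keep an input that would fail field validation. The closing-quote fix on each `-Path '\VED\Policy\My Folder\app.company.com'` is good, the old examples were not valid PowerShell.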
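Review bot: Set-TppAttribute.ps1, hunk @@ -65,14 +86,23: `$Path` narrows from `[String[]]` to `[String]`, so a caller passing an array now gets a type-conversion error instead of having each path processed; pipeline input still works one item at a time, but this should be listed as a breaking change. Also, with `BypassValidation` in set `Object` and `Policy`/`ClassName`/`Lock` in set `Policy`, a call that supplies only `-Path` and `-Attribute` belongs to no set unless the `[CmdletBinding(...)]` declares `DefaultParameterSetName = 'Object'`; that line is outside the hunk, so please confirm it is set, otherwise the most common invocation fails with "Parameter set cannot be resolved".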
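Review bot: Set-TppAttribute.ps1, hunk @@ -85,111 +115,132: `if ( -not $PSCmdlet.ShouldProcess($Path) ) { continue }` is a leftover from the removed `foreach ($thisDn in $Path)` loop. There is no enclosing loop in `process` any more, so `continue` propagates out of the function and terminates the caller's pipeline instead of skipping this item; use `return`. Second, `$baseFields` and `$customFields` are only initialised inside `if ( -not $Policy )` in `begin`, yet `process` still evaluates `$baseFields.Count -gt 0` and `$customFields.Count -gt 0` after the `-Policy` branch. That only works because `.Count` on an unset variable yields 0 when strict mode is off; under `Set-StrictMode` it throws. Initialise both to `@()` unconditionally, or make the two object-attribute writes the `else` of `if ( $Policy )` so the policy path never reaches them. Minor: `$params.UriLeaf = 'config/WritePolicy'` is reassigned on every iteration of the policy `ForEach-Object`; hoist it above the loop.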
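Review bot: VenafiPS.psd1, hunk @@ -12,7 +12,7: `ModuleVersion = '3.4'` drops the patch component that `'3.3.1'` had; use `'3.4.0'` so the manifest keeps a three-part version consistent with the previous release and with how the module has been tagged so far.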
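Review bot: VenafiPS.psd1, hunk @@ -69,28 +69,28: every existing `FunctionsToExport` line is removed and re-added with no visible content change (whitespace or line-ending churn) in order to append `'Invoke-VenafiCertificateAction'` at the end; the real change is one token. Re-save without the whitespace change so the diff is reviewable, and insert the new name in alphabetical position (between `'Invoke-TppCertificateRenewal'` and `'Invoke-VenafiRestMethod'`) so the export list stays sorted like the rest of it.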