Fix certificate-based oauth token support (#30)

* fix cert token params * add cert param through to invoke * remove UseCertificate * bypass when verbose is off * help/comments * update changelog
Venafi · Sep 17, 2021 · b532df0 · b532df0
1 parent 1d357d6
commit b532df0
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 33 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 3.1.7
+- Fix/finalize certificate-based oauth token support, [#29](https://github.com/gdbarron/VenafiPS/issues/29)
+
 ## 3.1.6
 - Thanks to @harrisonmeister for this contribution!
 - Add support to `Export-VenafiCertificate` for `-IncludeChain` and `-IncludePrivateKey` when using JKS format, [#24](https://github.com/gdbarron/VenafiPS/issues/24) and [#26](https://github.com/gdbarron/VenafiPS/issues/26)

diff --git a/VenafiPS/Private/Write-VerboseWithSecret.ps1 b/VenafiPS/Private/Write-VerboseWithSecret.ps1
@@ -44,7 +44,8 @@ function Write-VerboseWithSecret {
     }
 
     process {
-        if ( -not $InputObject ) {
+
+        if ( -not $InputObject -or [System.Management.Automation.ActionPreference]::SilentlyContinue -eq $VerbosePreference ) {
             return
         }
 
@@ -54,7 +55,7 @@ function Write-VerboseWithSecret {
         $processMe = $InputObject
         if ($InputObject.GetType().FullName -ne 'System.String') {
             # if hashtable or other object, convert to json first
-            $processMe = $InputObject | ConvertTo-Json -Depth 20
+            $processMe = $InputObject | ConvertTo-Json -Depth 5
         }
 
         foreach ($prop in $PropertyName) {

diff --git a/VenafiPS/Public/Invoke-VenafiRestMethod.ps1 b/VenafiPS/Public/Invoke-VenafiRestMethod.ps1
@@ -43,7 +43,11 @@ function Invoke-VenafiRestMethod {
         [String] $ServerUrl,
 
         [Parameter(ParameterSetName = 'URL')]
-        [switch] $UseDefaultCredentials,
+        [Alias('UseDefaultCredentials')]
+        [switch] $UseDefaultCredential,
+
+        [Parameter(ParameterSetName = 'URL')]
+        [X509Certificate] $Certificate,
 
         [Parameter()]
         [ValidateSet("Get", "Post", "Patch", "Put", "Delete", 'Head')]
@@ -136,12 +140,22 @@ function Invoke-VenafiRestMethod {
         }
     }
 
-    if ( $UseDefaultCredentials ) {
+    if ( $UseDefaultCredential.IsPresent -and $Certificate ) {
+        throw 'You cannot use UseDefaultCredential and Certificate parameters together'
+    }
+
+    if ( $UseDefaultCredential.IsPresent ) {
         $params.Add('UseDefaultCredentials', $true)
     }
 
     $params | Write-VerboseWithSecret
 
+    # ConvertTo-Json, used in Write-VerboseWithSecret, has an issue with certificates
+    # add this param after
+    if ( $Certificate ) {
+        $params.Add('Certificate', $Certificate)
+    }
+
     $oldProgressPreference = $ProgressPreference
     $ProgressPreference = 'SilentlyContinue'
 
@@ -189,8 +203,9 @@ function Invoke-VenafiRestMethod {
             }
         }
     }
-
-    $ProgressPreference = $oldProgressPreference
+    finally {
+        $ProgressPreference = $oldProgressPreference
+    }
 
     if ( $FullResponse.IsPresent ) {
         $response

diff --git a/VenafiPS/Public/New-TppToken.ps1 b/VenafiPS/Public/New-TppToken.ps1
@@ -27,7 +27,7 @@ Username / password credential used to request API Token
 A session state, redirect URL, or random string to prevent Cross-Site Request Forgery (CSRF) attacks
 
 .PARAMETER Certificate
-Certificate used to request API token
+Certificate used to request API token.  Certificate authentication must be configured for remote web sdk clients, https://docs.venafi.com/Docs/21.1SDK/TopNav/Content/CA/t-CA-ConfiguringInTPPandIIS-tpp.php.
 
 .EXAMPLE
 New-TppToken -AuthServer 'https://mytppserver.example.com' -Scope @{ Certificate = "manage,discover"; Configuration = "manage" } -ClientId 'MyAppId' -Credential $credential

diff --git a/VenafiPS/Public/New-VenafiSession.ps1 b/VenafiPS/Public/New-VenafiSession.ps1
@@ -61,6 +61,10 @@ Create key-based session using Windows Integrated authentication
 New-VenafiSession -Server venafitpp.mycompany.com -ClientId MyApp -Scope @{'certificate'='manage'}
 Create token-based session using Windows Integrated authentication with a certain scope and privilege restriction
 
+.EXAMPLE
+New-VenafiSession -Server venafitpp.mycompany.com -Certificate $myCert -ClientId MyApp -Scope @{'certificate'='manage'}
+Create token-based session using a client certificate
+
 .EXAMPLE
 New-VenafiSession -Server venafitpp.mycompany.com -AuthServer tppauth.mycompany.com -ClientId MyApp -Credential $cred
 Create token-based session using oauth authentication where the vedauth and vedsdk are hosted on different servers
@@ -90,13 +94,13 @@ https://docs.venafi.com/Docs/19.4/TopNav/Content/SDK/WebSDK/API_Reference/r-SDK-
 https://docs.venafi.com/Docs/19.4/TopNav/Content/SDK/WebSDK/API_Reference/r-SDK-GET-Authorize-Integrated.php?tocpath=Topics%20by%20Guide%7CDeveloper%27s%20Guide%7CWeb%20SDK%20reference%7CAuthentication%20programming%20interfaces%7C_____3
 
 .LINK
-https://docs.venafi.com/Docs/20.1SDK/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-Authorize-Integrated.php?tocpath=Auth%20SDK%20reference%20for%20token%20management%7C_____10
+https://docs.venafi.com/Docs/current/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-Authorize-Integrated.php?tocpath=Platform%20SDK%7CAuth%20REST%20for%20token%20management%7C_____10
 
 .LINK
-https://docs.venafi.com/Docs/20.1SDK/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-AuthorizeOAuth.php?tocpath=Auth%20SDK%20reference%20for%20token%20management%7C_____11
+https://docs.venafi.com/Docs/current/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-AuthorizeOAuth.php?tocpath=Platform%20SDK%7CAuth%20REST%20for%20token%20management%7C_____11
 
 .LINK
-https://docs.venafi.com/Docs/20.1/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-AuthorizeCertificate.php?tocpath=Topics%20by%20Guide%7CDeveloper%27s%20Guide%7CAuth%20SDK%20reference%20for%20token%20management%7C_____9
+https://docs.venafi.com/Docs/current/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-AuthorizeCertificate.php?tocpath=Platform%20SDK%7CAuth%20REST%20for%20token%20management%7C_____9
 #>
 function New-VenafiSession {
 
@@ -109,7 +113,6 @@ function New-VenafiSession {
         [Parameter(Mandatory, ParameterSetName = 'TokenIntegrated')]
         [Parameter(Mandatory, ParameterSetName = 'TokenCertificate')]
         [Parameter(Mandatory, ParameterSetName = 'AccessToken')]
-        # [Parameter(Mandatory, ParameterSetName = 'TppToken', ValueFromPipelineByPropertyName)]
         [ValidateScript( {
                 if ( $_ -match '^(https?:\/\/)?(((?!-))(xn--|_{1,1})?[a-z0-9-]{0,61}[a-z0-9]{1,1}\.)*(xn--)?([a-z0-9][a-z0-9\-]{0,60}|[a-z0-9-]{1,30}\.[a-z]{2,})$' ) {
                     $true
@@ -127,30 +130,18 @@ function New-VenafiSession {
 
         [Parameter(Mandatory, ParameterSetName = 'TokenIntegrated')]
         [Parameter(Mandatory, ParameterSetName = 'TokenOAuth')]
-        # [Parameter(Mandatory, ParameterSetName = 'TppToken', ValueFromPipelineByPropertyName)]
+        [Parameter(Mandatory, ParameterSetName = 'TokenCertificate')]
         [string] $ClientId,
 
         [Parameter(Mandatory, ParameterSetName = 'TokenIntegrated')]
         [Parameter(Mandatory, ParameterSetName = 'TokenOAuth')]
-        # [Parameter(Mandatory, ParameterSetName = 'TppToken', ValueFromPipelineByPropertyName)]
+        [Parameter(Mandatory, ParameterSetName = 'TokenCertificate')]
         [hashtable] $Scope,
 
         [Parameter(ParameterSetName = 'TokenIntegrated')]
         [Parameter(ParameterSetName = 'TokenOAuth')]
         [string] $State,
 
-        # [Parameter(Mandatory, ParameterSetName = 'TppToken')]
-        # [ValidateScript( {
-        #         if ( $_.AccessToken -and $_.AuthUrl -and $_.ClientId  ) {
-        #             $true
-        #         } else {
-        #             throw 'Object provided for TppToken is not valid.  Please request a new token with New-TppToken.'
-        #         }
-        #     }
-        # )]
-        # [pscustomobject] $TppToken,
-
-        # [Parameter(Mandatory, ParameterSetName = 'TppToken', ValueFromPipelineByPropertyName)]
         [Parameter(Mandatory, ParameterSetName = 'AccessToken')]
         [PSCredential] $AccessToken,
 
@@ -159,6 +150,7 @@ function New-VenafiSession {
 
         [Parameter(ParameterSetName = 'TokenOAuth')]
         [Parameter(ParameterSetName = 'TokenIntegrated')]
+        [Parameter(ParameterSetName = 'TokenCertificate')]
         [ValidateScript( {
                 if ( $_ -match '^(https?:\/\/)?(((?!-))(xn--|_{1,1})?[a-z0-9-]{0,61}[a-z0-9]{1,1}\.)*(xn--)?([a-z0-9][a-z0-9\-]{0,60}|[a-z0-9-]{1,30}\.[a-z]{2,})$' ) {
                     $true
@@ -235,14 +227,6 @@ function New-VenafiSession {
                 $newSession.Expires = $token.Expires
             }
 
-            # 'TppToken' {
-            #     $newSession.Token = [PSCustomObject]@{
-            #         AccessToken = $AccessToken
-            #         ClientId    = $ClientId
-            #         Scope       = $Scope
-            #     }
-            # }
-
             'AccessToken' {
                 $newSession.Token = [PSCustomObject]@{
                     AccessToken = $AccessToken