From b532df003a5340bd6f644a80b3c3a578f8e6dc6d Mon Sep 17 00:00:00 2001
From: Greg Brownstein
Date: Fri, 17 Sep 2021 15:49:59 -0400
Subject: [PATCH] Fix certificate-based oauth token support (#30)

* fix cert token params
* add cert param through to invoke
* remove UseCertificate
* bypass when verbose is off
* help/comments
* update changelog
---
 CHANGELOG.md | 3 ++
 VenafiPS/Private/Write-VerboseWithSecret.ps1 | 5 +--
 VenafiPS/Public/Invoke-VenafiRestMethod.ps1 | 23 ++++++++++---
 VenafiPS/Public/New-TppToken.ps1 | 2 +-
 VenafiPS/Public/New-VenafiSession.ps1 | 36 ++++++--------------
 5 files changed, 36 insertions(+), 33 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8eabdee8..2b73748d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 3.1.7
+- Fix/finalize certificate-based oauth token support, [#29](https://github.com/gdbarron/VenafiPS/issues/29)
+
 ## 3.1.6
 - Thanks to @harrisonmeister for this contribution!
 - Add support to `Export-VenafiCertificate` for `-IncludeChain` and `-IncludePrivateKey` when using JKS format, [#24](https://github.com/gdbarron/VenafiPS/issues/24) and [#26](https://github.com/gdbarron/VenafiPS/issues/26)
diff --git a/VenafiPS/Private/Write-VerboseWithSecret.ps1 b/VenafiPS/Private/Write-VerboseWithSecret.ps1
index 0cb4c2d4..3a3373fe 100644
--- a/VenafiPS/Private/Write-VerboseWithSecret.ps1
+++ b/VenafiPS/Private/Write-VerboseWithSecret.ps1
@@ -44,7 +44,8 @@ function Write-VerboseWithSecret {
 }
 
 process {
- if ( -not $InputObject ) {
+
+ if ( -not $InputObject -or [System.Management.Automation.ActionPreference]::SilentlyContinue -eq $VerbosePreference ) {
 return
 }
 
@@ -54,7 +55,7 @@ function Write-VerboseWithSecret {
 $processMe = $InputObject
 if ($InputObject.GetType().FullName -ne 'System.String') {
 # if hashtable or other object, convert to json first
- $processMe = $InputObject | ConvertTo-Json -Depth 20
+ $processMe = $InputObject | ConvertTo-Json -Depth 5
 }
 
 foreach ($prop in $PropertyName) {
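Review bot: The new guard in `process` is written enum-first, `[System.Management.Automation.ActionPreference]::SilentlyContinue -eq $VerbosePreference`, which reads backwards and hides that this is a skip-when-quiet check; `$VerbosePreference -eq 'SilentlyContinue'` behaves the same, since the string converts to the preference enum, and reads as intended. A one-line comment would also help, because the early return now bypasses the JSON conversion and the secret redaction entirely, e.g. `# nothing will be written, so skip the conversion and redaction work`. The process block continues outside the hunk.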
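Review bot: Changing `-Depth 20` to `-Depth 5` alters what the redaction loop below sees, and the hunk gives no reason for it; anything nested deeper than five levels is no longer serialized but rendered via ToString(), so a secret that deep is dropped from the output rather than redacted (safe, but surprising to the next reader), and newer PowerShell versions, as I recall, also emit a warning when the depth is exceeded. State the intent in the comment, e.g. `# depth 5 keeps ConvertTo-Json fast on large objects; deeper values are stringified, not serialized`. Write-VerboseWithSecret's body continues outside the hunk.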
diff --git a/VenafiPS/Public/Invoke-VenafiRestMethod.ps1 b/VenafiPS/Public/Invoke-VenafiRestMethod.ps1
index e4a551a1..58a3bd9c 100644
--- a/VenafiPS/Public/Invoke-VenafiRestMethod.ps1
+++ b/VenafiPS/Public/Invoke-VenafiRestMethod.ps1
@@ -43,7 +43,11 @@ function Invoke-VenafiRestMethod {
 [String] $ServerUrl,
 
 [Parameter(ParameterSetName = 'URL')]
- [switch] $UseDefaultCredentials,
+ [Alias('UseDefaultCredentials')]
+ [switch] $UseDefaultCredential,
+
+ [Parameter(ParameterSetName = 'URL')]
+ [X509Certificate] $Certificate,
 
 [Parameter()]
 [ValidateSet("Get", "Post", "Patch", "Put", "Delete", 'Head')]
@@ -136,12 +140,22 @@ function Invoke-VenafiRestMethod {
 }
 }
 
- if ( $UseDefaultCredentials ) {
+ if ( $UseDefaultCredential.IsPresent -and $Certificate ) {
+ throw 'You cannot use UseDefaultCredential and Certificate parameters together'
+ }
+
+ if ( $UseDefaultCredential.IsPresent ) {
 $params.Add('UseDefaultCredentials', $true)
 }
 
 $params | Write-VerboseWithSecret
 
+ # ConvertTo-Json, used in Write-VerboseWithSecret, has an issue with certificates
+ # add this param after
+ if ( $Certificate ) {
+ $params.Add('Certificate', $Certificate)
+ }
+
 $oldProgressPreference = $ProgressPreference
 $ProgressPreference = 'SilentlyContinue'
 
@@ -189,8 +203,9 @@ function Invoke-VenafiRestMethod {
 }
 }
 }
-
- $ProgressPreference = $oldProgressPreference
+ finally {
+ $ProgressPreference = $oldProgressPreference
+ }
 
 if ( $FullResponse.IsPresent ) {
 $response
diff --git a/VenafiPS/Public/New-TppToken.ps1 b/VenafiPS/Public/New-TppToken.ps1
index 604bc6d6..6fe419c3 100644
--- a/VenafiPS/Public/New-TppToken.ps1
+++ b/VenafiPS/Public/New-TppToken.ps1
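Review bot: The new `$Certificate` parameter is typed as the base `X509Certificate`, which exposes nothing about a private key, so a public-only certificate binds here and fails only later inside the TLS handshake with an error that does not point at the cause. Consider `[ValidateScript({ $_.HasPrivateKey })]` over `[System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,` so the problem surfaces at parameter binding; an X509Certificate2 still binds to the downstream -Certificate parameter if, as it appears, `$params` is splatted to Invoke-RestMethod. The parameter block continues outside the hunk, and if the comment-based help above does not yet carry a `.PARAMETER Certificate` entry it should get one.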
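Review bot: The comment `# ConvertTo-Json, used in Write-VerboseWithSecret, has an issue with certificates` understates what the ordering protects: adding the certificate to `$params` only after `$params | Write-VerboseWithSecret` keeps the certificate object, and whatever private-key handle it carries, out of the verbose stream, and a later change that moves the verbose call would silently undo that. Say so explicitly, e.g. `# Add the certificate only after logging: ConvertTo-Json cannot serialize it, and it must never reach the verbose stream`. The mutual-exclusion `throw` for UseDefaultCredential and Certificate is reasonable as a runtime check since both live in the 'URL' parameter set; a comment noting that this was chosen over a separate parameter set would stop someone from "fixing" it. The enclosing function continues outside the hunk.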
@@ -27,7 +27,7 @@ Username / password credential used to request API Token
 A session state, redirect URL, or random string to prevent Cross-Site Request Forgery (CSRF) attacks
 
 .PARAMETER Certificate
-Certificate used to request API token
+Certificate used to request API token. Certificate authentication must be configured for remote web sdk clients, https://docs.venafi.com/Docs/21.1SDK/TopNav/Content/CA/t-CA-ConfiguringInTPPandIIS-tpp.php.
 
 .EXAMPLE
 New-TppToken -AuthServer 'https://mytppserver.example.com' -Scope @{ Certificate = "manage,discover"; Configuration = "manage" } -ClientId 'MyAppId' -Credential $credential
diff --git a/VenafiPS/Public/New-VenafiSession.ps1 b/VenafiPS/Public/New-VenafiSession.ps1
index 155c6180..7d2cc6ca 100644
--- a/VenafiPS/Public/New-VenafiSession.ps1
+++ b/VenafiPS/Public/New-VenafiSession.ps1
@@ -61,6 +61,10 @@ Create key-based session using Windows Integrated authentication
 New-VenafiSession -Server venafitpp.mycompany.com -ClientId MyApp -Scope @{'certificate'='manage'}
 Create token-based session using Windows Integrated authentication with a certain scope and privilege restriction
 
+.EXAMPLE
+New-VenafiSession -Server venafitpp.mycompany.com -Certificate $myCert -ClientId MyApp -Scope @{'certificate'='manage'}
+Create token-based session using a client certificate
+
 .EXAMPLE
 New-VenafiSession -Server venafitpp.mycompany.com -AuthServer tppauth.mycompany.com -ClientId MyApp -Credential $cred
 Create token-based session using oauth authentication where the vedauth and vedsdk are hosted on different servers
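Review bot: The new help text for `-Certificate` links a version-pinned page, `https://docs.venafi.com/Docs/21.1SDK/...`, while the same commit moves New-VenafiSession's `.LINK` entries from `20.1SDK` to `current`; use the `current` path form here as well so this link does not go stale with the next TPP release. The sentence would also read better with the product term capitalized the way the commit's other links spell it, `... must be configured in TPP for remote Web SDK clients; see <url>`.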
@@ -90,13 +94,13 @@ https://docs.venafi.com/Docs/19.4/TopNav/Content/SDK/WebSDK/API_Reference/r-SDK-
 https://docs.venafi.com/Docs/19.4/TopNav/Content/SDK/WebSDK/API_Reference/r-SDK-GET-Authorize-Integrated.php?tocpath=Topics%20by%20Guide%7CDeveloper%27s%20Guide%7CWeb%20SDK%20reference%7CAuthentication%20programming%20interfaces%7C_____3
 
 .LINK
-https://docs.venafi.com/Docs/20.1SDK/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-Authorize-Integrated.php?tocpath=Auth%20SDK%20reference%20for%20token%20management%7C_____10
+https://docs.venafi.com/Docs/current/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-Authorize-Integrated.php?tocpath=Platform%20SDK%7CAuth%20REST%20for%20token%20management%7C_____10
 
 .LINK
-https://docs.venafi.com/Docs/20.1SDK/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-AuthorizeOAuth.php?tocpath=Auth%20SDK%20reference%20for%20token%20management%7C_____11
+https://docs.venafi.com/Docs/current/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-AuthorizeOAuth.php?tocpath=Platform%20SDK%7CAuth%20REST%20for%20token%20management%7C_____11
 
 .LINK
-https://docs.venafi.com/Docs/20.1/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-AuthorizeCertificate.php?tocpath=Topics%20by%20Guide%7CDeveloper%27s%20Guide%7CAuth%20SDK%20reference%20for%20token%20management%7C_____9
+https://docs.venafi.com/Docs/current/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-AuthorizeCertificate.php?tocpath=Platform%20SDK%7CAuth%20REST%20for%20token%20management%7C_____9
 #>
 function New-VenafiSession {
 
@@ -109,7 +113,6 @@ function New-VenafiSession {
 [Parameter(Mandatory, ParameterSetName = 'TokenIntegrated')]
 [Parameter(Mandatory, ParameterSetName = 'TokenCertificate')]
 [Parameter(Mandatory, ParameterSetName = 'AccessToken')]
- # [Parameter(Mandatory, ParameterSetName = 'TppToken', ValueFromPipelineByPropertyName)]
 [ValidateScript( {
 if ( $_ -match '^(https?:\/\/)?(((?!-))(xn--|_{1,1})?[a-z0-9-]{0,61}[a-z0-9]{1,1}\.)*(xn--)?([a-z0-9][a-z0-9\-]{0,60}|[a-z0-9-]{1,30}\.[a-z]{2,})$' ) {
 $true
@@ -127,30 +130,18 @@ function New-VenafiSession {
 
 [Parameter(Mandatory, ParameterSetName = 'TokenIntegrated')]
 [Parameter(Mandatory, ParameterSetName = 'TokenOAuth')]
- # [Parameter(Mandatory, ParameterSetName = 'TppToken', ValueFromPipelineByPropertyName)]
+ [Parameter(Mandatory, ParameterSetName = 'TokenCertificate')]
 [string] $ClientId,
 
 [Parameter(Mandatory, ParameterSetName = 'TokenIntegrated')]
 [Parameter(Mandatory, ParameterSetName = 'TokenOAuth')]
- # [Parameter(Mandatory, ParameterSetName = 'TppToken', ValueFromPipelineByPropertyName)]
+ [Parameter(Mandatory, ParameterSetName = 'TokenCertificate')]
 [hashtable] $Scope,
 
 [Parameter(ParameterSetName = 'TokenIntegrated')]
 [Parameter(ParameterSetName = 'TokenOAuth')]
 [string] $State,
 
- # [Parameter(Mandatory, ParameterSetName = 'TppToken')]
- # [ValidateScript( {
- # if ( $_.AccessToken -and $_.AuthUrl -and $_.ClientId ) {
- # $true
- # } else {
- # throw 'Object provided for TppToken is not valid. Please request a new token with New-TppToken.'
- # }
- # }
- # )]
- # [pscustomobject] $TppToken,
-
- # [Parameter(Mandatory, ParameterSetName = 'TppToken', ValueFromPipelineByPropertyName)]
 [Parameter(Mandatory, ParameterSetName = 'AccessToken')]
 [PSCredential] $AccessToken,
 
@@ -159,6 +150,7 @@ function New-VenafiSession {
 
 [Parameter(ParameterSetName = 'TokenOAuth')]
 [Parameter(ParameterSetName = 'TokenIntegrated')]
+ [Parameter(ParameterSetName = 'TokenCertificate')]
 [ValidateScript( {
 if ( $_ -match '^(https?:\/\/)?(((?!-))(xn--|_{1,1})?[a-z0-9-]{0,61}[a-z0-9]{1,1}\.)*(xn--)?([a-z0-9][a-z0-9\-]{0,60}|[a-z0-9-]{1,30}\.[a-z]{2,})$' ) {
 $true
@@ -235,14 +227,6 @@ function New-VenafiSession {
 $newSession.Expires = $token.Expires
 }
 
- # 'TppToken' {
- # $newSession.Token = [PSCustomObject]@{
- # AccessToken = $AccessToken
- # ClientId = $ClientId
- # Scope = $Scope
- # }
- # }
-
 'AccessToken' {
 $newSession.Token = [PSCustomObject]@{
 AccessToken = $AccessToken
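Review bot: `$ClientId` and `$Scope` gain `[Parameter(Mandatory, ParameterSetName = 'TokenCertificate')]`, but `$State`, documented in New-TppToken as the anti-CSRF state value, stays limited to the TokenIntegrated and TokenOAuth sets, so a certificate-based caller cannot pass it. If the certificate grant accepts a state value as the other two do, add `[Parameter(ParameterSetName = 'TokenCertificate')]` to `$State` as well; if it does not, a short comment on `$State` saying so would keep the next reader from adding it. Whether New-VenafiSession forwards `$Certificate` and `$State` to New-TppToken is not visible in this hunk; the param block continues outside it.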