Skip to content

Commit

Permalink
Create object and commands to assign global permission (#473)
Browse files Browse the repository at this point in the history 
vCenter UI provides functionality to set 'global permissions' for accounts:
https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-C7702E31-1623-4189-89CB-E1136AA27972.html
However, there is no automation for this operation.

The approach taken is to communicate with vCenter MOB and execute the
request modelling browser operation.

Signed-off-by: Vladimir Bespalov <[email protected]>
  • Loading branch information
@win32asm
win32asm committed Nov 14, 2024
1 parent 9f98501 commit eeea5e5
Show file tree
Hide file tree
Showing 2 changed files with 269 additions and 2 deletions.
266 changes: 266 additions & 0 deletions Modules/VMware.vSphere.SsoAdmin/MobConnect.ps1
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,266 @@
<#
Copyright 2024 JetStream Software, Inc.
SPDX-License-Identifier: BSD-2-Clause
#>

class MobConnection {
<#
.NOTES
===================================================
MOB3 connection object
Approach borrowed from https://github.com/lamw/vmware-scripts/blob/master/powershell/GlobalPermissions.ps1
===================================================
Created on: 11/13/2024
Github: https://github.com/jetstreamsoft
===================================================
Usage sample:
$local_user_name = "[email protected]"
$credential = New-Object System.Management.Automation.PSCredential($adminname, $adminpasswd)
$role_id = (Get-VIRole -Name $role_name).ExtensionData.RoleId
$mobconn = New-Object MobConnection($vcenter_server, $credential, $True)
$mobconn.SetPermissions($local_user_name, $role_id, $True)
$mobconn.Logout()
#>

hidden [object] $session
hidden [string] $nonce
hidden [string] $vc_address
hidden [bool] $skipCertCheck

MobConnection([string] $vcenter, [PSCredential] $credential, [bool] $skipCertCheck) {
if ([string]::IsNullOrEmpty($vcenter)) {
Write-Error "vcenter parameter is required" -ErrorAction Stop
}
if ($credential -eq $null) {
Write-Error "credential parameter is required." -ErrorAction Stop
}

$this.vc_address = $vcenter
$this.session = $null
$this.skipCertCheck = $skipCertCheck

# vSphere MOB URL that would allow to extract nonce.
$login_mob_url = "https://$($this.vc_address)/invsvc/mob3/?moid=authorizationService&method=AuthorizationService.AddGlobalAccessControlList"

$sessionvar = $null
# Initial login to vSphere MOB using GET and store session in class variable
$login_params = @{
"Uri" = $login_mob_url
"SessionVariable" = "sessionvar"
"Credential" = $credential
"Method" = "GET"
}
if ($this.skipCertCheck) {
$login_params["SkipCertificateCheck"] = $True
}
$results = Invoke-WebRequest @login_params

# Extract hidden vmware-session-nonce which must be included in future requests to prevent CSRF error
# Credit to https://blog.netnerds.net/2013/07/use-powershell-to-keep-a-cookiejar-and-post-to-a-web-form/ for parsing vmware-session-nonce via Powershell
if($results.StatusCode -eq 200) {
$null = $results -match 'name="vmware-session-nonce" type="hidden" value="?([^\s^"]+)"'
$this.nonce = $matches[1]
$this.session = $sessionvar
} else {
Write-Error "Failed to login to vSphere MOB with $($results.StatusCode) - $($results.Content)" -ErrorAction Stop
}
}

[void] SetPermissions([string] $user_domain, [long] $vc_role_id, [bool] $propagate) {
if ($this.session -eq $null) {
Write-Error "Object not logged in, please relogin" -ErrorAction Stop
}
if ([string]::IsNullOrEmpty($user_domain)){
Write-Error "user_domain parameter is required" -ErrorAction Stop
}
if ($user_domain.Contains('<') -or $user_domain.Contains('>')) {
Write-Error "Invalid user name provided - $user_domain" -ErrorAction Stop
}

# vSphere MOB URL to private enableMethods
$enable_mob_url = "https://$($this.vc_address)/invsvc/mob3/?moid=authorizationService&method=AuthorizationService.AddGlobalAccessControlList"

# Prepare permissions request
$request_body = @"
<permissions>
<principal>
<name>$user_domain</name>
<group>false</group>
</principal>
<roles>$vc_role_id</roles>
<propagate>$propagate</propagate>
</permissions>
"@
# The POST data payload must include the vmware-session-nonce variable + URL-encoded request body
$body="vmware-session-nonce=$($this.nonce)&permissions=$([uri]::EscapeDataString($request_body))"
$enable_params = @{
"Uri" = $enable_mob_url
"WebSession" = $this.session
"Method" = "POST"
"Body" = $body
}
if ($this.skipCertCheck) {
$enable_params["SkipCertificateCheck"] = $True
}
$results = Invoke-WebRequest @enable_params
if($results.StatusCode -ne 200) {
Write-Error "Failed to assign permissions with $($results.StatusCode) - $($results.Content)" -ErrorAction Stop
}
}

[bool] IsConnected() {
return $this.session -ne $null
}

[void] Logout() {
if ($this.session -eq $null) {
Write-Information "Object not logged in"
return
}
# Logout out of vSphere MOB
$logout_mob_url = "https://$($this.vc_address)/invsvc/mob3/logout"
$logout_params = @{
"Uri" = $logout_mob_url
"WebSession" = $this.session
"Method" = "GET"
}
if ($this.skipCertCheck) {
$logout_params["SkipCertificateCheck"] = $True
}
$results = Invoke-WebRequest @logout_params
$this.session = $null
}
}

function Connect-VcenterServerMOB {
<#
.NOTES
===========================================================================
.DESCRIPTION
This function establishes a connection to a vSphere server managed object browser.
.PARAMETER Server
Specifies the IP address or the DNS name of the vSphere server to which you want to connect.
.PARAMETER User
Specifies the user name you want to use for authenticating with the server.
.PARAMETER Password
Specifies the password you want to use for authenticating with the server.
.PARAMETER Credential
Specifies a PSCredential object to for authenticating with the server.
.PARAMETER SkipCertificateCheck
Specifies whether server Tls certificate validation will be skipped
.EXAMPLE
Connect-VcenterServerMOB -Server my.vc.server -User [email protected] -Password MyStrongPa$$w0rd
Returns an object with connection of '[email protected]' user to MOB of vCenter server 'my.vc.server'
#>
[CmdletBinding()]
param(
[Parameter(
Mandatory = $true,
ValueFromPipeline = $false,
ValueFromPipelineByPropertyName = $false,
HelpMessage = 'IP address or the DNS name of the vSphere server')]
[string]
$Server,

[Parameter(
Mandatory = $true,
ValueFromPipeline = $false,
ValueFromPipelineByPropertyName = $false,
HelpMessage = 'User name you want to use for authenticating with the server',
ParameterSetName = 'UserPass')]
[string]
$User,

[Parameter(
Mandatory = $true,
ValueFromPipeline = $false,
ValueFromPipelineByPropertyName = $false,
HelpMessage = 'Password you want to use for authenticating with the server',
ParameterSetName = 'UserPass')]
[VMware.vSphere.SsoAdmin.Utils.StringToSecureStringArgumentTransformationAttribute()]
[SecureString]
$Password,

[Parameter(
Mandatory = $true,
ValueFromPipeline = $false,
ValueFromPipelineByPropertyName = $false,
HelpMessage = 'PSCredential object to use for authenticating with the server',
ParameterSetName = 'Credential')]
[PSCredential]
$Credential,

[Parameter(
Mandatory = $false,
HelpMessage = 'Skips server Tls certificate validation')]
[switch]
$SkipCertificateCheck)

Process {
$vCenterMOB = $null

try {
if ($PSBoundParameters.ContainsKey('Credential')) {
$vCenterMOB = New-Object MobConnection `
-ArgumentList @(
$Server,
$Credential,
$SkipCertificateCheck)
} else {
$_credential = New-Object System.Management.Automation.PSCredential($User, $Password)
$vCenterMOB = New-Object MobConnection `
-ArgumentList @(
$Server,
$_credential,
$SkipCertificateCheck)
}
} catch {
Write-Error (FormatError $_.Exception)
}

return $vCenterMOB
}
}

function Disconnect-VcenterServerMOB {
<#
.NOTES
===========================================================================
.DESCRIPTION
This function closes the connection to a vSphere server managed object browser.
.PARAMETER Server
Specifies the vSphere server MOB connection you want to terminate
.EXAMPLE
$myMobConnection = Connect-VcenterServerMOB -Server my.vc.server -User [email protected] -Password 'MyStrongPa$$w0rd'
Disconnect-VcenterServerMOB -Server $myMobConnection
Disconnect a vSphere server managed object browser stored in 'myMobConnection' varaible
#>
[CmdletBinding()]
param(
[Parameter(
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $false,
HelpMessage = 'MobConnection object')]
[ValidateNotNull()]
[MobConnection]
$Server
)

Process {
if ($Server.IsConnected()) {
$Server.Logout()
}
}
}
5 changes: 3 additions & 2 deletions Modules/VMware.vSphere.SsoAdmin/VMware.vSphere.SsoAdmin.psd1
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
RootModule = 'VMware.vSphere.SsoAdmin.psm1'

# Version number of this module.
ModuleVersion = '1.3.9'
ModuleVersion = '1.4.0'

# Supported PSEditions
# CompatiblePSEditions = @()
Expand Down Expand Up @@ -80,7 +80,8 @@ FunctionsToExport = 'Connect-SsoAdminServer', 'Disconnect-SsoAdminServer',
'Get-SsoTokenLifetime', 'Set-SsoTokenLifetime', 'Get-IdentitySource', 'Set-IdentitySource',
'Remove-IdentitySource', 'Add-ActiveDirectoryIdentitySource',
'Add-LDAPIdentitySource', 'Set-LDAPIdentitySource',
'Get-SsoAuthenticationPolicy', 'Set-SsoAuthenticationPolicy'
'Get-SsoAuthenticationPolicy', 'Set-SsoAuthenticationPolicy',
'Connect-VcenterServerMOB', 'Disconnect-VcenterServerMOB'

# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
CmdletsToExport = @()
Expand Down

0 comments on commit eeea5e5

Please sign in to comment.