Add support for vault access token. Closes #81 (#84)

* Add support for vault access token * Updates based on review * minor tweaks * code cleanuo * help update Co-authored-by: Greg Brownstein <[email protected]>
Venafi · Feb 14, 2022 · 6519cab · 6519cab
1 parent 45256a2
commit 6519cab
Showing 1 changed file with 58 additions and 8 deletions.
diff --git a/VenafiPS/Public/Test-TppToken.ps1 b/VenafiPS/Public/Test-TppToken.ps1
@@ -7,11 +7,17 @@ Use the TPP API call 'Authorize/Verify' to test if the current token is valid.
 
 .PARAMETER AuthServer
 Auth server or url, venafi.company.com or https://venafi.company.com.
+This will be used to access vedauth for token-based authentication.
 If just the server name is provided, https:// will be appended.
 
 .PARAMETER AccessToken
 Access token retrieved outside this module.  Provide a credential object with the access token as the password.
 
+.PARAMETER VaultAccessTokenName
+Name of the SecretManagement vault entry for the access token; the name of the vault must be VenafiPS.
+Note: '-Server' parameter is required if the vault does not contain saved metadata.
+See New-VenafiSession -VaultMetaData
+
 .PARAMETER TppToken
 Token object obtained from New-TppToken
 
@@ -43,9 +49,17 @@ $TppToken | Test-TppToken
 Verify that token object from pipeline is valid. Can be used to validate directly object from New-TppToken.
 
 .EXAMPLE
-Test-TppToken -AuthServer 'mytppserver.example.com' -AccessToken $cred
+Test-TppToken -AuthServer venafi.mycompany.com -AccessToken $cred
 Verify that PsCredential object containing accesstoken is valid.
 
+.EXAMPLE
+Test-TppToken -VaultAccessTokenName access-token
+Verify access token stored in VenafiPS vault, metadata stored with secret
+
+.EXAMPLE
+Test-TppToken -VaultAccessTokenName access-token -AuthServer venafi.mycompany.com
+Verify access token stored in VenafiPS vault providing server to authenticate against
+
 .EXAMPLE
 Test-TppToken -GrantDetail
 Verify that accesstoken stored in $VenafiSession object is valid and return PsCustomObject as output with details.
@@ -67,6 +81,7 @@ function Test-TppToken {
 
     param (
         [Parameter(Mandatory, ParameterSetName = 'AccessToken')]
+        [Parameter(ParameterSetName = 'VaultAccessToken')]
         [ValidateScript( {
                 if ( $_ -match '^(https?:\/\/)?(((?!-))(xn--|_{1,1})?[a-z0-9-]{0,61}[a-z0-9]{1,1}\.)*(xn--)?([a-z0-9][a-z0-9\-]{0,60}|[a-z0-9-]{1,30}\.[a-z]{2,})$' ) {
                     $true
@@ -85,6 +100,9 @@ function Test-TppToken {
         [Parameter(Mandatory, ParameterSetName = 'TppToken', ValueFromPipeline)]
         [pscustomobject] $TppToken,
 
+        [Parameter(Mandatory, ParameterSetName = 'VaultAccessToken')]
+        [string] $VaultAccessTokenName,
+
         [Parameter()]
         [switch] $GrantDetail,
 
@@ -98,6 +116,12 @@ function Test-TppToken {
             UriRoot = 'vedauth'
             UriLeaf = 'Authorize/Verify'
         }
+
+        $serverUrl = $AuthServer
+        # add prefix if just server url was provided
+        if ( $serverUrl -notlike 'https://*') {
+            $serverUrl = 'https://{0}' -f $serverUrl
+        }
     }
 
     process {
@@ -120,14 +144,40 @@ function Test-TppToken {
             }
 
             'AccessToken' {
-                $AuthUrl = $AuthServer
-                # add prefix if just server url was provided
-                if ( $AuthServer -notlike 'https://*') {
-                    $AuthUrl = 'https://{0}' -f $AuthUrl
+                $params.Server = $serverUrl
+                $params.Header = @{'Authorization' = 'Bearer {0}' -f $AccessToken.GetNetworkCredential().password }
+            }
+
+            'VaultAccessToken' {
+                # ensure the appropriate setup has been performed
+                if ( -not (Get-Module -Name Microsoft.PowerShell.SecretManagement -ListAvailable)) {
+                    throw 'The module Microsoft.PowerShell.SecretManagement is required as well as a vault named ''VenafiPS''.  See the github readme for guidance, https://github.com/Venafi/VenafiPS#tokenkey-secret-storage.'
                 }
 
-                $params.Server = $AuthUrl
-                $params.Header = @{'Authorization' = 'Bearer {0}' -f $AccessToken.GetNetworkCredential().password }
+                $vault = Get-SecretVault -Name 'VenafiPS' -ErrorAction SilentlyContinue
+                if ( -not $vault ) {
+                    throw 'A SecretManagement vault named ''VenafiPS'' could not be found'
+                }
+
+                $tokenSecret = Get-Secret -Name $VaultAccessTokenName -Vault 'VenafiPS' -ErrorAction SilentlyContinue
+                if ( -not $tokenSecret ) {
+                    throw "'$VaultAccessTokenName' secret not found in vault VenafiPS."
+                }
+
+                # check if metadata was stored
+                $secretInfo = Get-SecretInfo -Name $VaultAccessTokenName -Vault 'VenafiPS' -ErrorAction SilentlyContinue
+
+                if ( $secretInfo.Metadata.Count -gt 0 ) {
+                    $params.Server = $secretInfo.Metadata.AuthServer
+                }
+                else {
+                    if ( -not $AuthServer ) {
+                        throw '-AuthServer is a required parameter as it wasn''t stored with New-VenafiSession -VaultMetadata'
+                    }
+
+                    $params.Server = $serverUrl
+                }
+                $params.Header = @{'Authorization' = 'Bearer {0}' -f $tokenSecret.GetNetworkCredential().password }
             }
 
             'TppToken' {
@@ -148,7 +198,7 @@ function Test-TppToken {
 
         $response = Invoke-VenafiRestMethod @params -FullResponse
 
-        if ( $GrantDetail.IsPresent ) {
+        if ( $GrantDetail ) {
 
             switch ([int]$response.StatusCode) {