Add vault/secret management (#36)

* first cut, secrets mgmt * readme update * help, bugfixes * minor help updates * remove clientid param from access token vault * help update * new function * code cleanup * release prep * release prep * more release prep
Venafi · Nov 1, 2021 · eeae3db · eeae3db
1 parent c926b04
commit eeae3db
Show file tree

Hide file tree

Showing 8 changed files with 348 additions and 58 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.3.0
+- Add support for local token/key storage with [PowerShell SecretManagement](https://devblogs.microsoft.com/powershell/secretmanagement-and-secretstore-are-generally-available/).  Store your access or refresh token securely and have VenafiPS use it to create a new session.
+- Add `Get-TppClassAttribute` to list all attributes for a specific class.  Helpful for attribute validation and getting values for all attributes.
+
 ## 3.2.0
 - Add support for token refresh to `New-VenafiSession` and `New-TppToken`.  Auto-refresh $VenafiSession when token expires and we have a refresh token.  [#33](https://github.com/gdbarron/VenafiPS/issues/33)
 - Fix invalid grant details in `Test-TppToken`, [#32](https://github.com/gdbarron/VenafiPS/issues/32)

diff --git a/README.md b/README.md
@@ -26,6 +26,16 @@ Documentation can be found at [http://VenafiPS.readthedocs.io](http://VenafiPS.r
 
 VenafiPS is published to the PowerShell Gallery.  The most recent version is listed in the badge 'powershell gallery' above and can be viewed by clicking on it.  To install the module, you need to have PowerShell installed first.  On Windows, PowerShell will already be installed.  For [Linux](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-linux?view=powershell-7) or [macOS](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-macos?view=powershell-7), you will need to install PowerShell Core; follow those links for guidance.  Once PowerShell is installed, start a PowerShell prompt and execute `Install-Module -Name VenafiPS` which will install from the gallery.
 
+### Token/Key Secret Storage
+
+To securely store and retrieve secrets, VenafiPS has added support for the [PowerShell SecretManagement module](https://github.com/PowerShell/SecretManagement).  This can be used to store your access tokens, refresh tokens, or vaas key.  To use this feature, a vault will need to be created.  You can use [SecretStore](https://github.com/PowerShell/SecretStore) provided by the PowerShell team or any other vault type.  All of this functionality has been added to `New-VenafiSession`.  To prepare your environment, execute the following:
+- `Install-Module Microsoft.PowerShell.SecretManagement`
+- `Install-Module Microsoft.PowerShell.SecretStore` or whichever vault you would like to use
+- `Register-SecretVault -Name VenafiPS -ModuleName Microsoft.PowerShell.SecretStore`.  If you are using a different vault type, replace the value for `-ModuleName`.
+- If using the vault Microsoft.PowerShell.SecretStore, execute `Set-SecretStoreConfiguration -Authentication None -Confirm:$false`.  Note, although the vault authentication is set to none, this just turns off the password required to access the vault, it does not mean your secrets are not encrypted.  This is required for automation purposes.  If using a different vault type, ensure you turn off any features which inhibit automation.
+
+Note, extension vaults are registered to the current logged in user context, and will be available only to that user (unless also registered to other users).
+
 ## Usage
 
 As the module supports both TPP and Venafi as a Service, you will note different names for the functions.  Functions with `-Tpp` are for TPP only, `-Vaas` are for Venafi as a Service only, and `-Venafi` are for both.
@@ -35,6 +45,12 @@ Start a new PowerShell prompt (even if you have one from the Install Module step
 ```powershell
 $cred = Get-Credential
 New-VenafiSession -Server 'venafi.mycompany.com' -Credential $cred -ClientId 'MyApp' -Scope @{'certificate'='manage'}
+
+# to store access token for later use
+New-VenafiSession -Server 'venafi.mycompany.com' -Credential $cred -ClientId 'MyApp' -Scope @{'certificate'='manage'} -VaultAccessTokenName TppAccessToken
+
+# to store refresh token for later use
+New-VenafiSession -Server 'venafi.mycompany.com' -Credential $cred -ClientId 'MyApp' -Scope @{'certificate'='manage'} -VaultRefreshTokenName TppRefreshToken
 ```
 
 This will create a session which will be used by default in other functions.

diff --git a/RELEASE.md b/RELEASE.md
@@ -1,5 +1,2 @@
-- Add support for token refresh to `New-VenafiSession` and `New-TppToken`.  Auto-refresh $VenafiSession when token expires and we have a refresh token.  [#33](https://github.com/gdbarron/VenafiPS/issues/33)
-- Fix invalid grant details in `Test-TppToken`, [#32](https://github.com/gdbarron/VenafiPS/issues/32)
-- Update Version in VenafiSession object, from `Get-TppVersion`, to be of type Version.  Drop Revision from version so now only 3 octets.  This assists in performing version validation.
-- Update `New-TppToken` to account for a bug in pre 21.3 which expected the client_id to be lowercase
-- Update `Test-TppToken` to validate the tpp version is supported
+- Add support for local token/key storage with [PowerShell SecretManagement](https://devblogs.microsoft.com/powershell/secretmanagement-and-secretstore-are-generally-available/).  Store your access or refresh token securely and have VenafiPS use it to create a new session.
+- Add `Get-TppClassAttribute` to list all attributes for a specific class.  Helpful for attribute validation and getting values for all attributes.
diff --git a/VenafiPS/Public/Get-TppAttribute.ps1 b/VenafiPS/Public/Get-TppAttribute.ps1
@@ -26,7 +26,7 @@ Get the effective values of the attribute
 Session object created from New-VenafiSession method.  The value defaults to the script session object $VenafiSession.
 
 .INPUTS
-InputObject, Path, Guid
+Path, Guid
 
 .OUTPUTS
 PSCustomObject with properties Name, Value, IsCustomField, and CustomName
@@ -60,15 +60,12 @@ https://docs.venafi.com/Docs/20.4SDK/TopNav/Content/SDK/WebSDK/r-SDK-POST-Config
 
 #>
 function Get-TppAttribute {
-    [CmdletBinding(DefaultParameterSetName = 'ByObject')]
+    [CmdletBinding(DefaultParameterSetName = 'ByPath')]
     param (
 
-        [Parameter(Mandatory, ParameterSetName = 'EffectiveByObject', ValueFromPipeline)]
-        [Parameter(Mandatory, ParameterSetName = 'ByObject', ValueFromPipeline)]
-        [TppObject] $InputObject,
-
-        [Parameter(Mandatory, ParameterSetName = 'EffectiveByPath', ValueFromPipeline)]
-        [Parameter(Mandatory, ParameterSetName = 'ByPath', ValueFromPipeline)]
+        [Parameter(Mandatory, ParameterSetName = 'EffectiveByPath', ValueFromPipeline, ValueFromPipelineByPropertyName)]
+        [Parameter(Mandatory, ParameterSetName = 'ByPath', ValueFromPipeline, ValueFromPipelineByPropertyName)]
+        [Parameter(Mandatory, ParameterSetName = 'AllByPath', ValueFromPipeline, ValueFromPipelineByPropertyName)]
         [ValidateNotNullOrEmpty()]
         [ValidateScript( {
                 if ( $_ | Test-TppDnPath ) {
@@ -86,16 +83,13 @@ function Get-TppAttribute {
         [ValidateNotNullOrEmpty()]
         [guid[]] $Guid,
 
-        [Parameter(Mandatory, ParameterSetName = 'EffectiveByObject')]
-        [Parameter(ParameterSetName = 'ByObject')]
         [Parameter(Mandatory, ParameterSetName = 'EffectiveByPath')]
         [Parameter(ParameterSetName = 'ByPath')]
         [Parameter(Mandatory, ParameterSetName = 'EffectiveByGuid')]
         [Parameter(ParameterSetName = 'ByGuid')]
         [ValidateNotNullOrEmpty()]
         [String[]] $Attribute,
 
-        [Parameter(Mandatory, ParameterSetName = 'EffectiveByObject')]
         [Parameter(Mandatory, ParameterSetName = 'EffectiveByPath')]
         [Parameter(Mandatory, ParameterSetName = 'EffectiveByGuid')]
         [Alias('EffectivePolicy')]
@@ -134,10 +128,6 @@ function Get-TppAttribute {
     process {
 
         switch -Wildcard ($PSCmdlet.ParameterSetName) {
-            '*Object' {
-                $pathToProcess = $InputObject.Path
-            }
-
             '*Path' {
                 $pathToProcess = $Path
             }
@@ -151,6 +141,7 @@ function Get-TppAttribute {
 
             $baseParams.Body['ObjectDN'] = $thisPath
 
+
             # if specifying attribute name(s), it's a different rest api
             if ( $PSBoundParameters.ContainsKey('Attribute') ) {
 

diff --git a/VenafiPS/Public/Get-TppClassAttribute.ps1 b/VenafiPS/Public/Get-TppClassAttribute.ps1
@@ -0,0 +1,62 @@
+<#
+.SYNOPSIS
+    List all attributes for a specified class
+.DESCRIPTION
+    List all attributes for a specified class, helpful for validation or to pass to Get-TppAttribute
+.EXAMPLE
+    Get-TppClassAttribute -ClassName 'X509 Server Certificate'
+    Get all attributes for the specified class
+.INPUTS
+    ClassName
+.OUTPUTS
+    PSCustomObject
+#>
+function Get-TppClassAttribute {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory, ValueFromPipeline)]
+        [string] $ClassName,
+
+        [Parameter()]
+        [VenafiSession] $VenafiSession = $script:VenafiSession
+    )
+
+    begin {
+        $allAttributes = [System.Collections.Generic.List[object]]::new()
+    }
+
+    process {
+
+        Write-Verbose "Processing $ClassName"
+
+        $params = @{
+            VenafiSession = $VenafiSession
+            Method        = 'Post'
+            UriLeaf       = 'configschema/class'
+            Body          = @{
+                'Class' = $ClassName
+            }
+        }
+        $classDetails = Invoke-VenafiRestMethod @params | Select-Object -ExpandProperty 'ClassDefinition'
+
+        if ($ClassName -ne 'Top') {
+            $recurseAttribs = $classDetails.SuperClassNames | Get-TppClassAttribute
+            foreach ($item in $recurseAttribs) {
+                $allAttributes.Add($item)
+            }
+        }
+
+        foreach ($item in ($classDetails.OptionalNames)) {
+            $allAttributes.Add(
+                [pscustomobject] @{
+                    'Name'  = $item
+                    'Class' = $classDetails.Name
+                }
+            )
+        }
+    }
+
+    end {
+        $allAttributes | Sort-Object -Property 'Name', 'Class' -Unique
+    }
+}
diff --git a/VenafiPS/Public/New-TppToken.ps1 b/VenafiPS/Public/New-TppToken.ps1
@@ -242,7 +242,7 @@ function New-TppToken {
             Server         = $params.ServerUrl
             AccessToken    = New-Object System.Management.Automation.PSCredential('AccessToken', ($response.access_token | ConvertTo-SecureString -AsPlainText -Force))
             RefreshToken   = $null
-            Scope          = $response.scope
+            Scope          = $Scope
             Identity       = $response.identity
             TokenType      = $response.token_type
             ClientId       = $params.Body.client_id