Open-Secret - allows for checking out a secret

docs/_data/navigation.yml

@@ -150,6 +150,8 @@ commands:
         url: /commands/Invoke-TssSecretGeneratePassword
       - title: "New-TssSecret"
         url: /commands/New-TssSecret
+      - title: "Open-TssSecret"
+        url: /commands/Open-TssSecret
       - title: "Remove-TssSecret"
         url: /commands/Remove-TssSecret
       - title: "Restore-TssSecret"

docs/collections/_pages/commands.md

@@ -118,6 +118,7 @@ The table below lists the API endpoints matched up to the function that directly
 
 **Command** | **API Endpoint** |
 ---------------- | --------------------------------- |
+[Close-TssSecret] | POST /secrets/{id}/check-in
 [Disable-TssSecretCheckout] | PATCH /secrets/{id}/security-checkout
 [Disable-TssSecretEmail] | PATCH /secrets/{id}/email
 [Enable-TssSecretCheckout] | PATCH /secrets/{id}/security-checkout
@@ -137,7 +138,8 @@ The table below lists the API endpoints matched up to the function that directly
 [Invoke-TssSecretGeneratePassword] | GET /internals/secret-detail/{id}/generate-password
 [Invoke-TssSecretGeneratePassword] | POST /internals/secret-detail/{id}/validate-password
 [New-TssSecret] | POST /secrets
-[Close-TssSecret] | POST /secrets/{id}/check-in
+[Open-TssSecret] | POST /secret-access-requests/secrets/{id}/view-comment
+[Open-TssSecret] | POST /secrets/{id}/check-out
 [Remove-TssSecret] | DELETE /secrets/{id}
 [Restore-TssSecret] | PUT /secrets/{id}/undelete
 [Revoke-TssSecret] | POST /secrets/{id}/expire
@@ -308,4 +310,5 @@ The table below lists the API endpoints matched up to the function that directly
 [Remove-TssSecretPerimssion]:/thycotic.secretserver/commands/Remove-TssSecretPermission
 [Search-TssSecretPerimssion]:/thycotic.secretserver/commands/Search-TssSecretPermission
 [Update-TssSecretPerimssion]:/thycotic.secretserver/commands/Update-TssSecretPermission
-[New-TssSecretPerimssion]:/thycotic.secretserver/commands/New-TssSecretPermission
+[New-TssSecretPerimssion]:/thycotic.secretserver/commands/New-TssSecretPermission
+[Open-TssSecret]:/thycotic.secretserver/commands/Open-TssSecret

src/functions/secrets/Open-Secret.ps1

@@ -0,0 +1,114 @@
+function Open-Secret {
+    <#
+    .SYNOPSIS
+    Checkout a Secret
+
+    .DESCRIPTION
+    Checkout a Secret
+
+    .LINK
+    https://thycotic-ps.github.io/thycotic.secretserver/commands/Open-TssSecret
+
+    .LINK
+    https://github.com/thycotic-ps/thycotic.secretserver/blob/main/src/functions/secrets/Open-Secret.ps1
+
+    .EXAMPLE
+    $session = New-TssSession -SecretServer https://alpha -Credential $ssCred
+    Checkout-TssSecret -TssSession $session -Id 72 -TicketId 'N000354'
+
+    Checkout Secret ID 72 providing ticket number required by Ticket Integration
+
+    .EXAMPLE
+    $session = New-TssSession -SecretServer https://alpha -Credential $ssCred
+    Open-TssSecret -TssSession $session -Id 376
+
+    Checkout Secret ID 376
+
+    .EXAMPLE
+    $session = New-TssSession -SecretServer https://alpha -Credential $ssCred
+    Open-TssSecret -TssSession $session -Id 42 -Comment "CI process"
+
+    Checkout Secret ID 42 providing a comment (Secret configured to checkout and require comment)
+
+    .NOTES
+    Requires TssSession object returned by New-TssSession
+    #>
+    [CmdletBinding(SupportsShouldProcess)]
+    [OutputType('TssSecret')]
+    param (
+        # TssSession object created by New-TssSession for auth
+        [Parameter(Mandatory,ValueFromPipeline,Position = 0)]
+        [TssSession]
+        $TssSession,
+
+        # Secret ID
+        [Alias("SecretId")]
+        [int]
+        $Id,
+
+        # Comment to provide for restricted secret (Require Comment is enabled)
+        [string]
+        $Comment,
+
+        # Associated ticket number (required for ticket integrations)
+        [string]
+        $TicketNumber,
+
+        # Associated ticket system ID (required for ticket integrations)
+        [int]
+        $TicketSystemId
+    )
+    begin {
+        $tssParams = $PSBoundParameters
+        $invokeViewCommentParams = . $GetInvokeTssParams $TssSession
+        $invokeCheckoutParams = . $GetInvokeTssParams $TssSession
+    }
+    process {
+        Write-Verbose "Provided command parameters: $(. $GetInvocation $PSCmdlet.MyInvocation)"
+        if ($tssParams.ContainsKey('TssSession') -and $TssSession.IsValidSession()) {
+            . $CheckVersion $TssSession '10.9.000000' $PSCmdlet.MyInvocation
+
+            # Checkout endpoint requires a pre-checkout comment be sent
+            $restrictedBody = @{}
+            switch ($tssParams.Keys) {
+                'Comment' { $restrictedBody.Add('comment',$Comment) }
+                'TicketNumber' { $restrictedBody.Add('ticketNumber', $TicketNumber) }
+                'TicketSystemId' { $restrictedBody.Add('ticketSystemId', $TicketSystemId) }
+            }
+            if ($restrictedBody.Count -gt 0) {
+                $uriViewComment = $TssSession.ApiUrl, 'secret-access-requests', 'secrets', $Id, 'view-comment' -join '/'
+
+                $invokeViewCommentParams.Body = $restrictedBody | ConvertTo-Json
+                $invokeViewCommentParams.Uri = $uriViewComment
+                $invokeViewCommentParams.Method = 'POST'
+
+                if ($PSCmdlet.ShouldProcess("Secret ID: $Id", "$($invokeViewCommentParams.Method) $uriViewComment with: `n$($invokeViewCommentParams.Body)`n")) {
+                    Write-Verbose "Performing the operation $($invokeViewCommentParams.Method) $uriViewComment with:`n$($invokeViewCommentParams.Body)`n"
+                    try {
+                        . $InvokeApi @invokeViewCommentParams >$null
+                    } catch {
+                        Write-Warning "Issue adding view comment for Secret [$Id]"
+                        $err = $_
+                        . $ErrorHandling $err
+                    }
+                }
+            }
+            # Secret Checkout
+            $uriCheckout = $TssSession.ApiUrl, 'secrets', $Id, 'check-out' -join '/'
+            $invokeCheckoutParams.Uri = $uriCheckout
+            $invokeCheckoutParams.Method = 'POST'
+            if ($PSCmdlet.ShouldProcess("Secret ID: $Id", "$($invokeCheckoutParams.Method) $uriCheckout")) {
+                Write-Verbose "Performing the operation $($invokeCheckoutParams.Method) $uriCheckout"
+                try {
+                    . $InvokeApi @invokeCheckoutParams >$null
+                } catch {
+                    Write-Warning "Issue checking out Secret [$Id]"
+                    $err = $_
+                    . $ErrorHandling $err
+                }
+            }
+        } else {
+            Write-Warning "No valid session found"
+        }
+    }
+}

tests/secrets/Open-Secret.Tests.ps1

@@ -0,0 +1,19 @@
+BeforeDiscovery {
+    $commandName = Split-Path ($PSCommandPath.Replace('.Tests.ps1','')) -Leaf
+}
+Describe "$commandName verify parameters" {
+    BeforeDiscovery {
+        [object[]]$knownParameters = 'TssSession', 'Id', 'Comment', 'TicketNumber', 'TicketSystemId'
+        [object[]]$currentParams = ([Management.Automation.CommandMetaData]$ExecutionContext.SessionState.InvokeCommand.GetCommand($commandName,'Function')).Parameters.Keys
+        [object[]]$commandDetails = [System.Management.Automation.CommandInfo]$ExecutionContext.SessionState.InvokeCommand.GetCommand($commandName,'Function')
+        $unknownParameters = Compare-Object -ReferenceObject $knownParameters -DifferenceObject $currentParams -PassThru
+    }
+    Context "Verify parameters" -Foreach @{currentParams = $currentParams } {
+        It "$commandName should contain <_> parameter" -TestCases $knownParameters {
+            $_ -in $currentParams | Should -Be $true
+        }
+        It "$commandName should not contain parameter: <_>" -TestCases $unknownParameters {
+            $_ | Should -BeNullOrEmpty
+        }
+    }
+}