functions/deploy/Get-JeaEndpoint.ps1
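function Get-JeaEndpoint {
    <#
    .SYNOPSIS
        Retrieve JEA Endpoints and their capabilities from target computers.

    .DESCRIPTION
        Retrieve JEA Endpoints and their capabilities from target computers.
        Resolves all roles / identity mappings, all capabilities and the remoting configuration.
        Check the "Roles" property for the actual capabilities exposed by the endpoint.

        The collection itself runs on each target computer (via Invoke-PSFCommand). Role capability
        files (.psrc) are read with Import-PowerShellDataFile, which parses them as data rather than
        executing them; a file that cannot be read is reported through the "Error" property of the
        respective role object instead of aborting the scan.

    .PARAMETER Name
        Name of the JEA endpoint to filter by. Defaults to '*'

    .PARAMETER ComputerName
        Computer to retrieve JEA endpoints from. Defaults to: $env:COMPUTERNAME

    .PARAMETER Credential
        Credentials to use for the remoting connection.

    .EXAMPLE
        PS C:\> Get-JeaEndpoint

        Searches the current computer for JEA endpoints

    .EXAMPLE
        PS C:\> Get-JeaEndpoint -ComputerName server1,server2,server3 -Name JEA_ServiceManager

        Retrieves the deployed JEA endpoints named JEA_ServiceManager.
        This includes the version they are deployed at if they were originally deployed through JEAnalyzer.
    #>
    [CmdletBinding()]
    param (
        [string]
        $Name = '*',

        [Parameter(ValueFromPipeline = $true)]
        [PSFComputer[]]
        $ComputerName = $env:COMPUTERNAME,

        [PSCredential]
        $Credential
    )

    begin {
        #region Scriptblock
        # Everything inside this scriptblock executes on the target computer.
        $scriptblock = {
            param (
                $Name
            )

            #region Functions
            function Convert-JeaSessionConfiguration {
                <#
                .SYNOPSIS
                    Converts a session configuration into a 'JEAnalyzer.Jea.Endpoint' object.

                .DESCRIPTION
                    Extracts the run-as mode, and - for endpoints deployed through JEAnalyzer -
                    the deployed version from the description prefix "[<Name> <major>.<minor>.<build>]".
                    The "Roles" property is left empty ($null) and is filled in by the caller.

                .PARAMETER Configuration
                    A session configuration object as returned by Get-PSSessionConfiguration.
                #>
                [CmdletBinding()]
                param (
                    $Configuration
                )

                $fromJEAnalyzer = $false
                $version = 'unknown'
                $description = $Configuration.Description

                # The version is captured from the prefix match itself rather than via a second
                # "-replace ... .{0,}$" pass: "." does not span line breaks, so a multi-line
                # description would previously have produced no version at all.
                $pattern = '^\[{0} (\d+\.\d+\.\d+)\]' -f ([regex]::Escape($Configuration.Name))
                if ($description -match $pattern) {
                    $fromJEAnalyzer = $true
                    $version = $Matches[1] -as [version]
                    # Strip the "[Name x.y.z]" prefix so only the human-readable text remains.
                    $description = ($description -replace '^.+?\]').Trim()
                }

                # An endpoint that does not use a virtual account runs as the configured RunAsUser,
                # which this module labels as the gMSA mode.
                $mode = 'gMSA'
                if ($Configuration.RunAsVirtualAccount) {
                    $mode = 'Virtual Admin'
                    # Virtual account restricted to explicit groups instead of local Administrators.
                    if ($Configuration.RunAsVirtualAccountGroups) {
                        $mode = 'Virtual Admin (Constrained)'
                    }
                }

                [PSCustomObject]@{
                    PSTypeName                = 'JEAnalyzer.Jea.Endpoint'
                    ComputerName              = $env:COMPUTERNAME
                    Name                      = $Configuration.Name
                    Mode                      = $mode
                    Enabled                   = $Configuration.Enabled
                    Author                    = $Configuration.Author
                    Description               = $description
                    Version                   = $version
                    Permissions               = $Configuration.Permission
                    Roles                     = $null
                    FromJEAnalyzer            = $fromJEAnalyzer
                    PSVersion                 = $Configuration.PSVersion
                    RunAsUser                 = $Configuration.RunAsUser
                    RunAsVirtualAccount       = $Configuration.RunAsVirtualAccount
                    RunAsVirtualAccountGroups = $Configuration.RunAsVirtualAccountGroups
                }
            }

            function Get-JeaRoleDefinition {
                <#
                .SYNOPSIS
                    Resolves the role capabilities mapped to one identity of a JEA endpoint.

                .DESCRIPTION
                    Emits one 'JEAnalyzer.Jea.RoleCapability' object per capability, whether it is
                    referenced by explicit file path (RoleCapabilityFiles) or by name (RoleCapabilities).
                    Read failures and missing files are surfaced in the "Error" property; the object
                    is emitted either way so that the mapping itself is never hidden.

                .PARAMETER Configuration
                    The session configuration the role definition belongs to.

                .PARAMETER Identity
                    The user or group the role definition applies to.

                .PARAMETER Definition
                    The role definition hashtable (value of the RoleDefinitions entry).
                #>
                [CmdletBinding()]
                param (
                    $Configuration,

                    [string]
                    $Identity,

                    [Hashtable]
                    $Definition
                )

                #region Capabilities referenced by file path
                foreach ($capabilityFile in $Definition.RoleCapabilityFiles) {
                    $fail = $null
                    $content = $null
                    try { $content = Import-PowerShellDataFile -Path $capabilityFile -ErrorAction Stop }
                    catch { $fail = $_ }

                    $capabilityName = (Split-Path -Path $capabilityFile -Leaf) -replace '\.psrc$'

                    [PSCustomObject]@{
                        PSTypeName              = 'JEAnalyzer.Jea.RoleCapability'
                        ComputerName            = $env:COMPUTERNAME
                        JeaEndpoint             = $Configuration.Name
                        Identity                = $Identity
                        Type                    = 'ByFile'
                        Name                    = $capabilityName
                        Path                    = $capabilityFile
                        Error                   = $fail
                        ModulesToImport         = $content.ModulesToImport
                        VisibleCmdlets          = $content.VisibleCmdlets
                        VisibleAliases          = $content.VisibleAliases
                        VisibleFunctions        = $content.VisibleFunctions
                        VisibleExternalCommands = $content.VisibleExternalCommands
                        VisibleProviders        = $content.VisibleProviders
                        AliasDefinitions        = $content.AliasDefinitions
                        FunctionDefinitions     = $content.FunctionDefinitions
                    }
                }
                #endregion Capabilities referenced by file path

                #region Capabilities referenced by name
                foreach ($capability in $Definition.RoleCapabilities) {
                    $file = $null
                    $fail = $null
                    $content = $null

                    # NOTE(review): only the system-wide WindowsPowerShell module path is searched and the
                    # first hit wins; confirm this matches how the endpoint itself resolves capabilities
                    # by name, otherwise a capability may be reported as missing (or a different file
                    # than the one actually in effect may be reported).
                    $file = Get-Item -Path "$env:ProgramFiles\WindowsPowerShell\Modules\*\RoleCapability\$capability.psrc" -ErrorAction Ignore |
                        Select-Object -First 1

                    if (-not $file) {
                        $fail = "Role Capability File not found!"
                    }
                    else {
                        try { $content = Import-PowerShellDataFile -Path $file.FullName -ErrorAction Stop }
                        catch { $fail = $_ }
                    }

                    [PSCustomObject]@{
                        PSTypeName              = 'JEAnalyzer.Jea.RoleCapability'
                        ComputerName            = $env:COMPUTERNAME
                        JeaEndpoint             = $Configuration.Name
                        Identity                = $Identity
                        Type                    = 'ByName'
                        Name                    = $capability
                        Path                    = $file.FullName
                        Error                   = $fail
                        ModulesToImport         = $content.ModulesToImport
                        VisibleCmdlets          = $content.VisibleCmdlets
                        VisibleAliases          = $content.VisibleAliases
                        VisibleFunctions        = $content.VisibleFunctions
                        VisibleExternalCommands = $content.VisibleExternalCommands
                        VisibleProviders        = $content.VisibleProviders
                        AliasDefinitions        = $content.AliasDefinitions
                        FunctionDefinitions     = $content.FunctionDefinitions
                    }
                }
                #endregion Capabilities referenced by name
            }
            #endregion Functions

            # Only RestrictedRemoteServer configurations are JEA endpoints.
            $jeaConfigurations = Get-PSSessionConfiguration | Where-Object SessionType -EQ RestrictedRemoteServer

            foreach ($jeaConfiguration in $jeaConfigurations) {
                if ($jeaConfiguration.Name -notlike $Name) { continue }

                $coreData = Convert-JeaSessionConfiguration -Configuration $jeaConfiguration
                # One role object per capability, for every identity -> definition mapping of the endpoint.
                $coreData.Roles = foreach ($pair in $jeaConfiguration.RoleDefinitions.GetEnumerator()) {
                    Get-JeaRoleDefinition -Identity $pair.Key -Definition $pair.Value -Configuration $jeaConfiguration
                }
                $coreData
            }
        }
        #endregion Scriptblock
    }

    process {
        # Results cross a remoting boundary; strip the deserialization type labels from the
        # endpoint objects and from the nested role objects so the PSTypeNames apply again.
        Invoke-PSFCommand -ComputerName $ComputerName -Credential $Credential -ScriptBlock $scriptblock -ArgumentList $Name |
            Remove-SerializationLabel |
            ForEach-Object {
                $_.Roles = $_.Roles | Remove-SerializationLabel
                $_
            }
    }
}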