Get-SAStokenValidity--v1-0.psm1
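$FunctionScriptName = "Get-SAStokenValidity"
Write-Verbose "Import-Start| [$($FunctionScriptName)]"

function Get-SAStokenValidity {
    <#
    .SYNOPSIS
    Check if a SAS token is valid -> dry check.
    .DESCRIPTION
    Checks the validity of the provided SAS token: the required query fields, the requested
    services / resource types / permissions, the permitted protocol (spr), the presence of a
    signature and the st/se time window.
    Does not check a custom (stored access) policy and does not verify the token signature.
    Output: True/False + details in Verbose / Debug.
    An empty token, a token without an expiry (se=), an expired token and a token that is not
    yet active throw instead of returning False.
    .PARAMETER sastoken
    The SAS token value (query string, with or without a leading '?'). Defaults to a variable
    named $sastoken in the caller's scope if one exists.
    .PARAMETER pipe
    The SAS token value from pipeline input.
    .PARAMETER AllowHTTP
    Accept tokens that permit http as well as https (spr=https,http or no spr field).
    Without this switch the token must carry spr=https. NOT recommended.
    .PARAMETER ignoreSignature
    Ignore the existence of a (non-empty) signature.
    .PARAMETER Blob
    [Switch] Required 'Allowed service'
    .PARAMETER File
    [Switch] Required 'Allowed service'
    .PARAMETER Queue
    [Switch] Required 'Allowed service'
    .PARAMETER Table
    [Switch] Required 'Allowed service'
    .PARAMETER Service
    [Switch] Required 'Allowed resource types'
    .PARAMETER Container
    [Switch] Required 'Allowed resource types'
    .PARAMETER Object
    [Switch] Required 'Allowed resource types'
    .PARAMETER Read
    [Switch] Required 'Allowed permission'
    .PARAMETER Write
    [Switch] Required 'Allowed permission'
    .PARAMETER Delete
    [Switch] Required 'Allowed permission'
    .PARAMETER List
    [Switch] Required 'Allowed permission'
    .PARAMETER Add
    [Switch] Required 'Allowed permission' (only checked together with -Blob, -Queue or -Table)
    .PARAMETER Create
    [Switch] Required 'Allowed permission'
    .PARAMETER Update
    [Switch] Required 'Allowed permission' (only checked together with -Queue or -Table)
    .PARAMETER Process
    [Switch] Required 'Allowed permission' (only checked together with -Queue)
    .PARAMETER Versioning
    [Switch] Required 'Blob versioning permissions' (only checked together with -Blob)
    .PARAMETER ReadOnlyObject
    [Switch] Presets RO permissions | still needs service param
    .PARAMETER ReadWriteObject
    [Switch] Presets RW permissions | still needs service param
    .PARAMETER ReadWriteFull
    [Switch] Presets full RW permissions | still needs service param
    .PARAMETER FullAccess
    [Switch] Presets FullAccess permissions. Checks for everything! You should never use this for anything...
    .EXAMPLE
    Get-SAStokenValidity -sastoken $sastoken
    # Only checks if syntax, protocol, signature presence and time window are valid
    Get-SAStokenValidity -sastoken $sastoken -Table -ReadWriteObject
    Get-SAStokenValidity -sastoken $sastoken -Table -Blob -Object -Read -Add
    $sastokens | Get-SAStokenValidity
    Output: True/False + Details in Verbose / Debug
    .NOTES
    AUTHOR: Ken Dobrunz // Ken.Dobrunz@Direkt-Gruppe.de | Direkt Gruppe
    WEBSITE: http://kensmagic.site
    LASTEDIT: 24.05.2020 - Version: 1.0
    #>
    [cmdletbinding()]
    Param(
        # Default intentionally picks up a caller-scope $sastoken for convenience (kept for compatibility).
        [Parameter()]$sastoken = $sastoken,
        [parameter(ValueFromPipeline = $True)]$pipe,
        # Common
        [Parameter()][switch]$AllowHTTP,
        [Parameter()][switch]$ignoreSignature,
        # Sastoken allowed services - No filter => Any OK
        [Parameter()][switch]$Blob,
        [Parameter()][switch]$File,
        [Parameter()][switch]$Queue,
        [Parameter()][switch]$Table,
        # Resource Type - No filter => Any OK
        [Parameter()][switch]$Service,
        [Parameter()][switch]$Container,
        [Parameter()][switch]$Object,
        # Sastoken needed permissions - No filter => Any OK
        [Parameter()][Alias('r')][switch]$Read,
        [Parameter()][Alias('w')][switch]$Write,
        [Parameter()][Alias('d')][switch]$Delete,
        [Parameter()][Alias('l')][switch]$List,
        [Parameter()][Alias('a')][switch]$Add,
        [Parameter()][Alias('c')][switch]$Create,
        [Parameter()][Alias('u')][switch]$Update,
        [Parameter()][Alias('p')][switch]$Process,
        [Parameter()][Alias('x')][switch]$Versioning,
        # Defaults
        [Parameter()][Alias('ReadOnly')][switch]$ReadOnlyObject,
        [Parameter()][Alias('ReadWrite')][switch]$ReadWriteObject,
        [Parameter()][switch]$ReadWriteFull,
        [Parameter()][Alias('Root')][switch]$FullAccess
    )
    Begin {
        $SelfIdentifier = "SAScheck"

        # Presets: expand the convenience switches into the individual permission switches.
        if ($ReadOnlyObject -or $ReadWriteObject -or $ReadWriteFull) {
            $Object = $true
            $Read = $true
        }
        if ($ReadWriteObject -or $ReadWriteFull) {
            $Write = $true
            $Delete = $true
            $Add = $true
            $Create = $true
            $Update = $true
        }
        if ($ReadWriteFull) {
            $Service = $true
            $Container = $true
        }

        # Every check is a -like pattern matched against the '&'-separated token fields.
        # Letters are appended in the order Azure emits them, so "ss=*b*t*" means
        # "b, then t, somewhere in the ss value".
        # Service check
        $ss = "ss=*"
        if ($Blob) { $ss += "b*" }
        if ($File) { $ss += "f*" }
        if ($Queue) { $ss += "q*" }
        if ($Table) { $ss += "t*" }

        # Resource type check
        $srt = "srt=*"
        if ($Service) { $srt += "s*" }
        if ($Container) { $srt += "c*" }
        if ($Object) { $srt += "o*" }

        # Permission check. Permissions that only exist for some services (a, u, p, x) are
        # checked only when a matching service switch was given; otherwise they are not checked.
        $sp = "sp=*"
        if ($Read) { $sp += "r*" }
        if ($Write) { $sp += "w*" }
        if ($Delete) { $sp += "d*" }
        if ($List) { $sp += "l*" }
        if ($Add -and ($Blob -or $Queue -or $Table)) { $sp += "a*" }
        if ($Create) { $sp += "c*" }
        if ($Update -and ($Queue -or $Table)) { $sp += "u*" }
        if ($Process -and $Queue) { $sp += "p*" }
        if ($Versioning -and $Blob) { $sp += "x*" }

        if ($FullAccess) {
            Write-Verbose "[$($SelfIdentifier)] Selected preset: FULLaccess! - Checking for ALL permissions on all services. Do not use this kind of permissions..."
            $ss = "ss=*bfqt*"
            $srt = "srt=*sco*"
            $sp = "sp=*rwdlacupx*"
        }

        $checkparam = @($ss, $srt, $sp)
        # "sig=?*" requires a non-empty signature; "sig=*" would also accept a bare "sig=".
        if (!$ignoreSignature) { $checkparam += "sig=?*" }

        $functionverbosecount = 0
    }
    process {
        if ($pipe) { $sastoken = $pipe }

        if ([string]::IsNullOrWhiteSpace($sastoken)) {
            throw "[$($SelfIdentifier)] No SAS token!"
        }

        $valid = $true
        # A leading '?' (token copied from a full URL) must not become part of the first field.
        $sasparam = ([string]$sastoken).TrimStart('?').Split('&')
        $policy = ($sasparam -like "si=*") | Select-Object -First 1

        if ($policy) {
            # Stored access policy: permissions and time window live in the policy, which this
            # function cannot inspect, so only the policy reference is reported.
            Write-Verbose "[$($SelfIdentifier)] token used specific access policy [$policy] - no further checks."
        }
        else {
            foreach ($pattern in $checkparam) {
                if ($sasparam -like $pattern) {
                    Write-Debug "Valid: [$pattern]"
                }
                else {
                    Write-Verbose "[$($SelfIdentifier)] Invalid: [$pattern]"
                    $valid = $false
                }
            }

            # Protocol: Azure treats a missing spr field as "https,http", so absence is only
            # acceptable with -AllowHTTP; without the switch the token must say spr=https.
            $sprEntry = ($sasparam -like "spr=*") | Select-Object -First 1
            $protocols = if ($sprEntry) { $sprEntry.Substring(4) } else { "https,http" }
            if ($protocols -eq "https") {
                Write-Debug "Valid: [spr=https]"
            }
            elseif ($AllowHTTP) {
                Write-Debug "Valid: [spr=$protocols] (-AllowHTTP)"
            }
            else {
                Write-Verbose "[$($SelfIdentifier)] Invalid: [spr=$protocols] - plain http permitted, use -AllowHTTP to accept"
                $valid = $false
            }

            # Expiry (se=) is mandatory. Values copied from a URL may be percent-encoded
            # (e.g. %3A for ':'), so decode before parsing.
            $seEntry = ($sasparam -like "se=*") | Select-Object -First 1
            if (-not $seEntry) {
                throw "[$($SelfIdentifier)] Sas token has no expiry (se=)!"
            }
            $expiry = Get-Date -Date ([System.Uri]::UnescapeDataString($seEntry.Substring(3)))
            if ($expiry -gt (Get-Date)) {
                Write-Verbose "[$($SelfIdentifier)] SASToken active [$seEntry]"
            }
            else {
                throw "[$($SelfIdentifier)] Sas token expired! [$seEntry]"
            }

            # Start time (st=) is optional in an account SAS; without it the token is active immediately.
            $stEntry = ($sasparam -like "st=*") | Select-Object -First 1
            if (-not $stEntry) {
                Write-Debug "SASToken has no start time (st=) - active immediately"
            }
            elseif ((Get-Date -Date ([System.Uri]::UnescapeDataString($stEntry.Substring(3)))) -lt (Get-Date)) {
                Write-Debug "SASToken already active [$stEntry]"
            }
            else {
                throw "[$($SelfIdentifier)] Sas token not yet active! [$stEntry]"
            }
        }

        if ($valid) {
            Write-Verbose "[$($SelfIdentifier)] sastoken is valid"
        }
        else {
            Write-Verbose "[$($SelfIdentifier)] sastoken is invalid"
        }
        $functionverbosecount++
        return $valid
    }
    End {
        if ($functionverbosecount -gt 1) {
            Write-Verbose "[$($SelfIdentifier)] Ran [$($functionverbosecount)] times"
        }
    }
}

# v1.0a
Export-ModuleMember -Function *
Write-Verbose "Import-END| [$($FunctionScriptName)]"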