Private/Get-EncryptionParam.ps1
function Get-EncryptionParam {
    <#
    .SYNOPSIS
        Resolve the account's encryption key into a splattable hashtable.

    .DESCRIPTION
        Reads the account's 'sskey' field. An empty value yields an empty
        hashtable (no encryption parameters). The literal value 'VAULT'
        means the key must be fetched from a SecretManagement vault, driven
        by the POSHACME_VAULT_NAME, POSHACME_VAULT_SECRET_TEMPLATE and
        POSHACME_VAULT_PASS environment variables. Any other value is
        treated as the Base64Url-encoded key itself, stored directly on the
        account object.

    .PARAMETER Account
        A PoshACME.PAAccount object whose 'sskey' and 'VaultGuid' fields
        are consulted.

    .OUTPUTS
        hashtable - either @{} or @{ Key = <byte[]> }.

    .NOTES
        Vault-related failures are surfaced as non-terminating errors via
        Write-Error / $PSCmdlet.WriteError and the function returns @{}.
        The vault password, when supplied, is read from the process
        environment as plain text; only the copy handed to
        Unlock-SecretVault is wrapped in a SecureString.
    #>
    [OutputType([hashtable])]
    [CmdletBinding()]
    param(
        [Parameter(Mandatory,Position=0)]
        [PSTypeName('PoshACME.PAAccount')]$Account
    )

    # No key configured on this account: nothing to splat.
    if ([String]::IsNullOrEmpty($Account.sskey)) {
        return @{}
    }

    $rawKey = $null

    if ('VAULT' -eq $Account.sskey) {
        # The key lives in a SecretManagement vault rather than on the
        # account object. Both commands below must be resolvable; the check
        # stops at the first one that is missing, as the original did.
        foreach ($cmdName in @('Unlock-SecretVault','Get-Secret')) {
            if (-not (Get-Command $cmdName -EA Ignore)) {
                Write-Error "Unable to retrieve encryption key. Commands associated with SecretManagement module not found. Make sure Microsoft.PowerShell.SecretManagement is installed and accessible." -Category 'NotInstalled'
                return @{}
            }
        }

        # The vault to query is selected purely by environment variable.
        $vaultName = $env:POSHACME_VAULT_NAME
        if ([string]::IsNullOrWhiteSpace($vaultName)) {
            Write-Error "Unable to retrieve encryption key. SecretManagement Vault name not found. Make sure POSHACME_VAULT_NAME and related environment variables are defined." -Category 'ObjectNotFound'
            return @{}
        }

        # The secret name is a .NET format string with {0} = the account's
        # VaultGuid; an operator may override the default pattern.
        $nameTemplate = $env:POSHACME_VAULT_SECRET_TEMPLATE
        if ([String]::IsNullOrEmpty($nameTemplate)) {
            $nameTemplate = 'poshacme-{0}-sskey'
        } else {
            Write-Debug "Using custom secret template: $($env:POSHACME_VAULT_SECRET_TEMPLATE)"
        }
        $secretName = $nameTemplate -f $Account.VaultGuid

        # Optional explicit unlock. The password arrives as plain text in the
        # environment; it is converted before being passed to the vault.
        if (-not [string]::IsNullOrEmpty($env:POSHACME_VAULT_PASS)) {
            $vaultPassword = ConvertTo-SecureString $env:POSHACME_VAULT_PASS -AsPlainText -Force
            Unlock-SecretVault -Name $vaultName -Password $vaultPassword
        }

        # Fetch the key as plain text; any retrieval failure is re-emitted
        # as a non-terminating error and the caller gets an empty hashtable.
        try {
            Write-Debug "Attempting to retrieve secret '$secretName' from vault '$vaultName'"
            $rawKey = Get-Secret -Vault $vaultName -Name $secretName -AsPlainText -EA Stop
        } catch {
            $PSCmdlet.WriteError($_)
            return @{}
        }
    } else {
        # Anything other than 'VAULT' is the encoded key itself, carried on
        # the account object.
        $rawKey = $Account.sskey
    }

    # Decode the Base64Url key into raw bytes and hand it back in the shape
    # callers splat into the encryption cmdlets.
    return @{
        Key = ($rawKey | ConvertFrom-Base64Url -AsByteArray)
    }
}