SecretManagement.KeePass.psm1
|
using namespace KeePassLib using namespace KeePassLib.Interfaces using namespace KeePassLib.Keys using namespace KeepassLib.Security using namespace KeePassLib.Serialization using namespace Microsoft.PowerShell.SecretManagement using namespace System.Collections.Generic using namespace System.Collections.ObjectModel using namespace System.Management.Automation using namespace System.Runtime.InteropServices function Register-KeepassSecretVault { <# .SYNOPSIS Registers a Keepass Vault with the Secret Management engine .DESCRIPTION Enables you to register a keepass vault with the secret management engine, with more discoverable parameters and safety checks .EXAMPLE PS C:\> Register-KeepassSecretVault -Path $HOME/Desktop/MyVault.kdbx Explanation of what the example does #> [CmdletBinding(DefaultParameterSetName = 'UseMasterPassword')] param( #Path to your kdbx database file [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)][String]$Path, #Name of your secret management vault. Defaults to the base filename [String]$Name, #Path to your kdbx keyfile path if you use one. Only v1 keyfiles (2.44 and older) are currently supported [String]$KeyPath, #Prompt for a master password for the vault [Switch]$UseMasterPassword, #Use your Windows Login account as an authentication factor for the vault [Switch]$UseWindowsAccount, #Automatically create a keepass database with the specifications you provided [Parameter(ParameterSetName='Create')][Switch]$Create, #Specify the master password to use when automatically creating a vault [Parameter(ParameterSetName='Create')][SecureString]$MasterPassword, #Report key titles as full paths including folders. Useful if you want to view conflicting Keys [Switch]$ShowFullTitle, #Show Recycle Bin entries [Switch]$ShowRecycleBin, #Don't validate the vault operation upon registration. This is useful for pre-staging #vaults or vault configurations in deployments. [Parameter(ParameterSetName='SkipValidate')][Switch]$SkipValidate ) $ErrorActionPreference = 'Stop' if (-not ($SkipValidate -or $Create)) { $Path = Resolve-Path $Path } if (-not $Name) { $Name = ([IO.FileInfo]$Path).BaseName } if ($UseWindowsAccount -and -not ($PSEdition -eq 'Desktop' -or $IsWindows)) { throw [NotSupportedException]'-UseWindowsAccount parameter is only supported on Windows' } if (-not $UseMasterPassword -and -not $UseWindowsAccount -and -not $KeyPath) { throw [InvalidOperationException]'No authentication methods specified. You must specify at least one of: UseMasterPassword, UseWindowsAccount, or KeyPath' } if ($Create) { $ConnectKPDBParams = @{ Path = $Path KeyPath = $KeyPath UseWindowsAccount = $UseWindowsAccount Create = $Create MasterPassword = $MasterPassword } $dbConnection = Connect-KeePassDatabase @ConnectKPDBParams if (-not $dbConnection) {throw 'Connect-KeePassDatabase was executed but a database connection was not returned. This should not happen.'} } #BUG: Workaround for https://github.com/PowerShell/SecretManagement/issues/103 if (Get-Module SecretManagement.KeePass -ErrorAction SilentlyContinue -OutVariable KeePassModule) { $ModuleName = $KeePassModule.Path } else { $ModuleName = 'SecretManagement.KeePass' } Register-SecretVault -ModuleName $ModuleName -Name $Name -VaultParameters @{ Path = $Path UseMasterPassword = $UseMasterPassword.IsPresent UseWindowsAccount = $UseWindowsAccount.IsPresent KeyPath = $KeyPath ShowFullTitle = $ShowFullTitle.IsPresent ShowRecycleBin = $ShowRecycleBin.IsPresent } if (-not (Get-SecretVault -Name $Name)) { throw 'Register-SecretVault did not return an error but the vault is not registered.' } #Create does the same validation if (-not $SkipValidate -and -not $Create) { if (-not (Test-SecretVault -VaultName $Name)) { Unregister-SecretVault -Name $Name -ErrorAction SilentlyContinue throw "$Name is an invalid vault configuration, removing. Consider using -SkipValidate if you wish to pre-load a configuration without testing it" } } } function Unlock-KeePassSecretVault { <# .SYNOPSIS Enables the entry of a master password prior to vault activities for unattended scenarios. If registering a vault for the first time unattended, be sure to use the -SkipValidate parameter of Register-KeepassSecretVault .EXAMPLE Get-SecretVault 'MyKeepassVault' | Unlock-KeePassSecretVault -Password $MySecureString .EXAMPLE Unlock-KeePassSecretVault -Name 'MyKeepassVault' -Password $MySecureString #> param ( [Parameter(Mandatory)][SecureString]$Password, [Parameter(Mandatory,ValueFromPipelineByPropertyName)][String]$Name ) Write-PSFMessage -Level Warning 'DEPRECATED: This command has been deprecated. Please use the SecretManagement command Unlock-SecretVault instead.' Microsoft.PowerShell.SecretManagement\Unlock-SecretVault -Password $Password -Name $Name } function ConvertTo-ReadOnlyDictionary { <# .SYNOPSIS Converts a hashtable to a ReadOnlyDictionary[String,Object]. Needed for SecretInformation #> [CmdletBinding()] param( [Parameter(ValueFromPipeline)][hashtable]$hashtable ) process { $dictionary = [SortedDictionary[string,object]]::new([StringComparer]::OrdinalIgnoreCase) $hashtable.GetEnumerator().foreach{ $dictionary[$_.Name] = $_.Value } [ReadOnlyDictionary[string,object]]::new($dictionary) } } function GetKeepassParams ([String]$VaultName, [Hashtable]$AdditionalParameters) { $KeepassParams = @{} if ($VaultName) { $KeepassParams.KeePassConnection = (Get-Variable -Scope Script -Name "Vault_$VaultName").Value } return $KeepassParams } function Test-DBChanged ($dbConnection) { [string]$currentDbFileHash = (Get-FileHash -Path $dbConnection.IOConnectionInfo.Path).Hash [byte[]]$dbHashBytes = $dbConnection.HashOfFileOnDisk #Convert to String [string]$dbHash = $dbHashBytes.foreach{[String]::Format('{0:X2}', $_)} -join '' #Return true or false $currentDbFileHash -ne $dbHash } function Unlock-SecureString ([SecureString]$SecureString) { <# .SYNOPSIS Compatibility function to convert a secure string to plain text .OUTPUT String #> if ($PSVersionTable.PSVersion -ge '6.0.0') { ConvertFrom-SecureString -AsPlainText -SecureString $SecureString } else { #Legacy Windows Powershell Workaround Method [PSCredential]::new('SecureString',$SecureString).GetNetworkCredential().Password } } function VaultError ([String]$Message) { <# .SYNOPSIS Takes a terminating error and first writes it as a non-terminating error to the user to better surface the issue. #> #FIXME: Use regular errors if https://github.com/PowerShell/SecretManagement/issues/102 is resolved Write-PSFMessage -Level Error "Vault ${VaultName}: $Message" throw "Vault ${VaultName}: $Message" } function Connect-KeePassDatabase { <# .SYNOPSIS Open a connection to a keepass database #> param ( #Path to the Keepass database [Parameter(Mandatory)][String]$Path, #Prompt for a master password [Switch]$UseMasterPassword, #The master password to unlock the database [SecureString]$MasterPassword, #The path to the key file for the database [String]$KeyPath, #Whether to use a secure key stored via DPAPI in your windows profile [Switch]$UseWindowsAccount, #Create a new database at the specified path. Will error if a database does not exist at the specified path [Switch]$Create, #Allow clobbering an existing database [Switch]$AllowClobber ) $DBCompositeKey = [CompositeKey]::new() if (-not $MasterPassword -and -not $KeyPath -and -not $UseWindowsAccount) { Write-PSFMessage -Level Verbose "No vault authentication mechanisms specified. Assuming you wanted to prompt for the Master Password" $UseMasterPassword = $true } if ($UseMasterPassword -and -not $MasterPassword) { $CredentialParams = @{ Username = 'Keepass Master Password' Message = "Enter the Keepass Master password for: $Path" } #PS7+ Only if ($PSEdition -ne 'Desktop') { $CredentialParams.Title = 'Keepass Master Password' } $MasterPassword = (Get-Credential @CredentialParams).Password } #NOTE: Order in which the CompositeKey is created is important and must follow the order of : MasterKey, KeyFile, Windows Account if ($MasterPassword) { $DBCompositeKey.AddUserKey( [KcpPassword]::new( #Decode SecureString [Marshal]::PtrToStringUni([Marshal]::SecureStringToBSTR($MasterPassword)) ) ) } if ($KeyPath) { if (-not (Test-Path $KeyPath)) { if ($Create) { #Create a new key [KcpKeyFile]::Create( $KeyPath, $null ) } else { #Will emit a path not found error Resolve-Path $KeyPath } } else { Write-PSFMessage -Level Verbose "A keepass key file was already found at $KeyPath. Reusing this key for safety. Please manually delete this key if you wish to use a new one" } $resolvedKeyPath = Resolve-Path $KeyPath # Assume UNC path if no drive present. if ($Null -eq $resolvedKeyPath.Drive) { $dbCompositeKey.AddUserKey( [KcpKeyFile]::new( $resolvedKeyPath.ProviderPath, #Path to keyfile $true #Error if it is a database file ) ) } else { $dbCompositeKey.AddUserKey( [KcpKeyFile]::new( $resolvedKeyPath, #Path to keyfile $true #Error if it is a database file ) ) } } if ($UseWindowsAccount) { if ($PSVersionTable.PSVersion -gt '5.99.99' -and -not $IsWindows) { throw [NotSupportedException]'The -UseWindowsAccount parameter is only supported on a Windows Platform' } $DBCompositeKey.AddUserKey([KcpUserAccount]::new()) } $ParentPath = (Resolve-Path ($Path | Split-Path)).ProviderPath $DBFile = $Path | Split-Path -Leaf $resolvedPath = Join-Path -Path $ParentPath -ChildPath $DBFile $DBConnection = [PWDatabase]::new() $DBConnectionInfo = [IOConnectionInfo]::FromPath($resolvedPath) if ($Create) { if (-not $AllowClobber -and (Test-Path $resolvedPath)) { throw "-Create was specified but a database already exists at $resolvedPath. Please specify -AllowClobber to overwrite the database." } $DBConnection.New( $DBConnectionInfo, $DBCompositeKey ) $DBConnection.Save($null) } #Establish the connection $DBConnection.Open( $DBConnectionInfo, $DBCompositeKey, $null #No status logger ) if (-not $DBConnection.IsOpen) { throw "Unable to connect to the database at $resolvedPath. Please check you supplied proper credentials" } $DBConnection } function Get-Secret { [CmdletBinding()] param ( [string]$Name, [Alias('Vault')][string]$VaultName, [Alias('VaultParameters')][hashtable]$AdditionalParameters = (Get-SecretVault -Name $VaultName).VaultParameters ) if ($AdditionalParameters.Verbose) { $VerbosePreference = 'continue' } Write-PSFMessage "Searching Entry with Name=$Name" if (-not (Test-SecretVault -VaultName $vaultName -AdditionalParameters $AdditionalParameters)) { Write-PSFMessage -Level Error 'There appears to be an issue with the vault (Test-SecretVault returned false)' -Target "$Name" throw 'There appears to be an issue with the vault (Test-SecretVault returned false)' } if (-not $Name) { Write-PSFMessage -Level Error 'You must specify a secret Name' -Target "$Name" throw 'You must specify a secret Name' } $KeepassParams = GetKeepassParams $VaultName $AdditionalParameters if ($Name) { $KeePassParams.Title = $Name } $keepassGetResult = Get-SecretInfo -Vault $vaultName -Filter $Name -AsKPPSObject if ($null -eq $keepassGetResult) { Write-PSFMessage "No Keepass Entry found" -Target $Name return } if ($keepassGetResult.count -gt 1) { Write-PSFMessage -Level Error "Multiple ambiguous entries found for $Name, please remove the duplicate entry or specify the full path of the secret" -Target "$Name" throw "Multiple ambiguous entries found for $Name, please remove the duplicate entry or specify the full path of the secret" } $result = if (-not $keepassGetResult.Username) { $keepassGetResult.Password } else { [PSCredential]::new($KeepassGetResult.UserName, $KeepassGetResult.Password) } return $result } function Get-SecretInfo { [CmdletBinding()] param( [Alias('Name')][string]$Filter, [Alias('Vault')][string]$VaultName = (Get-SecretVault).VaultName, [Alias('VaultParameters')][hashtable]$AdditionalParameters = (Get-SecretVault -Name $VaultName).VaultParameters, [Switch]$AsKPPSObject ) if ($AdditionalParameters.Verbose) {$VerbosePreference = 'continue'} if (-not (Test-SecretVault -VaultName $vaultName)) { Write-PSFMessage -Level Error 'There appears to be an issue with the vault (Test-SecretVault returned false)' return $false } $KeepassParams = GetKeepassParams -VaultName $VaultName -AdditionalParameters $AdditionalParameters $KeepassGetResult = Get-KPEntry @KeepassParams | ConvertTo-KPPSObject if (-not $AdditionalParameters.ShowRecycleBin) { $KeepassGetResult = $KeepassGetResult | Where-Object FullPath -notmatch '^[^\/]+?\/Recycle ?Bin$' } #TODO: Split this off into private function for testing function Get-KPSecretName ([PSCustomObject]$KPPSObject) { <# .SYNOPSIS Gets the secret name for the vault context, contingent on some parameters WARNING: Relies on external context $AdditionalParameters #> if ($AdditionalParameters.ShowFullTitle) { #Strip everything before the first / $i = $KPPSObject.FullPath.IndexOf('/') $prefix = if ($i -eq -1) {$null} else { $KPPSObject.FullPath.Substring($i+1) } #Output Prefix/Title if ($prefix) { return $prefix,$KPPSObject.Title -join '/' } else { return $KPPSObject.Title } } else { return $KPPSObject.Title } } if ($Filter) { $KeepassGetResult = $KeepassGetResult | Where-Object { (Get-KPSecretName $PSItem) -like $Filter } } #Used by internal commands like Get-Secret if ($AsKPPSObject) { return $KeepassGetResult } [Object[]]$secretInfoResult = $KeepassGetResult | Foreach-Object { if (-not $PSItem.Title) { Write-PSFMessage -Level Warning "Keepass Entry with blank title found at $($PSItem.FullPath). These are not currently supported and will be omitted" return } [ReadOnlyDictionary[String,Object]]$metadata = [ordered]@{ UUID = $PSItem.uuid.ToHexString() Title = $PSItem.Title ParentGroup = $PSItem.ParentGroup Path = $PSItem.FullPath,$PSItem.Title -join '/' Notes = $PSItem.Notes URL = $PSItem.Url Tags = $PSItem.Tags -join ', ' Created = $PSItem.CreationTime Accessed = $PSItem.LastAccessTimeUtc Modified = $PSItem.LastModifiedTimeUtc Moved = $PSItem.LocationChanged IconName = $PSItem.IconId UsageCount = $PSItem.UsageCount Expires = if ($Expires) {$PSItem.ExpireTime} } | ConvertTo-ReadOnlyDictionary #TODO: Find out why the fully qualified is required on Linux even though using Namespace is defined above [Microsoft.PowerShell.SecretManagement.SecretInformation]::new( (Get-KPSecretName $PSItem), #string name #TODO: Add logic to mark as securestring if there is no username [Microsoft.PowerShell.SecretManagement.SecretType]::PSCredential, #SecretType type $VaultName, #string vaultName $metadata #ReadOnlyDictionary[string,object] metadata ) } [Object[]]$sortedInfoResult = $secretInfoResult | Sort-Object -Unique -Property Name if ($sortedInfoResult.count -lt $secretInfoResult.count) { $nonUniqueFilteredRecords = Compare-Object $sortedInfoResult $secretInfoResult -Property Name | Where-Object SideIndicator -eq '=>' Write-PSFMessage -Level Error "Vault ${VaultName}: Entries with non-unique titles were detected, the duplicates were filtered out. $(if (-not $additionalParameters.ShowFullTitle) {'Consider adding the ShowFullTitle VaultParameter to your vault registration'})" Write-PSFMessage -Level Error "Vault ${VaultName}: Filtered Non-Unique Titles: $($nonUniqueFilteredRecords.Name -join ', ')" } $sortedInfoResult } function Remove-Secret { [CmdletBinding()] param ( [ValidateNotNullOrEmpty()][string]$Name, [Alias('Vault')][string]$VaultName, [Alias('VaultParameters')][hashtable]$AdditionalParameters = (Get-SecretVault -Name $VaultName).VaultParameters ) if ($AdditionalParameters.Verbose) {$VerbosePreference = 'continue'} if (-not (Test-SecretVault -VaultName $vaultName)) { VaultError 'There appears to be an issue with the vault (Test-SecretVault returned false)' return $false } $KeepassParams = GetKeepassParams $VaultName $AdditionalParameters $GetKeePassResult = Get-SecretInfo -VaultName $VaultName -Name $Name -AsKPPSObject if ($GetKeePassResult.count -gt 1) { VaultError "There are multiple entries with the name $Name and Remove-Secret will not proceed for safety." return $false } if (-not $GetKeePassResult) { VaultError "No Keepass Entry named $Name found" return $false } Remove-KPEntry @KeepassParams -KeePassEntry $GetKeePassResult.KPEntry -ErrorAction stop -Confirm:$false return $true } function Set-Secret { [CmdletBinding()] param ( [string]$Name, [object]$Secret, [Alias('Vault')][string]$VaultName, [Alias('VaultParameters')][hashtable]$AdditionalParameters = (Get-SecretVault -Name $VaultName).VaultParameters ) if ($AdditionalParameters.Verbose) { $VerbosePreference = 'continue' } if (-not $Name) { Write-PSFMessage -Level Error ([NotSupportedException]'The -Name parameter is mandatory for the KeePass vault') return $false } if (-not (Test-SecretVault -VaultName $vaultName)) { Write-PSFMessage -Level Error 'There appears to be an issue with the vault (Test-SecretVault returned false)' return $false } $KeepassParams = GetKeepassParams $VaultName $AdditionalParameters # Write-PSFMessage -Level Verbose "KeepassParams=$($KeepassParams|ConvertTo-JSon -Compress)" -Tag Sherlock -Target $Name # Write-PSFMessage -Level Verbose "AdditionalParameters=$($AdditionalParameters|ConvertTo-JSon -Compress)" -Tag Sherlock -Target $Name switch ($Secret.GetType()) { ([String]) { $KeepassParams.Username = $null $KeepassParams.KeepassPassword = [ProtectedString]::New($true, $Secret) break } ([SecureString]) { $KeepassParams.Username = $null $KeepassParams.KeepassPassword = [ProtectedString]::New($true, (Unlock-SecureString $Secret)) break } ([PSCredential]) { $KeepassParams.Username = $Secret.Username $KeepassParams.KeepassPassword = [ProtectedString]::New($true, $Secret.GetNetworkCredential().Password) break } default { Write-PSFMessage -Level Error ([NotImplementedException]'This vault provider only accepts string, securestring, and PSCredential secrets') return $false } } if (Get-SecretInfo -Name $Name -Vault $VaultName) { Write-PSFMessage "Updating Keepass Entry" -Target $Name -Tag Update try { # $KeepassEntry = Get-SecretInfo -Name $Name -Vault $VaultName -AsKPPSObject # Need to get the original KPEntry Object for modification $KeepassParamsGetKPEntry = GetKeepassParams $VaultName $AdditionalParameters $KeepassResults = Get-KPEntry @KeepassParamsGetKPEntry -Title $Name if (-not $AdditionalParameters.ShowRecycleBin) { $countBeforeRemoval = $KeepassResults.count Write-PSFMessage -Level Verbose "Removing found entries with FullPath containing 'RecycleBin'" # $KeepassResults = $KeepassResults | Where-Object FullPath -notmatch '^[^\/]+?\/Recycle ?Bin$' $KeepassResults = $KeepassResults | Where-Object { $_.ParentGroup.GetFullPath('/', $true) -notmatch '^[^\/]+?\/Recycle ?Bin$' } Write-PSFMessage -Level Verbose "Removed $($countBeforeRemoval - $KeepassResults.count) Entries, $countBeforeRemoval entries before and $($KeepassResults.count) after" } # $fullPathes = $KeepassResults|Foreach-Object { # $path=$_.ParentGroup.GetFullPath('/', $true) # $title = $_.Strings.ReadSafe('Title') # "Title= $title; Fullpath= $Path;" # } # Write-PSFMessage -level Host -Tag Sherlock "fullPathes=$($fullPathes -join ';')" if ($KeepassResults.count -gt 1) { Write-PSFMessage -Level Error "Retrieved $($KeepassResults.count) Keepass-Entries, narrow down the criteria" return } $KeepassEntry = $KeepassResults #[1] # $KeepassEntry = Get-KPEntry -KeePassConnection $KeepassParams.KeepassConnection -Title $Title Write-PSFMessage "Found KeepassEntry=$KeepassEntry" -Level Debug # Write-PSFMessage "`$KeepassEntry.getType()=$($KeepassEntry.GetType())" -tag "Sherlock" } catch { Write-PSFMessage -Level Error "Fehler bei Get-KPEntry, $_" } # Write-PSFMessage -Level Warning "Vault ${VaultName}: A secret with the title $Name already exists. This vault currently does not support overwriting secrets. Please remove the secret with Remove-Secret first." # return $false $KPEntry = Set-KPEntry @KeepassParams -Title $Name -PassThru -KeePassEntry $KeepassEntry -Confirm:$False # Write-PSFMessage -Level Warning "Vault ${VaultName}: A secret with the title $Name already exists. This vault currently does not support overwriting secrets. Please remove the secret with Remove-Secret first." # return $false } else { #Set default group #TODO: Support Creating Secrets with paths Write-PSFMessage "Adding Keepass Entry" -Target $Name -Tag Add $KeepassParams.KeePassGroup = (Get-Variable "VAULT_$VaultName").Value.RootGroup $KPEntry = Add-KPEntry @KeepassParams -Title $Name -PassThru } #Save the changes immediately #TODO: Consider making this optional as a vault parameter $KeepassParams.KeepassConnection.Save($null) return [Bool]($KPEntry) } function Test-SecretVault { [CmdletBinding()] param ( [Parameter(ValueFromPipelineByPropertyName,Mandatory)] [Alias('Vault')][Alias('Name')][string]$VaultName, #This intelligent default is here because if you call test-secretvault from other commands it doesn't populate like it does when called from SecretManagement [Parameter(ValueFromPipelineByPropertyName)] [Alias('VaultParameters')][hashtable]$AdditionalParameters = (get-secretvault $VaultName).VaultParameters ) if ($AdditionalParameters.Verbose) {$VerbosePreference = 'continue'} Write-PSFMessage -Level Verbose "SecretManagement: Testing Vault ${VaultName}" #TODO: Hash vault parameter settings and reset vault state if they change. May be a bug if user changes vault parameters in same session #Test if connection already open, no need to do further testing if so try { $DBConnection = (Get-Variable -Name "Vault_$VaultName" -Scope Script -ErrorAction Stop).Value if (-not $DBConnection.isOpen) { Write-PSFMessage -Level Error 'Connection closed, starting a new connection' return $false } if (Test-DBChanged $DBConnection) { $dbConnection.close() Write-PSFMessage -Level Error 'Database file on disk has changed, starting a new connection' return $false } Write-PSFMessage -Level Verbose "Vault ${VaultName}: Connection already open, using existing connection" return $dbConnection.isOpen } catch { Write-PSFMessage -Level Verbose "${VaultName}: $PSItem" } #Basic Sanity Checks if (-not $VaultName) { Write-PSFMessage -Level Error 'Keepass: You must specify a Vault Name to test' return $false } if (-not $AdditionalParameters.Path) { #TODO: Create a default vault if path isn't supplied #TODO: Add ThrowUser to throw outside of module scope Write-PSFMessage -Level Error 'You must specify the Path vault parameter as a path to your KeePass Database' return $false } if (-not (Test-Path $AdditionalParameters.Path)) { Write-PSFMessage -Level Error "Could not find the keepass database $($AdditionalParameters.Path). Please verify the file exists or re-register the vault" return $false } #3 Scenarios Supported: Master PW, Keyfile, PW + Keyfile $ConnectKPDBParams = @{ Path = $AdditionalParameters.Path KeyPath = $AdditionalParameters.KeyPath UseWindowsAccount = $AdditionalParameters.UseWindowsAccount UseMasterPassword = $AdditionalParameters.UseMasterPassword } [SecureString]$vaultMasterPassword = Get-Variable -Name "Vault_${VaultName}_MasterPassword" -ValueOnly -ErrorAction SilentlyContinue if ($vaultMasterPassword) { Write-PSFMessage -Level Verbose "Cached Master Password Found for $VaultName" $ConnectKPDBParams.MasterPassword = $vaultMasterPassword } try { $DBConnection = Connect-KeePassDatabase @ConnectKPDBParams } catch { Write-PSFMessage -Level Error $PSItem } if ($DBConnection.IsOpen) { Set-Variable -Name "Vault_$VaultName" -Scope Script -Value $DBConnection return $DBConnection.IsOpen } #If we get this far something went wrong Write-PSFMessage -Level Error "Unable to open connection to the database" return $false # if (-not $AdditionalParameters.Keypath -or $AdditionalParameters.UseMasterKey) { # } # if (-not (Get-KeePassDatabaseConfiguration -DatabaseProfileName $VaultName)) { # New-KeePassDatabaseConfiguration @KeePassDBConfigParams # Write-PSFMessage -Level Verbose "Vault ${VaultName}: A PoshKeePass database configuration was not found but was created." # return $true # } # try { # Get-KeePassEntry -DatabaseProfileName $VaultName -MasterKey $VaultMasterKey -Title '__SECRETMANAGEMENT__TESTSECRET_SHOULDNOTEXIST' -ErrorAction Stop # } catch { # Clear-Variable -Name "Vault_$VaultName" -Scope Script -ErrorAction SilentlyContinue # throw $PSItem # } } function Unlock-SecretVault { param ( [Parameter(Mandatory)][SecureString]$Password, [Parameter(Mandatory)][Alias('Vault')][Alias('Name')][String]$VaultName, [Alias('VaultParameters')][hashtable]$AdditionalParameters ) Write-PSFMessage "Unlocking SecretVault $VaultName" $vault = Get-SecretVault -Name $VaultName -ErrorAction Stop $vaultName = $vault.Name if ($vault.ModuleName -ne 'SecretManagement.KeePass') { Write-PSFMessage -Level Error "$vaultName was found but is not a Keepass Vault." return $false } Set-Variable -Name "Vault_${vaultName}_MasterPassword" -Scope Script -Value $Password -Force #Force a reconnection Remove-Variable -Name "Vault_${vaultName}" -Scope Script -Force -ErrorAction SilentlyContinue if (-not (Test-SecretVault -Name $vaultName -AdditionalParameters $AdditionalParameters)) { Write-PSFMessage -Level Error "${vaultName}: Failed to unlock the vault" return $false } Write-PSFMessage "SecretVault $vault unlocked successfull" return $true } function Unregister-SecretVault { [CmdletBinding()] param( [string] $VaultName, [hashtable] $AdditionalParameters ) if ($AdditionalParameters.Verbose) {$VerbosePreference = 'continue'} try { Remove-Variable -Name "Vault_$VaultName" -Scope Script -Force -ErrorAction Stop } catch [ItemNotFoundException] { Write-PSFMessage -Level Verbose "Vault ${VaultName}: Vault was not loaded at time of deregistration" } } |