Functions/Read-SecretifySecret.ps1
|
<#
.SYNOPSIS Retrieves and decrypts a secret from a secure store based on a provided URL, or a combination of identifier and key. .DESCRIPTION This function allows for flexible retrieval and decryption of secrets: - If a complete secret link is provided (including both the identifier and decryption key), the function parses the URL to extract these components and uses them to retrieve the secret. - If an identifier and key are provided separately, it uses the session's base URL combined with these details to fetch and decrypt the secret. .PARAMETER Url The full URL to the secret. If only the identifier and key are provided, the session's base URL will be used. This parameter is optional if both Identifier and Key are provided. .PARAMETER Identifier The unique identifier for the secret to be retrieved. This parameter is required if the Key is provided without a complete URL. .PARAMETER Key The decryption key required to access the secret. This parameter is required if Identifier is provided. .EXAMPLE Read-SecretifySecret -Url "https://secretify.com/s/12345#keyHere" This command parses the complete URL to extract the base URL, identifier, and decryption key to retrieve the secret. .EXAMPLE Read-SecretifySecret -Identifier "abc123" -Key "s3cr3t" This command uses the session's base URL to retrieve the secret identified by "abc123" with the decryption key "s3cr3t". .OUTPUTS PSCustomObject Returns a decrypted secret object retrieved from the secure storage service. .NOTES Ensure that appropriate parameters are provided to successfully retrieve and decrypt the secret. At least an Identifier and Key are required unless a complete secret link is provided. #> function Read-SecretifySecret { [CmdletBinding()] param ( [Parameter(Mandatory = $false)] [string]$Url, [Parameter(Mandatory = $false)] [string]$Identifier, [Parameter(Mandatory = $false)] [string]$Key ) try { $headers = @{ "Authorization" = "Bearer $($SecretifySession.AuthToken)" "Content-Type" = "application/json" } if ($Url -match '\/s\/.+?#') { # Assuming the URL is a complete secret link $secretLinkParts = $Url -split '#' $baseUrl = $secretLinkParts[0] -replace '\/s\/.*$', '' $identifier = $secretLinkParts[0] -replace '^.*\/s\/', '' $key = $secretLinkParts[1] $secretUrl = "$baseUrl/api/v1/secret/$Identifier/_cipher" Write-Verbose "Parsed URL for Base URL: $baseUrl, Identifier: $identifier, Key: $key" } elseif ($Identifier -and $Key) { $secretUrl = "$($SecretifySession.Url)/api/v1/secret/$Identifier/_cipher" } else { throw "Insufficient parameters provided to retrieve and decrypt the secret." } Write-Verbose "Retrieving encrypted data from $secretUrl" if ($SecretifySession.Proxy) { $response = Invoke-RestMethod -Uri $secretUrl -Method Get -Headers $headers -Proxy $SecretifySession.Proxy } else { $response = Invoke-RestMethod -Uri $secretUrl -Method Get -Headers $headers } $cipher = $response.data.cipher | ConvertFrom-Json Write-Verbose "Cipher object: $(ConvertTo-Json -InputObject $cipher)" $decryptedAttributes = @{} $decryptionKey = ConvertFrom-Base64Url -base64Url $Key foreach ($attributeName in $cipher.PSObject.Properties.Name) { $encryptedData = $cipher.$attributeName $decryptedData = Unprotect-String -encryptedData $encryptedData -encryptionKey $decryptionKey $decryptedAttributes[$attributeName] = $decryptedData } Write-Verbose "Successfully decrypted the data." return [PSCustomObject]$decryptedAttributes } catch { throw "Failed to reveal secret. Error: $($_.Exception.Message)" } } |