functions/secrets/Set-Secret.ps1
|
function Set-Secret { <# .SYNOPSIS Set various settings or fields for a given secret .DESCRIPTION Set various settings or fields for a given secret. .EXAMPLE $session = New-TssSession -SecretServer https://alpha -Credential $ssCred Set-TssSecret -TssSession $session -Id 345 -FolderId 3 Move Secret 345 to folder ID 3 .EXAMPLE $session = New-TssSession -SecretServer https://alpha -Credential $ssCred Set-TssSecret -TssSession $session -Id 113 -ForceCheckIn Sets secret 1455 disables emailing when changed .LINK https://thycotic-ps.github.io/thycotic.secretserver/commands/secrets/Set-TssSecret .LINK https://github.com/thycotic-ps/thycotic.secretserver/blob/main/src/functions/secrets/Set-Secret.ps1 .NOTES Requires TssSession object returned by New-TssSession #> [cmdletbinding(SupportsShouldProcess, DefaultParameterSetName = 'all')] param( # TssSession object created by New-TssSession for auth [Parameter(Mandatory, ValueFromPipeline, Position = 0)] [TssSession] $TssSession, # Secret Id to modify [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [Alias('SecretId')] [int[]] $Id, # Comment to provide for restricted secret (Require Comment is enabled) [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'restricted')] [string] $Comment, # Force check-in of the Secret [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'restricted')] [Parameter(ParameterSetName = 'checkIn')] [switch] $ForceCheckIn, # Associated Ticket Number [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'restricted')] [int] $TicketNumber, #Associated Ticket System ID [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'restricted')] [int] $TicketSystemId, # Set the secret active secret is active [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'general')] [switch] $Active, # Whether Auto Change is enabled [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'password')] [switch] $AutoChangeEnabled, # Manual password to use on next Auto Change [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'password')] [securestring] $AutoChangeNextPassword, # Whether the Secret inherits permissions from the containing folder [Parameter(ParameterSetName = 'all')] [Alias('EnableInheritPermissions')] [switch] $EnableInheritPermission, # Whether Secret Policy is inherited from containing folder [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'general')] [switch] $EnableInheritSecretPolicy, # Folder (ID) [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'general')] [Alias('Folder')] [int] $FolderId, # Generate new SSH Keys [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'general')] [switch] $GenerateSshKeys, # Heartbeat enabled [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'general')] [switch] $HeartbeatEnabled, # Secret out of sync [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'general')] [switch] $IsOutOfSync, # Secret name [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'general')] [string] $SecretName, # Secret Policy (ID) [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'general')] [int] $SecretPolicy, # Secret Site [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'general')] [Alias('Site')] [int] $SiteId, # Check-In a Secret, can be combined with ForceCheckIn to forcibly check the Secret in [Parameter(ParameterSetName = 'all')] [Parameter(ParameterSetName = 'checkIn')] [switch] $CheckIn ) begin { $setSecretParams = $PSBoundParameters $generalParamSet = . $ParameterSetParams $PSCmdlet.MyInvocation.MyCommand.Name 'general' # Need to know if any of the params provided are in the specific parameter sets # if they are not we will null out the variable so the code below is not triggered $generalParams = @() foreach ($g in $generalParamSet) { if ($setSecretParams.ContainsKey($g)) { $generalParams += $g } } # Require Get-TssSecret and PUT /secrets/{id} endpoint $passwordParamSet = . $ParameterSetParams $PSCmdlet.MyInvocation.MyCommand.Name 'password' $folderParamSet = . $ParameterSetParams $PSCmdlet.MyInvocation.MyCommand.Name 'folder' $otherParams = @() foreach ($p in $passwordParamSet) { if ($setSecretParams.ContainsKey($p)) { $otherParams += $p } } foreach ($f in $folderParamSet) { if ($setSecretParams.ContainsKey($f)) { $otherParams += $f } } # restricted params $restrictedParamSet = . $ParameterSetParams $PSCmdlet.MyInvocation.MyCommand.Name 'restricted' $restrictedParams = @() foreach ($r in $restrictedParamSet) { if ($setSecretParams.ContainsKey($r)) { $restrictedParams += $r } } $invokeParamsGenearl = . $GetInvokeTssParams $TssSession $invokeParamsOther = . $GetInvokeTssParams $TssSession $invokeParamsCheckIn = . $GetInvokeTssParams $TssSession } process { Write-Verbose "Provided command parameters: $(. $GetInvocation $PSCmdlet.MyInvocation)" if ($setSecretParams.ContainsKey('TssSession') -and $TssSession.IsValidSession()) { . $CheckVersion $TssSession '10.9.000000' $PSCmdlet.MyInvocation foreach ($secret in $Id) { if ($otherParams.Count -gt 0) { $uri = $TssSession.ApiUrl, 'secrets', $secret -join '/' $invokeParamsOther.Uri = $uri $invokeParamsOther.Method = 'PUT' $whatIfProcessing = 0 if ($setSecretParams.ContainsKey('AutoChangeEnabled') -and -not $PSCmdlet.ShouldProcess("SecretId: $secret", "$($invokeParamsOther.Method) $uri updating AutoChangeEnabled to $AutoChangeEnabled")) { $whatIfProcessing++ } if ($setSecretParams.ContainsKey('AutoChangeNextPassword') -and -not $PSCmdlet.ShouldProcess("SecretId: $secret", "$($invokeParamsOther.Method) $uri updating AutoChangeNextPassword to $AutoChangeNextPassword")) { $whatIfProcessing++ } if ($setSecretParams.ContainsKey('EnableInheritPermission') -and -not $PSCmdlet.ShouldProcess("SecretId: $secret", "$($invokeParamsOther.Method) $uri updating Inherit Permission to $EnableInheritPermission")) { $whatIfProcessing++ } $getParams = @{ TssSession = $TssSession Id = $secret } if ($restrictedParams.Count -gt 0) { $getParams.Add('ForceCheckIn', $ForceCheckIn) $getParams.Add('TicketNumber', $TicketNumber) $getParams.Add('TicketSystemId', $TicketSystemId) $getParams.Add('Comment', $Comment) } if (-not $PSCmdlet.ShouldProcess("SecretId: $secret", 'Getting Secret')) { $whatIfProcessing++ } if ($whatIfProcessing -eq 0) { try { Write-Verbose "Getting SecretID: [$secret]" $getSecret = . $GetSecret $TssSession $secret $restrictedParams } catch { Write-Error "Issue getting Secret [$secret] details: $_" } if ($getSecret) { if ($restrictedParams.Count -gt 0) { $getSecret.Add('ForceCheckIn', $ForceCheckIn) $getSecret.Add('TicketNumber', $TicketNumber) $getSecret.Add('TicketSystemId', $TicketSystemId) $getSecret.Add('Comment', $Comment) } if ($setSecretParams.ContainsKey('AutoChangeEnabled')) { $getSecret.AutoChangeEnabled = [boolean]$AutoChangeEnabled } if ($setSecretParams.ContainsKey('AutoChangeNextPassword')) { if ($setSecretParams.ContainsKey('AutoChangeEnabled') -and -not $AutoChangeEnabled) { Write-Warning "AutoChangeNextPassword requires AutoChange to be enabled. Please provide -AutoChangeEnabled parameter to enable it and set next manual password on secret [$secret]." } elseif ($getSecret.AutoChangeEnabled -eq $false -and -not $AutoChangeEnabled) { Write-Warning "AutoChangeNextPassword require AutoChange to be enabled. AutoChange found disabled on secret [$secret]. Please provide -AutoChangeEnabled parameter to enable it and set next manual password." } else { $getSecret.AutoChangeNextPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($AutoChangeNextPassword)) } } if ($setSecretParams.ContainsKey('EnableInheritPermission')) { $getSecret.EnableInheritPermissions = $EnableInheritPermission } $invokeParamsOther.Body = $getSecret | ConvertTo-Json -Depth 5 Write-Verbose "$($invokeParamsOther.Method) $uri with:`t$($invokeParamsOther.Body)`n" try { $otherResponse = . $InvokeApi @invokeParamsOther } catch { Write-Warning "Issue setting property on secret [$secret]" $err = $_ . $ErrorHandling $err } if ($otherResponse.PSObject.Properties.Name -contains 'AutoChangeEnabled' -and $setSecretParams.ContainsKey('AutoChangeEnabled')) { if ($otherResponse.AutoChangeEnabled -eq $AutoChangeEnabled) { Write-Verbose "Secret [$secret] AutoChangeEnabled was set to $AutoChangeEnabled" } } if ($otherResponse.PSObject.Properties.Name -contains 'AutoChangeNextPassword' -and $setSecretParams.ContainsKey('AutoChangeNextPassword')) { if ($otherResponse.AutoChangeNextPassword -eq $AutoChangeNextPassword) { Write-Verbose "Secret [$secret] AutoChangeNextPassword was set to $AutoChangeNextPassword" } } if ($otherResponse.PSObject.Properties.Name -contains 'EnableInheritPermissions' -and $setSecretParams.ContainsKey('EnableInheritPermission')) { if ($otherResponse.EnableInheritPermissions -eq $EnableInheritPermission) { Write-Verbose "Secret [$secret] EnableInheritPermissions was set to $EnableInheritPermission" } } } } } if ($generalParams.Count -gt 0) { Write-Verbose 'Working on general parameter set values' # data object for General Settings # Each object added to data requires dirty (true) and value property $generalBody = @{ data = @{ } } if ($setSecretParams.ContainsKey('Active')) { $setActive = @{ dirty = $true value = [boolean]$Active } $generalBody.data.Add('active', $setActive) } if ($setSecretParams.ContainsKey('EnableInheritSecretPolicy')) { $setInheritance = @{ dirty = $true value = [boolean]$EnableInheritSecretPolicy } $generalBody.data.Add('enableInheritSecretPolicy', $setInheritance) } if ($setSecretParams.ContainsKey('FolderId')) { $setFolder = @{ dirty = $true value = $FolderId } $generalBody.data.Add('folder', $setFolder) } if ($setSecretParams.ContainsKey('GenerateSshKeys')) { #does not require dirty and value properties $generalBody.data.Add('generateSshKeys', [boolean]$GenerateSshKeys) } if ($setSecretParams.ContainsKey('HeartbeatEnabled')) { $setHb = @{ dirty = $true value = "$HeartbeatEnabled" } $generalBody.data.Add('heartbeatEnabled', $setHb) } if ($setSecretParams.ContainsKey('SecretPolicy')) { $setSecretPolicy = @{ dirty = $true value = $SecretPolicy } $generalBody.data.Add('secretPolicy', $setSecretPolicy) } if ($setSecretParams.ContainsKey('SiteId')) { $setSite = @{ dirty = $true value = $SiteId } $generalBody.data.Add('site', $setSite) } if ($setSecretParams.ContainsKey('IsOutOfSync')) { $setOutOfSync = @{ dirty = $true value = [boolean]$IsOutOfSync } $generalBody.data.Add('isOutOfSync', $setOutOfSync) } if ($setSecretParams.ContainsKey('SecretName')) { $setName = @{ dirty = $true value = $SecretName } $generalBody.data.Add('name', $setName) } $uri = $TssSession.ApiUrl, 'secrets', $secret, 'general' -join '/' $invokeParamsGenearl.Uri = $uri $invokeParamsGenearl.Method = 'PATCH' $invokeParamsGenearl.Body = $generalBody | ConvertTo-Json -Depth 5 if ($PSCmdlet.ShouldProcess("SecretId: $secret", "$($invokeParamsGenearl.Method) $uri with:`n$($invokeParamsGenearl.Body)`n")) { Write-Verbose "$($invokeParamsGenearl.Method) $uri with:`n$($invokeParamsGenearl.Body)`n" try { $generalResponse = . $InvokeApi @invokeParamsGenearl } catch { Write-Warning "Issue configuring general settings on [$secret]" $err = $_ . $ErrorHandling $err } if ($generalResponse.id -eq $secret -and $generalResponse.name.value -eq $SecretName) { Write-Verbose "Secret [$secret] name set to [$($generalResponse.name.value)]" } if ($generalResponse.id -eq $secret -and $generalResponse.active.value -eq $Active) { Write-Verbose "Secret [$secret] Active set to [$($generalResponse.active.value)]" } } } if ($setSecretParams.ContainsKey('CheckIn')) { Write-Verbose 'Working on check-in' $uri = $TssSession.ApiUrl, 'secrets', $secret, 'check-in' -join '/' $invokeParamsCheckIn.Uri = $uri $invokeParamsCheckIn.Method = 'POST' $checkInBody = @{} if ($restrictedParams.Count -gt 0) { switch ($restrictedParams) { 'Comment' { $checkInBody.Add('comment', $Comment) } 'ForceCheckIn' { $checkInBody.Add('forceCheckIn', [boolean]$ForceCheckIn) } 'TicketNumber' { $checkInBody.Add('ticketNumber', $TicketNumber) } 'TicketSystemId' { $checkInBody.Add('ticketSystemId', $TicketSystemId) } } } $uri = $TssSession.ApiUrl, 'secrets', $secret, 'check-in' -join '/' $invokeParamsCheckIn.Uri = $uri $invokeParamsCheckIn.Method = 'POST' $invokeParamsCheckIn.Body = $checkInBody | ConvertTo-Json -Depth 5 if ($PSCmdlet.ShouldProcess("SecretId: $secret", "$($invokeParamsCheckIn.Method) $uri with:`n$($invokeParamsCheckIn.Body)`n")) { Write-Verbose "$($invokeParamsCheckIn.Method) $uri with:`n$checkInBody`n" try { $checkInResponse = . $InvokeApi @invokeParamsCheckIn } catch { Write-Warning "Issue performing check-in on secret [$secret]" $err = $_ . $ErrorHandling $err } } if ($checkInResponse.checkedOut) { Write-Warning "Secret [$secret] not checked in" } else { Write-Verbose "Secret [$secret] checked in" } } } } else { Write-Warning 'No valid session found' } } } |