Classes/VenafiSession.ps1

class VenafiSession {

    [string] $Server
    [PSCustomObject] $Key
    [PSCustomObject] $Token
    [PSCustomObject] $CustomField
    [Version] $Version

    VenafiSession () {
    }

    VenafiSession ([Hashtable] $initHash) {
        $this._init($initHash)
    }

    [void] Validate() {
        $this.Validate($this.Platform, $this.AuthType)
    }

    [void] Validate(
        [string] $Platform
    ) {
        $this.Validate($Platform, $this.AuthType)
    }

    [void] Validate(
        [string] $Platform,
        [string] $AuthType
    ) {

        if ( -not $this.Key -and -not $this.Token ) {
            switch ($Platform) {
                'VaaS' {
                    throw "You must first connect to Venafi as a Service with New-VenafiSession -VaasKey"
                }

                'TPP' {
                    throw "You must first connect to a TPP server with New-VenafiSession"
                }

                Default {
                    throw "You must first connect to either Venafi as a Service or a TPP server with New-VenafiSession"
                }
            }
        }

        # newer api calls may only accept token based auth
        if ( $AuthType -ne $this.AuthType ) {
            throw "This function requires the use of $AuthType authentication"
        }

        # make sure the auth type and url we have match
        # this keeps folks from calling a vaas function with a token and vice versa
        if ( $Platform -ne $this.Platform ) {
            throw "This function is only accessible for $Platform"
        }

        Write-Verbose ("Key/Token expires: {0}, Current (+2s): {1}" -f $this.Expires, (Get-Date).ToUniversalTime().AddSeconds(2))
        if ( $this.Expires -gt (Get-Date).ToUniversalTime().AddSeconds(2) ) {
            return
        }

        # expired, perform refresh
        Write-Verbose 'Key/token expired. Attempting refresh.'

        if ( $this.Platform -eq 'TPP' ) {
            if ( $this.AuthType -eq 'Key' ) {
                try {
                    $params = @{
                        Method      = 'Get'
                        Uri         = ("{0}/vedsdk/authorize/checkvalid" -f $this.Server)
                        Headers     = @{
                            "X-Venafi-Api-Key" = $this.Key.ApiKey
                        }
                        ContentType = 'application/json'
                    }
                    Invoke-RestMethod @params
                }
                catch {
                    # tpp sessions timeout after 3 mins of inactivity
                    # reestablish connection
                    if ( $_.Exception.Response.StatusCode.value__ -eq '401' ) {
                        Write-Verbose "Unauthorized, re-authenticating"
                        if ( $this.Key.Credential ) {
                            $this.Connect($this.Key.Credential)
                        }
                        else {
                            $this.Connect($null)
                        }
                    }
                    else {
                        throw ('"{0} {1}: {2}' -f $_.Exception.Response.StatusCode.value__, $_.Exception.Response.StatusDescription, $_ | Out-String )
                    }
                }
            }
            else {
                # token
                if ( $this.Token.RefreshExpires ) {
                    Write-Verbose ("Refresh token expires: {0}, Current: {1}" -f $this.Token.RefreshExpires, (Get-Date).ToUniversalTime())
                }

                $newToken = New-TppToken -VenafiSession $this
                $this.Token = $newToken
            }
        }
        else {
            # no refresh for vaas
        }
    }

    # connect for key based
    [void] Connect(
        [PSCredential] $Credential
    ) {

        if ( -not ($this.Server) ) {
            throw "You must provide a value for Server"
        }

        $params = @{
            Server = $this.Server
        }

        if ( $Credential ) {
            $params.Method = 'Post'
            $params.UriLeaf = 'authorize'
            $params.Body = @{
                Username = $Credential.UserName
                Password = $Credential.GetNetworkCredential().Password
            }
        }
        else {
            $params.Method = 'Get'
            $params.UriLeaf = 'authorize/integrated'
            $params.UseDefaultCredentials = $true
        }

        $response = Invoke-TppRestMethod @params
        $this.Key = [pscustomobject] @{
            ApiKey     = $response.ApiKey
            Credential = $Credential
            Expires    = $response.ValidUntil
        }
    }

    hidden [void] _init ([Hashtable] $initHash) {

        if ( -not ($initHash.Server) ) {
            throw "Server is required"
        }

        $initHash.GetEnumerator() | ForEach-Object {
            if ( $_.Value ) {
                $this.$($_.Key)=$_.Value
            }
        }

        $this | Add-Member -MemberType ScriptProperty -Name Platform -Value {
            if ( $this.Server -eq $script:CloudUrl ) {
                'VaaS'
            }
            else {
                'TPP'
            }
        }

        $this | Add-Member -MemberType ScriptProperty -Name AuthType -Value {
            if ( $this.Key ) {
                'Key'
            }
            elseif ($this.Token ) {
                'Token'
            }
            else {
                $null
            }
        }

        $this | Add-Member -MemberType ScriptProperty -Name Expires -Value {
            if ( $this.Token ) {
                $this.Token.Expires
            }
            elseif ($this.Key ) {
                $this.Key.Expires
            }
            else {
                $null
            }
        }
    }
}