VpasModule

14.2.1

public/Deny-VPASIncomingRequest.ps1

                                <#

.Synopsis

   DENY AN INCOMING REQUEST IN CYBERARK

   CREATED BY: Vadim Melamed, EMAIL: vmelamed5@gmail.com

.DESCRIPTION

   USE THIS FUNCTION TO DENY AN INCOMING REQUEST IN CYBERARK

.PARAMETER token

   HashTable of data containing various pieces of login information (PVWA, LoginToken, HeaderType, etc).

   If -token is not passed, function will use last known hashtable generated by New-VPASToken

.PARAMETER RequestedSafe

   Safe name that will be used to query for the target account if no AcctID is passed

.PARAMETER RequestedUsername

   Username that will be used to query for the target account if no AcctID is passed

.PARAMETER RequestedPlatform

   PlatformID that will be used to query for the target account if no AcctID is passed

.PARAMETER RequestedAddress

   Address that will be used to query for the target account if no AcctID is passed

.PARAMETER RequestedAcctID

   Unique ID that maps to a single account, passing this variable will skip query functions to find target account

.PARAMETER RequestedReason

   Reason that will be used to query and find the target account request

.PARAMETER requestID

   Unique ID that maps to a single account request, passing this variable will skip any query functions

.PARAMETER denyReason

   Reason for denying the incoming request, will be saved for audit purposes

.PARAMETER WhatIf

   Run code simulation to see what is affected by running the command as well as any possible implications

   This is a code simulation flag, meaning the command will NOT actually run

.PARAMETER HideWhatIfOutput

   Suppress any code simulation output from the console

.EXAMPLE

   $WhatIfSimulation = Deny-VPASIncomingRequest -RequestedAcctID {ACCTID VALUE} -requestID {REQUESTID VALUE} -denyReason {REASON VALUE} -WhatIf

.EXAMPLE

   $DenyIncomingRequestStatus = Deny-VPASIncomingRequest -RequestedAcctID {ACCTID VALUE} -requestID {REQUESTID VALUE} -denyReason {REASON VALUE}

.OUTPUTS

   $true if successful

   $false if failed

#>

function Deny-VPASIncomingRequest{

    [OutputType([bool],'System.Object')]

    [CmdletBinding()]

    Param(

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=0)]

        [String]$RequestedSafe,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=1)]

        [String]$RequestedPlatform,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=2)]

        [String]$RequestedUsername,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=3)]

        [String]$RequestedAddress,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=4)]

        [String]$RequestedAcctID,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=5)]

        [String]$RequestedReason,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=6)]

        [String]$requestID,

        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,HelpMessage="Enter a reason for denying the incoming request (for example: Not needed to perform job function)",Position=7)]

        [String]$denyReason,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=8)]

        [hashtable]$token,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=9)]

        [Switch]$WhatIf,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=10)]

        [Switch]$HideWhatIfOutput

    )

    Begin{

        $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL,$EnableTextRecorder,$AuditTimeStamp,$NoSSL,$VaultVersion,$HideWarnings,$AuthenticatedAs,$SubDomain = Get-VPASSession -token $token

        $CommandName = $MyInvocation.MyCommand.Name

        $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType COMMAND

    }

    Process{

        try{

                if([String]::IsNullOrEmpty($requestID)){

                    Write-Verbose "NO REQUEST ID PROVIDED...INVOKING HELPER FUNCTION TO RETRIEVE UNIQUE ACCOUNT REQUEST ID BASED ON SPECIFIED PARAMETERS"

                    [String[]]$requestID = Get-VPASIncomingRequestIDHelper -AcctID $RequestedAcctID -token $token -UserReason $RequestedReason -Safe $RequestedSafe -Username $RequestedUsername -Address $RequestedAddress -Platform $RequestedPlatform

                }

                $reqCount = $requestID.count

                if($reqCount -eq 0 -or $reqCount -gt 1){

                    $log = Write-VPASTextRecorder -inputval "COULD NOT FIND UNIQUE INCOMING REQUEST ENTRY, INCLUDE MORE SEARCH PARAMETERS" -token $token -LogType MISC

                    $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC

                    Write-Verbose "COULD NOT FIND UNIQUE INCOMING REQUEST ENTRY, INCLUDE MORE SEARCH PARAMETERS"

                    Write-VPASOutput -str "COULD NOT FIND UNIQUE INCOMING REQUEST ENTRY, INCLUDE MORE SEARCH PARAMETERS" -type E

                    return $false

                }

                else{

                    $params += @{

                        Reason = $denyReason

                    }

                    $log = Write-VPASTextRecorder -inputval $params -token $token -LogType PARAMS

                    $params = $params | ConvertTo-Json

                    if($NoSSL){

                        Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS"

                        $uri = "http://$PVWA/PasswordVault/API/incomingrequests/$requestID/reject"

                    }

                    else{

                        Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS"

                        $uri = "https://$PVWA/PasswordVault/API/incomingrequests/$requestID/reject"

                    }

                    $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI

                    $log = Write-VPASTextRecorder -inputval "POST" -token $token -LogType METHOD

                    if($WhatIf){

                        $log = Write-VPASTextRecorder -token $token -LogType WHATIF1

                        $WhatIfHash = @{}

                        Write-Verbose "INITIATING COMMAND SIMULATION"

                        $WhatIfInfo = Get-VPASIncomingRequestDetails -requestID "$requestID"

                        $WhatIfPlatformID = $WhatIfInfo."$requestID".AccountDetails.Properties.PlatformName

                        $WhatIfSafeName = $WhatIfInfo."$requestID".AccountDetails.Properties.Safe

                        $WhatIfID = $WhatIfInfo."$requestID".AccountDetails.AccountID

                        $WhatIfName = $WhatIfInfo."$requestID".AccountDetails.Properties.Name

                        $WhatIfAddress = $WhatIfInfo."$requestID".AccountDetails.Properties.Address

                        $WhatIfUsername = $WhatIfInfo."$requestID".AccountDetails.Properties.UserName

                        $WhatIfReason = $WhatIfInfo."$requestID".RequestorReason

                        if(!$HideWhatIfOutput){

                            Write-VPASOutput -str "============ BEGIN COMMAND SIMULATION ============" -type S

                            Write-VPASOutput -str "THE FOLLOWING INCOMING REQUEST WOULD BE REJECTED:" -type S

                            Write-VPASOutput -str "RequestedPlatformID    : $WhatIfPlatformID" -type S

                            Write-VPASOutput -str "RequestedSafeName      : $WhatIfSafeName" -type S

                            Write-VPASOutput -str "RequestedAccountID     : $WhatIfID" -type S

                            Write-VPASOutput -str "RequestedObjectName    : $WhatIfName" -type S

                            Write-VPASOutput -str "RequestedAddress       : $WhatIfAddress" -type S

                            Write-VPASOutput -str "RequestedUserName      : $WhatIfUsername" -type S

                            Write-VPASOutput -str "RequestID              : $requestID" -type S

                            Write-VPASOutput -str "RequestReason          : $WhatIfReason" -type S

                            Write-VPASOutput -str "DenyReason             : $denyReason" -type S

                            Write-VPASOutput -str "---" -type S

                            Write-VPASOutput -str "URI                    : $uri" -type S

                            Write-VPASOutput -str "METHOD                 : POST" -type S

                            Write-VPASOutput -str " " -type S

                            Write-VPASOutput -str "======= END COMMAND SIMULATION =======" -type S

                        }

                        $WhatIfHash = @{

                            WhatIf = @{

                                PlatformID = $WhatIfPlatformID

                                SafeName = $WhatIfSafeName

                                AccountID = $WhatIfID

                                ObjectName = $WhatIfName

                                Address = $WhatIfAddress

                                UserName = $WhatIfUsername

                                RequestID = $requestID

                                RequestReason = $RequestedReason

                                DenyReason = $denyReason

                                RestURI = $uri

                                RestMethod = "POST"

                                Disclaimer = "THIS INCOMING REQUEST WILL BE DENIED IF -WhatIf FLAG IS REMOVED"

                            }

                        }

                        $WhatIfJSON = $WhatIfHash | ConvertTo-Json | ConvertFrom-Json

                        $log = Write-VPASTextRecorder -inputval $WhatIfJSON -token $token -LogType RETURNARRAY

                        $log = Write-VPASTextRecorder -token $token -LogType WHATIF2

                        return $WhatIfJSON

                    }

                    else{

                        if($sessionval){

                            $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -Body $params -ContentType "application/json" -WebSession $sessionval

                        }

                        else{

                            $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -Body $params -ContentType "application/json"

                        }

                        $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: TRUE" -token $token -LogType MISC

                        Write-Verbose "INCOMING REQUEST WAS SUCCESSFULLY DENIED"

                        return $true

                    }

                }

            Write-Verbose "FAILED TO RETRIEVE INCOMING REQUEST DETAILS"

            Write-Verbose "RETURNING FALSE"

            return $false

        }catch{

            $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR

            $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC

            Write-Verbose "UNABLE TO RETRIEVE INCOMING REQUEST DETAILS"

            Write-VPASOutput -str $_ -type E

            return $false

        }

    }

    End{

        $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType DIVIDER

    }

}