public/Deny-VPASIncomingRequest.ps1
|
<#
.Synopsis DENY AN INCOMING REQUEST IN CYBERARK CREATED BY: Vadim Melamed, EMAIL: vpasmodule@gmail.com .DESCRIPTION USE THIS FUNCTION TO DENY AN INCOMING REQUEST IN CYBERARK .LINK https://vpasmodule.com/commands/Deny-VPASIncomingRequest .PARAMETER token HashTable of data containing various pieces of login information (PVWA, LoginToken, HeaderType, etc). If -token is not passed, function will use last known hashtable generated by New-VPASToken .PARAMETER RequestedSafe Safe name that will be used to query for the target account if no AcctID is passed .PARAMETER RequestedUsername Username that will be used to query for the target account if no AcctID is passed .PARAMETER RequestedPlatform PlatformID that will be used to query for the target account if no AcctID is passed .PARAMETER RequestedAddress Address that will be used to query for the target account if no AcctID is passed .PARAMETER RequestedAcctID Unique ID that maps to a single account, passing this variable will skip query functions to find target account .PARAMETER RequestedReason Reason that will be used to query and find the target account request .PARAMETER requestID Unique ID that maps to a single account request, passing this variable will skip any query functions .PARAMETER denyReason Reason for denying the incoming request, will be saved for audit purposes .PARAMETER WhatIf Run code simulation to see what is affected by running the command as well as any possible implications This is a code simulation flag, meaning the command will NOT actually run .PARAMETER HideWhatIfOutput Suppress any code simulation output from the console .PARAMETER InputParameters HashTable of values containing the parameters required to make the API call .EXAMPLE $DenyIncomingRequestStatus = Deny-VPASIncomingRequest -RequestedSafe {SAFE VALUE} -RequestedPlatform {PLATFORM VALUE} -RequestedUsername {USERNAME VALUE} -RequestedAddress {ADDRESS VALUE} -denyReason {REASON VALUE} .EXAMPLE $DenyIncomingRequestStatus = Deny-VPASIncomingRequest -RequestedAcctID {ACCTID VALUE} -requestID {REQUESTID VALUE} -denyReason {REASON VALUE} .EXAMPLE $WhatIfSimulation = Deny-VPASIncomingRequest -RequestedAcctID {ACCTID VALUE} -requestID {REQUESTID VALUE} -denyReason {REASON VALUE} -WhatIf .EXAMPLE $InputParameters = @{ RequestedSafe = "TargetSafe" RequestedPlatform = "TargetPlatform" RequestedUsername = "TargetUsername" RequestedAddress = "TargetAddress" RequestedReason = "Vadim request this account to test for a demo" denyReason = "Vman denied this request" WhatIf = $true|$false HideWhatIfOutput = $true|$false } $DenyIncomingRequestStatus = Deny-VPASIncomingRequest -InputParameters $InputParameters .EXAMPLE $InputParameters = @{ RequestedAcctID = "22_123" RequestedReason = "Vadim request this account to test for a demo" denyReason = "Vman denied this request" WhatIf = $true|$false HideWhatIfOutput = $true|$false } $DenyIncomingRequestStatus = Deny-VPASIncomingRequest -InputParameters $InputParameters .EXAMPLE $InputParameters = @{ requestID = "123_4" denyReason = "Vman denied this request" WhatIf = $true|$false HideWhatIfOutput = $true|$false } $DenyIncomingRequestStatus = Deny-VPASIncomingRequest -InputParameters $InputParameters .OUTPUTS $true if successful --- $false if failed #> function Deny-VPASIncomingRequest{ [OutputType([bool],'System.Object')] [CmdletBinding(DefaultParameterSetName='Set1')] Param( [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$RequestedSafe, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$RequestedPlatform, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$RequestedUsername, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$RequestedAddress, [Parameter(Mandatory=$true,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true,HelpMessage="Unique AccountID of the target account (for example: 22_123)")] [String]$RequestedAcctID, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)] [String]$RequestedReason, [Parameter(Mandatory=$true,ParameterSetName='Set3',ValueFromPipelineByPropertyName=$true,HelpMessage="Unique ID of the target Request (for example: 123_4)")] [String]$requestID, [Parameter(Mandatory=$true,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true,HelpMessage="Enter a reason for denying the incoming request (for example: Not needed to perform job function)")] [Parameter(Mandatory=$true,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true,HelpMessage="Enter a reason for denying the incoming request (for example: Not needed to perform job function)")] [Parameter(Mandatory=$true,ParameterSetName='Set3',ValueFromPipelineByPropertyName=$true,HelpMessage="Enter a reason for denying the incoming request (for example: Not needed to perform job function)")] [String]$denyReason, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)] [Parameter(Mandatory=$false,ParameterSetName='Set3',ValueFromPipelineByPropertyName=$true)] [Switch]$WhatIf, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)] [Parameter(Mandatory=$false,ParameterSetName='Set3',ValueFromPipelineByPropertyName=$true)] [Switch]$HideWhatIfOutput, [Parameter(Mandatory=$true,ParameterSetName='InputParameters',ValueFromPipelineByPropertyName=$true,HelpMessage="Hashtable of parameters required to make API call, refer to get-help -examples for valid inputs")] [hashtable]$InputParameters, [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)] [hashtable]$token ) Begin{ $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL,$EnableTextRecorder,$AuditTimeStamp,$NoSSL,$VaultVersion,$HideWarnings,$AuthenticatedAs,$SubDomain,$EnableTroubleshooting = Get-VPASSession -token $token $CommandName = $MyInvocation.MyCommand.Name $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType COMMAND } Process{ try{ if($PSCmdlet.ParameterSetName -eq "InputParameters"){ $KeyHash = @{ set1 = @{ AcceptableKeys = @("RequestedSafe","RequestedPlatform","RequestedUsername","RequestedAddress","RequestedReason","denyReason","WhatIf","HideWhatIfOutput") MandatoryKeys = @("denyReason") } set2 = @{ AcceptableKeys = @("RequestedAcctID","RequestedReason","denyReason","WhatIf","HideWhatIfOutput") MandatoryKeys = @("RequestedAcctID","denyReason") } set3 = @{ AcceptableKeys = @("requestID","denyReason","WhatIf","HideWhatIfOutput") MandatoryKeys = @("requestID","denyReason") } } $CheckSet = Test-VPASHashtableKeysHelper -InputHash $InputParameters -KeyHash $KeyHash if(!$CheckSet){ $log = Write-VPASTextRecorder -inputval "FAILED TO FIND TARGET PARAMETER SET" -token $token -LogType MISC Write-Verbose "FAILED TO FIND TARGET PARAMETER SET" Write-VPASOutput -str "FAILED TO FIND TARGET PARAMETER SET...VIEW EXAMPLES BELOW:" -type E $examples = Write-VPASExampleHelper -CommandName $CommandName return $false } else{ foreach($key in $InputParameters.Keys){ Set-Variable -Name $key -Value $InputParameters.$key } } } }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "FAILED TO DENY ACCOUNT REQUEST" Write-VPASOutput -str $_ -type E return $false } try{ if([String]::IsNullOrEmpty($requestID)){ Write-Verbose "NO REQUEST ID PROVIDED...INVOKING HELPER FUNCTION TO RETRIEVE UNIQUE ACCOUNT REQUEST ID BASED ON SPECIFIED PARAMETERS" [String[]]$requestID = Get-VPASIncomingRequestIDHelper -AcctID $RequestedAcctID -token $token -UserReason $RequestedReason -Safe $RequestedSafe -Username $RequestedUsername -Address $RequestedAddress -Platform $RequestedPlatform } $reqCount = $requestID.count if($reqCount -eq 0 -or $reqCount -gt 1){ $log = Write-VPASTextRecorder -inputval "COULD NOT FIND UNIQUE INCOMING REQUEST ENTRY, INCLUDE MORE SEARCH PARAMETERS" -token $token -LogType MISC $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "COULD NOT FIND UNIQUE INCOMING REQUEST ENTRY, INCLUDE MORE SEARCH PARAMETERS" Write-VPASOutput -str "COULD NOT FIND UNIQUE INCOMING REQUEST ENTRY, INCLUDE MORE SEARCH PARAMETERS" -type E return $false } else{ $params += @{ Reason = $denyReason } $log = Write-VPASTextRecorder -inputval $params -token $token -LogType PARAMS $params = $params | ConvertTo-Json if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" $uri = "http://$PVWA/PasswordVault/API/incomingrequests/$requestID/reject" } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" $uri = "https://$PVWA/PasswordVault/API/incomingrequests/$requestID/reject" } $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "POST" -token $token -LogType METHOD if($WhatIf){ $log = Write-VPASTextRecorder -token $token -LogType WHATIF1 $WhatIfHash = @{} Write-Verbose "INITIATING COMMAND SIMULATION" $WhatIfInfo = Get-VPASIncomingRequestDetails -requestID "$requestID" $WhatIfPlatformID = $WhatIfInfo."$requestID".AccountDetails.Properties.PlatformName $WhatIfSafeName = $WhatIfInfo."$requestID".AccountDetails.Properties.Safe $WhatIfID = $WhatIfInfo."$requestID".AccountDetails.AccountID $WhatIfName = $WhatIfInfo."$requestID".AccountDetails.Properties.Name $WhatIfAddress = $WhatIfInfo."$requestID".AccountDetails.Properties.Address $WhatIfUsername = $WhatIfInfo."$requestID".AccountDetails.Properties.UserName $WhatIfReason = $WhatIfInfo."$requestID".RequestorReason if(!$HideWhatIfOutput){ Write-VPASOutput -str "============ BEGIN COMMAND SIMULATION ============" -type S Write-VPASOutput -str "THE FOLLOWING INCOMING REQUEST WOULD BE REJECTED:" -type S Write-VPASOutput -str "RequestedPlatformID : $WhatIfPlatformID" -type S Write-VPASOutput -str "RequestedSafeName : $WhatIfSafeName" -type S Write-VPASOutput -str "RequestedAccountID : $WhatIfID" -type S Write-VPASOutput -str "RequestedObjectName : $WhatIfName" -type S Write-VPASOutput -str "RequestedAddress : $WhatIfAddress" -type S Write-VPASOutput -str "RequestedUserName : $WhatIfUsername" -type S Write-VPASOutput -str "RequestID : $requestID" -type S Write-VPASOutput -str "RequestReason : $WhatIfReason" -type S Write-VPASOutput -str "DenyReason : $denyReason" -type S Write-VPASOutput -str "---" -type S Write-VPASOutput -str "URI : $uri" -type S Write-VPASOutput -str "METHOD : POST" -type S Write-VPASOutput -str " " -type S Write-VPASOutput -str "======= END COMMAND SIMULATION =======" -type S } $WhatIfHash = @{ WhatIf = @{ PlatformID = $WhatIfPlatformID SafeName = $WhatIfSafeName AccountID = $WhatIfID ObjectName = $WhatIfName Address = $WhatIfAddress UserName = $WhatIfUsername RequestID = $requestID RequestReason = $RequestedReason DenyReason = $denyReason RestURI = $uri RestMethod = "POST" Disclaimer = "THIS INCOMING REQUEST WILL BE DENIED IF -WhatIf FLAG IS REMOVED" } } $WhatIfJSON = $WhatIfHash | ConvertTo-Json | ConvertFrom-Json $log = Write-VPASTextRecorder -inputval $WhatIfJSON -token $token -LogType RETURNARRAY $log = Write-VPASTextRecorder -token $token -LogType WHATIF2 return $WhatIfJSON } else{ if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -Body $params -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -Body $params -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: TRUE" -token $token -LogType MISC Write-Verbose "INCOMING REQUEST WAS SUCCESSFULLY DENIED" return $true } } Write-Verbose "FAILED TO RETRIEVE INCOMING REQUEST DETAILS" Write-Verbose "RETURNING FALSE" return $false }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "UNABLE TO RETRIEVE INCOMING REQUEST DETAILS" Write-VPASOutput -str $_ -type E return $false } } End{ $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType DIVIDER } } |