public/Invoke-VPASAccountPasswordAction.ps1
<#
.Synopsis ACCOUNT PASSWORD ACTION CREATED BY: Vadim Melamed, EMAIL: vpasmodule@gmail.com .DESCRIPTION USE THIS FUNCTION TO TRIGGER A VERIFY/RECONCILE/CHANGE/CHANGE SPECIFY NEXT PASSWORD/CHANGE ONLY IN VAULT/GENERATE PASSWORD ACTIONS ON AN ACCOUNT IN CYBERARK .LINK https://vpasmodule.com/commands/Invoke-VPASAccountPasswordAction .PARAMETER token HashTable of data containing various pieces of login information (PVWA, LoginToken, HeaderType, etc). If -token is not passed, function will use last known hashtable generated by New-VPASToken .PARAMETER safe Safe name that will be used to query for the target account if no AcctID is passed .PARAMETER username Username that will be used to query for the target account if no AcctID is passed .PARAMETER platform PlatformID that will be used to query for the target account if no AcctID is passed .PARAMETER address Address that will be used to query for the target account if no AcctID is passed .PARAMETER AcctID Unique ID that maps to a single account, passing this variable will skip any query functions .PARAMETER action Specify what action will be run on the account Possible values: Verify, Reconcile, Change, ChangeOnlyInVault, ChangeSetNew, GeneratePassword .PARAMETER InputParameters HashTable of values containing the parameters required to make the API call .PARAMETER newpass Provide a new password if the action is ChangeOnlyInVault or ChangeSetNew .EXAMPLE $AccountPasswordActionJSON = Invoke-VPASAccountPasswordAction -action {ACTION VALUE} -safe {SAFE VALUE} -address {ADDRESS VALUE} -username {USERNAME VALUE} .EXAMPLE $InputParameters = @{ action = "Verify"|"Reconcile"|"Change"|"GeneratePassword"|"ChangeOnlyInVault"|"ChangeSetNew" safe = "TargetSafeName" platform = "TargetPlatformID" username = "TargetUsername" address = "TargetAddress" newPass = "NewSecretPassword" } $AccountPasswordActionJSON = Invoke-VPASAccountPasswordAction -InputParameters $InputParameters .EXAMPLE $InputParameters = @{ action = "Verify"|"Reconcile"|"Change"|"GeneratePassword"|"ChangeOnlyInVault"|"ChangeSetNew" newPass = "NewSecretPassword" AcctID = "12_31" } $AccountPasswordActionJSON = Invoke-VPASAccountPasswordAction -InputParameters $InputParameters .OUTPUTS $true if action was marked successfully GeneratedPassword if action is GENERATE PASSWORD --- $false if failed #> function Invoke-VPASAccountPasswordAction{ [OutputType('System.Object',[bool])] [CmdletBinding(DefaultParameterSetName='Set1')] Param( [Parameter(Mandatory=$true,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true,HelpMessage="Enter action on account (Verify, Reconcile, Change, ChangeOnlyInVault, ChangeSetNew, GeneratePassword)")] [Parameter(Mandatory=$true,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true,HelpMessage="Enter action on account (Verify, Reconcile, Change, ChangeOnlyInVault, ChangeSetNew, GeneratePassword)")] [ValidateSet('Verify','Reconcile','Change','GeneratePassword','ChangeOnlyInVault','ChangeSetNew')] [String]$action, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$safe, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$platform, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$username, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$address, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)] [String]$newPass, [Parameter(Mandatory=$true,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true,HelpMessage="Unique AccountID of the target account (for example: 22_123)")] [String]$AcctID, [Parameter(Mandatory=$true,ParameterSetName='InputParameters',ValueFromPipelineByPropertyName=$true,HelpMessage="Hashtable of parameters required to make API call, refer to get-help -examples for valid inputs")] [hashtable]$InputParameters, [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)] [hashtable]$token ) Begin{ $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL,$EnableTextRecorder,$AuditTimeStamp,$NoSSL,$VaultVersion,$HideWarnings,$AuthenticatedAs,$SubDomain,$EnableTroubleshooting = Get-VPASSession -token $token $CommandName = $MyInvocation.MyCommand.Name $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType COMMAND } Process{ try{ if($PSCmdlet.ParameterSetName -eq "InputParameters"){ $KeyHash = @{ set1 = @{ AcceptableKeys = @("action","safe","platform","username","address","newPass") MandatoryKeys = @("action") } set2 = @{ AcceptableKeys = @("action","AcctID","newPass") MandatoryKeys = @("action","AcctID") } } $CheckSet = Test-VPASHashtableKeysHelper -InputHash $InputParameters -KeyHash $KeyHash if(!$CheckSet){ $log = Write-VPASTextRecorder -inputval "FAILED TO FIND TARGET PARAMETER SET" -token $token -LogType MISC Write-Verbose "FAILED TO FIND TARGET PARAMETER SET" Write-VPASOutput -str "FAILED TO FIND TARGET PARAMETER SET...VIEW EXAMPLES BELOW:" -type E $examples = Write-VPASExampleHelper -CommandName $CommandName return $false } else{ foreach($key in $InputParameters.Keys){ Set-Variable -Name $key -Value $InputParameters.$key } } } }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "FAILED TO INVOKE A PASSWORD ACTION" Write-VPASOutput -str $_ -type E return $false } $triggeraction = 0 $actionlower = $action.ToLower() if($actionlower -eq "verify"){ Write-Verbose "ACTION SET TO VERIFY" $triggeraction = 1 } elseif($actionlower -eq "reconcile"){ Write-Verbose "ACTION SET TO RECONCILE" $triggeraction = 2 } elseif($actionlower -eq "changeonlyinvault"){ Write-Verbose "ACTION SET TO CHANGE PASSWORD ONLY IN VAULT" $triggeraction = 3 if([String]::IsNullOrEmpty($newPass)){ $log = Write-VPASTextRecorder -inputval "CHANGE PASSWORD IN VAULT MUST BE SUPPLIED WITH A NEW PASSWORD" -token $token -LogType MISC $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "CHANGE PASSWORD IN VAULT MUST BE SUPPLIED WITH A NEW PASSWORD" Write-VPASOutput -str "CHANGE PASSWORD IN VAULT MUST BE SUPPLIED WITH A NEW PASSWORD" -type E return $false } } elseif($actionlower -eq "changesetnew"){ Write-Verbose "ACTION SET TO CHANGE PASSWORD SET NEW PASSWORD" $triggeraction = 4 if([String]::IsNullOrEmpty($newPass)){ $log = Write-VPASTextRecorder -inputval "CHANGE PASSWORD SET NEW PASSWORD MUST BE SUPPLIED WITH A NEW PASSWORD" -token $token -LogType MISC $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "CHANGE PASSWORD SET NEW PASSWORD MUST BE SUPPLIED WITH A NEW PASSWORD" Write-VPASOutput -str "CHANGE SET NEW PASSWORD MUST BE SUPPLIED WITH A NEW PASSWORD" -type E return $false } } elseif($actionlower -eq "change"){ Write-Verbose "ACTION SET TO CHANGE" $triggeraction = 5 } elseif($actionlower -eq "generatepassword"){ Write-Verbose "ACTION SET TO GENERATE PASSWORD" $triggeraction = 6 } if([String]::IsNullOrEmpty($AcctID)){ Write-Verbose "NO ACCOUNT ID PROVIDED, INVOKING HELPER FUNCTION" $AcctID = Get-VPASAccountIDHelper -token $token -safe $safe -platform $platform -username $username -address $address Write-Verbose "RETURNING ACCOUNT ID" if($AcctID -eq -1){ $log = Write-VPASTextRecorder -inputval "COULD NOT FIND UNIQUE ACCOUNT ENTRY, INCLUDE MORE SEARCH PARAMETERS" -token $token -LogType MISC $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "COULD NOT FIND UNIQUE ACCOUNT ENTRY, INCLUDE MORE SEARCH PARAMETERS" Write-VPASOutput -str "COULD NOT FIND UNIQUE ACCOUNT ENTRY, INCLUDE MORE SEARCH PARAMETERS" -type E return $false } elseif($AcctID -eq -2){ $log = Write-VPASTextRecorder -inputval "NO ACCOUNTS FOUND" -token $token -LogType MISC $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "NO ACCOUNTS FOUND" Write-VPASOutput -str "NO ACCOUNTS FOUND" -type E return $false } } else{ Write-Verbose "ACCOUNT ID PROVIDED, SKIPPING HELPER FUNCTION" } if($triggeraction -eq 1){ try{ Write-Verbose "MAKING API CALL TO CYBERARK" if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" $uri = "http://$PVWA/PasswordVault/API/Accounts/$AcctID/Verify" } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" $uri = "https://$PVWA/PasswordVault/API/Accounts/$AcctID/Verify" } $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "POST" -token $token -LogType METHOD if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: TRUE" -token $token -LogType MISC Write-Verbose "PARSING DATA FROM CYBERARK" Write-Verbose "RETURNING TRUE" return $true }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "UNABLE TO TRIGGER VERIFY ACTION ON THE ACCOUNT" Write-VPASOutput -str $_ -type E return $false } } elseif($triggeraction -eq 2){ try{ Write-Verbose "MAKING API CALL TO CYBERARK" if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" $uri = "http://$PVWA/PasswordVault/API/Accounts/$AcctID/Reconcile" } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" $uri = "https://$PVWA/PasswordVault/API/Accounts/$AcctID/Reconcile" } $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "POST" -token $token -LogType METHOD if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: TRUE" -token $token -LogType MISC Write-Verbose "PARSING DATA FROM CYBERARK" Write-Verbose "RETURNING TRUE" return $true }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "UNABLE TO TRIGGER RECONCILE ACTION ON THE ACCOUNT" Write-VPASOutput -str $_ -type E return $false } } elseif($triggeraction -eq 3){ try{ Write-Verbose "MAKING API CALL TO CYBERARK" $params = @{ NewCredentials = $newPass } | ConvertTo-Json $logparams = @{ NewCredentials = "{NewCredentials}" } $log = Write-VPASTextRecorder -inputval $logparams -token $token -LogType PARAMS if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" $uri = "http://$PVWA/PasswordVault/API/Accounts/$AcctID/Password/Update" } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" $uri = "https://$PVWA/PasswordVault/API/Accounts/$AcctID/Password/Update" } $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "POST" -token $token -LogType METHOD if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -Body $params -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -Body $params -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: TRUE" -token $token -LogType MISC Write-Verbose "PARSING DATA FROM CYBERARK" Write-Verbose "RETURNING TRUE" return $true }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "UNABLE TO TRIGGER CHANGE PASSWORD IN VAULT ACTION ON THE ACCOUNT" Write-VPASOutput -str $_ -type E return $false } } elseif($triggeraction -eq 4){ try{ Write-Verbose "MAKING API CALL TO CYBERARK" $params = @{ ChangeImmediately = $true NewCredentials = $newPass } | ConvertTo-Json $logparams = @{ ChangeImmediately = $true NewCredentials = "{NewCredentials}" } $log = Write-VPASTextRecorder -inputval $logparams -token $token -LogType PARAMS if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" $uri = "http://$PVWA/PasswordVault/API/Accounts/$AcctID/SetNextPassword" } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" $uri = "https://$PVWA/PasswordVault/API/Accounts/$AcctID/SetNextPassword" } $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "POST" -token $token -LogType METHOD if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -Body $params -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -Body $params -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: TRUE" -token $token -LogType MISC Write-Verbose "PARSING DATA FROM CYBERARK" Write-Verbose "RETURNING TRUE" return $true }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "UNABLE TO TRIGGER CHANGE PASSWORD SET NEW PASSWORD ACTION ON THE ACCOUNT" Write-VPASOutput -str $_ -type E return $false } } elseif($triggeraction -eq 5){ try{ Write-Verbose "MAKING API CALL TO CYBERARK" if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" $uri = "http://$PVWA/PasswordVault/API/Accounts/$AcctID/Change" } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" $uri = "https://$PVWA/PasswordVault/API/Accounts/$AcctID/Change" } $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "POST" -token $token -LogType METHOD if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: TRUE" -token $token -LogType MISC Write-Verbose "PARSING DATA FROM CYBERARK" Write-Verbose "RETURNING TRUE" return $true }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "UNABLE TO TRIGGER CHANGE ACTION ON THE ACCOUNT" Write-VPASOutput -str $_ -type E return $false } } elseif($triggeraction -eq 6){ try{ Write-Verbose "MAKING API CALL TO CYBERARK" if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" $uri = "http://$PVWA/PasswordVault/api/Accounts/$AcctID/Secret/Generate" } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" $uri = "https://$PVWA/PasswordVault/api/Accounts/$AcctID/Secret/Generate" } $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "POST" -token $token -LogType METHOD if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: {GeneratedPassword}" -token $token -LogType MISC Write-Verbose "PARSING DATA FROM CYBERARK" Write-Verbose "RETURNING ACCEPTABLE PASSWORD BASED ON PLATFORM POLICY" Write-VPASOutput -str "RETURNING ACCEPTABLE PASSWORD BASED ON PLATFORM POLICY" -type M Write-VPASOutput -str "NOTE - THIS DID NOT UPDATE THE ACCOUNT IN CYBERARK" -type M return $response }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "UNABLE TO TRIGGER GENERATE PASSWORD ACTION ON THE ACCOUNT" Write-VPASOutput -str $_ -type E return $false } } } End{ $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType DIVIDER } } |