public/Get-VPASPasswordHistory.ps1
|
<#
.Synopsis GET PASSWORD HISTORY CREATED BY: Vadim Melamed, EMAIL: vpasmodule@gmail.com .DESCRIPTION USE THIS FUNCTION TO GET HISTORY OF OLD PASSWORDS OF AN ACCOUNT IN CYBERARK .LINK https://vpasmodule.com/commands/Get-VPASPasswordHistory .PARAMETER token HashTable of data containing various pieces of login information (PVWA, LoginToken, HeaderType, etc). If -token is not passed, function will use last known hashtable generated by New-VPASToken .PARAMETER safe Safe name that will be used to query for the target account if no AcctID is passed .PARAMETER username Username that will be used to query for the target account if no AcctID is passed .PARAMETER platform PlatformID that will be used to query for the target account if no AcctID is passed .PARAMETER address Address that will be used to query for the target account if no AcctID is passed .PARAMETER AcctID Unique ID that maps to a single account, passing this variable will skip any query functions .PARAMETER InputParameters HashTable of values containing the parameters required to make the API call .PARAMETER ShowTemporary Specify if temporary passwords should be included in the history that is being pulled Temporary passwords are passwords that the CPM attempted to set on the account but failed to do so .EXAMPLE $AccountPasswordsHistoryJSON = Get-VPASPasswordHistory -ShowTemporary -safe {SAFE VALUE} -address {ADDRESS VALUE} .EXAMPLE $InputParameters = @{ safe = "TargetSafe" platform = "TargetPlatformID" username = "TargetUsername" address = "TargetAddress" ShowTemporary = $true|$false } $AccountPasswordsHistoryJSON = Get-VPASPasswordHistory -InputParameters $InputParameters .EXAMPLE $InputParameters = @{ AcctID = "25_13" ShowTemporary = $true|$false } $AccountPasswordsHistoryJSON = Get-VPASPasswordHistory -InputParameters $InputParameters .OUTPUTS If successful: { "Versions": [ { "versionID": 43, "modifiedBy": "vadim@vman.com", "modificationDate": 1721098334, "isTemporary": false }, { "versionID": 44, "modifiedBy": "vadim@vman.com", "modificationDate": 1721098984, "isTemporary": false } ], "Total": 2 } --- $false if failed #> function Get-VPASPasswordHistory{ [OutputType('System.Object',[bool])] [CmdletBinding(DefaultParameterSetName='Set1')] Param( [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$safe, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$platform, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$username, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [String]$address, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)] [Switch]$ShowTemporary, [Parameter(Mandatory=$true,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true,HelpMessage="Unique AccountID of the target account (for example: 22_123)")] [String]$AcctID, [Parameter(Mandatory=$true,ParameterSetName='InputParameters',ValueFromPipelineByPropertyName=$true,HelpMessage="Hashtable of parameters required to make API call, refer to get-help -examples for valid inputs")] [hashtable]$InputParameters, [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)] [hashtable]$token ) Begin{ $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL,$EnableTextRecorder,$AuditTimeStamp,$NoSSL,$VaultVersion,$HideWarnings,$AuthenticatedAs,$SubDomain,$EnableTroubleshooting = Get-VPASSession -token $token $CommandName = $MyInvocation.MyCommand.Name $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType COMMAND } Process{ try{ if($PSCmdlet.ParameterSetName -eq "InputParameters"){ $KeyHash = @{ set1 = @{ AcceptableKeys = @("safe","platform","username","address","ShowTemporary") MandatoryKeys = @() } set2 = @{ AcceptableKeys = @("AcctID","ShowTemporary") MandatoryKeys = @("AcctID") } } $CheckSet = Test-VPASHashtableKeysHelper -InputHash $InputParameters -KeyHash $KeyHash if(!$CheckSet){ $log = Write-VPASTextRecorder -inputval "FAILED TO FIND TARGET PARAMETER SET" -token $token -LogType MISC Write-Verbose "FAILED TO FIND TARGET PARAMETER SET" Write-VPASOutput -str "FAILED TO FIND TARGET PARAMETER SET...VIEW EXAMPLES BELOW:" -type E $examples = Write-VPASExampleHelper -CommandName $CommandName return $false } else{ foreach($key in $InputParameters.Keys){ Set-Variable -Name $key -Value $InputParameters.$key } } } }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "FAILED TO RETRIEVE PASSWORD HISTORY" Write-VPASOutput -str $_ -type E return $false } if([String]::IsNullOrEmpty($AcctID)){ Write-Verbose "NO ACCOUNT ID PROVIDED, INVOKING HELPER FUNCTION" $AcctID = Get-VPASAccountIDHelper -token $token -safe $safe -platform $platform -username $username -address $address write-verbose "ACCOUNT ID WAS RETURNED" if($AcctID -eq -1){ $log = Write-VPASTextRecorder -inputval "COULD NOT FIND UNIQUE ACCOUNT ENTRY, INCLUDE MORE SEARCH PARAMETERS" -token $token -LogType MISC $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "COULD NOT FIND UNIQUE ACCOUNT ENTRY WITH SPECIFIED PARAMETERS" Write-VPASOutput -str "COULD NOT FIND UNIQUE ACCOUNT ENTRY, INCLUDE MORE SEARCH PARAMETERS" -type E return $false } elseif($AcctID -eq -2){ $log = Write-VPASTextRecorder -inputval "COULD NOT FIND ACCOUNT WITH SPECIFIED PARAMETERS" -token $token -LogType MISC $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "COULD NOT FIND ACCOUNT WITH SPECIFIED PARAMETERS" Write-VPASOutput -str "NO ACCOUNTS FOUND" -type E return $false } else{ try{ Write-Verbose "MAKING API CALL TO CYBERARK" if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" if($ShowTemporary){ write-verbose "SHOWTEMPORARY PASSWORDS ENABLED" $uri = "http://$PVWA/PasswordVault/api/Accounts/$AcctID/Secret/Versions?showTemporary=true" } else{ write-verbose "SHOWTEMPORARY PASSWORD IS NOT ENABLED" $uri = "http://$PVWA/PasswordVault/api/Accounts/$AcctID/Secret/Versions?showTemporary=false" } } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" if($ShowTemporary){ write-verbose "SHOWTEMPORARY PASSWORDS ENABLED" $uri = "https://$PVWA/PasswordVault/api/Accounts/$AcctID/Secret/Versions?showTemporary=true" } else{ write-verbose "SHOWTEMPORARY PASSWORD IS NOT ENABLED" $uri = "https://$PVWA/PasswordVault/api/Accounts/$AcctID/Secret/Versions?showTemporary=false" } } $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "GET" -token $token -LogType METHOD if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval $response -token $token -LogType RETURN $log = Write-VPASTextRecorder -inputval "===BREAK===" -token $token -LogType MISC $log = Write-VPASTextRecorder -inputval $response -token $token -LogType RETURNARRAY Write-Verbose "PARSING DATA FROM CYBERARK" Write-Verbose "RETURNING PASSWORD HISTORY" return $response }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "COULD NOT RETRIEVE PASSWORD HISTORY" Write-VPASOutput -str $_ -type E return $false } } } else{ Write-Verbose "ACCOUNT ID PROVIDED, SKIPPING HELPER FUNCTION" try{ Write-Verbose "MAKING API CALL TO CYBERARK" if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" if($ShowTemporary){ write-verbose "SHOWTEMPORARY PASSWORDS ENABLED" $uri = "http://$PVWA/PasswordVault/api/Accounts/$AcctID/Secret/Versions?showTemporary=true" } else{ write-verbose "SHOWTEMPORARY PASSWORD IS NOT ENABLED" $uri = "http://$PVWA/PasswordVault/api/Accounts/$AcctID/Secret/Versions?showTemporary=false" } } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" if($ShowTemporary){ write-verbose "SHOWTEMPORARY PASSWORDS ENABLED" $uri = "https://$PVWA/PasswordVault/api/Accounts/$AcctID/Secret/Versions?showTemporary=true" } else{ write-verbose "SHOWTEMPORARY PASSWORD IS NOT ENABLED" $uri = "https://$PVWA/PasswordVault/api/Accounts/$AcctID/Secret/Versions?showTemporary=false" } } $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "GET" -token $token -LogType METHOD if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval $response -token $token -LogType RETURN $log = Write-VPASTextRecorder -inputval "===BREAK===" -token $token -LogType MISC $log = Write-VPASTextRecorder -inputval $response -token $token -LogType RETURNARRAY Write-Verbose "PARSING DATA FROM CYBERARK" Write-Verbose "RETURNING PASSWORD HISTORY" return $response }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "COULD NOT RETRIEVE PASSWORD HISTORY" Write-VPASOutput -str $_ -type E return $false } } } End{ $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType DIVIDER } } |