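<#
.SYNOPSIS
Get a list of all registered plugins or a specific plugin by name.

.DESCRIPTION
The Secrets Broker uses individualized plugins that are capable of pushing
credential information to a specific third party vault. Each plugin must be
installed and configured individually.

This cmdlet lists all of the plugins that have been installed along with the
specific configuration parameters if invoked with no parameters. If a plugin
name is provided, it returns the configuration parameters for that plugin.

.PARAMETER PluginName
The name of an installed plugin.

.EXAMPLE
Get-SgDevOpsPlugin

.EXAMPLE
Get-SgDevOpsPlugin -PluginName HashiCorpVault
#>
function Get-SgDevOpsPlugin
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false, Position=0)]
        [string]$PluginName
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # An empty name means "list everything"; otherwise address the single plugin.
    if ($PluginName)
    {
        Invoke-SgDevOpsMethod GET "Plugins/$PluginName"
    }
    else
    {
        Invoke-SgDevOpsMethod GET "Plugins"
    }
}

<#
.SYNOPSIS
Upload and install a new plugin.

.DESCRIPTION
The Secrets Broker uses individualized plugins that are capable of pushing
credential information to a specific third party vault. Each plugin must be
installed and configured individually.

The plugin must be a zip compressed file. The plugin is installed into the
\ProgramData\SafeguardDevOpsService\ExternalPlugins folder.

If a new plugin is being installed, restarting the service may not be
necessary. However, if an existing plugin is being upgraded, the service does
not have the ability to unload a loaded plugin. Therefore all plugin updates
will be installed to a staging folder. The next time that the Secrets Broker
service is restarted, all staged plugins will be moved to the external plugin
folder and loaded.

To restart automatically after installing a plugin, set the Restart flag.

.PARAMETER PluginZipFile
The path and file name of the plugin to be installed. Relative paths are
resolved against the current PowerShell location.

.PARAMETER Restart
A switch that indicates whether the Secrets Broker should be restarted after
installing the plugin.

.EXAMPLE
Install-SgDevOpsPlugin c:\my\plugin\path\pluginfile.zip
#>
function Install-SgDevOpsPlugin
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, Position=0)]
        [string]$PluginZipFile,
        [Parameter(Mandatory=$false)]
        [switch]$Restart
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # [System.IO.File] resolves relative paths against the process working
    # directory, which need not match the PowerShell location ($PWD). Resolve
    # through the provider first so a relative path means what the caller
    # expects; this also fails early with a PowerShell error when the file
    # does not exist, rather than a raw .NET FileNotFoundException.
    $local:ZipPath = (Resolve-Path -LiteralPath $PluginZipFile).ProviderPath

    # The service expects the whole zip inline as base64 in the request body.
    $local:Bytes = [System.IO.File]::ReadAllBytes($local:ZipPath)
    $local:Base64PluginData = [System.Convert]::ToBase64String($local:Bytes)

    Invoke-SgDevOpsMethod POST "Plugins" -Parameters @{ restart = [bool]$Restart } `
        -Body @{ Base64PluginData = $local:Base64PluginData }

    Write-Host "Plugin has been installed. Call Get-SgDevOpsPlugin to see installed plugins."
    if ($Restart)
    {
        Write-Host "The Secrets Broker will restart, you must reconnect using Connect-SgDevOps."
    }
}

<#
.SYNOPSIS
Delete the configuration for a specific plugin.

.DESCRIPTION
The Secrets Broker uses individualized plugins that are capable of pushing
credential information to a specific third party vault. Each plugin must be
installed and configured individually.

This cmdlet removes the configuration for a specific plugin by name and
unregisters the plugin from the Secrets Broker. However, it does not remove
the plugin from the \ProgramData\SafeguardDevOpsService\ExternalPlugins
folder. The plugin files must be manually removed from the ExternalPlugins
folder once the Secrets Broker service has been stopped.

.PARAMETER PluginName
The name of an installed plugin.

.EXAMPLE
Remove-SgDevOpsPlugin -PluginName HashiCorpVault
#>
function Remove-SgDevOpsPlugin
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, Position=0)]
        [string]$PluginName
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    Invoke-SgDevOpsMethod DELETE "Plugins/$PluginName"
}

<#
.SYNOPSIS
Get the account that holds the vault credential mapped to a plugin.

.DESCRIPTION
Secrets Broker uses individualized plugins that are capable of pushing
credential information to a specific third party vault. Each plugin usually
has a credential that is used to authenticate to the third party vault; this
cmdlet returns the asset-account mapped to the plugin for that purpose.

.PARAMETER PluginName
The name of an installed plugin.

.EXAMPLE
Get-SgDevOpsPluginVaultAccount -PluginName HashiCorpVault
#>
function Get-SgDevOpsPluginVaultAccount
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, Position=0)]
        [string]$PluginName
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    Invoke-SgDevOpsMethod GET "Plugins/$PluginName/VaultAccount"
}

<#
.SYNOPSIS
Map an account with the vault credential to a plugin.

.DESCRIPTION
The Secrets Broker uses individualized plugins that are capable of pushing
credentials to a specific third party vault. Each plugin usually has a
credential that is used to authenticate to the third party vault. This
credential must be stored in the Safeguard appliance and fetched at the time
when Safeguard Secrets Broker for DevOps needs to authenticate to the third
party vault.

The Asset, Account and Domain parameters are used to resolve an asset-account
that should be used by the plugin to authenticate to the third party vault.
This asset-account is mapped to the plugin and the credential associated with
it is pulled from Safeguard at the time when the plugin needs to authenticate
to the third party vault. (See Get-SgDevOpsAvailableAssetAccount)

.PARAMETER PluginName
The name of an installed plugin.

.PARAMETER Asset
The name of an asset.

.PARAMETER Account
The name of an account.

.PARAMETER Domain
The name of a domain that the asset-account belongs to (optional).

.EXAMPLE
Set-SgDevOpsPluginVaultAccount -PluginName HashiCorpVault -Asset MyVaultAsset -Account MyVaultAccount
#>
function Set-SgDevOpsPluginVaultAccount
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, Position=0)]
        [string]$PluginName,
        [Parameter(Mandatory=$true, Position=1)]
        [object]$Asset,
        [Parameter(Mandatory=$true, Position=2)]
        [object]$Account,
        # The body already passed -Domain $Domain to the resolver without
        # declaring it (an unset variable, which strict mode rejects); it is
        # declared here the same way Add-SgDevOpsMappedAssetAccount does.
        [Parameter(Mandatory=$false)]
        [string]$Domain
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    Import-Module -Name "$PSScriptRoot\ps-utilities.psm1" -Scope Local

    # The resolver may return several matches; only the first is mapped.
    $local:AssetAccount = (Resolve-SgDevOpsAvailableAccount $Asset $Account -Domain $Domain)[0]
    Invoke-SgDevOpsMethod PUT "Plugins/$PluginName/VaultAccount" -Body $local:AssetAccount
}

<#
.SYNOPSIS
Get the settings for a specific plugin.

.DESCRIPTION
The Secrets Broker uses individualized plugins that are capable of pushing
credentials to a specific third party vault. Each plugin must be installed
and configured individually.

.PARAMETER PluginName
The name of an installed plugin.

.PARAMETER SettingName
The name of a plugin setting. When omitted, the whole configuration is
returned.

.EXAMPLE
Get-SgDevOpsPluginSetting -PluginName HashiCorpVault

.EXAMPLE
Get-SgDevOpsPluginSetting -PluginName HashiCorpVault -SettingName NetworkAddress
#>
function Get-SgDevOpsPluginSetting
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, Position=0)]
        [string]$PluginName,
        [Parameter(Mandatory=$false, Position=1)]
        [string]$SettingName
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    $local:Plugin = (Get-SgDevOpsPlugin $PluginName)
    if ($SettingName)
    {
        # Dot access (rather than [$SettingName] indexing) matches
        # Set-SgDevOpsPluginSetting and works whether Configuration is a
        # hashtable or a deserialized PSCustomObject.
        $local:Plugin.Configuration.$SettingName
    }
    else
    {
        $local:Plugin.Configuration
    }
}

<#
.SYNOPSIS
Update a setting for a plugin.

.DESCRIPTION
The Secrets Broker uses individualized plugins that are capable of pushing
credentials to a specific third party vault. Each plugin must be installed
and configured individually.

The whole plugin object is fetched, the one setting is changed, and the
object is written back.

.PARAMETER PluginName
The name of an installed plugin.

.PARAMETER SettingName
The name of a plugin setting.

.PARAMETER SettingValue
New value for the plugin setting.

.EXAMPLE
Set-SgDevOpsPluginSetting -PluginName HashiCorpVault -SettingName NetworkAddress -SettingValue 192.168.1.1
#>
function Set-SgDevOpsPluginSetting
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, Position=0)]
        [string]$PluginName,
        [Parameter(Mandatory=$true, Position=1)]
        [string]$SettingName,
        [Parameter(Mandatory=$true, Position=2)]
        [string]$SettingValue
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Read-modify-write of the full plugin object; NOTE(review): if
    # Configuration is a deserialized object, assigning a setting name the
    # plugin does not already expose will fail here — confirm that is intended.
    $local:Plugin = (Get-SgDevOpsPlugin $PluginName)
    $local:Plugin.Configuration.$SettingName = $SettingValue
    Invoke-SgDevOpsMethod PUT "Plugins/$PluginName" -Body $local:Plugin
}

<#
.SYNOPSIS
Get the list of accounts that are mapped to a vault plugin.

.DESCRIPTION
The Secrets Broker uses individualized plugins that are capable of pushing
credentials to a specific third party vault. Accounts must be mapped to each
plugin so that the corresponding credential can be pushed to the third party
vault. By mapping an account to a plugin, the Secrets Broker monitor will
detect a password change for the mapped account and push the new credential
to the plugin.

.PARAMETER PluginName
The name of an installed plugin.

.EXAMPLE
Get-SgDevOpsMappedAssetAccount -PluginName HashiCorpVault
#>
function Get-SgDevOpsMappedAssetAccount
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, Position=0)]
        [string]$PluginName
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    Invoke-SgDevOpsMethod GET "Plugins/$PluginName/Accounts"
}

<#
.SYNOPSIS
Map an account or an array of accounts to a vault plugin.

.DESCRIPTION
The Secrets Broker uses individualized plugins that are capable of pushing
credentials to a specific third party vault. Accounts must be mapped to each
plugin so that the corresponding credential can be pushed to the third party
vault. By mapping an account to a plugin, the Secrets Broker monitor will
detect a password change for the mapped account and push the new credential
to the plugin.

The Asset, Account and Domain parameters are used to resolve an asset-account
that is already in the A2A registration. If an array of asset-accounts is
provided, the Asset, Account and Domain parameters should be omitted.

.PARAMETER PluginName
The name of an installed plugin.

.PARAMETER Asset
The name of an asset.

.PARAMETER Account
The name of an account.

.PARAMETER Domain
The name of a domain that the asset-account belongs to.

.PARAMETER AccountObjects
An array of account objects to map to the plugin.
(see Get-SgDevOpsRegisteredAssetAccount)

.EXAMPLE
Add-SgDevOpsMappedAssetAccount -PluginName HashiCorpVault -Asset MyServer -Account MyAccount

.EXAMPLE
Add-SgDevOpsMappedAssetAccount -PluginName HashiCorpVault -AccountObjects $MyAccounts
#>
function Add-SgDevOpsMappedAssetAccount
{
    [CmdletBinding(DefaultParameterSetName="Attributes")]
    Param(
        [Parameter(Mandatory=$true, Position=0)]
        [string]$PluginName,
        [Parameter(ParameterSetName="Attributes", Mandatory=$true, Position=1)]
        [string]$Asset,
        [Parameter(ParameterSetName="Attributes", Mandatory=$true, Position=2)]
        [string]$Account,
        [Parameter(ParameterSetName="Attributes", Mandatory=$false)]
        [string]$Domain,
        [Parameter(ParameterSetName="Objects", Mandatory=$true)]
        [object[]]$AccountObjects
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    Import-Module -Name "$PSScriptRoot\ps-utilities.psm1" -Scope Local

    # Every entry is resolved against the A2A registration before being sent,
    # so only registered accounts can be mapped.
    [object[]]$local:NewList = @()
    if ($PSCmdlet.ParameterSetName -eq "Attributes")
    {
        $local:NewList += (Resolve-SgDevOpsRegisteredAccount $Asset $Account -Domain $Domain)
    }
    else
    {
        $AccountObjects | ForEach-Object {
            $local:NewList += (Resolve-SgDevOpsRegisteredAccount -Account $_)
        }
    }

    Invoke-SgDevOpsMethod PUT "Plugins/$PluginName/Accounts" -Body $local:NewList
}

<#
.SYNOPSIS
Remove an account or an array of accounts from a vault plugin.

.DESCRIPTION
The Secrets Broker uses individualized plugins that are capable of pushing
credentials to a specific third party vault. Accounts must be mapped to each
plugin so that the corresponding credential can be pushed to the third party
vault. By mapping an account to a plugin, the Secrets Broker monitor will
detect a password change for the mapped account and push the new credential
to the plugin.

The Asset, Account and Domain parameters are used to resolve the asset-account
to unmap from the plugin. If an array of asset-accounts is provided, the
Asset, Account and Domain parameters should be omitted.

Returns the plugin's mapped accounts after the removal.

.PARAMETER PluginName
The name of an installed plugin.

.PARAMETER Asset
The name of an asset.

.PARAMETER Account
The name of an account.

.PARAMETER Domain
The name of a domain that the asset-account belongs to.

.PARAMETER AccountObjects
An array of account objects to unmap from the plugin.
(see Get-SgDevOpsMappedAssetAccount)

.EXAMPLE
Remove-SgDevOpsMappedAssetAccount -PluginName HashiCorpVault -Asset MyServer -Account MyAccount

.EXAMPLE
Remove-SgDevOpsMappedAssetAccount -PluginName HashiCorpVault -AccountObjects $MyAccounts
#>
function Remove-SgDevOpsMappedAssetAccount
{
    [CmdletBinding(DefaultParameterSetName="Attributes")]
    Param(
        [Parameter(Mandatory=$true, Position=0)]
        [string]$PluginName,
        [Parameter(ParameterSetName="Attributes", Mandatory=$true, Position=1)]
        [string]$Asset,
        [Parameter(ParameterSetName="Attributes", Mandatory=$true, Position=2)]
        [string]$Account,
        [Parameter(ParameterSetName="Attributes", Mandatory=$false)]
        [string]$Domain,
        # Mandatory for consistency with Add-SgDevOpsMappedAssetAccount; the
        # "Objects" set is only selected when this parameter is supplied anyway.
        [Parameter(ParameterSetName="Objects", Mandatory=$true)]
        [object[]]$AccountObjects
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # NOTE(review): candidates come from the A2A registration (all registered
    # accounts), not from this plugin's own mapping, so a registered but
    # unmapped account can reach the DELETE below; whether the service rejects
    # that is not visible here — confirm, or switch to
    # Get-SgDevOpsMappedAssetAccount $PluginName if the shapes match.
    $local:MappedAccounts = (Get-SgDevOpsRegisteredAssetAccount)

    [object[]]$local:RemoveList = @()
    if ($PSCmdlet.ParameterSetName -eq "Attributes")
    {
        # Name matching is case-insensitive; Domain narrows the match only
        # when given.
        if ($Domain)
        {
            $local:RemoveList += ($local:MappedAccounts | Where-Object {
                $_.SystemName -ieq $Asset -and $_.AccountName -ieq $Account -and $_.DomainName -ieq $Domain })
        }
        else
        {
            $local:RemoveList += ($local:MappedAccounts | Where-Object {
                $_.SystemName -ieq $Asset -and $_.AccountName -ieq $Account })
        }
    }
    else
    {
        $AccountObjects | ForEach-Object {
            $local:Object = $_
            if ($local:Object.AccountId)
            {
                $local:RemoveList += ($local:MappedAccounts | Where-Object { $_.AccountId -eq $local:Object.AccountId })
            }
            else
            {
                # available asset accounts carry an Id rather than an AccountId
                $local:RemoveList += ($local:MappedAccounts | Where-Object { $_.AccountId -eq $local:Object.Id })
            }
        }
    }

    if (-not $local:RemoveList)
    {
        throw "Unable to find specified mapped asset accounts to remove."
    }

    Invoke-SgDevOpsMethod DELETE "Plugins/$PluginName/Accounts" -Body $local:RemoveList

    # return the current list
    Get-SgDevOpsMappedAssetAccount $PluginName
}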