Devolutions.Server

2022.3.0.0

Public/Vaults/Set-DSVaultRoles.ps1

                                function Set-DSVaultRoles {

    <#

    .SYNOPSIS

        Sets the allowed user groups for a given vault.

        .DESCRIPTION

        Sets which user groups have access to a given vault. If the "Update" flag is present and a supplied user group's name is already a member of the vault, it will remove this user group.

        .EXAMPLE

        No update flag, no user groups allowed

        Current user groups allowed in vault:

        None

        Set-DSVaultRoles @("Role1", "Role2")

        -> Allowed user groups: Role1, Role2

        .EXAMPLE

        No update flag, some user groups allowed

        Current user groups allowed in vault:

        Role1, Role2

        Set-DSVaultRoles @("Role3")

        -> Allowed user groups: Role3

        .EXAMPLE

        Update flag present, some user groups allowed (Add another)

        Current user groups allowed in vault:

        Role1

        Set-DSVaultRoles @("Role2") -Update 

        -> Allowed user groups: Role1, Role2

        .EXAMPLE

        Update flag present, some user groups allowed (Remove an user group)

        Current user groups allowed in vault:

        Role1, Role2

        Set-DSVaultRoles @("Role2", "Role3") -Update 

        -> Allowed user groups: Role1, Role3

    #>

    [CmdletBinding()]

    PARAM (

        [ValidateNotNullOrEmpty()]

        #Vault's ID to update

        [guid]$VaultID,

        #String array with user groups names (Not ID's) to allow in vault

        [string[]]$AllowedRolesList,

        #Used to know if we're creating a vault or updating a currently existing one

        [switch]$Update

    )

    PROCESS {

        try {

            [object[]]$Roles = if ($Update) {

                (Invoke-DS -URI "$Script:DSBaseURI/api/security/repositories/$VaultID/roles" -Method "GET").Body.data

            }

            else {

                if (($res = Invoke-DS -URI "$Script:DSBaseURI/api/security/roles/basic" -Method "GET").isSuccess) {

                    if ($res.Body.data.Length -eq 0) { throw "No roles were found." }

                    $res.Body.data

                } 

                else { 

                    throw "Error getting roles list." 

                }

            }

            $RolesListToSave = @()

            $Roles.GetEnumerator() | ForEach-Object {                

                $RolesListToSave += @{

                    description     = ""

                    gravatarUrl     = ""

                    isAdministrator = if ($_.isAdministrator) { $true } else { $false }

                    isMember        = if ($Update) {

                        if ($_.name -in $AllowedRolesList) {

                            if ($_.isMember) {

                                $false 

                                Write-Warning "Removed $($_.name) from allowed user groups."

                            }

                            else { $true }                        

                        }

                        else { $_.isMember }

                    }

                    else {

                        if ($_.name -in $AllowedRolesList) { $true } else { $false }

                    }

                    isRole          = $true

                    name            = $_.name

                    repositoryId    = $VaultID

                    userId          = if ($Update) { $_.userId } else { $_.id }

                }

            }

            $RequestParams = @{

                URI    = "$Script:DSBaseURI/api/security/repositories/$VaultID/roles"

                Method = "PUT"

                Body   = ConvertTo-Json $RolesListToSave

            }

            $res = Invoke-DS @RequestParams -Verbose

            return $res

        }

        catch {

            Write-Error $_.Exception.Message

        }

    }

}