IAMClient.psm1
|
function Add-ETHGroupMember { <# .SYNOPSIS Adds members to a IAM group .DESCRIPTION Adds one or more members to a IAM group .EXAMPLE Add-ETHGroupMember biol-micro-isg "aurels" Adds one member "aurels" to the group "biol-micro-isg" .EXAMPLE "somegroup","someothergroup","somethirdgroup" | Add-ETHGroupMember "aurels","jgrand" Adds multiple members to multiple groups .OUTPUTS PSCustomObject An object containing all accepted / rejected / failed members .FUNCTIONALITY Adding members to a group #> [CmdletBinding(SupportsShouldProcess = 1)] param ( [Parameter(Position = 0, Mandatory = 1, ValueFromPipeline = 1)] [string]$Identity, [string[]]$Members ) BEGIN { # Check if client is initialized Test-IsIAMClientInitialized | Out-Null # Validate input arguments if (-not ($ExistingGroup = Get-ETHGroup -Identity $Identity)) { throw "Group $Identity was not found" } if ($Members.Count -le 0) { throw "No members specified" } $ToAddMembers = @($Members | Where-Object { $ExistingGroup.members -notcontains $_ }) if ($ToAddMembers.Count -eq 0) { Write-Debug "No new members added to group $Identity" return } } PROCESS { if ($PSCmdlet.ShouldProcess($Identity)) { try { $result = Invoke-IAMMethod -Url "/groupmgr/group/$Identity/members/add" -Method Put -Body $ToAddMembers -Credentials $script:IAMCreds } catch { throw "Could not update group $Identity, Error: $_" return } } } END { Write-Debug "Added $($ToAddMembers.Count) Members to Group $Identity" return $result } } function Add-ETHMaillistMember { param ( # List Name [Parameter(Position = 0, Mandatory = $true)] [string]$Identity, # Member to add or remove [Parameter(Position = 1, Mandatory = $true, ValueFromPipeline = $true)] [string[]]$Members ) BEGIN { Test-IsIAMClientInitialized | Out-Null $Url = "/mailinglists/$Identity/members/add" } PROCESS { return (Invoke-IAMMethod -Url $Url -Body $Members -Method Put -Credentials $script:IAMCreds) } } function Add-ETHUserITService { param ( # ETH user name [Parameter(Position = 0, Mandatory = 1)] [string] $Identity, # IT Service Name [Parameter(Position = 1, Mandatory = 1)] [string] $ITServiceName, # Body [Parameter(Position = 2)] [psobject] $Body ) BEGIN { # Check if client is initialized Test-IsIAMClientInitialized | Out-Null if ($Body -eq $null) { $Body = @{ } } } PROCESS { return (Invoke-IAMMethod -Url "/usermgr/user/$Identity/service/$ITServiceName" -Method POST -Credentials $script:IAMCreds -Body $Body) } } function Add-ETHUserMailAlias { <# .SYNOPSIS Adds a new e-mail alias (proxyAddress) to a user's mailbox .DESCRIPTION Adds a new e-mail alias (proxyAddress) to a user's mailbox, this works by changing the main e-mail to the new alias and then back to the existing. !! WARNING: The Cmdlet currently does not reset the main e-mail address again, because IAM does not work (bug as of 14.02.2020) !! .PARAMETER Identity The user to add the alias to .PARAMETER Alias The alias(es) to give to the user .EXAMPLE Add-ETHUserMailAlias -Identity aurels -Alias "aurels.new@ethz.ch","my_cool_email@micro.biol.ethz.ch" #> [CmdletBinding()] param ( [Parameter(Position = 0, Mandatory = 1)] [string]$Identity, [Parameter(Position = 1, Mandatory = 1, ValueFromPipeline = 1)] [string[]]$Alias ) BEGIN { # Check if client is initialized $null = Test-IsIAMClientInitialized $User = Get-ETHUser -Identity $Identity $SavedEmail = $User.mail } PROCESS { foreach ($_alias in $Alias) { if ($User.proxyAdresses -contains "smtp:$_alias"){ # this alias already exists, nothing do to continue } $User.mail = $_alias $User = Set-ETHUser -Identity $Identity -User $User } } END { $User.mail = $SavedEmail Set-ETHUser -Identity $Identity -User $User } } function Clear-ETHMaillistMember { param ( # List Name [Parameter(Position = 0, Mandatory = $true)] [string]$Identity ) BEGIN { Test-IsIAMClientInitialized | Out-Null $Url = "/mailinglists/$Identity/members" } PROCESS { return (Invoke-IAMMethod -Url $Url -Method Delete -Credentials $script:IAMCreds) } } Function Compare-ObjectProperties { Param( [PSObject]$ReferenceObject, [PSObject]$DifferenceObject ) $objprops = $ReferenceObject | Get-Member -MemberType Property, NoteProperty | Select-Object -expand Name $objprops += $DifferenceObject | Get-Member -MemberType Property, NoteProperty | Select-Object -expand Name $objprops = $objprops | Sort-Object -Unique $diffs = @() foreach ($objprop in $objprops) { $diff = Compare-Object $ReferenceObject $DifferenceObject -Property $objprop if ($diff) { $diffprops = @{ PropertyName = $objprop RefValue = ($diff | Where-Object { $_.SideIndicator -eq '<=' } | Foreach-Object $($objprop)) DiffValue = ($diff | Where-Object { $_.SideIndicator -eq '=>' } | Foreach-Object $($objprop)) } $diffs += New-Object PSObject -Property $diffprops } } if ($diffs) { return ($diffs | Select-Object PropertyName, RefValue, DiffValue) } } Function Get-ObjectDiffs { param ( [PSObject]$ReferenceObject, [PSObject]$DifferenceObject ) $ChangedProps = @{ } Compare-ObjectProperties $ReferenceObject $DifferenceObject | ForEach-Object { $ChangedProps.Add($_.PropertyName, $_.DiffValue); } return $ChangedProps } function Compare-GroupMembers { param ( [string[]]$ExistingMembers, [string[]]$NewMembers ) BEGIN { $ToAddMembers = @() $ToRemoveMembers = @() $ToKeepMembers = @() } PROCESS { if ($ExistingMembers.Count -eq 0) { # No existing members -> add all $ToAddMembers = $NewMembers } elseif ($NewMembers.Count -eq 0) { # No new members -> remove all existing $ToRemoveMembers = $ExistingMembers } else { # everything fine, we can run compare-object $ComparisionResult = Compare-Object -ReferenceObject $ExistingMembers -DifferenceObject $Members -IncludeEqual $ToAddMembers = ($ComparisionResult | Where-Object SideIndicator -eq "=>").InputObject $ToRemoveMembers = ($ComparisionResult | Where-Object SideIndicator -eq "<=").InputObject $ToKeepMembers = ($ComparisionResult | Where-Object SideIndicator -eq "==").InputObject } return [PSCustomObject]@{ ToAdd = $ToAddMembers; ToRemove = $ToRemoveMembers; ToKeep = $ToKeepMembers; } } } function Find-ETHGroup { <# .SYNOPSIS Finds a Group in IAM .DESCRIPTION Finds a Group in IAM with the specified filter .PARAMETER Name The name of the group to find (accepts wildcards *) .PARAMETER AdminGroup The AdminGroup to filter on .EXAMPLE Find-ETHGroup -Name "biol-micro-isg*" In this example, the all groups are found that start with "biol-micro-isg*" .EXAMPLE Find-ETHGroup -Name "id-s4d*" -AdminGroup "D-BIOL" In this example, all groups of Admin Group "D-BIOL" are found that start with "id-s4d" #> param ( [CmdletBinding()] [Parameter(Position = 0)] [string]$Name, [Parameter(Position = 1)] [string]$AdminGroup ) BEGIN { # Check if client is initialized Test-IsIAMClientInitialized | Out-Null if (-not $Name -and -not $AdminGroup) { throw "Please specify at least one filter criterium!" } } PROCESS { $url = "/groupmgr/groups?" if ($Name) { $url += "name=$Name" } if ($AdminGroup -and $Name) { $url += "&" } if ($AdminGroup) { $url += "agroup=$AdminGroup" } Invoke-IAMMethod -Url $url -Method Get -Credentials $script:IAMCreds -ErrorAction Stop | ForEach-Object { $_.pstypenames.Insert(0, "ETHZ.ID.IAMClient.IAMGroupSearchResult"); $_ } | Sort-Object AdminGroup, type, Name } END { } } function Get-ETHGroup { <# .SYNOPSIS Gets details of a group from IAM .DESCRIPTION Gets properties (and members) from a group in IAM .EXAMPLE Get-ETHGroup biol-micro-isg Gets the details of a group in iam. .OUTPUTS PSCustomObject An object with all properties of a group .FUNCTIONALITY Loading a group #> param ( [CmdletBinding()] [Parameter(Position = 0, Mandatory = 1)] [string]$Identity ) BEGIN { # Check if client is initialized Test-IsIAMClientInitialized | Out-Null $url = "/groupmgr/group/$Identity" } PROCESS { return (Invoke-IAMMethod -Url $url -Method Get -Credentials $script:IAMCreds) } END { } } function Get-ETHGroupMember { <# .SYNOPSIS Gets members of a group in IAM .DESCRIPTION Gets members of a group in IAM .EXAMPLE Get-ETHGroupMember biol-micro-isg Gets all members of the group biol-micro-isg .OUTPUTS String[] A list of user/group names that are members of the group .FUNCTIONALITY Getting members of a group #> [CmdletBinding()] param ( [Parameter(Position = 0, Mandatory = 1, ValueFromPipelineByPropertyName = 1)] [string]$Identity ) BEGIN { $Group = Get-ETHGroup -Identity $Identity } PROCESS { return ($Group | Select-Object -expand members) } END { } } function Get-ETHMaillist { param ( # List Name [Parameter(Position = 0, Mandatory = $true)] [string]$Identity ) BEGIN { Test-IsIAMClientInitialized | Out-Null $Url = "/mailinglists/$Identity" } PROCESS { return (Invoke-IAMMethod -Url $Url -Method Get -Credentials $script:IAMCreds) } } function Get-ETHMaillistMember { [CmdletBinding()] param ( # List Name [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true)] [string]$Identity ) BEGIN { } PROCESS { $membersCn = (Get-ETHMaillist -Identity $Identity).members foreach ($member in $membersCn) { $Name = Convert-CnToName $member # determine if the member is a user or a mailinglist if ($member -like "*OU=EthLists,*") { $objectClass = "group" } else { $objectClass = "user" } # create simple return object [pscustomobject]@{ name = $Name; objectClass = $objectClass; distinguishedName = $member; } } } } function Get-ETHPerson { param ( [Parameter(Position = 0, Mandatory = 1)] [string]$Identity ) BEGIN { $url = "/usermgr/person/$Identity" # is client initialized? Test-IsIAMClientInitialized | Out-Null } PROCESS { return (Invoke-IAMMethod -Url $url -Method Get -Credentials $script:IAMCreds) } END { } } function Get-ETHPersonServices { param ( # ETH user name [Parameter(Position = 0, Mandatory = 1)] [String]$Identity ) BEGIN { # Check if client is initialized Test-IsIAMClientInitialized | Out-Null } PROCESS { return (Invoke-IAMMethod -Url "/usermgr/user/$Identity/services" -Method GET -Credentials $script:IAMCreds) } } function Get-ETHUser { <# .SYNOPSIS Gets the parameters of a IT-Service for a user (Similar to Get-ADUser) .DESCRIPTION Gets all parameters for a given service from IAM for the given user Default is the "Mailbox" service .PARAMETER Identity The username to find .PARAMETER Service The service name to get the parameters for .EXAMPLE Get-ETHUser aurels .EXAMPLE Get-ETHUser aurels -Service LDAP #> param ( [Parameter(Position = 0, Mandatory = 1, ValueFromPipeline = $true)] [string]$Identity, [Parameter(Position = 1, Mandatory = 0)] [string]$Service = "Mailbox" ) BEGIN { $url = "/usermgr/user/$Identity/service/$Service" # is client initialized? Test-IsIAMClientInitialized | Out-Null } PROCESS { $result = Invoke-IAMMethod -Url $url -Method Get -Credentials $script:IAMCreds } END { return $result } } function Get-ETHUserGroupMembership { <# .SYNOPSIS Gets all memberships of the given user .DESCRIPTION This will load all group memberships with type "Custom","Admin" and "Netsup" for the given user(s) .PARAMETER Identity The username to find .EXAMPLE Get-ETHUserGroupMembership aurels .EXAMPLE "aurels","jgrand" | Get-ETHUserGroupMembership #> [CmdletBinding()] param ( [Parameter(Position = 0, Mandatory = 1, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = "Name")] [string]$Identity ) BEGIN { # Check if client is initialized Test-IsIAMClientInitialized | Out-Null } PROCESS { $url = "/groupmgr/user/$Identity" if (-not (Get-ETHUser $Identity)) { throw "User $Identity could not be found" } $groups = (Invoke-IAMMethod -Url $url -Method Get -Credentials $script:IAMCreds).Groups $groups | Add-Member -MemberType NoteProperty -Value $Identity -Name "User" # set type for all objects $groups | ForEach-Object { $_.pstypenames.Insert(0, "ETHZ.ID.IAMClient.IAMGroupMembership") } return ($groups | Sort-Object -property Type, Name) } END { } } Function Write-RequestToConsole { param ( [string]$Method, [hashtable]$Headers, [string]$JsonBody ) Write-Verbose "-- || -- || -- || -- || --" Write-Verbose "$($Method.toUpper()) $Uri" foreach ($h in $Headers.Keys) { # Do not print basic auth string to console, instead override with some value if ($h -ne "Authorization") { Write-Verbose "${h}: $($Headers[$h])" } else { Write-Verbose "${h}: Basic BasicAuthString99999=" } } Write-Verbose "Body: $JsonBody" } function Write-ResponseToConsole { param ( $Response ) Write-Verbose "------ RESPONSE:" if ($null -ne $Response) { Write-Verbose (ConvertTo-Json $Response) } } function Convert-CnToName { [CmdletBinding()] param( # Canonical Name [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true)] [string]$Cn ) PROCESS { return ($Cn -split ",")[0] -replace "CN=" } } function ParseHttpException { [CmdLetBinding()] param( [Parameter(Position = 0, Mandatory = $true)] [System.Management.Automation.ErrorRecord]$InputObject ) # if response is a string, is contains a json object if ($null -ne $InputObject.Exception.Response) { # read answer from stream # > use .ToString() and string comparision instead of -is operator # > as the -is operator requires a vaild type, which is not the case in PowerShell 6 (type does not exist) if ($InputObject.Exception.Response.GetType().FullName -eq "System.Net.HttpWebResponse") { # PowerShell 5 $responseStream = $InputObject.Exception.Response.GetResponseStream() # create streamreader to read from stream $streamReader = New-Object System.IO.StreamReader -ArgumentList $responseStream # read $responseStream.Seek(0, [System.IO.SeekOrigin]::Begin) $errResponse = $streamReader.ReadToEnd() # clean up reader and stream $streamReader.Dispose() $responseStream.Dispose() } else { # PowerShell 6+ $errResponse = $InputObject.ErrorDetails.Message } # try to parse Response message if (-not [string]::IsNullOrEmpty($errResponse)) { try { $errObject = ConvertFrom-Json $errResponse $errMessage = ($errObject.level + " -> " + $errObject.message) } catch { $errMessage = $errResponse } $newException = New-Object System.Exception -ArgumentList $errMessage, $InputObject.Exception # response did not contain valid JSON, return original error message ( see below ) return $newException } # we did not get any additional info from the error message, just throw the original message # throw original error return $InputObject } } function IsPsWindows { <# .SYNOPSIS Used as fallback for the $isWindows variable on PSv5 and before #> if (Get-Variable -Name "isWindows" -ErrorAction SilentlyContinue) { return $isWindows } return ($PSVersionTable.PSVersion.Major -le 5) } function Test-IsIAMClientInitialized { if ($null -eq $script:IAMCreds) { # remove all "normal" output from this cmdlet -> do not display hints Initialize-IAMClient 6>$null return $true } return $true } function SaveCredToCredMan { <# .SYNOPSIS Stores a pscredential in the PwManager #> [CmdLetBinding()] param( [Parameter(Mandatory = $true)] [pscredential]$Credential, [Parameter(Mandatory = $true)] [string]$PwIdentifier ) $PwVault = InitCredMan -ErrorAction Stop $PwCred = New-Object Windows.Security.Credentials.PasswordCredential -ArgumentList ($PwIdentifier, $Credential.UserName, $Credential.GetNetworkCredential().Password) $PwVault.Add($PwCred) } function RetreiveCredFromCredMan { <# .SYNOPSIS Retrieves a password stored in the windows credential manager #> [CmdLetBinding()] param( [Parameter(Mandatory = $true)] [string]$PwIdentifier ) $PwVault = InitCredMan -ErrorAction Stop $PwCreds = $PwVault.FindAllByResource($PwIdentifier) if ($PwCreds.Count -ne 1) { throw "Found $($PwCreds.Count) matching credentials for identifier '$($PwIdentifier)'. Please clean up credman!" } # read password $PwCreds[0].RetrievePassword() return [pscredential]::new($PwCreds[0].UserName, (ConvertTo-SecureString $PwCreds[0].Password -AsPlainText -Force)) } function IsPwStoredInCredMan { <# .SYNOPSIS Checks if a password is stored in the windows credential manager #> [CmdLetBinding()] param( [Parameter(Mandatory = $true)] [string]$PwIdentifier ) $PwVault = InitCredMan -ErrorAction Stop try { return @($PwVault.FindAllByResource($PwIdentifier)).Count -ge 1 } catch { return $false } } function InitCredMan { <# .SYNOPSIS Initializes the Credential Manager and throws an error when is does not exist #> [CmdLetBinding()] param () try { return [Windows.Security.Credentials.PasswordVault, Windows.Security.Credentials, ContentType = WindowsRuntime]::new() } catch { throw [System.NotSupportedException]::new("Credential manager is only supported on Windows", $_.Exception) } } function Initialize-IAMClient { <# .SYNOPSIS Initializes the IAMClient to work with the API .DESCRIPTION Performs a login to the IAM Api and saves the credentials for the current session (or optionally permanent) .PARAMETER Credential The login to use when logging in to the API. If not given, PowerShell will ask manually for username / password. .PARAMETER SaveCredential When given, stores the password in the Windows Credential Manager for later re-use. **This works only on Windows!** .PARAMETER EnableDebugOutput Use this parameter to enable verbose logging if an error occures and you are not sure if the API answers correctly. The verbose output can used in e-mail communication (very recommended!) .PARAMETER ApiHost You can specify a custom API endpoint if you want f.ex to connect to the QSS environment. .EXAMPLE Initialize-IAMClient myuser4ea Signs in to the IAM api with the user "myuser4ea", you will be prompted for the password. .EXAMPLE Initialize-IAMClient myuser4ea -SaveCred See Example 1, but stores the credential in the Windows Credential Manager You will **never** need to perform the initialize command again! .FUNCTIONALITY Use this CmdLet to connect the PS Module with the API. #> [CmdletBinding()] param( # Credentials to validate [Parameter(Position = 0, Mandatory = $false)] [Alias("Credentials")] [pscredential]$Credential, [Parameter(Mandatory = $false)] [switch]$SaveCredential, # included for backwards compatibility [Parameter(DontShow = $true)] [switch]$Force, # for debug purposes [switch]$EnableDebugOutput, [Parameter(Mandatory = $false)] [ValidateScript({[Uri]::IsWellFormedUriString($_, [UriKind]::Absolute)})] [string]$ApiHost = "https://iam.passwort.ethz.ch/iam-ws-legacy/" ) if ($null -eq $Credential) { if ((IsPsWindows) -and (IsPwStoredInCredMan -PwIdentifier $ApiHost)){ $Credential = RetreiveCredFromCredMan -PwIdentifier $ApiHost } else { $Credential = Get-Credential -Message "Enter your credentials for IAM" } } # store the API host for the module to use $script:ApiHost = $ApiHost # message about force not being used. # TODO Remove in Version 2.0 if ($Force -eq $true) { Write-Warning "The -Force switch is included for backwards compatibility only, it has no functionality" } # Enable Debug mode for script if ($EnableDebugOutput) { $script:DebugMode = $true $VerbosePreference = "Continue" } else { $VerbosePreference = "SilentlyContinue" } # test credentials and fail if they were entered wrong if (-not (Test-ETHCredentials $Credential)) { $script:IAMCreds = $null throw "Could not validate your credentials" } if ($SaveCredential) { # save credential to credman SaveCredToCredMan -Credential $Credential -PwIdentifier $ApiHost } elseif ((IsPsWindows) -and -not (IsPwStoredInCredMan -PwIdentifier $ApiHost)) { # hints about new functionality Write-Host -f Cyan "HINT: Use the -SaveCredential switch to save your password to the Windows Credential Manager!" Write-Host -f Cyan "HINT: The password will then be stored secure and permanent!" Write-Host -f Cyan "Example: PS> Initialize-IAMClient -SaveCredential" } # save credentials in module $script:IAMCreds = $Credential Set-StrictMode -Version latest } Function Invoke-IAMMethod { [CmdletBinding(SupportsShouldProcess = 1)] param ( [Parameter(Position = 0, Mandatory = 1)] [string]$Url, [Parameter(Mandatory = 1)] [Microsoft.PowerShell.Commands.WebRequestMethod]$Method, [Parameter(Position = 1)] [psobject]$Body = "", [Parameter(Position = 2)] [pscredential]$Credentials ) BEGIN { $Headers = @{ } If ($Credentials -ne $null) { $AuthHeader = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($Credentials.UserName):$($Credentials.GetNetworkCredential().Password)")); # only set auth header when needed $Headers.Add("Authorization", $AuthHeader); } if ($Body -ne "") { if ($Body -is [Array]) { $JsonBody = ConvertTo-Json @($Body) -Compress } else { $JsonBody = ConvertTo-Json $Body -Compress } } else { $JsonBody = "" } # Accept header $Headers.Add("Accept", "application/json"); if (-not [string]::IsNullOrWhiteSpace($JsonBody)) { $Headers.Add("Content-type", "application/json; charset=utf-8"); } # Form complete URL and parse it $Uri = $script:ApiHost + $Url if (-not [uri]::IsWellFormedUriString($Uri, "Absolute")) { throw "Could not parse URI $Uri" return } } PROCESS { if ($PSCmdlet.ShouldProcess($Url)) { if ($script:DebugMode) { Write-RequestToConsole -Method $Method.ToString() -Headers $Headers -JsonBody $JsonBody } try { # only provide the body when needed, as it gives an error when used with GET if ($Method -eq [Microsoft.PowerShell.Commands.WebRequestMethod]::Get) { $Response = Invoke-RestMethod -Uri $Uri -Method $Method -Headers $Headers } else { $Response = Invoke-RestMethod -Uri $Uri -Method $Method -Headers $Headers -Body $JsonBody } # Only write to console if debug is enabled if ($script:DebugMode) { Write-ResponseToConsole -Response $Response } } catch { # parse the error message and throw the output throw (ParseHttpException -InputObject $_) } } } END { return $Response } } function New-ETHGroup { <# .SYNOPSIS Creates a new group in IAM .DESCRIPTION Creates a new group in IAM with the given properties .PARAMETER Name The name of the group .PARAMETER Description The description to give the group .PARAMETER Targets The targets to export the group to. Valid are "AD" and "LDAPS" (both can be specified) .PARAMETER AdminGroup The Admin Group to assign this group to .EXAMPLE New-ETHGroup -Name "biol-micro-isg-testgroup_api" -Description "20191203/asc: TestGroup" -Targets AD -AdminGroup "D-BIOL" This example creates one group, with the name "biol-micro-isg-testgroup_api" with a description and Admin Group "D-BIOL" exported to AD only. .EXAMPLE "biol-micro-testgroup1","biol-micro-testgroup2" | New-ETHGroup -Description "20191203/asc: TestGroup" -Targets AD -AdminGroup "D-BIOL" -Members "aurels","jgrand" This example creates two groups, both with the same members, "aurels" and "jgrand" #> param ( [CmdletBinding()] [Parameter(Position = 0, Mandatory = 1, ValueFromPipeline = $true)] [string]$Name, [Parameter(Position = 1, Mandatory = $false)] [string]$Description, [Parameter(Position = 2, Mandatory = $false)] [ValidateSet("AD", "LDAPS")] [string[]]$Targets, [Parameter(Position = 3, Mandatory = $true)] [string]$AdminGroup, [Parameter(Position = 4, Mandatory = $false)] [string[]]$Members ) BEGIN { # Check if client is initialized Test-IsIAMClientInitialized | Out-Null $url = "/groupmgr/group" } PROCESS { $Body = @{ "name" = $Name "description" = $Description "admingroup" = $AdminGroup "members" = $Members "targets" = $Targets } Invoke-IAMMethod -Url $url -Method Post -Body $Body -Credentials $script:IAMCreds } END { } } function New-ETHPersona { param( # Username of Persona parent [Parameter(Position = 0, Mandatory = 1)] [string] $ParentIdentity, # New Username [Parameter(Position = 1, Mandatory = 1)] [string] $NewUserName, [Parameter(Position = 2)] [string] $UserComment = "", # Initial Password [Parameter(Position = 3, Mandatory = 1)] [string] $InitPwd ) BEGIN { $NewUser = [PSCustomObject]@{ username = $NewUserName; memo = $UserComment; init_passwd = $NewPassword; } } PROCESS { Invoke-IAMMethod -Url "/usermgr/person/$ParentIdentity" -Method POST -Credentials $script:IAMCreds -Body $NewUser } } function Remove-ETHGroup { <# .SYNOPSIS Deletes a group in IAM .DESCRIPTION Deletes a group with the specified name in IAM .PARAMETER Name The name of the group .EXAMPLE Remove-ETHGroup -Name "biol-micro-isg-testgroup_api" In this example, the group "biol-micro-isg-testgroup_api" is deleted .EXAMPLE Get-ETHGroup "biol-micro-isg-testgroup_api" | Remove-ETHGroup In this example, the group "biol-micro-isg-testgroup_api" is deleted using the pipeline. #> param ( [CmdletBinding()] [Parameter(Position = 0, Mandatory = 1, ValueFromPipelineByPropertyName = "name")] [string]$Name ) BEGIN { # Check if client is initialized Test-IsIAMClientInitialized | Out-Null } PROCESS { $url = "/groupmgr/group/$Name" Invoke-IAMMethod -Url $url -Method Delete -Credentials $script:IAMCreds return $Name } END { } } function Remove-ETHGroupMember { <# .SYNOPSIS Removes members from a group in IAM .DESCRIPTION Removes members from a group in IAM .EXAMPLE Remove-ETHGroupMember -Identity "biol-micro-isg" -Members "aurels","jgrand" Removes two members from the group "biol-micro-isg" .EXAMPLE "somegroup","someothergroup","somethirdgroup" | Remove-ETHGroupMember -Members "aurels","jgrand" Removes multiple members from multiple groups .FUNCTIONALITY Removing users from groups #> [CmdletBinding(SupportsShouldProcess = $true)] param ( [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true)] [string]$Identity, [Parameter(Position = 1, Mandatory = $true)] [string[]]$Members ) BEGIN { # Check if client is initialized Test-IsIAMClientInitialized | Out-Null # check if any members were specified if ($Members.Count -le 0) { throw "No members specified" } } PROCESS { # Validate group exists if (-not ($ExistingGroup = Get-ETHGroup -Identity $Identity)) { throw "Group $Identity was not found" } # get list of users to remove (skip non-members) $ToRemoveMembers = @($Members | Where-Object { $ExistingGroup.members -contains $_ }) # Check if there are any members in the group that need to be removed if ($ToRemoveMembers.Count -eq 0) { Write-Debug "Did not need to remove any members from $Identity" return $ExistingGroup } if ($PSCmdlet.ShouldProcess($Identity)) { try { return (Invoke-IAMMethod -Url "/groupmgr/group/$Identity/members/del" -Method Put -Body $ToRemoveMembers -Credentials $script:IAMCreds) } catch { throw "Could not update group $Identity" } } } END { } } function Remove-ETHMaillist { [CmdletBinding(SupportsShouldProcess = $true)] param ( # List Name [Parameter(Position = 0, ParameterSetName = "ByName")] [string]$Identity, [Parameter(ValueFromPipeline = $true, ParameterSetName = "ByPipeline")] [psobject]$MailObject ) BEGIN { Test-IsIAMClientInitialized | Out-Null if ($MailObject -ne $null) { $Identity = $MailObject.listName } $Url = "/mailinglists/$Identity" } PROCESS { if ($PSCmdlet.ShouldProcess("Deleting Mailliglist $Identity")) { return (Invoke-IAMMethod -Url $Url -Method Delete -Credentials $script:IAMCreds) } } } function Remove-ETHMaillistMember { param ( # List Name [Parameter(Position = 0, Mandatory = $true)] [string]$Identity, # Member to add or remove [Parameter(Position = 1, Mandatory = $true, ValueFromPipeline = $true)] [string[]]$Members ) BEGIN { Test-IsIAMClientInitialized | Out-Null $Url = "/mailinglists/$Identity/members/del" } PROCESS { return (Invoke-IAMMethod -Url $Url -Body $Members -Method Put -Credentials $script:IAMCreds) } } function Reset-ETHUserPassword { param ( [Parameter(Position = 0, Mandatory = 1)] [string]$Identity, # Parameter help description [Parameter(Position = 1, Mandatory = 1)] [securestring]$NewPassword, [Parameter(Position = 2, Mandatory = 1)] [string]$ServiceName ) BEGIN { $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword) $PlainText = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) } PROCESS { try { $result = Invoke-IAMMethod -Url "/usermgr/user/$Identity/service/$ServiceName/password" -Body @{password = $PlainText } -Credentials $script:IAMCreds -Method Put return $result; } catch { Write-Error "Could not reset the password of the user $Identity, Error: $_" return; } } } function Set-ETHGroup { <# .SYNOPSIS Edits an existing group in IAM .DESCRIPTION Sets specific properties of an existing group in IAM .PARAMETER Identity The name of the group .PARAMETER NewName Rename the group to this new name .PARAMETER Description Set the description of this group .PARAMETER Targets !!Not implemented in IAM!! The targets to export the group to. Valid are "AD" and "LDAPS" (both can be specified) .PARAMETER AdminGroup !!Not implemented in IAM!! The Admin Group to assign this group to .EXAMPLE Set-ETHGroup -Identity "biol-micro-api_test" -Description "NewDescription" Change the description of the group "biol-micro-api_test". #> param ( [CmdletBinding()] [Parameter(Position = 0, Mandatory = $true, ValueFromPipelineByPropertyName = "name")] [string]$Identity, [Parameter(Position = 1, Mandatory = $false)] [string]$NewName, [Parameter(Position = 2, Mandatory = $false)] [string]$Description, [Parameter(Position = 3, Mandatory = $false)] [ValidateSet("AD", "LDAPS")] [string[]]$Targets, [Parameter(Position = 4, Mandatory = $false)] [string]$AdminGroup ) BEGIN { # Check if client is initialized Test-IsIAMClientInitialized | Out-Null } PROCESS { $url = "/groupmgr/group/$Identity" $Body = @{ } if ($NewName) { $Body["name"] = $NewName } if ($Description) { $Body["description"] = $Description } if ($Targets) { $Body["targets"] = $Targets } if ($AdminGroup) { $Body["admingroup"] = $AdminGroup } if ($body.Count -gt 0) { Invoke-IAMMethod -Url $url -Method Put -Body $Body -Credentials $script:IAMCreds -ea Continue } $Identity = if ($NewName) { $NewName } else { $Identity } Get-ETHGroup $Identity } END { } } function Set-ETHGroupMember { <# .SYNOPSIS Sets the members of an ETH group to the specified member list .DESCRIPTION Removes / Adds members to the given group until the memberlist is equal to the one submitted You can specify either usernames or *custom* groups .PARAMETER Identity The group to edit .PARAMETER Members The list of members to set the group memberlist to .EXAMPLE PS> Set-ETHGroupMember -Identity biol-micro-isg -Members @("aurels","ausc") .EXAMPLE PS> Set-ETHGroupMember -Identity biol-micro-isg -Members @("biol-micro-isg-sadm","aurels") Added: {"aurels", "ausc"} Removed: {} Kept: {} .OUTPUTS pscustomobject. Returns a custom object with 3 properties Added, Removed and Kept to show what the cmdlet did #> [CmdletBinding(SupportsShouldProcess = $true, HelpUri = "https://gitlab.ethz.ch/aurels/iam-powershell/tree/master/docs/Set-ETHGroupMember.md")] [OutputType([PSCustomObject])] param( # Group Name [Parameter(Position = 0, Mandatory = $true)] [string]$Identity, # Members to sync to [Parameter(Position = 1, Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = "Name")] [AllowEmptyCollection()] [string[]] $Members ) BEGIN { # Check if client is initialized Test-IsIAMClientInitialized | Out-Null try { $ExistingMembers = @(Get-ETHGroupMember $Identity) } catch { throw "Could not find group $Identity" } } PROCESS { # get members to be removed & added $MemberCompare = Compare-GroupMembers -ExistingMembers $ExistingMembers -NewMembers $Members $ToBeAdded = $MemberCompare.ToAdd $ToBeRemoved = $MemberCompare.ToRemove try { if ($ToBeAdded.Count -gt 0) { if ($PSCmdlet.ShouldProcess($Identity, "Add-ETHGroupMember")) { # Discard output of Add-ETHGroupMember $null = Add-ETHGroupMember -Identity $Identity -Members $ToBeAdded } } if ($ToBeRemoved.Count -gt 0) { if ($PSCmdlet.ShouldProcess($Identity, "Remove-ETHGroupMember")) { $null = Remove-ETHGroupMember -Identity $Identity -Members $ToBeRemoved } } } catch { throw "Failed to update group membership of group $Identity, try again to restore group integrity!`r`nError: $_" } return @{ Added = $ToBeAdded; Removed = $ToBeRemoved; Kept = $MemberCompare.ToKeep; } } END { } } function Set-ETHMaillistMembers { [CmdletBinding()] param ( # Maillist name [Parameter(Position = 0, Mandatory = $true)] [string] $Identity, # Members [Parameter(Position = 1, Mandatory = $true)] [string[]]$Members ) BEGIN { Test-IsIAMClientInitialized | Out-Null try { $ExistingMembers = @((Get-ETHMaillistMember -Identity $Identity).name) } catch { throw "Could not find Mailinglist $Identity" } } PROCESS { $MemberCompare = Compare-GroupMembers -ExistingMembers $ExistingMembers -NewMembers $Members $ToAddMembers = $MemberCompare.ToAdd $ToRemoveMembers = $MemberCompare.ToRemove # Add members try { if ($ToAddMembers.Count -gt 0) { $null = Add-ETHMaillistMember -Identity $Identity -Members $ToAddMembers Write-Debug "Successfully added $($ToAddMembers.Count) new members to Mailinglist $Identity" } } catch { Write-Error "Failed to add $($ToAddMembers.Count) members to mailinglist. $([System.Environment]::NewLine)Error: $_" return } # Remove members try { if ($ToRemoveMembers.Count -gt 0) { $null = Remove-ETHMaillistMember -Identity $Identity -Members $ToRemoveMembers Write-Debug "Successfully removed $($ToRemoveMembers.Count) members from Mailinglist $Identity" } } catch { Write-Error "Failed to remove $($ToRemoveMembers.Count) members from mailinglist. $([System.Environment]::NewLine)Error: $_" return } return @{ Added = $ToAddMembers; Removed = $ToRemoveMembers; Kept = $MemberCompare.ToKeep; } } } function Set-ETHUser { <# .SYNOPSIS Sets the parameters of an IT-Service for a user (Similar to Set-ADUser) .DESCRIPTION Sets all given paramters to the given values .PARAMETER Identity The username to update .PARAMETER User The modified user object to save, use the output of Get-ETHUser. .EXAMPLE PS C:\> $user = Get-ETHUser aurels PS C:\> $user.homeDrive = "P:" PS C:\> $user.homeDirectory = "\\server\share\%username%" PS C:\> $user.profilePath = "" PS C:\> Set-ETHUser -Identity aurels -User $user #> [CmdletBinding()] param ( [Parameter(Position = 0, Mandatory = 1)] [string]$Identity, [Parameter(Position = 1, Mandatory = 1, ValueFromPipeline = 1)] [psobject]$User, [Parameter(Position = 2, Mandatory = 0)] [string]$Service = "Mailbox" ) # Check if client is initialized $null = Test-IsIAMClientInitialized $sourceUser = Get-ETHUser -Identity $Identity $changedProperties = Get-ObjectDiffs $sourceUser $User if ($changedProperties.Count -eq 0){ # nothing to do return $sourceUser } Invoke-IAMMethod -Url "/usermgr/user/$Identity/service/$Service" -Method Put -Body $changedProperties -Credentials $script:IAMCreds } function Set-ETHUserITService { param ( # ETH user name [Parameter(Position = 0, Mandatory = 1)] [string] $Identity, # IT Service Name [Parameter(Position = 1, Mandatory = 1)] [string] $ITServiceName, # Body [Parameter(Position = 2, Mandatory = 1)] [psobject] $Body ) BEGIN { # Check if client is initialized Test-IsIAMClientInitialized | Out-Null } PROCESS { return (Invoke-IAMMethod -Url "/usermgr/user/$Identity/service/$ITServiceName" -Method Put -Credentials $script:IAMCreds -Body $Body) } } function Sync-ETHGroupMember { <# .SYNOPSIS Synchronizes users from multiple groups and mailing lists to a group and a mailinglist .DESCRIPTION Copies all **users** from the source groups/lists to the given destination group/list .PARAMETER SourceGroups The list of groups to read members from .PARAMETER SourceLists The list of mailinglists to read members from .PARAMETER DestGroup The destination group that will be set to all members from the given groups / lists .PARAMETER DestList The destination mailinglist that will be set to all members from the given groups / lists .EXAMPLE PS> Sync-ETHGroupMember -SourceGroups "biol-micro-isg" -DestList "MICRO_IT_STAFF" Copies all members from the group "biol-micro-isg" to the Maillinglist "MICRO_IT_STAFF" .EXAMPLE PS> Sync-ETHGroupMember -SourceLists "MICRO_IT_STAFF","MICRO_AD_STAFF" -DestList "MICRO_STAFF" Copies all members from the source lists to the destination list .EXAMPLE PS> Sync-ETHGroupMember -SourceLists "MICRO_IT_STAFF","MICRO_AD_STAFF" -SourceGroups "biol-micro-institute" -DestGroup "biol-micro-institute" Adds all members from the given lists to the destination group without removing users .OUTPUTS System.Collections.Hashtable A hashtable with a report on each group/list that was modified and what was done (Add / Remove / Keep Members) #> [CmdletBinding(SupportsShouldProcess = $true, DefaultParameterSetName = "ToGroup")] [OutputType([System.Collections.HashTable])] param( # Group Name [Parameter(Position = 0)] [Alias("ReferenceGroups")] [string[]]$SourceGroups, # Mailinglist to sync from [Parameter(Position = 1)] [string[]]$SourceLists, # Group to sync members to [Parameter(Position = 2, ParameterSetName = "ToGroup", Mandatory = 1)] [Parameter(ParameterSetName = "ToBoth", Mandatory = 1)] [Alias("SyncGroup")] [string]$DestGroup, # List to sync members to [Parameter(Position = 3, ParameterSetName = "ToList", Mandatory = 1)] [Parameter(ParameterSetName = "ToBoth", Mandatory = 1)] [string]$DestList, # Falls back to AD if group cannot be loaded via IAM [Parameter()] [switch]$AllowADFallback ) BEGIN { # Validate input arguments if ($SourceGroups.Count -eq 0 -and $SourceLists.Count -eq 0) { throw "At least one source group or list has to be specified!" } if ([string]::IsNullOrWhiteSpace($DestGroup) -and [string]::IsNullOrWhiteSpace($DestList)) { throw "At least one destination group has to be specified!" } if ($AllowADFallback -and (Get-Module).Name -notcontains "ActiveDirectory") { try { Import-Module ActiveDirectory } catch { throw "To use the ActiveDirectory fallback, install RSAT tools!" } } # Check if client is initialized Test-IsIAMClientInitialized | Out-Null # Validate destination group exists if ($DestGroup) { try { $null = Get-ETHGroup -Identity $DestGroup # discard output } catch { throw "Could not find group $DestGroup" } } if ($DestList) { try { $null = Get-ETHMaillist -Identity $DestList # discard output } catch { throw "Could not find list $DestList" } } $ListsToProcess = @() $GroupsToProcess = @() if ($SourceLists.Count -gt 0) { $ListsToProcess = @($SourceLists | ForEach-Object { [PSCustomObject]@{Name = $_; Type = "List" } }) } if ($SourceGroups.Count -gt 0) { $GroupsToProcess = @($SourceGroups | ForEach-Object { [PSCustomObject]@{Name = $_; Type = "Group" } }) } } PROCESS { # Store all members from the different sourcegroups in a hashset, # so that duplicates are automatically eliminated $AllMembersList = New-Object 'System.Collections.Generic.HashSet[string]' foreach ($Source in @($ListsToProcess + $GroupsToProcess)) { # retrieve type for output messages $SourceType = $Source.Type try { switch ($SourceType) { "Group" { # Get Group members $Group = Get-ETHGroup $Source.Name $AllMembersList.UnionWith([string[]]@($Group.members)) } "List" { # Get Maillist members $ListMembers = Get-ETHMaillistMember $Source.Name | Where-Object objectClass -eq "user" $AllMembersList.UnionWith([string[]]@($ListMembers.name)) # add all members to the list } Default { # Invalid throw "GroupType '$SourceType' invalid. Valid are 'List','Group'!" } } } catch { # Group / List was not found in IAM # Perform ad fallback if needed if (-not $AllowADFallback) { throw "Could not find $SourceType '$($Source.Name)' in IAM" } try { # get all users from AD group as fallback $Members = Get-ADGroupMember -Identity $Source.Name | Where-Object objectClass -eq "user" $AllMembersList.UnionWith([string[]]($Members.name)) } catch { throw "Could not find $SourceType '$($Source.Name)' in AD" } } } # Store changes in a hashtable for every group modified $Changes = @{ } if ($DestGroup -ne "" -and $PSCmdlet.ShouldProcess($DestGroup, "Set-ETHGroupMember")) { $Changes.Add($DestGroup, (Set-ETHGroupMember -Identity $DestGroup -Members $AllMembersList)) } if ($DestList -ne "" -and $PSCmdlet.ShouldProcess("$DestList", "Set-ETHMaillistMembers")) { $Changes.Add($DestList, (Set-ETHMaillistMembers -Identity $DestList -Members $AllMembersList)) } return $Changes } END { } } function Test-ETHCredentials { [CmdletBinding()] param ( [Parameter(Position = 0, Mandatory = 1)] [ValidateNotNull()] [pscredential]$Credentials ) $script:IAMCreds = $Credentials try { Get-ETHUser -Identity $Credentials.UserName -ErrorAction Stop return $true } catch { # write error to error stream as non-terminating error Write-Error $_ return $false } finally { $script:IAMCreds = $null } } $script:IAMCreds = $null $script:ApiHost = "" # will set during initialization $script:DebugMode = $false if ($PSVersionTable.PSVersion.Major -le 5){ # set TLS1.2 as default when running in PSv5 # if TLS1.3 is out, this should be specified # https://docs.microsoft.com/en-us/security/engineering/solving-tls1-problem#update-windows-powershell-scripts-or-related-registry-settings [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 } Export-ModuleMember -Function 'Invoke-IAMMethod','Add-ETHGroupMember','Find-ETHGroup','Get-ETHGroup','Get-ETHGroupMember','New-ETHGroup','Remove-ETHGroup','Remove-ETHGroupMember','Set-ETHGroup','Set-ETHGroupMember','Sync-ETHGroupMember','Add-ETHMaillistMember','Clear-ETHMaillistMember','Get-ETHMaillist','Get-ETHMaillistMember','Remove-ETHMaillist','Remove-ETHMaillistMember','Set-ETHMaillistMembers','Get-ETHPerson','Get-ETHPersonServices','New-ETHPersona','Add-ETHUserITService','Add-ETHUserMailAlias','Get-ETHUser','Get-ETHUserGroupMembership','Reset-ETHUserPassword','Set-ETHUser','Set-ETHUserITService','Initialize-IAMClient','Test-ETHCredentials' |