Noveris.CertCheck.psm1
<# #> ######## # Global settings $ErrorActionPreference = "Stop" $InformationPreference = "Continue" Set-StrictMode -Version 2 # Import Azure functions, but don't fail if we cant # All Azure Tables code should be in a separate module, but is here for the moment # Not requiring AzTable allows the module to be imported for systems that # wont use Azure functionality and don't have AzTable installed Import-Module AzTable -EA SilentlyContinue <# #> Function New-NormalisedUri { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] [CmdletBinding()] [OutputType([System.Uri])] param( [Parameter(Mandatory=$true)] [ValidateNotNull()] $Obj ) process { $tempUri = [Uri]::New($Obj.ToString()) $uri = [Uri]::New(("{0}://{1}:{2}" -f $tempUri.Scheme, $tempUri.Host, $tempUri.Port)) $uri } } Class CertificateInfo { CertificateInfo() { } CertificateInfo([string] $uri) { $this.Uri = New-NormalisedUri $uri } CertificateInfo([Uri] $uri) { $this.Uri = New-NormalisedUri $uri } CertificateInfo([HashTable] $table) { $this.UpdateFromHashTable($table) } CertificateInfo([PSObject] $obj) { $this.UpdateFromObject($obj) } [HashTable] ToHashTable() { $table = @{} ($this | Get-Member | Where-Object {$_.MemberType -eq "Property"}).Name | ForEach-Object { $prop = $_ switch ($this.$prop.GetType().FullName) { "System.DateTime" { $table[$prop] = $this.$prop.ToUniversalTime().ToString("o") break } default { $table[$prop] = [string]($this.$prop) break } } } return $table } [void] UpdateFromObject([PSObject] $obj) { ($obj | Get-Member | Where-Object {$_.MemberType -eq "NoteProperty" -or $_.MemberType -eq "Property"}).Name | ForEach-Object { if (($this | Get-Member | Where-Object {$_.MemberType -eq "Property"}).Name -contains $_) { $this.UpdatePropertyFromString($_, $obj.$_.ToString()) } } } [void] UpdateFromHashTable([HashTable] $table) { $table.Keys | ForEach-Object { if (($this | Get-Member | Where-Object {$_.MemberType -eq "Property"}).Name -contains $_) { $this.UpdatePropertyFromString($_, $table[$_].ToString()) } } } [void] UpdatePropertyFromString([string] $prop, [string] $val) { switch ($this.$prop.GetType().FullName) { "System.Uri" { $this.$prop = New-NormalisedUri $val break } "System.Boolean" { $this.$prop = [bool]::Parse($val) break } "System.DateTime" { $this.$prop = [DateTime]::Parse($val).ToUniversalTime() break } default { $this.$prop = $val } } } [int] DaysRemaining() { return [Math]::Round(($this.NotAfter - [DateTime]::UtcNow).TotalDays, 2) } [int] DaysSinceLastAttempt() { return [Math]::Round(($this.LastAttempt - [DateTime]::UtcNow).TotalDays, 2) } [int] DaysSinceLastConnect() { return [Math]::Round(($this.LastConnect - [DateTime]::UtcNow).TotalDays, 2) } [bool] IsDateValid() { if ([DateTime]::UtcNow -lt $this.NotBefore.ToUniversalTime() -or [DateTime]::UtcNow -gt $this.NotAfter.ToUniversalTime()) { return $false } return $true } [Uri]$Uri = [string]::Empty [bool]$Connected = $false [DateTime]$LastAttempt [DateTime]$LastConnect [string]$Perspective = [string]::Empty [string]$Subject = [string]::Empty [string]$Issuer = [string]::Empty [DateTime]$NotBefore [DateTime]$NotAfter [string]$Thumbprint = [string]::Empty [bool]$LocallyTrusted = $false [string]$SAN = [string]::Empty [string]$EKU = [string]::Empty [string]$BasicConstraints = [string]::Empty [string]$Extensions = [string]::Empty [DateTime]$LastError [string]$LastErrorMsg = [string]::Empty [string]$Addresses = [string]::Empty [string]$CertPath = [string]::Empty } <# #> Function New-CertificateInfo { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] [CmdletBinding()] param( [Parameter(Mandatory=$false,ValueFromPipeline)] [ValidateNotNull()] $Obj ) process { if ($PSBoundParameters.Keys -contains "Obj") { [CertificateInfo]::New($Obj) } else { [CertificateInfo]::New() } } } <# #> Function Get-EndpointCertificate { [CmdletBinding()] param( [Parameter(Mandatory=$true,ValueFromPipeline)] [ValidateNotNull()] [CertificateInfo]$Endpoint, [Parameter(Mandatory=$false)] [ValidateNotNull()] [Int]$ConcurrentChecks = 30, [Parameter(Mandatory=$false)] [ValidateNotNull()] [Int]$TimeoutSec = 10 ) begin { # We'll verbose report on the total run time later on $beginTime = [DateTime]::UtcNow # Create runspace environment Write-Verbose "Creating runspace pool" $pool = [RunSpaceFactory]::CreateRunspacePool(1, $ConcurrentChecks) if (($pool | Get-Member).Name -contains "ApartmentState") { $pool.ApartmentState = "MTA" } $pool.Open() # Use a custom object so the wait block can replace the list with a new list # (i.e. update the reference) $state = [PSCustomObject]@{ runspaces = New-Object System.Collections.Generic.List[PSCustomObject] } # Common wait block to use to process finished runspaces # $target is the is the high count before we can schedule more checks # script returns a hashtable of properties to update on the CertificateInfo object $waitScript = { param($state, $target) while (($state.runspaces | Measure-Object).Count -gt $target) { # Separate tasks in to completed and not $tempList = New-Object System.Collections.Generic.List[PSCustomObject] $completeList = New-Object System.Collections.Generic.List[PSCustomObject] $state.runspaces | ForEach-Object { if ($_.Status.IsCompleted) { $completeList.Add($_) } else { $tempList.Add($_) } } $state.runspaces = $tempList # Process completed runspaces $completeList | ForEach-Object { $runspace = $_ try { $result = $runspace.Runspace.EndInvoke($runspace.Status) | Select-Object -First 1 # Build and pass CertificateInfo on in the pipeline [CertificateInfo]::New($result) } catch { Write-Warning "Error reading return from runspace job: $_" Write-Warning ($_ | Format-List -property * | Out-String) } $runspace.Runspace.Dispose() $runspace.Status = $null } Start-Sleep -Seconds 1 } } # Script for checking certificates on endpoint $checkScript = { param( [Parameter(Mandatory=$true)] [ValidateNotNull()] [Uri]$Uri, [Parameter(Mandatory=$false)] [ValidateNotNull()] [Int]$TimeoutSec = 10 ) # Note - The check script runs in a runspace, so doesn't have implicit access # to all of the types in the parent powershell scope. This script doesn't have # access to the CertificateInfo type. # Global settings $InformationPreference = "Continue" $ErrorActionPreference = "Stop" Set-StrictMode -Version 2 # Script to retrieve certificate extensions Function Get-CertificateExtension { [CmdletBinding()] param( [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string]$KeyName, [Parameter(Mandatory=$true)] [ValidateNotNull()] [HashTable]$Extensions ) process { $content = [string]::Empty if ($Extensions.Keys -contains $KeyName) { $val = $Extensions[$KeyName] if ($null -ne $val) { $content = $val.ToString() } } $content } } Function Get-CertificateData { [CmdletBinding()] param( [Parameter(Mandatory=$true)] [ValidateNotNull()] [Uri]$Uri, [Parameter(Mandatory=$false)] [ValidateNotNull()] [switch]$NoValidation, [Parameter(Mandatory=$false)] [ValidateNotNull()] [Int]$TimeoutSec = 10 ) process { # 'No Validation' callback $certValidation = { $true } # stream and client for disposal later $client = $null $stream = $null # Status object to report on connection, auth and cert $status = [PSCustomObject]@{ AuthSuccess = $false Connected = $false Certificate = $null Error = [string]::Empty } try { # Construct TcpClient and stream to target Write-Verbose ("{0}: Connecting" -f $Uri) $client = New-Object System.Net.Sockets.TcpClient # Tasks for connect and timeout $connect = $client.ConnectAsync($Uri.Host, $Uri.Port) $connect.Wait($TimeoutSec * 1000) | Out-Null # Check if we timed out if (!$connect.IsCompleted) { # Connect didn't finish in time Write-Error ("{0}: Failed to connect" -f $Uri) } # Update status $status.Connected = $true # Configure the SslStream connection $stream = $null if ($NoValidation) { $stream = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $certValidation } else { $stream = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false } # This supplies the SNI to the endpoint Write-Verbose ("{0}: Sending SNI as {1}" -f $Uri, $Uri.Host) $stream.AuthenticateAsClient($Uri.Host) # Update status $status.AuthSuccess = $true # Capture the remote certificate from the stream Write-Verbose ("{0}: Retrieving remote certificate" -f $Uri) $streamCert = $stream.RemoteCertificate $status.Certificate = New-Object 'System.Security.Cryptography.X509Certificates.X509Certificate2' -ArgumentList $streamCert } catch { $status.Error = $_.ToString() } finally { if ($null -ne $stream) { $stream.Dispose() } if ($null -ne $client) { $client.Dispose() } } # Return status object $status } } # Build status object $status = @{ Uri = $Uri LastAttempt = [DateTime]::UtcNow Connected = $false } try { # Get-CertificateData doesn't throw errors, just returns the status object # Attempt to connect with certificate validation on first attempt $connectStatus = Get-CertificateData -Uri $Uri -TimeoutSec $TimeoutSec # If we can't connect, just stop here if (!$connectStatus.Connected) { Write-Verbose "Coult not connect to endpoint" Write-Error $connectStatus.Error } $failedAuth = $false if (!$connectStatus.AuthSuccess -or $null -eq $connectStatus.Certificate) { # We connected, but failed authentication or didn't receive a certificate # Attempt to reconnect, but without validation of certificates Write-Verbose "Validation of remote endpoint failed. Reattempting without validation." $connectStatus = Get-CertificateData -Uri $Uri -TimeoutSec $TimeoutSec -NoValidation $failedAuth = $true } if (!$connectStatus.AuthSuccess -or !$connectStatus.Connected -or $null -eq $connectStatus.Certificate) { # Issue with connecting to the endpoint here. Can't continue Write-Verbose "Endpoint connectivity or auth failure" Write-Error $connectStatus.Error } $cert = $connectStatus.Certificate # Convert the extensions to friendly names with data Write-Verbose ("{0}: Unpacking certificate extensions" -f $Uri) $extensions = @{} $cert.Extensions | ForEach-Object { # Extract name. Use Oid if no friendly name $name = $_.Oid.Value if (![string]::IsNullOrEmpty($_.Oid.FriendlyName)) { $name = $_.Oid.FriendlyName } $asndata = New-Object 'System.Security.Cryptography.AsnEncodedData' -ArgumentList $_.Oid, $_.RawData $extensions[$name] = $asndata.Format($false) } # Pack the extensions in to a string object $extensionStr = $extensions.Keys | ForEach-Object { $val = $extensions[$_] if ([string]::IsNullOrEmpty($val)) { $val = [string]::Empty } ("{0} = {1}" -f $_, $val) } | Join-String -Separator ([Environment]::Newline) # Get addresses for this endpoint $addresses = [System.Net.DNS]::GetHostAddresses($Uri.Host) # Build chain information for this certificate $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::New() $chain.Build($cert) | Out-Null $certPath = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject.ToString() } | Join-String -Separator ([Environment]::Newline) # Update the hashtable with the entries we want to update on the CertificateInfo object Write-Verbose ("{0}: Updating object" -f $Uri) $status["Connected"] = $true $status["LastConnect"] = [DateTime]::UtcNow $status["Subject"] = $cert.Subject $status["Issuer"] = $cert.Issuer $status["NotBefore"] = $cert.NotBefore.ToUniversalTime() $status["NotAfter"] = $cert.NotAfter.ToUniversalTime() $status["Thumbprint"] = $cert.Thumbprint $status["LocallyTrusted"] = !$failedAuth $status["Extensions"] = $extensionStr $status["SAN"] = Get-CertificateExtension -KeyName "X509v3 Subject Alternative Name" -Extensions $extensions $status["EKU"] = Get-CertificateExtension -KeyName "X509v3 Extended Key Usage" -Extensions $extensions $status["BasicConstraints"] = Get-CertificateExtension -KeyName "X509v3 Basic Constraints" -Extensions $extensions $status["Addresses"] = $addresses | ForEach-Object { $_.ToString()} | Join-String -Separator ([Environment]::Newline) $status["CertPath"] = $certPath } catch { Write-Warning ("{0}: Failed to check endpoint: {1}" -f $Uri, $_) $status["LastErrorMsg"] = [string]$_ $status["LastError"] = [DateTime]::UtcNow } # Return the state object $status } } process { # Wait for runspace level to go under ConcurrentChecks Invoke-Command -Script $waitScript -ArgumentList $state, ($ConcurrentChecks-1) # Schedule a run for this uri Write-Verbose ("{0}: Scheduling check" -f $Endpoint.Uri) $runspace = [PowerShell]::Create() $runspace.AddScript($checkScript) | Out-Null $runspace.AddParameter("Uri", $Endpoint.Uri) | Out-Null $runspace.AddParameter("TimeoutSec", $TimeoutSec) | Out-Null $runspace.RunspacePool = $pool $state.runspaces.Add([PSCustomObject]@{ Runspace = $runspace Status = $runspace.BeginInvoke() }) } end { # Wait for all runspaces to finish Write-Verbose "Waiting for remainder of runspaces to finish" Invoke-Command -Script $waitScript -ArgumentList $state, 0 # Close everything off $pool.Close() $pool.Dispose() Write-Verbose ("Total runtime: {0} seconds" -f ([DateTime]::UtcNow - $beginTime).TotalSeconds) } } <# #> Function Write-ReportSection { [CmdletBinding()] [OutputType([string], [System.Management.Automation.PSObject[]])] param( [Parameter(Mandatory=$false)] [ValidateNotNull()] [bool]$AsHtml, [Parameter(Mandatory=$true)] [AllowNull()] [AllowEmptyCollection()] [PSObject[]]$Content, [Parameter(Mandatory=$true)] [ValidateNotNull()] [string]$Title, [Parameter(Mandatory=$true)] [ValidateNotNull()] [string]$Description ) process { # Write title and description information if ($AsHtml) { ("<b>{0}</b><br>" -f $Title) ("<i>{0}</i><br><p>" -f $Description) if ($null -ne $Content -and ($Content | Measure-Object).Count -gt 0) { $Content | ConvertTo-Html -As Table -Fragment } else { "No Content<br>" } "<br>" } else { Write-Information $Title Write-Information "================" Write-Information $Description Write-Information "" $Content Write-Information "" } } } <# #> Function Format-EndpointCertificateReport { [CmdletBinding()] [OutputType([string])] param( [Parameter(Mandatory=$true,ValueFromPipeline)] [ValidateNotNull()] [CertificateInfo]$CertificateInfo, [Parameter(Mandatory=$false)] [ValidateNotNull()] [int]$AgeThresholdDays = 5, [Parameter(Mandatory=$false)] [switch]$AsHTML = $false ) begin { # The function will accumulate the objects in to a list to report on # in 'end' $info = New-Object 'System.Collections.Generic.List[CertificateInfo]' } process { # Add the object to the list to report on once all objects have een received $info.Add($CertificateInfo) | Out-Null } end { $AgeThresholdDays = [Math]::Abs($AgeThresholdDays) if ($AsHTML) { "<!DOCTYPE html PUBLIC `"-//W3C//DTD XHTML 1.0 Strict//EN`" `"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd`">" "<html xmlns=`"http://www.w3.org/1999/xhtml`">" "<head>" "<title>HTML TABLE</title>" "</head><body>" } # Display endpoints that couldn't be contacted $results = $info | Where-Object {$_.Connected -eq $false -or $_.LastConnect -lt ([DateTime]::UtcNow.AddDays(-$AgeThresholdDays))} | Select-Object -Property Uri,Perspective,Subject,LastAttempt,LastConnect,Connected,LastError,LastErrorMsg Write-ReportSection -Content $results -AsHtml $AsHtml -Title "Inaccessible endpoints" -Description "Endpoints not connected within last $AgeThresholdDays days or failed connection" # get all endpoint data where the endpoint could be queried $connected = $info | Where-Object {$_.Connected} $results = $connected | Where-Object {$_.LocallyTrusted -eq $false -or $_.IsDateValid() -eq $false} | Group-Object -Property Uri,Thumbprint | ForEach-Object { $group = $_ # Determine all perspectives $perspectives = $group.Group | ForEach-Object { $_.Perspective } | Select-Object -Unique | Join-String -Separator ", " # Since thumbprint is the same for all in this group, we only need the cert information from the first object $first = $group.Group | Select-Object -First 1 [PSCustomObject]@{ Uri = $first.Uri Perspectives = $perspectives Subject = $first.Subject Issuer = $first.Issuer DaysRemaining = $first.DaysRemaining() # Locally Trusted is perspective based, so not guaranteed to be the same between separate checkers, # however this if filtered by 'LocallyTrusted -eq $false' above, so they should all be the same LocallyTrusted = $first.LocallyTrusted } } Write-ReportSection -Content $results -AsHtml $AsHtml -Title "Invalid certificates" -Description "Endpoints with an invalid certificate (untrusted or date out of range)" $results = $connected | Where-Object {$_.NotAfter -lt ([DateTime]::UtcNow.AddDays(90))} | Group-Object -Property Uri,Thumbprint | ForEach-Object { $group = $_ # Determine all perspectives $perspectives = $group.Group | ForEach-Object { $_.Perspective } | Select-Object -Unique | Join-String -Separator ", " # Since thumbprint is the same for all in this group, we only need the cert information from the first object $first = $group.Group | Select-Object -First 1 [PSCustomObject]@{ Uri = $first.Uri Perspectives = $perspectives Subject = $first.Subject Issuer = $first.Issuer DaysRemaining = $first.DaysRemaining() NotAfter = $first.NotAfter # LocallyTrusted is not included here as it may be different between checkers depending on # local trusted CA configuration # LocallyTrusted = $first.LocallyTrusted } } | Sort-Object -Property NotAfter Write-ReportSection -Content $results -AsHtml $AsHtml -Title "Endpoints expiring soon" -Description "All endpoints expiring within 90 days (Locally trusted or not)" if ($AsHTML) { "</body></html>" } } } <# #> Function Get-EndpointsFromAzureTableStorage { [CmdletBinding()] param( [Parameter(Mandatory=$true)] [ValidateNotNull()] [Microsoft.Azure.Cosmos.Table.CloudTable]$Table, [Parameter(Mandatory=$false)] [ValidateNotNullOrEmpty()] [string]$Perspective ) process { # Args for Get-AzTableRow $getArgs = @{ Table = $Table } # Refine to a perspective, if requested if (![string]::IsNullOrEmpty($Perspective)) { $getArgs["PartitionKey"] = $Perspective } # Get all rows, perhaps filtering to a perspective/partitionkey Get-AzTableRow @getArgs | ForEach-Object { $row = $_ # Extract properties from the row and populate the status object $info = [CertificateInfo]::New($row) $info.Perspective = $row.PartitionKey # Check Uri try { # Extract the Uri from the RowKey $bytes = [Convert]::FromBase64String($row.RowKey) $uri = [System.Text.Encoding]::Unicode.GetString($bytes) $testUri = [Uri]::New($uri) if ([string]::IsNullOrEmpty($testUri.Host) -or $testUri.Port -eq 0) { Write-Warning "Missing host and/or port in Uri: $uri" } else { $info.Uri = $testUri $info } } catch { Write-Warning ("Invalid format for uri. Raw RowKey({0})" -f $row.RowKey) } } } } <# #> Function Update-EndpointsInAzureTableStorage { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] [CmdletBinding()] param( [Parameter(Mandatory=$true)] [ValidateNotNull()] [Microsoft.Azure.Cosmos.Table.CloudTable]$Table, [Parameter(Mandatory=$false)] [ValidateNotNullOrEmpty()] [string]$Perspective, [Parameter(Mandatory=$true,ValueFromPipeline)] [ValidateNotNull()] [CertificateInfo]$Update ) process { $uri = $Update.Uri # Check for host and port if ([string]::IsNullOrEmpty($uri.Host) -or $uri.Port -eq 0) { Write-Error "Missing host and/or port in Uri" } $status = $Update.ToHashTable() # Determine PartitionKey # Use the supplied Perspective. If empty, use the Perspective in the CertificateInfo $partitionKey = $Perspective if ([string]::IsNullOrEmpty($partitionKey) -and $status.Keys -contains "Perspective") { $partitionKey = $status["Perspective"] } # No supplied Perspective and no Perspective in the CertificateInfo object, so use "global" if ([string]::IsNullOrEmpty($partitionKey)) { $partitionKey = "global" } # Write it back to the status object so that the content in Azure Tables is consistent $status["Perspective"] = $partitionKey # Rewrite/transform uri to base64 encoding $bytes = [System.Text.Encoding]::Unicode.GetBytes($uri) $rowKey = [Convert]::ToBase64String($bytes) # Add/Update the row Write-Verbose "Updating Partition($Perspective) RowKey($rowKey)" Write-Verbose "Properties: " Write-Verbose ([PSCustomObject]$status | ConvertTo-Json) Add-AzTableRow -Table $table -PartitionKey $partitionKey -RowKey $rowKey -Property $status -UpdateExisting | Out-Null } } Function Add-EndpointCategoryUri { [CmdletBinding()] param( [Parameter(Mandatory=$true)] [ValidateNotNull()] [Microsoft.Azure.Cosmos.Table.CloudTable]$Table, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string]$CategoryName, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [Uri]$Uri ) process { # Normalise Uri for processing $Uri = New-NormalisedUri $Uri # only lowercase for category names $CategoryName = $CategoryName.ToLower() # Generate Base64 representations $rowKey = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Uri)) $partitionKey = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($CategoryName)) # Data for the entry $entry = @{} # Add/Update the row Write-Verbose "Updating Partition($partitionKey) RowKey($rowKey)" Write-Verbose "Properties: " Write-Verbose ([PSCustomObject]$entry | ConvertTo-Json) Add-AzTableRow -Table $table -PartitionKey $partitionKey -RowKey $rowKey -Property $entry -UpdateExisting | Out-Null } } Function Get-EndpointCategoryUri { [CmdletBinding()] param( [Parameter(Mandatory=$true)] [ValidateNotNull()] [Microsoft.Azure.Cosmos.Table.CloudTable]$Table, [Parameter(Mandatory=$false)] [ValidateNotNullOrEmpty()] [string]$CategoryName, [Parameter(Mandatory=$false)] [ValidateNotNullOrEmpty()] [Uri]$Uri ) process { # Base for parameters for the request $getParams = @{ Table = $Table } # Set the partition key to the category name, if supplied if ($PSBoundParameters.Keys -contains "CategoryName") { # only lowercase for category names $CategoryName = $CategoryName.ToLower() $getParams["PartitionKey"] = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($CategoryName)) } # Set the row key to the Uri, if supplied if ($PSBoundParameters.Keys -contains "Uri") { # Normalise Uri for processing $Uri = New-NormalisedUri $Uri $getParams["RowKey"] = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Uri)) } # Retrieve the rows and convert to native category name and uri Get-AzTableRow @getParams | ForEach-Object { try { [PSCustomObject]@{ CategoryName = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($_.PartitionKey)) Uri = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($_.RowKey)) } } catch { Write-Warning "Error retrieving/converting document: $_" } } } } Function Remove-EndpointCategoryUri { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] [CmdletBinding()] param( [Parameter(Mandatory=$true)] [ValidateNotNull()] [Microsoft.Azure.Cosmos.Table.CloudTable]$Table, [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName)] [ValidateNotNullOrEmpty()] [string]$CategoryName, [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName)] [ValidateNotNullOrEmpty()] [Uri]$Uri ) process { # Normalise Uri for processing $Uri = New-NormalisedUri $Uri # only lowercase for category names $CategoryName = $CategoryName.ToLower() # Base for parameters for the request $removeParams = @{ Table = $Table PartitionKey = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($CategoryName)) RowKey = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Uri)) } # Retrieve the rows and convert to native category name and uri try { Remove-AzTableRow @removeParams } catch { Write-Error "Error removing Azure Table row: $_" } } } <# #> Function Format-EndpointCategoryReport { [CmdletBinding()] [OutputType([string])] param( [Parameter(Mandatory=$true)] [ValidateNotNull()] [Microsoft.Azure.Cosmos.Table.CloudTable]$CategoryTable, [Parameter(Mandatory=$true)] [ValidateNotNull()] [Microsoft.Azure.Cosmos.Table.CloudTable]$EndpointTable, [Parameter(Mandatory=$false)] [switch]$AsHTML = $false ) process { # Get a list of the categories and Uris to process $categoryMap = Get-EndpointCategoryUri -Table $CategoryTable | Group-Object -Property CategoryName -AsHashTable # Get all endpoints from Azure storage $tempEndpointMap = Get-EndpointsFromAzureTableStorage -Table $EndpointTable | Group-Object -Property Uri -AsHashTable # Convert Uri objects to string representation $endpointMap = @{} $tempEndpointMap.Keys | ForEach-Object { $endpointMap[$_.ToString()] = $tempEndpointMap[$_] } # Merge maps together $map = @{} $categoryMap.Keys | ForEach-Object { $categoryName = $_ # Add an entry for this category name $map[$categoryName] = @{} # Iterate through each Uri $categoryMap[$categoryName] | ForEach-Object { $uri = $_.Uri # Add an entry for this Uri for this category $map[$categoryName][$uri] = @() # Find all endpoint entries that match this uri if ($endpointMap.Keys -contains $uri) { $map[$categoryName][$uri] = $endpointMap[$uri] } } } # Html preamble if ($AsHTML) { "<!DOCTYPE html PUBLIC `"-//W3C//DTD XHTML 1.0 Strict//EN`" `"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd`">" "<html xmlns=`"http://www.w3.org/1999/xhtml`">" "<head>" "<title>HTML TABLE</title>" "</head><body>" } # Write a section for each category name $map.Keys | ForEach-Object { $categoryName = $_ # Generate content for this section $content = $map[$categoryName].Keys | ForEach-Object { $uri = $_ # Group by thumbprint and locallytrusted so they are easily distinguishable in the report $map[$categoryName][$uri] | Group-Object -Property Thumbprint,LocallyTrusted | ForEach-Object { $group = $_.Group # Base status in case we have no endpoint data $status = [PSCustomObject]@{ Uri = $uri Perspectives = "No Data" Subject = "No Data" Issuer = "No Data" DaysRemaining = 0 LocallyTrusted = $false Thumbprint = "No Data" } # If we have endpoint data, add perspectives and other cert data if (($group | Measure-Object).Count -gt 0) { $first = $group | Select-Object -First 1 $status.Perspectives = $group | ForEach-Object { $_.Perspective } | Join-String -Separator ", " $status.Subject = $first.Subject $status.Issuer = $first.Issuer $status.DaysRemaining = $first.DaysRemaining() $status.LocallyTrusted = $first.LocallyTrusted $status.Thumbprint = $first.Thumbprint } # Pass the status on in the pipeline $status } } Write-ReportSection -Content $content -AsHtml $AsHtml -Title "Category: $_" -Description "Endpoint summary for $categoryName" } if ($AsHTML) { "</body></html>" } } } |