SecretManagement.KeyChain.Extension/SecretManagement.KeyChain.Extension.psm1

$keyChainName = 'SecretManagement.KeyChain'
$securityCmd = '/usr/bin/security'

# Helpers

# SecretManagement converts strings in hashtable to securestring before handing it to extensions
# since I need to serialize to json, we need to convert everything to just strings
function Convert-HashTable([hashtable]$h) {
    $newh = @{}
    foreach ($key in $h.Keys) {
        if ($h[$key] -is [hashtable]) {
            $newh.$key = Convert-HashTable $h[$key]
        }
        elseif ($h[$key] -is [PSCredential]) {
            $newh.$key = @{
                __type = 'PSCredential'
                UserName = $h[$key].UserName
                Password = $h[$key].Password | ConvertFrom-SecureString -AsPlainText
            }
        }
        elseif ($h[$key] -is [SecureString]) {
            $newh.$key = $h[$key] | ConvertFrom-SecureString -AsPlainText
        }
        else {
            $newh.$key = $h[$key]
        }
    }

    $newh
}

function Convert-HashTableCreds([hashtable]$h) {
    $newh = @{}
    foreach ($key in $h.Keys) {
        if ($h[$key].__type -eq 'PSCredential') {
            $newh.$key = [PSCredential]::new($h[$key].UserName, ($h[$key].Password | ConvertTo-SecureString -AsPlainText))
        }
        elseif ($h[$key] -is [hashtable]) {
            $newh.$key = Convert-HashTableCreds $h[$key]
        }
        else {
            $newh.$key = $h[$key]
        }
    }

    $newh
}

function ConvertTo-Base64([string]$text) {
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($text)
    [System.Convert]::ToBase64String($bytes)
}

function ConvertFrom-Base64([string]$base64) {
    $bytes = [System.Convert]::FromBase64String($base64)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

function Get-SecretType($typename) {
    switch($typename) {
        'STRG' {
            [Microsoft.PowerShell.SecretManagement.SecretType]::String
        }
        'SSTR' {
            [Microsoft.PowerShell.SecretManagement.SecretType]::SecureString
        }
        'BYTE' {
            [Microsoft.PowerShell.SecretManagement.SecretType]::ByteArray
        }
        'CRED' {
            [Microsoft.PowerShell.SecretManagement.SecretType]::PSCredential
        }
        'HASH' {
            [Microsoft.PowerShell.SecretManagement.SecretType]::Hashtable
        }
        default {
            [Microsoft.PowerShell.SecretManagement.SecretType]::Unknown
        }
    }    
}

function Convert-KeyChainSecret([string]$text) {
    # Example output that needs to be parsed:
    #
    # keychain: "/Users/steve/Library/Keychains/SecretManagement.KeyChain-db"
    # version: 512
    # class: "genp"
    # attributes:
    # 0x00000007 <blob>="KeyChain"
    # 0x00000008 <blob>=<NULL>
    # "acct"<blob>="mysecret"
    # "cdat"<timedate>=0x32303230313030393233303831315A00 "20201009230811Z\000"
    # "crtr"<uint32>="STRG"
    # "cusi"<sint32>=<NULL>
    # "desc"<blob>=<NULL>
    # "gena"<blob>=<NULL>
    # "icmt"<blob>=<NULL>
    # "invi"<sint32>=<NULL>
    # "mdat"<timedate>=0x32303230313030393233303831315A00 "20201009230811Z\000"
    # "nega"<sint32>=<NULL>
    # "prot"<blob>=<NULL>
    # "scrp"<sint32>=<NULL>
    # "svce"<blob>="KeyChain"
    # "type"<uint32>=<NULL>
    # password: "secret"

    if ($text -match '"acct"\<blob\>="(.*?)"') {
        $name = $matches[1]
    }

    if ($text -match '"crtr"<uint32>="(.*?)"') {
        $typename = $matches[1]
    }

    if ($text -match 'password: "(.*?)"') {
        $secret = ConvertFrom-Base64 $matches[1]
    }

    if ($null -eq $name -or $null -eq $typename) {
        throw "Failed to parse KeyChain text output: $text"
    }

    [PSCustomObject]@{
        Name = $name
        TypeName = $typename
        Type = (Get-SecretType $typename)
        Secret = $secret
    }
}

# KeyChain is case sensitive, so make sure to use the original casing
function Get-VaultName([string]$name) {
    $vault = Get-SecretVault -Name $name
    $vault.Name
}

# Public functions
function Get-Secret {
    param (
        [string] $Name,
        [string] $VaultName,
        [hashtable] $AdditionalParameters
    )

    $Name = $Name.ToLower()
    $VaultName = Get-VaultName $VaultName

    $out = & $securityCmd find-generic-password -a $Name -s $VaultName -g $keyChainName 2>&1
    if (!$?) {
        throw $out
    }

    $secret = Convert-KeyChainSecret $out
    if ($null -eq $secret.Secret) {
        throw "Not able to parse KeyChain for secret"
    }

    switch ($secret.TypeName) {
        'STRG' {
            $secretObj = $secret.Secret
        }
        'SSTR' {
            $secretObj = ConvertTo-SecureString $secret.Secret -AsPlainText
        }
        'HASH' {
            $secretObj = $secret.Secret | ConvertFrom-Json -AsHashTable
            $secretObj = Convert-HashTableCreds $secretObj
        }
        'BYTE' {
            $secretObj = [byte[]]::new($secret.Secret.Length / 2)

            for ($i = 0; $i -lt $secret.Secret.Length; $i += 2) {
                $secretObj[$i/2] = [System.Convert]::ToByte($secret.Secret.Substring($i, 2), 16)
            }
        }
        'CRED' {
            $cred = $secret.Secret | ConvertFrom-Json
            $secretObj = [PSCredential]::new($cred.UserName, ($cred.Password | ConvertTo-SecureString -AsPlainText))
        }
        default {
            throw "Unknown type: $($secret.TypeName)"
        }
    }

    return $secretObj
}

function Set-Secret {
    param (
        [string] $Name,
        [object] $Secret,
        [string] $VaultName,
        [hashtable] $AdditionalParameters
    )

    $VaultName = Get-VaultName $VaultName
    Test-SecretVault -VaultName $VaultName

    # KeyChain is case-sensitive, so always use lowercase
    $Name = $Name.ToLower()

    switch ($Secret.GetType()) {
        'String' {
            $type = 'STRG'
        }
        'SecureString' {
            $type = 'SSTR'
            $Secret = $Secret | ConvertFrom-SecureString -AsPlainText
        }
        'Hashtable' {
            $type = 'HASH'
            $Secret = Convert-HashTable $secret | ConvertTo-Json -Depth 100 -Compress
        }
        'Byte[]' {
            $type = 'BYTE'
            $Secret = [System.BitConverter]::ToString($Secret).Replace('-','')
        }
        'PSCredential' {
            $type = 'CRED'
            $Secret = [PSCustomObject]@{
                UserName = $Secret.UserName
                Password = $Secret.Password | ConvertFrom-SecureString -AsPlainText
            } | ConvertTo-Json -Compress
        }
        default {
            throw "Unsupported object type: $($Secret.GetType().Name)"
        }
    }

    $Secret = ConvertTo-Base64 $Secret
    $out = & $securityCmd add-generic-password -a $Name -s $VaultName -c $type -w $Secret -U $keyChainName 2>&1
    if (!$?) {
        throw $out
    }

    return $?
}

function Remove-Secret {
    param (
        [string] $Name,
        [string] $VaultName,
        [hashtable] $AdditionalParameters
    )

    $VaultName = Get-VaultName $VaultName

    # KeyChain is case-sensitive, so always use lowercase
    $Name = $Name.ToLower()

    $out = & $securityCmd delete-generic-password -a $Name -s $VaultName $keyChainName 2>&1
    if (!$?) {
        throw $out
    }
    return $?
}

function Get-SecretInfo {
    param (
        [string] $Filter,
        [string] $VaultName,
        [hashtable] $AdditionalParameters
    )

    $VaultName = Get-VaultName $VaultName

    if ($filter.Contains('*')) {
        $output = & $securityCmd dump-keychain $keyChainName | Out-String
        if (!$?) {
            throw "Unable to get contents of KeyChain"
        }

        if ($null -eq $output) {
            return
        }

        foreach ($secretText in $output.Split('keychain:', [System.StringSplitOptions]::RemoveEmptyEntries)) {
            $secret = Convert-KeyChainSecret $secretText

            if ($secret.Name -like $Filter) {
                [Microsoft.PowerShell.SecretManagement.SecretInformation]::new(
                    $secret.Name,
                    $secret.Type,
                    $VaultName
                )
            }
        }
    }
    else {
        $output = & $securityCmd find-generic-password -a $Filter -s $VaultName $keyChainName | Out-String
        if (!$?) {
            return $null
        }

        $secret = Convert-KeyChainSecret $output
        [Microsoft.PowerShell.SecretManagement.SecretInformation]::new(
            $secret.Name,
            $secret.Type,
            $VaultName
        )
    }
}

function Test-SecretVault {
    param (
        [string] $VaultName,
        [hashtable] $AdditionalParameters
    )

    $null = & $securityCmd show-keychain-info $keyChainName 2>&1
    if (!$?) {
        & $securityCmd create-keychain -P $keyChainName
    }

    return $?
}