TlsCertificateValidation.psm1

# Copyright WebMD Health Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License

#Requires -Version 5.1
Set-StrictMode -Version 'Latest'

# Functions should use $moduleRoot as the relative root from which to find
# things. A published module has its function appended to this file, while a
# module in development has its functions in the Functions directory.
$moduleRoot = $PSScriptRoot

Import-Module -Name (Join-Path -Path $PSScriptRoot -ChildPath 'Modules\Carbon.Core' -Resolve) `
              -Function @('Test-CType')

if (-not (Test-CType -Name 'TlsCertificateValidation.ServerCertificateCallbackShim'))
{
    Add-Type -Path (Join-Path -Path $moduleRoot -ChildPath 'ServerCertificateCallbackShim.cs')
}

$functionsPath = Join-Path -Path $moduleRoot -ChildPath 'Functions\*.ps1'
if( (Test-Path -Path $functionsPath) )
{
    foreach( $functionPath in (Get-Item $functionsPath) )
    {
        . $functionPath.FullName
    }
}



function Clear-TlsCertificateValidator
{
    <#
    .SYNOPSIS
    Removes the current server certificate validation callback function.
 
    .DESCRIPTION
    The `Clear-TlsCertificateValidator` function removes the current server certificate validaton function. .NET allows
    you to set a custom callback function that it will call when validating TLS certificates. This function sets that
    callback function to `$null` (i.e. sets the `[Net.ServicePointManager]::ServerCertificateValidationCallback`
    property to `$null`).
 
    .EXAMPLE
    Clear-TlsCertificateValidator
 
    Demonstrates how to remove the current custom server certificate validator.
    #>

    [CmdletBinding()]
    param(
    )

    Set-StrictMode -Version 'Latest'

    [Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}




function Disable-TlsCertificateValidation
{
    <#
    .SYNOPSIS
    Turns off TLS server certificate validation in the current PowerShell session.
 
    .DESCRIPTION
    The `Disable-TlsCertificateValidation` function disables TLS server certificate validation for the current
    PowerShell session by setting the `[Net.ServicePointManager]::ServerCertificateValidationCallback` to a function
    that accepts all certificates. All https web requests made after calling `Disable-TlsCertificateValidation` will
    accept all invalid TLS certificates.
 
    To re-enable server certificate validation, use the `Enable-TlsCertificateValidation` function.
 
    .EXAMPLE
    Disable-TlsCertificateValidation
 
    Demonstrates how to turn off TLS server certificate validation.
    #>

    [CmdletBinding()]
    param(
        [switch] $Force
    )

    Set-StrictMode -Version 'Latest'

    Set-TlsCertificateValidator -ScriptBlock { return $true }
}



function Enable-TlsCertificateValidation
{
    <#
    .SYNOPSIS
    Turns on TLS server certificate validation in the current PowerShell session.
 
    .DESCRIPTION
    The `Enable-TlsCertificateValidation` function enables TLS server certificate validation for the current
    PowerShell session by clearing the `[Net.ServicePointManager]::ServerCertificateValidationCallback`. All https web
    requests made after calling `Enable-TlsCertificateValidation` will reject all invalid TLS certificates.
 
    To disable server certificate validation, use the `Disable-TlsCertificateValidation` function.
 
    .EXAMPLE
    Enable-TlsCertificateValidation
 
    Demonstrates how to turn on TLS server certificate validation.
    #>

    [CmdletBinding()]
    param(
        [switch] $Force
    )

    Set-StrictMode -Version 'Latest'

    Clear-TlsCertificateValidator
}



function Set-TlsCertificateValidator
{
    <#
    .SYNOPSIS
    Sets the .NET custom server certificate validation callback function to use a PowerShell script block.
 
    .DESCRIPTION
    The `Set-TlsCertificateValidator` allows you use a PowerShell script block to add custom validation when .NET is
    valiating a server's TLS certificate. Pass the script block to the `ScriptBlock` parameter. Your script block *must*
    return `$true` if the certificate is valid and should be trusted, or `$false` or nothing if the certificate is
    invalid and should not be trusted.
 
    The script block is passed four *optional* parameters, in this order:
     
    * `[Object] $Sender`: contains state information for the validation.
    * `[Security.Cryptography.X509Certificates.X509Certificate2] $Certificate`: the certificate to validate.
    * `[Security.Cryptography.X509Certificates.X509Chain] $Chain`: the certificate chain of the certificate.
    * `[Net.Security.SslPolicyErrors] $PolicyErrors`: a flags enum for the certificate's policy errors (if any).
 
    Your validator will continue to be used in the current PowerShell session until you call the
    `Clear-TlsCertificateValidator` function to remove it.
 
    .EXAMPLE
    Set-TlsCertificateValidator { $true }
 
    Demonstrates how to use this function to trust all TLS certificates.
    #>

    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position=0)]
        [scriptblock] $ScriptBlock
    )

    Set-StrictMode -Version 'Latest'

    [TlsCertificateValidation.ServerCertificateCallbackShim]::RegisterScriptBlockValidator($ScriptBlock)
}



function Test-SkipCertificateCheck
{
    <#
    .SYNOPSIS
    Tests if PowerShell supports the `SkipCertificateCheck` parameter on `Invoke-WebRequest` and `Invoke-RestMethod`.
 
    .DESCRIPTION
    The `Test-SkipCertificateCheck` function tests if the `Invoke-WebRequest` and `Invoke-RestMethod` have the
    `SkipCertificateCheck` switch. The purpose of this function is for use in cross-platform or cross-edition scripts
    when they need to ignore invalid TLS certificates. If this function returns `$true`, code should use the
    `SkipCertificateCheck` switch on `Invoke-WebRequest` and `Invoke-RestMethod`. If `$false`, scripts should use the
    `Disable-TlsCertificateValidation` and `Enable-TlsCertificateValidation` functions. This logic is shown in the
    following sample code:
 
        $iwrArgs = @{}
        if( (Test-SkipCertificateCheck) )
        {
            $iwrArgs['SkipCertificateCheck'] = $true
        }
        else
        {
            Disable-TlsCertificateValidation
        }
 
        try
        {
            Invoke-WebRequest -Uri 'https://expired.badssl.com/' @iwrArgs
        }
        finally
        {
            if( -not (Test-SkipCertificateCheck) )
            {
                Enable-TlsCertificateValidation
            }
        }
 
    .EXAMPLE
    Test-SkipCertificateCheck
    #>

    [CmdletBinding()]
    param(
    )

    Set-StrictMode -Version 'Latest'

    return $null -ne (Get-Command -Name 'Invoke-WebRequest' -ParameterName 'SkipCertificateCheck' -ErrorAction Ignore)
}



function Use-CallerPreference
{
    <#
    .SYNOPSIS
    Sets the PowerShell preference variables in a module's function based on the callers preferences.
 
    .DESCRIPTION
    Script module functions do not automatically inherit their caller's variables, including preferences set by common
    parameters. This means if you call a script with switches like `-Verbose` or `-WhatIf`, those that parameter don't
    get passed into any function that belongs to a module.
 
    When used in a module function, `Use-CallerPreference` will grab the value of these common parameters used by the
    function's caller:
 
     * ErrorAction
     * Debug
     * Confirm
     * InformationAction
     * Verbose
     * WarningAction
     * WhatIf
     
    This function should be used in a module's function to grab the caller's preference variables so the caller doesn't
    have to explicitly pass common parameters to the module function.
 
    This function is adapted from the [`Get-CallerPreference` function written by David Wyatt](https://gallery.technet.microsoft.com/scriptcenter/Inherit-Preference-82343b9d).
 
    There is currently a [bug in PowerShell](https://connect.microsoft.com/PowerShell/Feedback/Details/763621) that
    causes an error when `ErrorAction` is implicitly set to `Ignore`. If you use this function, you'll need to add
    explicit `-ErrorAction $ErrorActionPreference` to every `Write-Error` call. Please vote up this issue so it can get
    fixed.
 
    .LINK
    about_Preference_Variables
 
    .LINK
    about_CommonParameters
 
    .LINK
    https://gallery.technet.microsoft.com/scriptcenter/Inherit-Preference-82343b9d
 
    .LINK
    http://powershell.org/wp/2014/01/13/getting-your-script-module-functions-to-inherit-preference-variables-from-the-caller/
 
    .EXAMPLE
    Use-CallerPreference -Cmdlet $PSCmdlet -SessionState $ExecutionContext.SessionState
 
    Demonstrates how to set the caller's common parameter preference variables in a module function.
    #>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        #[Management.Automation.PSScriptCmdlet]
        # The module function's `$PSCmdlet` object. Requires the function be decorated with the `[CmdletBinding()]`
        # attribute.
        $Cmdlet,

        [Parameter(Mandatory)]
        # The module function's `$ExecutionContext.SessionState` object. Requires the function be decorated with the
        # `[CmdletBinding()]` attribute.
        #
        # Used to set variables in its callers' scope, even if that caller is in a different script module.
        [Management.Automation.SessionState]$SessionState
    )

    Set-StrictMode -Version 'Latest'

    # List of preference variables taken from the about_Preference_Variables and their common parameter name (taken
    # from about_CommonParameters).
    $commonPreferences = @{
                              'ErrorActionPreference' = 'ErrorAction';
                              'DebugPreference' = 'Debug';
                              'ConfirmPreference' = 'Confirm';
                              'InformationPreference' = 'InformationAction';
                              'VerbosePreference' = 'Verbose';
                              'WarningPreference' = 'WarningAction';
                              'WhatIfPreference' = 'WhatIf';
                          }

    foreach( $prefName in $commonPreferences.Keys )
    {
        $parameterName = $commonPreferences[$prefName]

        # Don't do anything if the parameter was passed in.
        if( $Cmdlet.MyInvocation.BoundParameters.ContainsKey($parameterName) )
        {
            continue
        }

        $variable = $Cmdlet.SessionState.PSVariable.Get($prefName)
        # Don't do anything if caller didn't use a common parameter.
        if( -not $variable )
        {
            continue
        }

        if( $SessionState -eq $ExecutionContext.SessionState )
        {
            Set-Variable -Scope 1 -Name $variable.Name -Value $variable.Value -Force -Confirm:$false -WhatIf:$false
        }
        else
        {
            $SessionState.PSVariable.Set($variable.Name, $variable.Value)
        }
    }
}