VenafiPS

5.1.1

Public/Revoke-TppGrant.ps1

                                function Revoke-TppGrant {

    <#

    .SYNOPSIS

    Revoke all grants for a specific user

    .DESCRIPTION

    Revoke all grants for a specific user.

    You must either be an administrator or oauth administrator to perform this action.

    Also, your token must have the admin:delete scope.

    .PARAMETER ID

    Prefixed universal id for the user.  To search, use Find-TppIdentity.

    .PARAMETER VenafiSession

    Authentication for the function.

    The value defaults to the script session object $VenafiSession created by New-VenafiSession.

    A TPP token can also provided.

    If providing a TPP token, an environment variable named TPP_SERVER must also be set.

    .INPUTS

    ID

    .OUTPUTS

    None

    .EXAMPLE

    Revoke-TppGrant -ID local:{9e9db8d6-234a-409c-8299-e3b81ce2f916}

    Revoke all grants for a user

    .EXAMPLE

    Get-VenafiIdentity -ID me@x.com | Revoke-TppGrant

    Revoke all grants getting universal id from other identity functions

    .LINK

    http://VenafiPS.readthedocs.io/en/latest/functions/Revoke-TppGrant/

    .LINK

    https://github.com/Venafi/VenafiPS/blob/main/VenafiPS/Public/Revoke-TppGrant.ps1

    .LINK

    https://doc.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-POST-oauth-revokegrants.htm

    #>

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]

    param (

        [Parameter(ValueFromPipelineByPropertyName)]

        [ValidateScript( {

                if ( Test-TppIdentityFormat -ID $_ -Format 'Universal' ) {

                    $true

                } else {

                    throw "'$_' is not a valid prefixed universal identity format.  See https://docs.venafi.com/Docs/current/TopNav/Content/SDK/WebSDK/r-SDK-IdentityInformation.php."

                }

            })]

        [Alias('PrefixedUniversalID', 'IdentityID')]

        [string[]] $ID

    )

    begin {

        Test-VenafiSession -VenafiSession $VenafiSession -Platform 'TPP' -AuthType 'token'

        if ( $VenafiSession.Version -lt [Version]::new('22', '3', '0') ) {

            throw 'Revoke-TppGrant is available on TPP v22.3 and greater'

        }

        $params = @{

            VenafiSession = $VenafiSession

            Method        = 'Post'

            UriLeaf       = 'oauth/revokegrants'

            Body          = @{}

            FullResponse  = $true

        }

    }

    process {

        foreach ($thisID in $ID) {

            $params.Body.GranteePrefixedUniversal = $thisID

            if ( $PSCmdlet.ShouldProcess($thisID, 'Revoke all grants') ) {

                $response = Invoke-VenafiRestMethod @params

                switch ( $response.StatusCode ) {

                    200 {

                        if ( $response.Result -eq 1 ) {

                            Write-Error 'Grant revocation was unsuccessful'

                        }

                    }

                    401 {

                        if ( $response.Error.error -eq 'insufficient_rights' ) {

                            throw 'The token user account does not have sufficient permissions for this request.  You must be an administrator or OAuth administrator.'

                        }

                    }

                    403 {

                        throw 'The access token provided does not have the admin:delete scope.  Create a new token with this scope and try again.'

                    }

                    Default {

                        throw $response.Error

                    }

                }

            }

        }

    }

}