public/Invoke-VPASAccountPasswordAction.ps1

<#
.Synopsis
   ACCOUNT PASSWORD ACTION
   CREATED BY: Vadim Melamed, EMAIL: vmelamed5@gmail.com
.DESCRIPTION
   USE THIS FUNCTION TO TRIGGER A VERIFY/RECONCILE/CHANGE/CHANGE SPECIFY NEXT PASSWORD/CHANGE ONLY IN VAULT/GENERATE PASSWORD ACTIONS ON AN ACCOUNT IN CYBERARK
.EXAMPLE
   $AccountPasswordActionJSON = Invoke-VPASAccountPasswordAction -action {ACTION VALUE} -safe {SAFE VALUE} -address {ADDRESS VALUE} -username {USERNAME VALUE}
.OUTPUTS
   $true if action was marked successfully
   GeneratedPassword if action is GENERATE PASSWORD
   $false if failed
#>

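function Invoke-VPASAccountPasswordAction{
    [OutputType('System.Object',[bool])]
    [CmdletBinding()]
    Param(

        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,Position=0)]
        [ValidateSet('Verify','Reconcile','Change','ChangeOnlyInVault','ChangeSetNew','GeneratePassword')]
        [String]$action,

        # Plain [String]: the value is visible to anything that records the command line
        # (history, transcripts). It is only read for ChangeOnlyInVault and ChangeSetNew.
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=1)]
        [String]$newPass,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=2)]
        [String]$safe,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=3)]
        [String]$platform,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=4)]
        [String]$username,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=5)]
        [String]$address,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=6)]
        [String]$AcctID,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=7)]
        [Switch]$HideWarnings,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=8)]
        [hashtable]$token,

        # Switches every request in this function from https:// to http://. The Authorization
        # header and, for the two password-setting actions, the new password are then sent
        # without transport encryption.
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=9)]
        [Switch]$NoSSL

    )

    Begin{
        # Only $sessionval, $PVWA and $Header are used below; the other values are unpacked
        # but not read in this function.
        $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL = Get-VPASSession -token $token
    }
    Process{

        Write-Verbose "SUCCESSFULLY PARSED PVWA VALUE"
        Write-Verbose "SUCCESSFULLY PARSED TOKEN VALUE"
        Write-Verbose "SUCCESSFULLY PARSED ACTION VALUE: $action"

        # One entry per action: the log line announcing it, the endpoint template ({0} is the
        # account id) and the log line used when the request fails. Entries that carry a Body
        # are the ones that require -newPass.
        $actionTable = @{
            "verify" = @{
                Selected = "ACTION SET TO VERIFY"
                Endpoint = "PasswordVault/API/Accounts/{0}/Verify"
                Failure  = "UNABLE TO TRIGGER VERIFY ACTION ON THE ACCOUNT"
            }
            "reconcile" = @{
                Selected = "ACTION SET TO RECONCILE"
                Endpoint = "PasswordVault/API/Accounts/{0}/Reconcile"
                Failure  = "UNABLE TO TRIGGER RECONCILE ACTION ON THE ACCOUNT"
            }
            "changeonlyinvault" = @{
                Selected       = "ACTION SET TO CHANGE PASSWORD ONLY IN VAULT"
                Endpoint       = "PasswordVault/API/Accounts/{0}/Password/Update"
                Failure        = "UNABLE TO TRIGGER CHANGE PASSWORD IN VAULT ACTION ON THE ACCOUNT"
                MissingVerbose = "CHANGE PASSWORD IN VAULT MUST BE SUPPLIED WITH A NEW PASSWORD"
                MissingOutput  = "CHANGE PASSWORD IN VAULT MUST BE SUPPLIED WITH A NEW PASSWORD"
                Body           = @{
                    NewCredentials = $newPass
                }
            }
            "changesetnew" = @{
                Selected       = "ACTION SET TO CHANGE PASSWORD SET NEW PASSWORD"
                Endpoint       = "PasswordVault/API/Accounts/{0}/SetNextPassword"
                Failure        = "UNABLE TO TRIGGER CHANGE PASSWORD SET NEW PASSWORD ACTION ON THE ACCOUNT"
                MissingVerbose = "CHANGE PASSWORD SET NEW PASSWORD MUST BE SUPPLIED WITH A NEW PASSWORD"
                MissingOutput  = "CHANGE SET NEW PASSWORD MUST BE SUPPLIED WITH A NEW PASSWORD"
                Body           = @{
                    ChangeImmediately = $true
                    NewCredentials = $newPass
                }
            }
            "change" = @{
                Selected = "ACTION SET TO CHANGE"
                Endpoint = "PasswordVault/API/Accounts/{0}/Change"
                Failure  = "UNABLE TO TRIGGER CHANGE ACTION ON THE ACCOUNT"
            }
            "generatepassword" = @{
                Selected = "ACTION SET TO GENERATE PASSWORD"
                Endpoint = "PasswordVault/api/Accounts/{0}/Secret/Generate"
                Failure  = "UNABLE TO TRIGGER GENERATE PASSWORD ACTION ON THE ACCOUNT"
            }
        }

        # Invariant lower-casing so the lookup does not depend on the session culture.
        $actionKey = $action.ToLowerInvariant()
        $spec = $actionTable[$actionKey]
        if($null -eq $spec){
            # Not reachable while the ValidateSet on -action and the table above agree.
            return
        }
        Write-Verbose $spec.Selected

        # Reject a password-setting action without a password before any request is made.
        if($spec.ContainsKey("Body") -and [String]::IsNullOrEmpty($newPass)){
            Write-Verbose $spec.MissingVerbose
            Write-VPASOutput -str $spec.MissingOutput -type E
            return $false
        }

        # Work on a local copy so an id resolved for one pipeline record is never reused for
        # the next; the [String] constraint keeps the -1 / -2 comparisons below string-based,
        # as they are for the typed parameter.
        [String]$accountID = $AcctID

        if([String]::IsNullOrEmpty($accountID)){
            Write-Verbose "NO ACCOUNT ID PROVIDED, INVOKING HELPER FUNCTION"

            $lookup = @{
                token    = $token
                safe     = $safe
                platform = $platform
                username = $username
                address  = $address
            }
            if($NoSSL){
                Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS"
                $lookup.NoSSL = $true
            }
            else{
                Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS"
            }
            $accountID = Get-VPASAccountIDHelper @lookup

            Write-Verbose "RETURNING ACCOUNT ID"
            # The helper signals failure through sentinel values: -1 and -2.
            if($accountID -eq -1){
                Write-Verbose "COULD NOT FIND UNIQUE ACCOUNT ENTRY, INCLUDE MORE SEARCH PARAMETERS"
                Write-VPASOutput -str "COULD NOT FIND UNIQUE ACCOUNT ENTRY, INCLUDE MORE SEARCH PARAMETERS" -type E
                return $false
            }
            elseif($accountID -eq -2){
                Write-Verbose "NO ACCOUNTS FOUND"
                Write-VPASOutput -str "NO ACCOUNTS FOUND" -type E
                return $false
            }
        }
        else{
            Write-Verbose "ACCOUNT ID PROVIDED, SKIPPING HELPER FUNCTION"
        }

        try{
            Write-Verbose "MAKING API CALL TO CYBERARK"

            $request = @{
                Headers     = @{"Authorization"=$Header}
                Method      = "POST"
                ContentType = "application/json"
            }
            if($spec.ContainsKey("Body")){
                # The body holds the new password; it is never written to the verbose stream.
                $request.Body = $spec.Body | ConvertTo-Json
            }

            if($NoSSL){
                Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS"
                $scheme = "http"
            }
            else{
                Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS"
                $scheme = "https"
            }

            # -AcctID is caller-supplied text placed into the URL path. Escaping it keeps a
            # value containing '/', '?' or '#' from changing which endpoint is addressed.
            $escapedID = [System.Uri]::EscapeDataString($accountID)
            $path = $spec.Endpoint -f $escapedID
            $request.Uri = "{0}://{1}/{2}" -f $scheme,$PVWA,$path

            if($sessionval){
                $request.WebSession = $sessionval
            }

            # Captured in a variable so the response body only reaches the pipeline when it
            # is returned explicitly below.
            $response = Invoke-RestMethod @request
            Write-Verbose "PARSING DATA FROM CYBERARK"

            if($actionKey -eq "generatepassword"){
                Write-Verbose "RETURNING ACCEPTABLE PASSWORD BASED ON PLATFORM POLICY"

                if(!$HideWarnings){
                    Write-VPASOutput -str "RETURNING ACCEPTABLE PASSWORD BASED ON PLATFORM POLICY" -type M
                    Write-VPASOutput -str "NOTE - THIS DID NOT UPDATE THE ACCOUNT IN CYBERARK" -type M
                }
                # The response is returned to the caller as-is; it carries the generated
                # password, so the caller's output should be handled as a secret.
                return $response
            }

            Write-Verbose "RETURNING TRUE"
            return $true
        }catch{
            Write-Verbose $spec.Failure
            Write-VPASOutput -str $_ -type E
            return $false
        }
    }
    End{

    }
}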