src/cmdlets/common/CertificateHelper.ps1
# Copyright 2021, Adam Edwards # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. . (import-script DisplayTypeFormatter) . (import-script ../../graphservice/ApplicationAPI) . (import-script ../../common/LocalCertificate) . (import-script ../../common/Secret) . (import-script ../../common/GraphApplicationCertificate) . (import-script CommandContext) . (import-script ../Set-GraphApplicationCertificate) ScriptClass CertificateHelper { $appId = $null $objectId = $null $applicationName = $null $certValidityTimespan = $null $certValidityStart = $null $keyLength = $null $connection = $null $app = $null function __initialize($appId, $objectId, [string] $applicationName, $certValidityTimespan, $certValidityStart, $connection, $keyLength) { $this.appId = $appid $this.applicationName = $applicationName $this.certValidityTimespan = $certValidityTimespan $this.certValidityStart = $certValidityStart $this.keyLength = $keyLength $this.connection = $connection $this.app = $null } function NewCertificate([string] $certDirectory, $certStoreLocation, [PSCredential] $certCredential, [bool] $noCertCredential, [bool] $updateApplication, [string] $certificateFilePath, [int] $keyLength) { $targetCertCredential = __GetCertCredentialForDirectory $certDirectory $certCredential $noCertCredential if ( $updateApplication ) { __SyncApplication } $certificate = __NewLocalCertificate $certStoreLocation if ( $updateApplication ) { __UpdateApplication $certificate } $exportedCertLocation = if ( $certDirectory -or $certificateFilePath) { __ExportCertificate $certificate $targetCertCredential $certDirectory $certificateFilePath } [PSCustomObject] @{ Certificate = $certificate ExportedLocation = $exportedCertLocation } } function __GetCertCredentialForDirectory([string] $certDirectory, [PSCredential] $certCredential, [bool] $noCertCredential) { if ( $certDirectory ) { if (! (test-path -pathtype container $certDirectory) ) { throw [ArgumentException]::new("The specified certificate output directory '$certDirectory' is not a valid directory") } if ( $certCredential ) { $certCredential } elseif ( ! $noCertCredential ) { $userName = if ( $env:user ) { $env:user } else { $env:username } Get-Credential -username $userName -Message "Enter password for certificate to be stored in output directory '$certDirectory'" } } } function __NewLocalCertificate($certStorelocation) { $certificate = new-so GraphApplicationCertificate $this.appId $null $this.applicationName $this.certValidityTimeSpan $this.certValidityStart $certStoreLocation $null $this.keyLength $certificate |=> Create $certificate } function __SyncApplication { if ( $this.app ) { throw 'The application has already been synchronized' } $commandContext = new-so CommandContext $this.connection $null $null $null $::.ApplicationAPI.DefaultApplicationApiVersion $appAPI = new-so ApplicationAPI $commandContext.connection $commandContext.version $app = if ( $this.AppId ) { $appAPI |=> GetApplicationByAppId $this.appId } else { $appAPI |=> GetApplicationByObjectId $this.objectId } if ( ! $this.objectId ) { $this.objectId = $app.id } elseif ( $app.id -ne $this.objectId ) { throw "The object id '$($this.objectId)' specified for the application did not match the actual application object id '$($app.id)'" } if ( ! $this.appId ) { $this.appId = $app.appId } elseif ( $app.id -ne $this.objectId ) { throw "The app id '$($this.appId)' specified for the application did not match the actual application app id '$($app.appId)'" } if ( ! $this.applicationName ) { $this.applicationName = $app.displayName } $this.app = $app } function __UpdateApplication($certificate) { if ( ! $this.app ) { throw 'The application must be queried before performing this operation' } $connectionParameter = @{} if ( $this.connection ) { @{Connection = $this.connection} } Set-GraphApplicationCertificate -AppId $this.appId -ObjectId $this.objectId -Certificate $certificate.X509Certificate } function __ExportCertificate($certificate, [PSCredential] $exportedCertCredential, [string] $certOutputDirectory, [string] $certificateFilePath ) { $certpassword = if ( $exportedCertCredential ) { $exportedCertCredential.Password } $certificate |=> Export $certOutputDirectory $certificateFilePath $certPassword } static { const CERTIFICATE_DISPLAY_TYPE 'AutoGraph.Certificate' function __initialize { __RegisterDisplayType } function CertificateInfoToDisplayableObject($friendlyName, $subject, $graphKeyId, $appId, $appObjectId, $notBefore, $notAfter, $thumbprint, $certificatePath, $exportedCertificatePath) { $::.Secret |=> ToDisplayableSecretInfo Certificate $friendlyName $subject $graphKeyId $appId $appObjectId $notBefore $notAfter $thumbprint $certificatePath $CERTIFICATE_DISPLAY_TYPE $exportedCertificatePath } function CertificateToDisplayableObject($x509Certificate, $appId, $appObjectId, $certStorePath, $keyId, $certificateFilePath) { $notAfter = [DateTimeOffset]::new($x509Certificate.notAfter) $notBefore = [DateTimeOffset]::new($x509Certificate.notBefore) $targetPath = if ( $certStorePath ) { __NormalizeCertStorePath $certStorePath } else { $certificateFilePath } CertificateInfoToDisplayableObject $x509Certificate.FriendlyName $x509Certificate.Subject $null $appId $appObjectId $notBefore $notAfter $x509Certificate.Thumbprint $targetPath $certificateFilePath } function GetConnectionCertCredential($connection, [PSCredential] $certCredential, [boolean] $promptForCertCredentialIfNeeded, [boolean] $noCertCredential) { if ( ! $noCertCredential -and ( $certCredential -or $promptForCertCredentialIfNeeded ) ) { $targetCertificatePath = $connection |=> GetCertificatePath $targetCertCredential = if ( $promptForCertCredentialIfNeeded -and $targetCertificatePath ) { $::.LocalCertificate |=> PromptForCertificateCredential $targetCertificatePath } else { $certCredential } $targetCertCredential.Password } } function __RegisterDisplayType { $typeProperties = @( 'Thumbprint' 'AppId' 'KeyId' 'FriendlyName' 'Subject' 'NotAfter' 'AppId' 'KeyId' 'CertificatePath' 'NotBefore' 'AppObjectId' ) $::.DisplayTypeFormatter |=> RegisterDisplayType $CERTIFICATE_DISPLAY_TYPE $typeProperties $true } function __NormalizeCertStorePath([string] $certStorePath) { $driveAndPath = $certStorePath -split '::' if ( $driveAndPath.length -eq 2 ) { join-path -Path 'Cert:' -ChildPath $driveAndPath[1] } else { $certStorePath } } } } $::.CertificateHelper |=> __initialize |