Get VDC certificate status, export vc report (#381)

Author: gdbarron

RELEASE.md

@@ -1,7 +1,3 @@
-- Honor the default certificate creation timeout builtin to CMSH.  Remove the default of 60 seconds from `New-VdcCertificate -TimeoutSec`.  There is a chance if you've been relying on the 60 seconds default and haven't set it in product, this could break your script.  If this is the case, add `-TimeoutSec 60` to your script.  To set the default timeout, see https://docs.venafi.com/Docs/currentSDK/TopNav/Content/SDK/WebSDK/r-SDK-Certificates-API-settings.php.  Closes [#371](https://github.com/Venafi/VenafiPS/issues/371).
-- Add tab completion to all CMSH functions with parameters 'CertificateAuthorityPath', 'CredentialPath', 'CertificatePath', 'ApplicationPath', 'EnginePath', 'CertificateLinkPath', and 'NewPath'.
-- Fix incorrect token expiration timezone when using `New-VcToken`
-- Add `New-VenafiSession -VcAccessToken` if the access token is obtained outside VenafiPS
-- Fix `Set-VcCertificate -Tag` when the tag includes both a name and value
-- Add support to `Get-VcTag -Tag` for getting by name and value
-- Fix for parallel processing across CMSH environments, eg. `Export-VdcCertificate -VenafiSession $sess1 | Import-VdcCertificate -VenafiSession $sess2`
+- Add `Get-VdcCertificate -IncludeStatus` to include `Status` and `StatusText` properties in the response.  These correspond to the Certificate Status as seen in the WebAdmin Certificate -> Summary tab.
+- Add `Export-VcReport` to export a Certificate Manager SaaS custom report either to a file or pipeline as a pscustomobject.
+- Final round of VenafiSession improvements.  All advanced use cases, eg. pipe from one environment to another, are now working across ps5/ps7 and parallel processing or not.

VenafiPS/Private/Get-VdcCertificateStatus.ps1

@@ -0,0 +1,200 @@
+# PowerShell implementation of X509StatusHelper.GetStatus() logic
+
+function Get-VdcCertificateStatus {
+    <#
+    .SYNOPSIS
+    Calculate the Status field for a certificate, similar to what's shown on the Certificate Summary tab.
+
+    .DESCRIPTION
+    This function replicates the logic from X509StatusHelper.GetStatus() to determine the certificate status.
+    It checks InError, Status attribute, workflow tickets, revocation status, disabled state,
+    consumer errors, and certificate expiration.
+
+    The current use for this is from Get-VdcCertificate -IncludeStatus
+
+    .PARAMETER Certificate
+    Output from certificates/{guid} api call
+
+    .PARAMETER VenafiSession
+    Authentication for the function.
+    The value defaults to the script session object $VenafiSession created by New-VenafiSession.
+
+    #>
+
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory, ValueFromPipeline)]
+        [object]$Certificate,
+
+        [Parameter()]
+        [ValidateNotNullOrEmpty()]
+        [psobject] $VenafiSession = (Get-VenafiSession)
+
+    )
+
+    process {
+        # Initialize status
+        $statusSummary = 'Ok'  # Ok, Warning, Error
+        $statusText = ''
+
+        $attribs = Get-VdcAttribute -Path $Certificate.DN -Attribute 'Disabled', 'Ticket DN' -VenafiSession $VenafiSession
+        $certAttributes = @{
+            'In Error'  = $Certificate.ProcessingDetails.InError
+            'Status'    = $Certificate.ProcessingDetails.Status
+            'Disabled'  = $attribs.Disabled -eq 1
+            'Ticket DN' = $attribs.'Ticket DN'
+        }
+
+        # Check InError attribute
+        $inError = $certAttributes.'In Error'
+        if ($inError) {
+            $statusSummary = 'Error'
+        }
+
+        # Check Status attribute
+        $statusAttr = $certAttributes.'Status'
+        if ($statusAttr) {
+            $statusText = $statusAttr
+            if (-not $inError) {
+                $statusSummary = 'Warning'
+            }
+        }
+        else {
+            if (-not $inError) {
+                $statusText = 'OK'
+                $statusSummary = 'Ok'
+            }
+        }
+
+        # Check for pending workflow (Ticket DN)
+        $ticketDN = $certAttributes.'Ticket DN'
+        if ($ticketDN) {
+            $statusSummary = 'Warning'
+            $statusText = 'Pending workflow resolution'
+        }
+
+        $stage = $certAttributes.'Stage'
+        # Check revocation status from CertificateDetails.RevocationStatus
+        # Known values: Requested, Confirmed, Complete, DiscoveredRevoked, Failed, Pending
+        if (-not $ticketDN -and -not $stage -and $Certificate.CertificateDetails.RevocationStatus) {
+
+            $statusSummary = 'Warning'
+            if ($Certificate.CertificateDetails.RevocationDate) {
+                $revocationDate = ([DateTime]$Certificate.CertificateDetails.RevocationDate).ToLocalTime().ToString()
+            }
+
+            switch ($Certificate.CertificateDetails.RevocationStatus) {
+                'Complete' {
+                    $statusText = if ($statusText) { '{0}; External Revocation Reported By CA' -f $statusText } else { 'External Revocation Reported By CA' }
+                    if ($Certificate.CertificateDetails.RevocationDate) {
+                        $statusText += " On: $revocationDate"
+                    }
+                }
+                'Confirmed' {
+                    if ($Certificate.CertificateDetails.RevocationDate) {
+                        $statusText = 'Revocation Submitted On {0} But Not Confirmed By CA' -f $revocationDate
+                    }
+                    else {
+                        $statusText = 'Revocation Submitted But Not Confirmed By CA'
+                    }
+                }
+                'DiscoveredRevoked' {
+                    $statusText = if ($statusText) { '{0}; External Revocation Reported By CA' -f $statusText } else { 'External Revocation Reported By CA' }
+                    if ($Certificate.CertificateDetails.RevocationDate) {
+                        $statusText += " On: $revocationDate"
+                    }
+                }
+                'Pending' {
+                    $statusText = if ($statusText) { '{0}; Revocation Pending' -f $statusText } else { 'Revocation Pending' }
+                }
+                'Failed' {
+                    $statusSummary = 'Error'
+                    # to get the underlying error involves a bit more digging in SecretStore.  TODO possibly.
+                    $statusText = if ($statusText) { '{0}; Revocation Failed' -f $statusText } else { 'Revocation Failed' }
+                }
+            }
+
+            # check for user who initiated the revocation
+            if ( $Certificate.CertificateDetails.RevocationInitiatedBy ) {
+                $identity = Get-VdcIdentity -ID $Certificate.CertificateDetails.RevocationInitiatedBy
+                $initBy = if ( $identity.FullName ) {
+                    $identity.FullName
+                }
+                elseif ($identity.Name ) {
+                    $identity.Name
+                }
+                else {
+                    $Certificate.CertificateDetails.RevocationInitiatedBy
+                }
+
+                $statusText += '; Initiated By {0}' -f $initBy
+            }
+        }
+
+        # Check Disabled attribute
+        if ($certAttributes.'Disabled') {
+            if ($statusText) {
+                $statusText += ' (Processing disabled)'
+            }
+            else {
+                $statusText = 'Processing disabled'
+            }
+            $statusSummary = 'Warning'
+        }
+
+        # Check consumer (application) errors
+        if ($statusSummary -eq 'Ok' -and $Certificate.Consumers) {
+            $consumerErrors = 0
+            $consumerWarnings = 0
+            $consumerDisabled = 0
+            $consumerOk = 0
+
+            $allAttribs = $Certificate.Consumers | Get-VdcAttribute -Attribute @('In Error', 'Status', 'Disabled') -VenafiSession $VenafiSession
+            foreach ($consumerAttrs in $allAttribs) {
+                try {
+
+                    if ($consumerAttrs.'Disabled' -eq 1) {
+                        $consumerDisabled++
+                        $statusSummary = 'Warning'
+                        continue
+                    }
+
+                    if ($consumerAttrs.'In Error' -eq 1) {
+                        $consumerErrors++
+                        $statusSummary = 'Error'
+                    }
+                    elseif ($consumerAttrs.'Status') {
+                        $consumerWarnings++
+                        $statusSummary = 'Warning'
+                    }
+                    else {
+                        $consumerOk++
+                    }
+                }
+                catch {
+                    # Consumer may not be accessible
+                    Write-Verbose "Could not read consumer: $consumerPath"
+                }
+            }
+
+            if ($statusSummary -ne 'Ok') {
+                $statusText = "Certificate Ok; Application errors: $consumerErrors, caution: $consumerWarnings, disabled: $consumerDisabled, Ok: $consumerOk"
+            }
+        }
+
+        # Check certificate expiration
+        if ($statusSummary -eq 'Ok' -and $Certificate.CertificateDetails.ValidTo) {
+            $validTo = [DateTime]$Certificate.CertificateDetails.ValidTo
+            if ($validTo -lt (Get-Date)) {
+                $statusSummary = 'Error'
+                $statusText = 'Certificate expired'
+            }
+        }
+
+        # Return results
+        @{
+            Status     = $statusSummary
+            StatusText = $statusText
+        }
+    }
+}

VenafiPS/Private/Invoke-VcGraphQL.ps1

@@ -28,7 +28,7 @@ function Invoke-VcGraphQL {
 
         [Parameter()]
         [ValidateNotNullOrEmpty()]
-        [psobject] $VenafiSession
+        [psobject] $VenafiSession = (Get-VenafiSession)
     )
 
     $params = @{
@@ -39,8 +39,6 @@ function Invoke-VcGraphQL {
         ErrorAction     = 'Stop'
     }
 
-    $VenafiSession = Get-VenafiSession
-
     $Server = $VenafiSession.Server
     $auth = $VenafiSession.Key.GetNetworkCredential().password
     $SkipCertificateCheck = $VenafiSession.SkipCertificateCheck

VenafiPS/Private/Invoke-VenafiParallel.ps1

@@ -45,6 +45,7 @@ function Invoke-VenafiParallel {
     In your ScriptBlock:
     - Use either $PSItem or $_ to reference the current input object
     - Remember, hashtables are reference types so be sure to clone if 'using' from parent
+    - all function calls which call the api require '-VenafiSession $using:VenafiSession' to be provided
 
     #>
 
@@ -88,11 +89,9 @@ function Invoke-VenafiParallel {
 
     # throttle to 1 = no parallel
     if ( -not $goParallel ) {
-        # remove $using: from vars, not threaded and not supported
-        $scriptBlockWithoutUsing = [ScriptBlock]::Create(($ScriptBlock.ToString() -ireplace [regex]::Escape('$using:'), '$'))
 
         # Add progress bar for non-parallel execution if progress is enabled
-        if ( $ProgressPreference -eq 'Continue' -and $InputObject.Count -gt 25 ) {
+        if ( $ProgressPreference -eq 'Continue' -and $InputObject.Count -gt 10 ) {
             $totalCount = $InputObject.Count
             $currentCount = 0
 
@@ -102,31 +101,32 @@ function Invoke-VenafiParallel {
             $progressInterval = [Math]::Max(1, [Math]::Floor($totalCount / 100))  # Update every 1% or minimum every item
             if ($totalCount -lt 20) { $progressInterval = 1 }  # Always show progress for small sets
 
-            $InputObject | ForEach-Object -Process {
+            $progressSb = {
                 $currentCount++
 
                 # Only update progress at intervals or for the last item
                 if (($currentCount % $progressInterval -eq 0) -or ($currentCount -eq $totalCount)) {
                     $percent = [int](($currentCount / $totalCount) * 100)
                     Write-Progress -Activity $ProgressTitle -Status ("{0}% complete ({1}/{2})" -f $percent, $currentCount, $totalCount) -PercentComplete $percent
                 }
-
-                & $scriptBlockWithoutUsing
             }
 
+            # remove $using: from vars, not threaded and not supported
+            $sb = ([ScriptBlock]::Create($progressSb.ToString() + ($ScriptBlock.ToString() -ireplace [regex]::Escape('$using:'), '$')))
+            $InputObject | ForEach-Object -Process $sb
+
             Write-Progress -Completed -Activity $ProgressTitle
         }
         else {
             # No progress bar needed
-            $InputObject | ForEach-Object -Process $scriptBlockWithoutUsing
+            # remove $using: from vars which is only available in the parallel context
+            $InputObject | ForEach-Object -Process ([ScriptBlock]::Create(($ScriptBlock.ToString() -ireplace [regex]::Escape('$using:'), '$')))
         }
         return
     }
 
     # parallel processing from here down
 
-    # $VenafiSession = Get-VenafiSession
-
     $starterSb = {
 
         # need to import module until https://github.com/PowerShell/PowerShell/issues/12240 is complete
@@ -202,4 +202,3 @@ function Invoke-VenafiParallel {
     }
 
 }
-