From c27b48c35629e00e1b3e465d704603bf3bcd254d Mon Sep 17 00:00:00 2001
From: Phill Pover
Date: Thu, 27 Oct 2022 09:32:15 +0100
Subject: [PATCH 1/3] Added Login parameter to Unlock-SecretVault and Invoke-VaultToken.

---
 ...anagement.Hashicorp.Vault.KV.Extension.psm1 | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1 b/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1
index a6d66c9..8bd4211 100644
--- a/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1
+++ b/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1
@@ -154,6 +154,8 @@ function Invoke-VaultToken {
 #>
 [CmdletBinding()]
 param (
+ [Parameter()]
+ [string] $Login,
 [Parameter()]
 [SecureString] $Password,
 [Parameter()]
@@ -172,13 +174,13 @@ function Invoke-VaultToken { Write-Verbose "Retrieving a Token for authenticating to Vault" $RenewToken = $false #continue - } elseif ($Null -ne $script:VaultToken -and $script:TokenExpireTime -lt (Get-date) -and -not $script:RootToken) { + } elseif ($Null -ne $script:VaultToken -and $script:TokenExpireTime -lt (Get-Date) -and -not $script:RootToken) { # Retrieve a new token if expired Write-Verbose "Token Expired at $($script:TokenExpireTime). Retieving a new token" $script:VaultToken = $null $RenewToken = $false #continue - } elseif ($Null -ne $script:VaultToken -and (New-TimeSpan -Start (Get-date) -End ($script:TokenExpireTime)).Minutes -le 1 -and $script:TokenRenewable) { + } elseif ($Null -ne $script:VaultToken -and (New-TimeSpan -Start (Get-Date) -End ($script:TokenExpireTime)).Minutes -le 1 -and $script:TokenRenewable) { # Renew a new token if about to expire Write-Verbose "Token about to Expire at $($script:TokenExpireTime). Renewing the token for $($script:TokenLifespan) seconds." $RenewToken = $true @@ -196,7 +198,9 @@ function Invoke-VaultToken { $AuthType = $script:VaultAuthType if ($Password -and $AuthType -ne 'Token' -and -not $RenewToken) { - $Login = Read-Host -Prompt "What is the $(if($AuthType -eq 'Approle'){'Role-Id'} else {'Username'})?" + if ($Null -eq $Login) { + $Login = Read-Host -Prompt "What is the $(if($AuthType -eq 'Approle'){'Role-Id'} else {'Username'})?" + } $Credential = [System.Management.Automation.PSCredential]::new($Login, $Password) } switch ($script:VaultAuthType) { @@ -564,8 +568,8 @@ function Get-SecretInfo { $Filter = "*$Filter" $VaultSecrets = Resolve-VaultSecretPath -VaultName $VaultName @VerboseSplat $VaultSecrets | - Where-Object { $PSItem -like $Filter } | - ForEach-Object { + Where-Object { $PSItem -like $Filter } | + ForEach-Object { if ($script:KVVersion -eq 'v1') { $Metadata = $null } else { 
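Review bot: The guard `if ($Null -eq $Login)` in the -196 hunk never prompts when the caller omits -Login, because a parameter declared `[string]` (the -154 hunk) binds as an empty string rather than $null when it is not supplied, and `[PSCredential]::new('', $Password)` then fails on the empty user name. `if ([string]::IsNullOrEmpty($Login))` would preserve the Read-Host fallback. Patch 2 of this series reverts the hunk and patch 3 replaces the parameter with an AdditionalParameters key, so this only matters if the explicit-parameter approach is revisited. Invoke-VaultToken's body starts and ends outside the hunk.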
@@ -737,6 +741,8 @@ function Unlock-SecretVault {
 #>
 [CmdletBinding()]
 param (
+ [Parameter(ValueFromPipelineByPropertyName)]
+ [string] $Login,
 [Parameter(ValueFromPipelineByPropertyName)]
 [SecureString] $Password,
 [Parameter(ValueFromPipelineByPropertyName)]
@@ -747,7 +753,7 @@ function Unlock-SecretVault {
 [hashtable] $AdditionalParameters
 )
 process {
- Invoke-VaultToken -Password $Password -VaultName $VaultName -AdditionalParameters $AdditionalParameters
+ Invoke-VaultToken -Login $Login -Password $Password -VaultName $VaultName -AdditionalParameters $AdditionalParameters
 }
 }
 function Unregister-SecretVault {

From 54efe143153d5eded25b9f79a38901e21ad914db Mon Sep 17 00:00:00 2001
From: Phill Pover
Date: Mon, 31 Oct 2022 11:06:53 +0000
Subject: [PATCH 2/3] Revert "Added Login parameter to Unlock-SecretVault and Invoke-VaultToken."

This reverts commit c27b48c35629e00e1b3e465d704603bf3bcd254d.
---
 ...anagement.Hashicorp.Vault.KV.Extension.psm1 | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1 b/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1
index 8bd4211..a6d66c9 100644
--- a/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1
+++ b/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1
@@ -154,8 +154,6 @@ function Invoke-VaultToken {
 #>
 [CmdletBinding()]
 param (
- [Parameter()]
- [string] $Login,
 [Parameter()]
 [SecureString] $Password,
 [Parameter()]
@@ -174,13 +172,13 @@ function Invoke-VaultToken { Write-Verbose "Retrieving a Token for authenticating to Vault" $RenewToken = $false #continue - } elseif ($Null -ne $script:VaultToken -and $script:TokenExpireTime -lt (Get-Date) -and -not $script:RootToken) { + } elseif ($Null -ne $script:VaultToken -and $script:TokenExpireTime -lt (Get-date) -and -not $script:RootToken) { # Retrieve a new token if expired Write-Verbose "Token Expired at $($script:TokenExpireTime). Retieving a new token" $script:VaultToken = $null $RenewToken = $false #continue - } elseif ($Null -ne $script:VaultToken -and (New-TimeSpan -Start (Get-Date) -End ($script:TokenExpireTime)).Minutes -le 1 -and $script:TokenRenewable) { + } elseif ($Null -ne $script:VaultToken -and (New-TimeSpan -Start (Get-date) -End ($script:TokenExpireTime)).Minutes -le 1 -and $script:TokenRenewable) { # Renew a new token if about to expire Write-Verbose "Token about to Expire at $($script:TokenExpireTime). Renewing the token for $($script:TokenLifespan) seconds." $RenewToken = $true @@ -198,9 +196,7 @@ function Invoke-VaultToken { $AuthType = $script:VaultAuthType if ($Password -and $AuthType -ne 'Token' -and -not $RenewToken) { - if ($Null -eq $Login) { - $Login = Read-Host -Prompt "What is the $(if($AuthType -eq 'Approle'){'Role-Id'} else {'Username'})?" - } + $Login = Read-Host -Prompt "What is the $(if($AuthType -eq 'Approle'){'Role-Id'} else {'Username'})?" $Credential = [System.Management.Automation.PSCredential]::new($Login, $Password) } switch ($script:VaultAuthType) { @@ -568,8 +564,8 @@ function Get-SecretInfo { $Filter = "*$Filter" $VaultSecrets = Resolve-VaultSecretPath -VaultName $VaultName @VerboseSplat $VaultSecrets | - Where-Object { $PSItem -like $Filter } | - ForEach-Object { + Where-Object { $PSItem -like $Filter } | + ForEach-Object { if ($script:KVVersion -eq 'v1') { $Metadata = $null } else { 
@@ -741,8 +737,6 @@ function Unlock-SecretVault {
 #>
 [CmdletBinding()]
 param (
- [Parameter(ValueFromPipelineByPropertyName)]
- [string] $Login,
 [Parameter(ValueFromPipelineByPropertyName)]
 [SecureString] $Password,
 [Parameter(ValueFromPipelineByPropertyName)]
@@ -753,7 +747,7 @@ function Unlock-SecretVault {
 [hashtable] $AdditionalParameters
 )
 process {
- Invoke-VaultToken -Login $Login -Password $Password -VaultName $VaultName -AdditionalParameters $AdditionalParameters
+ Invoke-VaultToken -Password $Password -VaultName $VaultName -AdditionalParameters $AdditionalParameters
 }
 }
 function Unregister-SecretVault {

From a86509d7f5b1694a1a2d59284e9db18d4433c139 Mon Sep 17 00:00:00 2001
From: Phill Pover
Date: Wed, 2 Nov 2022 10:39:48 +0000
Subject: [PATCH 3/3] Added Login parameter into AdditionalParameters.

---
 ...anagement.Hashicorp.Vault.KV.Extension.psd1 | 2 +-
 ...anagement.Hashicorp.Vault.KV.Extension.psm1 | 18 +++++++++++-------
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psd1 b/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psd1
index 51dc2c0..82ea560 100644
--- a/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psd1
+++ b/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psd1
@@ -1,5 +1,5 @@
 @{
- ModuleVersion = '2.0.1'
+ ModuleVersion = '2.0.2'
 RootModule = 'SecretManagement.Hashicorp.Vault.KV.Extension.psm1'
 FunctionsToExport = @('Set-Secret', 'Get-Secret', 'Remove-Secret', 'Get-SecretInfo', 'Test-SecretVault', 'Unlock-SecretVault', 'Unregister-SecretVault')
 }
\ No newline at end of file
diff --git a/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1 b/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1 index a6d66c9..cc392fc 100644 --- a/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1 +++ b/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1 @@ -2,8 +2,8 @@ using namespace System.Collections.ObjectModel using namespace System.Collections.Generic # enum and Variables setup for use -$script:HashicorpVaultConfigValues = @('VaultServer', 'VaultAuthType', 'VaultToken', 'VaultAPIVersion', 'VaultSkipVerify', 'KVVersion', 'OutputType', 'Verbose') -$script:AllVariables = @('VaultServer', 'VaultAuthType', 'VaultToken', 'VaultAPIVersion', 'VaultSkipVerify', 'KVVersion', 'OutputType', 'TokenRenewable', 'TokenLifespan', 'TokenType', 'TokenExpireTime', 'Verbose') +$script:HashicorpVaultConfigValues = @('VaultServer', 'VaultAuthType', 'VaultToken', 'VaultAPIVersion', 'VaultSkipVerify', 'KVVersion', 'Login', 'OutputType', 'Verbose') +$script:AllVariables = @('VaultServer', 'VaultAuthType', 'VaultToken', 'VaultAPIVersion', 'VaultSkipVerify', 'KVVersion', 'Login', 'OutputType', 'TokenRenewable', 'TokenLifespan', 'TokenType', 'TokenExpireTime', 'Verbose') enum HashicorpVaultAuthTypes { None 
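Review bot: The new 'Login' entry in both lists carries no explanation of what value the registration's AdditionalParameters is expected to hold, so a reader has to find the Read-Host prompt in Invoke-VaultToken to learn it is the Role-Id for Approle and otherwise the username. A comment above `$script:HashicorpVaultConfigValues` would settle it: `# 'Login' is the identity half of the credential (Role-Id for Approle, otherwise the username) taken from AdditionalParameters; the secret half stays in the SecureString Password and is never stored here`. If whatever consumes these lists persists the values with the vault registration (the consumer is not visible in this hunk — confirm), the comment should also say that this key is for a non-secret identifier only.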
@@ -172,13 +172,13 @@ function Invoke-VaultToken { Write-Verbose "Retrieving a Token for authenticating to Vault" $RenewToken = $false #continue - } elseif ($Null -ne $script:VaultToken -and $script:TokenExpireTime -lt (Get-date) -and -not $script:RootToken) { + } elseif ($Null -ne $script:VaultToken -and $script:TokenExpireTime -lt (Get-Date) -and -not $script:RootToken) { # Retrieve a new token if expired Write-Verbose "Token Expired at $($script:TokenExpireTime). Retieving a new token" $script:VaultToken = $null $RenewToken = $false #continue - } elseif ($Null -ne $script:VaultToken -and (New-TimeSpan -Start (Get-date) -End ($script:TokenExpireTime)).Minutes -le 1 -and $script:TokenRenewable) { + } elseif ($Null -ne $script:VaultToken -and (New-TimeSpan -Start (Get-Date) -End ($script:TokenExpireTime)).Minutes -le 1 -and $script:TokenRenewable) { # Renew a new token if about to expire Write-Verbose "Token about to Expire at $($script:TokenExpireTime). Renewing the token for $($script:TokenLifespan) seconds." $RenewToken = $true @@ -196,7 +196,11 @@ function Invoke-VaultToken { $AuthType = $script:VaultAuthType if ($Password -and $AuthType -ne 'Token' -and -not $RenewToken) { - $Login = Read-Host -Prompt "What is the $(if($AuthType -eq 'Approle'){'Role-Id'} else {'Username'})?" + if (-not $AdditionalParameters['Login']) { + $Login = Read-Host -Prompt "What is the $(if($AuthType -eq 'Approle'){'Role-Id'} else {'Username'})?" + } else { + $Login = $AdditionalParameters['Login'] + } $Credential = [System.Management.Automation.PSCredential]::new($Login, $Password) } switch ($script:VaultAuthType) { @@ -564,8 +568,8 @@ function Get-SecretInfo { $Filter = "*$Filter" $VaultSecrets = Resolve-VaultSecretPath -VaultName $VaultName @VerboseSplat $VaultSecrets | - Where-Object { $PSItem -like $Filter } | - ForEach-Object { + Where-Object { $PSItem -like $Filter } | + ForEach-Object { if ($script:KVVersion -eq 'v1') { $Metadata = $null } else {
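Review bot: In the -196 hunk the value is read straight from `$AdditionalParameters['Login']`, while the surrounding code takes its configuration from `$script:` variables (`$script:VaultAuthType` two lines above); if adding 'Login' to HashicorpVaultConfigValues in the first hunk causes it to be copied into `$script:Login` (not visible here — confirm), that would be the consistent source and the hashtable lookup becomes a second, divergent path. The lookup also assumes the hashtable parameter is non-null, which the function's param block (outside the hunk) may or may not guarantee; reading it as `$Login = $AdditionalParameters['Login']` and then `if ([string]::IsNullOrEmpty($Login)) { $Login = Read-Host -Prompt ... }` gives the same behaviour with a clearer default-then-override shape and one fewer branch. Invoke-VaultToken starts and ends outside the hunk.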