Scripts/Get-CMSSecret.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
function Get-CMSSecret
{
  <#
      .Synopsis
      Gets encrypted settings stored in the registry
      .Description
      Gets encrypted settings stored in the registry
      .Example
      Get-CMSSecret
 
      The above example gets all encrypted MCS secrets currently stored in the current user's registry.
      .Example
      PS C:\> Get-CMSSecret -Name my-AzureCredential
 
      Name Type EncryptedData
      ---- ---- -------------
      my-AzureCredential System.Management.Automation.PSCredential -----BEGIN CMS-----...
      .Example
      PS C:\> Get-CMSSecret -Name my-AzureCredential -Decrypted
 
      Name Type DecryptedData
      ---- ---- -------------
      my-AzureCredential System.Management.Automation.PSCredential System.Management.Automation.PSCredential
      .Example
      PS C:\> Get-CMSSecret -Name my-AzureCredential -ValueOnly
 
      UserName Password
      -------- --------
      ad\adUsername System.Security.SecureString
      .Link
      Add-CMSSecret
      .Link
      Remove-CMSSecret
  #>
    
  [Alias('cms')]
  [OutputType('PSObj.CMSData')]
  param(
    # The name of the secure setting
    [Parameter(Position=0,ValueFromPipelineByPropertyName=$true)]
    [String]
    $Name,
    
    # The type of the secure setting
    [Validateset('String','Object','PSCredential','Hashtable')]
    [Parameter(Position=1,ValueFromPipelineByPropertyName=$true)]
    [String]
    $Type,
    
    # If set, will decrypt the setting value
    [Parameter(ValueFromPipelineByPropertyName=$true)]
    [Switch]
    $Decrypted,
    
    # If set, will decrypt the setting value and return the data
    [Parameter(ValueFromPipelineByPropertyName=$true)]
    [switch]
    $ValueOnly,

    # Parameter help description
    [Parameter()]
    [string]
    $cmsFolderName = 'CMSData'            
  )
    
  begin 
  {

    # region Create Registry Location If It Doesn't Exist
    # If we dont do this when we run get-cmssecret the first time we get an error about missing reg key
    $registryPath = "HKCU:\Software\$cmsFolderName\"
    $fullRegistryPath = "$registryPath\$($psCmdlet.ParameterSetName)"
    if (-not (Test-Path $fullRegistryPath)) 
    {
      $null = New-Item $fullRegistryPath  -Force
    }         
        
                
    $getSecureSetting = {
      $Obj = $_
      $typeName = $_.pschildName
      foreach ($propName in ($obj.psobject.properties | Select-Object -ExpandProperty Name)) 
      {
        if ('PSPath', 'PSParentPath', 'PSChildName', 'PSProvider' -contains $propName) 
        {
          $obj.psobject.properties.Remove($propname)
        }
      }
      $Obj.psobject.properties | 
      ForEach-Object {
        $secureSetting = New-Object PSObject 
        $null = $secureSetting.pstypenames.insert(0,'PSObj.CMSData')
        $secureSetting | 
        Add-Member NoteProperty Name $_.Name -PassThru |
        Add-Member NoteProperty Type ($typename -as [Type]) -PassThru |
        Add-Member NoteProperty EncryptedData $_.Value -PassThru 

      }
    }
  }
   
  process 
  {
                   
    Get-ChildItem $registryPath | Get-ItemProperty | ForEach-Object $getSecureSetting |
    Where-Object {
      if ($psBoundParameters.Name -and $_.Name -ne $name){return}
      if ($psBoundParameters.Type -and $_.Type -ne ($Type -as [type])) { return } 
      $true
    } |
    ForEach-Object -Begin {
      $TempCredTable = @{}
    } -Process {
      if (-not ($decrypted -or $ValueOnly)) { return $_ }
                
      #region Decrypt and Convert Output
      $inputObject = $_
      if ([Hashtable], [string] -contains $_.Type) 
      {
                        
        $decryptedValue= $_.EncryptedData | Unprotect-CmsMessage 
                    
        if ($_.Type -eq [Hashtable]) 
        {

          $decryptedValue = . ([ScriptBlock]::Create($decryptedValue))
        }

      } 
      elseif($_.Type -eq [Object])
      {
        $decryptedValue = $_.EncryptedData | Unprotect-CmsMessage | ConvertFrom-Json
            
      }
      elseif($_.Type -eq [Management.Automation.PSCredential])
      {
        $decryptedCredObject = $_.EncryptedData | Unprotect-CmsMessage | ConvertFrom-Json
        $secpasswd = ConvertTo-SecureString $decryptedCredObject.Password -AsPlainText -Force
        $decryptedValue = New-Object Management.Automation.PSCredential ($decryptedCredObject.UserName,$secpasswd)
                            
      }            
      $null = $inputObject.psobject.properties.Remove('EncryptedData')
      $inputObject | Add-Member NoteProperty DecryptedData $decryptedValue -PassThru | ForEach-Object {
          if ($ValueOnly) 
          {
            $_.DecryptedData
          } 
          else 
          {
            $_
          }
                  
      }# Foreach inputobject

    }
                    
  }

}