Rapid7Nexpose

1.6.2.0

public/Update-NexposeUser.ps1

                                Function Update-NexposeUser {

<#

    .SYNOPSIS

        Updates the details of a user

    .DESCRIPTION

        Updates the details of a user

    .PARAMETER Id

        The identifier of the user

    .PARAMETER Login

        The login name of the user.

    .PARAMETER FullName

        The full name of the user.

    .PARAMETER SecurePassword

        The password to use for the user.

    .PARAMETER Role

        The privileges and role to assign the user.

    .PARAMETER AuthType

        The details of the authentication source used to authenticate the user.  Defaults to 'normal'

    .PARAMETER Email

        The email address of the user.

    .PARAMETER Disabled

        Whether the user account is enabled.  Defaults to 'false'

    .PARAMETER PasswordResetOnLogin

        Whether to require a reset of the user's password upon first login.  Defaults to 'false'.

    .EXAMPLE

        Update-NexposeUser -Id 23 -FullName 'Joe BillyBob'

    .NOTES

        For additional information please see my GitHub wiki page

    .FUNCTIONALITY

        PUT: users/{id}

    .LINK

        https://github.com/My-Random-Thoughts/Rapid7Nexpose

#>

    [CmdletBinding(SupportsShouldProcess)]

    Param (

        [Parameter(Mandatory = $true)]

        [string]$Id,

        [string]$Login,

        [string]$FullName,

        [securestring]$SecurePassword,

        [string]$Email,

        [ValidateSet('normal','admin','kerberos','ldap','saml')]

        [string]$AuthType = 'normal',

        [switch]$Disabled,

        [switch]$PasswordResetOnLogin

    )

    DynamicParam {

        $dynParam = (New-Object -Type 'System.Management.Automation.RuntimeDefinedParameterDictionary')

        New-DynamicParameter -Dictionary $dynParam -Name 'Role' -Type 'string' -ValidateSet @((Invoke-NexposeQuery -UrlFunction 'roles' -RestMethod Get).id)

        Return $dynParam

    }

    Begin {

        [string]$Role = $($PSBoundParameters.Role)

        # Convert securestring password into plaintext

        If ([string]::IsNullOrEmpty($SecurePassword) -eq $false) {

            [string]$Password = (ConvertFrom-SecureString -SecureString $SecurePassword)

            [string]$Password = ((New-Object System.Net.NetworkCredential('Null', $(ConvertTo-SecureString -String $Password), 'Null')).Password)

        }

        # Get current values

        $user = (Get-NexposeUser -Id $Id -ShowAsignedGroups -ShowAsignedSites)

        If ([string]::IsNullOrEmpty($Login)    -eq $true) { $Login    = $user.login   }

        If ([string]::IsNullOrEmpty($FullName) -eq $true) { $FullName = $user.name    }

        If ([string]::IsNullOrEmpty($Email)    -eq $true) { $Email    = $user.email   }

        If ([string]::IsNullOrEmpty($AuthType) -eq $true) { $AuthType = $user.authentication.type }

        If ([string]::IsNullOrEmpty($Role)     -eq $true) { $Role     = $user.role.id }

    }

    Process {

        [boolean]$allSites       = $false

        [boolean]$allAssetGroups = $false

        # Make sure correct authentication type is set

        If     (($AuthType -eq 'normal') -and ($Role -eq 'global-admin')) { $AuthType = 'admin'  }

        ElseIf (($AuthType -eq 'admin')  -and ($Role -ne 'global-admin')) { $AuthType = 'normal' }

        # Ensure correct sites and assets privileges are set

        $privileges = @((Get-NexposeRole -Id $Role).privileges)

        If (($privileges -contains 'all-permissions') -or

            ($privileges -contains 'manage-dynamic-asset-groups')) {

            $allAssetGroups = $true

        }

        If (($privileges -contains 'all-permissions') -or

            ($privileges -contains 'manage-sites') -or

            ($privileges -contains 'manage-tags')) {

            $allSites = $true

        }

        $apiQuery = @{

            login   =  $Login

            name    =  $FullName

            email   =  $Email.ToLower()

            enabled =  (-not $Disabled.IsPresent)

            role    = @{

                id             = $Role.ToLower()

                allSites       = $user.role.allSites

                allAssetGroups = $user.role.allAssetGroups

            }

            authentication = @{ type = $AuthType.ToLower() }

        }

        If (($AuthType -eq 'normal') -or ($AuthType -eq 'admin')) {

            $apiQuery += @{

                passwordResetOnLogin = ($PasswordResetOnLogin.IsPresent)

            }

            If ([string]::IsNullOrEmpty($Password) -eq $false) {

                $apiQuery += @{

                    password =  $Password

                }

            }

        }

        If ($PSCmdlet.ShouldProcess($Login)) {

            Write-Output (Invoke-NexposeQuery -UrlFunction "users/$Id" -ApiQuery $apiQuery -RestMethod Put)

            If ($($user.role.allSites) -eq $false) {

                ForEach ($siteId In $($user.role.sites)) {

                    Add-NexposeUserToSite -UserId $Id -SiteId $siteId    # Add user sites back, as they get removed

                }

            }

            If ($($user.role.allAssetGroups) -eq $false) {

                ForEach ($assGrpId In $($user.role.assetGroups)) {

                    Add-NexposeUserToAssetGroup -UserId $Id -AssetGroupId $assGrpId    # Add user asset groups back, as they get removed

                }

            }

        }

    }

    End {

    }

}