public/New-NexposeUser.ps1

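Function New-NexposeUser {
<#
    .SYNOPSIS
        Creates a new user
 
    .DESCRIPTION
        Creates a new Nexpose console user with the given role, authentication type and optional site / asset group access.
        A password is only included in the request for the 'normal' and 'admin' authentication types; for 'kerberos', 'ldap'
        and 'saml' the supplied password is never converted to plaintext or sent.
 
    .PARAMETER Login
        The login name of the user.
 
    .PARAMETER FullName
        The full name of the user.
 
    .PARAMETER SecurePassword
        The password to use for the user. Only used when AuthType is 'normal' or 'admin'.
 
    .PARAMETER Role
        The privileges and role to assign the user. One of 'Global Administrator', 'Security Manager', 'Site Owner',
        'Asset Owner' or 'User'. Defaults to 'User'.
 
    .PARAMETER AuthType
        The type of authentication source used to authenticate the user. One of 'normal', 'admin', 'kerberos', 'ldap'
        or 'saml'. Defaults to 'normal'. A 'Global Administrator' requested with 'normal' is promoted to 'admin'.
 
    .PARAMETER Email
        The email address of the user. Stored in lower case.
 
    .PARAMETER Disabled
        Whether the user account is created disabled. Defaults to 'false' (the account is enabled).
 
    .PARAMETER PasswordResetOnLogin
        Whether to require a reset of the user's password upon first login. Defaults to 'false'.
        Only applies to the 'normal' and 'admin' authentication types.
 
    .PARAMETER SiteAccess
        The name or identifier of one or more sites to assign this user to. This option is ignored if the chosen role
        already grants access to all sites. Mandatory for the 'Site Owner' role.
 
    .PARAMETER AssetGroupAccess
        The name or identifier of one or more asset groups to assign this user to. This option is ignored if the chosen
        role already grants access to all asset groups. Must not be used with the 'Site Owner' role.
 
    .EXAMPLE
        New-NexposeUser -Login 'JoeB' -FullName 'Joe Bloggs' -SecurePassword $pass -Email 'jb@example.com' -Disabled
 
    .EXAMPLE
        New-NexposeUser -Login 'JoeB' -FullName 'Joe Bloggs' -SecurePassword $pass -Email 'jb@example.com' -Disabled -SiteAccess ('Site A', 23)
 
    .NOTES
        For additional information please see my GitHub wiki page
 
    .FUNCTIONALITY
        GET: roles
        POST: users
 
    .LINK
        https://github.com/My-Random-Thoughts/Rapid7Nexpose
#>


    [CmdletBinding(SupportsShouldProcess)]
    Param (
        [Parameter(Mandatory = $true)]
        [string]$Login,

        [Parameter(Mandatory = $true)]
        [string]$FullName,

        [Parameter(Mandatory = $true)]
        [securestring]$SecurePassword,

        [Parameter(Mandatory = $true)]
        [string]$Email,

        [ValidateSet('normal','admin','kerberos','ldap','saml')]
        [string]$AuthType = 'normal',

        [switch]$Disabled,

        [switch]$PasswordResetOnLogin,

        [ValidateSet('Global Administrator','Security Manager','Site Owner','Asset Owner','User')]
        [string]$Role = 'user',

        [string[]]$SiteAccess,

        [string[]]$AssetGroupAccess
    )

    Begin {
        # Map the friendly role name onto the API's internal role identifier
        [string]$intRole = Switch ($Role) {
            'Global Administrator' { 'global-admin'     }
            'Security Manager'     { 'security-manager' }
            'Site Owner'           { 'site-admin'       }
            'Asset Owner'          { 'system-admin'     }
            'User'                 { 'user'             }
        }

        # A console-authenticated global administrator must use the 'admin' authentication type
        If (($AuthType -eq 'normal') -and ($intRole -eq 'global-admin')) { $AuthType = 'admin' }

        # Site owners are scoped by site only: at least one site, and no asset groups
        If ($intRole -eq 'site-admin') {
            If ($SiteAccess.Count -eq 0) {
                Throw 'For site admins, you need to specify one or more sites'
            }

            If ($AssetGroupAccess.Count -gt 0) {
                Throw 'For site admins, you must not specify any asset groups'
            }
        }

        # Only materialise the plaintext password when it will actually be sent (normal/admin).
        # NetworkCredential reads the SecureString directly, so the previous round-trip through
        # ConvertFrom-SecureString / ConvertTo-SecureString (DPAPI, Windows-only without -Key) is not needed.
        [string]$Password = ''
        If (($AuthType -eq 'normal') -or ($AuthType -eq 'admin')) {
            $Password = (New-Object System.Net.NetworkCredential('Null', $SecurePassword, 'Null')).Password
        }
    }

    Process {
        # Roles carrying these privileges already see every site / asset group, so explicit
        # SiteAccess / AssetGroupAccess lists are not applied for them
        $privileges = @((Get-NexposeRole -Id $intRole).privileges)

        [boolean]$allAssetGroups = (($privileges -contains 'all-permissions') -or
                                    ($privileges -contains 'manage-dynamic-asset-groups'))

        [boolean]$allSites = (($privileges -contains 'all-permissions') -or
                              ($privileges -contains 'manage-sites') -or
                              ($privileges -contains 'manage-tags'))

        $apiQuery = @{
            login   = $Login
            name    = $FullName
            email   = $Email.ToLower()
            enabled = (-not $Disabled.IsPresent)
            role    = @{
                id             = $intRole.ToLower()
                allSites       = $allSites
                allAssetGroups = $allAssetGroups
            }
            authentication = @{ type = $AuthType.ToLower() }
        }

        # Credentials are only sent for console-managed authentication types
        If (($AuthType -eq 'normal') -or ($AuthType -eq 'admin')) {
            $apiQuery['password']             = $Password
            $apiQuery['passwordResetOnLogin'] = $PasswordResetOnLogin.IsPresent
        }

        If ($PSCmdlet.ShouldProcess($Login)) {
            $user = (Invoke-NexposeQuery -UrlFunction 'users' -ApiQuery $apiQuery -RestMethod Post)

            If ($user.id -is [int]) {
                If ((-not $allSites) -and ($SiteAccess.Count -gt 0)) {
                    Add-NexposeUserToSite -UserId $user.id -SiteId $SiteAccess | Out-Null
                }

                If ((-not $allAssetGroups) -and ($AssetGroupAccess.Count -gt 0)) {
                    Add-NexposeUserToAssetGroup -UserId $user.id -AssetGroupId $AssetGroupAccess | Out-Null
                }

                Get-NexposeUser -Id $user.id
            }
            Else {
                # Previously this path produced no output at all; surface it so a failed creation is visible
                Write-Warning "No user id was returned when creating '$Login'; site and asset group access were not applied"
            }
        }
    }
}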