$script:apiProperties = @(
        ApiName  = 'Info'
        TypeName = 'SSLLabsScan.Info'
        ApiName  = 'Analyze'
        TypeName = 'SSLLabsScan.Host'
        ApiName  = 'GetStatusCodes'
        TypeName = 'SSLLabsScan.StatusCodes'
        ApiName  = 'GetEndpointData'
        TypeName = 'SSLLabsScan.EndPointData'

$script:baseEndpoint = ''

$script:resourceDirectoryName = $ExecutionContext.SessionState.Module.ModuleBase + '\Resources'
Function Invoke-SSLLabsScanApi
        Invoke the SSLLabs Scan API

        This function invokes the SSLLabs Scan API

    .PARAMETER ApiName
        Specifies the name of the API to invoke

    .PARAMETER QueryParameters
        Specifies the query parameters for the API



        Invoke-SSLLabsScanApi -ApiName 'info'

        Invokes the SSLLabs Scan Info API.

            Position = 1)]


    $endpoint = $script:baseEndpoint + $ApiName

    if ($QueryParameters)
        $queryString = '?' + ($QueryParameters -join '&')
        $Uri = $endpoint + $queryString
        $uri = $endpoint

    Write-Debug -Message "Invoking RestMethod with URI $Uri"

    # Disable Write-Progress for Invoke-RestMethod to improve performance
    $ProgressPreference = 'SilentlyContinue'

        $result = Invoke-RestMethod -Uri $Uri
        throw $_

    $typeName = ($script:apiProperties | Where-Object -Property 'ApiName' -eq $ApiName).TypeName
    $result.PSTypeNames.Insert(0, $typeName)

    return $result
function ConvertTo-SSLLabsScanHtml
        Converts an SSL Labs Scan to an HTML report

        This function converts an SSL Labs Scan to an HTML report

    .PARAMETER EndPointData
        Specifies the endpoint data to use for the report.

        Specifies the output path for the report.




        Converts an SSL Labs Scan to an HTML report



    $hostName = $EndPointData[0].hostName
    $scanDate = $EndPointData[0].details.hostStartTime

    $htmlBody = [System.String]::Empty

    if (-not $PSBoundParameters.ContainsKey('Path'))
        $fileName = "$hostName-SSLLabsScanReport-$($scanDate.ToString('yyyyMMdd-HHmmss')).html"
        $Path = Join-Path -Path ([Environment]::GetFolderPath('MyDocuments')) -ChildPath $fileName

    $inlineStyleSheet = @(
        (Get-Content -Path "$script:resourceDirectoryName\default.css")

    $header = "SSLLabs Scan for $hostName"

    $preContent = "<h2>$header</h2>"

    foreach ($endpoint in $EndpointData)
        $protocols = @()
        foreach ($protocol in $EndPointData.details.protocols)
            $protocols += "$($ v$($protocol.version)"

        $cipherSuites = ($ | Out-String).Trim() -replace ('\r\n', '<br/>')

        $openSslCcsStatusMapping = @{
            -1 = 'Test Failed'
            0  = 'Unknown'
            1  = 'Not Vulnerable'
            2  = 'Possible Vulnerable, but not Exploitable'
            3  = 'Vulnerable and Exploitable'

        $openSslCcsStatus = $openSslCcsStatusMapping[$EndPointData.details.openSslCcs]

        $openSslLuckyMinus20StatusMapping = @{
            -1 = 'Test Failed'
            0  = 'Unknown'
            1  = 'Not Vulnerable'
            2  = 'Vulnerable and Insecure'

        $openSslLuckyMinus20Status = $openSslLuckyMinus20StatusMapping[$EndPointData.details.openSSLLuckyMinus20]

        $poodleTlsStatusMapping = @{
            -3 = 'Timeout'
            -2 = 'TLS Not Supported'
            -1 = 'Test Failed'
            0  = 'Unknown'
            1  = 'Not Vulnerable'
            2  = 'Vulnerable'

        $poodleTlsStatus = $poodleTlsStatusMapping[$EndPointData.details.poodleTls]

        $reportData = [PSCustomObject][Ordered]@{
            'IP Address'                    = $EndPointData.ipAddress
            'Grade'                         = $EndPointData.grade
            'Grade Ignoring Trust'          = $EndPointData.gradeTrustIgnored
            'Has Warnings'                  = $EndPointData.hasWarnings
            'Is Exceptional'                = $EndPointData.isExceptional
            'Certificate Subject'           = $EndPointData.details.cert.subject
            'Supported Protocols'           = $protocols -join ', '
            'Supported Cipher Suites'       = $cipherSuites
            'BEAST Vulnerable'              = $EndPointData.details.vulnBeast
            'Heartbleed Vulnerable'         = $EndPointData.details.Heartbleed
            'Poodle Vulnerable'             = $EndPointData.details.poodle
            'PoodleTLS Status'              = $poodleTlsStatus
            'FREAK Vulnerable'              = $EndPointData.details.freak
            'Drown Vulnerable'              = $EndPointData.details.drownVulnerable
            'OpenSSL CCS Status'            = $openSslCcsStatus
            'OpenSSL Lucky Minus 20 Status' = $openSslLuckyMinus20Status

        $htmlBody += $reportData | ConvertTo-Html -As List -Fragment


    $htmlReport = ConvertTo-Html -Head $inlineStyleSheet -PreContent $preContent -PostContent $htmlBody

    [System.Net.WebUtility]::HtmlDecode($htmlReport) | Out-File -FilePath $Path -Encoding ascii
function Get-SSLLabsScanEndpointData
        Gets the endpoint data for a scan

        This function gets the endpoint data for a scan

    .PARAMETER HostName
        Specifies the hostname of the scan.

    .PARAMETER IPAddress
        Specifies the ip address of the host in the scan.

    .PARAMETER FromCache
        Specifies whether to retrieve the scan from the cache.



        Get-SSLLabsScanEndpointData -HostName -IPAddress

        Gets the endpoint data for a scan

    [CmdletBinding(DefaultParameterSetName = 'Default')]
    [OutputType( { ($script:ApiPropertes | Where-Object -Property ApiName -eq 'info').TypeName })]



    $apiName = 'getEndpointData'

    $baseQueryParams = @()

    $baseQueryParams += "host=$HostName"

    if ($PSBoundParameters.ContainsKey('FromCache'))
        $baseQueryParams += 'fromCache=on'

    foreach ($ip in $IPAddress)
        $queryParams = $baseQueryParams + "s=$ip"
        Write-Verbose "Getting SSL Labs Scan endpoint data on host $HostName, IP address $ip"

        $result = Invoke-SSLLabsScanApi -ApiName $apiName -QueryParameters $queryParams -Verbose:$false

        $result | Add-Member -Name 'hostName' -Value $HostName -MemberType NoteProperty
        $result.details.hostStartTime = ([System.DateTimeOffset]::FromUnixTimeMilliSeconds($result.details.hostStartTime)).UtcDateTime

        return $result
function Get-SSLLabsScanInfo
        Gets details of the SSLLabs Scan API

        This function gets details of the SSLLabs Scan API




        Gets the SSLLabs Scan API info.

    [OutputType({($script:ApiPropertes | Where-Object -Property ApiName -eq 'info').TypeName})]

    $apiName = 'info'

    Write-Verbose 'Getting SSL Labs Scan API Info'

    $result = Invoke-SSLLabsScanApi -ApiName $apiName

function Invoke-SSLLabsScanAssessment
        Invokes an SSL Labs scan assessment of a website

        This function invokes an SSL Labs scan assessment of a website

    .PARAMETER HostName
        Specifies the hostname for the scan

    .PARAMETER Publish
        Specifies whether to publish the scan results

    .PARAMETER StartNew
        Specifies whether to start a new scan

    .PARAMETER FromCache
        Specifies whether to retrieve a scan from the cache

        Specifies the maximum age in hours of a scan to retrieve from the cache

        If specified with a value of 'on', full information on individual endpoints will be returned.
        If specified with a value of 'done', full information on individual endpoints will only be returned if the
        assessment is complete.

    .PARAMETER IgnoreMismatch
        Specifies whether to ignore mismatches between the server certificate and the assessment hostname.

    .PARAMETER PollingInterval
        Specifies the polling interval in seconds between scan status checks.




        Invokes an SSL Labs scan assessment of a website

    [CmdletBinding(DefaultParameterSetName = 'Default')]
    [OutputType( { ($script:ApiPropertes | Where-Object -Property ApiName -eq 'info').TypeName })]


        [Parameter(ParameterSetName = 'StartNew')]

        [Parameter(ParameterSetName = 'FromCache')]

        [Parameter(ParameterSetName = 'FromCache')]

        [ValidateSet('On', 'Done')]


        $PollingInterval = 10


    $apiName = 'analyze'

    $queryParams = @()

    $queryParams += "host=$HostName"

    if ($PSBoundParameters.ContainsKey('Publish'))
        $queryParams += 'publish=on'

    if ($PSBoundParameters.ContainsKey('FromCache'))
        $queryParams += 'fromCache=on'

    if ($PSBoundParameters.ContainsKey('MaxAge'))
        $queryParams += "maxAge=$MaxAge"

    if ($PSBoundParameters.ContainsKey('All'))
        $queryParams += "all=$All"

    if ($PSBoundParameters.ContainsKey('IgnoreMismatch'))
        $queryParams += 'ignoreMismatch=on'

    $initialQueryParams = $queryParams

    # Only add the 'startNew' parameter on the initial query
    if ($PSBoundParameters.ContainsKey('StartNew'))
        $initialQueryParams += 'startNew=on'

    Write-Verbose "Invoking SSL Labs Scan API Analysis on host $HostName"

    $result = Invoke-SSLLabsScanApi -ApiName $apiName -QueryParameters $initialQueryParams -Verbose:$false

    while ($result.status -ne 'READY' -and $result.status -ne 'ERROR')
        Write-Verbose "Checking SSL Labs Scan API Analysis on host $HostName, last status: $($result.status)"

        Start-Sleep -Seconds $PollingInterval

        $result = Invoke-SSLLabsScanApi -ApiName $apiName -QueryParameters $queryParams -Verbose:$false

    # Convert Unix time fields to PowerShell DateTime objects
    $result.startTime = ([System.DateTimeOffset]::FromUnixTimeMilliSeconds($result.startTime)).UtcDateTime
    $result.testTime = ([System.DateTimeOffset]::FromUnixTimeMilliSeconds($result.testTime)).UtcDateTime

    return $result
