Get-xHashiCorp_Vault_ClientToken.ps1

<#
     .SYNOPSIS
        Retrieves a HashiCorp Vault client token from the OIDC auth provider.
    .DESCRIPTION
        Retrieves a HashiCorp Vault client token from the OIDC auth provider, which allows querying HashiCorp Vault for secrets.
        Dependencies:
            * The system which executes the script must have Microsoft .NET Framework 4.6.1 or above installed.
            * SecureMFA_SupportTools.dll file must be present in script directory.
            * SecureMFA_SupportTools.json configuration file must be present in script directory.
                                     
            Below are the JSON config file sections which need to be updated with your environment settings:
                {
                    "serialkey": "f01145697",
                    "hashicorp_auth_endpoint": "http://hscvault.adatum.labnet:8200/v1/auth/oidc/oidc/auth_url",
                    "hashicorp_token_endpoint": "http://hscvault.adatum.labnet:8200/v1/auth/oidc/oidc/callback",
                    "hashicorp_oidc_role": "kv-mgr9",
                    "hashicorp_oidc_uri": "uri:securemfa:testapp2:nativeapp:test",
                    "proxy": "http://proxy.adatum.labnet:8080",
                    "bypassproxyonlocal": "false"
                }
 
    .PARAMETER ProxyFromConfig
        Decryption parameter is required for systems which use secret key encryption with AES256.
        ‘encryption_passphrase’ value must match setting which is defined in SecureMFA OTP provider configuration. Otherwise displayed OTP codes will not be valid.
 
    .NOTES
        Version: 1.0.0.3
        Author: SecureMfa.com
        Creation Date: 01/10/2019
        Purpose/Change: Incorporated into module
   
    .EXAMPLE
        C:\PS> Get-xHashiCorp_Vault_ClientToken
 
        This command will retrieve client token from HashiCorp Vault using OIDC auth configuration.
 
    .EXAMPLE
        C:\PS> Get-xHashiCorp_Vault_ClientToken -Proxy SystemDefaults
          
        This command will execute CLI commands using the system's default proxy settings.
 
    .EXAMPLE
        C:\PS> Get-xHashiCorp_Vault_ClientToken -Proxy UseConfig
          
        This command will execute CLI commands using proxy settings from SecureMFA PS Module json config file.
     
    .EXAMPLE
        C:\PS> Get-xHashiCorp_Vault_ClientToken -Proxy none
          
        This command will execute CLI commands without proxy settings.
     
#>


#>

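Function Get-xHashiCorp_Vault_ClientToken {
<#
    Retrieves a HashiCorp Vault client token through the SecureMFA OIDC helper DLL.

    Parameters:
        -Proxy  'SystemDefaults' (default) imports the IE proxy into WinHTTP,
                'UseConfig' applies the proxy from the JSON config,
                'none' clears the WinHTTP and .NET default proxy.
    Returns:
        A two-element array: the raw helper output as a string, and a hashtable
        @{ 'X-Vault-Token' = <token> } usable as an API header (or $null when
        the helper did not return a parseable token).
    Side effects:
        Changes the process-wide [System.Net.WebRequest]::DefaultWebProxy and,
        for 'SystemDefaults'/'none', the machine WinHTTP proxy via netsh.
        Writes an Application event log entry (source SecureMFA_SupportTools,
        event id 5559) on failure and pauses for a key press before returning.
#>
Param
(
    [Parameter(Mandatory=$false)]
    [ValidateSet('SystemDefaults','UseConfig','none')]
    [string]$Proxy='SystemDefaults'
)

# Static parameters
$Event_Source = "SecureMFA_SupportTools"

# --- Dependency checks ---------------------------------------------------------
# Both files are expected next to this script. 'return' (not 'break') is used so
# that a missing dependency leaves the caller running instead of unwinding the
# calling script, which is what 'break' outside a loop does.
$configfile = Join-Path -Path $PSScriptRoot -ChildPath 'SecureMFA_SupportTools.json'
if (!(Test-Path -Path $configfile)) {
    Write-Host "$configfile file is missing. Please copy a file to script directory and try again." -ForegroundColor Red
    pause
    return
}

$dllpath = Join-Path -Path $PSScriptRoot -ChildPath 'SecureMFA_SupportTools.dll'
if (!(Test-Path -Path $dllpath)) {
    # Fixed: the message previously named the JSON file instead of the DLL.
    Write-Host "$dllpath file is missing. Please copy a file to script directory and try again." -ForegroundColor Red
    pause
    return
}

# --- Read JSON configuration ---------------------------------------------------
$json = Get-Content -Raw -Path $configfile | ConvertFrom-Json
$serialkey                = $json.serialkey
$hashicorp_auth_endpoint  = $json.hashicorp_auth_endpoint
$hashicorp_token_endpoint = $json.hashicorp_token_endpoint
$hashicorp_oidc_role      = $json.hashicorp_oidc_role
$hashicorp_oidc_uri       = $json.hashicorp_oidc_uri
$webproxy                 = $json.proxy
# The config stores this flag as the string "true"/"false"; the .NET property
# is a bool, so convert once here (-eq on strings is case-insensitive).
$bypassproxyonlocal = ($json.bypassproxyonlocal -eq 'true')

Try {
    # NOTE(review): LoadFile performs no signature or integrity check on the DLL;
    # it is trusted solely because it sits next to the script.
    [System.Reflection.Assembly]::LoadFile($dllpath) | Out-Null
    [string]$access_token = $null

    # --- Proxy selection for the OIDC round-trips ------------------------------
    switch ($Proxy) {
        'UseConfig' {
            [System.Net.WebRequest]::DefaultWebProxy = New-Object System.Net.WebProxy($webproxy)
            [System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
            [System.Net.WebRequest]::DefaultWebProxy.BypassProxyOnLocal = $bypassproxyonlocal
        }
        'none' {
            netsh winhttp reset proxy | Out-Null
            [System.Net.WebRequest]::DefaultWebProxy = $null
        }
        default {
            # 'SystemDefaults': copy the IE proxy into WinHTTP
            # (netsh winhttp changes machine-wide state; presumably needs elevation — confirm).
            netsh winhttp import proxy source=ie | Out-Null
        }
    }

    # --- Retrieve the client token via the Vault OIDC auth flow ----------------
    # The helper's return value is captured as text; the token itself comes back
    # through the [ref] out-parameter.
    $atoken = [SecureMFA_SupportTools.IDPAUTH]::RetrieveHashicorpAccesToken($hashicorp_auth_endpoint, $hashicorp_oidc_role, $hashicorp_oidc_uri, $hashicorp_token_endpoint, $serialkey, [ref]$access_token) | Out-String

    # Parse the returned payload; anything that is not JSON is passed through raw.
    $hashiauthtoken = $null
    try {
        $hashiauthtoken = ConvertFrom-Json -InputObject $access_token -ErrorAction Stop
        $validJson = $true
    }
    catch {
        $validJson = $false
    }

    # --- Build the API header -------------------------------------------------
    $client_token = $access_token
    $token = $null

    # Also require a non-empty auth.client_token so an unexpected JSON shape
    # does not produce an empty X-Vault-Token header.
    if ($validJson -and $hashiauthtoken.auth.client_token) {
        $client_token = $hashiauthtoken.auth.client_token
        # NOTE(review): the token is a bearer secret; echoing it to the host means
        # transcripts and console captures will retain it.
        Write-Host "Issued Hashicorp Vault client token: $client_token" -ForegroundColor Cyan
        # Ready for Invoke-RestMethod -Headers
        $token = @{ 'X-Vault-Token' = "$client_token" }
    }

    return $atoken, $token
}
catch [System.Exception] {
    $line = $_.InvocationInfo.ScriptLineNumber
    $msg  = $_.Exception.Message

    Write-Host -ForegroundColor Red "Error: $msg"
    # Event-log write is best effort: an unregistered source or missing
    # permission must not mask the original failure.
    try {
        Write-EventLog -LogName Application -Source $Event_Source -EntryType Error -EventId 5559 `
            -Message "$msg Executed by: $env:username Computer: $env:computername Line: $line" -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not write to event log: $($_.Exception.Message)"
    }
}

pause
}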