VaultServer

1.0.1

Public/Revoke-VaultToken.ps1

                                <#

    .SYNOPSIS

        This function revokes the Vault Token for the specified User.

    .DESCRIPTION

        See .SYNOPSIS

    .NOTES

    .PARAMETER VaultServerBaseUri

        This parameter is MANDATORY.

        This parameter takes a string that represents a Uri referencing the location of the Vault Server

        on your network. Example: "https://vaultserver.zero.lab:8200/v1"

    .PARAMETER VaultAuthToken

        This parameter is MANDATORY.

        This parameter takes a string that represents a Token for a Vault User that has (root) permission to

        lookup and delete Tokens using the Vault Server REST API.

    .PARAMETER VaultUserToDelete

        This parameter is MANDATORY.

        This parameter takes a string that represents the name of the user that you would like to revoke Tokens

        for. The UserName should match the .meta.username property from objects returned by the

        Get-VaultAccessorLookup function - which itself should match the Basic UserName in Active Directory.

        (For example, if the Domain User is 'zero\jsmith' the "Basic UserName" is 'jsmith', which

        is the value that you should supply to this paramter)

        IMPORTANT NOTE: ALL tokens granted to the specified user will be revoked.

    .EXAMPLE

        # Open an elevated PowerShell Session, import the module, and -

        PS C:\Users\zeroadmin> $SplatParams = @{

            VaultServerBaseUri      = $VaultServerBaseUri

            VaultAuthToken          = $ZeroAdminToken

            VaultuserToDelete       = "jsmith"

        }

        PS C:\Users\zeroadmin> Revoke-VaultToken @SplatParams

#>

function Revoke-VaultToken {

    [CmdletBinding()]

    Param(

        [Parameter(Mandatory=$True)]

        [string]$VaultServerBaseUri, # Should be something like "http://192.168.2.12:8200/v1"

        [Parameter(Mandatory=$True)]

        [string]$VaultAuthToken, # Should be something like 'myroot' or '434f37ca-89ae-9073-8783-087c268fd46f'

        [Parameter(Mandatory=$True)]

        [string[]]$VaultUserToDelete # Should match .meta.username for the Accessor Lookup

    )

    if (!$PSVersionTable.Platform -or $PSVersionTable.Platform -eq "Win32NT") {

        [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"

    }

    # Make sure $VaultServerBaseUri is a valid Url

    try {

        $UriObject = [uri]$VaultServerBaseUri

    }

    catch {

        Write-Error $_

        $global:FunctionResult = "1"

        return

    }

    if (![bool]$($UriObject.Scheme -match "http")) {

        Write-Error "'$VaultServerBaseUri' does not appear to be a URL! Halting!"

        $global:FunctionResult = "1"

        return

    }

    # If $VaultServerBaseUri ends in '/', remove it

    if ($VaultServerBaseUri[-1] -eq "/") {

        $VaultServerBaseUri = $VaultServerBaseUri.Substring(0,$VaultServerBaseUri.Length-1)

    }

    try {

        $AccessorInfo = Get-VaultAccessorLookup -VaultServerBaseUri $VaultServerBaseUri -VaultAuthToken $VaultAuthToken -ErrorAction Stop

        if (!$AccessorInfo) {throw "Ther Get-VaultAccessorLookup function failed! Halting!"}

    }

    catch {

        Write-Error $_

        $global:FunctionResult = "1"

        return

    }

    $AccessorToDelete = $($AccessorInfo | Where-Object {$_.meta.username -eq $VaultUserToDelete}).accessor

    if (!$AccessorToDelete) {

        Write-Error "Unable to find Accessor matching username $VaultUserToDelete! Halting!"

        $global:FunctionResult = "1"

        return

    }

    $jsonRequest = @"

{

    "accessor": "$AccessorToDelete"

}

"@

    try {

        # Validate JSON

        $JsonRequestAsSingleLineString = $jsonRequest | ConvertFrom-Json -EA Stop | ConvertTo-Json -Compress -EA Stop

    }

    catch {

        Write-Error "There was a problem with the JSON for deleting an accessor! Halting!"

    }

    $IWRSplatParams = @{

        Uri         = "$VaultServerBaseUri/auth/token/revoke-accessor"

        Headers     = @{"X-Vault-Token" = "$VaultAuthToken"}

        Body        = $JsonRequestAsSingleLineString

        Method      = "Post"

    }

    $RevokeTokenResult = Invoke-RestMethod @IWRSplatParams

    # NOTE: Revoking a Token does Not produce output, to $RevokeJSmithTokenResult should be $null

    # Make sure it no longer exists

    try {

        $AccessorInfo = Get-VaultAccessorLookup -VaultServerBaseUri $VaultServerBaseUri -VaultAuthToken $VaultAuthToken -ErrorAction Stop

        if (!$AccessorInfo) {throw "Ther Get-VaultAccessorLookup function failed! Halting!"}

    }

    catch {

        Write-Error $_

        $global:FunctionResult = "1"

        return

    }

    $AccessorStillExists = $($AccessorInfo | Where-Object {$_.meta.username -eq $VaultUserToDelete}).accessor

    if ($AccessorStillExists) {

        Write-Error "There was a problem deleting the accessor $AccessorToDelete for user $VaultUserToDelete! Halting!"

        $global:FunctionResult = '1'

        return

    }

    "Success"

}