entitlements.psm1
|
# Helpers function Resolve-SafeguardEntitlementId { [CmdletBinding()] Param( [Parameter(Mandatory=$false)] [string]$Appliance, [Parameter(Mandatory=$false)] [object]$AccessToken, [Parameter(Mandatory=$false)] [switch]$Insecure, [Parameter(Mandatory=$true,Position=0)] [object]$Entitlement ) if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" } if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") } if ($Entitlement.Id -as [int]) { $Entitlement = $Entitlement.Id } if (-not ($Entitlement -as [int])) { try { $local:Entitlements = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Roles ` -Parameters @{ filter = "Name ieq '$Entitlement'" }) } catch { Write-Verbose $_ Write-Verbose "Caught exception with ieq filter, trying with q parameter" $local:Entitlements = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Roles ` -Parameters @{ q = $Entitlement }) } if (-not $local:Entitlements) { throw "Unable to find Entitlement matching '$Entitlement'" } if ($local:Entitlements.Count -ne 1) { throw "Found $($local:Entitlements.Count) Entitlements matching '$Entitlement'" } $local:Entitlements[0].Id } else { $Entitlement } } <# .SYNOPSIS Get entitlements in Safeguard via the Web API. .DESCRIPTION Entitlement is a set of access request policies that restrict system access to authorized users .PARAMETER Appliance IP address or hostname of a Safeguard appliance. .PARAMETER AccessToken A string containing the bearer token to be used with Safeguard Web API. .PARAMETER Insecure Ignore verification of Safeguard appliance SSL certificate. .PARAMETER EntitlementToGet An integer containing the ID or a string containing the name of the entitlement to get. .PARAMETER Fields An array of the entitlement property names to return. .INPUTS None. .OUTPUTS JSON response from Safeguard Web API. .EXAMPLE Get-SafeguardEntitlement -AccessToken $token -Appliance 10.5.32.54 -Insecure .EXAMPLE Get-SafeguardEntitlement testEntitlement .EXAMPLE Get-SafeguardEntitlement 123 #> function Get-SafeguardEntitlement { [CmdletBinding()] Param( [Parameter(Mandatory=$false)] [string]$Appliance, [Parameter(Mandatory=$false)] [object]$AccessToken, [Parameter(Mandatory=$false)] [switch]$Insecure, [Parameter(Mandatory=$false,Position=0)] [object]$EntitlementToGet, [Parameter(Mandatory=$false)] [string[]]$Fields ) if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" } if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") } $local:Parameters = $null if ($Fields) { $local:Parameters = @{ fields = ($Fields -join ",")} } if ($PSBoundParameters.ContainsKey("EntitlementToGet")) { $local:EntitlementId = Resolve-SafeguardEntitlementId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $EntitlementToGet Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core ` GET "Roles/$($local:EntitlementId)" -Parameters $local:Parameters } else { Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core ` GET Roles -Parameters $local:Parameters } } <# .SYNOPSIS Create a new Entitlement in Safeguard via the Web API. .DESCRIPTION Create a new Entitlement in Safeguard. Access policies can be attached to Entitlements. Users and groups can be created using separate cmdlets and added as members via this cmdlet. .PARAMETER Appliance IP address or hostname of a Safeguard appliance. .PARAMETER AccessToken A string containing the bearer token to be used with Safeguard Web API. .PARAMETER Insecure Ignore verification of Safeguard appliance SSL certificate. .PARAMETER Name The name of the entitlement. .PARAMETER MemberUsers Array of IDs or names of the users to be added to the entitlement. .PARAMETER MemberGroups Array of IDs or names of the users to be added to the entitlement. .INPUTS None. .OUTPUTS JSON response from Safeguard Web API. .EXAMPLE New-SafeguardEntitlement "Lab Administrator" #> function New-SafeguardEntitlement { [CmdletBinding()] Param( [Parameter(Mandatory=$false)] [string]$Appliance, [Parameter(Mandatory=$false)] [object]$AccessToken, [Parameter(Mandatory=$false)] [switch]$Insecure, [Parameter(Mandatory=$true,Position=0)] [string]$Name, [Parameter(Mandatory=$false,Position=1)] [object[]]$MemberUsers, [Parameter(Mandatory=$false,Position=2)] [object[]]$MemberGroups ) if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" } if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") } [object[]]$Members = $null foreach ($local:User in $MemberUsers) { $local:ResolvedUserId = (Get-SafeguardUser -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -UserToGet $local:User).Id $local:Member = @{ Id = $local:ResolvedUserId; PrincipalKind = "User" } $local:Members += $($local:Member) } foreach ($local:Group in $MemberGroups) { $local:ResolvedGroupId = (Get-SafeguardUserGroup -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -GroupToGet $local:Group).Id $local:Member = @{ Id = $local:ResolvedGroupId; PrincipalKind = "Group" } $local:Members += $($local:Member) } Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST Roles ` -Body @{ Name = $Name; Members = $local:Members} } <# .SYNOPSIS Remove entitlements in Safeguard via the Web API. .DESCRIPTION Entitlement is a set of access request policies that restrict system access to authorized users .PARAMETER Appliance IP address or hostname of a Safeguard appliance. .PARAMETER AccessToken A string containing the bearer token to be used with Safeguard Web API. .PARAMETER Insecure Ignore verification of Safeguard appliance SSL certificate. .PARAMETER EntitlementToDelete An integer containing the ID or a string containing the name of the entitlement to delete. .INPUTS None. .OUTPUTS JSON response from Safeguard Web API. .EXAMPLE Remove-SafeguardEntitlement -AccessToken $token -Appliance 10.5.32.54 -Insecure .EXAMPLE Remove-SafeguardEntitlement testEntitlement .EXAMPLE Remove-SafeguardEntitlement 123 #> function Remove-SafeguardEntitlement { [CmdletBinding()] Param( [Parameter(Mandatory=$false)] [string]$Appliance, [Parameter(Mandatory=$false)] [object]$AccessToken, [Parameter(Mandatory=$false)] [switch]$Insecure, [Parameter(Mandatory=$true,Position=0)] [object]$EntitlementToDelete ) if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" } if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") } $local:EntitlementId = Resolve-SafeguardEntitlementId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $EntitlementToDelete Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core DELETE "Roles/$($local:EntitlementId)" } |