a2a.psm1

# Helper
function Resolve-SafeguardA2aId
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$A2a
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    if ($A2a.Id -as [int])
    {
        $A2a = $User.Id
    }

    if (-not ($A2a -as [int]))
    {
        try
        {
            $local:A2as = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET A2ARegistrations `
                                -Parameters @{ filter = "AppName ieq '$A2a'" })
            if (-not $local:A2as)
            {
                $local:A2as = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET A2ARegistrations `
                                    -Parameters @{ filter = "CertificateUser ieq '$A2a'" })
            }
        }
        catch
        {
            Write-Verbose $_
            Write-Verbose "Caught exception with ieq filter, trying with q parameter"
            $local:A2as = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET A2ARegistrations `
                                -Parameters @{ q = $A2as })
        }
        if (-not $local:A2as)
        {
            throw "Unable to find A2A registration matching '$A2a'"
        }
        if ($local:A2as.Count -ne 1)
        {
            throw "Found $($local:A2as.Count) A2A registration matching '$A2a'"
        }
        $local:A2as[0].Id
    }
    else
    {
        $A2a
    }
}

function Resolve-SafeguardA2aAccountId
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [int]$A2aId,
        [Parameter(Mandatory=$true,Position=1)]
        [object]$Account,
        [Parameter(Mandatory=$false)]
        [object]$System
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    if ($Account.Id -as [int])
    {
        $Account = $Account.Id
    }

    if (-not ($Account -as [int]))
    {
        $local:Filter = "AccountName ieq '$Account'"
        if ($PSBoundParameters.ContainsKey("System") -and $System)
        {
            $local:Filter += "and SystemName ieq '$System'"
        }
        try
        {
            $local:Accounts = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
                                    Core GET "A2ARegistrations/$A2aId/RetrievableAccounts" -Parameters @{ filter = $local:Filter })
        }
        catch
        {
            Write-Verbose $_
            Write-Verbose "Caught exception with ieq filter, trying with q parameter"
            $local:Accounts = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
                                    Core GET "A2ARegistrations/$A2aId/RetrievableAccounts" -Parameters @{ q = $Account })
        }
        if (-not $local:Accounts)
        {
            throw "Unable to find a2a account matching '$Account'"
        }
        if ($local:Accounts.Count -ne 1)
        {
            throw "Found $($local:Accounts.Count) a2a accounts matching '$Account'"
        }
        $local:Accounts[0].AccountId
    }
    else
    {
        $Account
    }
}

<#
.SYNOPSIS
Get status of the A2A service on this Safeguard appliance via the Web API.
 
.DESCRIPTION
By default the A2A service is not running on a Safeguard appliance. It must be enabled
on the desired appliances in order to begin using any A2A registration configured in the
cluster. This cmdlet gets the current status of the A2A service on this appliance.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Get-SafeguardA2aServiceStatus -AccessToken $token -Appliance 10.5.32.54 -Insecure
 
.EXAMPLE
Get-SafeguardA2aServiceStatus
#>

function Get-SafeguardA2aServiceStatus
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Appliance GET "A2AService/Status"
}

<#
.SYNOPSIS
Enable the A2A service on this Safeguard appliance via the Web API.
 
.DESCRIPTION
By default the A2A service is not running on a Safeguard appliance. It must be enabled
on the desired appliances in order to begin using any A2A registration configured in the
cluster. This cmdlet enables the A2A service on this appliance.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Enable-SafeguardA2aService -AccessToken $token -Appliance 10.5.32.54 -Insecure
 
.EXAMPLE
Enable-SafeguardA2aService
#>

function Enable-SafeguardA2aService
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Appliance POST "A2AService/Enable"
}

<#
.SYNOPSIS
Disable the A2A service on this Safeguard appliance via the Web API.
 
.DESCRIPTION
By default the A2A service is not running on a Safeguard appliance. It must be enabled
on the desired appliances in order to begin using any A2A registration configured in the
cluster. This cmdlet disables the A2A service on this appliance.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Disable-SafeguardA2aService -AccessToken $token -Appliance 10.5.32.54 -Insecure
 
.EXAMPLE
Disable-SafeguardA2aService
#>

function Disable-SafeguardA2aService
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Appliance POST "A2AService/Disable"
}

<#
.SYNOPSIS
Get A2A registrations managed by Safeguard via the Web API.
 
.DESCRIPTION
Get the A2A registrations that have been added to Safeguard. Accounts for
credential retrieval and an access request broker can be added to A2A registrations.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER A2aToGet
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Get-SafeguardA2a -AccessToken $token -Appliance 10.5.32.54 -Insecure
 
.EXAMPLE
Get-SafeguardA2a "Ticket System"
#>

function Get-SafeguardA2a
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$false,Position=0)]
        [object]$A2aToGet
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    if ($PSBoundParameters.ContainsKey("A2aToGet"))
    {
        $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $A2aToGet)
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET "A2ARegistrations/$($local:A2aId)"
    }
    else
    {
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET "A2ARegistrations"
    }
}

<#
.SYNOPSIS
Create new A2A registration in Safeguard via the Web API.
 
.DESCRIPTION
Create a new A2A registration in Safeguard that can be used to retrieve credentials
and an access request broker.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER Name
A string containing the display name for this A2A registration.
 
.PARAMETER Description
A string containing a description for this A2A registration.
 
.PARAMETER CertificateUser
An integer containing the ID of the certificate user or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
New-SafeguardA2a -AccessToken $token -Appliance 10.5.32.54 -Insecure
 
.EXAMPLE
New-SafeguardA2a "Ticket System" TicketSystemUser -Description "Ticket System Requester"
#>

function New-SafeguardA2a
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [string]$Name,
        [Parameter(Mandatory=$true,Position=1)]
        [object]$CertificateUser,
        [Parameter(Mandatory=$false)]
        [string]$Description
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    Import-Module -Name "$PSScriptRoot\users.psm1" -Scope Local
    $local:UserId = (Resolve-SafeguardUserId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $CertificateUser)

    $local:Body = @{
        "CertificateUserId" = $local:UserId;
        "AppName" = $Name;
    }

    if ($PSBoundParameters.ContainsKey("Description")) { $local:Body.Description = $Description }

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST "A2ARegistrations" -Body $local:Body
}

<#
.SYNOPSIS
Remove an A2A registration from Safeguard via the Web API.
 
.DESCRIPTION
Remove an A2A registration from Safeguard. Make sure it is not in use before
you remove it.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER A2aToDelete
An integer containing the ID of the A2A registration to remove or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Remove-SafeguardA2a -AccessToken $token -Appliance 10.5.32.54 -Insecure 5
 
.EXAMPLE
Remove-SafeguardA2a "Ticket System"
#>

function Remove-SafeguardA2a
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$false,Position=0)]
        [object]$A2aToDelete
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    if (-not $PSBoundParameters.ContainsKey("A2aToDelete"))
    {
        $A2aToDelete = (Read-Host "A2aToDelete")
    }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $A2aToDelete)
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core DELETE "A2ARegistrations/$A2aId"
}

<#
.SYNOPSIS
Edit existing A2A registration in Safeguard via the Web API.
 
.DESCRIPTION
Edit an existing A2A registration in Safeguard that can be used to retrieve credentials
and an access request broker.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER A2aObject
An object containing the existing A2A registration with desired properties set.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Edit-SafeguardA2a -AccessToken $token -Appliance 10.5.32.54 -Insecure -A2aObject $obj
#>

function Edit-SafeguardA2a
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(ParameterSetName="Object",Mandatory=$true,Position=0,ValueFromPipeline=$true)]
        [object]$A2aObject
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }


    if (-not $A2aObject)
    {
        throw "A2aObject must not be null"
    }

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core PUT "A2ARegistrations/$($A2aObject.Id)" -Body $A2aObject
}

<#
.SYNOPSIS
Get configuration of credential retrieval for an account from an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Get all or one of the accounts configured for credential retrieval in an A2A registrations that have
been added to Safeguard. Accounts for credential retrieval are given API keys and may be configured
with IP address restrictions.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.PARAMETER AccountObj
An object representing the account to get the credential retrieval configuration for.
 
.PARAMETER System
An integer containing the ID of the system or a string containing the name.
 
.PARAMETER Account
An integer containing the ID of the account or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Get-SafeguardA2aCredentialRetrieval -AccessToken $token -Appliance 10.5.32.54 -Insecure
 
.EXAMPLE
Get-SafeguardA2aCredentialRetrieval "Ticket System" linux.test.machine root
#>

function Get-SafeguardA2aCredentialRetrieval
{
    [CmdletBinding(DefaultParameterSetName="None")]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a,
        [Parameter(ParameterSetName="Names",Mandatory=$false,Position=1)]
        [object]$System,
        [Parameter(ParameterSetName="Names",Mandatory=$true,Position=2)]
        [object]$Account,
        [Parameter(ParameterSetName="Object",Mandatory=$true)]
        [object]$AccountObj
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)

    if ($PsCmdlet.ParameterSetName -eq "None")
    {
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
            Core GET "A2ARegistrations/$($local:A2aId)/RetrievableAccounts"
    }
    else
    {
        if ($PsCmdlet.ParameterSetName -eq "Object")
        {
            if (-not $AccountObj)
            {
                throw "AccountObj must not be null"
            }
            if ($AccountObj.AccountId) { $local:AccountId = $AccountObj.AccountId }
            else { $local:AccountId = $AccountObj.Id }
        }
        else
        {
            $local:AccountId = (Resolve-SafeguardA2aAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
                $local:A2aId $Account -System $System)
        }

        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
                Core GET "A2ARegistrations/$($local:A2aId)/RetrievableAccounts/$($local:AccountId)"
    }
}

<#
.SYNOPSIS
Add configuration of account credential retrieval to an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Add an account credential retrieval to an A2A registration that has been added to Safeguard.
Accounts for credential retrieval are given API keys and may be configured with IP address
restrictions.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.PARAMETER AccountObj
An object representing the account to get the credential retrieval configuration for.
 
.PARAMETER System
An integer containing the ID of the system or a string containing the name.
 
.PARAMETER Account
An integer containing the ID of the account or a string containing the name.
 
.PARAMETER IpRestrictions
A list of strings containing IP address that may use this credential retrieval configuration.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Add-SafeguardA2aCredentialRetrieval -AccessToken $token -Appliance 10.5.32.54 -Insecure
 
.EXAMPLE
Add-SafeguardA2aCredentialRetrieval "Ticket System" linux.test.machine root -IpRestrictions "10.5.5.32","10.5.5.33"
#>

function Add-SafeguardA2aCredentialRetrieval
{
    [CmdletBinding(DefaultParameterSetName="Names")]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a,
        [Parameter(ParameterSetName="Names",Mandatory=$false,Position=1)]
        [object]$System,
        [Parameter(ParameterSetName="Names",Mandatory=$true,Position=2)]
        [object]$Account,
        [Parameter(ParameterSetName="Object",Mandatory=$true)]
        [object]$AccountObj,
        [Parameter(Mandatory=$false)]
        [string[]]$IpRestrictions
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    if ($PsCmdlet.ParameterSetName -eq "Object" -and -not $AccountObj)
    {
        throw "AccountObj must not be null"
    }

    if ($IpRestrictions)
    {
        Import-Module -Name "$PSScriptRoot\ps-utilities.psm1" -Scope Local
        $IpRestrictions | ForEach-Object {
            if (-not (Test-IpAddress $_))
            {
                throw "IP restriction '$_' is not an IP address"
            }
        }
    }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)

    $local:Body = @{}
    if ($PsCmdlet.ParameterSetName -eq "Object")
    {
        $local:Body.AccountId = $AccountObj.Id
        $local:Body.SystemId = $AccountObj.SystemId
    }
    else
    {
        Import-Module -Name "$PSScriptRoot\sg-utilities.psm1" -Scope Local
        if ($System)
        {
            $local:Body.SystemId = (Resolve-SafeguardSystemId -Appliance $Appliance -AccessToken $AccessToken -Insecure:$Insecure $System)
            $local:Body.AccountId = (Resolve-SafeguardAccountIdWithSystemId -Appliance $Appliance -AccessToken $AccessToken -Insecure:$Insecure `
                $local:Body.SystemId $Account)
        }
        else
        {
            Import-Module -Name "$PSScriptRoot\assets.psm1" -Scope Local
            $local:Body.AccountId = (Resolve-SafeguardAccountIdWithoutSystemId -Appliance $Appliance -AccessToken $AccessToken -Insecure:$Insecure $Account)
        }
    }

    if ($IpRestrictions)
    {
        $local:Body.IpRestrictions = $IpRestrictions
    }

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core POST "A2ARegistrations/$($local:A2aId)/RetrievableAccounts" -Body $local:Body
}

<#
.SYNOPSIS
Remove configuration of an account credential retrieval from an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Remove an account credential retrieval from an A2A registration that has been added to Safeguard.
Accounts for credential retrieval are given API keys and may be configured with IP address
restrictions.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.PARAMETER AccountObj
An object representing the account to get the credential retrieval configuration for.
 
.PARAMETER System
An integer containing the ID of the system or a string containing the name.
 
.PARAMETER Account
An integer containing the ID of the account or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Remove-SafeguardA2aCredentialRetrieval -AccessToken $token -Appliance 10.5.32.54 -Insecure
 
.EXAMPLE
Remove-SafeguardA2aCredentialRetrieval "Ticket System" linux.test.machine root
#>

function Remove-SafeguardA2aCredentialRetrieval
{
    [CmdletBinding(DefaultParameterSetName="Names")]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a,
        [Parameter(ParameterSetName="Names",Mandatory=$false,Position=1)]
        [object]$System,
        [Parameter(ParameterSetName="Names",Mandatory=$true,Position=2)]
        [object]$Account,
        [Parameter(ParameterSetName="Object",Mandatory=$true)]
        [object]$AccountObj
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    if ($PsCmdlet.ParameterSetName -eq "Object" -and -not $AccountObj)
    {
        throw "AccountObj must not be null"
    }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)
    if ($PsCmdlet.ParameterSetName -eq "Object")
    {
        if ($AccountObj.AccountId) { $local:AccountId = $AccountObj.AccountId }
        else { $local:AccountId = $AccountObj.Id }
    }
    else
    {
        $local:AccountId = (Resolve-SafeguardA2aAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
            $local:A2aId $Account -System $System)
    }

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
            Core DELETE "A2ARegistrations/$($local:A2aId)/RetrievableAccounts/$($local:AccountId)"
}

<#
.SYNOPSIS
Get the IP address restrictions from an account credential retrieval from an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Get the IP addresses that are whitelisted for calling an account credential retrieval of an A2A registration
that has been added to Safeguard.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.PARAMETER AccountObj
An object representing the account to get the credential retrieval configuration for.
 
.PARAMETER System
An integer containing the ID of the system or a string containing the name.
 
.PARAMETER Account
An integer containing the ID of the account or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Get-SafeguardA2aCredentialRetrievalIpRestriction -AccessToken $token -Appliance 10.5.32.54 -Insecure
 
.EXAMPLE
Get-SafeguardA2aCredentialRetrievalIpRestriction "Ticket System" linux.test.machine root
#>

function Get-SafeguardA2aCredentialRetrievalIpRestriction
{
    [CmdletBinding(DefaultParameterSetName="Names")]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a,
        [Parameter(ParameterSetName="Names",Mandatory=$false,Position=1)]
        [object]$System,
        [Parameter(ParameterSetName="Names",Mandatory=$true,Position=2)]
        [object]$Account,
        [Parameter(ParameterSetName="Object",Mandatory=$true)]
        [object]$AccountObj
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)
    if ($PsCmdlet.ParameterSetName -eq "Object")
    {
        if (-not $AccountObj)
        {
            throw "AccountObj must not be null"
        }
        (Get-SafeguardA2aCredentialRetrieval -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
            $local:A2aId -AccountObj $AccountObj).IpRestrictions
    }
    else
    {
        (Get-SafeguardA2aCredentialRetrieval -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
            $local:A2aId $System $Account).IpRestrictions
    }
}

<#
.SYNOPSIS
Set the IP address restrictions for an account credential retrieval for an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Set the IP addresses that are whitelisted for calling an account credential retrieval of an A2A registration
that has been added to Safeguard.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.PARAMETER AccountObj
An object representing the account to get the credential retrieval configuration for.
 
.PARAMETER System
An integer containing the ID of the system or a string containing the name.
 
.PARAMETER Account
An integer containing the ID of the account or a string containing the name.
 
.PARAMETER IpRestrictions
A list of strings containing IP address that may use this credential retrieval configuration.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Set-SafeguardA2aCredentialRetrievalIpRestriction -AccessToken $token -Appliance 10.5.32.54 -Insecure
 
.EXAMPLE
Set-SafeguardA2aCredentialRetrievalIpRestriction "Ticket System" linux.test.machine root -IpRestrictions "10.0.0.11","10.0.0.12"
#>

function Set-SafeguardA2aCredentialRetrievalIpRestriction
{
    [CmdletBinding(DefaultParameterSetName="Names")]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a,
        [Parameter(ParameterSetName="Names",Mandatory=$false,Position=1)]
        [object]$System,
        [Parameter(ParameterSetName="Names",Mandatory=$true,Position=2)]
        [object]$Account,
        [Parameter(ParameterSetName="Object",Mandatory=$true)]
        [object]$AccountObj,
        [Parameter(Mandatory=$true)]
        [string[]]$IpRestrictions
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    if (-not $IpRestrictions)
    {
        throw "IpRestrictions cannot be null"
    }

    Import-Module -Name "$PSScriptRoot\ps-utilities.psm1" -Scope Local
    $IpRestrictions | ForEach-Object {
        if (-not (Test-IpAddress $_))
        {
            throw "IP restriction '$_' is not an IP address"
        }
    }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)
    if ($PsCmdlet.ParameterSetName -eq "Object")
    {
        if (-not $AccountObj)
        {
            throw "AccountObj must not be null"
        }
        $local:A2aCr = (Get-SafeguardA2aCredentialRetrieval -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
                            $local:A2aId -AccountObj $AccountObj)
    }
    else
    {
        $local:A2aCr = (Get-SafeguardA2aCredentialRetrieval -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
                            $local:A2aId $System $Account)
    }

    $local:A2aCr.IpRestrictions = $IpRestrictions

    (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core PUT "A2ARegistrations/$($local:A2aId)/RetrievableAccounts/$($local:A2aCr.AccountId)" -Body $local:A2aCr).IpRestrictions
}

<#
.SYNOPSIS
Remove all the IP address restrictions for an account credential retrieval for an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Remove all the IP addresses that are whitelisted for calling an account credential retrieval of an A2A registration
that has been added to Safeguard. This means it can be called from anywhere.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.PARAMETER AccountObj
An object representing the account to get the credential retrieval configuration for.
 
.PARAMETER System
An integer containing the ID of the system or a string containing the name.
 
.PARAMETER Account
An integer containing the ID of the account or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Clear-SafeguardA2aCredentialRetrievalIpRestriction -AccessToken $token -Appliance 10.5.32.54 -Insecure
 
.EXAMPLE
Clear-SafeguardA2aCredentialRetrievalIpRestriction "Ticket System" linux.test.machine root
#>

function Clear-SafeguardA2aCredentialRetrievalIpRestriction
{
    [CmdletBinding(DefaultParameterSetName="Names")]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a,
        [Parameter(ParameterSetName="Names",Mandatory=$false,Position=1)]
        [object]$System,
        [Parameter(ParameterSetName="Names",Mandatory=$true,Position=2)]
        [object]$Account,
        [Parameter(ParameterSetName="Object",Mandatory=$true)]
        [object]$AccountObj
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)
    if ($PsCmdlet.ParameterSetName -eq "Object")
    {
        if (-not $AccountObj)
        {
            throw "AccountObj must not be null"
        }
        $local:A2aCr = (Get-SafeguardA2aCredentialRetrieval -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
                            $local:A2aId -AccountObj $AccountObj)
    }
    else
    {
        $local:A2aCr = (Get-SafeguardA2aCredentialRetrieval -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
                            $local:A2aId $System $Account)
    }

    $local:A2aCr.IpRestrictions = $null

    (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core PUT "A2ARegistrations/$($local:A2aId)/RetrievableAccounts/$($local:A2aCr.AccountId)" -Body $local:A2aCr).IpRestrictions
}

<#
.SYNOPSIS
Regenerate the API key for an account credential retrieval for an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Ask Safeguard to regenerate the API key used for calling an account credential retrieval of an A2A registration
that has been added to Safeguard.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.PARAMETER AccountObj
An object representing the account to get the credential retrieval configuration for.
 
.PARAMETER System
An integer containing the ID of the system or a string containing the name.
 
.PARAMETER Account
An integer containing the ID of the account or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Reset-SafeguardA2aCredentialRetrievalApiKey "Ticket System" linux.test.machine root
#>

function Reset-SafeguardA2aCredentialRetrievalApiKey
{
    [CmdletBinding(DefaultParameterSetName="Names")]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a,
        [Parameter(ParameterSetName="Names",Mandatory=$false,Position=1)]
        [object]$System,
        [Parameter(ParameterSetName="Names",Mandatory=$true,Position=2)]
        [object]$Account,
        [Parameter(ParameterSetName="Object",Mandatory=$true)]
        [object]$AccountObj
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    if ($PsCmdlet.ParameterSetName -eq "Object" -and -not $AccountObj)
    {
        throw "AccountObj must not be null"
    }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)
    if ($PsCmdlet.ParameterSetName -eq "Object")
    {
        if ($AccountObj.AccountId) { $local:AccountId = $AccountObj.AccountId }
        else { $local:AccountId = $AccountObj.Id }
    }
    else
    {
        $local:AccountId = (Resolve-SafeguardA2aAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
            $local:A2aId $Account -System $System)
    }

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
            Core POST "A2ARegistrations/$($local:A2aId)/RetrievableAccounts/$($local:AccountId)/ApiKey"
}

<#
.SYNOPSIS
Get the API key used for requesting an account credential retrieval configured in an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Ask Safeguard for the API key used for calling an account credential retrieval of an A2A registration
that has been added to Safeguard.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.PARAMETER AccountObj
An object representing the account to get the credential retrieval configuration for.
 
.PARAMETER System
An integer containing the ID of the system or a string containing the name.
 
.PARAMETER Account
An integer containing the ID of the account or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Get-SafeguardA2aCredentialRetrievalApiKey "Ticket System" linux.test.machine root
#>

function Get-SafeguardA2aCredentialRetrievalApiKey
{
    [CmdletBinding(DefaultParameterSetName="Names")]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a,
        [Parameter(ParameterSetName="Names",Mandatory=$false,Position=1)]
        [object]$System,
        [Parameter(ParameterSetName="Names",Mandatory=$true,Position=2)]
        [object]$Account,
        [Parameter(ParameterSetName="Object",Mandatory=$true)]
        [object]$AccountObj
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    if ($PsCmdlet.ParameterSetName -eq "Object" -and -not $AccountObj)
    {
        throw "AccountObj must not be null"
    }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)
    if ($PsCmdlet.ParameterSetName -eq "Object")
    {
        if ($AccountObj.AccountId) { $local:AccountId = $AccountObj.AccountId }
        else { $local:AccountId = $AccountObj.Id }
    }
    else
    {
        $local:AccountId = (Resolve-SafeguardA2aAccountId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
            $local:A2aId $Account -System $System)
    }

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
            Core GET "A2ARegistrations/$($local:A2aId)/RetrievableAccounts/$($local:AccountId)/ApiKey"
}

<#
.SYNOPSIS
Get summary information of A2A registrations in Safeguard via the Web API.
 
.DESCRIPTION
Get summary information of A2A registrations in Safeguard to make it easier to call
Safeguard A2A with the appropriate parameters.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Get-SafeguardA2aCredentialRetrievalInformation
 
.EXAMPLE
Get-SafeguardA2aCredentialRetrievalInformation linux.test.machine root
#>

function Get-SafeguardA2aCredentialRetrievalInformation
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$false, Position = 0)]
        [string]$AssetName,
        [Parameter(Mandatory=$false, Position = 1)]
        [string]$AccountName,
        [Parameter(Mandatory=$false, Position = 2)]
        [string]$DomainName
    )

    $local:Infos = ((Get-SafeguardA2a -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure) | ForEach-Object {
        $local:A2a = $_
        (Get-SafeguardA2aCredentialRetrieval -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -ParentA2a $local:A2a.Id) | ForEach-Object {
            $local:Hash = [ordered]@{
                AppName = $local:A2a.AppName;
                Description = $local:A2a.Description;
                CertificateUserThumbPrint = $local:A2a.CertificateUserThumbPrint;
                ApiKey = $_.ApiKey;
                AssetName = $_.SystemName;
                AccountName = $_.AccountName;
                DomainName = $_.DomainName;
            }
            New-Object PSObject -Property $local:Hash
        }
    })
    if ($AssetName) { $local:Infos = ($local:Infos | Where-Object { $_.AssetName -ieq $AssetName }) }
    if ($AccountName) { $local:Infos = ($local:Infos | Where-Object { $_.AccountName -ieq $AccountName }) }
    if ($DomainName) { $local:Infos = ($local:Infos | Where-Object { $_.DomainName -ieq $DomainName }) }
    $local:Infos
}

<#
.SYNOPSIS
Get the configuration used for brokering access requests to an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Get an access request broker from an A2A registration that has been added to Safeguard.
There may be only one access request broker per A2A registration. An access request broker
is given an API and may be configured with IP address restrictions.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Get-SafeguardA2aAccessRequestBroker "Ticket System"
#>

function Get-SafeguardA2aAccessRequestBroker
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core GET "A2ARegistrations/$($local:A2aId)/AccessRequestBroker"
}

<#
.SYNOPSIS
Add the configuration used for brokering access requests to an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Add an access request broker to an A2A registration that has been added to Safeguard.
There may be only one access request broker per A2A registration. An access request broker
is given an API and may be configured with IP address restrictions.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.PARAMETER Users
An array of integers containing user IDs or an array of strings containing user names.
 
.PARAMETER Groups
An array of integers containing user group IDs or an array of strings containing user group names.
 
.PARAMETER IpRestrictions
A list of strings containing IP address that may use this access request broker configuration.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Set-SafeguardA2aAccessRequestBroker "Ticket System" -Users BlueBoy,GreenMan
 
.EXAMPLE
Set-SafeguardA2aAccessRequestBroker "Ticket System" -Groups "My Admins",YourAdmins
 
.EXAMPLE
Set-SafeguardA2aAccessRequestBroker "Ticket System" -Users BlueBoy,GreenMan -Groups "My Admins",YourAdmins
#>

function Set-SafeguardA2aAccessRequestBroker
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a,
        [Parameter(Mandatory=$false)]
        [object[]]$Users,
        [Parameter(Mandatory=$false)]
        [object[]]$Groups,
        [Parameter(Mandatory=$false)]
        [string[]]$IpRestrictions
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    if ((-not $Users) -and (-not $Groups))
    {
        throw "You must specify either Users or Groups or both"
    }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)
    $local:Body = @{}

    if ($Users)
    {
        Import-Module -Name "$PSScriptRoot\users.psm1" -Scope Local
        $local:Body.Users = @()
        $Users | ForEach-Object {
            $local:UserId = (Resolve-SafeguardUserId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $_)
            $local:Body.Users += @{ UserId = $local:UserId }
        }
    }

    if ($Groups)
    {
        Import-Module -Name "$PSScriptRoot\groups.psm1" -Scope Local
        $local:Body.Groups = @()
        $Groups | ForEach-Object {
            $local:GroupId = (Resolve-SafeguardGroupId  -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure User $_)
            $local:Body.Groups += @{ GroupId = $local:GroupId }
        }
    }

    if ($IpRestrictions)
    {
        Import-Module -Name "$PSScriptRoot\ps-utilities.psm1" -Scope Local
        $IpRestrictions | ForEach-Object {
            if (-not (Test-IpAddress $_))
            {
                throw "IP restriction '$_' is not an IP address"
            }
        }
        $local:Body.IpRestrictions = $IpRestrictions
    }

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core PUT "A2ARegistrations/$($local:A2aId)/AccessRequestBroker" -Body $local:Body
}

<#
.SYNOPSIS
Remove the configuration used for brokering access requests from an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Remove an access request broker from an A2A registration that has been added to Safeguard.
There may be only one access request broker per A2A registration. An access request broker
is given an API and may be configured with IP address restrictions.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Clear-SafeguardA2aAccessRequestBroker "Ticket System"
#>

function Clear-SafeguardA2aAccessRequestBroker
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core DELETE "A2ARegistrations/$($local:A2aId)/AccessRequestBroker"
}

<#
.SYNOPSIS
Get the IP address restrictions for an access request broker for an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Get the IP addresses that are whitelisted for calling the access request broker of an A2A registration
that has been added to Safeguard.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Get-SafeguardA2aAccessRequestBrokerIpRestriction "Ticket System"
#>

function Get-SafeguardA2aAccessRequestBrokerIpRestriction
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    (Get-SafeguardA2aAccessRequestBroker -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a).IpRestrictions
}

<#
.SYNOPSIS
Set the IP address restrictions for an access request broker for an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Set the IP addresses that are whitelisted for calling the access request broker of an A2A registration
that has been added to Safeguard.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.PARAMETER IpRestrictions
A list of strings containing IP address that may use this access request broker configuration.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Set-SafeguardA2aAccessRequestBrokerIpRestriction "Ticket System" -IpRestrictions "10.0.0.11","10.0.0.12"
#>

function Set-SafeguardA2aAccessRequestBrokerIpRestriction
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a,
        [Parameter(Mandatory=$true)]
        [string[]]$IpRestrictions
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    if (-not $IpRestrictions)
    {
        throw "IpRestrictions cannot be null"
    }

    Import-Module -Name "$PSScriptRoot\ps-utilities.psm1" -Scope Local
    $IpRestrictions | ForEach-Object {
        if (-not (Test-IpAddress $_))
        {
            throw "IP restriction '$_' is not an IP address"
        }
    }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)
    $local:A2aBroker = (Get-SafeguardA2aAccessRequestBroker -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $local:A2aId)

    $local:A2aBroker.IpRestrictions = $IpRestrictions

    (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core PUT "A2ARegistrations/$($local:A2aId)/AccessRequestBroker" -Body $local:A2aBroker).IpRestrictions
}

<#
.SYNOPSIS
Remove all the IP address restrictions for an access request broker for an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Remove all the IP addresses that are whitelisted for calling the access request broker of an A2A registration
that has been added to Safeguard. This means it can be called from anywhere.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Clear-SafeguardA2aAccessRequestBrokerIpRestriction "Ticket System"
#>

function Clear-SafeguardA2aAccessRequestBrokerIpRestriction
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a
    )

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)
    $local:A2aBroker = (Get-SafeguardA2aAccessRequestBroker -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $local:A2aId)

    $local:A2aBroker.IpRestrictions = $null

    (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core PUT "A2ARegistrations/$($local:A2aId)/AccessRequestBroker" -Body $local:A2aBroker).IpRestrictions
}

<#
.SYNOPSIS
Regenerate the API key used for brokering access requests using an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Ask Safeguard to regenerate the API key used for calling the A2A service for creating an access request
on behalf of another user.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Reset-SafeguardA2aAccessRequestBrokerApiKey "Ticket System"
#>

function Reset-SafeguardA2aAccessRequestBrokerApiKey
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core POST "A2ARegistrations/$($local:A2aId)/AccessRequestBroker/ApiKey"
}

<#
.SYNOPSIS
Get the API key used for brokering access requests using an A2A registration in Safeguard
via the Web API.
 
.DESCRIPTION
Ask Safeguard for the API key used for calling the A2A service for creating an access request
on behalf of another user.
 
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
 
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
 
.PARAMETER Insecure
Ignore verification of Safeguard appliance SSL certificate.
 
.PARAMETER ParentA2a
An integer containing the ID of the A2A registration to get or a string containing the name.
 
.INPUTS
None.
 
.OUTPUTS
JSON response from Safeguard Web API.
 
.EXAMPLE
Get-SafeguardA2aAccessRequestBrokerApiKey "Ticket System"
#>

function Get-SafeguardA2aAccessRequestBrokerApiKey
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Appliance,
        [Parameter(Mandatory=$false)]
        [object]$AccessToken,
        [Parameter(Mandatory=$false)]
        [switch]$Insecure,
        [Parameter(Mandatory=$true,Position=0)]
        [object]$ParentA2a
    )

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    $local:A2aId = (Resolve-SafeguardA2aId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $ParentA2a)

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure `
        Core GET "A2ARegistrations/$($local:A2aId)/AccessRequestBroker/ApiKey"
}