💥 ✨ UPDATE New-PASDirectoryMapping & Set-PASDirectoryMapping
Breaking Change.
Updates to `New-PASDirectoryMapping` & `Set-PASDirectoryMapping`
- Moved Authorizations Enum to `psPAS.psm1` to be imported to module scope.
- Changed parameter type for MappingAuthorizations to Authorizations Enum
  - Parameter now accepts list of strings associated with the enum instead of `[int]`
- Removed individual parameters now replaced by proper use of the Authorizations Enum.
- Logic update to allow Enum Flags to be converted to array for inclusion in request body.
pspete committed Jan 14, 2020
1 parent a57fe50 commit 0c7f340
Showing 7 changed files with 144 additions and 543 deletions.
14 changes: 7 additions & 7 deletions Tests/New-PASDirectoryMapping.Tests.ps1
Expand Up @@ -58,7 +58,7 @@ Describe $FunctionName {

It "does not throw - v10.4 parameterset" {
$Script:ExternalVersion = "10.4"
{ $InputObj | New-PASDirectoryMapping -RestoreAllSafes } | Should -Not -Throw
{ $InputObj | New-PASDirectoryMapping -MappingAuthorizations RestoreAllSafes } | Should -Not -Throw
}


Expand All @@ -73,13 +73,13 @@ Describe $FunctionName {
}

It "sends request" {
$InputObj | New-PASDirectoryMapping -RestoreAllSafes
$InputObj | New-PASDirectoryMapping -MappingAuthorizations RestoreAllSafes
Assert-MockCalled Invoke-PASRestMethod -Times 1 -Exactly -Scope It

}

It "sends request to expected endpoint" {
$InputObj | New-PASDirectoryMapping -RestoreAllSafes
$InputObj | New-PASDirectoryMapping -MappingAuthorizations RestoreAllSafes
Assert-MockCalled Invoke-PASRestMethod -ParameterFilter {

$URI -eq "$($Script:BaseURI)/api/Configuration/LDAP/Directories/SomeDirectory/Mappings"
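Review bot: The assertions in "sends request" and "sends request to expected endpoint" only check the call count and the URI, so nothing here verifies what `-MappingAuthorizations RestoreAllSafes` turns into on the wire. The commit message says the enum flags are now converted to an array for the request body; add an It block whose ParameterFilter inspects the request body and confirms it carries exactly the authorization names that were passed, otherwise a conversion bug could grant mapped users the wrong authorizations without any test failing.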
Expand All @@ -89,14 +89,14 @@ Describe $FunctionName {
}

It "uses expected method" {
$InputObj | New-PASDirectoryMapping -RestoreAllSafes
$InputObj | New-PASDirectoryMapping -MappingAuthorizations RestoreAllSafes
Assert-MockCalled Invoke-PASRestMethod -ParameterFilter { $Method -match 'POST' } -Times 1 -Exactly -Scope It

}

It "throws error if version requirement not met" {
$Script:ExternalVersion = "1.0"
{ $InputObj | New-PASDirectoryMapping -RestoreAllSafes -BackupAllSafes } | Should -Throw
{ $InputObj | New-PASDirectoryMapping -MappingAuthorizations RestoreAllSafes, BackupAllSafes } | Should -Throw
$Script:ExternalVersion = "0.0"
}

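Review bot: In "throws error if version requirement not met", `Should -Throw` with no expected message passes on any exception, including a parameter-binding error if `RestoreAllSafes, BackupAllSafes` fails to convert to the new enum type. Pin the assertion to the version-check error (for example with `-ExpectedMessage`) so the test still fails if the throw comes from the new parameter type instead of the version requirement.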
Expand All @@ -108,13 +108,13 @@ Describe $FunctionName {

It "throws error if version requirement not met" {
$Script:ExternalVersion = "10.9"
{ $InputObj | New-PASDirectoryMapping -RestoreAllSafes -BackupAllSafes -VaultGroups "Group1", "Group2" -UserActivityLogPeriod 10 } | Should -Throw
{ $InputObj | New-PASDirectoryMapping -MappingAuthorizations RestoreAllSafes, BackupAllSafes -VaultGroups "Group1", "Group2" -UserActivityLogPeriod 10 } | Should -Throw
$Script:ExternalVersion = "0.0"
}

It "does not throw if version requirement met" {
$Script:ExternalVersion = "10.10"
{ $InputObj | New-PASDirectoryMapping -RestoreAllSafes -BackupAllSafes -VaultGroups "Group1", "Group2" -UserActivityLogPeriod 10 } | Should -Not -Throw
{ $InputObj | New-PASDirectoryMapping -MappingAuthorizations RestoreAllSafes, BackupAllSafes -VaultGroups "Group1", "Group2" -UserActivityLogPeriod 10 } | Should -Not -Throw
$Script:ExternalVersion = "0.0"
}

6 changes: 3 additions & 3 deletions Tests/Set-PASDirectoryMapping.Tests.ps1
Expand Up @@ -57,13 +57,13 @@ Describe $FunctionName {
}

It "sends request" {
$InputObj | Set-PASDirectoryMapping -AddUpdateUsers -ActivateUsers
$InputObj | Set-PASDirectoryMapping -MappingAuthorizations AddUpdateUsers ActivateUsers
Assert-MockCalled Invoke-PASRestMethod -Times 1 -Exactly -Scope It

}

It "sends request to expected endpoint" {
$InputObj | Set-PASDirectoryMapping -AddUpdateUsers -ActivateUsers
$InputObj | Set-PASDirectoryMapping -MappingAuthorizations AddUpdateUsers, ActivateUsers
Assert-MockCalled Invoke-PASRestMethod -ParameterFilter {

$URI -eq "$($Script:BaseURI)/api/Configuration/LDAP/Directories/SomeDirectory/Mappings/SomeMappingID"
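Review bot: The new line in "sends request" is missing the comma between the two values: `-MappingAuthorizations AddUpdateUsers ActivateUsers`. Without it, `ActivateUsers` is parsed as a separate argument rather than a second enum value, so this test does not exercise the two-value list that the "sends request to expected endpoint" test passes as `AddUpdateUsers, ActivateUsers`. Add the comma so all three tests send the same input.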
Expand All @@ -73,7 +73,7 @@ Describe $FunctionName {
}

It "uses expected method" {
$InputObj | Set-PASDirectoryMapping -AddUpdateUsers -ActivateUsers
$InputObj | Set-PASDirectoryMapping -MappingAuthorizations AddUpdateUsers, ActivateUsers
Assert-MockCalled Invoke-PASRestMethod -ParameterFilter { $Method -match 'PUT' } -Times 1 -Exactly -Scope It

}
144 changes: 27 additions & 117 deletions docs/collections/_commands/New-PASDirectoryMapping.md
Expand Up @@ -4,33 +4,26 @@ title: New-PASDirectoryMapping

## SYNOPSIS

Adds a new Directory Mapping for an existing directory
Adds a new Directory Mapping for an existing directory

## SYNTAX

New-PASDirectoryMapping -DirectoryName <String> -MappingName <String> -LDAPBranch <String>
-DomainGroups <String[]> [-VaultGroups <String[]>] [-Location <String>] [-LDAPQuery <String>]
[-AddUpdateUsers] [-AddSafes] [-AddNetworkAreas] [-ManageServerFileCategories] [-AuditUsers]
[-BackupAllSafes] [-RestoreAllSafes] [-ResetUsersPasswords] [-ActivateUsers]
[-UserActivityLogPeriod <Int32>]

New-PASDirectoryMapping -DirectoryName <String> -MappingName <String> -LDAPBranch <String>
-DomainGroups <String[]> [-VaultGroups <String[]>] [-Location <String>] [-LDAPQuery <String>]
[-MappingAuthorizations <Int32[]>] [-UserActivityLogPeriod <Int32>]
New-PASDirectoryMapping [-DirectoryName] <String> [-MappingName] <String> [-LDAPBranch] <String> [-DomainGroups] <String[]> [[-VaultGroups] <String[]>] [[-Location] <String>] [[-LDAPQuery] <String>]
[[-MappingAuthorizations] {AddUpdateUsers | AddSafes | AddNetworkAreas | ManageServerFileCategories | AuditUsers | BackupAllSafes | RestoreAllSafes | ResetUsersPasswords | ActivateUsers}]
[[-UserActivityLogPeriod] <Int32>] [-WhatIf] [-Confirm] [<CommonParameters>]

## DESCRIPTION

Adds an LDAP directory to the Vault.

Membership of the Vault Admins group required.
Adds a directory mapping.
Membership of the Vault Admins group required.

## PARAMETERS

-DirectoryName <String>
The name of the directory the mapping is for.

Required? true
Position? named
Position? 1
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
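Review bot: The new SYNTAX line documents `-MappingAuthorizations` as one choice from `{AddUpdateUsers | AddSafes | ...}`, but the updated tests and examples pass comma-separated lists such as `RestoreAllSafes, BackupAllSafes`. State in the syntax or description that several values can be combined. Separately, every parameter here moves from `Position? named` to a numbered position (`Position? 1` in this hunk), which the commit message does not list among the breaking changes; with that many positional slots a stray token is bound to some parameter instead of being rejected, so either call the change out or keep the parameters named.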
Expand All @@ -39,7 +32,7 @@ Membership of the Vault Admins group required.
The name of the PAS role that will be created.

Required? true
Position? named
Position? 2
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
Expand All @@ -48,149 +41,69 @@ Membership of the Vault Admins group required.
The LDAP branch that will be used for external directory queries

Required? true
Position? named
Position? 3
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-DomainGroups <String[]>
Users who belong to these LDAP groups will be automatically assigned to the relevant roles
in the PAS system.
Users who belong to these LDAP groups will be automatically assigned to the relevant roles in the PAS system.

Required? true
Position? named
Position? 4
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-VaultGroups <String[]>
A list of Vault groups that a mapped user will be added to.
Requires CyberArk version 10.7+

Required? false
Position? named
Position? 5
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-Location <String>
The path of the Vault location that mapped users are added under.
This value cannot be updated.
Requires CyberArk version 10.7+

Required? false
Position? named
Position? 6
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-LDAPQuery <String>
Match LDAP query results to mapping
Requires CyberArk version 10.7+

Required? false
Position? named
Position? 7
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-MappingAuthorizations <Int32[]>
The integer flag representation of the security attributes and authorizations that will be
applied when an LDAP User Account is created in the Vault.
-MappingAuthorizations
Specify authorizations that will be applied when an LDAP User Account is created in the Vault.
To apply specific authorizations to a mapping, the user must have the same authorizations.
Possible authorizations: AddSafes, AuditUsers, AddUpdateUsers, ResetUsersPasswords,
ActivateUsers, AddNetworkAreas, ManageServerFileCategories, BackupAllSafes, RestoreAllSafes.
Possible authorizations: AddSafes, AuditUsers, AddUpdateUsers, ResetUsersPasswords, ActivateUsers,
AddNetworkAreas, ManageServerFileCategories, BackupAllSafes, RestoreAllSafes.

Required? false
Position? named
Position? 8
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-AddUpdateUsers [<SwitchParameter>]
Specify switch to add the AddUpdateUsers authorization to the directory mapping

Required? false
Position? named
Default value False
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-AddSafes [<SwitchParameter>]
Specify switch to add the AddSafes authorization to the directory mapping

Required? false
Position? named
Default value False
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-AddNetworkAreas [<SwitchParameter>]
Specify switch to add the AddNetworkAreas authorization to the directory mapping

Required? false
Position? named
Default value False
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-ManageServerFileCategories [<SwitchParameter>]
Specify switch to add the ManageServerFileCategories authorization to the directory mapping

Required? false
Position? named
Default value False
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-AuditUsers [<SwitchParameter>]
Specify switch to add the AuditUsers authorization to the directory mapping

Required? false
Position? named
Default value False
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-BackupAllSafes [<SwitchParameter>]
Specify switch to add the BackupAllSafes authorization to the directory mapping

Required? false
Position? named
Default value False
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-RestoreAllSafes [<SwitchParameter>]
Specify switch to add the RestoreAllSafes authorization to the directory mapping

Required? false
Position? named
Default value False
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-ResetUsersPasswords [<SwitchParameter>]
Specify switch to add the ResetUsersPasswords authorization to the directory mapping

Required? false
Position? named
Default value False
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-ActivateUsers [<SwitchParameter>]
Specify switch to add the ActivateUsers authorization to the directory mapping

Required? false
Position? named
Default value False
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false

-UserActivityLogPeriod <Int32>
Retention period in days for user activity logs
Requires CyberArk version 10.10+

Required? false
Position? named
Position? 9
Default value 0
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
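Review bot: The rewritten `-MappingAuthorizations` entry has lost its type: every other parameter is documented as `-Name <Type>`, while this one is a bare `-MappingAuthorizations`, and the text no longer says how values are supplied. Since the `<Int32[]>` form and the nine switch parameters are removed in the same hunk, add the enum type, say that a list of names is accepted, and note that integer values and the old switches are no longer valid, so callers upgrading can see what to change. This parameter decides which Vault authorizations every mapped LDAP user receives, so the accepted input should not be left to guesswork.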
Expand All @@ -215,14 +128,13 @@ Membership of the Vault Admins group required.
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).## EXAMPLES
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).

## EXAMPLES

-------------------------- EXAMPLE 1 --------------------------

PS C:\>New-PASDirectoryMapping -DirectoryName "domain.com" -LDAPBranch "DC=DOMAIN,DC=COM"
-DomainGroups ADGroup -MappingName Map3 -RestoreAllSafes -BackupAllSafes
PS C:\>New-PASDirectoryMapping -DirectoryName "domain.com" -LDAPBranch "DC=DOMAIN,DC=COM" -DomainGroups ADGroup -MappingName Map3 -MappingAuthorizations RestoreAllSafes, BackupAllSafes

Creates a new LDAP directory mapping in the Vault with the following authorizations:
BackupAllSafes, RestoreAllSafes
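Review bot: The about_CommonParameters link on the re-added line still reads `https:/go.microsoft.com/fwlink/?LinkID=113216`, with a single slash after the scheme. The line is being touched anyway to split off `## EXAMPLES`, so correct the URL to `https://` in the same change.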
Expand All @@ -232,8 +144,7 @@ Membership of the Vault Admins group required.

-------------------------- EXAMPLE 2 --------------------------

PS C:\>New-PASDirectoryMapping -DirectoryName "domain.com" -LDAPBranch "DC=DOMAIN,DC=COM"
-DomainGroups ADGroup -MappingName Map2 -MappingAuthorizations 1536
PS C:\>New-PASDirectoryMapping -DirectoryName "domain.com" -LDAPBranch "DC=DOMAIN,DC=COM" -DomainGroups ADGroup -MappingName Map2 -MappingAuthorizations BackupAllSafes, RestoreAllSafes

Creates a new LDAP directory mapping in the Vault with the following authorizations:
BackupAllSafes, RestoreAllSafes
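Review bot: After this change Example 2 passes `-MappingAuthorizations BackupAllSafes, RestoreAllSafes`, which is the same pair as Example 1 in the opposite order, so the two examples now document the same call apart from the mapping name. Example 2 previously existed to show the integer form (`1536`); with that gone, replace it with something Example 1 does not cover, such as a single authorization or a call that also sets `-VaultGroups`, or drop it.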
Expand All @@ -243,8 +154,7 @@ Membership of the Vault Admins group required.

-------------------------- EXAMPLE 3 --------------------------

PS C:\>New-PASDirectoryMapping -DirectoryName "domain.com" -LDAPBranch "DC=DOMAIN,DC=COM"
-DomainGroups ADGroup -MappingName Map1 -MappingAuthorizations 1,3,512
PS C:\>New-PASDirectoryMapping -DirectoryName "domain.com" -LDAPBranch "DC=DOMAIN,DC=COM" -DomainGroups ADGroup -MappingName Map1 -MappingAuthorizations AddUpdateUsers, AddSafes, BackupAllSafes

Creates a new LDAP directory mapping in the Vault with the following authorizations:
AddUpdateUsers, AddSafes, BackupAllSafes
