From 78e8e25ef5a11733f264e158c24edc5853e9573f Mon Sep 17 00:00:00 2001
From: Pete Maan
Date: Sat, 31 Aug 2019 03:31:12 +0100
Subject: [PATCH] :sparkles: UPDATE New-PASSession ADD `SkipCertificateCheck` parameter. Enables SSL Validation to be skipped for the session. `Invoke-PASRestMethod` updated with separate flows for PWSH + PowerShell. PWSH uses the `SkipCertificateCheck` parameter present in `Invoke-WebRequest`. PowerShell uses code contained in `Skip-CertificateCheck.ps1`. Using SkipCertificateCheck parameter is not secure and is not recommended. Use at your own risk. Closes #196
---
 .../Authentication/New-PASSession.ps1 | 24 +++++++-
 psPAS/Private/Invoke-PASRestMethod.ps1 | 60 ++++++++++++++++++-
 psPAS/Private/Skip-CertificateCheck.ps1 | 40 +++++++++++++
 3 files changed, 120 insertions(+), 4 deletions(-)
 create mode 100644 psPAS/Private/Skip-CertificateCheck.ps1
diff --git a/psPAS/Functions/Authentication/New-PASSession.ps1 b/psPAS/Functions/Authentication/New-PASSession.ps1
index cc079e3d..58213148 100644
--- a/psPAS/Functions/Authentication/New-PASSession.ps1
+++ b/psPAS/Functions/Authentication/New-PASSession.ps1
@@ -81,6 +81,12 @@ See Invoke-WebRequest The thumbprint of the certificate to use for client certificate authentication.
+ .PARAMETER SkipCertificateCheck
+ Skips certificate validation checks.
+ Using this parameter is not secure and is not recommended.
+ This switch is only intended to be used against known hosts using a self-signed certificate for testing purposes.
+ Use at your own risk.
+ .EXAMPLE New-PASSession -Credential $cred -BaseURI https://PVWA -type LDAP
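Review bot: The `.PARAMETER SkipCertificateCheck` help describes the bypass as applying "for the session", but the rest of the patch gives it a wider scope: on Windows PowerShell `Skip-CertificateCheck` installs a process-wide `System.Net.ServicePointManager` certificate policy that nothing in this patch restores, and on PowerShell Core `Invoke-PASRestMethod` records the request in `$Script:SkipCertificateCheck` and adds the parameter to every later `Invoke-WebRequest` call. Suggest adding a sentence such as `Once used, certificate validation stays disabled for all later psPAS requests in this PowerShell process (and, on Windows PowerShell, for any other .NET HTTPS call in the process); restart PowerShell to re-enable it.` so that operators understand the blast radius before using it against a production PVWA. The one-line help added for the same parameter in Invoke-PASRestMethod would benefit from the same wording. The comment-based help block this hunk edits begins and ends outside the hunk.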
@@ -147,6 +153,11 @@ New-PASSession -UseSharedAuthentication -BaseURI https://pvwa.some.co -CertificateThumbprint 0e194289c57e666115109d6e2800c24fb7db6edb If authentication via certificates is configured, provide CertificateThumbprint details.
+
+ .EXAMPLE
+ New-PASSession -Credential $cred -BaseURI $url -SkipCertificateCheck
+
+ Skip SSL Certificate validation for the session. #> [CmdletBinding(SupportsShouldProcess, DefaultParameterSetName = "v10")] param(
@@ -348,7 +359,14 @@ ValueFromPipeline = $false, ValueFromPipelinebyPropertyName = $false )]
- [string]$CertificateThumbprint
+ [string]$CertificateThumbprint,
+
+ [parameter(
+ Mandatory = $false,
+ ValueFromPipeline = $false,
+ ValueFromPipelinebyPropertyName = $true
+ )]
+ [switch]$SkipCertificateCheck )
@@ -361,6 +379,7 @@ $LogonRequest["Method"] = "POST" $LogonRequest["SessionVariable"] = "PASSession" $LogonRequest["UseDefaultCredentials"] = $UseDefaultCredentials.IsPresent
+ $LogonRequest["SkipCertificateCheck"] = $SkipCertificateCheck.IsPresent If ($CertificateThumbprint) { $LogonRequest["CertificateThumbprint"] = $CertificateThumbprint }
@@ -416,7 +435,7 @@ PROCESS { #Get request parameters
- $boundParameters = $PSBoundParameters | Get-PASParameter -ParametersToRemove Credential, SkipVersionCheck,
+ $boundParameters = $PSBoundParameters | Get-PASParameter -ParametersToRemove Credential, SkipVersionCheck, SkipCertificateCheck, UseDefaultCredentials, CertificateThumbprint, BaseURI, PVWAAppName, OTP, type, OTPMode, OTPDelimiter, RadiusChallenge If (($PSCmdlet.ParameterSetName -match "^v9*") -or ($PSCmdlet.ParameterSetName -match "^v10*") ) {
@@ -542,7 +561,6 @@ If ($PASSession.length -ge 180) { #V10 Auth Token.
- $CyberArkLogonResult = $PASSession }
diff --git a/psPAS/Private/Invoke-PASRestMethod.ps1 b/psPAS/Private/Invoke-PASRestMethod.ps1
index 54ba1b5d..66b67f44 100644
--- a/psPAS/Private/Invoke-PASRestMethod.ps1
+++ b/psPAS/Private/Invoke-PASRestMethod.ps1
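Review bot: `[switch]$SkipCertificateCheck` is declared with `ValueFromPipelinebyPropertyName = $true`, whereas the `CertificateThumbprint` parameter directly above it uses `$false`; for a switch that disables TLS validation, binding by property name means any piped object that happens to carry a `SkipCertificateCheck` property turns validation off without the caller naming the switch. Unless the other parameters in this block (outside the hunk) deliberately bind by property name, `ValueFromPipelinebyPropertyName = $false` is the safer and more consistent choice. The attribute is also written `[parameter(` here while the same patch writes `[Parameter(` in Invoke-PASRestMethod. The param block starts before this hunk.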
@@ -46,6 +46,9 @@ See Invoke-WebRequest The thumbprint of the certificate to use for client certificate authentication.
+ .PARAMETER SkipCertificateCheck
+ Skips certificate validation checks.
+ .EXAMPLE Invoke-PASRestMethod -Uri $URI -Method DELETE -WebSession $Script:WebSession
@@ -86,7 +89,10 @@ [int]$TimeoutSec, [Parameter(Mandatory = $false)]
- [string]$CertificateThumbprint
+ [string]$CertificateThumbprint,
+
+ [Parameter(Mandatory = $false)]
+ [switch]$SkipCertificateCheck ) Begin {
@@ -104,6 +110,58 @@ }
+ Switch ($PSBoundParameters.ContainsKey("SkipCertificateCheck")) {
+
+ $true {
+
+ #SkipCertificateCheck Declared
+ if ( -not ($IsCoreCLR)) {
+
+ #Remove parameter, incompatible with PowerShell
+ $PSBoundParameters.Remove("SkipCertificateCheck") | Out-Null
+
+ if ($SkipCertificateCheck) {
+
+ #Skip SSL Validation
+ Skip-CertificateCheck
+
+ }
+
+ } else {
+
+ #PWSH
+ if ($SkipCertificateCheck) {
+
+ #Ongoing SSL Validation Bypass Required
+ $Script:SkipCertificateCheck = $true
+
+ }
+
+ }
+
+ }
+
+ $false {
+
+ #SkipCertificateCheck Not Declared
+ #SSL Validation Bypass Previously Requested
+ If ($Script:SkipCertificateCheck) {
+
+ #PWSH Zone
+ if ($IsCoreCLR) {
+
+ #Add SkipCertificateCheck to PS Core command
+ #Parameter must be included for all pwsh invocations of Invoke-WebRequest
+ $PSBoundParameters.Add("SkipCertificateCheck", $true)
+
+ }
+
+ }
+
+ }
+
+ }
+ #If Tls12 Security Protocol is available if (([Net.SecurityProtocolType].GetEnumNames() -contains "Tls12") -and
diff --git a/psPAS/Private/Skip-CertificateCheck.ps1 b/psPAS/Private/Skip-CertificateCheck.ps1
new file mode 100644
index 00000000..1b75a651
--- /dev/null
+++ b/psPAS/Private/Skip-CertificateCheck.ps1
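Review bot: In the PowerShell Core branch of the `$true` case, `$Script:SkipCertificateCheck` is only ever set to `$true` and never cleared, so after one `New-PASSession -SkipCertificateCheck` every later request in the process — including those of a session opened afterwards without the switch, whose logon call binds the parameter as `$false` via `$LogonRequest["SkipCertificateCheck"]` but whose subsequent calls do not declare it and therefore fall into the `$false` case — is sent with `SkipCertificateCheck`. Replacing the inner `if ($SkipCertificateCheck) { $Script:SkipCertificateCheck = $true }` with `$Script:SkipCertificateCheck = [bool]$SkipCertificateCheck` lets an explicit `-SkipCertificateCheck:$false` restore validation for subsequent calls on PowerShell Core; the Windows PowerShell path has no equivalent because `Skip-CertificateCheck` changes process-wide state. As a matter of style, a `Switch` over a boolean with `$true`/`$false` cases reads more plainly as `if ($PSBoundParameters.ContainsKey("SkipCertificateCheck")) { … } else { … }`. The `Begin` block this lands in starts before the hunk and continues after it.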
@@ -0,0 +1,40 @@
+Function Skip-CertificateCheck {
+ <#
+ .SYNOPSIS
+ Bypass SSL Validation
+
+ .DESCRIPTION
+ Enables skipping of ssl certificate validation for current PowerShell session.
+
+ .EXAMPLE
+ Skip-CertificateCheck
+
+ #>
+
+ #Only required to be executed once per ps session
+ $Provider = New-Object Microsoft.CSharp.CSharpCodeProvider
+ $Compiler = $Provider.CreateCompiler()
+ $Params = New-Object System.CodeDom.Compiler.CompilerParameters
+ $Params.GenerateExecutable = $false
+ $Params.GenerateInMemory = $true
+ $Params.IncludeDebugInformation = $false
+ $Params.ReferencedAssemblies.Add("System.DLL") | Out-Null
+ $TASource = @'
+ namespace Local.ToolkitExtensions.Net.CertificatePolicy
+ {
+ public class TrustAll : System.Net.ICertificatePolicy
+ {
+ public bool CheckValidationResult(System.Net.ServicePoint sp,System.Security.Cryptography.X509Certificates.X509Certificate cert, System.Net.WebRequest req, int problem)
+ {
+ return true;
+ }
+ }
+ }
+'@
+
+ $TAResults = $Provider.CompileAssemblyFromSource($Params, $TASource)
+ $TAAssembly = $TAResults.CompiledAssembly
+ ## Create an instance of TrustAll and attach it to the ServicePointManager
+ $TrustAll = $TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
+ [System.Net.ServicePointManager]::CertificatePolicy = $TrustAll
+}
\ No newline at end of file
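Review bot: `$TAResults.Errors` is never inspected before `$TAResults.CompiledAssembly` is read, so a CodeDOM compile failure (presumably possible when no C# compiler is available to the session — not shown here) surfaces as an opaque error on the `CompiledAssembly` line instead of a clear message. The comment `#Only required to be executed once per ps session` is also not enforced: every call compiles and installs a new `TrustAll` assembly, and `$Compiler = $Provider.CreateCompiler()` is never used (`CompileAssemblyFromSource` is called on the provider directly). Since `ServicePointManager.CertificatePolicy` is process-wide and the previous policy is neither saved nor restored, the `.DESCRIPTION` should say "for the remainder of the PowerShell process" rather than "for current PowerShell session". The version below adds an idempotency guard and an explicit compile-error check.
```powershell
Function Skip-CertificateCheck {
    # … unchanged: comment-based help …

    #The policy is process-wide and persists; do not compile and install it twice
    $Current = [System.Net.ServicePointManager]::CertificatePolicy
    if ($null -ne $Current -and $Current.GetType().FullName -eq "Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll") {
        return
    }

    $Provider = New-Object Microsoft.CSharp.CSharpCodeProvider
    # … unchanged: $Params setup and $TASource (the unused $Compiler line removed) …

    $TAResults = $Provider.CompileAssemblyFromSource($Params, $TASource)
    if ($TAResults.Errors.HasErrors) {
        throw "Skip-CertificateCheck: failed to compile certificate policy: $($TAResults.Errors[0].ErrorText)"
    }
    $TAAssembly = $TAResults.CompiledAssembly
    # … unchanged: CreateInstance and CertificatePolicy assignment …
}
```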