Test-TssDistributedEngineCloudAccess - new command to verify port acc…
…ess from DE to Secret Server Cloud
Showing
8 changed files
with
380 additions
and
0 deletions.
103 changes: 103 additions & 0 deletions
103
docs/commands/distributed-engines/Test-TssDistributedEngineCloudAccess.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,103 @@ | ||
# Test-TssDistributedEngineCloudAccess | ||
|
||
## SYNOPSIS | ||
Validate network and firewall access to Secret Server Cloud from a device | ||
|
||
## SYNTAX | ||
|
||
``` | ||
Test-TssDistributedEngineCloudAccess [-TssSession] <Session> [-TransportType <Object>] [-Timeout <Int32>] | ||
[<CommonParameters>] | ||
``` | ||
|
||
## DESCRIPTION | ||
Validate network and firewall access to Secret Server Cloud (SSC) from a device. | ||
The command validates port access for SSC and the Azure Service Bus host. | ||
This function would be used from your Distributed Engine to verify the proper outputbound access is in place for a Distributed Engine to communicate with SSC. | ||
|
||
## EXAMPLES | ||
|
||
### EXAMPLE 1 | ||
``` | ||
$session = New-TssSession -SecretServer https://alpha -Credential $ssCred | ||
Test-TssDistributedEngineCloudAccess -TssSession $session -TransportType AMQP -Timeout 30 | ||
``` | ||
|
||
Run Hostname and IP port test for SSC URL and Service Bus with ports 5671 and 5672 for AMQP, with a timeout of 30 seconds | ||
|
||
### EXAMPLE 2 | ||
``` | ||
$session = New-TssSession -SecretServer https://alpha -Credential $ssCred | ||
Test-TssDistributedEngineCloudAccess -TssSession $session | ||
``` | ||
|
||
Run Hostname and IP port test for SSC URL and Service Bus with port 443 (Web Sockets), with a default timeout of 5 seconds | ||
|
||
## PARAMETERS | ||
|
||
### -TssSession | ||
TssSession object created by New-TssSession for authentication | ||
|
||
```yaml | ||
Type: Session | ||
Parameter Sets: (All) | ||
Aliases: | ||
|
||
Required: True | ||
Position: 1 | ||
Default value: None | ||
Accept pipeline input: True (ByValue) | ||
Accept wildcard characters: False | ||
``` | ||
|
||
### -TransportType | ||
Azure ServiceBus Transport Type (Admin \> Distributed Engine \> Configuration tab), defaults to WebSockets | ||
|
||
```yaml | ||
Type: Object | ||
Parameter Sets: (All) | ||
Aliases: | ||
|
||
Required: False | ||
Position: Named | ||
Default value: Web Sockets | ||
Accept pipeline input: False | ||
Accept wildcard characters: False | ||
``` | ||
|
||
### -Timeout | ||
Timeout for connection test, defaults to 5 seconds | ||
|
||
```yaml | ||
Type: Int32 | ||
Parameter Sets: (All) | ||
Aliases: | ||
|
||
Required: False | ||
Position: Named | ||
Default value: 5 | ||
Accept pipeline input: False | ||
Accept wildcard characters: False | ||
``` | ||
|
||
### CommonParameters | ||
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). | ||
|
||
## INPUTS | ||
|
||
## OUTPUTS | ||
|
||
### Thycotic.PowerShell.DistributedEngines.CloudAccessResult | ||
## NOTES | ||
Requires TssSession object returned by New-TssSession | ||
|
||
Details on IP and Hostnames used: | ||
- https://docs.thycotic.com/ss/11.0.0/secret-server-setup/upgrading/ssc-ip-change-3-21#new_ip_addresses_and_hostnames | ||
- https://docs.thycotic.com/ss-arc/1.0.0/secret-server/secret-server-cloud | ||
|
||
## RELATED LINKS | ||
|
||
[https://thycotic-ps.github.io/thycotic.secretserver/commands/distributed-engines/Test-TssDistributedEngineCloudAccess](https://thycotic-ps.github.io/thycotic.secretserver/commands/distributed-engines/Test-TssDistributedEngineCloudAccess) | ||
|
||
[https://github.com/thycotic-ps/thycotic.secretserver/blob/main/src/functions/distributed-engines/Test-TssDistributedEngineCloudAccess.ps1](https://github.com/thycotic-ps/thycotic.secretserver/blob/main/src/functions/distributed-engines/Test-TssDistributedEngineCloudAccess.ps1) | ||
|
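--- a/src/Thycotic.SecretServer/classes/distributed-engines/CloudAccessResult.cs
+++ b/src/Thycotic.SecretServer/classes/distributed-engines/CloudAccessResult.cs
@@ -0,0 +1,15 @@
+using System;
+using System.Threading.Tasks;
+using System.Management.Automation;
+using System.Management.Automation.Runspaces;
+
+namespace Thycotic.PowerShell.DistributedEngines
+{
+public class CloudAccessResult
+{
+public string ItemName { get; set; }
+public string HostAddress { get; set; }
+public int Port { get; set; }
+public string Status { get; set; }
+}
+}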
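Review bot: `Status` is a free-form string that the accompanying .ps1 in this commit only ever sets to 'Successful' or 'Failed', so nothing in the type tells a caller filtering on it which values to expect; an enum would pin that, or at minimum an XML doc on the property such as `/// <summary>Outcome of the TCP reachability check: "Successful" or "Failed".</summary>`. None of the four `using` directives is referenced by this class (nothing from System, System.Threading.Tasks, System.Management.Automation or its Runspaces namespace appears in the body), so they can be dropped. A `<summary>` on the class itself stating that one instance describes one host/port probe would also help, since the docs file names the type as the command's OutputType but never describes its fields.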
168 changes: 168 additions & 0 deletions
168
src/functions/distributed-engines/Test-TssDistributedEngineCloudAccess.ps1
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,168 @@ | ||
function Test-TssDistributedEngineCloudAccess { | ||
<# | ||
.SYNOPSIS | ||
Validate network and firewall access to Secret Server Cloud from a device | ||
.DESCRIPTION | ||
Validate network and firewall access to Secret Server Cloud (SSC) from a device. The command validates port access for SSC and the Azure Service Bus host. | ||
This function would be used from your Distributed Engine to verify the proper outputbound access is in place for a Distributed Engine to communicate with SSC. | ||
.EXAMPLE | ||
$session = New-TssSession -SecretServer https://alpha -Credential $ssCred | ||
Test-TssDistributedEngineCloudAccess -TssSession $session -TransportType AMQP -Timeout 30 | ||
Run Hostname and IP port test for SSC URL and Service Bus with ports 5671 and 5672 for AMQP, with a timeout of 30 seconds | ||
.EXAMPLE | ||
$session = New-TssSession -SecretServer https://alpha -Credential $ssCred | ||
Test-TssDistributedEngineCloudAccess -TssSession $session | ||
Run Hostname and IP port test for SSC URL and Service Bus with port 443 (Web Sockets), with a default timeout of 5 seconds | ||
.LINK | ||
https://thycotic-ps.github.io/thycotic.secretserver/commands/distributed-engines/Test-TssDistributedEngineCloudAccess | ||
.LINK | ||
https://github.com/thycotic-ps/thycotic.secretserver/blob/main/src/functions/distributed-engines/Test-TssDistributedEngineCloudAccess.ps1 | ||
.NOTES | ||
Requires TssSession object returned by New-TssSession | ||
Details on IP and Hostnames used: | ||
- https://docs.thycotic.com/ss/11.0.0/secret-server-setup/upgrading/ssc-ip-change-3-21#new_ip_addresses_and_hostnames | ||
- https://docs.thycotic.com/ss-arc/1.0.0/secret-server/secret-server-cloud | ||
#> | ||
[cmdletbinding()] | ||
[OutputType('Thycotic.PowerShell.DistributedEngines.CloudAccessResult')] | ||
param( | ||
# TssSession object created by New-TssSession for authentication | ||
[Parameter(Mandatory, ValueFromPipeline, Position = 0)] | ||
[Thycotic.PowerShell.Authentication.Session] | ||
$TssSession, | ||
|
||
# Azure ServiceBus Transport Type (Admin > Distributed Engine > Configuration tab), defaults to WebSockets | ||
[ValidateSet('Web Sockets', 'AMQP')] | ||
$TransportType = 'Web Sockets', | ||
|
||
# Timeout for connection test, defaults to 5 seconds | ||
[int] | ||
$Timeout = 5 | ||
) | ||
begin { | ||
$tssParams = $PSBoundParameters | ||
} | ||
process { | ||
Get-TssInvocation $PSCmdlet.MyInvocation | ||
if ($tssParams.ContainsKey('TssSession') -and $TssSession.IsValidSession()) { | ||
$secretServerUrl = $TssSession.SecretServer | ||
$secretServerHost = ([uri]$TssSession.SecretServer).Host | ||
$tssSscDomains = . $SscDomains | ||
$tssSscDomainIps = . $sscDomainIps | ||
$tssServiceBusHosts = . $SscAzureServiceBusHosts | ||
|
||
switch ([string]$TransportType) { | ||
'Web Sockets' { $testPortServiceBus = 443 } | ||
'AMQP' { $testPortServiceBus = 5671,5672 } | ||
} | ||
|
||
$regionDomain = $tssSscDomains.Where({ $secretServerUrl -match $_.Domain }) | ||
$region = $regionDomain.Region | ||
$domain = $regionDomain.Domain | ||
Write-Verbose "Setting region to: $region" | ||
Write-Verbose "Host domain for Secret Server Cloud: $domain" | ||
|
||
$testSBHosts = $tssServiceBusHosts.Where({ $_.Domain -eq $domain }) | ||
$testDomainIPs = $tssSscDomainIps.Where({ $_.Domain -eq $domain }) | ||
$results = @() | ||
|
||
$ssTcp = [System.Net.Sockets.TcpClient]::new() | ||
$sscResult = [Thycotic.PowerShell.DistributedEngines.CloudAccessResult]@{ | ||
ItemName = 'Secret Server Cloud Domain' | ||
HostAddress = $secretServerHost | ||
Port = 443 | ||
Status = $null | ||
} | ||
Write-Verbose "Testing Secret Server Cloud Domain [$secretServerHost] on port [443]" | ||
if ($ssTcp.ConnectAsync($secretServerHost,443).Wait([timespan]::FromSeconds($Timeout))) { | ||
Write-Warning "Secret Server Cloud Domain test failed on port [443]" | ||
$sscResult.Status = 'Failed' | ||
} else { | ||
Write-Verbose "Secret Server Cloud Domain test successful on port [443]" | ||
$sscResult.Status = 'Successful' | ||
} | ||
$results += $sscResult | ||
|
||
$siteConnector = Search-TssDistributedEngineConnector -TssSession $TssSession | ||
if ($siteConnector) { | ||
foreach ($port in $testPortServiceBus) { | ||
$customerServiceBus = $siteConnector.Hostname | ||
Write-Verbose "Testing Customer Service Bus host [$CustomerServiceBus] on port [$port]" | ||
|
||
$cSbTcp = [System.Net.Sockets.TcpClient]::new() | ||
$cSbResult = [Thycotic.PowerShell.DistributedEngines.CloudAccessResult]@{ | ||
ItemName = 'Customer Service Bus Hostname' | ||
HostAddress = $customerServiceBus | ||
Port = $port | ||
Status = $null | ||
} | ||
if ($cSbTcp.ConnectAsync($customerServiceBus,$port).Wait([timespan]::FromSeconds($Timeout))) { | ||
Write-Warning "Service Bus Host test failed on port [$port]" | ||
$cSbResult.Status = 'Failed' | ||
} else { | ||
Write-Verbose "Service Bus Host test successful on port [$port]" | ||
$cSbResult.Status = 'Successful' | ||
} | ||
$results += $cSbResult | ||
|
||
<# Test Azure Service Bus Hostname connection #> | ||
foreach ($sbHost in $testSBHosts) { | ||
$currentSBResult = [Thycotic.PowerShell.DistributedEngines.CloudAccessResult]@{ | ||
ItemName = 'Azure Service Bus Hostname' | ||
HostAddress = $sbHost.HostAddress | ||
Port = $port | ||
Status = $null | ||
} | ||
$sbTcp = [System.Net.Sockets.TcpClient]::new() | ||
Write-Verbose "Testing Azure Service Bus hostname: [$($sbHost.HostAddress)]" | ||
if ($sbTcp.ConnectAsync($sbHost.HostAddress,$port).Wait([timespan]::FromSeconds($Timeout))) { | ||
Write-Warning "Azure Service Bus hostname test failed on port [$port]" | ||
$currentSBResult.Status = 'Failed' | ||
} else { | ||
Write-Verbose "Azure Service Bus hostname test successful on port [$port]" | ||
$currentSBResult.Status = 'Successful' | ||
} | ||
$sbTcp.Close() | ||
$sbTcp.Dispose() | ||
$results += $currentSBResult | ||
} | ||
} | ||
} else { | ||
Write-Warning "Unable to retrieve Site Connector details" | ||
} | ||
<# Test Domain IPs #> | ||
foreach ($domainIP in $testDomainIPs) { | ||
$currentIPResult = [Thycotic.PowerShell.DistributedEngines.CloudAccessResult]@{ | ||
ItemName = 'Secret Server Cloud Domain IP' | ||
HostAddress = $domainIP.HostAddress | ||
Port = 443 | ||
Status = $null | ||
} | ||
$dTcp = [System.Net.Sockets.TcpClient]::new() | ||
Write-Verbose "Testing Secret Server Cloud Domain IP: [$($domainIP.HostAddress)]" | ||
if ($dTcp.ConnectAsync($domainIP.HostAddress,443).Wait([timespan]::FromSeconds($Timeout))) { | ||
Write-Warning "Secret Server Cloud Domain IP test failed [$($domainIP.HostAddress)]" | ||
$currentIPResult.Status = 'Failed' | ||
} else { | ||
Write-Verbose "Secret Server Cloud Domain IP test successful [$($domainIP.HostAddress)]" | ||
$currentIPResult.Status = 'Successful' | ||
} | ||
$dTcp.Close() | ||
$dTcp.Dispose() | ||
$results += $currentIPResult | ||
} | ||
$results | Sort-Object ItemName | ||
} else { | ||
Write-Warning "No valid session found" | ||
} | ||
} | ||
} |
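Review bot: The four connectivity checks (the `if` lines at L267, L291, L311 and L336) read the result of `Task.Wait(TimeSpan)` backwards: `.Wait()` returns `$true` when the connect task completed within the timeout, so a host that answers is recorded as 'Failed' and one that times out as 'Successful', and a refused or unreachable connect faults the task, making `.Wait()` throw an AggregateException that nothing catches and that aborts the whole run. The clients created at L259 and L284 are also never closed, unlike the ones at L318 and L343. The region lookup at L247 uses each domain string as an unanchored regex against the full URL, so `secretservercloud.com` also matches the `.com.au` and `.com.sg` URLs and `$regionDomain` can become a two-element array, after which the `-eq $domain` filters at L254–L255 presumably match nothing; comparing `$secretServerHost.EndsWith($_.Domain, [StringComparison]::OrdinalIgnoreCase)` avoids both the regex metacharacters and the prefix overlap. A single probe scriptblock shared by the four checks fixes the inversion, the unhandled exception and the leak in one place:
```powershell
# one connect probe used by all four checks; $Timeout is the function parameter
$probePort = {
    param([string]$HostAddress, [int]$Port)
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        # Wait() is $true only when the task completed inside the timeout;
        # Connected guards the completed-but-not-connected case
        if ($tcp.ConnectAsync($HostAddress, $Port).Wait([timespan]::FromSeconds($Timeout)) -and $tcp.Connected) {
            return 'Successful'
        }
        return 'Failed'
    } catch {
        # refused/unreachable: ConnectAsync faults and Wait() throws instead of returning $false
        Write-Verbose "Connect to [$HostAddress] on port [$Port] raised: $($_.Exception.Message)"
        return 'Failed'
    } finally {
        $tcp.Dispose()
    }
}
# … unchanged: CloudAccessResult construction for each check …
$sscResult.Status = & $probePort $secretServerHost 443
if ($sscResult.Status -eq 'Failed') { Write-Warning "Secret Server Cloud Domain test failed on port [443]" }
```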
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
"secretservercloud.com,thycotic-ssc-us-er-sb-01-prod-b.servicebus.windows.net", | ||
"secretservercloud.com,thycotic-ssc-us-er-sb-01-prod-g.servicebus.windows.net", | ||
"secretservercloud.com,thycotic-ssc-us-er-sb-02-prod-b.servicebus.windows.net", | ||
"secretservercloud.com,thycotic-ssc-us-er-sb-02-prod-g.servicebus.windows.net", | ||
"secretservercloud.com.au,thycotic-ssc-au-er-sb-01-prod-b.servicebus.windows.net", | ||
"secretservercloud.com.au,thycotic-ssc-au-er-sb-01-prod-g.servicebus.windows.net", | ||
"secretservercloud.com.au,thycotic-ssc-au-er-sb-02-prod-b.servicebus.windows.net", | ||
"secretservercloud.com.au,thycotic-ssc-au-er-sb-02-prod-g.servicebus.windows.net", | ||
"secretservercloud.ca,thycotic-ssc-ca-er-sb-01-prod-b.servicebus.windows.net", | ||
"secretservercloud.ca,thycotic-ssc-ca-er-sb-01-prod-g.servicebus.windows.net", | ||
"secretservercloud.ca,thycotic-ssc-ca-er-sb-02-prod-b.servicebus.windows.net", | ||
"secretservercloud.ca,thycotic-ssc-ca-er-sb-02-prod-g.servicebus.windows.net", | ||
"secretservercloud.eu,thycotic-ssc-eu-er-sb-01-prod-b.servicebus.windows.net", | ||
"secretservercloud.eu,thycotic-ssc-eu-er-sb-01-prod-g.servicebus.windows.net", | ||
"secretservercloud.eu,thycotic-ssc-eu-er-sb-02-prod-b.servicebus.windows.net", | ||
"secretservercloud.eu,thycotic-ssc-eu-er-sb-02-prod-g.servicebus.windows.net", | ||
"secretservercloud.com.sg,thycotic-ssc-sea-er-sb-01-prod-b.servicebus.windows.net", | ||
"secretservercloud.com.sg,thycotic-ssc-sea-er-sb-01-prod-g.servicebus.windows.net", | ||
"secretservercloud.com.sg,thycotic-ssc-sea-er-sb-02-prod-b.servicebus.windows.net", | ||
"secretservercloud.com.sg,thycotic-ssc-sea-er-sb-02-prod-g.servicebus.windows.net" | ConvertFrom-Csv -Header 'Domain', 'HostAddress' |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
"secretservercloud.com,52.224.253.7", | ||
"secretservercloud.com,52.224.253.4", | ||
"secretservercloud.com.au,20.37.251.37", | ||
"secretservercloud.com.au,20.37.251.120", | ||
"secretservercloud.ca,52.228.117.246", | ||
"secretservercloud.ca,52.228.113.119", | ||
"secretservercloud.eu,20.79.64.213", | ||
"secretservercloud.eu,20.79.65.3", | ||
"secretservercloud.com.sg,20.195.97.220", | ||
"secretservercloud.com.sg,20.195.98.154" | ConvertFrom-Csv -Header 'Domain', 'HostAddress' |
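Review bot: The address list is hard-coded with no record of where or when it was taken, and the .NOTES link the command cites (the ssc-ip-change page at L207) is itself about these addresses changing, so a stale entry here will surface to a Distributed Engine operator as a spurious 'Failed' against an address that no longer serves the tenant. A leading comment naming the source and capture date, e.g. `# Source: https://docs.thycotic.com/ss/11.0.0/secret-server-setup/upgrading/ssc-ip-change-3-21#new_ip_addresses_and_hostnames (retrieved <DATE>)`, gives the next maintainer a place to check before trusting a failure report. The same applies to the Service Bus host list in the hunk above.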
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
"US,secretservercloud.com", | ||
"AU,secretservercloud.com.au", | ||
"CA,secretservercloud.ca", | ||
"EU,secretservercloud.eu", | ||
"SG,secretservecloud.com.sg" | ConvertFrom-Csv -Header 'Region', 'Domain' |
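Review bot: The SG entry at L402 reads `secretservecloud.com.sg` (missing the "r"), while the host and IP lists in the preceding hunks spell it `secretservercloud.com.sg`. The command selects the region by matching this domain against the session URL and then filters both other lists by `-eq $domain`, so a Singapore tenant would get an empty region, no Service Bus host checks and no IP checks, with only the top-level domain probe reported. Change the line to `"SG,secretservercloud.com.sg" | ConvertFrom-Csv -Header 'Region', 'Domain'`.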
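--- a/tests/distributed-engines/Test-TssDistributedEngineCloudAccess.Tests.ps1
+++ b/tests/distributed-engines/Test-TssDistributedEngineCloudAccess.Tests.ps1
@@ -0,0 +1,24 @@
+BeforeDiscovery {
+$commandName = Split-Path ($PSCommandPath.Replace('.Tests.ps1','')) -Leaf
+}
+Describe "$commandName verify parameters" {
+BeforeDiscovery {
+[object[]]$knownParameters = 'TssSession', 'TransportType', 'Timeout'
+[object[]]$currentParams = ([Management.Automation.CommandMetaData]$ExecutionContext.SessionState.InvokeCommand.GetCommand($commandName,'Function')).Parameters.Keys
+[object[]]$commandDetails = [System.Management.Automation.CommandInfo]$ExecutionContext.SessionState.InvokeCommand.GetCommand($commandName,'Function')
+$unknownParameters = Compare-Object -ReferenceObject $knownParameters -DifferenceObject $currentParams -PassThru
+}
+Context "Verify parameters" -Foreach @{currentParams = $currentParams } {
+It "$commandName should contain <_> parameter" -TestCases $knownParameters {
+$_ -in $currentParams | Should -Be $true
+}
+It "$commandName should not contain parameter: <_>" -TestCases $unknownParameters {
+$_ | Should -BeNullOrEmpty
+}
+}
+Context "Command specific details" {
+It "$commandName should set OutputType to Thycotic.PowerShell.DistributedEngines.CloudAccessResult" -TestCases $commandDetails {
+$_.OutputType.Name | Should -Be 'Thycotic.PowerShell.DistributedEngines.CloudAccessResult'
+}
+}
+}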
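Review bot: The "Command specific details" context only pins the OutputType; the `TransportType` ValidateSet values and the `Timeout` default of 5 that the docs file promises are not asserted, so either could drift without a test failing. One more `It` in that context using the same `$commandDetails` cases would cover the set, e.g. `($_.Parameters['TransportType'].Attributes | Where-Object { $_ -is [ValidateSet] }).ValidValues | Should -Be @('Web Sockets', 'AMQP')`. The parameter-name checks themselves look fine.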