Commit 0228004: Test-TssDistributedEngineCloudAccess - new command to verify port access from DE to Secret Server Cloud
wsmelton committed Oct 7, 2021
1 parent 0052393 commit 0228004
Showing 8 changed files with 380 additions and 0 deletions.
@@ -0,0 +1,103 @@
# Test-TssDistributedEngineCloudAccess

## SYNOPSIS
Validate network and firewall access to Secret Server Cloud from a device

## SYNTAX

```
Test-TssDistributedEngineCloudAccess [-TssSession] <Session> [-TransportType <Object>] [-Timeout <Int32>]
[<CommonParameters>]
```

## DESCRIPTION
Validate network and firewall access to Secret Server Cloud (SSC) from a device.
The command validates port access for SSC and the Azure Service Bus host.
This function would be used from your Distributed Engine to verify the proper outputbound access is in place for a Distributed Engine to communicate with SSC.

## EXAMPLES

### EXAMPLE 1
```
$session = New-TssSession -SecretServer https://alpha -Credential $ssCred
Test-TssDistributedEngineCloudAccess -TssSession $session -TransportType AMQP -Timeout 30
```

Run Hostname and IP port test for SSC URL and Service Bus with ports 5671 and 5672 for AMQP, with a timeout of 30 seconds

### EXAMPLE 2
```
$session = New-TssSession -SecretServer https://alpha -Credential $ssCred
Test-TssDistributedEngineCloudAccess -TssSession $session
```

Run Hostname and IP port test for SSC URL and Service Bus with port 443 (Web Sockets), with a default timeout of 5 seconds

## PARAMETERS

### -TssSession
TssSession object created by New-TssSession for authentication

```yaml
Type: Session
Parameter Sets: (All)
Aliases:

Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
```

### -TransportType
Azure ServiceBus Transport Type (Admin \> Distributed Engine \> Configuration tab), defaults to WebSockets

```yaml
Type: Object
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: Web Sockets
Accept pipeline input: False
Accept wildcard characters: False
```

### -Timeout
Timeout for connection test, defaults to 5 seconds

```yaml
Type: Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: 5
Accept pipeline input: False
Accept wildcard characters: False
```

### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).

## INPUTS

## OUTPUTS

### Thycotic.PowerShell.DistributedEngines.CloudAccessResult
## NOTES
Requires TssSession object returned by New-TssSession

Details on IP and Hostnames used:
- https://docs.thycotic.com/ss/11.0.0/secret-server-setup/upgrading/ssc-ip-change-3-21#new_ip_addresses_and_hostnames
- https://docs.thycotic.com/ss-arc/1.0.0/secret-server/secret-server-cloud

## RELATED LINKS

[https://thycotic-ps.github.io/thycotic.secretserver/commands/distributed-engines/Test-TssDistributedEngineCloudAccess](https://thycotic-ps.github.io/thycotic.secretserver/commands/distributed-engines/Test-TssDistributedEngineCloudAccess)

[https://github.com/thycotic-ps/thycotic.secretserver/blob/main/src/functions/distributed-engines/Test-TssDistributedEngineCloudAccess.ps1](https://github.com/thycotic-ps/thycotic.secretserver/blob/main/src/functions/distributed-engines/Test-TssDistributedEngineCloudAccess.ps1)
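Review bot: "outputbound" in the DESCRIPTION paragraph should read "outbound"; the same typo sits in the function's comment-based help, so fix it there so the regenerated doc picks it up. The INPUTS section is empty even though -TssSession is declared as accepting pipeline input ByValue; list Thycotic.PowerShell.Authentication.Session there. The SYNTAX block also renders -TransportType as <Object> because the parameter carries no type; a [string] type on the parameter would make the generated syntax and the two ValidateSet values clearer.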

35 changes: 35 additions & 0 deletions src/Thycotic.SecretServer.Format.ps1xml
@@ -3675,5 +3675,40 @@
</TableRowEntries>
</TableControl>
</View>

<!-- Thycotic.PowerShell.DistributedEngines.CloudAccessResult -->
<View>
<Name>DistributedEngines.CloudAccessResult</Name>
<ViewSelectedBy>
<TypeName>Thycotic.PowerShell.DistributedEngines.CloudAccessResult</TypeName>
</ViewSelectedBy>
<TableControl>
<TableHeaders>
<TableColumnHeader />
<TableColumnHeader />
<TableColumnHeader />
<TableColumnHeader />
</TableHeaders>
<TableRowEntries>
<TableRowEntry>
<TableColumnItems>
<TableColumnItem>
<PropertyName>ItemName</PropertyName>
</TableColumnItem>
<TableColumnItem>
<PropertyName>HostAddress</PropertyName>
</TableColumnItem>
<TableColumnItem>
<PropertyName>Port</PropertyName>
</TableColumnItem>
<TableColumnItem>
<PropertyName>Status</PropertyName>
</TableColumnItem>
</TableColumnItems>
</TableRowEntry>
</TableRowEntries>
</TableControl>
</View>

</ViewDefinitions>
</Configuration>
@@ -0,0 +1,15 @@
using System;
using System.Threading.Tasks;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

namespace Thycotic.PowerShell.DistributedEngines
{
public class CloudAccessResult
{
public string ItemName { get; set; }
public string HostAddress { get; set; }
public int Port { get; set; }
public string Status { get; set; }
}
}
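Review bot: the using directives for System.Threading.Tasks, System.Management.Automation and System.Management.Automation.Runspaces are unused in this class and can be dropped. Status is a free-form string that the function sets to 'Successful' or 'Failed'; a bool or a small enum would stop a typo from introducing a third state that the Format view and callers filtering on Status do not expect.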
@@ -0,0 +1,168 @@
function Test-TssDistributedEngineCloudAccess {
<#
.SYNOPSIS
Validate network and firewall access to Secret Server Cloud from a device
.DESCRIPTION
Validate network and firewall access to Secret Server Cloud (SSC) from a device. The command validates port access for SSC and the Azure Service Bus host.
This function would be used from your Distributed Engine to verify the proper outputbound access is in place for a Distributed Engine to communicate with SSC.
.EXAMPLE
$session = New-TssSession -SecretServer https://alpha -Credential $ssCred
Test-TssDistributedEngineCloudAccess -TssSession $session -TransportType AMQP -Timeout 30
Run Hostname and IP port test for SSC URL and Service Bus with ports 5671 and 5672 for AMQP, with a timeout of 30 seconds
.EXAMPLE
$session = New-TssSession -SecretServer https://alpha -Credential $ssCred
Test-TssDistributedEngineCloudAccess -TssSession $session
Run Hostname and IP port test for SSC URL and Service Bus with port 443 (Web Sockets), with a default timeout of 5 seconds
.LINK
https://thycotic-ps.github.io/thycotic.secretserver/commands/distributed-engines/Test-TssDistributedEngineCloudAccess
.LINK
https://github.com/thycotic-ps/thycotic.secretserver/blob/main/src/functions/distributed-engines/Test-TssDistributedEngineCloudAccess.ps1
.NOTES
Requires TssSession object returned by New-TssSession
Details on IP and Hostnames used:
- https://docs.thycotic.com/ss/11.0.0/secret-server-setup/upgrading/ssc-ip-change-3-21#new_ip_addresses_and_hostnames
- https://docs.thycotic.com/ss-arc/1.0.0/secret-server/secret-server-cloud
#>
[cmdletbinding()]
[OutputType('Thycotic.PowerShell.DistributedEngines.CloudAccessResult')]
param(
# TssSession object created by New-TssSession for authentication
[Parameter(Mandatory, ValueFromPipeline, Position = 0)]
[Thycotic.PowerShell.Authentication.Session]
$TssSession,

# Azure ServiceBus Transport Type (Admin > Distributed Engine > Configuration tab), defaults to WebSockets
[ValidateSet('Web Sockets', 'AMQP')]
$TransportType = 'Web Sockets',

# Timeout for connection test, defaults to 5 seconds
[int]
$Timeout = 5
)
begin {
$tssParams = $PSBoundParameters
}
process {
Get-TssInvocation $PSCmdlet.MyInvocation
if ($tssParams.ContainsKey('TssSession') -and $TssSession.IsValidSession()) {
$secretServerUrl = $TssSession.SecretServer
$secretServerHost = ([uri]$TssSession.SecretServer).Host
$tssSscDomains = . $SscDomains
$tssSscDomainIps = . $sscDomainIps
$tssServiceBusHosts = . $SscAzureServiceBusHosts

switch ([string]$TransportType) {
'Web Sockets' { $testPortServiceBus = 443 }
'AMQP' { $testPortServiceBus = 5671,5672 }
}

$regionDomain = $tssSscDomains.Where({ $secretServerUrl -match $_.Domain })
$region = $regionDomain.Region
$domain = $regionDomain.Domain
Write-Verbose "Setting region to: $region"
Write-Verbose "Host domain for Secret Server Cloud: $domain"

$testSBHosts = $tssServiceBusHosts.Where({ $_.Domain -eq $domain })
$testDomainIPs = $tssSscDomainIps.Where({ $_.Domain -eq $domain })
$results = @()

$ssTcp = [System.Net.Sockets.TcpClient]::new()
$sscResult = [Thycotic.PowerShell.DistributedEngines.CloudAccessResult]@{
ItemName = 'Secret Server Cloud Domain'
HostAddress = $secretServerHost
Port = 443
Status = $null
}
Write-Verbose "Testing Secret Server Cloud Domain [$secretServerHost] on port [443]"
if ($ssTcp.ConnectAsync($secretServerHost,443).Wait([timespan]::FromSeconds($Timeout))) {
Write-Warning "Secret Server Cloud Domain test failed on port [443]"
$sscResult.Status = 'Failed'
} else {
Write-Verbose "Secret Server Cloud Domain test successful on port [443]"
$sscResult.Status = 'Successful'
}
$results += $sscResult

$siteConnector = Search-TssDistributedEngineConnector -TssSession $TssSession
if ($siteConnector) {
foreach ($port in $testPortServiceBus) {
$customerServiceBus = $siteConnector.Hostname
Write-Verbose "Testing Customer Service Bus host [$CustomerServiceBus] on port [$port]"

$cSbTcp = [System.Net.Sockets.TcpClient]::new()
$cSbResult = [Thycotic.PowerShell.DistributedEngines.CloudAccessResult]@{
ItemName = 'Customer Service Bus Hostname'
HostAddress = $customerServiceBus
Port = $port
Status = $null
}
if ($cSbTcp.ConnectAsync($customerServiceBus,$port).Wait([timespan]::FromSeconds($Timeout))) {
Write-Warning "Service Bus Host test failed on port [$port]"
$cSbResult.Status = 'Failed'
} else {
Write-Verbose "Service Bus Host test successful on port [$port]"
$cSbResult.Status = 'Successful'
}
$results += $cSbResult

<# Test Azure Service Bus Hostname connection #>
foreach ($sbHost in $testSBHosts) {
$currentSBResult = [Thycotic.PowerShell.DistributedEngines.CloudAccessResult]@{
ItemName = 'Azure Service Bus Hostname'
HostAddress = $sbHost.HostAddress
Port = $port
Status = $null
}
$sbTcp = [System.Net.Sockets.TcpClient]::new()
Write-Verbose "Testing Azure Service Bus hostname: [$($sbHost.HostAddress)]"
if ($sbTcp.ConnectAsync($sbHost.HostAddress,$port).Wait([timespan]::FromSeconds($Timeout))) {
Write-Warning "Azure Service Bus hostname test failed on port [$port]"
$currentSBResult.Status = 'Failed'
} else {
Write-Verbose "Azure Service Bus hostname test successful on port [$port]"
$currentSBResult.Status = 'Successful'
}
$sbTcp.Close()
$sbTcp.Dispose()
$results += $currentSBResult
}
}
} else {
Write-Warning "Unable to retrieve Site Connector details"
}
<# Test Domain IPs #>
foreach ($domainIP in $testDomainIPs) {
$currentIPResult = [Thycotic.PowerShell.DistributedEngines.CloudAccessResult]@{
ItemName = 'Secret Server Cloud Domain IP'
HostAddress = $domainIP.HostAddress
Port = 443
Status = $null
}
$dTcp = [System.Net.Sockets.TcpClient]::new()
Write-Verbose "Testing Secret Server Cloud Domain IP: [$($domainIP.HostAddress)]"
if ($dTcp.ConnectAsync($domainIP.HostAddress,443).Wait([timespan]::FromSeconds($Timeout))) {
Write-Warning "Secret Server Cloud Domain IP test failed [$($domainIP.HostAddress)]"
$currentIPResult.Status = 'Failed'
} else {
Write-Verbose "Secret Server Cloud Domain IP test successful [$($domainIP.HostAddress)]"
$currentIPResult.Status = 'Successful'
}
$dTcp.Close()
$dTcp.Dispose()
$results += $currentIPResult
}
$results | Sort-Object ItemName
} else {
Write-Warning "No valid session found"
}
}
}
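Review bot: the success/failure mapping around every ConnectAsync call is inverted. Task.Wait(TimeSpan) returns $true when the task completes within the timeout, i.e. when the connection was established, so `if ($ssTcp.ConnectAsync($secretServerHost,443).Wait([timespan]::FromSeconds($Timeout)))` sets Status = 'Failed' for a reachable host and 'Successful' for one that timed out; the same pattern repeats for $cSbTcp, $sbTcp and $dTcp. A refused or reset connection also makes Wait() throw an AggregateException that nothing catches, so the command terminates part-way instead of recording Failed. Wrap each probe in try/catch, treat a $true return (or $client.Connected) as success, and record Failed on timeout or exception. Second, `$tssSscDomains.Where({ $secretServerUrl -match $_.Domain })` uses the domain as an unanchored regex, so 'secretservercloud.com' also matches a .com.au or .com.sg URL; $regionDomain then holds two rows, $domain becomes an array and the later `$_.Domain -eq $domain` filters match nothing, leaving non-US tenants with no Service Bus or IP results. Compare on the host instead, e.g. `$secretServerHost -like "*.$($_.Domain)"` or `$secretServerHost.EndsWith($_.Domain)`. Third, the "Test Azure Service Bus Hostname connection" loop is nested inside the foreach over $testPortServiceBus, which only runs when Search-TssDistributedEngineConnector returns a connector, so the Azure hosts are silently skipped whenever that lookup fails; move that loop out of the if block. Finally, $ssTcp and $cSbTcp are never closed or disposed, unlike $sbTcp and $dTcp.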
20 changes: 20 additions & 0 deletions src/parts/SscAzureServiceBusHosts.ps1
@@ -0,0 +1,20 @@
"secretservercloud.com,thycotic-ssc-us-er-sb-01-prod-b.servicebus.windows.net",
"secretservercloud.com,thycotic-ssc-us-er-sb-01-prod-g.servicebus.windows.net",
"secretservercloud.com,thycotic-ssc-us-er-sb-02-prod-b.servicebus.windows.net",
"secretservercloud.com,thycotic-ssc-us-er-sb-02-prod-g.servicebus.windows.net",
"secretservercloud.com.au,thycotic-ssc-au-er-sb-01-prod-b.servicebus.windows.net",
"secretservercloud.com.au,thycotic-ssc-au-er-sb-01-prod-g.servicebus.windows.net",
"secretservercloud.com.au,thycotic-ssc-au-er-sb-02-prod-b.servicebus.windows.net",
"secretservercloud.com.au,thycotic-ssc-au-er-sb-02-prod-g.servicebus.windows.net",
"secretservercloud.ca,thycotic-ssc-ca-er-sb-01-prod-b.servicebus.windows.net",
"secretservercloud.ca,thycotic-ssc-ca-er-sb-01-prod-g.servicebus.windows.net",
"secretservercloud.ca,thycotic-ssc-ca-er-sb-02-prod-b.servicebus.windows.net",
"secretservercloud.ca,thycotic-ssc-ca-er-sb-02-prod-g.servicebus.windows.net",
"secretservercloud.eu,thycotic-ssc-eu-er-sb-01-prod-b.servicebus.windows.net",
"secretservercloud.eu,thycotic-ssc-eu-er-sb-01-prod-g.servicebus.windows.net",
"secretservercloud.eu,thycotic-ssc-eu-er-sb-02-prod-b.servicebus.windows.net",
"secretservercloud.eu,thycotic-ssc-eu-er-sb-02-prod-g.servicebus.windows.net",
"secretservercloud.com.sg,thycotic-ssc-sea-er-sb-01-prod-b.servicebus.windows.net",
"secretservercloud.com.sg,thycotic-ssc-sea-er-sb-01-prod-g.servicebus.windows.net",
"secretservercloud.com.sg,thycotic-ssc-sea-er-sb-02-prod-b.servicebus.windows.net",
"secretservercloud.com.sg,thycotic-ssc-sea-er-sb-02-prod-g.servicebus.windows.net" | ConvertFrom-Csv -Header 'Domain', 'HostAddress'
10 changes: 10 additions & 0 deletions src/parts/SscDomainIps.ps1
@@ -0,0 +1,10 @@
"secretservercloud.com,52.224.253.7",
"secretservercloud.com,52.224.253.4",
"secretservercloud.com.au,20.37.251.37",
"secretservercloud.com.au,20.37.251.120",
"secretservercloud.ca,52.228.117.246",
"secretservercloud.ca,52.228.113.119",
"secretservercloud.eu,20.79.64.213",
"secretservercloud.eu,20.79.65.3",
"secretservercloud.com.sg,20.195.97.220",
"secretservercloud.com.sg,20.195.98.154" | ConvertFrom-Csv -Header 'Domain', 'HostAddress'
5 changes: 5 additions & 0 deletions src/parts/SscDomains.ps1
@@ -0,0 +1,5 @@
"US,secretservercloud.com",
"AU,secretservercloud.com.au",
"CA,secretservercloud.ca",
"EU,secretservercloud.eu",
"SG,secretservecloud.com.sg" | ConvertFrom-Csv -Header 'Region', 'Domain'
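Review bot: the SG row reads "secretservecloud.com.sg" (missing the "r" in "secretserver"), so a Singapore tenant URL never matches this entry and $region and $domain stay empty for that region; it should be "SG,secretservercloud.com.sg" to line up with the Domain values in SscDomainIps.ps1 and SscAzureServiceBusHosts.ps1.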
@@ -0,0 +1,24 @@
BeforeDiscovery {
$commandName = Split-Path ($PSCommandPath.Replace('.Tests.ps1','')) -Leaf
}
Describe "$commandName verify parameters" {
BeforeDiscovery {
[object[]]$knownParameters = 'TssSession', 'TransportType', 'Timeout'
[object[]]$currentParams = ([Management.Automation.CommandMetaData]$ExecutionContext.SessionState.InvokeCommand.GetCommand($commandName,'Function')).Parameters.Keys
[object[]]$commandDetails = [System.Management.Automation.CommandInfo]$ExecutionContext.SessionState.InvokeCommand.GetCommand($commandName,'Function')
$unknownParameters = Compare-Object -ReferenceObject $knownParameters -DifferenceObject $currentParams -PassThru
}
Context "Verify parameters" -Foreach @{currentParams = $currentParams } {
It "$commandName should contain <_> parameter" -TestCases $knownParameters {
$_ -in $currentParams | Should -Be $true
}
It "$commandName should not contain parameter: <_>" -TestCases $unknownParameters {
$_ | Should -BeNullOrEmpty
}
}
Context "Command specific details" {
It "$commandName should set OutputType to Thycotic.PowerShell.DistributedEngines.CloudAccessResult" -TestCases $commandDetails {
$_.OutputType.Name | Should -Be 'Thycotic.PowerShell.DistributedEngines.CloudAccessResult'
}
}
}
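Review bot: these tests only check the parameter surface and the OutputType attribute; nothing exercises the result mapping, which is where this command can mislead an operator (a Status of Successful when a port is actually blocked). Add a Context that mocks Search-TssDistributedEngineConnector and the TcpClient probe for one reachable and one unreachable host, and asserts the Status values on the returned CloudAccessResult objects, so an inverted Wait() branch would fail CI rather than ship.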
