Add-SecretPermission - new command

thycotic-ps · Jun 26, 2021 · bcefc77 · bcefc77
1 parent bbad8c7
commit bcefc77
Show file tree

Hide file tree

Showing 3 changed files with 157 additions and 6 deletions.
diff --git a/src/functions/secrets/Add-SecretPermission.ps1 b/src/functions/secrets/Add-SecretPermission.ps1
@@ -0,0 +1,123 @@
+function Add-SecretPermission {
+    <#
+    .SYNOPSIS
+    Add a User or Group permission to a Secret
+
+    .DESCRIPTION
+    Add a User or Group permission to a Secret. Use -Force to break inheritance.
+
+    .EXAMPLE
+    session = New-TssSession -SecretServer https://alpha -Credential $ssCred
+    Add-TssSecretPermission -TssSession $session -Id 65 -Type User -Name bob -AccessRole Owner
+
+    Add bob to Secret 65 granting Secret role of owner
+
+    .EXAMPLE
+    $session = New-TssSession -SecretServer https://alpha -Credential $ssCred
+    $secrets = Search-TssSecret -TssSession $session | Where-Object -not InheritPermission
+    $secrets | Add-TssSecretPermission -TssSession $session -Username chance.wayne -AccessRole View
+
+    Add "chance.wayne" to all Secrets that do not have Inherit Permissions enabled. Granting Secret role of View
+
+    .EXAMPLE
+    $session = New-TssSession -SecretServer https://alpha -Credential $ssCred
+    $Secrets = Search-TssSecret -TssSession $session -SearchText 'App'
+    $Secrets | Add-TssSecretPermission -TssSession $session -Username chad -AccessRole Owner -Force
+
+    Add "chad" as owner for Secrets that have "App" in their name, will also break inheritance if enabled on any of the Secrets
+
+    .LINK
+    https://thycotic-ps.github.io/thycotic.secretserver/commands/Secrets/Add-TssSecretPermission
+
+    .LINK
+    https://github.com/thycotic-ps/thycotic.secretserver/blob/main/src/functions/Secrets/Add-SecretPermission.ps1
+
+    .NOTES
+    Requires TssSession object returned by New-TssSession
+    #>
+    [CmdletBinding()]
+    [OutputType('TssSecretPermission')]
+    param (
+        # TssSession object created by New-TssSession for auth
+        [Parameter(Mandatory, ValueFromPipeline, Position = 0)]
+        [TssSession]
+        $TssSession,
+
+        # Secret Id
+        [Parameter(Mandatory, ValueFromPipeline)]
+        [int[]]
+        $SecretId,
+
+        # Secret Access Role Name
+        [Parameter(Mandatory, ValueFromPipeline)]
+        [ValidateSet('List', 'View', 'Edit', 'Owner')]
+        [string]
+        $AccessRole,
+
+        #  Domain Name (the friendly name), if user or group is an Directory Service domain
+        [Parameter()]
+        [string]
+        $DomainName,
+
+        #  Group Name
+        [Parameter(ValueFromPipeline)]
+        [string]
+        $GroupName,
+
+        # Username
+        [Parameter(ValueFromPipeline)]
+        [string]
+        $Username,
+
+        # If provided will break inheritance on the secret and add the permission
+        [Parameter()]
+        [switch]
+        $Force
+    )
+    begin {
+        $tssParams = $PSBoundParameters
+    }
+    process {
+        Write-Verbose "Provided command parameters: $(. $GetInvocation $PSCmdlet.MyInvocation)"
+        if ($tssParams.ContainsKey('TssSession') -and $TssSession.IsValidSession()) {
+            . $CheckVersion $TssSession '10.9.000000' $PSCmdlet.MyInvocation
+
+            if ($tssParams.ContainsKey('Username')) {
+                $users = Search-TssUser -TssSession $TssSession
+                $username = $users.Where({ $_.Username -eq $Username }).Username
+            }
+            if ($tssParams.ContainsKey('Group')) {
+                $groups = Search-TssGroup -TssSession $TssSession
+                $groupName = $groups.Where({ $_.GroupName -eq $GroupName }).GroupName
+            }
+
+            if ($username.Count -gt 1) {
+                Write-Warning "More than one matching Username was found, please provide a more unique name"
+                return
+            } elseif ($groupName.Count -gt 1) {
+                Write-Warning "More than one matching Group Name was found, please provide a more unique name"
+                return
+            }
+
+            if ($username -or $groupName) {
+                $newSecretPermParams = @{
+                    TssSession = $TssSession
+                    SecretId   = $SecretId
+                    DomainName = $DomainName
+                    AccessRole = $AccessRole
+                }
+                if ($username) {
+                    $newSecretPermParams.Add('Username',$username)
+                } elseif ($groupName) {
+                    $newSecretPermParams.Add('GroupName',$groupName)
+                }
+                if ($tssParams.ContainsKey('Force')) {
+                    $newSecretPermParams.Add('Force',$Force)
+                }
+                New-TssSecretPermission @newSecretPermParams
+            }
+        } else {
+            Write-Warning 'No valid session found'
+        }
+    }
+}
diff --git a/src/parts/SearchSecrets.ps1 b/src/parts/SearchSecrets.ps1
@@ -4,26 +4,30 @@ param(
     [TssSession]
     $TssSession,
 
-    [Parameter(Mandatory,Position = 1)]
+    [Parameter(Position = 1)]
     [int]
     $FolderId,
 
-    [Parameter(Mandatory,Position = 2)]
+    [Parameter(Position = 2)]
     [string]
     $SearchText
 )
 begin {
     $invokeParams = . $GetInvokeTssParams $TssSession
 }
 process {
-    . $CheckVersion $TssSession '10.9.000000' $PSCmdlet.MyInvocation
     $uri = $TssSession.ApiUrl, 'secrets' -join '/'
     $uri += "?take=$($TssSession.Take)"
-    $uri += "&filter.includeRestricted=true&filter.isExactmatch=true"
+    $uri += "&filter.includeRestricted=true"
 
     $filters = @()
-    $filters += "filter.searchText=$SearchText"
-    $filters += "filter.folderId=$FolderId"
+    if ($FolderId) {
+        $filters += "filter.folderId=$FolderId"
+    }
+    if ($SearchText) {
+        $filters += "filter.searchText=$SearchText"
+        $filters += "filter.isExactmatch=true"
+    }
 
     if ($filters) {
         $uriFilter = $filters -join '&'

diff --git a/tests/secrets/Add-SecretPermission.Tests.ps1 b/tests/secrets/Add-SecretPermission.Tests.ps1
@@ -0,0 +1,24 @@
+BeforeDiscovery {
+    $commandName = Split-Path ($PSCommandPath.Replace('.Tests.ps1','')) -Leaf
+}
+Describe "$commandName verify parameters" {
+    BeforeDiscovery {
+        [object[]]$knownParameters = 'TssSession', 'SecretId', 'AccessRole', 'DomainName', 'GroupName', 'Username', 'Force'
+        [object[]]$currentParams = ([Management.Automation.CommandMetaData]$ExecutionContext.SessionState.InvokeCommand.GetCommand($commandName,'Function')).Parameters.Keys
+        [object[]]$commandDetails = [System.Management.Automation.CommandInfo]$ExecutionContext.SessionState.InvokeCommand.GetCommand($commandName,'Function')
+        $unknownParameters = Compare-Object -ReferenceObject $knownParameters -DifferenceObject $currentParams -PassThru
+    }
+    Context "Verify parameters" -Foreach @{currentParams = $currentParams } {
+        It "$commandName should contain <_> parameter" -TestCases $knownParameters {
+            $_ -in $currentParams | Should -Be $true
+        }
+        It "$commandName should not contain parameter: <_>" -TestCases $unknownParameters {
+            $_ | Should -BeNullOrEmpty
+        }
+    }
+    Context "Command specific details" {
+        It "$commandName should set OutputType to TssSecretPermission" -TestCases $commandDetails {
+            $_.OutputType.Name | Should -Be 'TssSecretPermission'
+        }
+    }
+}