Signed-off-by: Dimitar Milov <dmilov@vmware.com>
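--- /dev/null
+++ b/Modules/VMware.vSphere.SsoAdmin/AuthenticationPolicy.ps1
@@ -0,0 +1,329 @@
+<#
+Copyright 2021 VMware, Inc.
+SPDX-License-Identifier: BSD-2-Clause
+#>
+
+function Get-SsoAuthenticationPolicy {
+<#
+.NOTES
+===========================================================================
+Created on: 7/28/2021
+Created by: Dimitar Milov
+Twitter: @dimitar_milov
+Github: https://github.com/dmilov
+===========================================================================
+
+.SYNOPSIS
+Gets Authentication Policy
+
+.DESCRIPTION
+Gets Authentication Policy.
+
+.PARAMETER Server
+Specifies the vSphere Sso Admin Server on which you want to run the cmdlet.
+If not specified the servers available in $global:DefaultSsoAdminServers variable will be used.
+
+.EXAMPLE
+Get-SsoAuthenticationPolicy
+
+Gets the Authentication Policy for the connected servers
+
+#>
+
+[CmdletBinding()]
+param(
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'Connected SsoAdminServer object')]
+[ValidateNotNull()]
+[VMware.vSphere.SsoAdminClient.DataTypes.SsoAdminServer]
+$Server)
+
+Process {
+$serversToProcess = $global:DefaultSsoAdminServers.ToArray()
+if ($null -ne $Server) {
+$serversToProcess = $Server
+}
+
+foreach ($connection in $serversToProcess) {
+if (-not $connection.IsConnected) {
+Write-Error "Server $connection is disconnected"
+continue
+}
+
+# Output is the result of 'GetAuthenticationPolicy'
+try {
+$connection.Client.GetAuthenticationPolicy()
+}
+catch {
+Write-Error (FormatError $_.Exception)
+}
+}
+}
+}
+
+function Set-SsoAuthenticationPolicy {
+<#
+.NOTES
+===========================================================================
+Created on: 7/28/2021
+Created by: Dimitar Milov
+Twitter: @dimitar_milov
+Github: https://github.com/dmilov
+===========================================================================
+
+.SYNOPSIS
+Updates Authentication Policy
+
+.DESCRIPTION
+Updates Authentication Policy settings
+
+.PARAMETER AuthenticationPolicy
+An AuthenticationPolicy to update retrieved from Set-SsoAuthenticationPolicy cmdlet
+
+.PARAMETER PasswordAuthnEnabled
+Enables or disables Password Authentication
+
+.PARAMETER WindowsAuthnEnabled
+Enables or disables Windows Authentication
+
+.PARAMETER SmartCardAuthnEnabled
+Enables or disables Smart Card Authentication
+
+.PARAMETER CRLCacheSize
+Specifies CRL Cache size
+
+.PARAMETER CRLUrl
+Specifies CRL Url
+
+.PARAMETER OCSPEnabled
+Enables or disables OCSP
+
+.PARAMETER OCSPResponderSigningCert
+OCSP Responder Signing Certificate
+
+.PARAMETER OCSPUrl
+
+.PARAMETER OIDs
+
+.PARAMETER SendOCSPNonce
+
+.PARAMETER TrustedCAs
+
+.PARAMETER UseCRLAsFailOver,
+
+.PARAMETER UseInCertCRL
+
+.EXAMPLE
+$myServer = Connect-SsoAdminServer -Server MyServer -User myUser -Password myPassword
+Get-SsoAuthenticationPolicy -Server $myServer | Set-SsoAuthenticationPolicy -SmartCardAuthnEnabled $true
+
+Enables SmartCard Authnetication on server $myServer
+
+#>
+
+[CmdletBinding(ConfirmImpact = 'Medium')]
+param(
+[Parameter(
+Mandatory = $true,
+ValueFromPipeline = $true,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'AuthenticationPolicy object to update')]
+[ValidateNotNull()]
+[VMware.vSphere.SsoAdminClient.DataTypes.AuthenticationPolicy]
+$AuthenticationPolicy,
+
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'Enables or disables Password Authentication')]
+[bool]
+$PasswordAuthnEnabled,
+
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'Enables or disables Windows Authentication')]
+[bool]
+$WindowsAuthnEnabled,
+
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'Enables or disables Smart Card Authentication')]
+[bool]
+$SmartCardAuthnEnabled,
+
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'CRL Cache size')]
+[int]
+$CRLCacheSize,
+
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'CRL Url')]
+[string]
+$CRLUrl,
+
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'Enables or disables OCSP')]
+[bool]
+$OCSPEnabled,
+
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'OCSP Responder Signing Certificate')]
+[System.Security.Cryptography.X509Certificates.X509Certificate2]
+$OCSPResponderSigningCert,
+
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'OCSP Url')]
+[string]
+$OCSPUrl,
+
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'OIDs')]
+[string[]]
+$OIDs,
+
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'Enables or disables seinding OCSP Nonce')]
+[bool]
+$SendOCSPNonce,
+
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'List of trusted CAs')]
+[string[]]
+$TrustedCAs,
+
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'Specifies whether to use CRL fail over')]
+[bool]
+$UseCRLAsFailOver,
+
+
+[Parameter(
+Mandatory = $false,
+ValueFromPipeline = $false,
+ValueFromPipelineByPropertyName = $false,
+HelpMessage = 'Specifiеs whether to use CRL from certificate')]
+[bool]
+$UseInCertCRL)
+
+Process {
+
+try {
+foreach ($a in $AuthenticationPolicy) {
+$ssoAdminClient = $a.GetClient()
+
+if ((-not $ssoAdminClient)) {
+Write-Error "Object '$a' is from disconnected server"
+continue
+}
+
+if (-not $PSBoundParameters.ContainsKey('PasswordAuthnEnabled')) {
+$PasswordAuthnEnabled = $a.PasswordAuthnEnabled
+}
+
+if (-not $PSBoundParameters.ContainsKey('WindowsAuthnEnabled')) {
+$WindowsAuthnEnabled = $a.WindowsAuthnEnabled
+}
+
+if (-not $PSBoundParameters.ContainsKey('SmartCardAuthnEnabled')) {
+$SmartCardAuthnEnabled = $a.SmartCardAuthnEnabled
+}
+
+if (-not $PSBoundParameters.ContainsKey('CRLCacheSize')) {
+$CRLCacheSize = $a.CRLCacheSize
+}
+
+if (-not $PSBoundParameters.ContainsKey('CRLUrl')) {
+$CRLUrl = $a.CRLUrl
+}
+
+if (-not $PSBoundParameters.ContainsKey('OCSPEnabled')) {
+$OCSPEnabled = $a.OCSPEnabled
+}
+
+if (-not $PSBoundParameters.ContainsKey('OCSPResponderSigningCert')) {
+$OCSPResponderSigningCert = $a.OCSPResponderSigningCert
+}
+
+if (-not $PSBoundParameters.ContainsKey('OCSPUrl')) {
+$OCSPUrl = $a.OCSPUrl
+}
+
+if (-not $PSBoundParameters.ContainsKey('OIDs')) {
+$OIDs = $a.OIDs
+}
+
+if (-not $PSBoundParameters.ContainsKey('SendOCSPNonce')) {
+$SendOCSPNonce = $a.SendOCSPNonce
+}
+
+if (-not $PSBoundParameters.ContainsKey('TrustedCAs')) {
+$TrustedCAs = $a.TrustedCAs
+}
+
+if (-not $PSBoundParameters.ContainsKey('UseCRLAsFailOver')) {
+$UseCRLAsFailOver = $a.UseCRLAsFailOver
+}
+
+if (-not $PSBoundParameters.ContainsKey('UseInCertCRL')) {
+$UseInCertCRL = $a.UseInCertCRL
+}
+
+$ssoAdminClient.SetAuthenticationPolicy(
+$PasswordAuthnEnabled,
+$WindowsAuthnEnabled,
+$SmartCardAuthnEnabled,
+$CRLCacheSize,
+$CRLUrl,
+$OCSPEnabled,
+$OCSPResponderSigningCert,
+$OCSPUrl,
+$OIDs,
+$SendOCSPNonce,
+$TrustedCAs,
+$UseCRLAsFailOver,
+$UseInCertCRL
+)
+
+# Output updated policy
+Write-Output ($ssoAdminClient.GetAuthenticationPolicy())
+}
+} catch {
+Write-Error (FormatError $_.Exception)
+}
+}
+}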
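Review bot: `[CmdletBinding(ConfirmImpact = 'Medium')]` on Set-SsoAuthenticationPolicy is inert without `SupportsShouldProcess`, so a cmdlet that can turn off password authentication or rewrite the smart-card CRL/OCSP settings for the SSO domain offers no -WhatIf or -Confirm; change the attribute to `[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]` and wrap the `$ssoAdminClient.SetAuthenticationPolicy(` call in `if ($PSCmdlet.ShouldProcess($a, 'Set authentication policy')) {`. The comment-based help has defects: `.PARAMETER AuthenticationPolicy` says the object is "retrieved from Set-SsoAuthenticationPolicy" where Get-SsoAuthenticationPolicy is meant, `.PARAMETER UseCRLAsFailOver,` carries a trailing comma that will not match the parameter name, and the OCSPUrl, OIDs, SendOCSPNonce, TrustedCAs, UseCRLAsFailOver and UseInCertCRL entries have no description. The HelpMessage for SendOCSPNonce misspells "sending", and the one for UseInCertCRL appears to contain a non-ASCII look-alike letter in "Specifiеs" (compare the ASCII "Specifies" on UseCRLAsFailOver) — worth replacing with plain ASCII so the text searches and diffs cleanly. Finally, `Write-Error "Object '$a' is from disconnected server"` reads better as `"Object '$a' is from a disconnected server"`.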
@@ -1,22 +1,21 @@
|
||||
<#
|
||||
Copyright 2021 VMware, Inc.
|
||||
SPDX-License-Identifier: BSD-2-Clause
|
||||
#>
|
||||
|
||||
#
|
||||
# Module manifest for module 'VMware.vSphere.SsoAdmin'
|
||||
#
|
||||
# Generated by: dmilov@vmware.com
|
||||
# Generated by: Dimitar Milov
|
||||
#
|
||||
# Generated on: 7/28/2021
|
||||
#
|
||||
# Generated on: 9/25/20
|
||||
|
||||
@{
|
||||
|
||||
# Script module or binary module file associated with this manifest
|
||||
# Script module or binary module file associated with this manifest.
|
||||
RootModule = 'VMware.vSphere.SsoAdmin.psm1'
|
||||
|
||||
# Version number of this module.
|
||||
ModuleVersion = '1.3.2'
|
||||
ModuleVersion = '1.3.3'
|
||||
|
||||
# Supported PSEditions
|
||||
# CompatiblePSEditions = @()
|
||||
|
||||
# ID used to uniquely identify this module
|
||||
GUID = 'b3e25326-e809-4d68-a252-ca5fcaf1eb8b'
|
||||
@@ -33,27 +32,111 @@ Copyright = 'Copyright (c) VMware, Inc. All rights reserved.'
|
||||
# Description of the functionality provided by this module
|
||||
Description = 'PowerShell Module for Managing VMware vSphere SSO Admin functionality.'
|
||||
|
||||
# Minimum version of the PowerShell engine required by this module
|
||||
# PowerShellVersion = ''
|
||||
|
||||
# Name of the PowerShell host required by this module
|
||||
# PowerShellHostName = ''
|
||||
|
||||
# Minimum version of the PowerShell host required by this module
|
||||
# PowerShellHostVersion = ''
|
||||
|
||||
# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
|
||||
# DotNetFrameworkVersion = ''
|
||||
|
||||
# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
|
||||
# ClrVersion = ''
|
||||
|
||||
# Processor architecture (None, X86, Amd64) required by this module
|
||||
# ProcessorArchitecture = ''
|
||||
|
||||
# Modules that must be imported into the global environment prior to importing this module
|
||||
RequiredModules = @(
|
||||
@{"ModuleName"="VMware.VimAutomation.Common";"ModuleVersion"="12.0.0.15939652"}
|
||||
)
|
||||
RequiredModules = @(@{ModuleName = 'VMware.VimAutomation.Common'; ModuleVersion = '12.0.0.15939652'; })
|
||||
|
||||
# Functions to export from this module
|
||||
FunctionsToExport = @(
|
||||
'Connect-SsoAdminServer', 'Disconnect-SsoAdminServer',
|
||||
'New-SsoPersonUser', 'Get-SsoPersonUser', 'Set-SsoPersonUser', 'Remove-SsoPersonUser', 'Set-SsoSelfPersonUserPassword'
|
||||
'New-SsoGroup', 'Get-SsoGroup', 'Set-SsoGroup', 'Remove-SsoGroup', 'Add-GroupToSsoGroup', 'Remove-GroupFromSsoGroup', 'Add-UserToSsoGroup', 'Remove-UserFromSsoGroup'
|
||||
'Get-SsoPasswordPolicy', 'Set-SsoPasswordPolicy',
|
||||
'Get-SsoLockoutPolicy', 'Set-SsoLockoutPolicy',
|
||||
'Get-SsoTokenLifetime', 'Set-SsoTokenLifetime',
|
||||
'Get-IdentitySource', 'Remove-IdentitySource', 'Add-ActiveDirectoryIdentitySource', 'Add-LDAPIdentitySource', 'Set-LDAPIdentitySource')
|
||||
# Assemblies that must be loaded prior to importing this module
|
||||
# RequiredAssemblies = @()
|
||||
|
||||
# Cmdlets to export from this module
|
||||
# Script files (.ps1) that are run in the caller's environment prior to importing this module.
|
||||
# ScriptsToProcess = @()
|
||||
|
||||
# Type files (.ps1xml) to be loaded when importing this module
|
||||
# TypesToProcess = @()
|
||||
|
||||
# Format files (.ps1xml) to be loaded when importing this module
|
||||
# FormatsToProcess = @()
|
||||
|
||||
# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
|
||||
# NestedModules = @()
|
||||
|
||||
# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
|
||||
FunctionsToExport = 'Connect-SsoAdminServer', 'Disconnect-SsoAdminServer',
|
||||
'New-SsoPersonUser', 'Get-SsoPersonUser', 'Set-SsoPersonUser',
|
||||
'Remove-SsoPersonUser', 'Set-SsoSelfPersonUserPassword',
|
||||
'New-SsoGroup', 'Get-SsoGroup', 'Set-SsoGroup', 'Remove-SsoGroup',
|
||||
'Add-GroupToSsoGroup', 'Remove-GroupFromSsoGroup',
|
||||
'Add-UserToSsoGroup', 'Remove-UserFromSsoGroup',
|
||||
'Get-SsoPasswordPolicy', 'Set-SsoPasswordPolicy',
|
||||
'Get-SsoLockoutPolicy', 'Set-SsoLockoutPolicy',
|
||||
'Get-SsoTokenLifetime', 'Set-SsoTokenLifetime', 'Get-IdentitySource',
|
||||
'Remove-IdentitySource', 'Add-ActiveDirectoryIdentitySource',
|
||||
'Add-LDAPIdentitySource', 'Set-LDAPIdentitySource',
|
||||
'Get-SsoAuthenticationPolicy', 'Set-SsoAuthenticationPolicy'
|
||||
|
||||
# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
|
||||
CmdletsToExport = @()
|
||||
|
||||
# Variables to export from this module
|
||||
VariablesToExport = ''
|
||||
# VariablesToExport = @()
|
||||
|
||||
# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
|
||||
AliasesToExport = 'Add-ActiveDirectoryIdentitySource'
|
||||
|
||||
# DSC resources to export from this module
|
||||
# DscResourcesToExport = @()
|
||||
|
||||
# List of all modules packaged with this module
|
||||
# ModuleList = @()
|
||||
|
||||
# List of all files packaged with this module
|
||||
# FileList = @()
|
||||
|
||||
# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
|
||||
PrivateData = @{
|
||||
PSData = @{
|
||||
|
||||
# Tags applied to this module. These help with module discovery in online galleries.
|
||||
# Tags = @()
|
||||
|
||||
# A URL to the license for this module.
|
||||
# LicenseUri = ''
|
||||
|
||||
# A URL to the main website for this project.
|
||||
# ProjectUri = ''
|
||||
|
||||
# A URL to an icon representing this module.
|
||||
IconUri = 'https://blogs.vmware.com/PowerCLI/files/2020/10/PowerCLI.png'
|
||||
|
||||
# ReleaseNotes of this module
|
||||
# ReleaseNotes = ''
|
||||
|
||||
# Prerelease string of this module
|
||||
# Prerelease = ''
|
||||
|
||||
# Flag to indicate whether the module requires explicit user acceptance for install/update/save
|
||||
# RequireLicenseAcceptance = $false
|
||||
|
||||
# External dependent modules of this module
|
||||
# ExternalModuleDependencies = @()
|
||||
|
||||
} # End of PSData hashtable
|
||||
|
||||
} # End of PrivateData hashtable
|
||||
|
||||
# HelpInfo URI of this module
|
||||
# HelpInfoURI = ''
|
||||
|
||||
# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
|
||||
# DefaultCommandPrefix = ''
|
||||
|
||||
}
|
||||
|
||||
# Aliases to export from this module
|
||||
AliasesToExport = @('Add-ActiveDirectoryIdentitySource')
|
||||
}
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,36 @@
|
||||
/*
|
||||
Copyright 2021 VMware, Inc.
|
||||
SPDX-License-Identifier: BSD-2-Clause
|
||||
*/
|
||||
|
||||
using System.Security.Cryptography.X509Certificates;
|
||||
|
||||
namespace VMware.vSphere.SsoAdminClient.DataTypes
|
||||
{
|
||||
public class AuthenticationPolicy
|
||||
{
|
||||
SsoAdminClient _client;
|
||||
public AuthenticationPolicy(SsoAdminClient client) {
|
||||
_client = client;
|
||||
}
|
||||
|
||||
public SsoAdminClient GetClient() {
|
||||
return _client;
|
||||
}
|
||||
|
||||
public bool PasswordAuthnEnabled { get; internal set; }
|
||||
public bool WindowsAuthnEnabled { get; internal set; }
|
||||
public bool SmartCardAuthnEnabled { get; internal set; }
|
||||
public bool OCSPEnabled { get; internal set; }
|
||||
public bool UseCRLAsFailOver { get; internal set; }
|
||||
public bool SendOCSPNonce { get; internal set; }
|
||||
public string OCSPUrl { get; internal set; }
|
||||
public X509Certificate2 OCSPResponderSigningCert { get; internal set; }
|
||||
public bool UseInCertCRL { get; internal set; }
|
||||
public string CRLUrl { get; internal set; }
|
||||
public int CRLCacheSize { get; internal set; }
|
||||
public string[] Oids { get; internal set; }
|
||||
public string[] TrustedCAs { get; internal set; }
|
||||
|
||||
}
|
||||
}
|
||||
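Review bot: `SsoAdminClient _client;` is assigned only in the constructor yet is left mutable and without an access modifier; declare it `private readonly SsoAdminClient _client;` so the back-reference to the connection cannot be replaced after construction. The `Oids` property breaks the acronym casing used by its siblings (`OCSPUrl`, `CRLUrl`, `TrustedCAs`) and by the PowerShell parameter `$OIDs` in AuthenticationPolicy.ps1; PowerShell resolves it case-insensitively, but `OIDs` would keep the two sides consistent for C# callers. The type has no XML documentation; a class summary such as `/// <summary>Snapshot of the SSO authentication policy returned by SsoAdminClient.GetAuthenticationPolicy; setters are internal because instances are built by the client.</summary>` would tell callers why the properties are read-only from outside the assembly.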
@@ -1296,5 +1296,130 @@ namespace VMware.vSphere.SsoAdminClient
|
||||
}
|
||||
}
|
||||
#endregion
|
||||
|
||||
#region AuthenticationConfiguration
|
||||
public DataTypes.AuthenticationPolicy GetAuthenticationPolicy() {
|
||||
var authorizedInvocationContext =
|
||||
CreateAuthorizedInvocationContext();
|
||||
|
||||
var authnPolicy = authorizedInvocationContext.
|
||||
InvokeOperation(() =>
|
||||
_ssoAdminBindingClient.GetAuthnPolicyAsync(
|
||||
new ManagedObjectReference
|
||||
{
|
||||
type = "SsoAdminConfigurationManagementService",
|
||||
Value = "configurationManagementService"
|
||||
})).Result;
|
||||
|
||||
return new DataTypes.AuthenticationPolicy(this)
|
||||
{
|
||||
PasswordAuthnEnabled = authnPolicy.PasswordAuthnEnabled,
|
||||
WindowsAuthnEnabled = authnPolicy.WindowsAuthEnabled,
|
||||
SmartCardAuthnEnabled = authnPolicy.CertAuthEnabled,
|
||||
CRLCacheSize = authnPolicy.clientCertPolicy.crlCacheSize,
|
||||
CRLUrl = authnPolicy.clientCertPolicy.crlUrl,
|
||||
OCSPEnabled = authnPolicy.clientCertPolicy.ocspEnabled,
|
||||
OCSPResponderSigningCert = string.IsNullOrEmpty(authnPolicy.clientCertPolicy.ocspResponderSigningCert) ? null : new X509Certificate2(authnPolicy.clientCertPolicy.ocspResponderSigningCert),
|
||||
OCSPUrl = authnPolicy.clientCertPolicy.ocspUrl,
|
||||
Oids = authnPolicy.clientCertPolicy.oids,
|
||||
SendOCSPNonce = authnPolicy.clientCertPolicy.sendOCSPNonce,
|
||||
TrustedCAs = authnPolicy.clientCertPolicy.trustedCAs,
|
||||
UseCRLAsFailOver = authnPolicy.clientCertPolicy.useCRLAsFailOver,
|
||||
UseInCertCRL = authnPolicy.clientCertPolicy.useInCertCRL
|
||||
};
|
||||
}
|
||||
|
||||
public void SetAuthenticationPolicy(
|
||||
bool passwordAuthnEnabled,
|
||||
bool windowsAuthnEnabled,
|
||||
bool smartCardAuthnEnabled,
|
||||
int crlCacheSize,
|
||||
string crlUrl,
|
||||
bool ocspEnabled,
|
||||
X509Certificate2 ocspResponderSigningCert,
|
||||
string ocspUrl,
|
||||
string[] oids,
|
||||
bool sendOCSPNonce,
|
||||
string[] trustedCAs,
|
||||
bool useCRLAsFailOver,
|
||||
bool useInCertCRL
|
||||
) {
|
||||
var authorizedInvocationContext =
|
||||
CreateAuthorizedInvocationContext();
|
||||
|
||||
var ssoAdminAuthnPolicy = new SsoAdminAuthnPolicy{
|
||||
PasswordAuthnEnabled = passwordAuthnEnabled,
|
||||
WindowsAuthEnabled = windowsAuthnEnabled,
|
||||
CertAuthEnabled = smartCardAuthnEnabled,
|
||||
clientCertPolicy = new SsoAdminClientCertPolicy {
|
||||
enabled = smartCardAuthnEnabled,
|
||||
crlCacheSize = crlCacheSize,
|
||||
crlUrl = crlUrl,
|
||||
ocspEnabled = ocspEnabled,
|
||||
ocspUrl = ocspUrl,
|
||||
oids = oids,
|
||||
sendOCSPNonce = sendOCSPNonce,
|
||||
trustedCAs = trustedCAs,
|
||||
useCRLAsFailOver = useCRLAsFailOver,
|
||||
useInCertCRL = useInCertCRL
|
||||
}
|
||||
};
|
||||
if (ocspResponderSigningCert != null) {
|
||||
ssoAdminAuthnPolicy.clientCertPolicy.ocspResponderSigningCert = Convert.ToBase64String(ocspResponderSigningCert.Export(X509ContentType.Cert), Base64FormattingOptions.InsertLineBreaks);
|
||||
}
|
||||
|
||||
|
||||
authorizedInvocationContext.
|
||||
InvokeOperation(() =>
|
||||
_ssoAdminBindingClient.SetAuthnPolicyAsync(
|
||||
new ManagedObjectReference
|
||||
{
|
||||
type = "SsoAdminConfigurationManagementService",
|
||||
Value = "configurationManagementService"
|
||||
},
|
||||
ssoAdminAuthnPolicy
|
||||
)).Wait();
|
||||
}
|
||||
#endregion
|
||||
|
||||
#region Global Permission
|
||||
public void SetRoleForUser(DataTypes.PersonUser user, string role) {
|
||||
var authorizedInvocationContext =
|
||||
CreateAuthorizedInvocationContext();
|
||||
|
||||
var authnPolicy = authorizedInvocationContext.
|
||||
InvokeOperation(() =>
|
||||
_ssoAdminBindingClient.SetRoleAsync(
|
||||
new ManagedObjectReference
|
||||
{
|
||||
type = "SsoAdminRoleManagementService",
|
||||
Value = "roleManagementService"
|
||||
},
|
||||
new SsoPrincipalId{
|
||||
domain = user.Domain,
|
||||
name = user.Name
|
||||
},
|
||||
role)).Result;
|
||||
}
|
||||
|
||||
public void SetRoleForGroup(DataTypes.Group group, string role) {
|
||||
var authorizedInvocationContext =
|
||||
CreateAuthorizedInvocationContext();
|
||||
|
||||
var authnPolicy = authorizedInvocationContext.
|
||||
InvokeOperation(() =>
|
||||
_ssoAdminBindingClient.SetRoleAsync(
|
||||
new ManagedObjectReference
|
||||
{
|
||||
type = "SsoAdminRoleManagementService",
|
||||
Value = "roleManagementService"
|
||||
},
|
||||
new SsoPrincipalId{
|
||||
domain = group.Domain,
|
||||
name = group.Name
|
||||
},
|
||||
role)).Result;
|
||||
}
|
||||
#endregion
|
||||
}
|
||||
}
|
||||
|
||||
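Review bot: In GetAuthenticationPolicy the OCSP responder certificate is rebuilt with `new X509Certificate2(authnPolicy.clientCertPolicy.ocspResponderSigningCert)`, but the string overload of that constructor takes a file name, whereas SetAuthenticationPolicy sends the same field as `Convert.ToBase64String(ocspResponderSigningCert.Export(X509ContentType.Cert), ...)`; unless the service returns a path (unlikely given the Set side), the round trip throws once a responder certificate is configured, and a server-supplied string is being interpreted as a local file path. Decode it instead: `new X509Certificate2(Convert.FromBase64String(authnPolicy.clientCertPolicy.ocspResponderSigningCert))`, stripping PEM armor first if the service returns it with BEGIN/END lines. Separately, SetRoleForUser and SetRoleForGroup assign `.Result` to an `authnPolicy` variable that is never read — the name is a copy-paste from GetAuthenticationPolicy, and if SetRoleAsync reports success as a boolean that outcome is silently discarded; either check it or call `.Wait()` as SetAuthenticationPolicy does. The enclosing SsoAdminClient class begins before this hunk.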
BIN
Modules/VMware.vSphere.SsoAdmin/src/resources/powercli.png
Normal file
Binary file not shown.
@@ -0,0 +1,95 @@
|
||||
<#
|
||||
Copyright 2021 VMware, Inc.
|
||||
SPDX-License-Identifier: BSD-2-Clause
|
||||
#>
|
||||
|
||||
param(
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]
|
||||
$VcAddress,
|
||||
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]
|
||||
$User,
|
||||
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]
|
||||
$Password
|
||||
)
|
||||
|
||||
# Import Vmware.vSphere.SsoAdmin Module
|
||||
$modulePath = Join-Path (Split-Path $PSScriptRoot | Split-Path) "VMware.vSphere.SsoAdmin.psd1"
|
||||
Import-Module $modulePath
|
||||
|
||||
Describe "AuthentcicationPolicy Tests" {
|
||||
BeforeEach {
|
||||
$connection = Connect-SsoAdminServer `
|
||||
-Server $VcAddress `
|
||||
-User $User `
|
||||
-Password $Password `
|
||||
-SkipCertificateCheck
|
||||
}
|
||||
AfterEach {
|
||||
$connectionsToCleanup = $global:DefaultSsoAdminServers.ToArray()
|
||||
foreach ($connection in $connectionsToCleanup) {
|
||||
Disconnect-SsoAdminServer -Server $connection
|
||||
}
|
||||
}
|
||||
|
||||
Context "Get-SsoAuthenticationPolicy" {
|
||||
It 'Retrieves Authentication Policy' {
|
||||
# Act
|
||||
$actual = Get-SsoAuthenticationPolicy
|
||||
|
||||
# Assert
|
||||
$actual | Should -Not -Be $null
|
||||
$actual.GetType().FullName | Should -Be 'VMware.vSphere.SsoAdminClient.DataTypes.AuthenticationPolicy'
|
||||
$actual.PasswordAuthnEnabled | Should -Be $true
|
||||
}
|
||||
}
|
||||
|
||||
Context "Set-SsoAuthenticationPolicy" {
|
||||
It 'Updates AuthenticationPolicy enabling and disabling Smart Card authetication' {
|
||||
# Arrange
|
||||
$expected = Get-SsoAuthenticationPolicy
|
||||
|
||||
# Act
|
||||
$actual = $expected | Set-SsoAuthenticationPolicy -SmartCardAuthnEnabled $true
|
||||
|
||||
# Assert
|
||||
$actual | Should -Not -Be $null
|
||||
$actual.GetType().FullName | Should -Be 'VMware.vSphere.SsoAdminClient.DataTypes.AuthenticationPolicy'
|
||||
$actual.SmartCardAuthnEnabled | Should -Be $true
|
||||
## Assert other properties are not modified
|
||||
$actual.PasswordAuthnEnabled | Should -Be $expected.PasswordAuthnEnabled
|
||||
$actual.WindowsAuthnEnabled | Should -Be $expected.WindowsAuthnEnabled
|
||||
$actual.CRLCacheSize | Should -Be $expected.CRLCacheSize
|
||||
$actual.CRLUrl | Should -Be $expected.CRLUrl
|
||||
$actual.OCSPEnabled | Should -Be $expected.OCSPEnabled
|
||||
$actual.OCSPResponderSigningCert | Should -Be $expected.OCSPResponderSigningCert
|
||||
$actual.OCSPUrl | Should -Be $expected.OCSPUrl
|
||||
$actual.OIDs | Should -Be $expected.OIDs
|
||||
$actual.SendOCSPNonce | Should -Be $expected.SendOCSPNonce
|
||||
$actual.TrustedCAs | Should -Be $expected.TrustedCAs
|
||||
$actual.UseCRLAsFailOver | Should -Be $expected.UseCRLAsFailOver
|
||||
$actual.UseInCertCRL | Should -Be $expected.UseInCertCRL
|
||||
|
||||
# Revert SmartCardAuthnEnabled to $false
|
||||
$actual = $actual | Set-SsoAuthenticationPolicy -SmartCardAuthnEnabled $false
|
||||
$actual.SmartCardAuthnEnabled | Should -Be $false
|
||||
## Assert other properties are not modified
|
||||
$actual.PasswordAuthnEnabled | Should -Be $expected.PasswordAuthnEnabled
|
||||
$actual.WindowsAuthnEnabled | Should -Be $expected.WindowsAuthnEnabled
|
||||
$actual.CRLCacheSize | Should -Be $expected.CRLCacheSize
|
||||
$actual.CRLUrl | Should -Be $expected.CRLUrl
|
||||
$actual.OCSPEnabled | Should -Be $expected.OCSPEnabled
|
||||
$actual.OCSPResponderSigningCert | Should -Be $expected.OCSPResponderSigningCert
|
||||
$actual.OCSPUrl | Should -Be $expected.OCSPUrl
|
||||
$actual.OIDs | Should -Be $expected.OIDs
|
||||
$actual.SendOCSPNonce | Should -Be $expected.SendOCSPNonce
|
||||
$actual.TrustedCAs | Should -Be $expected.TrustedCAs
|
||||
$actual.UseCRLAsFailOver | Should -Be $expected.UseCRLAsFailOver
|
||||
$actual.UseInCertCRL | Should -Be $expected.UseInCertCRL
|
||||
}
|
||||
}
|
||||
}
|
||||
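Review bot: The revert at `$actual = $actual | Set-SsoAuthenticationPolicy -SmartCardAuthnEnabled $false` runs only if every preceding `Should` passes, so a single failing assertion leaves smart-card authentication enabled on the target vCenter, and it assumes the original value was `$false` instead of restoring what was captured in `$expected`. Move the restore into a `finally` block (or the AfterEach) and restore the captured value: `$expected | Set-SsoAuthenticationPolicy -SmartCardAuthnEnabled $expected.SmartCardAuthnEnabled | Out-Null`. `$actual | Should -Not -Be $null` is more reliably written `$actual | Should -Not -BeNullOrEmpty`, since an empty pipeline result compares as "not null" under `-Be`. The Describe name misspells "Authentication" and the It name misspells "authentication".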