From 4e9093d0e5cf8f14ebc2e1fd40d36ed9cb0fefef Mon Sep 17 00:00:00 2001 From: Brian Wuchner Date: Fri, 21 Jan 2022 15:11:17 -0500 Subject: [PATCH] Update SaltStackConfig.psm1 In the previous version of Connect-SscServer, we assumed that the SaltStack Config master node has an SSL certificate from an authority trusted by the powershell client and that the client supports the same TLS version as the server. However, this may not be the case. Therefore this commit adds support for a switch parameter named SkipCertificateCheck which ignores untrusted certificates and sets support for various TLS versions. All SSC servers I've tested with have only supported Tls12, but lower levels were added to this function for backwards compatibility. Signed-off-by: Brian Wuchner --- Modules/SaltStackConfig/SaltStackConfig.psm1 | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/Modules/SaltStackConfig/SaltStackConfig.psm1 b/Modules/SaltStackConfig/SaltStackConfig.psm1 index cf2d5f8..f714f4e 100644 --- a/Modules/SaltStackConfig/SaltStackConfig.psm1 +++ b/Modules/SaltStackConfig/SaltStackConfig.psm1 @@ -35,7 +35,8 @@ Function Connect-SscServer { [Parameter(Mandatory=$true, ParameterSetName='PlainText', Position=1)][string]$username, [Parameter(Mandatory=$true, ParameterSetName='PlainText', Position=2)][ValidateNotNullOrEmpty()][string]$password, [Parameter(Mandatory=$false, Position=3)][string]$AuthSource='internal', - [Parameter(Mandatory=$false, ParameterSetName='Credential')][PSCredential]$Credential + [Parameter(Mandatory=$false, ParameterSetName='Credential')][PSCredential]$Credential, + [Parameter(Mandatory=$false)][Switch]$SkipCertificateCheck ) if ($PSCmdlet.ParameterSetName -eq 'Credential' -AND $Credential -eq $null) { $Credential = Get-Credential} 
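Review bot: The new `$SkipCertificateCheck` switch in the `param` block has no documentation of what it changes beyond this one connection. If Connect-SscServer has comment-based help (not visible in this hunk), add a `.PARAMETER SkipCertificateCheck` entry. It should say that the switch disables TLS certificate validation through a process-wide policy, that it also changes which TLS protocol versions are enabled, and that it should be used only when the server certificate cannot be validated. The function body starts and ends outside the hunk.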
@@ -43,6 +44,23 @@ Function Connect-SscServer { $username = $Credential.GetNetworkCredential().username $password = $Credential.GetNetworkCredential().password } + + if ($SkipCertificateCheck) { + # This if statement is using example code from https://stackoverflow.com/questions/11696944/powershell-v3-invoke-webrequest-https-error + add-type @" + using System.Net; + using System.Security.Cryptography.X509Certificates; + public class TrustAllCertsPolicy : ICertificatePolicy { + public bool CheckValidationResult( + ServicePoint srvPoint, X509Certificate certificate, + WebRequest request, int certificateProblem) { + return true; + } + } +"@ + [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls,Tls11,Tls12' + [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy + } # end if SkipCertificate Check $loginBody = @{'username'=$username; 'password'=$password; 'config_name'=$AuthSource} try {
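Review bot: Assigning `[System.Net.ServicePointManager]::CertificatePolicy` inside `if ($SkipCertificateCheck)` turns off certificate validation for the whole PowerShell process, not only this login, and nothing in the hunk restores it. The credentials in `$loginBody` and every later HTTPS request in the session are then sent without authenticating the server. At minimum warn the caller there, e.g. `Write-Warning 'Certificate validation is disabled for all HTTPS requests in this session.'`. On PowerShell 6+ the web cmdlets have their own `-SkipCertificateCheck` switch, which would be better than a global policy, and which a `ServicePointManager` setting may not affect anyway; the request call itself is outside the hunk. The `SecurityProtocol` line is a separate concern bundled under the same switch: it overwrites the current value and enables TLS 1.0/1.1, so prefer `[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12`, placed outside the branch.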