voltron/PowerCLI-Example-Scripts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Implement Add and Remove principal to/from SsoGroup

Browse Source 
Signed-off-by: Dimitar Milov <dmilov@vmware.com>
This commit is contained in:
Dimitar Milov
2021-05-26 10:54:15 +03:00
parent f0cf0f58bd
commit 5d221fdb15
8 changed files with 420 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

299
Modules/VMware.vSphere.SsoAdmin/Group.ps1
View File

@@ -264,6 +264,7 @@ function Remove-SsoGroup {
Twitter: @dimitar_milov Twitter: @dimitar_milov
Github: https://github.com/dmilov Github: https://github.com/dmilov
=========================================================================== ===========================================================================
.DESCRIPTION .DESCRIPTION
This function removes existing local group. This function removes existing local group.
@@ -305,8 +306,302 @@ function Remove-SsoGroup {
} }
} }
function Add-PrincipalToSsoGroup { function Add-GroupToSsoGroup {
<#
.NOTES
===========================================================================
Created on: 5/26/2021
Created by: Dimitar Milov
Twitter: @dimitar_milov
Github: https://github.com/dmilov
===========================================================================
.SYNOPSIS
Adds a group to another group
.DESCRIPTION
Adds the specified group on $Group parameter to target group specified on $TargetGroup parameter
.PARAMETER Group
A Group instance to be added to the $TargetGroup
.PARAMETER TargetGroup
A target group to which the $Group will be added.
.EXAMPLE
$administratosGroup = Get-SsoGroup -Name 'Administrators' -Domain 'vsphere.local'
Get-SsoGroup -Name 'TestGroup' -Domain 'MyDomain' | Add-GroupToSsoGroup -TargetGroup $administratosGroup
Adds 'TestGroup' from 'MyDomain' domain to vsphere.local Administrators group.
#>
[CmdletBinding(ConfirmImpact = 'Medium')]
param(
[Parameter(
Mandatory = $true,
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $false,
HelpMessage = 'SsoGroup instance you want to add to the target group')]
[VMware.vSphere.SsoAdminClient.DataTypes.Group]
$Group,
[Parameter(
Mandatory = $true,
ValueFromPipeline = $false,
ValueFromPipelineByPropertyName = $false,
HelpMessage = 'Target SsoGroup instance where the $Group wtill be added')]
[ValidateNotNull()]
[VMware.vSphere.SsoAdminClient.DataTypes.Group]
$TargetGroup)
Process {
try {
foreach ($g in $Group) {
$ssoAdminClient = $g.GetClient()
if ((-not $ssoAdminClient)) {
Write-Error "Object '$g' is from disconnected server"
continue
}
if ($g.GetClient().ServiceUri -ne $TargetGroup.GetClient().ServiceUri) {
Write-Error "Group '$g' is not from the same server as the target group"
continue
}
$result = $ssoAdminClient.AddGroupToGroup($g, $TargetGroup)
if (-not $result) {
Write-Error "Group '$g' was not added to the target group. The Server operation result doesn't indicate success"
continue
}
}
}
catch {
Write-Error (FormatError $_.Exception)
}
}
} }
function Remove-PrincipalFromSsoGroup { function Remove-GroupFromSsoGroup {
<#
.NOTES
===========================================================================
Created on: 5/26/2021
Created by: Dimitar Milov
Twitter: @dimitar_milov
Github: https://github.com/dmilov
===========================================================================
.SYNOPSIS
Removes a group to another group
.DESCRIPTION
Removes the specified group on $Group parameter from target group specified on $TargetGroup parameter
.PARAMETER Group
A Group instance to be removed from the $TargetGroup
.PARAMETER TargetGroup
A target group from which the $Group will be removed.
.EXAMPLE
$administratosGroup = Get-SsoGroup -Name 'Administrators' -Domain 'vsphere.local'
Get-SsoGroup -Name 'TestGroup' -Domain 'MyDomain' | Remove-GroupFromSsoGroup -TargetGroup $administratosGroup
Removes 'TestGroup' from 'MyDomain' domain from vsphere.local Administrators group.
#>
[CmdletBinding(ConfirmImpact = 'Medium')]
param(
[Parameter(
Mandatory = $true,
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $false,
HelpMessage = 'SsoGroup instance you want to remove from the target group')]
[VMware.vSphere.SsoAdminClient.DataTypes.Group]
$Group,
[Parameter(
Mandatory = $true,
ValueFromPipeline = $false,
ValueFromPipelineByPropertyName = $false,
HelpMessage = 'Target SsoGroup instance from which the $Group wtill be removed')]
[ValidateNotNull()]
[VMware.vSphere.SsoAdminClient.DataTypes.Group]
$TargetGroup)
Process {
try {
foreach ($g in $Group) {
$ssoAdminClient = $g.GetClient()
if ((-not $ssoAdminClient)) {
Write-Error "Object '$g' is from disconnected server"
continue
}
if ($g.GetClient().ServiceUri -ne $TargetGroup.GetClient().ServiceUri) {
Write-Error "Group '$g' is not from the same server as the target group"
continue
}
$result = $ssoAdminClient.RemoveGroupFromGroup($g, $TargetGroup)
if (-not $result) {
Write-Error "Group '$g' was not removed to the target group. The Server operation result doesn't indicate success"
continue
}
}
}
catch {
Write-Error (FormatError $_.Exception)
}
}
}
function Add-UserToSsoGroup {
<#
.NOTES
===========================================================================
Created on: 5/26/2021
Created by: Dimitar Milov
Twitter: @dimitar_milov
Github: https://github.com/dmilov
===========================================================================
.SYNOPSIS
Adds an user to a group
.DESCRIPTION
Adds the user on $User parameter to target group specified on $TargetGroup parameter
.PARAMETER User
A PersonUser instance to be added to the $TargetGroup
.PARAMETER TargetGroup
A target group to which the $User will be added.
.EXAMPLE
$administratosGroup = Get-SsoGroup -Name 'Administrators' -Domain 'vsphere.local'
Get-SsoPersonUser -Name 'TestUser' -Domain 'MyDomain' | Add-UserToSsoGroup -TargetGroup $administratosGroup
Adds 'TestUser' from 'MyDomain' domain to vsphere.local Administrators group.
#>
[CmdletBinding(ConfirmImpact = 'Medium')]
param(
[Parameter(
Mandatory = $true,
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $false,
HelpMessage = 'PersonUser instance you want to add to the target group')]
[VMware.vSphere.SsoAdminClient.DataTypes.PersonUser]
$User,
[Parameter(
Mandatory = $true,
ValueFromPipeline = $false,
ValueFromPipelineByPropertyName = $false,
HelpMessage = 'Target SsoGroup instance where the $Group wtill be added')]
[ValidateNotNull()]
[VMware.vSphere.SsoAdminClient.DataTypes.Group]
$TargetGroup)
Process {
try {
foreach ($u in $User) {
$ssoAdminClient = $u.GetClient()
if ((-not $ssoAdminClient)) {
Write-Error "Object '$u' is from disconnected server"
continue
}
if ($u.GetClient().ServiceUri -ne $TargetGroup.GetClient().ServiceUri) {
Write-Error "User '$u' is not from the same server as the target group"
continue
}
$result = $ssoAdminClient.AddPersonUserToGroup($u, $TargetGroup)
if (-not $result) {
Write-Error "User '$u' was not added to the target group. The Server operation result doesn't indicate success"
continue
}
}
}
catch {
Write-Error (FormatError $_.Exception)
}
}
}
function Remove-UserFromSsoGroup {
<#
.NOTES
===========================================================================
Created on: 5/26/2021
Created by: Dimitar Milov
Twitter: @dimitar_milov
Github: https://github.com/dmilov
===========================================================================
.SYNOPSIS
Removes a person user from group
.DESCRIPTION
Removes the specified person user on $User parameter from target group specified on $TargetGroup parameter
.PARAMETER User
A PersonUser instance to be removed from the $TargetGroup
.PARAMETER TargetGroup
A target group from which the $User will be removed.
.EXAMPLE
$administratosGroup = Get-SsoGroup -Name 'Administrators' -Domain 'vsphere.local'
Get-SsoPersonUser -Name 'TestUser' -Domain 'MyDomain' | Remove-UserFromSsoGroup -TargetGroup $administratosGroup
Removes 'TestUser' from 'MyDomain' domain from vsphere.local Administrators group.
#>
[CmdletBinding(ConfirmImpact = 'Medium')]
param(
[Parameter(
Mandatory = $true,
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $false,
HelpMessage = 'PersonUser instance you want to remove from the target group')]
[VMware.vSphere.SsoAdminClient.DataTypes.PersonUser]
$User,
[Parameter(
Mandatory = $true,
ValueFromPipeline = $false,
ValueFromPipelineByPropertyName = $false,
HelpMessage = 'Target SsoGroup instance from which the $User wtill be removed')]
[ValidateNotNull()]
[VMware.vSphere.SsoAdminClient.DataTypes.Group]
$TargetGroup)
Process {
try {
foreach ($u in $User) {
$ssoAdminClient = $u.GetClient()
if ((-not $ssoAdminClient)) {
Write-Error "Object '$u' is from disconnected server"
continue
}
if ($u.GetClient().ServiceUri -ne $TargetGroup.GetClient().ServiceUri) {
Write-Error "User '$u' is not from the same server as the target group"
continue
}
$result = $ssoAdminClient.RemovePersonUserFromGroup($u, $TargetGroup)
if (-not $result) {
Write-Error "User '$u' was not removed to the target group. The Server operation result doesn't indicate success"
continue
}
}
}
catch {
Write-Error (FormatError $_.Exception)
}
}
} }

2
Modules/VMware.vSphere.SsoAdmin/VMware.vSphere.SsoAdmin.psd1
View File

@@ -37,7 +37,7 @@ RequiredModules = @(
FunctionsToExport = @( FunctionsToExport = @(
'Connect-SsoAdminServer', 'Disconnect-SsoAdminServer', 'Connect-SsoAdminServer', 'Disconnect-SsoAdminServer',
'New-SsoPersonUser', 'Get-SsoPersonUser', 'Set-SsoPersonUser', 'Remove-SsoPersonUser', 'Set-SsoSelfPersonUserPassword' 'New-SsoPersonUser', 'Get-SsoPersonUser', 'Set-SsoPersonUser', 'Remove-SsoPersonUser', 'Set-SsoSelfPersonUserPassword'
'New-SsoGroup', 'Get-SsoGroup', 'Set-SsoGroup', 'Remove-SsoGroup', 'Add-PrincipalToSsoGroup', 'Remove-PrincipalFromSsoGroup' 'New-SsoGroup', 'Get-SsoGroup', 'Set-SsoGroup', 'Remove-SsoGroup', 'Add-GroupToSsoGroup', 'Remove-GroupFromSsoGroup', 'Add-UserToSsoGroup', 'Remove-UserFromSsoGroup'
'Get-SsoPasswordPolicy', 'Set-SsoPasswordPolicy', 'Get-SsoPasswordPolicy', 'Set-SsoPasswordPolicy',
'Get-SsoLockoutPolicy', 'Set-SsoLockoutPolicy', 'Get-SsoLockoutPolicy', 'Set-SsoLockoutPolicy',
'Get-SsoTokenLifetime', 'Set-SsoTokenLifetime', 'Get-SsoTokenLifetime', 'Set-SsoTokenLifetime',

BIN
Modules/VMware.vSphere.SsoAdmin/net45/VMware.vSphere.SsoAdmin.Utils.dll
View File

Binary file not shown.

BIN
Modules/VMware.vSphere.SsoAdmin/net45/VMware.vSphere.SsoAdminClient.dll
View File

Binary file not shown.

BIN
Modules/VMware.vSphere.SsoAdmin/netcoreapp3.1/VMware.vSphere.SsoAdmin.Utils.dll
View File

Binary file not shown.

BIN
Modules/VMware.vSphere.SsoAdmin/netcoreapp3.1/VMware.vSphere.SsoAdminClient.dll
View File

Binary file not shown.

46
Modules/VMware.vSphere.SsoAdmin/src/VMware.vSphere.SsoAdmin.Client/VMware.vSphere.SsoAdminClient/SsoAdminClient.cs
View File

@@ -487,6 +487,29 @@ namespace VMware.vSphere.SsoAdminClient
group.Name)).Result; group.Name)).Result;
} }
public bool AddGroupToGroup(DataTypes.Group groupToAdd, DataTypes.Group destinationGroup)
{
// Create Authorization Invocation Context
var authorizedInvocationContext =
CreateAuthorizedInvocationContext();
// Invoke SSO Admin AddGroupToLocalGroupAsync operation
return authorizedInvocationContext.
InvokeOperation(() =>
_ssoAdminBindingClient.AddGroupToLocalGroupAsync(
new ManagedObjectReference
{
type = "SsoAdminPrincipalManagementService",
Value = "principalManagementService"
},
new SsoPrincipalId
{
name = groupToAdd.Name,
domain = groupToAdd.Domain
},
destinationGroup.Name)).Result;
}
public bool RemovePersonUserFromGroup(PersonUser user, DataTypes.Group group) public bool RemovePersonUserFromGroup(PersonUser user, DataTypes.Group group)
{ {
// Create Authorization Invocation Context // Create Authorization Invocation Context
@@ -510,6 +533,29 @@ namespace VMware.vSphere.SsoAdminClient
group.Name)).Result; group.Name)).Result;
} }
public bool RemoveGroupFromGroup(DataTypes.Group groupToRemove, DataTypes.Group group)
{
// Create Authorization Invocation Context
var authorizedInvocationContext =
CreateAuthorizedInvocationContext();
// Invoke SSO Admin RemoveFromLocalGroupAsync operation
return authorizedInvocationContext.
InvokeOperation(() =>
_ssoAdminBindingClient.RemoveFromLocalGroupAsync(
new ManagedObjectReference
{
type = "SsoAdminPrincipalManagementService",
Value = "principalManagementService"
},
new SsoPrincipalId
{
name = groupToRemove.Name,
domain = groupToRemove.Domain
},
group.Name)).Result;
}
public void ResetPersonUserPassword(PersonUser user, string newPassword) public void ResetPersonUserPassword(PersonUser user, string newPassword)
{ {
// Create Authorization Invocation Context // Create Authorization Invocation Context

77
Modules/VMware.vSphere.SsoAdmin/src/test/Group.Tests.ps1
View File

@@ -29,6 +29,7 @@ Describe "SsoGroup Tests" {
-SkipCertificateCheck -SkipCertificateCheck
$script:testGroupsToDelete = @() $script:testGroupsToDelete = @()
$script:testUsersToDelete = @()
} }
AfterEach { AfterEach {
@@ -37,6 +38,10 @@ Describe "SsoGroup Tests" {
Remove-SsoGroup -Group $group Remove-SsoGroup -Group $group
} }
foreach ($user in $script:testUsersToDelete) {
Remove-SsoPersonUser -User $user
}
$connectionsToCleanup = $global:DefaultSsoAdminServers.ToArray() $connectionsToCleanup = $global:DefaultSsoAdminServers.ToArray()
foreach ($connection in $connectionsToCleanup) { foreach ($connection in $connectionsToCleanup) {
Disconnect-SsoAdminServer -Server $connection Disconnect-SsoAdminServer -Server $connection
@@ -106,7 +111,7 @@ Describe "SsoGroup Tests" {
$actual = New-SsoGroup -Name $expectedName -Description $expectedDescription $actual = New-SsoGroup -Name $expectedName -Description $expectedDescription
# Assert # Assert
$actual | Should -Not -Be $ $actual | Should -Not -Be $null
$script:testGroupsToDelete += $actual $script:testGroupsToDelete += $actual
$actual.Name | Should -Be $expectedName $actual.Name | Should -Be $expectedName
$actual.Domain | Should -Be 'vsphere.local' $actual.Domain | Should -Be 'vsphere.local'
@@ -144,4 +149,74 @@ Describe "SsoGroup Tests" {
$actual.Description | Should -Be $expectedDescription $actual.Description | Should -Be $expectedDescription
} }
} }
Context "Add-GroupToSsoGroup" {
It 'Should add a newly created SsoGroup to another SsoGroup' {
# Arrange
$groupName = 'TestGroup5'
$groupToAdd = New-SsoGroup -Name $groupName
$script:testGroupsToDelete += $groupToAdd
$targetGroup = Get-SsoGroup -Name 'Administrators' -Domain 'vsphere.local'
# Act
$groupToAdd | Add-GroupToSsoGroup -TargetGroup $targetGroup
# Assert
## TODO: Implement Get Group Members and verify
}
}
Context "Remove-GroupFromSsoGroup" {
It 'Should remove a SsoGroup from another SsoGroup' {
# Arrange
$groupName = 'TestGroup6'
$groupToRemove = New-SsoGroup -Name $groupName
$script:testGroupsToDelete += $groupToRemove
$targetGroup = Get-SsoGroup -Name 'Administrators' -Domain 'vsphere.local'
$groupToRemove | Add-GroupToSsoGroup -TargetGroup $targetGroup
# Act
$groupToRemove | Remove-GroupFromSsoGroup -TargetGroup $targetGroup
# Assert
## TODO: Implement Get Group Members and verify
}
}
Context "Add-UserToSsoGroup" {
It 'Should add a newly created PersonUser to SsoGroup' {
# Arrange
$expectedUser = New-SsoPersonUser -User 'GroupTestUser1' -Password 'MyStrongPa$$w0rd'
$script:testUsersToDelete += $expectedUser
$targetGroup = Get-SsoGroup -Name 'Administrators' -Domain 'vsphere.local'
# Act
$expectedUser | Add-UserToSsoGroup -TargetGroup $targetGroup
# Assert
$actualUsers = $targetGroup | Get-SsoPersonUser
$actualUsers | Where-Object { $_.Name -eq $expectedUser.Name} | Should -Not -Be $null
}
}
Context "Remove-GroupFromSsoGroup" {
It 'Should remove a SsoGroup from another SsoGroup' {
# Arrange
$expectedUser = New-SsoPersonUser -User 'GroupTestUser2' -Password 'MyStrongPa$$w0rd'
$script:testUsersToDelete += $expectedUser
$targetGroup = Get-SsoGroup -Name 'Administrators' -Domain 'vsphere.local'
$expectedUser | Add-UserToSsoGroup -TargetGroup $targetGroup
# Act
$expectedUser | Remove-UserFromSsoGroup -TargetGroup $targetGroup
# Assert
$actualUsers = $targetGroup | Get-SsoPersonUser
$actualUsers | Where-Object { $_.Name -eq $expectedUser.Name} | Should -Be $null
}
}
} }