From 4e9093d0e5cf8f14ebc2e1fd40d36ed9cb0fefef Mon Sep 17 00:00:00 2001
From: Brian Wuchner
Date: Fri, 21 Jan 2022 15:11:17 -0500
Subject: [PATCH 1/3] Update SaltStackConfig.psm1

In the previous version of Connect-SscServer, we assumed that the SaltStack Config master node has an SSL certificate from an authority trusted by the powershell client and that the client supports the same TLS version as the server. However, this may not be the case. Therefore this commit adds support for a switch parameter named SkipCertificateCheck which ignores untrusted certificates and sets support for various TLS versions. All SSC servers I've tested with have only supported Tls12, but lower levels were added to this function for backwards compatibility.

Signed-off-by: Brian Wuchner
---
 Modules/SaltStackConfig/SaltStackConfig.psm1 | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/Modules/SaltStackConfig/SaltStackConfig.psm1 b/Modules/SaltStackConfig/SaltStackConfig.psm1
index cf2d5f8..f714f4e 100644
--- a/Modules/SaltStackConfig/SaltStackConfig.psm1
+++ b/Modules/SaltStackConfig/SaltStackConfig.psm1
@@ -35,7 +35,8 @@ Function Connect-SscServer {
 [Parameter(Mandatory=$true, ParameterSetName='PlainText', Position=1)][string]$username,
 [Parameter(Mandatory=$true, ParameterSetName='PlainText', Position=2)][ValidateNotNullOrEmpty()][string]$password,
 [Parameter(Mandatory=$false, Position=3)][string]$AuthSource='internal',
- [Parameter(Mandatory=$false, ParameterSetName='Credential')][PSCredential]$Credential
+ [Parameter(Mandatory=$false, ParameterSetName='Credential')][PSCredential]$Credential,
+ [Parameter(Mandatory=$false)][Switch]$SkipCertificateCheck
 )
 if ($PSCmdlet.ParameterSetName -eq 'Credential' -AND $Credential -eq $null) { $Credential = Get-Credential}
@@ -43,6 +44,23 @@ Function Connect-SscServer {
 $username = $Credential.GetNetworkCredential().username
 $password = $Credential.GetNetworkCredential().password
 }
+
+ if ($SkipCertificateCheck) {
+ # This if statement is using example code from https://stackoverflow.com/questions/11696944/powershell-v3-invoke-webrequest-https-error
+ add-type @"
+ using System.Net;
+ using System.Security.Cryptography.X509Certificates;
+ public class TrustAllCertsPolicy : ICertificatePolicy {
+ public bool CheckValidationResult(
+ ServicePoint srvPoint, X509Certificate certificate,
+ WebRequest request, int certificateProblem) {
+ return true;
+ }
+ }
+"@
+ [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls,Tls11,Tls12'
+ [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
+ } # end if SkipCertificate Check
 $loginBody = @{'username'=$username; 'password'=$password; 'config_name'=$AuthSource}
 try {
From c46d3522bd8aa29883f395f22fab0b35c92141d1 Mon Sep 17 00:00:00 2001
From: Brian Wuchner
Date: Mon, 24 Jan 2022 14:48:21 -0500
Subject: [PATCH 2/3] Updates to SSC Module -- provide better SSL support for Connect-SscServer

Moving the code to set SslProtocol to a separate parameter instead of hiding it under SkipCertificateCheck. Updating Module Version to denote this minor change.

Signed-off-by: Brian Wuchner
---
 Modules/SaltStackConfig/SaltStackConfig.psd1 | 2 +-
 Modules/SaltStackConfig/SaltStackConfig.psm1 | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/Modules/SaltStackConfig/SaltStackConfig.psd1 b/Modules/SaltStackConfig/SaltStackConfig.psd1
index 6c4f3f3..1394171 100644
--- a/Modules/SaltStackConfig/SaltStackConfig.psd1
+++ b/Modules/SaltStackConfig/SaltStackConfig.psd1
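Review bot: Assigning `[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy` disables certificate validation for the whole PowerShell process rather than for the connection to `$server`, and nothing in this hunk restores the previous policy, so the login built from `$loginBody` (which carries the password) and every later HTTPS request in the session will accept any certificate. The `SecurityProtocol` assignment on the line above has the same process-wide reach and turns TLS 1.0 and 1.1 on next to 1.2; the `SecurityProtocol` assignments in patches 2 and 3 share that reach. At minimum the switch should say so when used, for example `Write-Warning "SkipCertificateCheck disables TLS certificate validation for all HTTPS requests in this PowerShell session."` as the first statement inside `if ($SkipCertificateCheck)`, with the same sentence in the parameter help. On PowerShell 6 and later, Invoke-WebRequest has its own `-SkipCertificateCheck` parameter and does not appear to consult ServicePointManager, so this path is probably effective on Windows PowerShell 5.1 only; that is worth confirming. The function body starts and ends outside the hunk.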
@@ -17,7 +17,7 @@ SPDX-License-Identifier: BSD-2-Clause
 RootModule = 'SaltStackConfig.psm1'
 # Version number of this module.
-ModuleVersion = '0.0.5'
+ModuleVersion = '0.0.6'
 # Supported PSEditions
 # CompatiblePSEditions = @()
diff --git a/Modules/SaltStackConfig/SaltStackConfig.psm1 b/Modules/SaltStackConfig/SaltStackConfig.psm1
index f714f4e..0d7ce48 100644
--- a/Modules/SaltStackConfig/SaltStackConfig.psm1
+++ b/Modules/SaltStackConfig/SaltStackConfig.psm1
@@ -36,7 +36,8 @@ Function Connect-SscServer {
 [Parameter(Mandatory=$true, ParameterSetName='PlainText', Position=2)][ValidateNotNullOrEmpty()][string]$password,
 [Parameter(Mandatory=$false, Position=3)][string]$AuthSource='internal',
 [Parameter(Mandatory=$false, ParameterSetName='Credential')][PSCredential]$Credential,
- [Parameter(Mandatory=$false)][Switch]$SkipCertificateCheck
+ [Parameter(Mandatory=$false)][Switch]$SkipCertificateCheck,
+ [Parameter(Mandatory=$false)][ValidateSet('Tls13','Tls12','Tls11','Tls','SystemDefault')]$SslProtocol
 )
 if ($PSCmdlet.ParameterSetName -eq 'Credential' -AND $Credential -eq $null) { $Credential = Get-Credential}
@@ -58,10 +59,13 @@ Function Connect-SscServer {
 }
 }
 "@
- [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls,Tls11,Tls12'
 [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
 } # end if SkipCertificate Check
+ if ($SslProtocol) {
+ [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]$SslProtocol
+ }
+
 $loginBody = @{'username'=$username; 'password'=$password; 'config_name'=$AuthSource}
 try {
 $webRequest = Invoke-WebRequest -Uri "https://$server/account/login" -SessionVariable ws
From de1772949405bffed0b130442267bd39a12403cd Mon Sep 17 00:00:00 2001
From: Brian Wuchner
Date: Tue, 25 Jan 2022 09:59:05 -0500
Subject: [PATCH 3/3] Update SaltStackConfig.psm1

Changing SslProtocol parameter from static validateset list to proper type.
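Review bot: In the second SaltStackConfig.psm1 hunk, `[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]$SslProtocol` replaces the enabled protocol set instead of adding to it, so `-SslProtocol Tls` or `-SslProtocol Tls11` leaves the login, and any HTTPS call made afterwards in the session, negotiating only a deprecated protocol. The ValidateSet in the first hunk offers those values with no indication of the downgrade; a warning when one is chosen would make it visible, e.g. `if ($SslProtocol -in 'Tls','Tls11') { Write-Warning "TLS 1.0/1.1 are deprecated; prefer Tls12 or later." }`. To my knowledge the `Tls13` and `SystemDefault` members exist only on newer .NET runtimes, so the cast can throw on older hosts; if those are in scope, catching the conversion error and reporting the supported names would help. The function body extends beyond both hunks.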
Signed-off-by: Brian Wuchner
---
 Modules/SaltStackConfig/SaltStackConfig.psm1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Modules/SaltStackConfig/SaltStackConfig.psm1 b/Modules/SaltStackConfig/SaltStackConfig.psm1
index 0d7ce48..510ad29 100644
--- a/Modules/SaltStackConfig/SaltStackConfig.psm1
+++ b/Modules/SaltStackConfig/SaltStackConfig.psm1
@@ -37,7 +37,7 @@ Function Connect-SscServer {
 [Parameter(Mandatory=$false, Position=3)][string]$AuthSource='internal',
 [Parameter(Mandatory=$false, ParameterSetName='Credential')][PSCredential]$Credential,
 [Parameter(Mandatory=$false)][Switch]$SkipCertificateCheck,
- [Parameter(Mandatory=$false)][ValidateSet('Tls13','Tls12','Tls11','Tls','SystemDefault')]$SslProtocol
+ [Parameter(Mandatory=$false)][System.Net.SecurityProtocolType]$SslProtocol
 )
 if ($PSCmdlet.ParameterSetName -eq 'Credential' -AND $Credential -eq $null) { $Credential = Get-Credential}
@@ -63,7 +63,7 @@ Function Connect-SscServer {
 } # end if SkipCertificate Check
 if ($SslProtocol) {
- [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]$SslProtocol
+ [System.Net.ServicePointManager]::SecurityProtocol = $SslProtocol
 }
 $loginBody = @{'username'=$username; 'password'=$password; 'config_name'=$AuthSource}
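Review bot: With `$SslProtocol` now typed as `[System.Net.SecurityProtocolType]`, the unchanged guard `if ($SslProtocol) {` in the second hunk can no longer tell "parameter not supplied" from `SystemDefault`: that member has the value 0, which PowerShell evaluates as false, so `-SslProtocol SystemDefault` is silently ignored and whatever protocol set was assigned earlier in the session stays in force. Testing whether the parameter was bound avoids this: `if ($PSBoundParameters.ContainsKey('SslProtocol')) {`. The enum type also accepts combined values such as `'Tls11,Tls12'`, which is worth stating in the parameter help together with the fact that the setting applies to the whole process. The function continues outside both hunks.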