Merge branch 'bsmall_convertto_pscred_function' into 'master'

ConvertTo-PSCredential & Bugfixes

See merge request Infra/module-vaultutils!4

Author: Ben Small

.gitlab-ci.yml

@@ -1,6 +1,6 @@
 variables:
   ModuleName: 'psVaultUtils'
-  ModuleVersion: '1.3.2'
+  ModuleVersion: '1.4.1'
   DevRepository: 'dev-windows-modules'
   ProdRepository: 'prod-windows-modules'
   Notification: "it-digest"

psVaultUtils/Public/Secrets/Cubbyhole/Get-VaultCubbyholeSecret.ps1

@@ -71,16 +71,9 @@ function Get-VaultCubbyholeSecret {
             throw
         }
 
-        if ($MetaData) {
-            $dataType = 'secret_metadata'
-        }
-        else {
-            $dataType = 'secret_data'
-        }
-
         $formatParams = @{
             InputObject = $result
-            DataType    = $dataType
+            DataType    = 'data' #Cubbyhole secrets do not/cannot have metadata.
             JustData    = $JustData.IsPresent
             OutputType  = $OutputType
         }

psVaultUtils/Public/Secrets/KV/New-VaultKVSecret.ps1

@@ -58,7 +58,7 @@ function New-VaultKVSecret {
     param(
         #Specifies a KV engine to write secrets to.
         [Parameter(
-            Mandatoy = $true,
+            Mandatory = $true,
             Position = 0
         )]
         [String] $Engine,

psVaultUtils/Public/Tools/ConvertFrom-Hashtable.ps1

@@ -0,0 +1,75 @@
+#Credit: https://4sysops.com/archives/convert-json-to-a-powershell-hash-table/
+#This function is the result of reverse engineering ConvertTo-Hashtable, written by Adam Bertram
+
+#BUG: ConvertFrom-Hashtable currently does not support pipeline input; 
+#Sub-hashtables are not successfully converted to pscustomobjects.
+
+function ConvertFrom-Hashtable {
+<#
+.Synopsis
+    Converts a Hashtable into a PSObject.
+
+.DESCRIPTION
+    ConvertFrom-Hashtable converts a Hashtable into a PSObject.
+
+    The function does not currently support pipeline input.
+
+.EXAMPLE
+    PS> $secret = Get-VaultKVSecret -Engine 'KVStore' -SecretsPath 'ServiceAccounts/DSCSvcAccount' -OutputType Hashtable
+
+    PS> ConvertFrom-Hashtable $secret
+
+    renewable      : False
+    data           : @{metadata=; data=}
+    warnings       :
+    wrap_info      :
+    request_id     : e7450e9e-e48c-e17d-8c16-db7d38790d64
+    lease_duration : 0
+    auth           :
+    lease_id       :
+
+    This example demonstrates converting a Hashtable to a PSObject. 
+    The example is impractical because Get-VaultKVSecret supports returning results as PSObjects. 
+
+#>
+    [CmdletBinding()]
+    [OutputType('pscustomobject')]
+    param (
+        [Parameter()]
+        $InputObject
+    )
+ 
+    process {
+        ## Return null if the input is null. This can happen when calling the function
+        ## recursively and a property is null
+        if ($null -eq $InputObject) {
+            return $null
+        }
+ 
+        ## Check if the input is an array or collection. If so, we also need to convert
+        ## those types into psobjects as well. This function will convert all child
+        ## hashtables into psobjects (if applicable)
+        if ($InputObject -is [pscustomobject] -and $InputObject -isnot [string]) {
+            $collection = @(
+                foreach ($object in $InputObject.GetEnumerator()) {
+                    ConvertFrom-Hashtable -InputObject $object
+                }
+            )
+ 
+            ## Return the array but don't enumerate it because the object may be pretty complex
+            Write-Output -NoEnumerate $collection
+        } elseif ($InputObject -is [hashtable]) { ## If the hashtable has properties that need enumeration
+            ## Convert it to its own hash table and return it as an object
+            $hash = @{}
+            foreach ($property in $InputObject.GetEnumerator()) { 
+                $hash[$property.Name] = ConvertFrom-Hashtable -InputObject $property.Value
+            }
+
+            New-Object 'pscustomobject' -Property $hash
+        } else {
+            ## If the object isn't an array, collection, or other object, it's already a psobject
+            ## So just return it.
+            $InputObject
+        }
+    }
+}

psVaultUtils/Public/Tools/ConvertTo-PSCredential.ps1

@@ -0,0 +1,101 @@
+function ConvertTo-PSCredential {
+<#
+.Synopsis
+    Converts the result of Get-VaultKVSecret or Get-VaultCubbyhole into a PSCredential.
+
+.DESCRIPTION
+    ConvertTo-PSCredential consumes the result of Get-VaultKVSecret or Get-VaultCubbyhole and converts the resulting object into a PSCredential.
+
+.EXAMPLE
+    PS> Get-VaultKVSecret -Engine dsc -SecretsPath DSCSvcAccount | ConvertTo-PSCredential
+
+    UserName                                   Password
+    --------                                   --------
+    WAYFAIRDEV\sa_dscadmin System.Security.SecureString
+
+.EXAMPLE
+    PS> ConvertTo-PSCredential -InputObject $(Get-VaultKVSecret -Engine dsc -SecretsPath DSCSvcAccount)
+
+    UserName                                   Password
+    --------                                   --------
+    WAYFAIRDEV\sa_dscadmin System.Security.SecureString
+
+#>
+    [CmdletBinding()]
+    param(
+        #Specifies the Input Object. The input object can be in the form of a Hashtable, PSObject or JSON string.
+        [Parameter(
+            ValueFromPipeline = $true,
+            Position = 0
+        )]
+        $InputObject
+    )
+
+    begin {
+        #Array of supported functions.
+        $supportedFunctions = @(
+            'Get-VaultKVSecret'
+            'Get-VaultCubbyholeSecret'
+        )
+
+        $psCallStack = Get-PSCallStack
+
+        foreach ($funct in $supportedFunctions) {
+            $callStackPosition =  $psCallStack | Where-Object 'Position' -match $funct
+
+            if ($callStackPosition) {
+                break
+            }
+        }
+
+        if ($psCallStack -notmatch "|") {
+            #Pipeline was present.
+            if (-not $callStackPosition) {
+                Write-Error "ConvertTo-PSCredential does not support the specified pipeline input." -ErrorAction 'Stop'
+                return
+            }
+        }
+        #else Pipeline not present.
+        
+    }
+
+    process {
+        if ($InputObject -is [Hashtable]) {
+            Write-verbose 'Input is hashtable'
+            $InputObject = ConvertFrom-Hashtable $([hashtable] $InputObject)
+        }
+        elseif ($InputObject -is [String]) {
+            Write-verbose 'Input is string'
+            try {
+                $InputObject = $InputObject | ConvertFrom-Json
+                Write-verbose 'converted json to psobject'
+            }
+            catch {
+                Write-Error "The specified JSON is malformed and could not be converted to a PSCredential"
+                return
+            }
+        }
+        else {
+            Write-verbose 'Input is psobject'
+        }
+        
+        $result = Format-VaultOutput -InputObject $InputObject -DataType 'secret_data' -OutputType 'Hashtable' -JustData:$true
+
+        if (-not $result) {
+            #If there was no result, the secret could be a Cubbyhole secret; try a different DataType.
+            $result = Format-VaultOutput -InputObject $InputObject -DataType 'data' -OutputType 'Hashtable' -JustData:$true
+        }
+
+        if ($result) {
+            New-Object System.Management.Automation.PSCredential (
+                $result.Keys[0], 
+                (ConvertTo-SecureString ($result.Values[0]) -AsPlainText -Force)
+            )
+        }
+        
+    }
+
+    end {
+
+    }
+}

psVaultUtils/psVaultUtils.psd1

@@ -12,7 +12,7 @@
     RootModule = 'psVaultUtils.psm1'
 
     # Version number of this module.
-    ModuleVersion = '1.3.2'
+    ModuleVersion = '1.4.1'
 
     # Supported PSEditions
     # CompatiblePSEditions = @()
@@ -108,8 +108,10 @@
         'Submit-VaultRootTokenGeneration'
         'Unprotect-VaultRootToken'
 
+        'ConvertFrom-Hashtable'
         'ConvertTo-Hashtable'
         'ConvertTo-Base64'
+        'ConvertTo-PSCredential'
         'Get-VaultRandomBytes'
         'Get-VaultDataHash'