Merge pull request #33 from joshcorr/development

Release 2.0.1 Preview

Author: joshcorr

.github/workflows/test.yml

@@ -19,7 +19,7 @@ jobs:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0
       - name: Lint Code Base
-        uses: github/super-linter@v3
+        uses: github/super-linter@v4
         env:
           VALIDATE_ALL_CODEBASE: true
           VALIDATE_JSON: false

CHANGELOG.md

@@ -1,10 +1,16 @@
-# Change Log
+# Changelog
 
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [2.0.1] - 2022-01-13
+
+Support skipping certificate varification [#29](https://github.com/joshcorr/SecretManagement.Hashicorp.Vault.KV/issues/29) thanks to [@ryancbutler](https://github.com/ryancbutler)  
+bugfix for DateTime conversion when useing root token [#31](https://github.com/joshcorr/SecretManagement.Hashicorp.Vault.KV/issues/31)  
+bugfix Linter  
+
 ## [1.3.0] - 2021-11-14
 
 Reintroduced PowerShell 5.1 support [#26](https://github.com/joshcorr/SecretManagement.Hashicorp.Vault.KV/issues/26)  
@@ -15,7 +21,7 @@ Backported changes from main branch
 *Powershell 5.1 is no longer a supported version for this extension.  
 version 1.1.1-Preview is the last 5.1 compatible version*
 
-Major re-write of the token management to make it compatible with [Constrained Language Mode](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.1#constrained-language-constrained-language)  
+Major rewrite of the token management to make it compatible with [Constrained Language Mode](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.1#constrained-language-constrained-language)  
 Fixes issues with  `Unlock-SecretVault` [#24](https://github.com/joshcorr/SecretManagement.Hashicorp.Vault.KV/issues/24)  
 Fixes issue using extension from Terminal [#22](https://github.com/joshcorr/SecretManagement.Hashicorp.Vault.KV/issues/22)  
 Updated documentation  
@@ -52,7 +58,7 @@ Update About; remove Preview Tag
 
 ## [0.0.11] - 2021-03-16
 
-More Bug fixes
+More bugfixes
 
 ## [0.0.10] - 2021-03-16
 
@@ -80,11 +86,11 @@ Version Bump
 
 ## [0.0.4] - 2021-03-08
 
-More Github Actions changes
+More GitHub Actions changes
 
 ## [0.0.3] - 2021-03-08
 
-Github Actions changes
+GitHub Actions changes
 
 ## [0.0.2] - 2021-03-08
 

CONTRIBUTING.md

@@ -27,7 +27,7 @@ If this is your first time contributing to an opensource project, welcome! Here
 
 - Look for items marked as "good first issue" (these usually only require a few easy changes)
 - Comment on this issue to let us know you want to work on it
-- Fork the module into your own repo
+- Fork the module into your own repository
 - Create a feature branch off of the development branch
     Call it something like `fix-bad-example-issue43`
 - If you get stuck reach out for help

README.md

@@ -4,7 +4,7 @@
 [![PSGallery][]][PSGalleryLink]
 [![SupportBadge][]][SupportBadge]
 
-A PowerShell SecretManagement extension for Hashicorp Vault Key Value (KV) Engine. This supports version 1, version2, and  cubbyhole (similar to v1). It does not currently support all of the version 2 features like versioned secrets.
+A PowerShell SecretManagement extension for Hashicorp Vault key- value (KV) Engine. This supports version 1, version2, and  cubbyhole (similar to v1). It does not currently support all of the version 2 features like versioned secrets.
 
 | Extension Version | 6.0+ | 5.1 | Constrained Language Mode |
 | ----------------- | ---- | --- | ------------------------- |
@@ -23,6 +23,12 @@ When registering a vault you need to provide at least these options:
 Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name PowerShellTest -VaultParameters @{ VaultServer = 'http://vault.domain.local:8200'; VaultAuthType = 'Token'}
 ```
 
+To disable HTTPS certificate checks (e.g. self-signed certs) use the `VaultSkipVerify` parameter
+
+```PowerShell
+Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name PowerShellTest -VaultParameters @{ VaultServer = 'https://vault.domain.local:8200'; VaultAuthType = 'Token'; VaultSkipVerify = $true}
+```
+
 The vault name should match exactly, as Hashicorp vault is case sensitive. If no VaultParameters are provided the functions will prompt you on the first execution in your session. Additionally you may provide which version of KV you are using when registering. It defaults to version 2 of KV.  
 
 ```PowerShell

SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psd1

@@ -1,5 +1,5 @@
 @{
-    ModuleVersion     = '2.0.0'
+    ModuleVersion     = '2.0.1'
     RootModule        = 'SecretManagement.Hashicorp.Vault.KV.Extension.psm1'
     FunctionsToExport = @('Set-Secret', 'Get-Secret', 'Remove-Secret', 'Get-SecretInfo', 'Test-SecretVault', 'Unlock-SecretVault', 'Unregister-SecretVault')
 }

SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1

@@ -2,8 +2,8 @@
 using namespace System.Collections.ObjectModel
 using namespace System.Collections.Generic
 # enum and Variables setup for use
-$script:HashicorpVaultConfigValues = @('VaultServer', 'VaultAuthType', 'VaultToken', 'VaultAPIVersion', 'KVVersion', 'OutputType', 'Verbose')
-$script:AllVariables = @('VaultServer', 'VaultAuthType', 'VaultToken', 'VaultAPIVersion', 'KVVersion', 'OutputType', 'TokenRenewable', 'TokenLifespan', 'TokenType', 'TokenExpireTime', 'Verbose')
+$script:HashicorpVaultConfigValues = @('VaultServer', 'VaultAuthType', 'VaultToken', 'VaultAPIVersion', 'VaultSkipVerify', 'KVVersion', 'OutputType', 'Verbose')
+$script:AllVariables = @('VaultServer', 'VaultAuthType', 'VaultToken', 'VaultAPIVersion', 'VaultSkipVerify', 'KVVersion', 'OutputType', 'TokenRenewable', 'TokenLifespan', 'TokenType', 'TokenExpireTime', 'Verbose')
 
 enum HashicorpVaultAuthTypes {
     None
@@ -21,7 +21,9 @@ $script:HashicorpAuthTypes = @('None', 'AppRole', 'LDAP', 'userpass', 'Token')
 [string]$script:VaultAPIVersion = 'v1'
 [string]$script:KVVersion = 'v2'
 [string]$script:OutputType = 'Hashtable'
+[bool]$script:VaultSkipVerify = $false
 # Internally used
+[bool]$script:RootToken = $false
 [bool]$script:TokenRenewable
 [double]$script:TokenLifespan
 [string]$script:TokenType
@@ -119,9 +121,10 @@ function Invoke-VaultAPIQuery {
         }
 
         $VaultSplat = @{
-            URI     = $uri
-            Method  = $Method
-            Headers = New-VaultAPIHeader
+            URI                  = $uri
+            Method               = $Method
+            Headers              = New-VaultAPIHeader
+            SkipCertificateCheck = $script:VaultSkipVerify
         }
         if ($null -ne $body) { $VaultSplat['Body'] = $body }
 
@@ -169,7 +172,7 @@ function Invoke-VaultToken {
         Write-Verbose "Retrieving a Token for authenticating to Vault"
         $RenewToken = $false
         #continue
-    } elseif ($Null -ne $script:VaultToken -and $script:TokenExpireTime -lt (Get-date)) {
+    } elseif ($Null -ne $script:VaultToken -and $script:TokenExpireTime -lt (Get-date) -and -not $script:RootToken) {
         # Retrieve a new token if expired
         Write-Verbose "Token Expired at $($script:TokenExpireTime). Retieving a new token"
         $script:VaultToken = $null
@@ -248,11 +251,11 @@ function Invoke-VaultToken {
     }
     try {
         if ($script:VaultAuthType -notin @('Token', 'RenewToken')) {
-            $auth = (Invoke-RestMethod -Method POST -Uri $UserLogin -Body $UserPassword -ErrorVariable RestError)
+            $auth = (Invoke-RestMethod -Method POST -Uri $UserLogin -Body $UserPassword -ErrorVariable RestError -SkipCertificateCheck:$script:VaultSkipVerify)
             $auth_info = $auth.auth
             $script:VaultToken = $auth_info.client_token | ConvertTo-SecureString -AsPlainText -Force
         } elseif ($script:VaultAuthType -eq 'RenewToken') {
-            $auth = (Invoke-RestMethod -Method POST -Uri $UserLogin -Headers $headers -ErrorVariable RestError)
+            $auth = (Invoke-RestMethod -Method POST -Uri $UserLogin -Headers $headers -ErrorVariable RestError -SkipCertificateCheck:$script:VaultSkipVerify)
             $auth_info = $auth.auth
             $script:VaultToken = $auth_info.client_token | ConvertTo-SecureString -AsPlainText -Force
         }
@@ -261,13 +264,18 @@ function Invoke-VaultToken {
         $token_uri = "$($script:VaultServer)/$($script:VaultAPIVersion)/auth/token/lookup"
         $token_body = @{'token' = $([PSCredential]::new("token", $($script:VaultToken)).GetNetworkCredential().Password) } | ConvertTo-Json
         $Headers = New-VaultAPIHeader
-        $token_info = (Invoke-RestMethod -Method POST -Uri $token_uri -Body $token_body -Headers $headers -ErrorVariable RestError)
+        $token_info = (Invoke-RestMethod -Method POST -Uri $token_uri -Body $token_body -Headers $headers -ErrorVariable RestError -SkipCertificateCheck:$script:VaultSkipVerify)
 
         # Storing the information for checking before future calls.
+        if ($token_info.data.policies -contains 'root') {
+            $script:RootToken = $true
+        }
         $script:TokenRenewable = $token_info.data.renewable
         $script:TokenType = $token_info.data.type
         $script:TokenLifespan = $token_info.data.ttl
-        $script:TokenExpireTime = $token_info.data.expire_time
+        if (-not $script:RootToken) {
+            $script:TokenExpireTime = $token_info.data.expire_time
+        }
     } catch {
         if ($null -ne $RestError.message) {
             throw "Received an error: $($RestError.message)"
@@ -303,9 +311,10 @@ function New-Vault {
                 $version = '2'
             }
             $VaultSplat = @{
-                URI     = $serverURI
-                Method  = 'POST'
-                Headers = New-VaultAPIHeader
+                URI                  = $serverURI
+                Method               = 'POST'
+                Headers              = New-VaultAPIHeader
+                SkipCertificateCheck = $script:VaultSkipVerify
             }
             $VaultOptions = @{
                 type        = 'kv'
@@ -398,9 +407,10 @@ function Remove-Vault {
             $serverURI = $($script:VaultServer), $($script:VaultAPIVersion), 'sys/mounts', $VaultName -join '/'
             Write-Verbose "Removing $VaultName. $AdditionalParameters['Description']"
             $VaultSplat = @{
-                URI     = $serverURI
-                Method  = 'DELETE'
-                Headers = New-VaultAPIHeader
+                URI                  = $serverURI
+                Method               = 'DELETE'
+                Headers              = New-VaultAPIHeader
+                SkipCertificateCheck = $script:VaultSkipVerify
             }
 
             Invoke-RestMethod @VaultSplat
@@ -476,7 +486,7 @@ function Get-Secret {
         [hashtable] $AdditionalParameters
     )
     process {
-        $VerboseSplat = @{Verbose = $AdditionalParameters['Verbose']}
+        $VerboseSplat = @{Verbose = $AdditionalParameters['Verbose'] }
         $null = Test-SecretVault -VaultName $VaultName -AdditionalParameters $AdditionalParameters
         if ($Name -match '/') {
             $SecretName = $($Name -split '/')[-1]
@@ -549,7 +559,7 @@ function Get-SecretInfo {
         [hashtable] $AdditionalParameters
     )
     process {
-        $VerboseSplat = @{Verbose = $AdditionalParameters['Verbose']}
+        $VerboseSplat = @{Verbose = $AdditionalParameters['Verbose'] }
         $null = Test-SecretVault -VaultName $VaultName -AdditionalParameters $AdditionalParameters
         $Filter = "*$Filter"
         $VaultSecrets = Resolve-VaultSecretPath -VaultName $VaultName @VerboseSplat
@@ -583,7 +593,7 @@ function Remove-Secret {
         [hashtable] $AdditionalParameters
     )
     process {
-        $VerboseSplat = @{Verbose = $AdditionalParameters['Verbose']}
+        $VerboseSplat = @{Verbose = $AdditionalParameters['Verbose'] }
         $null = Test-SecretVault -VaultName $VaultName -AdditionalParameters $AdditionalParameters
         $SecretData = Invoke-VaultAPIQuery -VaultName $VaultName -SecretName $Name @VerboseSplat
 
@@ -609,7 +619,7 @@ function Set-Secret {
         [hashtable] $Metadata
     )
     process {
-        $VerboseSplat = @{Verbose = $AdditionalParameters['Verbose']}
+        $VerboseSplat = @{Verbose = $AdditionalParameters['Verbose'] }
         $null = Test-SecretVault -VaultName $VaultName -AdditionalParameters $AdditionalParameters
         $type = $Secret.GetType()
         switch ($Secret.GetType()) {

SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.psd1

@@ -1,5 +1,5 @@
 @{
-    ModuleVersion        = '2.0.0'
+    ModuleVersion        = '2.0.1'
     CompatiblePSEditions = @('Core')
     GUID                 = '5dbf943d-d9c0-4db5-88a2-1995043a6305'
     Author               = 'Josh Corrick'
@@ -15,7 +15,7 @@
 
         PSData = @{
             # Prerelease string of this module
-            # Prerelease                 = 'Preview'
+            Prerelease                 = 'Preview'
             Tags                       = 'SecretManagement', 'HashiCorp', 'Secret', 'Vault', 'MacOS', 'Linux', 'Windows'
             ExternalModuleDependencies = @('Microsoft.PowerShell.SecretManagement')
             LicenseUri                 = 'https://raw.githubusercontent.com/joshcorr/SecretManagement.Hashicorp.Vault.KV/main/LICENSE'

SecretManagement.Hashicorp.Vault.KV/en-us/about_SecretManagement.Hashicorp.Vault.KV.Extension.Help.txt

@@ -42,6 +42,7 @@ REGISTRATION PARAMETERS
         VaultAuthType - The type of auth you will use to retrieve a token
         VaultToken - The Vault Token you are using. This must be input as ConvertFrom-SecureString output.
         VaultAPIVersion - Defaults to v1
+        VaultSkipVerify - To disable HTTPS certificate checks (e.g. self-signed certs). Defaults as $false
         KVVersion - Defaults to v2
         OutputType - Defaults to Hashtable
         Verbose - Supported by SecretManagement