<#
.SYNOPSIS
  Rotates the password of a local Windows account and records the new value in HashiCorp Vault.

.DESCRIPTION
  Logs in to Vault with an AppRole (RoleID/SecretID), asks Vault to generate a password
  from the named password policy, writes that password under
  <SecretsStoreName>/data/[<SecretsBasePath>/]<Hostname>/<Username>, and only then applies
  it to the local account with Set-LocalUser.

  NOTE(review): RoleID and SecretID are taken as plain command-line strings, so they are
  visible to anyone who can read this process's command line (and to script-block /
  transcript logging). Prefer a delivery channel that does not put the SecretID on argv.
#>
param (
    # Vault server address in the form https://vault.acme.corp
    [Parameter(Mandatory = $true)] [string]$VaultAddr,

    # AppRole credentials used to obtain a Vault client token.
    [Parameter(Mandatory = $true)] [string]$RoleID,
    [Parameter(Mandatory = $true)] [string]$SecretID,

    # Name of the Vault password policy used to generate the new password.
    [Parameter(Mandatory = $true)] [string]$PasswordPolicyName,

    # Mount name of the secrets store the password is written to.
    [Parameter(Mandatory = $true)] [string]$SecretsStoreName,

    # Local account whose password is rotated.
    [Parameter(Mandatory = $true)] [string]$Username,

    # Optional path segment inserted between the store and the host name. Empty = none.
    [Parameter()] [string]$SecretsBasePath = "",

    # Host name segment of the secret path; defaults to this machine's name, lower-cased.
    [Parameter()] [string]$Hostname = $env:computername.ToLower()
)

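# Plain-text log file appended to by WriteLog (defined below).
$LOG_FILE = 'c:\windows\debug\password-auto-rotate.log'

# Normalise the address first: a trailing "/" on -VaultAddr (or leading/trailing
# "/" on -SecretsBasePath) would otherwise produce "https://host//v1/..." style URIs.
$vaultBase = $VaultAddr.TrimEnd('/')
$AppRoleLoginUri = "$vaultBase/v1/auth/approle/login"
$GetPasswordUri = "$vaultBase/v1/sys/policies/password/$PasswordPolicyName/generate"
# Two candidate secret paths; which one is used is decided later by whether
# -SecretsBasePath is empty.
$SecretUri1 = "$vaultBase/v1/$SecretsStoreName/data/$Hostname/$Username"
$SecretUri2 = "$vaultBase/v1/$SecretsStoreName/data/$($SecretsBasePath.Trim('/'))/$Hostname/$Username"
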
# Make sure the event source used by WriteEventLog (below) exists before
# anything is written to the Application log.
$eventSource = "PasswordAutoRotate"
if (-not [System.Diagnostics.EventLog]::SourceExists($eventSource)) {
    New-EventLog -LogName Application -Source $eventSource
}

function WriteLog {
    <#
    .SYNOPSIS
      Appends one timestamped line ("yyyy/MM/dd HH:mm:ss LEVEL message") to $LOG_FILE.
    .PARAMETER Level
      Severity label written into the line: INFO (default), WARN, ERROR, FATAL or DEBUG.
    .PARAMETER Message
      Text to log; callers in this script pass it positionally as the second argument.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $false)]
        [ValidateSet("INFO", "WARN", "ERROR", "FATAL", "DEBUG")]
        [String]$Level = "INFO",

        [Parameter(Mandatory = $true)]
        [string]$Message
    )
    $stamp = Get-Date -Format "yyyy/MM/dd HH:mm:ss"
    Add-Content -Path $LOG_FILE -Value ("{0} {1} {2}" -f $stamp, $Level, $Message)
}

function WriteEventLog {
    <#
    .SYNOPSIS
      Writes one entry (EventID 1, source PasswordAutoRotate) to the Application event log.
    .PARAMETER Level
      INFO (default), WARN or ERROR; mapped to the Information/Warning/Error entry types.
    .PARAMETER Message
      Event text.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $false)]
        [ValidateSet("INFO", "WARN", "ERROR")]
        [String]$Level = "INFO",

        [Parameter(Mandatory = $true)]
        [string]$Message
    )
    # Hashtable keys are matched case-insensitively, like the ValidateSet above.
    $entryTypes = @{ INFO = "Information"; WARN = "Warning"; ERROR = "Error" }
    Write-EventLog -LogName "Application" -Source "PasswordAutoRotate" `
        -EventID 1 -EntryType $entryTypes[$Level] -Message $Message
}

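# Refuse to continue if the account does not exist locally. -ErrorAction
# SilentlyContinue suppresses Get-LocalUser's own error output for a missing
# account, so the failure is reported once, through our own log/event entries.
if (-not (Get-LocalUser -Name $Username -ErrorAction SilentlyContinue)) {
    $msg = "User with $Username does not exists"
    WriteLog ERROR $msg
    WriteEventLog ERROR $msg
    throw $msg
}
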
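[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# The original installed a callback that accepts *any* server certificate,
# unconditionally and for the whole process. That switches off TLS server
# authentication, so an on-path attacker could read the AppRole SecretID, the
# Vault token and the freshly generated administrator password. Accept
# untrusted certificates only when explicitly requested through Vault's own
# opt-in variable (VAULT_SKIP_VERIFY=1/true). For a self-signed Vault CA the
# proper fix is to install that CA in the machine's Trusted Root store.
if ("$env:VAULT_SKIP_VERIFY" -in @('1', 'true')) {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    WriteLog WARN "VAULT_SKIP_VERIFY is set: TLS server certificate validation is disabled for this run"
}

$msg = "Started password update for user $Username"
WriteEventLog INFO $msg
WriteLog INFO $msg
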
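# AppRole login: exchange RoleID/SecretID for a Vault client token.
# Neither the request body nor the returned token is written to the log file.
$data = @{
    "role_id"   = $RoleID
    "secret_id" = $SecretID
}
$body = $data | ConvertTo-Json

# get vault token
$resp = $null
try {
    $resp = Invoke-RestMethod -Method POST -ContentType "application/json" `
        -Body $body -Uri $AppRoleLoginUri
}
catch {
    # $resp is still $null here (the assignment never completed), so the old
    # "Response body: $resp" text was always empty; log the error record instead,
    # the same way the later request blocks do.
    $s = "Error getting vault token. Request uri=$AppRoleLoginUri"
    WriteLog ERROR $s
    WriteLog ERROR $_
    WriteEventLog ERROR $s
    throw $_
}

$vaultAccessToken = $resp.auth.client_token
if (-not $vaultAccessToken) {
    $s = "Can not get Vault access token from response"
    WriteLog ERROR $s
    # Login succeeded at the HTTP level but no token came back; dump what did.
    $msg = $resp | ConvertTo-Json
    WriteLog ERROR "Response data $msg"
    WriteEventLog ERROR $s
    throw $s
}
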
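# Every subsequent Vault call authenticates with the AppRole client token.
$headers = @{
    'Content-Type'  = 'application/json'
    'X-Vault-Token' = $vaultAccessToken
}
# get new password
$resp = $null
try {
    $resp = Invoke-RestMethod -Method Get `
        -Headers $headers -Uri $GetPasswordUri
}
catch {
    # $resp is still $null in this branch, so the original's extra
    # "WriteLog INFO ($resp | ConvertTo-Json)" added nothing useful (and an
    # empty string would not bind to WriteLog's Mandatory -Message). Log the
    # error record only.
    $s = "Can not get new password from vault. uri: $GetPasswordUri"
    WriteEventLog ERROR $s
    WriteLog ERROR $s
    WriteLog ERROR $_
    throw $_
}
$newPwd = $resp.data.password

if (-not $newPwd) {
    $s = "Can not get new password from Vault's response"
    WriteLog ERROR $s
    # No password field means the response body itself is the diagnostic.
    $msg = $resp | ConvertTo-Json
    WriteLog ERROR "Response data $msg"
    WriteEventLog ERROR $s
    throw $s
}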
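# write new pwd to Vault
# Secret path is <store>/data/[<base>/]<host>/<user> (the "/data/" segment is
# the KV v2-style write endpoint). The password is stored in Vault *before* it
# is applied locally, so a failure part-way through can never leave an account
# whose password is known nowhere.
$uri = if ($SecretsBasePath -eq "") { $SecretUri1 } else { $SecretUri2 }

$data = @{
    "data" = @{
        "username" = $Username
        "password" = $newPwd
    }
}
$body = $data | ConvertTo-Json
$resp = $null
try {
    $resp = Invoke-RestMethod -Method Post `
        -Headers $headers -Uri $uri -Body $body
}
catch {
    # Original message read "Can save new password ..." on the failure path;
    # corrected so the log says what actually happened.
    $s = "Can not save new password to vault. uri: $uri"
    WriteEventLog ERROR $s
    WriteLog ERROR $s
    WriteLog ERROR $_
    throw $_
}
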
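# update pwd
try {
    $SecurePwd = ConvertTo-SecureString $newPwd -AsPlainText -Force
    $UserAccount = Get-LocalUser -Name $Username
    $UserAccount | Set-LocalUser -Password $SecurePwd
    $msg = "Password for user $Username was stored in Vault and updated locally."
    WriteLog INFO $msg
    WriteEventLog INFO $msg
}
catch {
    # The Vault write above already succeeded, so Vault now holds a password
    # that is newer than the one the account still has; say so explicitly.
    $msg = "Password for user $Username was stored in Vault but *not* updated locally."
    WriteEventLog ERROR $msg
    WriteLog ERROR $msg
    WriteLog ERROR $_
    throw $_
}
finally {
    # Best-effort hygiene: the AppRole token is not needed any more, so revoke
    # it instead of leaving it valid until its TTL expires. A failure here must
    # not mask the outcome of the rotation itself (the throw above still
    # propagates after finally runs).
    try {
        Invoke-RestMethod -Method Post -Headers $headers `
            -Uri "$VaultAddr/v1/auth/token/revoke-self" | Out-Null
    }
    catch {
        WriteLog WARN "Could not revoke Vault token: $_"
    }
}
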