Venafi / VenafiPS

PowerShell module to fully automate your Venafi TLS Protect Datacenter and Cloud platforms!
https://venafips.readthedocs.io/
Apache License 2.0

Invoke-VenafiRestMethod Struggles #207

Closed HFS-CG closed 1 year ago

HFS-CG commented 1 year ago

I want to create a Check-TppCertificateAssociation function using Invoke-VenafiRestMethod. To start with, I'm trying to perform a simple query for basic info on a certificate - mainly to be sure I'm using Invoke-VenafiRestMethod correctly.

After running New-VenafiSession to authenticate to our TPP implementation, I run Invoke-VenafiRestMethod with what appears to be the correct parameters, with no success thus far. I've been at this for two days now, and have tried specifying serial=, thumbprint=, CN= and CertificateDN=

Invoke-VenafiRestMethod throws a 401 (not authorized) error when using the code below (note that the below does not contain the actual serial number and TPP server):

PS C:\> $params = @{
>>     VenafiSession = $VenafiSession
>>     Method        = 'Get'
>>     UriLeaf       = "Certificates"
>>     Body          = @{ 'serial' = '1234567890' }
>> }
PS C:\>
PS C:\> Invoke-VenafiRestMethod @params -verbose
VERBOSE: {"ContentType":"application/json","UseBasicParsing":true,"Method":"Get","Uri":"https://MyTPPServer.contoso.com/vedsdk/Certificates","Headers":{"Authorization":"***hidden***"},"Body":{"serial":"1234567890"}}
VERBOSE: Response status code 401
Invoke-WebRequest : {"error":"invalid_token","error_description":"Authorization:Bearer parameter is missing or empty."}
At C:\Program Files\WindowsPowerShell\Modules\VenafiPS\Public\Invoke-VenafiRestMethod.ps1:254 char:40
+ ... put = $($response = Invoke-WebRequest @params -ErrorAction Stop) 4>&1
+                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
PS C:\>

After a good bit of thrashing and a replacement keyboard, I've managed to get Invoke-VenafiRestMethod to complete successfully; however, it returns nothing (no error, no output, $? shows true):

PS C:\> $params = @{
>>     VenafiSession = $VenafiSession
>>     Method        = 'Get'
>>     UriLeaf       = "Certificates/serial=1234567890"
>> }
PS C:\>
PS C:\> Invoke-VenafiRestMethod @params -verbose
VERBOSE:
{"ContentType":"application/json","Method":"Get","Headers":{"Authorization":"***hidden***"},"UseBasicParsing":true,"Uri":"https://MyTPPServer.contoso.com/vedsdk/Certificates/serial=0123456789"}
VERBOSE: GET https://MyTPPServer.contoso.com/vedsdk/Certificates/serial=1234567890 with 0-byte payload
VERBOSE: received 2-byte response of content type application/json; charset=utf-8
PS C:\>

I've done a lot of searching and reading (cmdlet's help, all "Issues", Google, Venafi Warrior community, etc.) trying to figure out what I'm doing wrong, but to no avail.

I'm sure I'm missing something important or doing something silly - any light you could shed would be most appreciated!

gdbarron commented 1 year ago

Hi @HFS-CG. After creating a new session, you can call Invoke-VenafiRestMethod -UriLeaf 'certificates/' -Body @{'Serial'='1234567890'}. Get is the default method and VenafiSession will come from the session parameter automatically set so you don't need to provide those directly. Note the trailing slash after certificates.

Why not use Find-VenafiCertificate -SerialNumber '1234567890'?

HFS-CG commented 1 year ago

Thank you! A trailing slash on UriLeaf = "Certificates/" did the trick! :D Figures that something so simple would send me down a days-long rabbit-hole. (Would be super-cool if the Examples in the Help for Invoke-VenafiRestMethod included a "Get Certificates/" example)

gdbarron commented 1 year ago

Invoke-VenafiRestMethod exists for those APIs which don't have dedicated functions so we wouldn't look to add this as an example.

HFS-CG commented 1 year ago

@gdbarron For background: I want to create a Check-TppCertificateAssociation function using Invoke-VenafiRestMethod because only Add-TppCertificateAssociation & Remove-TppCertificateAssociation exist in the VenafiPS module (so there's a 'gap' in functionality).

Before I embark on such a task, I first wanted to confirm I knew how to reliably use Invoke-VenafiRestMethod by doing something less impactful than the examples provided in the Help for Invoke-VenafiRestMethod (like a "Get certificate info").

gdbarron commented 1 year ago

No reason why you can't use existing functions in the module within other functions. Better to reuse an existing function than duplicate code. The only thing to keep in mind is you must pass -VenafiSession in case someone doesn't use the session variable.

Also, I'd suggest Test- instead of Check- as the latter isn't an approved verb.