jpsider / RestPS

Simple ReST Framework for Powershell
MIT License
114 stars 30 forks

Using the Module with Certificates / Token #26

Closed robesmithjr closed 4 years ago

robesmithjr commented 5 years ago

Hi,

First off, thanks for putting this module together. I am trying to enable authentication and would love to see some examples of using an SSL certificate or token for authentication.

I would be happy to try and help out with documentation or other needed items in return.

Thanks again,

Rob

jpsider commented 5 years ago

Awesome!

Yes I have examples! Sadly I've not published them yet and they all use self signed certs. Do you have a cert? Or need me to include that too?

I will gladly take any help!

robesmithjr commented 5 years ago

Hi Justin,

A little background for the usage case:

I work for a university. I designed a Smartcard Reader/Verification system that is used within machine shops to verify students' training for safety courses, course rosters, etc.

If you wish to contact me directly, my work email is robsmithceeemyou.edu

Thanks! Rob


jpsider commented 5 years ago

That's a very interesting use case! I'm hoping we can get this working for you, and confident we can! I've updated the 'Readme' with a lot more information and created a blog post on creating a local Certificate hierarchy. https://invoke-automation.blog/2018/09/16/creating-a-local-ssl-certificate-hierarchy-with-windows-powershell/

Thanks for pushing me to actually update the documentation, it was well overdue! Please let me know if it helps or if you think I should provide additional information.

robesmithjr commented 5 years ago

Hello,

I was able to get the self-signed REST endpoint communicating with the client. When using self-signed certs, it is important to use the invoke-sslignore function from the module; you also have to disable SSL checks on the client side. Here is the function that I used for this:

```powershell
function Ignore-SSLCertificates
{
    # Ignore certificate errors: compile a TrustAll ICertificatePolicy in memory
    $Provider = New-Object Microsoft.CSharp.CSharpCodeProvider
    $Compiler = $Provider.CreateCompiler()
    $Params = New-Object System.CodeDom.Compiler.CompilerParameters
    $Params.GenerateExecutable = $false
    $Params.GenerateInMemory = $true
    $Params.IncludeDebugInformation = $false
    $Params.ReferencedAssemblies.Add("System.DLL") > $null
    $TASource = @'
namespace Local.ToolkitExtensions.Net.CertificatePolicy
{
    public class TrustAll : System.Net.ICertificatePolicy
    {
        public bool CheckValidationResult(System.Net.ServicePoint sp,
            System.Security.Cryptography.X509Certificates.X509Certificate cert,
            System.Net.WebRequest req, int problem)
        {
            return true;
        }
    }
}
'@
    $TAResults = $Provider.CompileAssemblyFromSource($Params, $TASource)
    $TAAssembly = $TAResults.CompiledAssembly

    # We create an instance of TrustAll and attach it to the ServicePointManager
    $TrustAll = $TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
    [System.Net.ServicePointManager]::CertificatePolicy = $TrustAll
}
```

Use cases may vary, but this is what I had to do to get self-signed certs working across two separate nodes (one hosting the REST endpoint and one or more clients). I had tried using several other methods for ignoring certs; there may be an easier way, but this worked well.

In addition, it is important to note that if the client will not be running as administrator, the CurrentUser\My certificate store should be used. I exported the server and client certs with the private keys and included all certificates in the chain, in order to get the self-signed CA added to the Trusted Root store.
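As an added client-side alternative to the TrustAll policy above (example code, not from the thread or from RestPS): importing the self-signed CA into the current user's Trusted Root store lets normal chain validation succeed, and the client certificate is presented with -Certificate, so no SSL checks need to be disabled. The file paths, the endpoint URL and the PFX password prompt are assumed placeholders.

```powershell
# Added example: trust the self-signed CA instead of disabling validation.
# Paths and URL below are placeholders (assumed), not values from the thread.
$CaCertPath    = 'C:\certs\RestPS-RootCA.cer'    # public cert of the self-signed CA
$ClientPfxPath = 'C:\certs\RestPS-Client.pfx'    # client cert exported with its private key
$PfxPassword   = Read-Host -AsSecureString -Prompt 'PFX password'
$Endpoint      = 'https://restps.example.edu:8080/process'

# CurrentUser stores need no administrator rights (as noted in the thread).
# Root store: the client now validates the server chain up to this CA only.
# Note: Windows shows a confirmation dialog when a root is added to CurrentUser\Root.
$ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\CurrentUser\Root'

# My store: the client certificate (with private key) used to authenticate to the endpoint.
$client = Import-PfxCertificate -FilePath $ClientPfxPath `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Password $PfxPassword

# Sanity checks before the first call: the client cert must carry a private key
# and must chain to the CA just imported, otherwise the endpoint will reject it.
if (-not $client.HasPrivateKey) {
    throw "Client certificate has no private key"
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($client)) {
    throw "Client certificate does not chain to a trusted CA"
}
$rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
if ($rootThumb -ne $ca.Thumbprint) {
    throw "Client certificate chains to an unexpected root ($rootThumb)"
}

# No Ignore-SSLCertificates / invoke-sslignore needed: validation runs normally.
Invoke-RestMethod -Uri $Endpoint -Method Get -Certificate $client
```

The server certificate must also have been issued by the same CA and carry the host name the client uses in $Endpoint, or validation fails with a name mismatch rather than a trust error.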

robesmithjr commented 5 years ago

Hi Justin,

I am going to be wrapping several different REST endpoints through the Webproxy that I am writing. Sometimes there are quite a few parameters that need to be passed. I modified your code that splits the GET parameters to store them within a pscustomobject, making the code reusable.

For processing more numerous parameter sets (using GET), take a look at this piece of code:

```powershell
<#
.DESCRIPTION
This script will return the body passed to the RestEndpoint.
.EXAMPLE
Invoke-GetProcess.ps1 -RequestArgs "Name=PowerShell&MainWindowTitle=RestPS"
.NOTES
This will return a json object, through the REST Endpoint, or a pscustomobject that can be used for additional calls.
#>
param(
    $RequestArgs
)

$requestobj = [pscustomobject]@{}
# "-like '&'" would only match a string that is exactly "&"; the wildcard form
# matches any argument string that contains a separator.
if ($RequestArgs -like "*&*") {

    $ArgumentPairs = $RequestArgs.split("&")

    # "-lt" rather than "-le": the last valid index is count - 1
    For ($i = 0; $i -lt $ArgumentPairs.count; $i++)
    {
        $Property, $value = $ArgumentPairs[$i].split("=")
        $requestobj | Add-Member -MemberType NoteProperty -Name $Property -Value $value
    }

    # additional code here that will leverage the pscustomobject

}
```

jpsider commented 5 years ago

I think I would make a slight change to the loop, but I completely agree with your logic!

```powershell
$ArgumentPairs = $RequestArgs.split('&')
foreach ($ArgumentPair in $ArgumentPairs) {
    $Property, $Value = $ArgumentPair.split('=')
    $RequestObj | Add-Member -MemberType NoteProperty -Name $Property -value $Value
}
```

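Building on the foreach version above, here is an added, reusable parser for the GET parameters (example code, not from the thread or from RestPS). It goes a little beyond the snippets in the thread: it handles a single parameter with no "&", values containing "=", URL-encoded text, and repeated keys. The function name and the sample request string are constructed for this illustration.

```powershell
# Added example: a reusable GET-parameter parser for the pscustomobject approach.
# Function name and sample input are constructed for this illustration, not RestPS code.
function ConvertFrom-RequestArgs {
    param(
        [AllowEmptyString()]
        [string]$RequestArgs
    )
    $RequestObj = [pscustomobject]@{}
    if ([string]::IsNullOrWhiteSpace($RequestArgs)) { return $RequestObj }

    # Split('&') also works for a single pair, so no "-like '&'" guard is needed;
    # empty segments (for example a trailing '&') are skipped.
    foreach ($ArgumentPair in $RequestArgs.Split('&')) {
        if ([string]::IsNullOrEmpty($ArgumentPair)) { continue }

        # Split on the first '=' only, so values that contain '=' survive intact;
        # a bare "Flag" with no '=' becomes an empty-string value.
        $Property, $Value = $ArgumentPair.Split('=', 2)
        if ($null -eq $Value) { $Value = '' }

        # Undo URL encoding ('%20', '+') so the handler sees the real text.
        # '+' is replaced before unescaping so an encoded '%2B' stays a literal '+'.
        $Property = [System.Uri]::UnescapeDataString($Property.Replace('+', ' '))
        $Value    = [System.Uri]::UnescapeDataString($Value.Replace('+', ' '))

        # Repeated keys (Tag=a&Tag=b) are collected into an array instead of
        # failing on the second Add-Member for an existing property.
        if ($RequestObj.PSObject.Properties[$Property]) {
            $RequestObj.$Property = @($RequestObj.$Property) + $Value
        } else {
            $RequestObj | Add-Member -MemberType NoteProperty -Name $Property -Value $Value
        }
    }
    return $RequestObj
}

# Constructed sample request string exercising every case handled above
$Request = ConvertFrom-RequestArgs -RequestArgs 'Name=PowerShell&MainWindowTitle=Rest%20PS&Tag=a&Tag=b&Flag'
$Request | Format-List
```

Property names come straight from the client, so a handler should still check that each expected property exists before using it rather than assuming the request was well formed.
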
robesmithjr commented 5 years ago

Hi Justin,

My implementation is going well, I have the certificates working for authentication to the service. I have the Rest endpoint connecting to several other services and populating a database with the results. Thank you for all of your great work and suggestions!

My next step is to log the incoming requests for debugging.

jpsider commented 5 years ago

That’s awesome!! I do want to implement standard logging! You may beat me to it! So we can compare notes. I’m hoping to use my logging module, but that may take me a week or two. I’m excited it’s all working for you!

robesmithjr commented 5 years ago

Justin,

Seems like the place to implement the logging would be inside the listener, correct?

I would love to contribute. I'll fork it, add some logging and check it back in if you want to use it. I look forward to seeing your logging module.

I am using nssm and am running the rest endpoint as a service. It seems very stable. I will have maybe 60 or 70 clients accessing it, but the traffic will not be bursty at all. I have it calling several other rest services, adding records to a database, secure LDAP and controlling network based PDU units.

Rob
