poshbotio / PoshBot

Powershell-based bot framework
MIT License

My poshbot plugin works inconsistently. #143

Closed mgeorgebrown89 closed 5 years ago

mgeorgebrown89 commented 5 years ago

I'm still working on a POC for this, but I'm struggling to get my plugin to work correctly. Right now, all I'm trying to do is create a wrapper of some AD module functions, in this instance the Get-ADOrganizationalUnit function.

Basically, when I run this method through Slack, it only returns some of the OUs. I just tested this further by installing the ActiveDirectory Module as a plugin and running "!Get-ADOrganizationalUnit -filter *" and it only returns 27 OUs, but we have much, much more than that.

I'm wondering now if this is actually something to do with our environment, but I figured I'd ask in case someone else has run into something similar.

I noticed from this blog: http://ramblingcookiemonster.github.io/PoshBot/ that he uses $PSBoundParameters but doesn't really explain why. Is this necessary?

When I run my function directly from the powershell window on the machine hosting Poshbot, it works as expected. This is the function in the plugin.

```powershell
function Get-VEC_OrganizationInfo {
    <#
    .SYNOPSIS
    Get customer info
    .EXAMPLE
    #>
    [cmdletbinding()]
    [PoshBot.BotCommand(
        CommandName = 'orgInfo',
        Aliases = ('oi'),
        Permissions = 'read'
    )]
    param(
        [string]$name,
        # $Width was used below but never declared in the posted version; default added so the function runs
        [int]$Width = 200
    )
    $results = Get-ADOrganizationalUnit -Filter * | Where-Object { $_.Name -like "$name*" }
    $o = $results | Select-Object -Property Name, DistinguishedName | Format-Table -AutoSize -Wrap | Out-String -Width $Width
    $count = (Get-ADOrganizationalUnit -Filter *).Count
    Write-Output $count

    New-PoshBotCardResponse -Type Normal -Text $o -Verbose
}
```

mgeorgebrown89 commented 5 years ago

Did some more testing...

I have two functions in my plugin. All they do is call AD module functions.

```powershell
function Get-VEC_UserCount { Write-Output ((Get-ADUser -Filter *).Count) }
```

This returns the same value in Slack and in PowerShell.

```powershell
function Get-VEC_ADOUcount { Write-Output ((Get-ADOrganizationalUnit -Filter *).Count) }
```

This returns very different numbers. I can't seem to find what the issue is, but it may be environment related, not PoshBot related.

mgeorgebrown89 commented 5 years ago

So I just confirmed that it was something on my end. This issue can be closed.

PoshBot was running as a service, but logging on as the localsystem, which meant it didn't have access to return everything. I was comparing this to my admin account, hence the discrepancy.

Oops.

devblackops commented 5 years ago

Ah. That makes sense. You may try running it as an AD service account, but I would recommend not using any kind of privileged user. PoshBot has a way to inject credentials and other types of parameters into functions at runtime. http://docs.poshbot.io/en/latest/tutorials/plugin-development/advanced/config-provided-parameters/
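One way to apply the config-provided-parameter approach devblackops links to, written here as an added example (it is neither PoshBot's own code nor the plugin from this issue): the service itself runs unprivileged, and the AD query borrows a narrowly scoped read-only account that PoshBot injects from the bot configuration. The plugin name `VecAd`, the config keys `AdReadCredential` and `DomainController`, and the host name are assumptions.

```powershell
# Plugin function (e.g. in VecAd.psm1). [PoshBot.FromConfig()] tells PoshBot to fill the
# parameter from PluginConfiguration at runtime, so the credential never appears in chat
# and the Windows service account itself needs no AD rights beyond the default.
function Get-VecOrganizationInfo {
    [PoshBot.BotCommand(
        CommandName = 'orgInfo',
        Aliases = ('oi'),
        Permissions = 'read'
    )]
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Name,

        # Injected from the bot config (assumed key); a read-only AD account, not an admin.
        [PoshBot.FromConfig('AdReadCredential')]
        [Parameter(Mandatory)]
        [pscredential]$Credential,

        # Injected from the bot config (assumed key); pins the query to a known DC.
        [PoshBot.FromConfig('DomainController')]
        [Parameter(Mandatory)]
        [string]$Server
    )

    # Filter server-side rather than pulling every OU; escape quotes so chat input
    # cannot alter the filter expression.
    $filter = "Name -like '$($Name -replace "'", "''")*'"
    $ous = Get-ADOrganizationalUnit -Filter $filter -Server $Server -Credential $Credential |
        Select-Object -Property Name, DistinguishedName

    $text = $ous | Format-Table -AutoSize -Wrap | Out-String -Width 200
    New-PoshBotCardResponse -Type Normal -Title "$($ous.Count) OU(s) matching '$Name'" -Text $text
}

# Bot configuration (assumed values). PluginConfiguration is keyed by plugin name and then
# by the names used in the FromConfig attributes above; keep this out of source control.
# $cred = Get-Credential -Message 'Read-only AD account for the bot'
# $botConfig = New-PoshBotConfiguration -PluginConfiguration @{
#     'VecAd' = @{
#         AdReadCredential = $cred
#         DomainController = 'dc01.example.internal'
#     }
# }
```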

mgeorgebrown89 commented 5 years ago

What's the concern with that specifically? If I control access to the bot at the top level with all the builtin RBAC stuff, shouldn't that be okay? If I provide creds in the config file (which I plan to do for API work), those functions are still accessible by whoever has access...

ChrisLGardner commented 5 years ago

I'd always apply a defense in depth approach to these things, especially when something like AD is involved. More so when you're doing things with Set or Update or similar state changing verbs. I'd never want to rely on an end users creds to stop people getting around rbac.

I'd probably even look at implementing JEA to let the bot remote into endpoints and lock down what it can do that way too.

It's probably worth renaming those functions too; it's not a PS convention to use underscores in function names, which will make them less discoverable to other users and make it more confusing when you've got those and other functions next to each other.
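An added sketch of the JEA endpoint ChrisLGardner suggests (this is not code from PoshBot or from this issue): a role capability exposes only the read cmdlets the bot needs, the endpoint runs as a transient virtual account on a management host, and the bot connects with a low-privilege account that is merely allowed to reach that endpoint, so even a compromised bot identity has no state-changing AD verbs available. The module name `VecBotJea`, endpoint name `PoshBot.AdRead`, group `EXAMPLE\PoshBot-Readers`, host name and config key are assumptions.

```powershell
# 1. Role capability: the only commands (and parameters) visible inside the JEA session.
$modPath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\VecBotJea'
$rcPath  = Join-Path $modPath 'RoleCapabilities'
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modPath 'VecBotJea.psd1')

New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'AdReadOnly.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        # Parameter allow-list: no -Credential, no -Server, and no Set-/Remove- verbs at all.
        @{ Name = 'Get-ADOrganizationalUnit'
           Parameters = @{ Name = 'Filter' }, @{ Name = 'SearchBase' }, @{ Name = 'Properties' } },
        @{ Name = 'Get-ADUser'
           Parameters = @{ Name = 'Filter' }, @{ Name = 'Identity' } }
    )

# 2. Session configuration: restricted, virtual account, transcript of every bot session.
#    Register this on a management host, not on a DC (a virtual account on a DC is a
#    domain admin); the host's computer account is enough for read-only AD queries.
$pssc = Join-Path $env:TEMP 'PoshBot.AdRead.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'EXAMPLE\PoshBot-Readers' = @{ RoleCapabilities = 'AdReadOnly' } }
Register-PSSessionConfiguration -Name 'PoshBot.AdRead' -Path $pssc -Force

# 3. Bot side: the plugin's credential (injected from config, assumed key) is a plain
#    member of EXAMPLE\PoshBot-Readers; the virtual account performs the actual query.
function Get-VecAdOuCount {
    [PoshBot.BotCommand(CommandName = 'oucount', Permissions = 'read')]
    [CmdletBinding()]
    param(
        [PoshBot.FromConfig('BotRemotingCredential')]
        [Parameter(Mandatory)]
        [pscredential]$Credential
    )
    $count = Invoke-Command -ComputerName 'mgmt01.example.internal' `
        -ConfigurationName 'PoshBot.AdRead' -Credential $Credential `
        -ScriptBlock { (Get-ADOrganizationalUnit -Filter *).Count }
    New-PoshBotCardResponse -Type Normal -Text "OUs visible to the JEA endpoint: $count"
}
```

Comparing this count with the one returned when the command runs locally under the service identity is a quick way to confirm which identity the bot's queries actually use.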


mgeorgebrown89 commented 5 years ago

Yeah, those are good points. I'm going to test the above suggestions today. The thing about conventions, though, is that we have a few different completely isolated domains in different data centers, and my stretch goal involves setting up a bot in each one, with the "VEC_" prefix changing depending on the domain. There may be a better way of doing that, but I'm only setting up the one for now.

ChrisLGardner commented 5 years ago

Just drop the _ and it'll be the same and lets you (mostly) maintain that convention.

I'd usually advocate for using the .NET method for casing of acronyms too, which is that anything 3 letters or longer is done in mixed case, so VEC becomes Vec. It makes things more readable at a glance, usually, as it's easier to differentiate where the words change.
