pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Get-PASPlatform does not return full value of a property when the value contains semi-colons #302

Closed aaearon closed 4 years ago

aaearon commented 4 years ago

Your Environment

Expected Behaviour

Get-PASPlatform should return the full value for a property when the value contains semi-colons ;

Current Behaviour

When using Get-PASPlatform and one of the properties has a value that includes a semi-colon (for example, ConnectionCommand, ChangeCommand, ReconcileCommand for an Oracle platform), the semi-colon and everything afterwards is 'cut off.'

Possible Solution

Steps to Reproduce (for bug reports)

1. Create an Oracle platform. Set the ChangeCommand, ReconcileCommand, and ConnectionCommand properties to have values that include a semi-colon. For example:

ChangeCommand: alter user %USER% identified by "%NEWPASSWORD%" REPLACE "%OLDPASSWORD%";
ReconcileCommand: alter user %USER% identified by "%NEWPASSWORD%";
ConnectionCommand: Driver={Oracle in Ora12Client};Dbq=%ADDRESS%;Uid=%USER%;Pwd=%LOGONPASSWORD%;

2. $(Get-PASPlatform -PlatformID example).Details | Select-Object -Property ChangeCommand,ReconcileCommand,ConnectionCommand | Format-List

Sample Output

In PVWA image

via Get-PASPlatform

PS C:\wd> $EU.Details | Select-Object -Property ChangeCommand,ReconcileCommand,ConnectionCommand | Format-List

ChangeCommand     : alter user %USER% identified by "%NEWPASSWORD%" REPLACE "%OLDPASSWORD%"
ReconcileCommand  : alter user %USER% identified by "%NEWPASSWORD%"
ConnectionCommand : Driver={Oracle in Ora12Client}

PS C:\wd>

Context

pspete commented 4 years ago

Hi @aaearon

Thanks for the report. Please try the below to confirm if the missing data is returned when querying for the platform details outside of the psPAS module:

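# Run after normal psPAS authentication
# Reuse the authenticated psPAS session (base URI and web session)
$session = Get-PASSession
$platformName = "Example"
# Query the platform details endpoint directly, bypassing Get-PASPlatform
$url = "$($session.BaseURI)/API/Platforms/$platformName"
$data = Invoke-WebRequest -Uri $url -WebSession $session.WebSession -Method GET -UseBasicParsing
# Raw JSON body as returned by the API
$data.Content
# Parsed view of the Details property only
$data.Content | ConvertFrom-Json | Select-Object -ExpandProperty Details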

Please respond here if it is returned or not.

aaearon commented 4 years ago

Looks like this is a problem with the CyberArk API as I get the same result.

PS C:\wd> $data.Content | ConvertFrom-Json | select -ExpandProperty details

PolicyID                          : Example
PolicyName                        : Example
PolicyType                        : Regular
ImmediateInterval                 : 5
Interval                          : 720
MaxConcurrentConnections          : 3
AllowedSafes                      : .*
MinValidityPeriod                 : 60
ResetOveridesMinValidity          : Yes
ResetOveridesTimeFrame            : Yes
Timeout                           : 30
UnlockIfFail                      : No
UnrecoverableErrors               : 5001,5002,5003,5004,5005,5006,2117
MaximumRetries                    : 20
MinDelayBetweenRetries            : 360
DllName                           : PMODBC.dll
XMLFile                           : Yes
AllowManualChange                 : Yes
PerformPeriodicChange             : Yes
HeadStartInterval                 : 5
FromHour                          : -1
ToHour                            : -1
ChangeNotificationPeriod          : -1
DaysNotifyPriorExpiration         : 7
VFAllowManualVerification         : Yes
VFPerformPeriodicVerification     : Yes
VFFromHour                        : -1
VFToHour                          : -1
RCAllowManualReconciliation       : Yes
RCAutomaticReconcileWhenUnsynched : Yes
RCReconcileReasons                : 2114,2115,2106,2101,2118
RCFromHour                        : -1
RCToHour                          : -1
NFNotifyPriorExpiration           : No
NFPriorExpirationRecipients       :
NFNotifyOnPasswordDisable         : No
NFOnPasswordDisableRecipients     :
NFNotifyOnVerificationErrors      : No
NFOnVerificationErrorsRecipients  :
NFNotifyOnPasswordUsed            : No
NFOnPasswordUsedRecipients        :
PasswordLength                    : 25
MinUpperCase                      : 3
MinLowerCase                      : 3
MinDigit                          : 3
MinSpecial                        : 1
PasswordForbiddenChars            : %"!+'.,;<>?/()=´²³{}|µ@^[]$&\~*-#
Port                              : 1521
ChangeCommand                     : alter user %USER% identified by "%NEWPASSWORD%" REPLACE
                                    "%OLDPASSWORD%"
ReconcileCommand                  : alter user %USER% identified by "%NEWPASSWORD%"
ConnectionCommand                 : Driver={Oracle in Ora12Client}
Debug                             : Yes
ChangePasswordInResetMode         : Yes
CommandForbiddenCharacters        : '\/@".{}() -;|*>~!^#
CommandBlackList                  : delete,drop,exec
OneTimePassword                   : Nein
ExpirationPeriod                  : 30
VFVerificationPeriod              : 1
PasswordLevelRequestTimeframe     : Nein

PS C:\wd>

pspete commented 4 years ago

Reproduced here also (version 11.5). Still a valuable report for the module; additional detail can be added to the psPAS docs relating to this behaviour. Thanks for taking the time to create the issue 👍

Opening a support case with the vendor via your usual channels may help. The API in question: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/GetPlatformDetails.htm

Other API endpoints for getting platform details are available (accessed via different parameters of Get-PASPlatform), but they do not provide the ChangeCommand, ReconcileCommand or ConnectionCommand properties discussed in this thread.

pspete commented 4 years ago

psPAS 4.3 has just been released - the docs & help text now note the behaviour reported in this issue.

pspete commented 4 years ago

Closing as the issue cannot currently be resolved with any changes to psPAS
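
A check for the truncation discussed in this thread, as an added example that is not part of the original comments or the psPAS module: it compares the Details returned by the API with values the operator supplies (for instance copied from the PVWA platform editor) and flags any property whose returned value is the expected value cut off at a semi-colon. `Find-TruncatedPlatformValue` is a hypothetical helper name, and the sample objects are constructed from the values quoted in the issue.

```powershell
# Added example (not psPAS code). Find-TruncatedPlatformValue is a hypothetical helper.
function Find-TruncatedPlatformValue {
    [CmdletBinding()]
    param(
        # Details object, e.g. (Get-PASPlatform -PlatformID example).Details
        [Parameter(Mandatory)] [psobject] $Details,
        # Property name -> value the operator expects (assumption: taken from PVWA)
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    foreach ($name in $Expected.Keys) {
        $want = [string]$Expected[$name]
        $prop = $Details.PSObject.Properties[$name]
        $got  = if ($prop) { [string]$prop.Value } else { $null }

        # Truncation signature from this issue: the returned value is a prefix of
        # the expected value, and the first dropped character is a semi-colon.
        $status = if ($null -eq $got) { 'Missing' } `
            elseif ($got -ceq $want) { 'Match' } `
            elseif ($want.StartsWith($got + ';', [StringComparison]::Ordinal)) { 'TruncatedAtSemicolon' } `
            else { 'Different' }

        [pscustomobject]@{
            Property = $name
            Status   = $status
            Returned = $got
            Dropped  = if ($status -eq 'TruncatedAtSemicolon') { $want.Substring($got.Length) } else { $null }
        }
    }
}

# Constructed sample: what the API returned in the issue (subset of properties)
$details = [pscustomobject]@{
    Port              = '1521'
    ReconcileCommand  = 'alter user %USER% identified by "%NEWPASSWORD%"'
    ConnectionCommand = 'Driver={Oracle in Ora12Client}'
}
# Constructed sample: the values configured on the platform in the issue
$expected = @{
    Port              = '1521'
    ReconcileCommand  = 'alter user %USER% identified by "%NEWPASSWORD%";'
    ConnectionCommand = 'Driver={Oracle in Ora12Client};Dbq=%ADDRESS%;Uid=%USER%;Pwd=%LOGONPASSWORD%;'
}

Find-TruncatedPlatformValue -Details $details -Expected $expected |
    Sort-Object Property | Format-Table -AutoSize -Wrap
```

A `TruncatedAtSemicolon` row means the API output for that property should not be used as the source for a platform backup, diff or migration.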