search

pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License
287 stars 90 forks source link

Set-PASSafe replaces non-defined values #395

Closed redboyhun closed 2 years ago

redboyhun commented 2 years ago

Set-PASSafe is overwriting safe parameters which are not defined for the command with empty values

> Get-PASSafe -SafeName MySafe1212

SafeName                    ManagingCPM      NumberOfDaysRetention NumberOfVersionsRetention Description
--------                    -----------      --------------------- ------------------------- -----------
MySafe1212                  CPM1             90                                              MySafe1212

> Set-PASSafe -SafeName MySafe1212 -NumberOfVersionsRetention 15

SafeName                    ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention Description
--------                    ----------- --------------------- ------------------------- -----------
MySafe1212                                                    15

> Get-PASSafe -SafeName MySafe1212

SafeName                    ManagingCPM      NumberOfDaysRetention NumberOfVersionsRetention Description
--------                    -----------      --------------------- ------------------------- -----------
MySafe1212                  CPM1                                   15                      MySafe1212

> Set-PASSafe -SafeName MySafe1212 -NumberOfVersionsRetention 15 -Description MySafe1212

SafeName                    ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention Description
--------                    ----------- --------------------- ------------------------- -----------
MySafe1212                                                    15                        MySafe1212

> Set-PASSafe -SafeName MySafe1212 -NumberOfVersionsRetention 15 -Description MySafe1212 -ManagingCPM CPM1

SafeName                    ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention Description
--------                    ----------- --------------------- ------------------------- -----------
MySafe1212                  CPM1                              15                        MySafe1212

My expectation is that non-defined values won't be replaced by "null" or "whitespace".

Environment:

pspete commented 2 years ago

The Update Safe API uses PUT requests, which would usually require all properties to be specified.

Consider piping the required data in from the existing object:

> Get-PASSafe -SafeName MySafe1212

SafeName                    ManagingCPM      NumberOfDaysRetention NumberOfVersionsRetention Description
--------                    -----------      --------------------- ------------------------- -----------
MySafe1212                  CPM1             90                                              MySafe1212

> Get-PASSafe -SafeName MySafe1212 | Set-PASSafe -NumberOfVersionsRetention 15

SafeName                    ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention Description
--------                    ----------- --------------------- ------------------------- -----------
MySafe1212                  CPM1                              15                        MySafe1212

You can test the API manually to confirm that the same behaviour is exhibited when not using the module, hence no fix to be applied to the module's code: https://pspas.pspete.dev/docs/troubleshooting/#manual-api-command-testing