pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Allow expires WebSession error to be catchable #397

Closed jbalcorn closed 2 years ago

jbalcorn commented 2 years ago

Describe the issue For a long running job, knowing if the PASSession is still valid. Get-PASSession doesn't tell you if the session is valid and calling anything with an invalid session causes an uncatchable error.

To Reproduce Steps to reproduce the behavior:

  1. New-PasSession
  2. Wait a while
  3. Call Get-PASAccount, even with -ErrorAction Stop
  4. uncatchable error

Expected behavior

            $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)
            if ($decision -eq 0) {
                try {
                    Write-Host "Checking to see if we can get account"
                    $accttodel = Get-PASAccount -search "$($caacct.address) $($caacct.username)" -ErrorAction Stop
                }
                catch {
                    if ($_.Exception.message -match "Run New-PASSession") {
                        Write-Host "Running New-PasSession"
                        New-PASSession -Credential $adcred -BaseURI "https://nasa54ms.firm.jonesday.net/"
                    }
                    else {
                        throw $_
                    }
                }
            }

Would allow us to recover from a timed out session

Screenshots & Console Output If applicable, add screenshots and/or console output to help explain your problem.

Code is actually as above

.\Check-DisabledServers.ps1

Account_System ServerName \ Administrator Not in AD.
Proceed with Deletion?
[Y] Yes  [N] No  [?] Help (default is "N"): y
Checking to see if we can get account
Invoke-PASRestMethod : [401] The session token is missing, invalid or expired.
At line:183 char:13
+ ...   $result = Invoke-PASRestMethod -Uri $URI -Method GET -WebSession $S ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: ({"ErrorCode":"P...d or expired."}:ErrorRecord) [Invoke-PASRestMethod], Ex
   ception
    + FullyQualifiedErrorId : PASWS006E,Invoke-PASRestMethod

Your Environment Include relevant details about your environment

pspete commented 2 years ago

The message text of the terminating error thrown if the auth token used has expired is "[401] The session token is missing, invalid or expired." $_.Exception.message -match "Run New-PASSession" will never equate to true in this scenario. $_.Exception.message -match "expired" should work? Otherwise, something similar to the below:

try{
    Get-PASAccount
}
Catch [System.Exception] {
    if($_.FullyQualifiedErrorId -eq "PASWS006E,Invoke-PASRestMethod"){"Token Expired"}else{throw $_}
}
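
A reusable form of the check suggested above, as an added example that is not part of the original thread or of psPAS: the hypothetical helper `Invoke-WithPASSessionRetry` keys on the error code in `FullyQualifiedErrorId` rather than on message text, and re-authenticates a bounded number of times. The helper name, its parameters and the `https://pvwa.example.com` URL are assumptions.

```powershell
# Added example: hypothetical helper, not part of psPAS.
function Invoke-WithPASSessionRetry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $BaseURI,
        [int] $MaxReauth = 1   # bound re-authentication so a bad credential cannot loop
    )

    $reauthCount = 0
    while ($true) {
        try {
            # Capture all output first so a failure midway does not emit partial results.
            $result = & $ScriptBlock
            return $result
        }
        catch {
            # FullyQualifiedErrorId has the form "<ErrorId>,<CommandName>",
            # e.g. "PASWS006E,Invoke-PASRestMethod" in the console output above.
            $errorCode = ($_.FullyQualifiedErrorId -split ',')[0]

            if ($errorCode -ne 'PASWS006E' -or $reauthCount -ge $MaxReauth) {
                throw   # not an expired token, or retry budget spent: rethrow unchanged
            }

            $reauthCount++
            Write-Verbose "Session token expired; re-authenticating ($reauthCount/$MaxReauth)"
            # A failed logon here throws out of the catch block and reaches the caller.
            New-PASSession -Credential $Credential -BaseURI $BaseURI | Out-Null
        }
    }
}

# Usage: placeholder URL; $caacct is the variable from the script in the issue.
$cred = Get-Credential
$account = Invoke-WithPASSessionRetry -Credential $cred -BaseURI 'https://pvwa.example.com' -ScriptBlock {
    Get-PASAccount -search "$($caacct.address) $($caacct.username)"
}
```
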

jbalcorn commented 2 years ago

Well, that was dumb. I was absolutely sure that I had tried this multiple times...and yet it appears that I had the right idea; it was just a dumb mistake that prevented it from working.

pspete commented 2 years ago

No problems, happens to us all sometimes 😀