thycotic-ps / thycotic.secretserver

PowerShell module for automating with Thycotic Secret Server REST API
https://thycotic-ps.github.io/thycotic.secretserver
MIT License

Update-SecretDependency #232

Closed lohash closed 1 year ago

lohash commented 3 years ago

Summarize Functionality

This is much needed as there is no option to edit dependencies in the GUI currently.

Endpoint

POST /secret-dependencies

Additional Details

Very similar to creating a dependency but with some different args. The settings and dependencyTemplate args have tripped me up thus far as to how to successfully POST them as objects.

Is there a command that is similar or close to what you are looking for?

Yes

Technical Details

Not your code obviously but to give you an idea of what I tried, I used the "Create a Secret" example from https://thycotic.force.com/support/s/article/REST-API-PowerShell-Scripts-Getting-Started and modified the endpoint, etc. to try and update an existing dependency to run as a different privileged account:

try
{
    $site = "https://URL"
    $api = "$site/api/v1"

    $creds = @{
        username = "user"
        password = "password"
        grant_type = "password"
    }

    $token = ""

    $response = Invoke-RestMethod "$site/oauth2/token" -Method Post -Body $creds
    $token = $response.access_token;

    Write-Host $token

    $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
    $headers.Add("Authorization", "Bearer $token")

    #get
    $dependencyId = 13531
    $dependency = Invoke-RestMethod $api"/secret-dependencies/$dependencyId/" -Headers $headers

    #modify
    $timestamp = Get-Date

    $dependency.privilegedAccountSecretId = 1867
    $dependency.secretName = 'privileged account name'

    $dependencyArgs = $dependency | ConvertTo-Json

    #update
    Write-Host ""
    Write-Host "-----Update secret -----"

    $dependency = Invoke-RestMethod $api"/secret-dependencies/$dependencyId/" -Method Put -Body $dependencyArgs -Headers $headers -ContentType "application/json"

    $dependencyUpdate = $dependency | ConvertTo-Json
    Write-Host $dependencyUpdate
}
catch [System.Net.WebException]
{
    Write-Host "----- Exception -----"
    Write-Host  $_.Exception
    Write-Host  $_.Exception.Response.StatusCode
    Write-Host  $_.Exception.Response.StatusDescription
    $result = $_.Exception.Response.GetResponseStream()
    $reader = New-Object System.IO.StreamReader($result)
    $reader.BaseStream.Position = 0
    $reader.DiscardBufferedData()
    $responseBody = $reader.ReadToEnd()

    Write-Host $responseBody 
}

But I get the following error:

Invoke-RestMethod : {
  "message": "The request is invalid.",
  "modelState": {
    "args.settings[0].setting": [
      "An error has occurred."
    ],
    "args.dependencyTemplate.dependencyScanItemFields[0]": [
      "An error has occurred."
    ],
    "args.dependencyTemplate.dependencyScanItemFields[1]": [
      "An error has occurred."
    ]
  }
}

I tried also creating a PSobject with only the fields I want to change and just PUT'ing that, which gives Access Denied errors.
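Added example (not part of the original post and not the module's code): `ConvertTo-Json` serializes only two levels of nesting by default and turns anything deeper into a string, and the three paths in the `modelState` error above all sit one level below that. The object here is constructed to match those paths; its inner property names (`name`, `value`, `id`) and the helper `Test-NestedObjectsSurvive` are assumptions, not the real Secret Server schema.

```powershell
# Constructed sample: same nesting as the paths in the modelState error.
# Inner property names are placeholders, not the real dependency schema.
$dependency = [pscustomobject]@{
    id                        = 13531
    privilegedAccountSecretId = 1867
    settings                  = @(
        [pscustomobject]@{ setting = [pscustomobject]@{ name = 'n'; value = 'v' } }
    )
    dependencyTemplate        = [pscustomobject]@{
        dependencyScanItemFields = @(
            [pscustomobject]@{ id = 1; name = 'field1' },
            [pscustomobject]@{ id = 2; name = 'field2' }
        )
    }
}

function Test-NestedObjectsSurvive {
    # Hypothetical helper: parses the JSON back and returns $true only if the
    # three paths from the error are still objects rather than flattened strings.
    param([Parameter(Mandatory)][string]$Json)
    $o = $Json | ConvertFrom-Json
    ($o.settings[0].setting -isnot [string]) -and
    ($o.dependencyTemplate.dependencyScanItemFields[0] -isnot [string]) -and
    ($o.dependencyTemplate.dependencyScanItemFields[1] -isnot [string])
}

# Default depth (2): objects at the third level are written out as strings.
# PowerShell 7 warns about the truncation; Windows PowerShell 5.1 is silent.
$shallow = $dependency | ConvertTo-Json -WarningAction SilentlyContinue

# Explicit depth: the nested objects are serialized as JSON objects.
$deep = $dependency | ConvertTo-Json -Depth 10

Write-Host "Default depth keeps nested objects: $(Test-NestedObjectsSurvive $shallow)"
Write-Host "-Depth 10 keeps nested objects:     $(Test-NestedObjectsSurvive $deep)"

# What the server would receive for settings[0] in each case.
Write-Host "Default depth: $(($shallow | ConvertFrom-Json).settings[0] | ConvertTo-Json -Compress)"
Write-Host "-Depth 10:     $(($deep | ConvertFrom-Json).settings[0] | ConvertTo-Json -Compress)"
```

In the script above, the corresponding change would be passing `-Depth` to the `ConvertTo-Json` call that builds `$dependencyArgs`; the page does not confirm whether that alone makes the PUT succeed.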

wsmelton commented 3 years ago

> This is much needed as there is no option to edit dependencies in the GUI currently.

You can fully edit Secret Dependencies via the GUI if you have the proper access/role permission.

lohash commented 3 years ago

I’m an Admin and can’t do anything except Delete, Run, etc. There is no Edit option. Is there a permission missing from the default Admin role?

On Aug 29, 2021 at 4:58 PM, <Shawn Melton @.***)> wrote:

> > This is much needed as there is no option to edit dependencies in the GUI currently.
>
> You can fully edit Secret Dependencies via the GUI if you have the proper access/role permission.


wsmelton commented 3 years ago

You have to be editor or owner on the secret or you cannot edit any dependency. The RBAC is acknowledged for the REST API as well.

lohash commented 3 years ago

I am an Owner of the secrets in question. Just discovered the 3 dot menu that was hidden before I hovered over it lol. So perms aren't an issue on the API end, I'm assuming I just wasn't doing something correctly with those objects.

wsmelton commented 3 years ago

A bug has been identified in this endpoint. Pending that being fixed, this command will be added. You can verify or test using the codebase in the branch thycotic-ps/thycotic.secretserver:secretpolicy-updatecmd