search

thycotic-ps / thycotic.secretserver

PowerShell module for automating with Thycotic Secret Server REST API
https://thycotic-ps.github.io/thycotic.secretserver
MIT License
68 stars 22 forks source link

New-TssSecretDependency Errors #322

Closed jbeavers93 closed 1 year ago

jbeavers93 commented 1 year ago

Verified issue does not already exist?

Yes

What error did you receive

When trying to add a dependency to a secret, I'm unable to get the command to work. However, I am able to create it using the REST API. My testing is almost an exact match to the example found in the link below.

https://thycotic-ps.github.io/thycotic.secretserver/commands/secret-dependencies/New-TssSecretDependency.html

When using the sdk command to generate a dependency stub object, I believe there is an error with the object that gets created. Specifically, the $dependentStub.Settings object.

When reviewing the source code for 'New-TssSecretDependency', I do see two potential issues. The first is related to the variables defined. In Line36 of the code, the param gets passed as '$DependencyStub' but in Line50, it gets called as $SecretDependencyStub. I believe this causes the body of the api call to not be populated, to the object is empty. The second issue is on Line50 as well. By default, PowerShell v5.1's ConverTo-Json function only has a default depth of 2. This causes the body of the object to not be fully converted to json if 'RunScript' arguments are passed in the dependency object. In PowerShell v7, the default depth is 1024 so it's not an issue. The code should be probably be updated to account for v5.1 clients since they are supported via the PSGallery page.

The attached errors are related to the unaltered source code.

However, I do receive a completely different error when using an altered version of the source code. When using the altered version of the source code, I create my own dependency stub object due to the errors with $dependentStub.Settings object. When using a custom created [Thycotic.PowerShell.SecretDependencies.Dependency] object, without specifying the 'Settings' field of the object, I do not encounter any issues with object creation. The same script provided will run and create the objects correct but provide a very generic, incorrect error.

C:\Program Files\WindowsPowerShell\Modules\Thycotic.SecretServer\0.60.8\parts\ProcessResponse.ps1 : {
  "errorCode": "API_GenericException",
  "message": "Access Denied"
}

Please run the command using -Verbose

VERBOSE: Command invocation: Get-TssSecretDependencyStub -TssSession:TssSessionObject -SecretId:TssSessionObject -ScriptId:TssSessionObject -Type:PowerShell -Verbose:True
VERBOSE: Performing the operation GET https://delinea.delinealab.com/SecretServer/api/v1/secret-dependencies/stub?secretId=38&scriptId=14&typeId=7
VERBOSE: Command invocation: New-TssSecretDependency -TssSession:TssSessionObject -DependencyStub:TssSessionObject -Verbose:True
VERBOSE: Performing the operation POST https://delinea.delinealab.com/SecretServer/api/v1/secret-dependencies with:

VERBOSE: Performing the operation "POST https://delinea.delinealab.com/SecretServer/api/v1/secret-dependencies with " on target "".
C:\Program Files\WindowsPowerShell\Modules\Thycotic.SecretServer\0.60.8\parts\ProcessResponse.ps1 :
At C:\Program Files\WindowsPowerShell\Modules\Thycotic.SecretServer\0.60.8\functions\secret-dependencies\New-TssSecretDependency.ps1:56 char:33
+                 $restResponse = . $ProcessResponse $apiResponse
+                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (https://delinea...et-dependencies:String) [ProcessResponse.ps1], Exception
    + FullyQualifiedErrorId : ResultError,ProcessResponse.ps1

Provide a test case or steps to reproduce

$token = tss token
$session = New-TssSession -SecretServer https://delinea.delinealab.com/SecretServer/ -AccessToken $token
$dependentStub = Get-TssSecretDependencyStub -TssSession $session -SecretId 38 -ScriptId 14 -Type 'PowerShell' -Verbose
New-TssSecretDependency -TssSession $session -DependencyStub $dependentStub -Verbose
Close-TssSession -TssSession $session

Expected behavior

The expected behavior is a very generic dependency to be created on the secret. I would then use this successful call to generate more detailed calls for production use.

What Edition of Secret Server?

Professional

What version of Secret Server

11.0

What PowerShell host was used when producing this error

Windows PowerShell (powershell)

PowerShell Host Version

Name                           Value
----                           -----
PSVersion                      5.1.17763.316
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.316
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
tylerezimmerman commented 1 year ago

@jbeavers93 we just released a new version of the plug-in, can you confirm if this issue still exists?

jbeavers93 commented 1 year ago

It looks like the issue still exists:

At C:\Program Files\WindowsPowerShell\Modules\Thycotic.SecretServer\0.60.9\functions\secret-dependencies\New-TssSecretDependency.ps1:56 char:33
+                 $restResponse = . $ProcessResponse $apiResponse
+                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (https://delinea...et-dependencies:String) [ProcessResponse.ps1], Exception
    + FullyQualifiedErrorId : ResultError,ProcessResponse.ps1

My best guess so far is that the line of code $invokeParams.Body = ($SecretDependencyStub | ConvertTo-Json) is somehow causing issues, found in New-TssSecretDependency.ps1. The default depth of 2 in powershell 5.1 and the $SecretDependencyStub object not matching the param $DependencyStub being passed to function being the likely culprits.

If I update the line to be $invokeParams.Body = ($DependencyStub | ConvertTo-Json -Depth 99), I receive a new error. This one being related to the dependency stub object that is created beforehand. I'm thinking it's not being converted to json correctly. I'm not entirely sure why the .Settings property is causing an issue, so maybe something related to when the object is created?

C:\Program Files\WindowsPowerShell\Modules\Thycotic.SecretServer\0.60.9\parts\ProcessResponse.ps1 : {
  "message": "The request is invalid.",
  "modelState": {
    "args.Settings[0].Setting": [
      "An error has occurred."
    ]
  }
}
At C:\Program Files\WindowsPowerShell\Modules\Thycotic.SecretServer\0.60.9\functions\secret-dependencies\New-TssSecretDependency.ps1:56 char:33
+                 $restResponse = . $ProcessResponse $apiResponse
+                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (https://delinea...et-dependencies:String) [ProcessResponse.ps1], Exception
    + FullyQualifiedErrorId : ResultError,ProcessResponse.ps1
tylerezimmerman commented 1 year ago

This will be resolved in the next Module release.