vmware / PowerCLI-Example-Scripts

http://blogs.vmware.com/powercli

PowerShell Module for managing VMware vSphere SSO Admin functionality #386

Closed dmilov closed 3 years ago

dmilov commented 3 years ago

Testing done:

.\build.ps1 -TestVc 10.23.80.118 -TestVcUser 'administrator@vsphere.local' -TestVcPassword 'Admin!23'
[4:02:39 PM] INFO: Test build tools are available
[4:02:39 PM] INFO: Build
Microsoft (R) Build Engine version 16.7.0+7fb82e5b2 for .NET
Copyright (C) Microsoft Corporation. All rights reserved.

Determining projects to restore...
All projects are up-to-date for restore.
VMware.vSphere.SsoAdmin.Utils -> C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\VMware.vSphere.SsoAdmin.Client\VMware.vSphere.SsoAdmin.Utils\bin\Release\net45\VMware.vSphere.SsoAdmin.Utils.dll
VMware.vSphere.LsClient -> C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\VMware.vSphere.SsoAdmin.Client\VMware.vSphere.LsClient\bin\Release\net45\VMware.vSphere.LsClient.dll
VMware.vSphere.SsoAdminClient -> C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\VMware.vSphere.SsoAdmin.Client\VMware.vSphere.SsoAdminClient\bin\Release\net45\VMware.vSphere.SsoAdminClient.dll
VMware.vSphere.SsoAdmin.Utils -> C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\VMware.vSphere.SsoAdmin.Client\VMware.vSphere.SsoAdmin.Utils\bin\Release\netcoreapp2.0\VMware.vSphere.SsoAdmin.Utils.dll
VMware.vSphere.LsClient -> C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\VMware.vSphere.SsoAdmin.Client\VMware.vSphere.LsClient\bin\Release\netcoreapp2.0\VMware.vSphere.LsClient.dll
VMware.vSphere.SsoAdminClient -> C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\VMware.vSphere.SsoAdmin.Client\VMware.vSphere.SsoAdminClient\bin\Release\netcoreapp2.0\VMware.vSphere.SsoAdminClient.dll
VMware.vSphere.SsoAdminClient.Tests -> C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\VMware.vSphere.SsoAdmin.Client\VMware.vSphere.SsoAdminClient.Tests\bin\Release\netcoreapp3.1\VMware.vSphere.SsoAdminClient.Tests.dll

Build succeeded.
0 Warning(s)
0 Error(s)

Time Elapsed 00:00:06.69
[4:02:47 PM] INFO: Publish binaries to 'C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin'
[4:02:47 PM] INFO: Run VC integration tests
Executing all tests in 'C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\test'

Executing script C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\test\ConnectDisconnect.Tests.ps1

Describing Connect-SsoAdminServer and Disconnect-SsoAdminServer Tests

Context Connect-SsoAdminServer
  [+] Connect-SsoAdminServer returns SsoAdminServer object and updates DefaultSsoAdminServers variable 1.15s
  [+] Connect-SsoAdminServer throws error on invalid password 253ms
  [+] Connect-SsoAdminServer throws error on invalid Tls Certificate 83ms

Context Disconnect-SsoAdminServer
  [+] Diconnect-SsoAdminServer removes server from DefaultSsoAdminServers and makes the object not connected 297ms
  [+] Disconnects disconnected object 312ms

Executing script C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\test\Group.Tests.ps1

Describing Get-Group Tests

Context Get-Group
  [+] Gets groups without filters 885ms
  [+] Gets groups for default domain 488ms

Executing script C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\test\LockoutPolicy.Tests.ps1

Describing LockoutPolicy Tests

Context Get-LockoutPolicy
  [+] Gets lockout policy 429ms

Context Set-LockoutPolicy
  [+] Updates lockout policy AutoUnlockIntervalSec and MaxFailedAttempts 1.5s

Executing script C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\test\LsClient.Tests.ps1

Describing Lookup Service Client Integration Tests

Context Retrieval of Service API Url
  [+] Gets SsoAdmin API Url 86ms
  [+] Gets STS API Url 47ms

Executing script C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\test\PasswordPolicy.Tests.ps1

Describing PasswordPolicy Tests

Context Get-PasswordPolicy
  [+] Gets password policy 365ms

Context Set-PasswordPolicy
  [+] Updates password policy MaxLength and PasswordLifetimeDays 633ms
  [+] Updates password policy Description and MinUppercaseCount 488ms

Executing script C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\test\PersonUser.Tests.ps1

Describing PersonUser Tests

Context New-PersonUser
  [+] Creates person user with details 1.27s
  [+] Creates person user without details 402ms

Context Get-PersonUser
  [+] Gets person users without filters 353ms
  [+] Gets person users by name (exact match) and domain filters 511ms
  [+] Gets person users by name (* wildcard match) and domain filters 487ms
  [+] Gets person users by name (? wildcard match) and domain filters 560ms
  [+] Gets person users by unexisting name does not return 405ms

Context Set-PersonUser
  [+] Adds person user to group 462ms
  [+] Removes person user from group 478ms
  [+] Resets person user password 406ms
  [+] Unlocks not locked person user 428ms

Context Remove-PersonUser
  [+] Removes person user 450ms

Executing script C:\git-repos\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\src\test\TokenLifetime.Tests.ps1

Describing TokenLifetime Tests

Context Get-TokenLifetime
  [+] Gets token lifetime settings 409ms

Context Set-TokenLifetime
  [+] Updates MaxHoKTokenLifetime and MaxBearerTokenLifetime 815ms

Tests completed in 20.4s
Tests Passed: 28, Failed: 0, Skipped: 0, Pending: 0, Inconclusive: 0

kmruddy commented 3 years ago

Couple things I've noticed so far...

Password input is in plaintext:

PS /Users/kruddy> Connect-VIServer vcsa.fqdn

Specify Credential
Please specify server credential
User: kruddy@prob.local
Password for user kruddy@prob.local: ****************
PS /Users/kruddy> Connect-SsoAdminServer vcsa.fqdn

cmdlet Connect-SsoAdminServer at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
User: kruddy@prob.local
Password: asdfasdfasdfasdf

The Get-Group cmdlet might be a little too generic, as it's referenced 18 times in the PSGallery currently, perhaps look at using Get-SSOGroup?

I'm also finding exceptions when using Get-Group for both localos and domain-based responses:

PS /Users/kruddy> Get-Group
PropertyNotFoundException: /Users/kruddy/.local/share/powershell/Modules/VMware.vSphere.SsoAdmin/VMware.vSphere.SsoAdmin.psm1:671
Line |
 671 |           if (-not $connection.IsConnected) {
     |               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The property 'IsConnected' cannot be found on this object. Verify that the property exists.

PropertyNotFoundException: /Users/kruddy/.local/share/powershell/Modules/VMware.vSphere.SsoAdmin/VMware.vSphere.SsoAdmin.psm1:676
Line |
 676 |           foreach ($group in $connection.Client.GetGroups(
     |                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The property 'Client' cannot be found on this object. Verify that the property exists.

Name                    Domain
----                    ------
admin                   localos
...

dmilov commented 3 years ago

Thanks Kyle,

  1. I'm going to fix credentials input.
  2. Having a prefix for all cmdlets is probably a better idea. I'll add the 'Sso' prefix to all functions.
  3. The errors are related to the $defaultSsoAdminServer variable update. By design, Domain in the Get-Group function is mandatory, but the default is 'localos'. Localos is well known and that's why it is chosen as the default value. The API doesn't allow listing all the domains; that's why Domain is mandatory.
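
A mandatory `[string]` parameter is prompted as ordinary text, which matches the echoed `Password:` line in the transcript above, while `PSCredential` and `SecureString` parameters get a masked prompt. The following is an added example, not part of this thread or of the module's code; the function names, the `-LoginAction` parameter and the sample values are hypothetical.

```powershell
# Added illustration: all function and parameter names here are hypothetical
# and are not the VMware.vSphere.SsoAdmin code.

# Weak form: a mandatory [string] password. When it is omitted, the host
# prompts for it as ordinary text and echoes what is typed.
function Connect-ExampleWeak {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Password
    )
    [pscustomobject]@{ Server = $Server; User = $User }
}

# Hardened form: the secret is only accepted as PSCredential or SecureString,
# so the prompt for a missing value is masked by the host.
function Connect-ExampleHardened {
    [CmdletBinding(DefaultParameterSetName = 'Credential')]
    param(
        [Parameter(Mandatory, Position = 0)] [string] $Server,
        [Parameter(Mandatory, ParameterSetName = 'Credential')]
        [System.Management.Automation.PSCredential] $Credential,
        [Parameter(Mandatory, ParameterSetName = 'UserPassword')] [string] $User,
        [Parameter(Mandatory, ParameterSetName = 'UserPassword')]
        [System.Security.SecureString] $Password,
        # Hypothetical stand-in for the real login call (user, clear password).
        [scriptblock] $LoginAction = { param($u, $p) $p.Length -gt 0 }
    )
    if ($PSCmdlet.ParameterSetName -eq 'UserPassword') {
        $Credential = [System.Management.Automation.PSCredential]::new($User, $Password)
    }
    # Decrypt only at the call that needs the clear value; keep it out of the
    # returned object and of verbose/debug output.
    $ok = & $LoginAction $Credential.UserName $Credential.GetNetworkCredential().Password
    [pscustomobject]@{ Server = $Server; User = $Credential.UserName; IsConnected = [bool]$ok }
}

# Interactive check: omit the secret and the prompt is masked in both sets.
#   Connect-ExampleHardened vcsa.example.test
#   Connect-ExampleHardened vcsa.example.test -User user@example.test

# Non-interactive run with a constructed sample secret (demo value only).
$secure = ConvertTo-SecureString 'constructed-sample' -AsPlainText -Force
Connect-ExampleHardened -Server 'vcsa.example.test' -User 'user@example.test' -Password $secure
```

On non-Windows platforms `SecureString` is not encrypted in memory, so this addresses the echoed prompt rather than in-memory exposure.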