vmware / power-validated-solutions-for-cloud-foundation

PowerShell Module for VMware Validated Solutions
https://vmware.github.io/power-validated-solutions-for-cloud-foundation/
BSD 2-Clause "Simplified" License
45 stars, 24 forks

Add support for requesting Aria Operations token for service account AD user. #598

Closed bhumitra closed 1 week ago

bhumitra commented 6 months ago

VMware Cloud Foundation: 5.1
Module Version: 2.9
PowerShell Version: 7.2
PowerCLI Version: v13.1.0
PowerVCF Version: 2.4.1
Guest Operating System: Windows Server 2019
Environment Details: No response

Description

The current implementation of the function Test-vROPSAuthentication, which calls Request-vROPSToken, uses the LOCAL authSource when generating the authentication JSON.

    $body = "{
    `n  `"username`" : `"$username`",
    `n  `"authSource`" : `"LOCAL`",
    `n  `"password`" : `"$password`"
    `n}"

This needs to be parameterized so that vIDMAuthSource can be used for an AD user.

    $body = "{
    `n  `"username`" : `"$username`",
    `n  `"authSource`" : `"vIDMAuthSource`",
    `n  `"password`" : `"$password`"
    `n}"

Test-vROPSAuthentication fails if we try to authenticate with an AD user, e.g. if the username is svc-hrm-vrops@sfo.rainpole.io it won't work with the LOCAL authSource.

Error or Debug Output

Test-vROPSAuthentication: Unable to obtain access token from VMware Aria Operations (xint-vrops01.rainpole.io), check credentials: PRE_VALIDATION_FAILED

Expected Behavior

User should be able to authenticate.

Actual Behavior

NA

Steps to Reproduce

Run Test-vROPSAuthentication

Log Fragments and Files

No response

Screenshots

No response

References

No response

tenthirtyam commented 6 months ago

Could we do this?

Function Request-vROPSToken {
    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$fqdn,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$username,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$password,
        [Parameter (Mandatory = $false)] [ValidateSet("LOCAL", "vIDMAuthSource")] [String]$authSource = "LOCAL"
    )

    if ( -not $PsBoundParameters.ContainsKey("username") -or ( -not $PsBoundParameters.ContainsKey("password"))) {
        $creds = Get-Credential # Request Credentials
        $username = $creds.UserName.ToString()
        $password = $creds.GetNetworkCredential().password
    }

    Try {
        $Global:vropsAppliance = $fqdn
        $Global:vropsHeaders = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
        $vropsHeaders.Add("Accept", "application/json")
        $vropsHeaders.Add("Content-Type", "application/json")
        $uri = "https://$vropsAppliance/suite-api/api/auth/token/acquire"
        $body = "{
        `n  `"username`" : `"$username`",
        `n  `"authSource`" : `"$authSource`",
        `n  `"password`" : `"$password`"
        `n}"
        if ($PSEdition -eq 'Core') {
            $vropsResponse = Invoke-RestMethod -Uri $uri -Method 'POST' -Headers $vropsHeaders -Body $body -SkipCertificateCheck # PS Core has -SkipCertificateCheck implemented, PowerShell 5.x does not
        } else {
            $vropsResponse = Invoke-RestMethod -Uri $uri -Method 'POST' -Headers $vropsHeaders -Body $body
        }
        if ($vropsResponse.token) {
            $vropsHeaders.Add("Authorization", "vRealizeOpsToken " + $vropsResponse.token)
            Write-Output "Successfully connected to VMware Aria Operations: $vropsAppliance"
        }
    } Catch {
        Write-Error $_.Exception.Message
    }
}

And then:

Function Test-vROPSAuthentication {
    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $false)] [ValidateSet("LOCAL", "vIDMAuthSource")] [String]$authSource = "LOCAL"
    )

    Remove-Item variable:vropsHeaders -Force -Confirm:$false -ErrorAction Ignore

    Try {
        Request-vROPSToken -fqdn $server -username $user -password $pass -authSource $authSource | Out-Null
        if ($vropsHeaders.Authorization) {
            $vropsAuthentication = $True
            Return $vropsAuthentication
        } else {
            Write-Error "Unable to obtain access token from VMware Aria Operations ($server), check credentials: PRE_VALIDATION_FAILED"
            $vropsAuthentication = $False
            Return $vropsAuthentication
        }
    } Catch {
        # Do Nothing
    }
}

That may address the requirement with no breaking changes.
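Added example (not the module's code and not part of the proposal above): the same token request with the authSource parameter, but with the JSON body built by ConvertTo-Json instead of string interpolation, so a password containing a quote or backslash cannot produce an invalid (or differently structured) body, the password arrives as a PSCredential, and -SkipCertificateCheck is opt-in rather than always on. Function names, the PSCredential interface and the demo password are assumptions; the endpoint, field names and the vRealizeOpsToken header scheme are those used on this page.

```powershell
# Added example, not project code. Builds the Aria Operations token request
# body from an ordered hashtable; ConvertTo-Json escapes embedded quotes and
# backslashes that the hand-built string in the issue would pass through raw.
function New-vROPSAuthBody {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory = $false)] [ValidateSet("LOCAL", "vIDMAuthSource")] [String]$AuthSource = "LOCAL"
    )
    return [ordered]@{
        username   = $Credential.UserName
        authSource = $AuthSource
        password   = $Credential.GetNetworkCredential().Password
    } | ConvertTo-Json -Compress
}

# Assumed wrapper: acquires the token and returns the headers instead of
# storing them in a global; certificate checking is skipped only on request.
function Request-vROPSTokenSafe {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)] [String]$Fqdn,
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory = $false)] [ValidateSet("LOCAL", "vIDMAuthSource")] [String]$AuthSource = "LOCAL",
        [Parameter(Mandatory = $false)] [Switch]$SkipCertificateCheck
    )
    $params = @{
        Uri         = "https://$Fqdn/suite-api/api/auth/token/acquire"
        Method      = 'POST'
        Body        = New-vROPSAuthBody -Credential $Credential -AuthSource $AuthSource
        ContentType = 'application/json'
        Headers     = @{ Accept = 'application/json' }
    }
    # -SkipCertificateCheck exists only in PowerShell Core, as the issue notes.
    if ($SkipCertificateCheck -and $PSEdition -eq 'Core') { $params['SkipCertificateCheck'] = $true }
    $response = Invoke-RestMethod @params
    if (-not $response.token) { throw "No token returned by $Fqdn (authSource=$AuthSource)" }
    return @{
        Accept          = 'application/json'
        'Content-Type'  = 'application/json'
        Authorization   = "vRealizeOpsToken $($response.token)"
    }
}

# Constructed demo (offline): the AD account from the issue with a password
# containing a quote and a backslash; the body stays valid JSON.
$demoCred = [pscredential]::new('svc-hrm-vrops@sfo.rainpole.io',
    (ConvertTo-SecureString 'p@ss"w\ord' -AsPlainText -Force))
New-vROPSAuthBody -Credential $demoCred -AuthSource vIDMAuthSource
```

Against a live appliance, `Request-vROPSTokenSafe -Fqdn xint-vrops01.rainpole.io -Credential $demoCred -AuthSource vIDMAuthSource` returns the header set to splat into later Invoke-RestMethod calls.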