diff --git a/RELEASE.md b/RELEASE.md
index ef8c9e77..6a268ccf 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -1,11 +1,2 @@
-- Add `Set-VcCertificateRequest` to approve requests. Optionally, use `-Wait` for the certificate to be issued and certificate details to be available.
-- Add `Initialize-PSSodium -Force` to force installation of the module if it doesn't exist. This is used by the new parameters `Export-VcCertificate -Force`, `Import-VcCertificate -Force`, `New-VcMachine -Force`, `New-VcMachineCommonKeystore -Force`, and `New-VcMachineIis -Force`.
-- Update `New-VcCertificate` to retrieve default validity date from the issuing template instead of a set 90 days
-- Fix `Find-VdcCertificate -CountOnly` error [#309](https://github.com/Venafi/VenafiPS/issues/309)
-- Updates to better facilitate moving certificates/keys between environments.
- - Update `Export-VcCertificate -PKCS12` to allow exporting to base64 in addition to a file.
- - Add standard names for Format in return objects in TLSPC and TLSPDC.
- - Add PrivateKeyPasswordCredential in return objects to keep from having to provide again further down the pipeline
-- Add `Invoke-VcGraphQL` for queries and mutations. This isn't used for too much as of now, but the framework is here for when it's needed.
-- Update `Get-VcData` to use `Invoke-VcGraphQL` for Application and Team id and names. Quite often we are just converting names into IDs so graphql should give us a performance bump as opposed to the REST api.
-- Deprecated `Add-VcCertificateAssociation`
+- Update `New-VcCertificate -IssuingTemplate` to allow an alias to be provided, [#313](https://github.com/Venafi/VenafiPS/issues/313). `-IssuingTemplate` is now also optional if the application only has 1 associated template.
+- Add `Set-VcCertificateRequest -RejectReason` to specify a reason for rejection. The default is 'Rejection processed by VenafiPS'.
\ No newline at end of file
diff --git a/VenafiPS/Private/Get-VcData.ps1 b/VenafiPS/Private/Get-VcData.ps1
index 94f5d4d4..a00c9aef 100644
--- a/VenafiPS/Private/Get-VcData.ps1
+++ b/VenafiPS/Private/Get-VcData.ps1
@@ -157,7 +157,7 @@ function Get-VcData {
 }
 if ( $FailOnNotFound -and -not $returnObject ) {
- throw "'$InputObject' of type $Type not found"
+ throw "$Type '$InputObject' not found"
 }
 switch ($PSCmdlet.ParameterSetName) {
diff --git a/VenafiPS/Public/New-VcCertificate.ps1 b/VenafiPS/Public/New-VcCertificate.ps1
index 543f1f4b..861820dc 100644
--- a/VenafiPS/Public/New-VcCertificate.ps1
+++ b/VenafiPS/Public/New-VcCertificate.ps1
@@ -7,11 +7,12 @@ function New-VcCertificate {
 Create certificate request from automated secure keypair details or CSR
 .PARAMETER Application
- Application name (wildcards supported) or id to associate this certificate.
+ Application name or id to associate this certificate with.
 .PARAMETER IssuingTemplate
- Issuing template name (wildcards supported) or id to use.
- The template must be available with the selected Application.
+ Issuing template id, name, or alias.
+ The template must be associated with the provided Application.
+ If the application has only one template, this parameter is optional.
 .PARAMETER Csr
 CSR in PKCS#10 format which conforms to the rules of the issuing template
@@ -70,6 +71,11 @@ function New-VcCertificate {
 Create certificate
+ .EXAMPLE
+ New-VcCertificate -Application 'MyApp' -CommonName 'app.mycert.com'
+
+ Create certificate with the template associated with the application
+
 .EXAMPLE
 New-VcCertificate -Application 'MyApp' -IssuingTemplate 'MSCA - 1 year' -CommonName 'app.mycert.com' -SanIP '1.2.3.4'
@@ -103,7 +109,7 @@ function New-VcCertificate {
 [Parameter(Mandatory)]
 [String] $Application,
- [Parameter(Mandatory)]
+ [Parameter()]
 [String] $IssuingTemplate,
 [Parameter(ParameterSetName = 'Csr', Mandatory)]
@@ -175,14 +181,37 @@ function New-VcCertificate {
 Test-VenafiSession $PSCmdlet.MyInvocation
 # validation
- $thisApp = Get-VcApplication -Application $Application
- if ( -not $thisApp ) {
- throw "Application $Application does not exist"
+ $thisApp = Get-VcData -Type Application -InputObject $Application -Object -FailOnNotFound
+
+ if ( $thisApp.issuingTemplate.Count -eq 0 ) {
+ throw 'No templates associated with this application'
 }
- $thisTemplate = Get-VcIssuingTemplate -IssuingTemplate $IssuingTemplate
- if ( -not $thisTemplate ) {
- throw "Issuing template $IssuingTemplate does not exist"
+ if ( -not $IssuingTemplate ) {
+ # issuing template not provided, see if the app has one
+ switch ($thisApp.issuingTemplate.Count) {
+ 1 {
+ # there is only one template, use it
+ $thisTemplate = Get-VcData -Type IssuingTemplate -InputObject $thisApp.issuingTemplate[0].issuingTemplateId -Object
+ break
+ }
+
+ Default {
+ throw 'IssuingTemplate is required when the application has more than 1 template associated'
+ }
+ }
+ }
+ else {
+ # template provided, check if name or alias or id
+ if ( $IssuingTemplate -in $thisApp.issuingTemplate.name ) {
+ # name is an alias, get template
+ $templateId = $thisApp.issuingTemplate | Where-Object { $_.name -eq $IssuingTemplate } | Select-Object -ExpandProperty issuingTemplateId
+ $thisTemplate = Get-VcData -Type IssuingTemplate -InputObject $templateId -Object
+ }
+ else {
+ # lookup provided value, name or id
+ $thisTemplate = Get-VcData -Type IssuingTemplate -InputObject $IssuingTemplate -Object -FailOnNotFound
+ }
 }
 if ( $ValidUntil ) {
diff --git a/VenafiPS/Public/Set-VcCertificateRequest.ps1 b/VenafiPS/Public/Set-VcCertificateRequest.ps1
index c5ba177a..c1c9aa1f 100644
--- a/VenafiPS/Public/Set-VcCertificateRequest.ps1
+++ b/VenafiPS/Public/Set-VcCertificateRequest.ps1
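Review bot: In the final `else` branch, `$thisTemplate = Get-VcData -Type IssuingTemplate -InputObject $IssuingTemplate -Object -FailOnNotFound` resolves any template by name or id without checking that it is one of `$thisApp.issuingTemplate`, so a template belonging to a different application is accepted even though the updated help text in this commit says the template must be associated with the provided Application. I would follow that lookup with a membership check such as `if ( $thisTemplate.issuingTemplateId -notin $thisApp.issuingTemplate.issuingTemplateId ) { throw "Issuing template '$IssuingTemplate' is not associated with application '$Application'" }`, assuming the object returned by `Get-VcData -Object` exposes its id under that property name. The single-template branch calls `Get-VcData` without `-FailOnNotFound`, so a failed lookup leaves `$thisTemplate` empty and the error surfaces later in the function instead of here. The alias branch also assumes `name` is unique within the application; if two entries share a name, `Select-Object -ExpandProperty issuingTemplateId` yields an array that is passed on as `-InputObject`. New-VcCertificate begins before this hunk and continues after `if ( $ValidUntil ) {`.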
@@ -7,12 +7,16 @@
 Update details of existing applications.
 Additional properties will be available in the future.
- .PARAMETER CertificateRequestId
+ .PARAMETER ID
 The certificate request id to process.
 .PARAMETER Approve
 Provide the switch to approve a request
+ .PARAMETER RejectReason
+ In the case of rejection, provide a reason.
+ The default will be 'reject'.
+
 .PARAMETER Wait
 Wait for the certificate request to either be issued or fail.
 Depending on the speed of your CA, this could take some time.
@@ -42,6 +46,11 @@
 Reject a request
+ .EXAMPLE
+ Set-VcCertificateRequest -ID 'ca7ff555-88d2-4bfc-9efa-2630ac44c1f2' -Approve:$false -RejectReason 'not needed'
+
+ Reject a request with a specific reason
+
 .EXAMPLE
 Set-VcCertificateRequest -ID 'ca7ff555-88d2-4bfc-9efa-2630ac44c1f2' -Approve -Wait
@@ -71,6 +80,9 @@
 [Parameter(Mandatory, ParameterSetName = 'Approval')]
 [switch] $Approve,
+ [Parameter(ParameterSetName = 'Approval')]
+ [string] $RejectReason = 'Rejection processed by VenafiPS',
+
 [Parameter(ParameterSetName = 'Approval')]
 [switch] $Wait,
@@ -96,11 +108,15 @@
 UriLeaf = 'certificaterequests/{0}/approval/{1}' -f $ID, $decision
 }
+ if ( -not $Approval ) {
+ $params.Body = @{'reason' = $RejectReason }
+ }
+
 if ( $PSCmdlet.ShouldProcess($ID, "$decision certificate request") ) {
 $response = Invoke-VenafiRestMethod @params
 }
- if ( $Wait ) {
+ if ( $Approve -and $Wait ) {
 Write-Verbose 'Request approved, waiting for a status of either issued or failed'
 do {
 Start-Sleep -Seconds 1
@@ -110,6 +126,7 @@
 $response.status -in 'ISSUED', 'FAILED'
 )
 }
+
 if ( $PassThru ) {
 $response
 }
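Review bot: The new `.PARAMETER RejectReason` help text states `The default will be 'reject'.`, which contradicts the declaration added later in this file, `[string] $RejectReason = 'Rejection processed by VenafiPS'`, and the RELEASE.md entry in the same commit that announces that default. The help line should read `The default is 'Rejection processed by VenafiPS'.`. The comment block this hunk sits in begins before the hunk.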
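Review bot: `if ( -not $Approval ) {` tests a variable that is never assigned anywhere visible: the switch parameter declared in the hunk above is `$Approve`, and the rewritten `if ( $Approve -and $Wait ) {` further down this same hunk uses that name. With `$Approval` unset the condition is always true, so the `reason` body is sent on approvals as well as rejections, and under `Set-StrictMode` the reference would throw instead. The line should be `if ( -not $Approve ) {`. `$decision`, used in the `UriLeaf` line at the top of the hunk, is assigned before the hunk starts, so that part of the block is outside view.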