update

2026-04-15 15:45:50 -05:00
commit 1d304511b8
613 changed files with 140998 additions and 0 deletions
@@ -0,0 +1,89 @@
+Set-PSUAuthenticationMethod -Type "Form" -ScriptBlock {
+    param(
+        [PSCredential]$Credential
+    )
+
+    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+
+    # is this a UPN?
+    if ( $Credential.UserName.IndexOf('@') -gt -1 ) {
+
+        # juggle back and forth from SID to get NTAccount format
+        $NTAccountName = ([System.Security.Principal.NTAccount]$Credential.UserName).Translate([System.Security.Principal.SecurityIdentifier]).Translate([System.Security.Principal.NTAccount]).Value
+
+    }
+    elseif ( $Credential.UserName.IndexOf('\') -gt -1 ) {
+
+        # already NTAccount format
+        $NTAccountName = $Credential.UserName
+
+    }
+    else {
+
+        # someone didn't enter their domain...
+        $NTAccountName = "NDGOV\" + $Credential.GetNetworkCredential().UserName
+
+    }
+
+    # split domain and username
+    $DomainName, $UserName = $NTAccountName.Split('\', 2)
+
+    # perform auth with AD
+    $PrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext( 'Domain', $DomainName )
+    $Authenticated = $PrincipalContext.ValidateCredentials( $UserName, $Credential.GetNetworkCredential().Password, 'Negotiate, Sealing' )
+
+    if ( $Authenticated ) {
+
+        # discover the user principal, needed for the user DN
+        $UserPrincipal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($PrincipalContext, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $NTAccountName )
+
+        # get the user's domain
+        $UserDomainContext = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new( 'Domain', $DomainName, $Credential.UserName, $Credential.GetNetworkCredential().Password )
+        $UserDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain( $UserDomainContext )
+
+        # get the computer's domain
+        #$ComputerDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
+
+        # hold all the user groups
+        [System.Collections.Generic.List[hashtable]]$Groups = @()
+
+        # get groups from user's domain
+        #[adsisearcher]::new( $UserDomain.GetDirectoryEntry(), "(&(objectCategory=group)(objectClass=group)(member:1.2.840.113556.1.4.1941:=$($UserPrincipal.DistinguishedName)))", @('name') ).FindAll().ForEach({
+        [adsisearcher]::new( $UserDomain.GetDirectoryEntry(), "(&(objectCategory=group)(objectClass=group)(member:1.2.840.113556.1.4.1941:=$($UserPrincipal.DistinguishedName))(name=ITD-PSUniversal-*))", @('name') ).FindAll().ForEach({
+                $Groups.Add(@{
+                        Type   = 'Group'
+                        Value  = $_.Properties['name'][0]
+                        Issuer = $UserDomain.Name
+                    })
+            })
+        <#
+    # get groups from the computer's domain (if different)
+    if ( $UserDomain.Name -ne $ComputerDomain.Name ) {
+
+        # lookup the user's foreign security principal in the computer's domain
+        $ForeignSecurityPrincipal = [adsisearcher]::new( $ComputerDomain.GetDirectoryEntry(), "(&(objectCategory=foreignSecurityPrincipal)(objectClass=foreignSecurityPrincipal)(name=$($UserPrincipal.Sid)))", @('distinguishedName') ).FindOne().Properties['distinguishedName'][0]
+
+        # find all the group memberships
+        [adsisearcher]::new( $ComputerDomain.GetDirectoryEntry(), "(&(objectCategory=group)(objectClass=group)(member:1.2.840.113556.1.4.1941:=$ForeignSecurityPrincipal))", @('name') ).FindAll().ForEach({
+
+            $Groups.Add(@{
+                Type = 'Group'
+                Value = $_.Properties['name'][0]
+                Issuer = $ComputerDomain.Name
+            })
+
+        })
+
+    }
+        #>
+        New-PSUAuthenticationResult -Success -UserName $UserPrincipal.UserPrincipalName -Claims {
+            $Groups | ForEach-Object { New-PSUAuthorizationClaim @_ }
+        }
+
+    }
+    else {
+
+        New-PSUAuthenticationResult -ErrorMessage 'Bad username or password :)'
+
+    }
+}
@@ -0,0 +1,75 @@
+New-PSURole -Name "Administrator" -Description "Administrators can manage settings, create and edit any entity and view all the entities with PowerShell Universal." -Policy {
+    param(
+        [Security.ClaimsPrincipal]$User
+    )
+
+    <#
+  Policies should return $true or $false to determine whether the user has the particular
+  claim that require them for that role.
+#>
+
+    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
+    $Roles -contains 'ITD-PSUniversal-Admin'
+} 
+New-PSURole -Name "Execute" -Description "Execute scripts within PowerShell Universal." -Policy {
+    param(
+        [Security.ClaimsPrincipal]$User
+    )
+        
+    <# 
+  Policies should return $true or $false to determine whether the user has the particular 
+  claim that require them for that role.
+#>
+
+    $false
+} 
+New-PSURole -Name "Operator" -Description "Operators have access to manage and execute scripts, create other entities within PowerShell Universal but cannot manage PowerShell Universal itself." -Policy {
+    param(
+        [Security.ClaimsPrincipal]$User
+    )
+        
+    <# 
+  Policies should return $true or $false to determine whether the user has the particular 
+  claim that require them for that role.
+#>
+
+    $false
+} 
+New-PSURole -Name "Reader" -Description "Readers have read-only access to PowerShell Universal. They cannot make changes to any entity within the system." -Policy {
+    param(
+        [Security.ClaimsPrincipal]$User
+    )
+        
+    <# 
+  Policies should return $true or $false to determine whether the user has the particular 
+  claim that require them for that role.
+#>
+
+    $true #default $false
+} 
+New-PSURole -Name "Team-Windows" -Policy {
+    param(
+        [Security.ClaimsPrincipal]$User
+    )
+        
+    <# 
+  Policies should return $true or $false to determine whether the user has the particular 
+  claim that require them for that role.
+#>
+
+    #$false
+    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
+    $Roles -contains "ITD-PSUniversal-Team-Windows"
+} 
+New-PSURole -Name "User" -Description "Does not have access to the admin console but can be assigned resources like APIs, scripts, dashboards and pages." -Policy {
+    param(
+        [Security.ClaimsPrincipal]$User
+    )
+        
+    <# 
+  Policies should return $true or $false to determine whether the user has the particular 
+  claim that require them for that role.
+#>
+
+    $false
+}
@@ -0,0 +1,4 @@
+New-PSUScript -Name "Get-HelloWorld.ps1" -Description "Get-HelloWorld.ps1" -Path "ZM-Test\Get-HelloWorld.ps1" 
+New-PSUScript -Name "NewITDVMwareVMSnapshotTask.ps1" -Description "NewITDVMwareVMSnapshotTask.ps1" -Path "Infra-VMware.Snapshot\NewITDVMwareVMSnapshotTask.ps1" 
+New-PSUScript -Name "Remove_ITDVmwareVMSnapshotExpired.ps1" -Description "Remove_ITDVmwareVMSnapshotExpired.ps1" -Path "Infra-VMware.Snapshot\Remove_ITDVmwareVMSnapshotExpired.ps1" 
+New-PSUScript -Name "Update-ITDVMwareVMSnapshotStatus.ps1" -Description "Update-ITDVMwareVMSnapshotStatus.ps1" -Path "Infra-VMware.Snapshot\Update-ITDVMwareVMSnapshotStatus.ps1"
@@ -0,0 +1,5 @@
+$Parameters = @{
+	EnhancedAppTokenSecurity = $true
+	ApiSecurityModel = "Medium"
+}
+Set-PSUSetting @Parameters
@@ -0,0 +1,2 @@
+New-PSUVariable -Name "ndgov_svcitdiaasauto" -Vault "Database" -Type "PSCredential" 
+New-PSUVariable -Name "ndgov_svcitdvmsnapmgr" -Vault "Database" -Type "PSCredential"