akamaipowershell's People

Contributors

afsanamkhalifa, brantpeery, k-a-r-l, rmbolger, skearney-akamai, stuart-macleod-akamai, stuartio, sve-sei, ynohat

akamaipowershell's Issues

Invoke-AkamaiRestMethod POST with no Body or InputFile defined fails signature validation

Some operations such as Edge DNS - Create a change list use a POST request with an empty Body. Attempting to do this with Invoke-AkamaiRestMethod currently results in a 401 error complaining that, "The signature does not match".

I tried the following two variations with the same 401 error result.

Invoke-AkamaiRestMethod POST 'config-dns/v2/changelists?zone=example.com&overwrite=stale'
Invoke-AkamaiRestMethod POST 'config-dns/v2/changelists?zone=example.com&overwrite=stale' -Body ''

I also tried a variation with the body set to an empty JSON object that did work. Though, this seems like an unnecessary workaround.

Invoke-AkamaiRestMethod POST 'config-dns/v2/changelists?zone=example.com&overwrite=stale' -Body '{}'

I think the problem revolves around lines 157-183 here:
https://github.com/akamai-contrib/akamaipowershell/blob/e76b8bd26afcc938ffd8df4397d94f09b603a7c7/shared/Invoke-AkamaiRestMethod.ps1#L157-L183

When using POST without a $Body or $InputFile defined, the final 3 tab characters are never added to $SignatureData like they are when other verbs are used.
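The signing input discussed in this issue, as an added example that is not part of the original post or the module's own code. It follows Akamai's public EG1-HMAC-SHA256 (EdgeGrid) scheme; the function name `Get-EdgeGridAuthHeader`, the host name and all credential values are constructed for illustration.

```powershell
# Added example: EdgeGrid request signing per Akamai's public EG1-HMAC-SHA256 scheme.
# Get-EdgeGridAuthHeader and every credential value below are hypothetical/constructed.
function Get-EdgeGridAuthHeader {
    param(
        [string]$Method, [string]$HostName, [string]$PathAndQuery, [string]$Body,
        [string]$ClientToken, [string]$AccessToken, [string]$ClientSecret,
        [string]$Timestamp, [string]$Nonce
    )
    $utf8 = [System.Text.Encoding]::UTF8

    # Content hash is base64(SHA-256(body)) only for a POST with a non-empty body.
    # (The spec's max-body truncation is left out of this example.)
    $contentHash = ''
    if ($Method -eq 'POST' -and -not [string]::IsNullOrEmpty($Body)) {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $contentHash = [Convert]::ToBase64String($sha.ComputeHash($utf8.GetBytes($Body)))
    }
    $unsigned = "EG1-HMAC-SHA256 client_token=$ClientToken;access_token=$AccessToken;" +
                "timestamp=$Timestamp;nonce=$Nonce;"

    # Always seven tab-separated fields. With no signed headers and no body, fields
    # five and six are empty strings, but their tab separators must still be present.
    $fields = @($Method.ToUpper(), 'https', $HostName.ToLower(), $PathAndQuery,
                '', $contentHash, $unsigned)
    $signatureData = $fields -join "`t"

    # Signing key = base64(HMAC-SHA256(key: client secret, data: timestamp)).
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($utf8.GetBytes($ClientSecret))
    $signingKey = [Convert]::ToBase64String($hmac.ComputeHash($utf8.GetBytes($Timestamp)))
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($utf8.GetBytes($signingKey))
    $signature = [Convert]::ToBase64String($hmac.ComputeHash($utf8.GetBytes($signatureData)))

    [pscustomobject]@{
        SignatureData = $signatureData
        Authorization = "${unsigned}signature=$signature"
    }
}

# Constructed inputs: compare an empty POST body with the '{}' workaround.
$common = @{
    Method = 'POST'; HostName = 'edgegrid-host.example'
    PathAndQuery = '/config-dns/v2/changelists?zone=example.com&overwrite=stale'
    ClientToken = 'client-token-EXAMPLE'; AccessToken = 'access-token-EXAMPLE'
    ClientSecret = 'constructed-secret'; Timestamp = '20240101T00:00:00+0000'
    Nonce = [guid]::NewGuid().ToString()
}
(Get-EdgeGridAuthHeader @common -Body '').SignatureData   -replace "`t", '<TAB>'
(Get-EdgeGridAuthHeader @common -Body '{}').SignatureData -replace "`t", '<TAB>'
```

The two printed strings differ only in the sixth field; a client that drops the empty fields instead of emitting them signs a different string than the server reconstructs, and the request is rejected.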

Commands have unapproved verbs

Importing the module into a PowerShell session will always spit a warning out when there are verbs used on command names that are not part of the approved list from Microsoft/PowerShell team. It is a general practice to stick with the approved verbs that are found via Get-Verb.

A common practice to get around it and ensure the warning messages are not observed by users is to create the command in the module using an approved verb, and add the desired command name as an alias.

Output received:

[2] > ipmo C:\Modules\AkamaiPowershell\
WARNING: The names of some imported commands from the module 'AkamaiPowershell' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.

401 The signature does not match

Hi there

Not sure if this issue makes sense here.

Using the PowerShell Module I am able to make Requests (also the one mentioned below).
But because I am in an environment where I should not really use a Module and all the many many functions in there, I tried extracting the necessary files (Invoke-AkamaiRestMethod, Crypto, Get-AkamaiCredentials and Sanitize-QueryString).

I am then trying to create a new group in Identity Management with the following body
$Body= @{ groupName = $groupName } | ConvertTo-Json

Analyzing the code everything seems to be working fine. Auth Header is created correctly including the timestamp in UTC format, nonce and signature. I did not change anything in the files mentioned above.

Running $newGroup = Invoke-AkamaiRestMethod -Method POST -EdgeRCFile $EdgeRCFile -Path "/identity-management/v3/user-admin/groups/$parentGroupID" -Body $Body then ends in my 401 error.

Am I missing something? Thank you so much for your assistance.

Feature: EdgeRC information from a vault

A feature for consideration: Get all the authentication information from a script level variable that was set from a vault or passed in from the calling application.

Use case:

When using Venafi Trust Protection Platform the administrator wants to update the certificates on the Akamai CPS through script. Venafi TPP can store and retrieve the credentials from its secret store on any server that has the script installed. The Venafi TPP executable automatically starts a PowerShell process and passes the credentials to the script. The script uses the passed in credentials to invoke Akamai PowerShell commands.

Passing the credential could be as simple as giving a setter function like

New-AkamaiSession -ClientSecret "mysecret..." -Host "server" -AccessToken "Tokenasdfas" -ClientToken "tokenASDFads"

Which would set the $Script:AkamaiSession variable to the variable information or optionally return a session variable containing the info. This script wide variable could be used by the Invoke-AkamaiRestMethod instead of the .edgerc file if the EdgeRCFile variable is intentionally left null.
To make the process more flexible, the New-AkamaiSession function could use a -PassThrough that would not set the script scoped variable, but only return a new variable in the right format. Also a function Set-AkamaiSession could be used to switch session context with a variable containing the return of a New-AkamaiSession -Passthrough.

New code to be introduced with change

  • Function New-AkamaiSession
  • Function Set-AkamaiSession
  • Variable $Script:AkamaiSession

Returning $_.Exception removes the reason the exception was thrown in Invoke-AkamaiRestMethod

When Invoke-AkamaiRestMethod throws an error, the detailed reason of the web call failure (the underlying Invoke-RestMethod failure body) is stored in the $_.ErrorDetails object. When the below code is run, there is no way to tell why the call may have failed (if it failed, for example, because there were no more licenses for enrollments).

Invoke-AkamaiRestMethod -Method GET -Path "$($enrollment.changes[0])/input/info/third-party-csr" -EdgeRCFile ..\TestData\edgerc -AdditionalHeaders @{Accept="application/vnd.akamai.cps.csr.v1+json"} 

Returning the entire error object allows the calling functions to determine why the call failed and respond gracefully to the failure.

  • The code for Invoke-AkamaiRestMethod for PS v5.1 already returns the whole error object $_
  • The code for Invoke-AkamaiRestMethod for PS v6+ returns only the $_.Exception which will hide the ErrorDetail from the caller
  • The code in some of the Akamai specific functions like New-CPSEnrollment also filters the error to just $_.Exception which can confuse the caller as for example 404 not found is used for both a non-existent location and a contract without the correct resources or all the licenses have already been used. This detail is contained in the $_.ErrorDetails object.
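The difference between the two rethrow styles described in this issue, as an added example that is not part of the original post or the module's code. The function names, the exception text and the JSON body are constructed; `Invoke-SimulatedApiCall` stands in for a failing web call so the example runs offline.

```powershell
# Added example; function names and the JSON error body are constructed for illustration.
function Invoke-SimulatedApiCall {
    # Stand-in for a failed web call: a generic exception message plus the
    # server's response body attached to the error record as ErrorDetails.
    $ex  = [System.InvalidOperationException]::new('The remote server returned an error: (404) Not Found.')
    $err = [System.Management.Automation.ErrorRecord]::new($ex, 'WebCmdletWebResponseException',
        [System.Management.Automation.ErrorCategory]::InvalidOperation, $null)
    $err.ErrorDetails = [System.Management.Automation.ErrorDetails]::new(
        '{"status":404,"detail":"constructed sample: no enrollment licenses remaining"}')
    throw $err
}

# Rethrowing only the exception makes PowerShell build a fresh ErrorRecord
# around it, so the ErrorDetails attached to the original record are lost.
function Invoke-ThrowExceptionOnly { try { Invoke-SimulatedApiCall } catch { throw $_.Exception } }

# Rethrowing the record itself keeps ErrorDetails intact for the caller.
function Invoke-ThrowWholeRecord { try { Invoke-SimulatedApiCall } catch { throw $_ } }

function Get-FailureReason {
    param([scriptblock]$Call)
    try { & $Call }
    catch {
        if ($_.ErrorDetails -and $_.ErrorDetails.Message) {
            # The response body survived: surface the API's own explanation.
            return ($_.ErrorDetails.Message | ConvertFrom-Json).detail
        }
        return "(no ErrorDetails) $($_.Exception.Message)"
    }
}

Get-FailureReason { Invoke-ThrowExceptionOnly }   # caller sees only the generic 404 text
Get-FailureReason { Invoke-ThrowWholeRecord }     # caller sees the API's detail field
```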

Request - Add ability to use default credentials for proxy through environment variables

Hi

Similar to what we do on line 229 on /shared/Invoke-AkamaiRestMethod.ps1 I would like to have added the following lines or something similar.

if ($null -ne $ENV:proxy_use_default_credentials) { $params.ProxyUseDefaultCredentials = $true }

Problem statement:
As a user who uses proxies, I would like to be able to enable use of default credentials similarly to how the use of a proxy is enabled through environment variables.

Usage of unapproved verbs

Hello,

It seems the PowerShell module doesn't follow best practices when it comes to using proper verbs.

PowerShell provides a list of "approved verbs" that you can find out using:

Get-Verb

Using List-XXX is not on the approved list. While technically PowerShell doesn't care, it does give a warning on importing the PowerShell module.

I'm specifically referring to:

Usually you would use Get-RecordSets, but I see there's already Get-RecordSet, so you may need to find something else.

You can find out which commands should be renamed using:

Import-Module AkamaiPowershell -Verbose -Force

To not introduce breaking changes, what you can do is rename the functions, but set aliases for them for people who have automation in place using non-approved verbs.

Get-MasterZoneFile throws HTTP 406 Not Acceptable error

Attempting to use Get-MasterZoneFile currently throws a WebException error due to an HTTP 406 Not Acceptable response by the server. Depending on the PowerShell version, it may also include the JSON response body that gives a better indication of what's wrong.

{
    "type":  "https://problems.luna.akamaiapis.net/authoritative-dns/notAcceptable",
    "title":  "Unable to\r\nrespect Accept header",
    "instance":  "1539501e-fce1-4998-8dc1-2e1a03fcd02a",
    "status":  406,
    "detail":  "The content type you\r\nrequested cannot be produced.",
    "supportedContentTypes":  [
                                  "application/json"
                              ],
    "requestedContentType":  "text/dns"
}

Apparently not all endpoints support sending application/json responses. So Invoke-AkamaiRestMethod needs to be modified to support a configurable Accept header.

Unable to add CP Code to Reporting Group

I am trying to use the Set-CPReportingGroup cmdlet to add a CP Code to an existing reporting group. Here's how I'm attempting to do this:

I first get the existing reporting group information by running:
$Group = Get-CPReportingGroup -ReportingGroupID 123456

Next, I update the list of CP Codes like this:
$Group.contracts[0].cpcodes += [pscustomobject]@{cpcodeId=7654321;cpcodeName='test.com.search'}

Finally, I submit the changes:
Set-CPReportingGroup -ReportingGroupID 123456 -Body $Group

This results in a generic 400 error with no additional information:
The remote server returned an error: (400) Bad Request.

Unfortunately there isn't any help or other info on how to use these cmdlets, so I'm not sure where to go from here. I've tried other methods of modifying the $Group object but everything I've tried has resulted in a 400. Any ideas or suggestions? Thanks in advance.

Wrong API call for List-appsecselectablehostnames pwsh script

As per the appsec API documentation: https://techdocs.akamai.com/application-security/reference/get-selectable-hostnames-per-config
this API call should call the following path: /appsec/v1/contracts/{contractId}/groups/{groupId}/selectable-hostnames

However, the PowerShell script List-appsecselectablehostnames is calling the following path:
$Path = "/appsec/v1/configs/$ConfigID/versions/$VersionNumber/selectable-hostnames"

The goal of this API call is to list the hostnames for a given contract and group that we can add to an existing configuration.

Support reading the account switch key from the edgerc (for Akamai PS)

Similar to Terraform, the idea would be to support an extra key in the .edgerc like so:

[a2s]
access_token = xxx
client_secret = xxx
client_token = xxx
host = xxx
account_key = B-C-1ED34DK:1-8BYUX

The value is that we can specify the section and get the switch key for free on the command line.

Thanks!