PowerCommander

Keeper-Security · May 18, 2022 · ca5b352 · ca5b352
1 parent 9e6ce84
commit ca5b352
Show file tree

Hide file tree

Showing 9 changed files with 162 additions and 19 deletions.
diff --git a/KeeperSdk/enterprise/EnterpriseDataManagement.cs b/KeeperSdk/enterprise/EnterpriseDataManagement.cs
@@ -74,6 +74,7 @@ public async Task DeleteUser(EnterpriseUser user)
             };
 
             await Enterprise.Auth.ExecuteAuthCommand(rq);
+            await Enterprise.Load();
         }
 
         /// <inheritdoc/>
@@ -288,6 +289,7 @@ await this.PopulateUserPublicKeys(keys, (error) =>
             }
 
             await Enterprise.Auth.ExecuteAuthCommand(tdRq);
+            await Enterprise.Load();
 
             return new AccountTransferResult
             {

diff --git a/KeeperSdk/vault/VaultOnline.cs b/KeeperSdk/vault/VaultOnline.cs
@@ -159,6 +159,15 @@ public void AuditLogRecordOpen(string recordUid)
             });
         }
 
+        /// <inheritdoc/>
+        public void AuditLogRecordCopyPassword(string recordUid)
+        {
+            _ = Task.Run(async () =>
+            {
+                await Auth.AuditEventLogging("copy_password", new AuditEventInput { RecordUid = recordUid });
+            });
+        }
+
 
         /// <inheritdoc/>
         public Task<KeeperRecord> CreateRecord(KeeperRecord record, string folderUid = null)

diff --git a/KeeperSdk/vault/VaultTypes.cs b/KeeperSdk/vault/VaultTypes.cs
@@ -225,6 +225,12 @@ public interface IVault : IVaultData
         /// <param name="recordUid"></param>
         void AuditLogRecordOpen(string recordUid);
 
+        /// <summary>
+        /// Records "copy_password" audit event for enterprise accounts
+        /// </summary>
+        /// <param name="recordUid"></param>
+        void AuditLogRecordCopyPassword(string recordUid);
+
         /// <summary>
         /// Creates a password record.
         /// </summary>

diff --git a/PowerCommander/Enterprise.ps1 b/PowerCommander/Enterprise.ps1
@@ -11,9 +11,10 @@ function getEnterprise {
         $enterprise = New-Object Enterprise
 
         $enterprise.enterpriseData = New-Object KeeperSecurity.Enterprise.EnterpriseData
+        $enterprise.roleData = New-Object KeeperSecurity.Enterprise.RoleData
         $enterprise.mspData = New-Object KeeperSecurity.Enterprise.ManagedCompanyData
 
-        [KeeperSecurity.Enterprise.EnterpriseDataPlugin[]] $plugins = $enterprise.enterpriseData, $enterprise.mspData
+        [KeeperSecurity.Enterprise.EnterpriseDataPlugin[]] $plugins = $enterprise.enterpriseData, $enterprise.roleData, $enterprise.mspData
 
         $enterprise.loader = New-Object KeeperSecurity.Enterprise.EnterpriseLoader($auth, $plugins, $null)
         $enterprise.loader.Load().GetAwaiter().GetResult() | Out-Null
@@ -99,7 +100,7 @@ function Lock-KeeperEnterpriseUser {
     }
 }
 Register-ArgumentCompleter -CommandName Lock-KeeperEnterpriseUser -ParameterName User -ScriptBlock $Keeper_ActiveUserCompleter
-New-Alias -Name keul -Value Lock-KeeperEnterpriseUser
+New-Alias -Name lock-user -Value Lock-KeeperEnterpriseUser
 
 $Keeper_LockedUserCompleter = {
 	param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
@@ -149,8 +150,126 @@ function Unlock-KeeperEnterpriseUser {
     }
 }
 Register-ArgumentCompleter -CommandName Unlock-KeeperEnterpriseUser -ParameterName User -ScriptBlock $Keeper_LockedUserCompleter
-New-Alias -Name keuu -Value Unlock-KeeperEnterpriseUser
+New-Alias -Name unlock-user -Value Unlock-KeeperEnterpriseUser
 
+$Keeper_EnterpriseUserCompleter = {
+	param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
+
+	$result = @()
+    [Enterprise]$enterprise = $Script:Context.Enterprise
+    if (-not $enterprise) {
+        return $null
+    }
+    if ($wordToComplete) {
+        $to_complete = '*' + $wordToComplete + '*'
+    } else {
+        $to_complete = '*'
+    }
+    foreach($user in $enterprise.enterpriseData.Users) {
+        if ($user.Email -like $to_complete) {
+            $result += $user.Email
+        }
+    }
+	if ($result.Count -gt 0) {
+		return $result
+	} else {
+		return $null
+	}
+}
+
+function Move-KeeperEnterpriseUser {
+    <#
+        .Synopsis
+    	Transfers enterprise user account to another user
+    	
+        .Parameter FromUser
+	    email or user ID to transfer vault from user
+        
+        .Parameter TargetUser
+	    email or user ID to transfer vault to user
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Position = 0, Mandatory = $true)]$FromUser,
+        [Parameter(Position = 1, Mandatory = $true)]$TargetUser,
+        [Switch] $Force
+    )
+
+    [Enterprise]$enterprise = getEnterprise
+
+    $fromUserObject = resolveUser $enterprise.enterpriseData $FromUser
+    if (-not $fromUserObject) {
+        return
+    }
+    $targetUserObject = resolveUser $enterprise.enterpriseData $TargetUser
+    if (-not $targetUserObject) {
+        return
+    }
+    if (-not $Force.IsPresent) {
+        Write-Host "This action cannot be undone.`n"
+        $answer = Read-Host -Prompt "Do you want to proceed with transferring $($fromUserObject.Email) account (Yes/No)? > "
+        if ($answer -ne 'yes' -and $answer -ne 'y') {
+            return
+        }
+    }
+    $transferResult = $enterprise.enterpriseData.TransferUserAccount($enterprise.roleData, $fromUserObject, $targetUserObject).GetAwaiter().GetResult()
+    if ($transferResult) {
+        Write-Information "Successfully Transfered:" 
+        Write-Information "        Records: $($transferResult.RecordsTransfered)"
+        Write-Information " Shared Folders: $($transferResult.SharedFoldersTransfered)"
+        Write-Information "           Team: $($transferResult.TeamsTransfered)"
+        if ($transferResult.RecordsCorrupted -gt 0 -or $transferResult.SharedFoldersCorrupted -gt 0 -or $transferResult.TeamsCorrupted -gt 0) {
+            Write-Information "Failed to Transfer:"
+            if ($transferResult.RecordsCorrupted -gt 0) {
+                Write-Information "        Records: $($transferResult.RecordsCorrupted)"
+            }
+            if ($transferResult.SharedFoldersCorrupted -gt 0) {
+                Write-Information " Shared Folders: $($transferResult.SharedFoldersCorrupted)"
+            }
+            if ($transferResult.TeamsCorrupted -gt 0) {
+                Write-Information "           Team: $($transferResult.TeamsCorrupted)"
+            }
+        }
+    }
+}
+Register-ArgumentCompleter -CommandName Move-KeeperEnterpriseUser -ParameterName FromUser -ScriptBlock $Keeper_LockedUserCompleter
+Register-ArgumentCompleter -CommandName Move-KeeperEnterpriseUser -ParameterName TargetUser -ScriptBlock $Keeper_ActiveUserCompleter
+New-Alias -Name transfer-user -Value Move-KeeperEnterpriseUser
+
+function Remove-KeeperEnterpriseUser {
+    <#
+        .Synopsis
+    	Removes Enterprise User
+    	
+        .Parameter User
+	    User email, enterprise Id, or instance.
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Position = 0, Mandatory = $true)]$User,
+        [Switch] $Force
+    )
+
+    [Enterprise]$enterprise = getEnterprise
+    $userObject = resolveUser $enterprise.enterpriseData $User
+    if ($userObject) {
+        if (-not $Force.IsPresent) {
+            Write-Host  "Deleting a user will also delete any records owned and shared by this user.`n" +
+                        "Before you delete this user, we strongly recommend you lock their account`n" +
+                        "and transfer any important records to other user.`n" +
+                        "This action cannot be undone."
+            $answer = Read-Host -Prompt "Do you want to proceed with deleting $($userObject.Email) account (Yes/No)? > "
+            if ($answer -ne 'yes' -and $answer -ne 'y') {
+                return
+            }
+        }
+
+        $enterprise.enterpriseData.DeleteUser($userObject).GetAwaiter().GetResult() | Out-Null
+        Write-Host "User $($userObject.Email) has been deleted"
+    }
+}
+Register-ArgumentCompleter -CommandName Remove-KeeperEnterpriseUser -ParameterName User -ScriptBlock $Keeper_EnterpriseUserCompleter
+New-Alias -Name delete-user -Value Remove-KeeperEnterpriseUser
 
 function resolveUser {
     Param (
@@ -198,7 +317,7 @@ function Get-KeeperMspLicenses {
     [Enterprise]$enterprise = getMspEnterprise
     $enterprise.enterpriseData.EnterpriseLicense.MspPool
 }
-New-Alias -Name kmspl -Value Get-KeeperMspLicenses
+New-Alias -Name msp-license -Value Get-KeeperMspLicenses
 
 function Get-KeeperManagedCompanies {
     <#

diff --git a/PowerCommander/KeeperSdk.dll b/PowerCommander/KeeperSdk.dll
diff --git a/PowerCommander/PowerCommander.psd1 b/PowerCommander/PowerCommander.psd1
diff --git a/PowerCommander/PowerCommander.psm1 b/PowerCommander/PowerCommander.psm1
@@ -3,6 +3,7 @@
 Class Enterprise {
     [KeeperSecurity.Enterprise.EnterpriseLoader] $loader
     [KeeperSecurity.Enterprise.EnterpriseData] $enterpriseData
+    [KeeperSecurity.Enterprise.RoleData] $roleData
     [KeeperSecurity.Enterprise.ManagedCompanyData] $mspData
 }
 
@@ -35,12 +36,13 @@ Export-ModuleMember -Function Add-KeeperFolder, Remove-KeeperFolder
 Export-ModuleMember -Alias kmkdir, krmdir
 
 Export-ModuleMember -Function Sync-KeeperEnterprise, Get-KeeperEnterpriseUsers, Get-KeeperEnterpriseNodes,
-                              Get-KeeperNodeName, Lock-KeeperEnterpriseUser, Unlock-KeeperEnterpriseUser
-Export-ModuleMember -Alias ked, keu, ken, keul, keuu
+                              Get-KeeperNodeName, Lock-KeeperEnterpriseUser, Unlock-KeeperEnterpriseUser,
+                              Move-KeeperEnterpriseUser, Remove-KeeperEnterpriseUser
+Export-ModuleMember -Alias ked, keu, ken, lock-user, unlock-user, transfer-user, delete-user
 
 Export-ModuleMember -Function Get-KeeperMspLicenses, Get-KeeperManagedCompanies, New-KeeperManagedCompany, 
                               Remove-KeeperManagedCompany, Edit-KeeperManagedCompany
-Export-ModuleMember -Alias kmspl, kmc, kamc, krmc, kemc
+Export-ModuleMember -Alias msp-license, kmc, kamc, krmc, kemc
 
 Export-ModuleMember -Function Show-KeeperRecordShares, Grant-KeeperRecordAccess, Revoke-KeeperRecordAccess, 
                               Grant-KeeperSharedFolderAccess, Revoke-KeeperSharedFolderAccess

diff --git a/PowerCommander/README.md b/PowerCommander/README.md
@@ -34,18 +34,20 @@ To install the PowerCommander module copy PowerCommander\ directory to
 | Revoke-KeeperSharedFolderAccess| kushf  | Adds a user or team to a shared foler
 
 ### Enterprise Cmdlets
-| Cmdlet name                    | Alias  | Description
-|--------------------------------|--------|----------------------------
-| Sync-KeeperEnterprise          | ked    | Sync Keeper enterprise information
-| Get-KeeperEnterpriseNodes      | ken    | Enumerate all enterprise nodes
-| Get-KeeperEnterpriseUsers      | keu    | Enumerate all enterprise users
-| Lock-KeeperEnterpriseUser      | keul   | Locks Enterprise User
-| Unlock-KeeperEnterpriseUser    | keuu   | Unlocks Enterprise User
-| Get-KeeperMspLicenses          | kmspl  | Returns MSP licenses
-| Get-KeeperManagedCompanies     | kmc    | Enumerate all enterprise managed companies
-| New-KeeperManagedCompany       | kamc   | Create Managed Company
-| Remove-KeeperManagedCompany    | krmc   | Remove Managed Company
-| Edit-KeeperManagedCompany      | kemc   | Edit Managed Company
+| Cmdlet name                    | Alias       | Description
+|--------------------------------|-------------|----------------------------
+| Sync-KeeperEnterprise          | ked         | Sync Keeper enterprise information
+| Get-KeeperEnterpriseNodes      | ken         | Enumerate all enterprise nodes
+| Get-KeeperEnterpriseUsers      | keu         | Enumerate all enterprise users
+| Lock-KeeperEnterpriseUser      | lock-user   | Locks Enterprise User
+| Unlock-KeeperEnterpriseUser    | unlock-user | Unlocks Enterprise User
+| Move-KeeperEnterpriseUser      |transfer-user| Transfers user account to another user
+| Remove-KeeperEnterpriseUser    | delete-user | Deletes Enterprise User
+| Get-KeeperMspLicenses          | msp-license | Returns MSP licenses
+| Get-KeeperManagedCompanies     | kmc         | Enumerate all enterprise managed companies
+| New-KeeperManagedCompany       | kamc        | Create Managed Company
+| Remove-KeeperManagedCompany    | krmc        | Remove Managed Company
+| Edit-KeeperManagedCompany      | kemc        | Edit Managed Company
 
 
 #### Examples

diff --git a/PowerCommander/RecordCommands.ps1 b/PowerCommander/RecordCommands.ps1
@@ -113,6 +113,9 @@ function Copy-KeeperToClipboard {
 
 				if ($value) {
 					Set-Clipboard -Value $value
+					if ($Field -eq 'Password') {
+						$vault.AuditLogRecordCopyPassword($rec.Uid)
+					}
 					Write-Host "Copied to clipboard: $Field for $($rec.Title)"
 				} else {
 					Write-Host "Record $($rec.Title) has no $Field"