Correction TLS/SSL pour connexion aux automates Eclypse
- Remplacement de la validation de certificat par ICertificatePolicy avec activation TLS 1.0/1.1/1.2 - ajout d'un fallback curl.exe -k pour les cas ou la négociation TLS .NET échoue
This commit is contained in:
+5
-1
@@ -1,2 +1,6 @@
|
|||||||
plan
|
plan/
|
||||||
.claude
|
.claude
|
||||||
|
.idea/
|
||||||
|
Audit_*/
|
||||||
|
*.csv
|
||||||
|
*.bat
|
||||||
+38
-5
@@ -92,8 +92,10 @@ function Write-Log {
|
|||||||
# FONCTION : Initialize-ApiClient
|
# FONCTION : Initialize-ApiClient
|
||||||
# Force TLS 1.2 et accepte les certificats auto-signes (equivalent curl -k)
|
# Force TLS 1.2 et accepte les certificats auto-signes (equivalent curl -k)
|
||||||
# =====================================================================
|
# =====================================================================
|
||||||
|
$script:CurlAvailable = $false
|
||||||
|
|
||||||
function Initialize-ApiClient {
|
function Initialize-ApiClient {
|
||||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls
|
||||||
|
|
||||||
if (-not ([System.Management.Automation.PSTypeName]'TrustAllCertsPolicy').Type) {
|
if (-not ([System.Management.Automation.PSTypeName]'TrustAllCertsPolicy').Type) {
|
||||||
Add-Type @"
|
Add-Type @"
|
||||||
@@ -109,6 +111,27 @@ public class TrustAllCertsPolicy : ICertificatePolicy {
|
|||||||
"@
|
"@
|
||||||
}
|
}
|
||||||
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
|
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
|
||||||
|
|
||||||
|
$script:CurlAvailable = [bool](Get-Command curl.exe -ErrorAction SilentlyContinue)
|
||||||
|
}
|
||||||
|
|
||||||
|
function Test-SslError {
|
||||||
|
param([System.Exception]$Exception)
|
||||||
|
$msg = $Exception.Message
|
||||||
|
return ($msg -match "SSL" -or $msg -match "TLS" -or $msg -match "confiance" -or $msg -match "trust" -or $msg -match "certificate" -or $msg -match "envoi")
|
||||||
|
}
|
||||||
|
|
||||||
|
function Invoke-CurlGet {
|
||||||
|
param(
|
||||||
|
[string]$Url,
|
||||||
|
[string]$Username,
|
||||||
|
[AllowEmptyString()][string]$Password
|
||||||
|
)
|
||||||
|
$output = & curl.exe -s -k -u "${Username}:${Password}" -H "Accept: text/csv, application/json, text/plain, */*" $Url 2>&1
|
||||||
|
if ($LASTEXITCODE -ne 0) {
|
||||||
|
throw "curl GET erreur (exit code $LASTEXITCODE): $output"
|
||||||
|
}
|
||||||
|
return ($output | Out-String)
|
||||||
}
|
}
|
||||||
|
|
||||||
# =====================================================================
|
# =====================================================================
|
||||||
@@ -202,7 +225,17 @@ function Invoke-AuditLogGet {
|
|||||||
[AllowEmptyString()][string]$Password
|
[AllowEmptyString()][string]$Password
|
||||||
)
|
)
|
||||||
$headers = Get-AuthHeader -Username $Username -Password $Password
|
$headers = Get-AuthHeader -Username $Username -Password $Password
|
||||||
return Invoke-WebRequest -Uri $Url -Method GET -Headers $headers -UseBasicParsing -TimeoutSec 30
|
try {
|
||||||
|
$response = Invoke-WebRequest -Uri $Url -Method GET -Headers $headers -UseBasicParsing -TimeoutSec 30
|
||||||
|
return $response.Content
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
if ((Test-SslError -Exception $_.Exception) -and $script:CurlAvailable) {
|
||||||
|
Write-Log -Message "Bascule sur curl.exe -k (echec TLS .NET)" -Level WARN
|
||||||
|
return Invoke-CurlGet -Url $Url -Username $Username -Password $Password
|
||||||
|
}
|
||||||
|
throw
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# =====================================================================
|
# =====================================================================
|
||||||
@@ -261,17 +294,17 @@ foreach ($automate in $automates) {
|
|||||||
|
|
||||||
Write-Log -Message "[$hostname] GET $url (user: $($creds.Username))" -Level INFO
|
Write-Log -Message "[$hostname] GET $url (user: $($creds.Username))" -Level INFO
|
||||||
|
|
||||||
$response = Invoke-AuditLogGet -Url $url -Username $creds.Username -Password $creds.Password
|
$content = Invoke-AuditLogGet -Url $url -Username $creds.Username -Password $creds.Password
|
||||||
|
|
||||||
if ($OutputFormat -eq "PerAutomate") {
|
if ($OutputFormat -eq "PerAutomate") {
|
||||||
$filePath = Join-Path $outputDir "$ip.csv"
|
$filePath = Join-Path $outputDir "$ip.csv"
|
||||||
Set-Content -Path $filePath -Value $response.Content -Encoding UTF8
|
Set-Content -Path $filePath -Value $content -Encoding UTF8
|
||||||
Write-Log -Message "[$hostname] Journal d'audit ecrit : $filePath" -Level OK
|
Write-Log -Message "[$hostname] Journal d'audit ecrit : $filePath" -Level OK
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
# Suppose une reponse API au format CSV (comme le .bat d'origine qui
|
# Suppose une reponse API au format CSV (comme le .bat d'origine qui
|
||||||
# ecrit directement la reponse brute dans un fichier .csv)
|
# ecrit directement la reponse brute dans un fichier .csv)
|
||||||
$rows = @($response.Content | ConvertFrom-Csv)
|
$rows = @($content | ConvertFrom-Csv)
|
||||||
foreach ($row in $rows) {
|
foreach ($row in $rows) {
|
||||||
$obj = [ordered]@{ Hostname = $hostname; IP = $ip }
|
$obj = [ordered]@{ Hostname = $hostname; IP = $ip }
|
||||||
foreach ($prop in $row.PSObject.Properties) { $obj[$prop.Name] = $prop.Value }
|
foreach ($prop in $row.PSObject.Properties) { $obj[$prop.Name] = $prop.Value }
|
||||||
|
|||||||
Reference in New Issue
Block a user