@adamrushuk
Created March 17, 2019 14:24
KeePass PowerShell examples
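#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Exercises the PoShKeePass module end to end: create a database and a connection
    profile, add a group and entries, read entries back as PSCredential objects, update
    one entry, and show how a DSC ConfigData role can name the account whose credential
    is fetched from KeePass at run time.
.DESCRIPTION
    Testing KeePass automation against KeePass v2.39.1.
    Admin rights are only needed for the connection-profile step (it writes
    KeePassConfiguration.xml into the module folder under Program Files).
.NOTES
    The master key and the sample passwords below are throwaway lab values kept in
    source so the script is self-contained; they also land in transcripts and in
    Get-History. Outside a lab, obtain the master key with Get-Credential or from a
    secret store instead of a literal.
#>

# Vars
# NOTE(review): hard-coded master key (see .NOTES above).
$masterKeyCredential = New-Object -TypeName 'PSCredential' -ArgumentList ('KPMasterUser', (ConvertTo-SecureString -String 'Passw0rd123!' -AsPlainText -Force))
$repoPath = 'C:\Code\KeePass\KeePassDB'
$databaseName = 'KeePassDatabase'
$databasePath = Join-Path -Path $repoPath -ChildPath "$databaseName.kdbx"
$databaseProfileName = 'KeePassDatabaseProfile01'
$testGroupName = 'TestAccounts'
$domain = 'LAB'
$serviceAccountNames = @(
    'svc_admin'
    'svc_sql'
    'svc_ldap'
)

# The module is pulled from the gallery unpinned on every run; pinning with
# -RequiredVersion (the profile path below refers to 2.1.1.8) makes runs reproducible.
Install-Module 'PoShKeePass' -Force -Verbose
Import-Module 'PoShKeePass' -Force -Verbose
<#
(Get-Module PoshKeePass).Path
Get-Command -Module PoShKeePass
#>

<#
.SYNOPSIS
    Creates one KeePass entry under "$databaseName/$testGroupName" with a freshly
    generated 32-character password.
.PARAMETER AccountName
    Account name without the domain; stored as "$domain\$AccountName".
.PARAMETER Title
    Entry title; defaults to AccountName.
.NOTES
    Reads script-scope $domain, $databaseName, $testGroupName, $databaseProfileName
    and $masterKeyCredential. Factored out because the same splat was repeated for
    every entry.
#>
function New-TestServiceAccountEntry {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string] $AccountName,

        [string] $Title = $AccountName
    )

    $keePassNewEntryParams = @{
        UserName              = "$domain\$AccountName"
        KeePassEntryGroupPath = "$databaseName/$testGroupName" # full path
        KeePassPassword       = New-KeePassPassword -upper -lower -digits -length 32
        Title                 = $Title
        DatabaseProfileName   = $databaseProfileName
        MasterKey             = $masterKeyCredential
        Verbose               = $true
    }
    New-KeePassEntry @keePassNewEntryParams
}

#region Create new database
New-Item -Path (Split-Path -Path $databasePath) -ItemType Directory -Force -Verbose

# ! This will overwrite an existing Database with same path
$keePassDatabaseParams = @{
    DatabasePath = $databasePath
    # KeyPath = 'C:\Code\KeePass\testKeePassDatabase.key' # not implemented yet
    MasterKey    = $masterKeyCredential
    Verbose      = $true
}
New-KeePassDatabase @keePassDatabaseParams

# Create connection profile in module path, eg C:\Program Files\WindowsPowerShell\Modules\PoShKeePass\2.1.1.8\KeePassConfiguration.xml
# Requires ADMIN rights for this part only
$keePassConnectionParams = @{
    DatabaseProfileName = $databaseProfileName
    DatabasePath        = $databasePath
    UseMasterKey        = $true
    Verbose             = $true
}
# Only create the profile once; a second run reuses the existing one.
$dbConfiguration = Get-KeePassDatabaseConfiguration -DatabaseProfileName $databaseProfileName
if ($null -eq $dbConfiguration) {
    Write-Host "STARTED: Creating new KeePass Database Configuration" -ForegroundColor 'Green'
    New-KeePassDatabaseConfiguration @keePassConnectionParams
} else {
    Write-Host "SKIPPING: KeePass Database Configuration already exists" -ForegroundColor 'Yellow'
}
#endregion

#region Groups
# Create First-level group
$newKeePassGroupSplat = @{
    KeePassGroupName       = $testGroupName
    KeePassGroupParentPath = $databaseName # this is the DatabaseName for first-level groups
    DatabaseProfileName    = $databaseProfileName
    MasterKey              = $masterKeyCredential
    Verbose                = $true
}
New-KeePassGroup @newKeePassGroupSplat

# Get groups
Get-KeePassGroup -DatabaseProfileName $databaseProfileName -AsPlainText -MasterKey $masterKeyCredential
#endregion

#region Create entries
New-TestServiceAccountEntry -AccountName 'svcAccount01' -Title 'Test Service Account'
New-TestServiceAccountEntry -AccountName 'svcAccount02' -Title 'Test Service Account 02'

# Create entries from Service Account array (title = account name)
foreach ($serviceAccountName in $serviceAccountNames) {
    New-TestServiceAccountEntry -AccountName $serviceAccountName
}
#endregion

#region Get entries
$keePassGetEntryParams = @{
    DatabaseProfileName = $databaseProfileName
    MasterKey           = $masterKeyCredential
    AsPSCredential      = $true
    Verbose             = $true
}
$entries = Get-KeePassEntry @keePassGetEntryParams
$entries
$entries.Credential
$entries[0] | Get-Member
$entries[0] | Format-List *
$entries[0].Credential | Get-Member
# ! Writes the clear-text password to the console (and any transcript); exploration only.
$entries[0].Credential.GetNetworkCredential().password

# Get specific entry
$keePassGetSingleEntryParams = @{
    UserName            = "$domain\svcAccount01"
    DatabaseProfileName = $databaseProfileName
    MasterKey           = $masterKeyCredential
    AsPSCredential      = $true
    AsPlainText         = $true # ! This is insecure and may be deprecated in future versions
    Verbose             = $true
}
$keePassEntryObject = Get-KeePassEntry @keePassGetSingleEntryParams
$keePassEntryObject
#endregion

#region Update entry
$updateKeePassEntryParams = @{
    KeePassEntry          = $keePassEntryObject
    Title                 = 'My New Title'
    # Literal password for the demo; use New-KeePassPassword (as above) for real entries.
    KeePassPassword       = ConvertTo-SecureString -String 'MyNewPassword' -AsPlainText -Force
    KeePassEntryGroupPath = "$databaseName/$testGroupName"
    DatabaseProfileName   = $databaseProfileName
    MasterKey             = $masterKeyCredential
    Confirm               = $false
    Verbose               = $true
}
Update-KeePassEntry @updateKeePassEntryParams
#endregion

#region Example usage
# Credential - Old Method (hard-coded)
$adminCredential = New-Object -TypeName 'PSCredential' -ArgumentList ('LAB\svc_admin', (ConvertTo-SecureString -String 'Password1234' -AsPlainText -Force))
$adminCredential

# Credential - New Method (dynamic)
$keePassDefaultParams = @{
    DatabaseProfileName = $databaseProfileName
    MasterKey           = $masterKeyCredential
    AsPSCredential      = $true
    Verbose             = $true
}
$adminCredential2 = (Get-KeePassEntry @keePassDefaultParams -UserName 'LAB\svc_admin').Credential
$adminCredential2

# Credentials - New Method (ConfigData)
$ConfigData = @{
    AllNodes = @(
        # This will be ran on all nodes
        @{
            # LCM
            NodeName = '*'
            # ! Lets DSC store credentials unencrypted in the compiled MOF; the
            # ! production alternative is CertificateFile/Thumbprint-based encryption.
            PSDscAllowPlainTextPassword = $true
            PSDscAllowDomainUser        = $true
        }
        @{
            NodeName = 'dc01'
            # Always wrap in an array for role selection logic
            Role     = @('DomainController')
        }
    )
    # Define role data here to ensure roles and nodes are not tightly coupled
    Role     = @{
        DomainController = @{
            LdapUsername = 'LAB\svc_ldap' # <--- TARGET THIS USERNAME with $ConfigData.Role.DomainController.LdapUsername
        }
    }
}
$ldapCredential = (Get-KeePassEntry @keePassDefaultParams -UserName $ConfigData.Role.DomainController.LdapUsername).Credential
$ldapCredential

# Sometimes we need the plain text password
# ! Same caveat as above: this echoes the secret to the console.
$ldapCredential.GetNetworkCredential().password
#endregion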