RE: Question about Salt_Bytes

@steviecoaster said in Question about Salt_Bytes:

Sweet mother Mary, I got it! It was the content type. I was using application/json and it wanted application/x-ww-form-urlencoded

This code works properly to set the password for a user:

function Set-ProGetUserPassword {
    [Cmdletbinding()]
    Param(
        [Parameter(Mandatory)]
        [String]
        $Username,

        [Parameter(Mandatory)]
        [SecureString]
        $OldPassword,

        [Parameter(Mandatory)]
        [SecureString]
        $NewPassword
    )

    begin {
        $confirm = Read-Host "Please re-enter your new password" -AsSecureString

        $identical = Compare-SecureString -SecureString1 $NewPassword -SecureString2 $confirm

        if (-not $identical) {
            Write-Error 'Passwords do not match!'
            break
        }
    }

    end {

        $unmanagedString = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
        $plainTextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($unmanagedString)
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($unmanagedString) # Clean up
        $iterations = 10000
        $saltLength = 10
        $hashLength = 20

        $rfc2898 = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($plainTextPassword, $saltLength, $iterations)
        $passwordBytes = $rfc2898.GetBytes($hashLength)
        $saltBytes = $rfc2898.Salt

        $base64Password = [System.Convert]::ToBase64String($passwordBytes)
        $base64Salt = [System.Convert]::ToBase64String($saltBytes)

        $body = @{
            User_Name = $Username
            Password_Bytes = $base64Password
            Salt_Bytes = $base64Salt
        }

        Write-Verbose $body

        $Params = @{
            Slug     = '/api/json/Users_SetPassword'
            Method   = 'POST'
            Body = $body
            ContentType = 'application/x-www-form-urlencoded'
        }

        Invoke-ProGet @Params
    }
}

Spoke to soon. This code functions and doesn't produce an error. However, the user cannot login with the credential set. More playing to do!

Sweet mother Mary, I got it! It was the content type. I was using application/json and it wanted application/x-ww-form-urlencoded

This code works properly to set the password for a user:

function Set-ProGetUserPassword {
    [Cmdletbinding()]
    Param(
        [Parameter(Mandatory)]
        [String]
        $Username,

        [Parameter(Mandatory)]
        [SecureString]
        $OldPassword,

        [Parameter(Mandatory)]
        [SecureString]
        $NewPassword
    )

    begin {
        $confirm = Read-Host "Please re-enter your new password" -AsSecureString

        $identical = Compare-SecureString -SecureString1 $NewPassword -SecureString2 $confirm

        if (-not $identical) {
            Write-Error 'Passwords do not match!'
            break
        }
    }

    end {

        $unmanagedString = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
        $plainTextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($unmanagedString)
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($unmanagedString) # Clean up
        $iterations = 10000
        $saltLength = 10
        $hashLength = 20

        $rfc2898 = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($plainTextPassword, $saltLength, $iterations)
        $passwordBytes = $rfc2898.GetBytes($hashLength)
        $saltBytes = $rfc2898.Salt

        $base64Password = [System.Convert]::ToBase64String($passwordBytes)
        $base64Salt = [System.Convert]::ToBase64String($saltBytes)

        $body = @{
            User_Name = $Username
            Password_Bytes = $base64Password
            Salt_Bytes = $base64Salt
        }

        Write-Verbose $body

        $Params = @{
            Slug     = '/api/json/Users_SetPassword'
            Method   = 'POST'
            Body = $body
            ContentType = 'application/x-www-form-urlencoded'
        }

        Invoke-ProGet @Params
    }
}

In my playing around yesterday, I did try to convert that to base64 and it still produced the same error. I'm very perplexed! For my use case I really need this functionality so I'm hopeful I can find a solution.

Here's what I'm using currently, but it's complaining about Salt_Bytes. I'm fairly certain this is a PowerShell problem, but more eyes on it never hurt.

function Set-ProGetUserPassword {
    [Cmdletbinding()]
    Param(
        [Parameter(Mandatory)]
        [String]
        $Username,

        [Parameter(Mandatory)]
        [SecureString]
        $OldPassword,

        [Parameter(Mandatory)]
        [SecureString]
        $NewPassword
    )

    begin {
        $confirm = Read-Host "Please re-enter your new password" -AsSecureString

        $identical = Compare-SecureString -SecureString1 $NewPassword -SecureString2 $confirm

        if(-not $identical){
            Write-Error 'Passwords do not match!'
            break
        }
    }

    end {

        $unmanagedString = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
        $plainTextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($unmanagedString)
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($unmanagedString) # Clean up
        $iterations = 10000
        $saltLength = 10
        $hashLength = 20

        $rfc2898 = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($plainTextPassword, $saltLength, $iterations)
        $passwordBytes = $rfc2898.GetBytes($hashLength)
        $saltBytes = $rfc2898.Salt

        $base64Password = [System.Convert]::ToBase64String($passwordBytes)

        $body = @{
            User_Name = $UserName
            Password_Bytes = $base64Password
            Salt_Bytes = $saltBytes
        }

        Write-Verbose ($body | ConvertTo-Json)

        $Params = @{
            Slug = '/api/json/Users_SetPassword'
            Method = 'POST'
            Body = $body
        }

        Invoke-ProGet @Params
    }
}

Re: Reset ProGet Admin Password via API

I've got code using the Native API which creates a user account and works wonders. But as I'm doing this programmatically I need to also generate a random password for the account, and set it. Seems pretty straightforward to do....but I'm unsure about what to do with the Salt_Bytes parameter available on the API. Any pointers would be outstanding.

Are we sure this is a ProGet problem and not a Docker problem? Assuming the asset is outside the container and you're trying to upload it into ProGet inside the container, you may be hitting a setting inside Docker.

@dean-houston thanks for that info! I think that'll do nicely. I'll have to play around with it to be sure, but from what I can tell it looks straightforward to implement. Thank you!

@dean-houston said in API ability to control Feed Access:

I believe it's possible to configure security with the Native API, but obviously not as easy. So I would explore that, it's probably close to what you wnat.

Do you have documentation/guidance on that? Whilst I'm a fan of DevTools in a browser and bending things to my will, I'd much more a fan of using documented non-hacky processes, particularly when I'm going to be potentially work in a customer environment.

This conversation may be best served taken off the forum and into more direct communications. There's a method to my madness here, and it doesn't really have any reason to be hashed out here publicly.

I'm looking to automate the setup and configuration of ProGet as much as I can. I've found the API to be really good so far, and Ive been able to automate 90% of the things that I require (I build a lot of repository instances). One thing that is super important to me is configuring Read-Only access to the feed to a particular user account, and configuring a Chocolatey client to use that credential to authenticate to the source.

There doesn't seem to be an API endpoint exposed to be able to configure local accounts programmatically. I know it's a non-trivial ask, but, could we get one?

I'm not sure the rules on posting links to gists, so if this breaks one, delete it. However, once I got my feet under me with setting ups HTTPS I went ahead and wrote some code so I can automate it. It assumes a few things, and could be improved but for my use case it is flexible where it needs to be. Enjoy!

https://gist.github.com/steviecoaster/0a2c0d4b09988dedf8e1df1844ec6b8a