FortiPower · alagoutte · Sep 16, 2024 · Sep 4, 2024 · Sep 5, 2024 · Sep 5, 2024
diff --git a/PowerFGT/Public/cmdb/user/local.ps1 b/PowerFGT/Public/cmdb/user/local.ps1
@@ -15,35 +15,37 @@ function Add-FGTUserLocal {
         Add a FortiGate Local User (Name, Password, MFA)
 
         .EXAMPLE
-        Add-FGTUserLocal -Name FGT -passwd MyFGT -status
+        $mypassword = ConvertTo-SecureString mypassword -AsPlainText -Force
+        PS > Add-FGTUserLocal -Name MyFGTUserLocal -passwd $mypassword -status:$false
 
-        Add Local User object name FGT, password MyFGT and enable it
+        Add Local User object name MyFGTUserLocal, password MyFGT and disabled it
 
         .EXAMPLE
         $mypassword = ConvertTo-SecureString mypassword -AsPlainText -Force
-        Add-FGTUserLocal -Name FGT -passwd $mypassword -status -two_factor email -email_to [email protected]
+        PS > Add-FGTUserLocal -Name MyFGTUserLocal -passwd $mypassword -status -two_factor email -email_to [email protected]
 
-        Add Local User object name FGT, password mypassword and enable it, with two factor authentication by email
+        Add Local User object name MyFGTUserLocal, password mypassword with two factor authentication by email
 
         .EXAMPLE
         $mypassword = ConvertTo-SecureString mypassword -AsPlainText -Force
-        Add-FGTUserLocal -Name FGT -passwd $mypassword -status -two_factor fortitoken -fortitoken XXXXXXXXXXXXXXXX -email_to [email protected]
+        PS > Add-FGTUserLocal -Name MyFGTUserLocal -passwd $mypassword -status -two_factor fortitoken -fortitoken XXXXXXXXXXXXXXXX -email_to [email protected]
 
-        Add Local User object name FGT, password mypassword and enable it, with two factor authentication by fortitoken
+        Add Local User object name MyFGTUserLocal, password mypassword, with two factor authentication by fortitoken
 
         .EXAMPLE
         $data = @{ "sms-phone" = "XXXXXXXXXX" }
-        $mypassword = ConvertTo-SecureString mypassword -AsPlainText -Force
-        PS C:\>Add-FGTUserLocal -Name FGT -passwd $mypassword -status -two_factor sms -data $data -email_to [email protected]
-        Add Add Local User object name FGT, password mypassword and enable it, with email and two factor via SMS and SMS Phone via -data parameter
+        PS > $mypassword = ConvertTo-SecureString mypassword -AsPlainText -Force
+        PS > Add-FGTUserLocal -Name MyFGTUserLocal -passwd $mypassword -status -two_factor sms -data $data -email_to [email protected]
+
+        Add Local User object name MyFGTUserLocal, password mypassword, with email and two factor via SMS and SMS Phone via -data parameter
     #>
 
     Param(
         [Parameter (Mandatory = $true)]
         [string]$name,
         [Parameter (Mandatory = $false)]
         [switch]$status,
-        [Parameter (Mandatory = $false, ParameterSetName = "local")]
+        [Parameter (Mandatory = $false, ParameterSetName = "password")]
         [SecureString]$passwd,
         <#[Parameter (Mandatory = $false, ParameterSetName = "radius")]
         [string]$radius_server,
@@ -89,7 +91,7 @@ function Add-FGTUserLocal {
         }
 
         if ( Get-FGTUserLocal @invokeParams -name $name -connection $connection) {
-            Throw "Already an Local User object using the same name"
+            Throw "Already a Local User object using the same name"
         }
 
         $uri = "api/v2/cmdb/user/local"
@@ -106,7 +108,7 @@ function Add-FGTUserLocal {
         }
 
         switch ( $PSCmdlet.ParameterSetName ) {
-            "local" {
+            "password" {
                 $local | add-member -name "type" -membertype NoteProperty -Value "password"
                 $local | add-member -name "passwd" -membertype NoteProperty -Value $password
             }
@@ -284,27 +286,28 @@ function Set-FGTUserLocal {
 
         .EXAMPLE
         $MyFGTUserLocal = Get-FGTUserLocal -name MyFGTUserLocal
-        PS C:\>$MyFGTUserLocal | Set-FGTUserLocal -status $false
+        PS > $MyFGTUserLocal | Set-FGTUserLocal -status:$false
 
         Change MyFGTUserLocal to status disable
 
         .EXAMPLE
         $MyFGTUserLocal = Get-FGTUserLocal -name MyFGTUserLocal
         $mypassword = ConvertTo-SecureString mypassword -AsPlainText -Force
-        PS C:\>$MyFGTUserLocal | Set-FGTUserLocal -passwd $mypassword
+        PS > $MyFGTUserLocal | Set-FGTUserLocal -passwd $mypassword
 
-        Change MyFGTUserLocal to value (Password) MyFGTUserLocalPassword
+        Change Password for MyFGTUserLocal local user
 
         .EXAMPLE
         $MyFGTUserLocal = Get-FGTUserLocal -name MyFGTUserLocal
-        PS C:\>$MyFGTUserLocal | Set-FGTUserLocal -email_to [email protected]
+        PS > $MyFGTUserLocal | Set-FGTUserLocal -email_to [email protected]
 
         Change MyFGTUserLocal to set email to [email protected]
 
         .EXAMPLE
         $data = @{ "sms-phone" = "XXXXXXXXXX" }
-        PS C:\>$MyFGTUserLocal = Get-FGTUserLocal -name MyFGTUserLocal
-        PS C:\>$MyFGTUserLocal | Set-FGTUserLocal -data $data
+        PS > $MyFGTUserLocal = Get-FGTUserLocal -name MyFGTUserLocal
+        PS > $MyFGTUserLocal | Set-FGTUserLocal -data $data
+
         Change MyFGTUserLocal to set SMS Phone
 
     #>
@@ -318,7 +321,7 @@ function Set-FGTUserLocal {
         [string]$name,
         [Parameter (Mandatory = $false)]
         [switch]$status,
-        [Parameter (Mandatory = $false, ParameterSetName = "local")]
+        [Parameter (Mandatory = $false, ParameterSetName = "password")]
         [SecureString]$passwd,
         <#[Parameter (Mandatory = $false, ParameterSetName = "radius")]
         [string]$radius_server,
@@ -364,22 +367,33 @@ function Set-FGTUserLocal {
         }
 
         if ($PsBoundParameters.ContainsKey('passwd')) {
-            $password = ConvertFrom-SecureString -SecureString $passwd -AsPlainText
+            if ($connection.version -ge "7.4.0") {
+                Throw "Can't change passwd with FortiOS > 7.4.0 (Need to use Set-FGTMonitorUserLocalChangePassword)"
+            }
+            if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) {
+                $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($passwd);
+                $password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr);
+            }
+            else {
+                $password = ConvertFrom-SecureString -SecureString $passwd -AsPlainText
+            }
         }
 
         if ( $PSCmdlet.ParameterSetName -ne "default" -and $userlocal.type -ne $PSCmdlet.ParameterSetName ) {
             throw "User type ($($userlocal.type)) need to be on the same type ($($PSCmdlet.ParameterSetName))"
         }
 
-        if ($status) {
-            $_local  | add-member -name "status" -membertype NoteProperty -Value "enable"
-        }
-        else {
-            $_local  | add-member -name "status" -membertype NoteProperty -Value "disable"
+        if ($PsBoundParameters.ContainsKey('status')) {
+            if ($status) {
+                $_local  | add-member -name "status" -membertype NoteProperty -Value "enable"
+            }
+            else {
+                $_local  | add-member -name "status" -membertype NoteProperty -Value "disable"
+            }
         }
 
         switch ( $PSCmdlet.ParameterSetName ) {
-            "local" {
+            "password" {
                 $_local | add-member -name "passwd" -membertype NoteProperty -Value $password
             }
             <#"radius" {

diff --git a/PowerFGT/Public/monitor/user/local/changepassword.ps1 b/PowerFGT/Public/monitor/user/local/changepassword.ps1
@@ -0,0 +1,78 @@
+#
+# Copyright 2022, Alexis La Goutte <alexis dot lagoutte at gmail dot com>
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+function Set-FGTMonitorUserLocalChangePassword {
+
+    <#
+        .SYNOPSIS
+        Set User Local Change Password
+
+        .DESCRIPTION
+        Set User Local Change Password (For > FortiOS 7.4.X)
+
+        .EXAMPLE
+        $mynewpassword = ConvertTo-SecureString mypassword -AsPlainText -Force
+        PS > Get-FGTUserLocal MyFGTUserLocal | Set-FGTMonitorUserLocalChangePassword -new_password $mynewpassword
+
+        Change password for MyFGTUserLocal
+
+    #>
+
+    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'medium')]
+    Param(
+        [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)]
+        [ValidateScript( { Confirm-FGTUserLocal $_ })]
+        [psobject]$userlocal,
+        [Parameter (Mandatory = $true)]
+        [SecureString]$new_password,
+        [Parameter(Mandatory = $false)]
+        [String[]]$vdom,
+        [Parameter(Mandatory = $false)]
+        [psobject]$connection = $DefaultFGTConnection
+    )
+
+    Begin {
+    }
+
+    Process {
+
+        $invokeParams = @{ }
+        if ( $PsBoundParameters.ContainsKey('vdom') ) {
+            $invokeParams.add( 'vdom', $vdom )
+        }
+
+        $uri = 'api/v2/monitor/user/local/change-password'
+
+        #before 7.4.x, you need to use Set-FGTLocalUser -passwd cmdlet
+        if ($connection.version -lt "7.4.0") {
+            Throw "You need to use Set-FGTLocalUser -passwd..."
+        }
+        else {
+            if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) {
+                $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($new_password);
+                $password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr);
+            }
+            else {
+                $password = ConvertFrom-SecureString -SecureString $new_password -AsPlainText
+            }
+
+            $body = @{
+                "username"     = $userlocal.name
+                "new_password" = $password
+            }
+        }
+
+        if ($PSCmdlet.ShouldProcess($userlocal.name, 'Configure User Local Password')) {
+
+            Invoke-FGTRestMethod -uri $uri -method "POST" -body $body -connection $connection @invokeParams | Out-Null
+
+            Get-FGTUserLocal -connection $connection @invokeParams -name $userlocal.name
+        }
+
+    }
+
+    End {
+    }
+}
diff --git a/Tests/integration/UserLocal.Tests.ps1 b/Tests/integration/UserLocal.Tests.ps1
@@ -34,7 +34,17 @@ Describe "Get User Local" {
         $userlocal.count | Should -Not -Be $NULL
     }
 
-    It "Get User Local with -name $pester_userlocal -meta" {
+    It "Get User Local ($pester_userlocal)" {
+        $userlocal = Get-FGTUserLocal -name $pester_userlocal
+        $userlocal.name | Should -Be $pester_userlocal
+    }
+
+    It "Get User Local ($pester_userlocal) and confirm (via Confirm-FGTUserLocal)" {
+        $userlocal = Get-FGTUserLocal -name $pester_userlocal
+        Confirm-FGTUserLocal ($userlocal) | Should -Be $true
+    }
+
+    It "Get User Local with meta" {
         $userlocal = Get-FGTUserLocal -name $pester_userlocal -meta
         $userlocal.q_ref | Should -Not -BeNullOrEmpty
         $userlocal.q_static | Should -Not -BeNullOrEmpty
@@ -50,16 +60,6 @@ Describe "Get User Local" {
         $userlocal.q_class | Should -Not -BeNullOrEmpty
     }
 
-    It "Get User Local ($pester_userlocal)" {
-        $userlocal = Get-FGTUserLocal -name $pester_userlocal
-        $userlocal.name | Should -Be $pester_userlocal
-    }
-
-    It "Get User Local ($pester_userlocal) and confirm (via Confirm-FGTUserLocal)" {
-        $userlocal = Get-FGTUserLocal -name $pester_userlocal
-        Confirm-FGTUserLocal ($userlocal) | Should -Be $true
-    }
-
     Context "Search" {
 
         It "Search User Local by name ($pester_userlocal)" {
@@ -124,7 +124,7 @@ Describe "Add User Local" {
             #Add first userlocal
             Add-FGTUserLocal -Name $pester_userlocal -status -passwd $pester_userlocalpassword
             #Add Second userlocal with same name
-            { Add-FGTUserLocal -Name $pester_userlocal -status -passwd $pester_userlocalpassword } | Should -Throw "Already an Local User object using the same name"
+            { Add-FGTUserLocal -Name $pester_userlocal -status -passwd $pester_userlocalpassword } | Should -Throw "Already a Local User object using the same name"
         }
 
     }
@@ -139,7 +139,16 @@ Describe "Configure User Local" {
             Add-FGTUserLocal -Name $pester_userlocal -passwd $pester_userlocalpassword
         }
 
-        It "Change status User Local" {
+        It "Change status User Local to disable" {
+            Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -status:$false
+            $userlocal = Get-FGTUserLocal -name $pester_userlocal
+            $userlocal.name | Should -Be $pester_userlocal
+            $userlocal.status | Should -Be "disable"
+            $userlocal.'email-to' | Should -BeNullOrEmpty
+            $userlocal.'two-factor' | Should -Be "disable"
+        }
+
+        It "Change status User Local to enable" {
             Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -status
             $userlocal = Get-FGTUserLocal -name $pester_userlocal
             $userlocal.name | Should -Be $pester_userlocal
@@ -152,7 +161,7 @@ Describe "Configure User Local" {
             Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -email_to "[email protected]"
             $userlocal = Get-FGTUserLocal -name $pester_userlocal
             $userlocal.name | Should -Be $pester_userlocal
-            $userlocal.status | Should -Be "disable"
+            $userlocal.status | Should -Be "enable"
             $userlocal.'email-to' | Should -Be "[email protected]"
             $userlocal.'two-factor' | Should -Be "disable"
         }
@@ -161,16 +170,39 @@ Describe "Configure User Local" {
             Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -two_factor email
             $userlocal = Get-FGTUserLocal -name $pester_userlocal
             $userlocal.name | Should -Be $pester_userlocal
-            $userlocal.status | Should -Be "disable"
+            $userlocal.status | Should -Be "enable"
+            $userlocal.'email-to' | Should -Be "[email protected]"
+            $userlocal.'two-factor' | Should -Be "email"
+        }
+
+        It "Change Password (With FortiOS > 7.4.0)" -skip:($fgt_version -ge "7.4.0") {
+            Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -passwd $mywrongpassword
+            $userlocal = Get-FGTUserLocal -name $pester_userlocal
+            $userlocal.name | Should -Be $pester_userlocal
+            $userlocal.status | Should -Be "enable"
             $userlocal.'email-to' | Should -Be "[email protected]"
             $userlocal.'two-factor' | Should -Be "email"
         }
 
+        It "Try to Change Password (With FortiOS >= 7.4.0)" -skip:($fgt_version -lt "7.4.0") {
+            { Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -passwd $mywrongpassword } | Should -Throw "Can't change passwd with FortiOS > 7.4.0 (Need to use Set-FGTMonitorUserLocalChangePassword)"
+        }
+
+        It "Change Password (With FortiOS >= 7.4.0) with Set-FGTMonitorUserLocalChangePassword" -skip:($fgt_version -lt "7.4.0") {
+            Get-FGTUserLocal -name $pester_userlocal | Set-FGTMonitorUserLocalChangePassword -new_password $mywrongpassword
+            $userlocal = Get-FGTUserLocal -name $pester_userlocal
+            $userlocal.name | Should -Be $pester_userlocal
+        }
+
+        It "Try to Change Password (with FortiOS < 7.4.0) with Set-FGTMonitorUserLocalChangePassword" -skip:($fgt_version -ge "7.4.0") {
+            { Get-FGTUserLocal -name $pester_userlocal | Set-FGTMonitorUserLocalChangePassword -new_password $mywrongpassword } | Should -Throw "You need to use Set-FGTLocalUser -passwd..."
+        }
+
         It "Change Name" {
             Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -name "pester_userlocal_change"
             $userlocal = Get-FGTUserLocal -name "pester_userlocal_change"
             $userlocal.name | Should -Be "pester_userlocal_change"
-            $userlocal.status | Should -Be "disable"
+            $userlocal.status | Should -Be "enable"
             $userlocal.'email-to' | Should -Be "[email protected]"
             $userlocal.'two-factor' | Should -Be "email"
         }
@@ -180,7 +212,7 @@ Describe "Configure User Local" {
             Get-FGTUserLocal -name "pester_userlocal_change" | Set-FGTUserLocal -data $data
             $userlocal = Get-FGTUserLocal -name "pester_userlocal_change"
             $userlocal.name | Should -Be "pester_userlocal_change"
-            $userlocal.status | Should -Be "disable"
+            $userlocal.status | Should -Be "enable"
             $userlocal.'email-to' | Should -Be "[email protected]"
             $userlocal.'two-factor' | Should -Be "email"
         }