Add tests for password retrieval and udpate

petrsnd · petrsnd · commit aa58b28430a4 · 2026-04-24T15:15:42.000-06:00
diff --git a/TestFramework/SafeguardTestFramework.psm1 b/TestFramework/SafeguardTestFramework.psm1
@@ -519,10 +519,11 @@ function Invoke-SgJSafeguardSessions {
 function Invoke-SgJSafeguardA2a {
     <#
     .SYNOPSIS
-        Convenience wrapper for listing A2A retrievable accounts via SafeguardJavaTool.
+        Convenience wrapper for A2A operations via SafeguardJavaTool.
     .DESCRIPTION
-        Creates an A2A context using a client certificate and retrieves retrievable accounts,
-        optionally applying a server-side SCIM filter.
+        Creates an A2A context using a client certificate and performs one of:
+        listing retrievable accounts (with optional SCIM filter), retrieving
+        a password, or setting a password.
     #>
     [CmdletBinding()]
     param(
@@ -538,26 +539,63 @@ function Invoke-SgJSafeguardA2a {
         [Parameter()]
         [string]$Filter,
 
+        [Parameter()]
+        [string]$ApiKey,
+
+        [Parameter()]
+        [switch]$RetrievePassword,
+
+        [Parameter()]
+        [switch]$SetPassword,
+
+        [Parameter()]
+        [string]$NewPassword,
+
         [Parameter()]
         [bool]$ParseJson = $true
     )
 
     if (-not $Context) { $Context = Get-SgJTestContext }
 
-    $toolArgs = "-a $($Context.Appliance) -x --retrievable-accounts -c `"$CertificateFile`""
+    $stdinLines = @()
 
-    if ($CertificatePassword) {
-        $toolArgs += " -p"
+    if ($RetrievePassword) {
+        if (-not $ApiKey) { throw "Invoke-SgJSafeguardA2a: -ApiKey is required for -RetrievePassword" }
+        $toolArgs = "-a $($Context.Appliance) -x --retrieve-password --api-key `"$ApiKey`" -c `"$CertificateFile`""
+        if ($CertificatePassword) {
+            $toolArgs += " -p"
+            $stdinLines += $CertificatePassword
+        }
+        Write-Verbose "Invoke-SgJSafeguardA2a: retrieve-password"
+        $stdinLine = if ($stdinLines.Count -gt 0) { $stdinLines -join "`n" } else { $null }
+        return Invoke-SgJSafeguardTool -Arguments $toolArgs -StdinLine $stdinLine -ParseJson $false
     }
-
-    if ($Filter) {
-        $toolArgs += " --filter `"$Filter`""
+    elseif ($SetPassword) {
+        if (-not $ApiKey) { throw "Invoke-SgJSafeguardA2a: -ApiKey is required for -SetPassword" }
+        if (-not $NewPassword) { throw "Invoke-SgJSafeguardA2a: -NewPassword is required for -SetPassword" }
+        $toolArgs = "-a $($Context.Appliance) -x --set-password --api-key `"$ApiKey`" -c `"$CertificateFile`""
+        if ($CertificatePassword) {
+            $toolArgs += " -p"
+            $stdinLines += $CertificatePassword
+        }
+        $stdinLines += $NewPassword
+        Write-Verbose "Invoke-SgJSafeguardA2a: set-password"
+        $stdinLine = $stdinLines -join "`n"
+        return Invoke-SgJSafeguardTool -Arguments $toolArgs -StdinLine $stdinLine -ParseJson $false
+    }
+    else {
+        $toolArgs = "-a $($Context.Appliance) -x --retrievable-accounts -c `"$CertificateFile`""
+        if ($CertificatePassword) {
+            $toolArgs += " -p"
+            $stdinLines += $CertificatePassword
+        }
+        if ($Filter) {
+            $toolArgs += " --filter `"$Filter`""
+        }
+        Write-Verbose "Invoke-SgJSafeguardA2a: retrievable-accounts"
+        $stdinLine = if ($stdinLines.Count -gt 0) { $stdinLines -join "`n" } else { $null }
+        return Invoke-SgJSafeguardTool -Arguments $toolArgs -StdinLine $stdinLine -ParseJson $ParseJson
     }
-
-    Write-Verbose "Invoke-SgJSafeguardA2a: $toolArgs"
-
-    $stdinLine = if ($CertificatePassword) { $CertificatePassword } else { $null }
-    return Invoke-SgJSafeguardTool -Arguments $toolArgs -StdinLine $stdinLine -ParseJson $ParseJson
 }
 
 function Test-SgJSpsConfigured {
diff --git a/TestFramework/Suites/Suite-A2ARetrievableAccounts.ps1 b/TestFramework/Suites/Suite-A2ARetrievableAccounts.ps1
@@ -164,6 +164,7 @@
             -RelativeUrl "AssetAccounts/$($account.Id)/Password" `
             -Username $adminUser -Password $adminPassword `
             -Body "'TestA2aPassword123!'" -ParseJson $false
+        $Context.SuiteData["AccountPassword"] = "TestA2aPassword123!"
 
         # 9. Create A2A registration linked to certificate user
         Write-Host "    Creating A2A registration '$regName'..." -ForegroundColor DarkGray
@@ -224,11 +225,16 @@
             Test-SgJSkip "Filter with no matches returns empty list" "Test certificates not found"
             Test-SgJSkip "Invalid filter property gives useful error" "Test certificates not found"
             Test-SgJSkip "Malformed filter expression gives useful error" "Test certificates not found"
+            Test-SgJSkip "A2A retrieve password via PFX" "Test certificates not found"
+            Test-SgJSkip "A2A set password via PFX and verify" "Test certificates not found"
+            Test-SgJSkip "A2A retrieve password with bad API key fails" "Test certificates not found"
             return
         }
 
         $accountName = $Context.SuiteData["AccountName"]
         $accountId = $Context.SuiteData["AccountId"]
+        $apiKey = $Context.SuiteData["ApiKey"]
+        $originalPassword = $Context.SuiteData["AccountPassword"]
 
         # --- Unfiltered listing ---
 
@@ -301,6 +307,44 @@
             }
             $threw
         }
+
+        # --- Credential retrieval ---
+
+        Test-SgJAssert "A2A retrieve password via PFX" {
+            $result = Invoke-SgJSafeguardA2a -Context $Context `
+                -CertificateFile $Context.UserPfx -CertificatePassword "a" `
+                -ApiKey $apiKey -RetrievePassword
+            $result.Trim() -eq $originalPassword
+        }
+
+        Test-SgJAssert "A2A set password via PFX and verify" {
+            $updatedPassword = "UpdatedA2aPass456!@#"
+            Invoke-SgJSafeguardA2a -Context $Context `
+                -CertificateFile $Context.UserPfx -CertificatePassword "a" `
+                -ApiKey $apiKey -SetPassword -NewPassword $updatedPassword
+            $retrieved = Invoke-SgJSafeguardA2a -Context $Context `
+                -CertificateFile $Context.UserPfx -CertificatePassword "a" `
+                -ApiKey $apiKey -RetrievePassword
+            $retrieved.Trim() -eq $updatedPassword
+        }
+
+        Test-SgJAssert "A2A retrieve password with bad API key fails" {
+            $threw = $false
+            try {
+                Invoke-SgJSafeguardA2a -Context $Context `
+                    -CertificateFile $Context.UserPfx -CertificatePassword "a" `
+                    -ApiKey "00000000-0000-0000-0000-000000000000" -RetrievePassword
+            }
+            catch {
+                $threw = ($_.Exception.Message -match "404" -or
+                          $_.Exception.Message -match "NotFound" -or
+                          $_.Exception.Message -match "not found" -or
+                          $_.Exception.Message -match "403" -or
+                          $_.Exception.Message -match "Forbidden" -or
+                          $_.Exception.Message -match "Error")
+            }
+            $threw
+        }
     }
 
     Cleanup = {
diff --git a/tests/safeguardjavaclient/src/main/java/com/oneidentity/safeguard/safeguardclient/SafeguardJavaClient.java b/tests/safeguardjavaclient/src/main/java/com/oneidentity/safeguard/safeguardclient/SafeguardJavaClient.java
@@ -67,8 +67,8 @@ public static void main(String[] args) {
                 return;
             }
 
-            if (opts.retrievableAccounts) {
-                handleRetrievableAccounts(opts);
+            if (opts.retrievableAccounts || opts.retrievePassword || opts.setPassword) {
+                handleA2aOperation(opts);
                 System.exit(0);
                 return;
             }
@@ -178,35 +178,55 @@ private static String handleStreamingRequest(ToolOptions opts, ISafeguardConnect
         }
     }
 
-    private static void handleRetrievableAccounts(ToolOptions opts) throws Exception {
-        char[] password = null;
+    private static void handleA2aOperation(ToolOptions opts) throws Exception {
+        Scanner stdinScanner = new Scanner(System.in);
+
+        char[] certPassword = null;
         if (opts.readPassword) {
             System.err.print("Password: ");
-            password = new Scanner(System.in).nextLine().toCharArray();
+            certPassword = stdinScanner.nextLine().toCharArray();
         }
 
         ISafeguardA2AContext a2aContext;
         if (opts.certificateFile != null) {
             System.err.println("Creating A2A context for " + opts.appliance + " with certificate file " + opts.certificateFile);
-            a2aContext = Safeguard.A2A.getContext(opts.appliance, opts.certificateFile, password, null, opts.insecure);
+            a2aContext = Safeguard.A2A.getContext(opts.appliance, opts.certificateFile, certPassword, null, opts.insecure);
         } else if (opts.thumbprint != null) {
             System.err.println("Creating A2A context for " + opts.appliance + " with thumbprint " + opts.thumbprint);
             a2aContext = Safeguard.A2A.getContext(opts.appliance, opts.thumbprint, null, opts.insecure);
         } else {
             throw new IllegalArgumentException(
-                    "--retrievable-accounts requires a certificate (-c or -t).");
+                    "A2A operations require a certificate (-c or -t).");
         }
 
         try {
-            List<IA2ARetrievableAccount> accounts;
-            if (opts.filter != null && opts.filter.length() > 0) {
-                System.err.println("Retrieving accounts with filter: " + opts.filter);
-                accounts = a2aContext.getRetrievableAccounts(opts.filter);
-            } else {
-                System.err.println("Retrieving all accounts");
-                accounts = a2aContext.getRetrievableAccounts();
+            if (opts.retrievableAccounts) {
+                List<IA2ARetrievableAccount> accounts;
+                if (opts.filter != null && opts.filter.length() > 0) {
+                    System.err.println("Retrieving accounts with filter: " + opts.filter);
+                    accounts = a2aContext.getRetrievableAccounts(opts.filter);
+                } else {
+                    System.err.println("Retrieving all accounts");
+                    accounts = a2aContext.getRetrievableAccounts();
+                }
+                System.out.println(mapper.writeValueAsString(accounts));
+            } else if (opts.retrievePassword) {
+                if (opts.apiKey == null || opts.apiKey.length() == 0) {
+                    throw new IllegalArgumentException("--retrieve-password requires --api-key");
+                }
+                System.err.println("Retrieving password via A2A");
+                char[] password = a2aContext.retrievePassword(opts.apiKey.toCharArray());
+                System.out.println(new String(password));
+            } else if (opts.setPassword) {
+                if (opts.apiKey == null || opts.apiKey.length() == 0) {
+                    throw new IllegalArgumentException("--set-password requires --api-key");
+                }
+                System.err.print("New password: ");
+                char[] newPassword = stdinScanner.nextLine().toCharArray();
+                System.err.println("Setting password via A2A");
+                a2aContext.SetPassword(opts.apiKey.toCharArray(), newPassword);
+                System.out.println("OK");
             }
-            System.out.println(mapper.writeValueAsString(accounts));
         } finally {
             a2aContext.dispose();
         }
diff --git a/tests/safeguardjavaclient/src/main/java/com/oneidentity/safeguard/safeguardclient/ToolOptions.java b/tests/safeguardjavaclient/src/main/java/com/oneidentity/safeguard/safeguardclient/ToolOptions.java
@@ -111,6 +111,18 @@ public class ToolOptions {
         description = "SCIM-style filter for A2A retrievable accounts (e.g. \"AccountName eq 'admin'\")")
     String filter;
 
+    @Option(names = {"--retrieve-password"}, defaultValue = "false",
+        description = "Retrieve a password via A2A (requires -c or -t, and --api-key)")
+    boolean retrievePassword;
+
+    @Option(names = {"--set-password"}, defaultValue = "false",
+        description = "Set a password via A2A (requires -c or -t, --api-key, and --new-password via stdin)")
+    boolean setPassword;
+
+    @Option(names = {"--api-key"},
+        description = "A2A API key for credential retrieval or set operations")
+    String apiKey;
+
     @Option(names = {"--sps"}, defaultValue = "false",
         description = "Connect to Safeguard for Privileged Sessions (SPS) instead of SPP")
     boolean sps;
