[powershell]To exclude device from Tufin SecureChange

A real life usage of the device exclusion api.

 Monitoring, on the left panels are a list of your device, focus your mouse
cursor on the panel and type 't' with your keyboard, device id will appear.

This script is just to make exclusion slightly easy, if you do not have powershell ISE, download Postman (https://www.getpostman.com/).
Postman does the same thing as what this script does.
#>

#To ensure the powershell use tls version 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

#ignore certificate validation
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

#If you use this script the first time you need to create an encrypted password file.
function Obfuscate_Password($username){
    if ((Test-Path .\fwr_s.do) -eq $true) {
    $password = Get-Content ".\fwr_s.do" | ConvertTo-SecureString
    $credential = New-Object System.Management.Automation.PSCredential($username,$password)
    } else {
        Read-Host $username -AsSecureString | ConvertFrom-SecureString | Out-File -NoClobber .\fwr_s.do
        #This is to allow time for the file to be written, otherwise there is a possibility that invoke-restmethod will throw an exception that is really weird.
        #Eg. Invoke-RestMethod : You must write ContentLength bytes to the request stream before calling [Begin]GetResponse.
        Start-Sleep -Seconds 2
        $password = Get-Content ".\fwr_s.do" | ConvertTo-SecureString
        $credential = New-Object System.Management.Automation.PSCredential($username,$password)
        }
    return $credential.GetNetworkCredential().Password
}

#Tufin securechange exclude device API, add on the device id here
#Format is device_id where device_id is the id you saw using the method describe above.
$body = @"

    256
    257
    258
    259
    260
    261
    262
    263
    264
    265
    266
    267
    268
    269
    270
    271
    272
    273
    274
    275
    276
    277
    278
    279
    280
    281
    282
    283
    284
    285
    286
    287
    288
    289
    290
    291
    292
    293
    294
    295
    296
    297
    298
    299
    300
    301
    302
    303
    304
    305
    306
    321
    322
    323
    324
    325
    326
    327
    328
    329
    330
    331
    332
    333
    334
    335
    218
    220
    221
    222
    225
    226
    227
    228
    229
    230
    231
    232
    233
    234
    235
    236
    237
    238
    239
    240
    241
    244
    245
    246
    247
    248
    249
    250
    251
    252
    253
    254
    255
    191
    188
    192
    189
    190
    197
    195
    196
    198

"@

#To prepare the header for API call.
$usr = "admin"
$pwd = Obfuscate_Password($usr)
$cred = "${usr}:${pwd}"
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cred)
$base64 = [System.Convert]::ToBase64String($bytes)
$basicAuthValue = "Basic $base64"
$headers = @{ Authorization = $basicAuthValue }

#Now begins the call to update the exclusion list.
try {
   Invoke-RestMethod -Uri "https://cyruslab.local/securechangeworkflow/api/securechange/devices/excluded" -Method Put -Headers $headers  -ContentType "application/xml" -Body $body

    }
catch [System.Net.WebException] {
    Write-Host "StatusCode:" $_.Exception.Response.StatusCode.value__
    Write-Host "StatusDescription:" $_.Exception.Response.StatusDescription
    }