@Gijsreyn
Contributor

PR Summary

This pull request adds support for [SecureString] in class-based DSC resources. Small remediation fix if a user uses the fully qualified property name on [PSCredential].

PR Context

Fix #1207.

@SteveL-MSFT SteveL-MSFT requested a review from Copilot October 24, 2025 16:51
Contributor

Copilot AI left a comment

Pull Request Overview

This pull request adds support for [SecureString] type properties in PowerShell class-based DSC resources and fixes handling of fully qualified PSCredential property types.

  • Adds conversion logic to handle [SecureString] properties by converting plain text values to secure strings
  • Updates PSCredential type checking to use wildcard matching for fully qualified type names
  • Adds test coverage for SecureString property handling

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| adapters/powershell/psDscAdapter/psDscAdapter.psm1 | Implements SecureString conversion logic and updates PSCredential type matching to handle fully qualified names |
| adapters/powershell/Tests/powershellgroup.resource.tests.ps1 | Adds test case to verify SecureString property processing |
| adapters/powershell/Tests/TestClassResource/0.0.1/TestClassResource.psm1 | Adds SecureStringProp property to test resource for validation |

# handle input objects by converting them to a hash table
$validateProperty = $cachedDscResourceInfo.Properties | Where-Object -Property Name -EQ $_.Name
if ($_.Value -is [System.Management.Automation.PSCustomObject]) {
$validateProperty = $cachedDscResourceInfo.Properties | Where-Object -Property Name -EQ $_.Name
Copilot AI Oct 24, 2025

The $validateProperty variable is being assigned twice - once at line 427 and again at line 429 inside the if block. This results in a redundant Where-Object query when the value is a PSCustomObject. Consider removing the duplicate assignment at line 429 since line 427 already retrieves the same value.

Suggested change
$validateProperty = $cachedDscResourceInfo.Properties | Where-Object -Property Name -EQ $_.Name

}
else {
$dscResourceInstance.$($_.Name) = $_.Value
if ($validateProperty -and $validateProperty.PropertyType -like '*SecureString' -and -not [string]::IsNullOrEmpty($_.Value)) {
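Review bot: On the last line of this hunk, `$validateProperty.PropertyType -like '*SecureString'` matches any property type whose name merely ends in SecureString, not only [SecureString] and [System.Security.SecureString]. Consider comparing against those two names explicitly (for example with -in) so that an unrelated type with the same suffix is not routed into the SecureString conversion branch.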
Copilot AI Oct 24, 2025

The condition checks for non-empty string values, but doesn't verify that $_.Value is actually a string type. If $_.Value is a different type (e.g., an integer or boolean), ConvertTo-SecureString -AsPlainText could fail or produce unexpected results. Consider adding a type check to ensure $_.Value -is [string] before attempting the conversion.

Suggested change
if ($validateProperty -and $validateProperty.PropertyType -like '*SecureString' -and -not [string]::IsNullOrEmpty($_.Value)) {
if ($validateProperty -and $validateProperty.PropertyType -like '*SecureString' -and $_.Value -is [string] -and -not [string]::IsNullOrEmpty($_.Value)) {

@Gijsreyn Gijsreyn force-pushed the gh-1207/main/fix-support-securestring branch from 5e08a3e to cc35c35 Compare October 25, 2025 00:24
@Gijsreyn Gijsreyn requested a review from SteveL-MSFT October 25, 2025 00:29
Development

Successfully merging this pull request may close these issues.

PowerShell adapter doesn't support [System.Security.SecureString]