BREAKING CHANGE: CertReq: Improve certificate match selectivity

[uw-dc]

Pull Request (PR) description

Breaking Change: Support multiple certificates with the same issuer and subject by making friendlyName a mandatory (key) parameter

Prevent existing certificates with non-matching friendlyName and template being considered as existing desired certificates; This resolves problems where an incorrect existing certificate is compared with the desired state and Test-TargetResource consequentially returns $false.

This Pull Request (PR) fixes the following issues

• Fixes Multiple certificates with the same name #121

• Fixes CertReq resource cannot request multiple certificates with same subject name #269

• Replaces PR CertReq: Add FriendlyName comparison #206

Task list

• Added an entry to the change log under the Unreleased section of the
  file CHANGELOG.md. Entry should say what was changed and how that
  affects users (if applicable), and reference the issue being resolved
  (if applicable).
• Resource documentation added/updated in README.md.
• Resource parameter descriptions added/updated in README.md, schema.mof
  and comment-based help.
• Comment-based help added/updated.
• Localization strings added/updated in all localization files as appropriate.
• Examples appropriately added/updated.
• Unit tests added/updated. See DSC Community Testing Guidelines.
• Integration tests added/updated (where possible). See DSC Community Testing Guidelines.
• New/changed code adheres to DSC Community Style Guidelines.

---

This change is 

[uw-dc]

An issue with 'GENERATE CONCEPTUAL HELP'; Looks environmental?

ERROR: Failed to import classes from file /home/vsts/work/1/s/source/DSCResources/DSC_CertificateExport/DSC_CertificateExport.schema.mof. Error Exception calling "ImportClasses" with "3" argument(s): "Unable to load shared library 'libmi' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: liblibmi: cannot open shared object file: No such file or directory"
At /home/vsts/work/1/s/output/RequiredModules/DscResource.DocGenerator/0.11.1/DscResource.DocGenerator.psm1:1486 char:9
+         throw "Failed to import classes from file $FileName. Error $_ …
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"Unable to load shared library 'libmi' or one of its dependencies

[codecov]

Codecov Report

Merging #271 (f94fb00) into main (137a69f) will increase coverage by 0%.
The diff coverage is 100%.

@@         Coverage Diff         @@
##           main   #271   +/-   ##
===================================
  Coverage    84%    84%           
===================================
  Files         7      7           
  Lines       929    933    +4     
===================================
+ Hits        786    790    +4     
  Misses      143    143           

Impacted Files	Coverage Δ
source/DSCResources/DSC_CertReq/DSC_CertReq.psm1	100% <100%> (ø)

[uw-dc]

@PlagueHO

Is it possible please to get a review on this?
It would be really good for us to resolve the issues this PR covers as issue #121 is affecting our production hosts.

Thank you.

[PlagueHO]

Hi @uw-dc - sorry about the delay. Looks great. Just some minor tweaks, nothing major.

Reviewed 2 of 5 files at r1, 1 of 1 files at r2, 3 of 3 files at r3, all commit messages.
Reviewable status: all files reviewed, 6 unresolved discussions (waiting on @uw-dc)

---

azure-pipelines.yml line 27 at r3 (raw file):

        displayName: 'Package Module'
        pool:
          vmImage: 'windows-latest'

We typically use ubuntu-latest for the package step. Not that it matters too much - but if there is a specific need then we should note it here (so I don't revert it later)

---

CHANGELOG.md line 8 at r3 (raw file):

## [Unreleased]

- CertReq:

Can you move under the ### Changed section`?

---

CHANGELOG.md line 9 at r3 (raw file):

- CertReq:
  - Made Certificate FriendlyName a mandatory parameter (key) so multiple certificates with same issuer and subject can be configured in the same DSC configuration - Fixes [Issue #269](https://github.com/dsccommunity/CertificateDsc/issues/269)

Can you reduce the line length to less than 100 chars on this line and the next one?

---

CHANGELOG.md line 9 at r3 (raw file):

- CertReq:
  - Made Certificate FriendlyName a mandatory parameter (key) so multiple certificates with same issuer and subject can be configured in the same DSC configuration - Fixes [Issue #269](https://github.com/dsccommunity/CertificateDsc/issues/269)

Can you include BREAKING CHANGE: at the beginning of these lines? This will tell the pipeline to increase the major version number.

---

source/DSCResources/DSC_CertReq/DSC_CertReq.psm1 line 202 at r3 (raw file):

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object -FilterScript {
            (Compare-CertificateSubject -ReferenceSubject $_.Subject -DifferenceSubject $Subject) -and `

FYI: I like the improvement here - nice!

---

source/DSCResources/DSC_CertReq/en-US/DSC_CertReq.strings.psd1 line 17 at r3 (raw file):

    NoValidCertificateMessage = No valid certificate found with Subject '{0}', Issuer '{1}', FriendlyName '{2}' and CertificateTemplate '{3}'.
    ExpiredCertificateMessage = The certificate found with Subject '{0}', Issuer '{1}', FriendlyName '{2}' and CertificateTemplate '{3}' has expired: {4}.
    NoExistingSans = The certificate found with Subject '{0}', Issuer '{1}', FriendlyName '{2}' and CertificateTemplate '{3}' has no SANs, yet the following SANs are specified: {4}. Certificate has the Thumbprint '{5}'.

FYI: Consistency - Can you add Message to the end of the property name to differentiate it? Unless it is an error then add "Error" - not a major thing as we clearly haven't been 100% consistent here.

---

tests/Unit/DSC_CertReq.Tests.ps1 line 1874 at r3 (raw file):

                    -MockWith $mock_getCertificateTemplateName_validCertificateTemplate

                # Mock -CommandName Get-CertificateSubjectAlternativeName `

Can you remove commented out lines here (and throughout)?

---

tests/Unit/DSC_CertReq.Tests.ps1 line 1878 at r3 (raw file):

                It 'Should return true' {
                    Test-TargetResource @paramsStandard -Verbose | Should -Be $true

Can you change to Should -BeTrue (and Should -BeFalse) and throughout.

[PlagueHO]

Sorry @uw-dc - will get onto this tonight.

[PlagueHO]

Reviewed 5 of 5 files at r4, all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @uw-dc)

---

CHANGELOG.md line 9 at r3 (raw file):

Previously, PlagueHO (Daniel Scott-Raynsford) wrote…

Can you reduce the line length to less than 100 chars on this line and the next one?

Thank you! You can also wrap if you want. For example:

 - Made Certificate FriendlyName a mandatory parameter (key) so multiple
   certificates with same issuer and subject can be configured in the same
   DSC configuration - Fixes [Issue #269](https://github.com/dsccommunity/CertificateDsc/issues/269)

[PlagueHO]

Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @uw-dc)

[PlagueHO]

Thank you for contributing this! We'll leave it in prerelease for a few weeks and then once we'll push it out as a new major version.

Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @uw-dc)