BREAKING CHANGE: CertReq: Improve certificate match selectivity #271
Conversation
…tched on Subject and Issuer
…te matching desired certificate template
Many situations require multiple certificates, for example DSC Encryption + private web server breaking change
An issue with 'GENERATE CONCEPTUAL HELP'; Looks environmental?
`"Unable to load shared library 'libmi' or one of its dependencies` Hoping that PSWSMan will satisfy dependency
`"Unable to load shared library 'libmi' or one of its dependencies` This won't be a problem using a Windows image, as per many of the other recently maintained DSC community modules
Codecov Report

```text
@@           Coverage Diff           @@
##           main     #271     +/-   ##
=======================================
  Coverage    84%      84%
=======================================
  Files         7        7
  Lines       929      933     +4
=======================================
+ Hits        786      790     +4
  Misses      143      143
```
…te FriendlyName comparison occurs. This is when Test-TargetResource is run with CertificateTemplate == 'DomainControllerAuthentication'. I would expect a DomainController to only have one maintained certificate used for DomainControllerAuthentication, rather than have multiple with distinct friendly names, so it seems fair to maintain this exception and include a specific test for this scenario.
When there were other non-SAN certificate extensions, the situation was treated as Current and Desired SANs do not match rather than there being no SANs
Hi @uw-dc - sorry about the delay. Looks great. Just some minor tweaks, nothing major.
Reviewed 2 of 5 files at r1, 1 of 1 files at r2, 3 of 3 files at r3, all commit messages.
Reviewable status: all files reviewed, 6 unresolved discussions (waiting on @uw-dc)
azure-pipelines.yml
line 27 at r3 (raw file):
```yaml
displayName: 'Package Module'
pool:
  vmImage: 'windows-latest'
```
We typically use ubuntu-latest for the package step. Not that it matters too much - but if there is a specific need then we should note it here (so I don't revert it later)
CHANGELOG.md
line 8 at r3 (raw file):
## [Unreleased] - CertReq:
Can you move under the `### Changed` section?
CHANGELOG.md
line 9 at r3 (raw file):
- CertReq: - Made Certificate FriendlyName a mandatory parameter (key) so multiple certificates with same issuer and subject can be configured in the same DSC configuration - Fixes [Issue #269](https://github.com/dsccommunity/CertificateDsc/issues/269)
Can you reduce the line length to less than 100 chars on this line and the next one?
CHANGELOG.md
line 9 at r3 (raw file):
- CertReq: - Made Certificate FriendlyName a mandatory parameter (key) so multiple certificates with same issuer and subject can be configured in the same DSC configuration - Fixes [Issue #269](https://github.com/dsccommunity/CertificateDsc/issues/269)
Can you include `BREAKING CHANGE:` at the beginning of these lines? This will tell the pipeline to increase the major version number.
source/DSCResources/DSC_CertReq/DSC_CertReq.psm1
line 202 at r3 (raw file):
```powershell
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object -FilterScript { (Compare-CertificateSubject -ReferenceSubject $_.Subject -DifferenceSubject $Subject) -and `
```
FYI: I like the improvement here - nice!
source/DSCResources/DSC_CertReq/en-US/DSC_CertReq.strings.psd1
line 17 at r3 (raw file):
```powershell
NoValidCertificateMessage = No valid certificate found with Subject '{0}', Issuer '{1}', FriendlyName '{2}' and CertificateTemplate '{3}'.
ExpiredCertificateMessage = The certificate found with Subject '{0}', Issuer '{1}', FriendlyName '{2}' and CertificateTemplate '{3}' has expired: {4}.
NoExistingSans = The certificate found with Subject '{0}', Issuer '{1}', FriendlyName '{2}' and CertificateTemplate '{3}' has no SANs, yet the following SANs are specified: {4}. Certificate has the Thumbprint '{5}'.
```
FYI: Consistency - Can you add `Message` to the end of the property name to differentiate it? Unless it is an error, then add "Error" - not a major thing as we clearly haven't been 100% consistent here.
tests/Unit/DSC_CertReq.Tests.ps1
line 1874 at r3 (raw file):
```powershell
-MockWith $mock_getCertificateTemplateName_validCertificateTemplate # Mock -CommandName Get-CertificateSubjectAlternativeName `
```
Can you remove commented out lines here (and throughout)?
tests/Unit/DSC_CertReq.Tests.ps1
line 1878 at r3 (raw file):
```powershell
It 'Should return true' { Test-TargetResource @paramsStandard -Verbose | Should -Be $true
```
Can you change to `Should -BeTrue` (and `Should -BeFalse`) and throughout.
…on Linux. The WSMan client libraries libmi.so/libmi.dylib were from the microsoft/omi repository. The OMI project is in maintenance mode and its team has decided not to support PowerShell anymore.
Sorry @uw-dc - will get onto this tonight.
Reviewed 5 of 5 files at r4, all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @uw-dc)
CHANGELOG.md
line 9 at r3 (raw file):
Previously, PlagueHO (Daniel Scott-Raynsford) wrote…
Can you reduce the line length to less than 100 chars on this line and the next one?
Thank you! You can also wrap if you want. For example:
- Made Certificate FriendlyName a mandatory parameter (key) so multiple
certificates with same issuer and subject can be configured in the same
DSC configuration - Fixes [Issue #269](https://github.com/dsccommunity/CertificateDsc/issues/269)
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @uw-dc)
Thank you for contributing this! We'll leave it in prerelease for a few weeks and then push it out as a new major version.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @uw-dc)
Pull Request (PR) description
Breaking Change: Support multiple certificates with the same `issuer` and `subject` by making `friendlyName` a mandatory (key) parameter. Prevent existing certificates with non-matching `friendlyName` and `template` being considered as existing desired certificates; this resolves problems where an incorrect existing certificate is compared with the desired state and `Test-TargetResource` consequentially returns `$false`.
This Pull Request (PR) fixes the following issues
Fixes Multiple certificates with the same name #121
Fixes CertReq resource cannot request multiple certificates with same subject name #269
Replaces PR CertReq: Add FriendlyName comparison #206
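A simplified PowerShell sketch of the selection rule the PR describes, added here as an example and not the CertificateDsc module's own code: `Compare-DistinguishedName`, `Select-DesiredCertificate`, and the constructed certificate objects are assumptions standing in for the module's `Compare-CertificateSubject` and the `Cert:\LocalMachine\My` store.

```powershell
# Stand-in (assumption) for the module's Compare-CertificateSubject: compares the
# RDN components of two distinguished names ignoring order and surrounding whitespace.
function Compare-DistinguishedName
{
    param ([string] $Reference, [string] $Difference)
    $ref  = ($Reference  -split ',' | ForEach-Object { $_.Trim() } | Sort-Object) -join ','
    $diff = ($Difference -split ',' | ForEach-Object { $_.Trim() } | Sort-Object) -join ','
    return $ref -eq $diff
}

# Selects the certificate the desired state refers to. Subject and Issuer alone are no
# longer enough; FriendlyName and template are part of the match. The one exception kept
# by the PR is the DomainControllerAuthentication template, where a DC is expected to hold
# a single such certificate, so the FriendlyName comparison is skipped there.
function Select-DesiredCertificate
{
    param (
        [object[]] $Store,      # constructed stand-in for Get-ChildItem -Path Cert:\LocalMachine\My
        [string]   $Subject,
        [string]   $Issuer,
        [string]   $FriendlyName,
        [string]   $CertificateTemplate
    )
    $skipFriendlyName = ($CertificateTemplate -eq 'DomainControllerAuthentication')
    $Store | Where-Object -FilterScript {
        (Compare-DistinguishedName -Reference $_.Subject -Difference $Subject) -and
        (Compare-DistinguishedName -Reference $_.Issuer  -Difference $Issuer)  -and
        ($skipFriendlyName -or ($_.FriendlyName -eq $FriendlyName)) -and
        ($_.Template -eq $CertificateTemplate)
    }
}

# Constructed sample store: two certificates with the same Subject and Issuer that differ
# only by FriendlyName and template (the "DSC Encryption + private web server" case).
$store = @(
    [pscustomobject]@{ Subject = 'CN=host.example.test'; Issuer = 'CN=Lab CA'; FriendlyName = 'DSC Encryption'; Template = 'DSCEncryption' }
    [pscustomobject]@{ Subject = 'CN=host.example.test'; Issuer = 'CN=Lab CA'; FriendlyName = 'Web Server';     Template = 'WebServer' }
)

# With Subject + Issuer only, the first entry could be returned for the web server request
# and Test-TargetResource would report $false; with FriendlyName and template in the filter
# each desired certificate resolves to exactly one store entry.
Select-DesiredCertificate -Store $store -Subject 'CN=host.example.test' -Issuer 'CN=Lab CA' `
    -FriendlyName 'Web Server' -CertificateTemplate 'WebServer' |
    Select-Object FriendlyName, Template
```

The SAN comparison the PR also tightens (reporting a mismatch only when the existing certificate actually carries SANs) is left out of this sketch.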
Task list
file CHANGELOG.md. Entry should say what was changed and how that
affects users (if applicable), and reference the issue being resolved
(if applicable).
and comment-based help.