-
Notifications
You must be signed in to change notification settings - Fork 240
/
Set-BcContainerKeyVaultAadAppAndCertificate.ps1
109 lines (100 loc) · 5.7 KB
/
Set-BcContainerKeyVaultAadAppAndCertificate.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
<#
.Synopsis
Import Certificate for Keyvault access to a BC Container
.Description
Import Certificate for Keyvault access to a BC Container
.Parameter containerName
Name of the container in which you want to import a certificate
.Parameter pfxFile
Path or secure url to the pfx certificate file which gives access to AAD app with clientId
.Parameter pfxPassword
Password for pfx certificate file which gives access to AAD app with clientId
.Parameter clientId
clientId of AAD app with access to Key Vault used in apps
.Parameter enablePublisherValidation
include this switch to disallow access to keyvault when running from VS Code (include for production)
.Parameter doNotRestartServiceTier
set this switch to defer restart of service tier
.Example
Set-BcContainerKeyVaultAadAppAndCertificate -containerName $containerName -pfxFile $pfxFile -pfxPassword $pfxPassword -clientId $clientId
#>
function Set-BcContainerKeyVaultAadAppAndCertificate {
Param(
[string] $containerName = $bcContainerHelperConfig.defaultContainerName,
[Parameter(Mandatory=$true)]
[string] $pfxFile,
[Parameter(Mandatory=$true)]
[SecureString] $pfxPassword,
[Parameter(Mandatory=$true)]
[string] $clientId,
[switch] $enablePublisherValidation,
[switch] $doNotRestartServiceTier
)
$telemetryScope = InitTelemetryScope -name $MyInvocation.InvocationName -parameterValues $PSBoundParameters -includeParameters @()
try {
$sharedPfxFile = Join-Path $bcContainerHelperConfig.hostHelperFolder "Extensions\$containerName\my\$([GUID]::NewGuid().ToString()).pfx"
$removeSharedPfxFile = $true
if ($pfxFile -like "https://*" -or $pfxFile -like "http://*") {
Write-Host "Downloading certificate file to container"
DownloadFileLow -sourceUrl $pfxFile -destinationFile $sharedPfxFile
}
else {
if (Get-BcContainerPath -containerName $containerName -path $pfxFile) {
$sharedPfxFile = $pfxFile
$removeSharedPfxFile = $false
}
else {
Write-Host "Copying certificate file to container"
Copy-Item -Path $pfxFile -Destination $sharedPfxFile -Force
}
}
try {
TestPfxCertificate -pfxFile $sharedPfxFile -pfxPassword $pfxPassword -certkind "KeyVault"
Invoke-ScriptInBcContainer -containerName $containerName -scriptblock { Param($pfxFile, $pfxPassword, $clientId, $enablePublisherValidation, $doNotRestartServiceTier)
# Set AzureKeyVaultAppSecretsPublisherValidationEnabled to false to avoid having to publish with PublisherAzureActiveDirectoryTenantId
Set-NAVServerConfiguration -ServerInstance $serverInstance -KeyName "AzureKeyVaultAppSecretsPublisherValidationEnabled" -KeyValue $enablePublisherValidation.ToString().ToLowerInvariant() -WarningAction SilentlyContinue
$importedPfxCertificate = Import-PfxCertificate -FilePath $pfxFile -Password $pfxPassword -CertStoreLocation Cert:\LocalMachine\My
Write-Host "Keyvault Certificate Thumbprint: $($importedPfxCertificate.Thumbprint)"
# Give SYSTEM permission to use the PFX file's private key
$keyName = $importedPfxCertificate.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName"
if ($PSVersionTable.PSVersion -ge "6.0.0") {
Import-Module Microsoft.PowerShell.Security -Force
$acl = [System.IO.FileSystemAclExtensions]::GetAccessControl([System.IO.DirectoryInfo]::new($keyPath), 'Access')
}
else {
$acl = (Get-Item $keyPath).GetAccessControl('Access')
}
$permission = 'NT AUTHORITY\SYSTEM',"Full","Allow"
$accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.AddAccessRule($accessRule)
Set-Acl $keyPath $acl
#$acl.Access
Set-NavServerConfiguration -ServerInstance $serverInstance -KeyName AzureKeyVaultClientCertificateStoreLocation -KeyValue "LocalMachine" -WarningAction SilentlyContinue
Set-NavServerConfiguration -ServerInstance $serverInstance -KeyName AzureKeyVaultClientCertificateStoreName -KeyValue "My" -WarningAction SilentlyContinue
Set-NavServerConfiguration -ServerInstance $serverInstance -KeyName AzureKeyVaultClientCertificateThumbprint -KeyValue $importedPfxCertificate.Thumbprint -WarningAction SilentlyContinue
Set-NavServerConfiguration -ServerInstance $serverInstance -KeyName AzureKeyVaultClientId -KeyValue $clientId -WarningAction SilentlyContinue
if (!$doNotRestartServiceTier) {
Write-Host "Restarting Service Tier"
Set-NAVServerInstance -ServerInstance $serverInstance -Restart
while (Get-NavTenant $serverInstance | Where-Object { $_.State -eq "Mounting" }) {
Start-Sleep -Seconds 1
}
}
} -argumentList (Get-BcContainerPath -containerName $containerName -path $sharedPfxFile), $pfxPassword, $clientId, $enablePublisherValidation, $doNotRestartServiceTier
}
finally {
if ($removeSharedPfxFile -and (Test-Path $sharedPfxFile)) {
Remove-Item -Path $sharedPfxFile -Force
}
}
}
catch {
TrackException -telemetryScope $telemetryScope -errorRecord $_
throw
}
finally {
TrackTrace -telemetryScope $telemetryScope
}
}
Export-ModuleMember -Function Set-BcContainerKeyVaultAadAppAndCertificate