diff --git a/adapters/powershell/Tests/class_ps_resources_secret.dsc.yaml b/adapters/powershell/Tests/class_ps_resources_secret.dsc.yaml
new file mode 100644
index 000000000..59f7625ae
--- /dev/null
+++ b/adapters/powershell/Tests/class_ps_resources_secret.dsc.yaml
@@ -0,0 +1,29 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+$schema: https://aka.ms/dsc/schemas/v3/bundled/config/document.json
+parameters:
+ showSecrets:
+ type: bool
+ defaultValue: true
+ cred:
+ type: secureObject
+metadata:
+ Microsoft.DSC:
+ requiredSecurityContext: elevated # this is the default and just used as an example indicating this config works for admins and non-admins
+resources:
+- name: Working with classic DSC resources
+ type: Microsoft.DSC/PowerShell
+ properties:
+ resources:
+ - name: Class-resource Info
+ type: TestClassResource/TestClassResource
+ properties:
+ Name: TestClassResource1
+ Prop1: ValueForProp1
+ Credential: "[parameters('cred')]"
+- name: SecureObject
+ type: Microsoft.DSC.Debug/Echo
+ properties:
+ output: "[parameters('cred')]"
+ showSecrets: "[parameters('showSecrets')]"
diff --git a/adapters/powershell/Tests/class_ps_resources_secret.parameters.yaml b/adapters/powershell/Tests/class_ps_resources_secret.parameters.yaml
new file mode 100644
index 000000000..3397a1029
--- /dev/null
+++ b/adapters/powershell/Tests/class_ps_resources_secret.parameters.yaml
@@ -0,0 +1,4 @@
+parameters:
+ cred:
+ username: admin
+ password: {To be Ovveride}
\ No newline at end of file
diff --git a/adapters/powershell/psDscAdapter/psDscAdapter.psm1 b/adapters/powershell/psDscAdapter/psDscAdapter.psm1
index 1c22fb0b5..b251121e0
--- a/adapters/powershell/psDscAdapter/psDscAdapter.psm1
+++ b/adapters/powershell/psDscAdapter/psDscAdapter.psm1
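Review bot: `showSecrets` defaults to `true` on the `defaultValue: true` line, so running this document without a parameters file echoes the `cred` secureObject in clear text through the `Microsoft.DSC.Debug/Echo` resource; a test config whose purpose is to exercise secret handling should default to not revealing the secret and let the test opt in explicitly, `defaultValue: false`. The comment on the `requiredSecurityContext: elevated` line also contradicts the value it annotates: `elevated` restricts the document to an elevated session, so it is not what makes the config work "for admins and non-admins", and as far as I know the schema default is `current` rather than `elevated` — confirm against the document schema and either change the value to `current` or reword the comment to say the setting is only an example.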
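Review bot: `password: {To be Ovveride}` is parsed by YAML as a flow mapping with the single key `To be Ovveride` and a null value, not as a string, so unless the test harness rewrites this file before use the adapter receives a hashtable where it expects a password string. If this is a placeholder the harness substitutes, quote it so it round-trips as a string and fix the spelling, `password: "{To be Overridden}"`, or leave the value empty and state in a comment that the harness supplies it. The file also ends without a trailing newline, which the diff flags.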
@@ -467,7 +467,9 @@ function Invoke-DscOperation {
 "Credential object '$($_.Name)' requires both 'username' and 'password' properties" | Write-DscTrace -Operation Error
 exit 1
 }
- $dscResourceInstance.$($_.Name) = [System.Management.Automation.PSCredential]::new($_.Value.Username, (ConvertTo-SecureString -AsPlainText $_.Value.Password -Force))
+ $username = $_.Value.secureObject.username
+ $password = $_.Value.secureObject.password | ConvertTo-SecureString -AsPlainText -Force
+ $dscResourceInstance.$($_.Name) = [System.Management.Automation.PSCredential]::new($username, $password)
 } else {
 $dscResourceInstance.$($_.Name) = $_.Value.psobject.properties | ForEach-Object -Begin { $propertyHash = @{} } -Process { $propertyHash[$_.Name] = $_.Value } -End { $propertyHash }
diff --git a/adapters/powershell/psDscAdapter/win_psDscAdapter.psm1 b/adapters/powershell/psDscAdapter/win_psDscAdapter.psm1
index c206d89d9..cf9fff468
--- a/adapters/powershell/psDscAdapter/win_psDscAdapter.psm1
+++ b/adapters/powershell/psDscAdapter/win_psDscAdapter.psm1
@@ -298,6 +298,7 @@ function Get-DscResourceObject {
 return $desiredState
 }
+
 # Get the actual state using DSC Get method from any type of DSC resource
 function Invoke-DscOperation {
 param(
@@ -368,7 +369,11 @@ function Invoke-DscOperation {
 "Credential object '$($_.Name)' requires both 'username' and 'password' properties" | Write-DscTrace -Operation Error
 exit 1
 }
- $property.$($_.Name) = [System.Management.Automation.PSCredential]::new($_.Value.Username, (ConvertTo-SecureString -AsPlainText $_.Value.Password -Force))
+
+ $username = $_.Value.Username.secureString
+ $password = $_.Value.Password | ConvertTo-SecureString -AsPlainText -Force
+ $property.$($_.Name) = [System.Management.Automation.PSCredential]::new($username, $password)
+
 } else {
 $property.$($_.Name) = $_.Value.psobject.properties | ForEach-Object -Begin { $propertyHash = @{} } -Process { $propertyHash[$_.Name] = $_.Value } -End { $propertyHash }
 }
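Review bot: The new assignments read `$_.Value.secureObject.username` and `$_.Value.secureObject.password`, but the `if` guard that precedes them lies above this hunk and is not touched by the commit, so it presumably still tests `$_.Value.Username` and `$_.Value.Password`; with a secureObject-wrapped credential that guard takes the `exit 1` branch before the new lines ever run, and with an unwrapped credential the new lines build a PSCredential from `$null`. The guard should be changed the way hunk `@@ -418,11 +423,15 @@` of win_psDscAdapter.psm1 changes it: `if (-not $_.Value.secureObject.Username -or -not $_.Value.secureObject.Password) {`. The same gap applies to hunk `@@ -368,7 +369,11 @@` of win_psDscAdapter.psm1, whose guard is likewise outside the hunk. Invoke-DscOperation starts before and ends after this hunk.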
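Review bot: The access paths on the two new assignment lines, `$_.Value.Username.secureString` and `$_.Value.Password`, do not match the shape the other two hunks of this commit use (`$_.Value.secureObject.username` and `$_.Value.secureObject.password`); unless this Get path receives a differently shaped object, `$username` resolves to `$null` and the `[PSCredential]::new` call fails at runtime on an empty user name. Align it with the hunk at line 418 of this file: `$username = $_.Value.secureObject.username` and `$password = $_.Value.secureObject.password | ConvertTo-SecureString -AsPlainText -Force`. A one-line comment above the block naming the wrapper shape the adapter expects, e.g. `# secureObject parameters arrive as { secureObject: { username, password } } — confirm against the DSC adapter contract`, would keep the three copies of this block from drifting apart again. Invoke-DscOperation continues outside the hunk.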
@@ -418,11 +423,15 @@ function Invoke-DscOperation {
 $validateProperty = $cachedDscResourceInfo.Properties | Where-Object -Property Name -EQ $_.Name
 Write-DscTrace -Operation Debug -Message "Property type: $($validateProperty.PropertyType)"
 if ($validateProperty.PropertyType -eq 'PSCredential') {
- if (-not $_.Value.Username -or -not $_.Value.Password) {
+ if (-not $_.Value.secureObject.Username -or -not $_.Value.secureObject.Password) {
 "Credential object '$($_.Name)' requires both 'username' and 'password' properties" | Write-DscTrace -Operation Error
 exit 1
 }
+
+ $username = $_.Value.secureObject.username
+ $password = $_.Value.secureObject.password | ConvertTo-SecureString -AsPlainText -Force
+
+ $dscResourceInstance.$($_.Name) = [System.Management.Automation.PSCredential]::new($username, $password)
 } else {
 $dscResourceInstance.$($_.Name) = $_.Value.psobject.properties | ForEach-Object -Begin { $propertyHash = @{} } -Process { $propertyHash[$_.Name] = $_.Value } -End { $propertyHash }
 }
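Review bot: The updated guard accepts only the `secureObject` wrapper, but the error message on the following context line still says the object "requires both 'username' and 'password' properties", which misleads a user who supplied exactly those properties without the wrapper (as the new parameters test file does); reword it to name the expected shape, `"Credential object '$($_.Name)' must be a secureObject with 'username' and 'password' properties" | Write-DscTrace -Operation Error`. This guard-plus-construction block now exists three times across the two adapter modules with small differences between copies; moving it into one small helper per module that takes the property value and returns the PSCredential would keep the property paths and the check in a single place. Invoke-DscOperation starts before and ends after this hunk.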