
FileSystemAccessRule: Does not work with PowerShell Certificate Paths #25

Open
EmperorArthur opened this issue Dec 9, 2024 · 0 comments

Comments

@EmperorArthur

Details of the scenario you tried and the problem that is occurring

I need to allow a machine certificate's private key to be read by certain users in a development environment.

Since certificates are a PowerShell path and have access rules, I thought this resource would work.

Currently I am using:

```powershell
Import-Module GuardedFabricTools
# GuardedFabricTools adds an .Acl property to certificate objects that exposes the private key's ACL
$certificate = Get-ChildItem "Cert:\LocalMachine\${CertStoreLocation}\${CertFingerprint}"
#$certificate.Acl = $certificate.Acl | Add-AccessRule "${UserName}" Read Allow
$acl = $certificate.Acl
$newFileSystemAccessRuleParameters = @{
    TypeName     = 'System.Security.AccessControl.FileSystemAccessRule'
    ArgumentList = @(
        "${UserName}",
        [System.Security.AccessControl.FileSystemRights] @('Read'),
        'None',   # InheritanceFlags: a private key has no children to inherit from it
        'None',   # PropagationFlags
        'Allow'
    )
}
$fileSystemAccessRule = New-Object @newFileSystemAccessRuleParameters
$acl.SetAccessRule($fileSystemAccessRule)
# The modified security descriptor must be written back; the .Acl setter does that
$certificate.Acl = $acl
```

Verbose logs showing the problem

```text
Method invocation failed because [System.Security.Cryptography.X509Certificates.X509Certificate2] does not contain a method named 'GetAccessControl'.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : MethodNotFound
    + PSComputerName        : localhost
```

Suggested solution to the issue

  1. Depend on GuardedFabricTools
  2. Update the Get-ACLAccess function to also check if .Acl is available if .GetAccessControl('Access') fails, and use that instead.
  3. Handle if System.Security.AccessControl.InheritanceFlags are not valid for an object.

`$certificate.Acl` is a `System.Security.AccessControl.FileSystemSecurity`, which is the same type as returned by `.GetAccessControl('Access')`.
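The fallback described in the suggested solution, written out as an added example (this is not code from the FileSystemDsc resource or from the issue author). It assumes GuardedFabricTools is imported, since that module is what gives `X509Certificate2` objects the `.Acl` property seen above; the function names `Get-ObjectAccessControl` and `Grant-ObjectReadAccess` are hypothetical. The ACL accessor is chosen by what the item actually exposes, inheritance flags are only set on containers, and the rule is added only when the identity does not already hold it, which is what a DSC `Test`/`Set` pair needs.

```powershell
# Added example: ACL lookup with an .Acl fallback for items that lack GetAccessControl().
# Assumes GuardedFabricTools is loaded (it supplies .Acl on certificate objects).
function Get-ObjectAccessControl {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # File system items expose GetAccessControl(); certificate objects do not.
    if ($item.PSObject.Methods['GetAccessControl']) {
        return $item.GetAccessControl('Access')
    }
    # GuardedFabricTools adds an .Acl script property that returns a FileSystemSecurity
    # for the certificate's private key.
    if ($item.PSObject.Properties['Acl']) {
        return $item.Acl
    }
    throw "No supported ACL accessor on '$Path' ($($item.GetType().FullName))."
}

# Grants Read to $Identity on $Path if not already present. Returns $true when a
# change was made, $false when the rule already existed (idempotent, like DSC Set).
function Grant-ObjectReadAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $acl  = Get-ObjectAccessControl -Path $Path

    # Inheritance and propagation flags are only valid on containers (directories).
    # A private key file has nothing beneath it, so both stay at None.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]::None
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    if ($item.PSIsContainer) {
        $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    }

    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $read, $inherit, $propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # Compare by SID so "user" and "MACHINE\user" resolve to the same principal.
    $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    $existing = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    if ($existing) {
        Write-Verbose "$Identity already has Read on $Path"
        return $false
    }

    if ($PSCmdlet.ShouldProcess($Path, "Grant Read to $Identity")) {
        # AddAccessRule merges with any existing rule for the identity instead of
        # replacing it, so other rights already granted are preserved.
        $acl.AddAccessRule($rule)
        if ($item.PSObject.Properties['Acl']) {
            $item.Acl = $acl                      # GuardedFabricTools setter writes the key ACL
        } else {
            Set-Acl -LiteralPath $Path -AclObject $acl
        }
        return $true
    }
    return $false
}

# Usage (values are placeholders):
# Grant-ObjectReadAccess -Path "Cert:\LocalMachine\My\<thumbprint>" -Identity 'svc-dev' -Verbose -WhatIf
```

Running with `-WhatIf` first shows which key ACL would change without touching it; the `$false` return on the already-present case is what lets a DSC `Test-TargetResource` report compliance instead of rewriting the descriptor on every run.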

The DSC configuration that is used to reproduce the issue (as detailed as possible)

```powershell
FileSystemAccessRule Cert {
    Identity = $ConfigurationData.Credentials.UserName
    Path     = "Cert:\LocalMachine\${CertStoreLocation}\${CertFingerprint}"
    Rights   = "Read"
    Ensure   = [Ensure]::Present
}
```

The operating system the target node is running

```text
OsName               : Microsoft Windows 10 Enterprise LTSC
OsOperatingSystemSKU : 125
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 19041.1.amd64fre.vb_release.191206-1406
OsLanguage           : en-US
OsMuiLanguages       : {en-US}
```

Version and build of PowerShell the target node is running

```text
Name                           Value
----                           -----
PSVersion                      5.1.19041.5129
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.5129
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```

Version of the DSC module that was used

1.1.1
