Merge db517d6 into b0f2d43

Author: rcpokorny

CHANGELOG.md

@@ -1,3 +1,8 @@
+2.6.1
+* documentation updates for the 2.6 release
+* fix a naming typo in the 2.5 migration SQL script
+* update integration-manifest.json
+
 2.6.0
 * Added the ability to run the extension in a Linux environment.  To utilize this change, for each Cert Store Types (WinCert/WinIIS/WinSQL), add ssh to the Custom Field <b>WinRM Protocol</b>.  When using ssh as a protocol, make sure to enter the appropriate ssh port number under WinRM Port.
 * NOTE: For legacy purposes the Display names WinRM Protocol and WinRM Port are maintained although the type of protocols now includes ssh.

IISU/ImplementedStoreTypes/WinIIS/IISBindingInfo.cs

@@ -42,13 +42,22 @@ public IISBindingInfo(Dictionary<string, object> bindingInfo)
 
         private string MigrateSNIFlag(string input)
         {
-            // Check if the input is numeric, if so, just return it as an integer
             if (int.TryParse(input, out int numericValue))
             {
                 return numericValue.ToString();
             }
 
-            if (string.IsNullOrEmpty(input)) { throw new ArgumentNullException("SNI/SSL Flag", "The SNI or SSL Flag flag must not be empty or null."); }
+            if (string.IsNullOrEmpty(input))
+                throw new ArgumentNullException("SNI/SSL Flag", "The SNI or SSL Flag must not be empty or null.");
+
+            // Normalize input
+            var trimmedInput = input.Trim().ToLowerInvariant();
+
+            // Handle boolean values
+            if (trimmedInput == "true")
+                return "1";
+            if (trimmedInput == "false")
+                return "0";
 
             // Handle the string cases
             switch (input.ToLower())

IISU/ImplementedStoreTypes/WinIIS/Inventory.cs

@@ -107,7 +107,7 @@ public JobResult ProcessJob(InventoryJobConfiguration jobConfiguration, SubmitIn
             {
                 _logger.LogTrace(LogHandler.FlattenException(ex));
 
-                var failureMessage = $"Inventory job failed for Site '{jobConfiguration.CertificateStoreDetails.StorePath}' on server '{jobConfiguration.CertificateStoreDetails.ClientMachine}' with error: '{LogHandler.FlattenException(ex)}'";
+                var failureMessage = $"Inventory job failed for Site '{jobConfiguration.CertificateStoreDetails.StorePath}' on server '{jobConfiguration.CertificateStoreDetails.ClientMachine}' with error: '{ex.Message}'";
                 _logger.LogWarning(failureMessage);
 
                 return new JobResult

IISU/ImplementedStoreTypes/WinIIS/Management.cs

@@ -103,13 +103,16 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                                 {
                                     string newThumbprint = AddCertificate(certificateContents, privateKeyPassword, cryptoProvider);
                                     _logger.LogTrace($"Completed adding the certificate to the store");
+                                    _logger.LogTrace($"New thumbprint: {newThumbprint}");
 
                                     // Bind Certificate to IIS Site
                                     if (newThumbprint != null)
                                     {
                                         IISBindingInfo bindingInfo = new IISBindingInfo(config.JobProperties);
                                         WinIISBinding.BindCertificate(_psHelper, bindingInfo, newThumbprint, "", _storePath);
 
+                                        _logger.LogTrace("Returned after binding certificate to store");
+
                                         complete = new JobResult
                                         {
                                             Result = OrchestratorJobStatusJobResult.Success,

IISU/ImplementedStoreTypes/WinIIS/WinIISBinding.cs

@@ -49,25 +49,39 @@ public static void BindCertificate(PSHelper psHelper, IISBindingInfo bindingInfo
             // Optional parameters
             if (!string.IsNullOrEmpty(bindingInfo.HostName)) { parameters.Add("HostName", bindingInfo.HostName); }
 
-            _results = psHelper.ExecutePowerShell("New-KFIISSiteBinding", parameters);      // returns true if successful
-            _logger.LogTrace("Returned from executing PS function (New-KFIISSiteBinding)");
-
-            // This should return the thumbprint of the certificate
-            if (_results != null && _results.Count > 0)
+            try
             {
-                bool success = _results[0].BaseObject is bool value && value;
-                if (success)
+                _results = psHelper.ExecutePowerShell("New-KFIISSiteBinding", parameters);      // returns true if successful
+                _logger.LogTrace("Returned from executing PS function (New-KFIISSiteBinding)");
+
+                if (_results != null && _results.Count > 0)
                 {
-                    _logger.LogTrace($"Bound certificate with the thumbprint: '{thumbprint}' to site: '{bindingInfo.SiteName}' successfully.");
-                    return;
+                    var baseObject = _results[0]?.BaseObject;
+                    if (baseObject is bool value)
+                    {
+                        if (value)
+                        {
+                            _logger.LogTrace($"Bound certificate with the thumbprint: '{thumbprint}' to site: '{bindingInfo.SiteName}' successfully.");
+                        }
+                        else
+                        {
+                            _logger.LogTrace("Something happened and the binding failed.");
+                        }
+                    }
+                    else
+                    {
+                        _logger.LogWarning("Unexpected result type returned from script: " + baseObject?.GetType().Name);
+                    }
                 }
                 else
                 {
-                    _logger.LogTrace("Something happened and the binding failed.");
+                    _logger.LogWarning("PowerShell script returned no results.");
                 }
             }
-
-            throw new Exception($"An unknown error occurred while attempting to bind thumbprint: {thumbprint} to site: '{bindingInfo.SiteName}'. \nCheck the UO Logs for more information.");
+            catch (Exception ex)
+            {
+                throw new Exception($"An unknown error occurred while attempting to bind thumbprint: {thumbprint} to site: '{bindingInfo.SiteName}'. \n{ex.Message}");
+            }
         }
 
         public static bool UnBindCertificate(PSHelper psHelper, IISBindingInfo bindingInfo)

IISU/PSHelper.cs

@@ -102,6 +102,8 @@ public PSHelper(string protocol, string port, bool useSPN, string clientMachineN
         public void Initialize()
         {
             _logger.LogTrace("Entered PSHelper.Initialize()");
+            _logger.LogTrace($"PowerShell SDK Location: {typeof(System.Management.Automation.PowerShell).Assembly.Location}");
+            _logger.LogTrace($".NET Runtime Version: {RuntimeInformation.FrameworkDescription}");
 
             PS = PowerShell.Create();
 
@@ -181,20 +183,28 @@ private void InitializeRemoteSession()
             else
             {
                 _logger.LogTrace("Initializing WinRM connection");
-                var pw = new NetworkCredential(serverUserName, serverPassword).SecurePassword;
-                PSCredential myCreds = new PSCredential(serverUserName, pw);
+                try
+                {
+                    var pw = new NetworkCredential(serverUserName, serverPassword).SecurePassword;
+                    PSCredential myCreds = new PSCredential(serverUserName, pw);
 
-                // Create the PSSessionOption object
-                var sessionOption = new PSSessionOption
+                    // Create the PSSessionOption object
+                    var sessionOption = new PSSessionOption
+                    {
+                        IncludePortInSPN = useSPN
+                    };
+
+                    PS.AddCommand("New-PSSession")
+                    .AddParameter("ComputerName", ClientMachineName)
+                    .AddParameter("Port", port)
+                    .AddParameter("Credential", myCreds)
+                    .AddParameter("SessionOption", sessionOption);
+                }
+                catch (Exception)
                 {
-                    IncludePortInSPN = useSPN
-                };
+                    throw new Exception("Problems establishing network credentials.  Please check the User name and Password for the Certificate Store");
+                }
 
-                PS.AddCommand("New-PSSession")
-                .AddParameter("ComputerName", ClientMachineName)
-                .AddParameter("Port", port)
-                .AddParameter("Credential", myCreds)
-                .AddParameter("SessionOption", sessionOption);
             }
 
             using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));

IISU/PowerShellScripts/WinCertScripts.ps1

@@ -311,37 +311,17 @@ function Remove-KFCertificateFromStore {
 
 function New-KFIISSiteBinding{
     param (
-        [Parameter(Mandatory = $True)]   $SiteName,        # The name of the IIS site
-        [Parameter(Mandatory = $True)]   $IPAddress,       # The IP Address for the binding
-        [Parameter(Mandatory = $True)]   $Port,            # The port number for the binding
-        [Parameter(Mandatory = $False)]  $Hostname,        # Host name for the binding (if any)
-        [Parameter(Mandatory = $True)]   $Protocol,        # Protocol (e.g., HTTP, HTTPS)
-        [Parameter(Mandatory = $True)]   $Thumbprint,      # Certificate thumbprint for HTTPS bindings
-        [Parameter(Mandatory = $True)]   $StoreName,       # Certificate store location (e.g., ""My"" for personal certs)
-        [Parameter(Mandatory = $True)]   $SslFlags         # SSL flags (if any)
+        [Parameter(Mandatory = $true)]
+        [string]$SiteName,        # The name of the IIS site
+        $IPAddress,       # The IP Address for the binding
+        $Port,            # The port number for the binding
+        $Hostname,        # Hostname for the binding (if any)
+        $Protocol,        # Protocol (e.g., HTTP, HTTPS)
+        $Thumbprint,      # Certificate thumbprint for HTTPS bindings
+        $StoreName,       # Certificate store location (e.g., ""My"" for personal certs)
+        $SslFlags         # SSL flags (if any)
     )
 
-    Write-Debug "Attempting to import modules WebAdministration and IISAdministration"
-    try {
-        Import-Module WebAdministration -ErrorAction Stop
-    }
-    catch {
-        throw "Failed to load the WebAdministration module. Ensure it is installed and available."
-    }
-
-    # Check if the IISAdministration module is already loaded
-    if (-not (Get-Module -Name IISAdministration )) {
-        try {
-            # Attempt to import the IISAdministration module
-            Import-Module IISAdministration -ErrorAction Stop
-        }
-        catch {
-            throw "Failed to load the IISAdministration module. This function requires IIS Develpment and SCripting tools.  Please ensure these tools have been installed on the IIS Server."
-        }
-    }
-        
-    Write-Debug "Finished importing required modules"
-    
     Write-Verbose "INFO:  Entered New-KFIISSiteBinding."
     Write-Verbose "SiteName: $SiteName"
     Write-Verbose "IPAddress: $IPAddress"
@@ -352,60 +332,90 @@ function New-KFIISSiteBinding{
     Write-Verbose "Store Path: $StoreName"
     Write-Verbose "SslFlags: $SslFlags"
 
-    # Retrieve the existing binding information
-    $myBinding = "${IPAddress}:${Port}:${Hostname}"  #*:443:MyHostName1   :   *:443:ManualHostName
-    Write-Verbose "Formatted binding information: $myBinding"
+    $searchBindings = "${IPAddress}:${Port}:${Hostname}" 
 
-    # Check if the binding exists (NOTE: Bindings always occur using https)
-    try {
-        Write-Verbose "Attempting to get binding information for Site: '$SiteName' with bindings: $myBinding"
-        $existingBinding = Get-IISSiteBinding -Name $SiteName -Protocol $Protocol -BindingInformation $myBinding    
-    }
-    catch {
-        Write-Verbose "Error occurred while attempting to get the bindings for: '$SiteName'"
-        Write-Verbose $_
-        throw $_
-    }
+    if (Ensure-IISDrive) {
+        # Step 1: Get the web binding
+        $sitePath = "IIS:\Sites\$SiteName"
+
+        # Check if the site exists
+        if (Test-Path $sitePath) {
+            try {
+                $site = Get-Item $sitePath
+                $httpsBindings = $site.Bindings.Collection | Where-Object { $_.bindingInformation -eq $searchBindings -and $_.protocol -eq "https" }
+                Write-Verbose $httpsBindings
+            
+                $thisProtocol = $httpsBindings.protocol
+                $thisBindingInformation = $httpsBindings.bindingInformation
+                $thisSslFlags = $httpsBindings.sslFlags
+                $thisIPAddress = $httpsBindings.bindingInformation.IPAddress
+            }
+            catch{
+                Write-Verbose "No bindings found for site $SiteName"
+            }
 
-    if ($null -ne $existingBinding) {
-        Write-Verbose "A binding for: $myBinding was found."
 
-        $currentThumbprint = ($existingBinding.CertificateHash | ForEach-Object { $_.ToString("X2") }) -join ""
-        if ($thumbprint -eq $currentThumbprint)
-        {
-            Write-Verbose "The existing binding's thumbprint matches the new thumbprint - skipping."
-            Write-Information "The thumbprint for this binding is the same as the new one."
-            Write-Information "Since they are the same thumbprint, thins binding will be skipped."
+        } else {
+            Write-Error "Site '$SiteName' not found." -ForegroundColor Red
             return
         }
-        Write-Verbose "Current thumbprint: $currentThumbprint"
-        Write-Verbose "Will remove the existing binding prior to replacing it with new thumbprint."
-        
-        # Remove the existing binding
-        Remove-IISSiteBinding -Name $SiteName -BindingInformation $existingBinding.BindingInformation -Protocol $existingBinding.Protocol -Confirm:$false
-        Write-Verbose "Removed existing binding: $($existingBinding.BindingInformation)"
-    }else{
-        Write-Verbose "No binding was found for: $myBinding."
+
+        # Step 2: Remove existing web binding if exists
+        try {
+            if ($null -ne $thisBindingInformation) {
+                Write-Verbose "Removing existing binding $thisBindingInformation"
+                Remove-WebBinding -Name $SiteName -BindingInformation $thisBindingInformation -Protocol $thisProtocol -Confirm:$false
+            }
+        }
+        catch {
+            Write-Information "Error occurred while attempting to remove bindings: '$existingBinding'"
+            Write-Verbose $_
+            throw $_
+        }
+
+        # Step 3: Add new Web Binding
+        try {
+            Write-Verbose "Attempting to add new web binding"
+            New-WebBinding -Name $SiteName -Protocol $Protocol -IPAddress $IPAddress -Port $Port -HostHeader $Hostname -SslFlags $SslFlags
+        }
+        catch {
+            Write-Information "Error occurred while attempting to add new web binding to $SiteName"
+            Write-Verbose $_
+            throw $_
+        }
+
+        # Step 4: Bind SSL Certificate to site
+        $binding = Get-WebBinding -Name $SiteName -Protocol $Protocol
+        $binding.AddSslCertificate($Thumbprint, $StoreName)
+
+        Write-Verbose "New binding added successfully for $SiteName"
+        return $true
+    }
+}
+
+
+function Ensure-IISDrive {
+    [CmdletBinding()]
+    param ()
+
+    # Try to import the WebAdministration module if not already loaded
+    if (-not (Get-Module -Name WebAdministration)) {
+        try {
+            Import-Module WebAdministration -ErrorAction Stop
+        }
+        catch {
+            Write-Warning "WebAdministration module could not be imported. IIS:\ drive will not be available."
+            return $false
+        }
     }
 
-    # Create the new binding with modified properties
-    try
-    {
-        Write-Verbose "Attempting to add IISSiteBinding"
-        New-IISSiteBinding -Name $SiteName `
-            -BindingInformation $myBinding `
-            -Protocol $Protocol `
-            -CertificateThumbprint $Thumbprint `
-            -CertStoreLocation $StoreName `
-            -SslFlag $SslFlags
-
-        Write-Verbose "New Site Binding for '$SiteName' has been created with bindings: $myBinding and thumbprint: $thumbprint."
+    # Check if IIS drive is available
+    if (-not (Get-PSDrive -Name 'IIS' -ErrorAction SilentlyContinue)) {
+        Write-Warning "IIS:\ drive not available. Ensure IIS is installed and the WebAdministration module is imported."
+        return $false
     }
-    catch {
-        throw $_
-    };
 
-    return $True
+    return $true
 }
 
 function Remove-KFIISSiteBinding{
@@ -785,6 +795,10 @@ function New-CSREnrollment {
         [string]$SAN
     )
 
+    if ([string]::IsNullOrWhiteSpace($ProviderName)) {
+        $ProviderName = "Microsoft Strong Cryptographic Provider"
+    }
+
     # Validate the Crypto Service Provider
     Validate-CryptoProvider -ProviderName $ProviderName
 

IISU/WindowsCertStore.csproj

@@ -3,8 +3,9 @@
   <PropertyGroup>
     <RootNamespace>Keyfactor.Extensions.Orchestrator.WindowsCertStore</RootNamespace>
     <CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
-	<TargetFrameworks>NET6.0;NET8.0</TargetFrameworks>
+	<TargetFrameworks>net6.0</TargetFrameworks>
     <PlatformTarget>AnyCPU</PlatformTarget>
+    <Nullable>disable</Nullable>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
@@ -29,13 +30,13 @@
     <Compile Remove="PowerShellCertRequest.cs" />
   </ItemGroup>
 
-  <ItemGroup>
-    <PackageReference Include="Keyfactor.Logging" Version="1.1.1" />
-    <PackageReference Include="Keyfactor.Orchestrators.IOrchestratorJobExtensions" Version="0.7.0" />
-	  
-    <PackageReference Include="Microsoft.PowerShell.SDK" Version="7.2.19" Condition="'$(TargetFramework)' == 'net6.0'" />
-	<PackageReference Include="Microsoft.PowerShell.SDK" Version="7.4.5" Condition="'$(TargetFramework)' == 'net8.0'" />
-  </ItemGroup>
+	<ItemGroup>
+		<PackageReference Include="Cake.Powershell" Version="4.0.0" />
+		<PackageReference Include="Keyfactor.Logging" Version="1.1.1" />
+		<PackageReference Include="Keyfactor.Orchestrators.IOrchestratorJobExtensions" Version="0.7.0" />
+		<PackageReference Include="Microsoft.Management.Infrastructure" Version="3.0.0" Condition="'$(TargetFramework)' == 'net6.0'" />
+		<PackageReference Include="Microsoft.PowerShell.SDK" Version="7.4.5" Condition="'$(TargetFramework)' == 'net8.0'" />
+	</ItemGroup>
 
   <ItemGroup>
     <None Update="manifest.json">