dsccommunity / jeadsc
This project forked from powershell/jea
Just Enough Administration
Home Page: http://aka.ms/JEAdocs
License: MIT License
When applying environment variables on JeaRoleCapabilities, the test is always false, no matter how I try and pass the variables.
Minimal reproduction, version 0.6.5:
$params = @{
    Path = "C:\Program Files\WindowsPowerShell\Modules\TestJEADSC\RoleCapabilities\test.psrc"
    VisibleCmdlets = @(
        'Get-Command',
        'Measure-Object'
    )
    EnvironmentVariables = @("@{'Test' = 'test'}")
}
Invoke-DscResource -Name JeaRoleCapabilities -Property $params -Method set -ModuleName JEADSC -Verbose
Invoke-DscResource -Name JeaRoleCapabilities -Property $params -Method test -ModuleName JEADSC -Verbose
Expectation : Test passes
Actual result:
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = Resourceset,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/D
esiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer COMPUTER with user sid <removed>.
VERBOSE: [COMPUTER]: LCM: [ Start Set ] [[JeaRoleCapabilities]DirectResourceAccess]
VERBOSE: [COMPUTER]: LCM: [ End Set ] [[JeaRoleCapabilities]DirectResourceAccess] in 0.0160 seconds.
VERBOSE: [COMPUTER]: LCM: [ End Set ] in 0.0310 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
RebootRequired
--------------
False
VERBOSE: Time taken for configuration job to complete is 0.094 seconds
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = Resourcetest,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/
DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer COMPUTER with user sid <removed>.
VERBOSE: [COMPUTER]: LCM: [ Start Test ] [[JeaRoleCapabilities]DirectResourceAccess]
VERBOSE: [COMPUTER]: [[JeaRoleCapabilities]DirectResourceAccess] Validating Path: C:\Program Files\WindowsPowerShell\Modules\TestJEADSC\RoleCapabilities\test.
psrc
VERBOSE: [COMPUTER]: [[JeaRoleCapabilities]DirectResourceAccess] Checking file extension is psrc for: C:\Program Files\WindowsPowerShell\Modules\TestJEADSC\Ro
leCapabilities\test.psrc
VERBOSE: [COMPUTER]: [[JeaRoleCapabilities]DirectResourceAccess] Checking parent forlder is RoleCapabilities for: C:\Program Files\WindowsPowerShell\Modules\T
estJEADSC\RoleCapabilities\test.psrc
VERBOSE: [COMPUTER]: [[JeaRoleCapabilities]DirectResourceAccess] Checking Folder is in PSModulePath is psrc for: C:\Program Files\WindowsPowerShell\Modules\Te
stJEADSC\RoleCapabilities\test.psrc
VERBOSE: [COMPUTER]: [[JeaRoleCapabilities]DirectResourceAccess] Path is a valid psrc path. Returning true.
VERBOSE: [COMPUTER]: [[JeaRoleCapabilities]DirectResourceAccess] Existing Configuration: {
"EnvironmentVariables": [
"System.Collections.Hashtable"
],
"Path": "C:\\Program Files\\WindowsPowerShell\\Modules\\TestJEADSC\\RoleCapabilities\\test.psrc",
"VisibleCmdlets": [
"Get-Command",
"Measure-Object"
]
}
VERBOSE: [COMPUTER]: [[JeaRoleCapabilities]DirectResourceAccess] New COnfiguration: {
"EnvironmentVariables": [
"@{\u0027Test\u0027 = \u0027test\u0027}"
],
"Path": "C:\\Program Files\\WindowsPowerShell\\Modules\\TestJEADSC\\RoleCapabilities\\test.psrc",
"VisibleCmdlets": [
"Get-Command",
"Measure-Object"
]
}
VERBOSE: [COMPUTER]: LCM: [ End Test ] [[JeaRoleCapabilities]DirectResourceAccess] False in 0.0470 seconds.
VERBOSE: [COMPUTER]: LCM: [ End Set ] in 0.0630 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
InDesiredState : False
VERBOSE: Time taken for configuration job to complete is 0.116 seconds
Also the case when setting/testing from MOF. I have tried many different formats of the arg and cannot get it to work. I did notice that JeaSessionConfiguration implements 'EnvironmentVariables' differently and the comparison does work in that resource. Apologies if I am missing something obvious.
For more security we should be using FQMN for all commands.
I am trying to create a Role Capabilities file with the JeaRoleCapabilities resource. The resource's test method seems to return $false even if the Role Capabilities file exists with the required settings. Can you repro this as well or is it me doing something wrong? I have already put a bit of time into this and should have a fix available soon if it is an issue with the code.
configuration JeaConfig1
{
    Import-DscResource -ModuleName JeaDsc
    node 'localhost'
    {
        JeaRoleCapabilities DscDiagnosticsRead
        {
            Path = 'C:\Program Files\WindowsPowerShell\Modules\JeaDsc\RoleCapabilities\DscDiagnosticsRead.psrc'
            VisibleCmdlets = "@{ Name = 'Get-DscLocalConfigurationManager'; Parameters = @{ Name = '*' } }"
            FunctionDefinitions = "@{ Name = 'Test'; ScriptBlock = { Test-DscConfiguration -Detailed } }", "@{ Name = 'GD'; ScriptBlock = { Get-Date } }"
            VisibleFunctions = 'GD', 'Test'
        }
    }
}
JeaConfig1 -OutputPath c:\JeaTest
Start-DscConfiguration -Path C:\JeaTest -Verbose -Wait -Force
localhost.mof
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/
Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer RAANDREE0 with user sid S-1-5-21-3110595715-3530629690-4267244086-1001.
VERBOSE: [RAANDREE0]: LCM: [ Start Set ]
VERBOSE: [RAANDREE0]: LCM: [ Start Resource ] [[JeaRoleCapabilities]DscDiagnosticsRead]
VERBOSE: [RAANDREE0]: LCM: [ Start Test ] [[JeaRoleCapabilities]DscDiagnosticsRead]
VERBOSE: [RAANDREE0]: [[JeaRoleCapabilities]DscDiagnosticsRead] Validating Path: C:\Program Files\WindowsPowerShell\Modules\JeaDsc\RoleCapabilities\DscDiagn
osticsRead.psrc
VERBOSE: [RAANDREE0]: [[JeaRoleCapabilities]DscDiagnosticsRead] Checking file extension is psrc for: C:\Program Files\WindowsPowerShell\Modules\JeaDsc\RoleC
apabilities\DscDiagnosticsRead.psrc
VERBOSE: [RAANDREE0]: [[JeaRoleCapabilities]DscDiagnosticsRead] Checking parent forlder is RoleCapabilities for: C:\Program Files\WindowsPowerShell\Modules\
JeaDsc\RoleCapabilities\DscDiagnosticsRead.psrc
VERBOSE: [RAANDREE0]: [[JeaRoleCapabilities]DscDiagnosticsRead] Checking Folder is in PSModulePath is psrc for: C:\Program Files\WindowsPowerShell\Modules\J
eaDsc\RoleCapabilities\DscDiagnosticsRead.psrc
VERBOSE: [RAANDREE0]: [[JeaRoleCapabilities]DscDiagnosticsRead] Path is a valid psrc path. Returning true.
VERBOSE: [RAANDREE0]: LCM: [ End Test ] [[JeaRoleCapabilities]DscDiagnosticsRead] in 0.0330 seconds.
VERBOSE: [RAANDREE0]: LCM: [ Start Set ] [[JeaRoleCapabilities]DscDiagnosticsRead]
VERBOSE: [RAANDREE0]: LCM: [ End Set ] [[JeaRoleCapabilities]DscDiagnosticsRead] in 0.0410 seconds.
VERBOSE: [RAANDREE0]: LCM: [ End Resource ] [[JeaRoleCapabilities]DscDiagnosticsRead]
VERBOSE: [RAANDREE0]: LCM: [ End Set ]
VERBOSE: [RAANDREE0]: LCM: [ End Set ] in 0.2200 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 0.315 seconds
I have used the config from #25 and just added FunctionDefinitions.
Configuration Test1
{
    Import-DscResource -Module JeaDsc
    JeaRoleCapabilities TechnicianRoleCapability
    {
        Path = 'C:\Program Files\WindowsPowerShell\Modules\JeaDsc\RoleCapabilities\Technician.psrc'
        VisibleCmdlets = 'Get-WinEvent','Get-Service'
        FunctionDefinitions = "@{ Name = 'Test'; ScriptBlock = { Get-Date } }"
    }
}
Test1 -OutputPath d:\dsc
Start-DscConfiguration -Path d:\dsc -Wait -Verbose -Force
This results in the following error:
VERBOSE: [RAANDREE0]: [[JeaRoleCapabilities]TechnicianRoleCapability] Checking file extension is psrc for: C:\Program Files\WindowsPowerShell\Modules\JeaDsc
\RoleCapabilities\Technician.psrc
VERBOSE: [RAANDREE0]: [[JeaRoleCapabilities]TechnicianRoleCapability] Checking parent forlder is RoleCapabilities for: C:\Program Files\WindowsPowerShell\Mo
dules\JeaDsc\RoleCapabilities\Technician.psrc
VERBOSE: [RAANDREE0]: [[JeaRoleCapabilities]TechnicianRoleCapability] Checking Folder is in PSModulePath is psrc for: C:\Program Files\WindowsPowerShell\Mod
ules\JeaDsc\RoleCapabilities\Technician.psrc
VERBOSE: [RAANDREE0]: [[JeaRoleCapabilities]TechnicianRoleCapability] Path is a valid psrc path. Returning true.
You cannot call a method on a null-valued expression.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : InvokeMethodOnNull,Compare-JeaConfiguration
+ PSComputerName : localhost
VERBOSE: [RAANDREE0]: LCM: [ End Test ] [[JeaRoleCapabilities]TechnicianRoleCapability] in 0.1290 seconds.
The PowerShell DSC resource '[JeaRoleCapabilities]TechnicianRoleCapability' with SourceInfo '::6::5::JeaRoleCapabilities' threw one or more non-terminating errors while running the
Test functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost
VERBOSE: [RAANDREE0]: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : localhost
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 0.289 seconds
When using JeaEndpoint to create a new endpoint, ScriptBlockLogging is activated.
First, it's not correctly implemented as the registry key property is not tested. So it may become 'not compliant' but will not be detected by DSC. Also, even if you remove the endpoint, registry value will not be restored.
ScriptBlockLogging is an interesting feature. But I think we have to let users choose whether they want to enable it or not. In my recent experience, enabling scriptblock logging disclosed some private information as poorly designed scripts handled sensitive data with clear text parameters :-/
I suggest removing this part of the Set function and let users activate the logging with a Registry resource.
Work needs to be done to convert this repository to use the new CI pipeline.
https://dsccommunity.org/blog/convert-a-module-for-continuous-delivery/
The initial consistency check in Azure Automation State Config comes back as compliant. The JEA endpoint functions as expected but it is finding an issue with the JeaSessionConfiguration during subsequent consistency checks. These checks come back as failed.
The error in Azure is also the same as the output of Test-DscConfiguration run on the same node:
The term 'Convert-StringToArrayOfObject' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
+ CategoryInfo : ObjectNotFound: (Convert-StringToArrayOfObject:) [], CimException
+ FullyQualifiedErrorId : CommandNotFoundException
+ PSComputerName : localhost
The PowerShell DSC resource '[JeaSessionConfiguration]JeaEndpoint' with SourceInfo '::13::5::JeaSessionConfiguration'
threw one or more non-terminating errors while running the Test functionality. These errors are logged to the ETW
channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
+ CategoryInfo : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost
My DSC config:
Configuration JEAConfig
{
    Import-DscResource -Module JeaDsc
    JeaRoleCapabilities TechnicianRoleCapability
    {
        Path = 'C:\Program Files\WindowsPowerShell\Modules\JeaDsc\RoleCapabilities\Technician.psrc'
        VisibleCmdlets = 'Get-WinEvent','Get-Service'
    }
    JeaSessionConfiguration JeaEndpoint
    {
        EndpointName = "JeaEndpoint"
        RoleDefinitions = "@{ 'Contoso\Infrastructure Support' = @{ RoleCapabilities = 'Technician' }; }"
        TranscriptDirectory = 'C:\ProgramData\JeaEndpoint\Transcripts'
        DependsOn = '[JeaRoleCapabilities]TechnicianRoleCapability'
    }
}
ComplexObjectsEqual sometimes generates a false positive, detecting differences where there are none.
It occurs mainly when adding a new user/group to an existing endpoint.
The problem is that the order of keys in a hashtable is not guaranteed, and ComplexObjectsEqual only uses ConvertTo-Json to compare 2 hashtables.
There are 2 fix proposals for this issue:
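The key-order problem described in this issue can be avoided by comparing the structures themselves rather than their JSON text. The following is an added example, not JeaDsc code and not one of the proposals referred to above; Test-NestedValueEqual is a hypothetical helper and 'Contoso\Helpdesk' is a constructed sample group.

```powershell
# Added example (hypothetical helper, not part of JeaDsc).
# Compares nested hashtables/arrays by content, ignoring hashtable key order.
function Test-NestedValueEqual {
    param($Reference, $Difference)

    if ($null -eq $Reference -or $null -eq $Difference) {
        return ($null -eq $Reference -and $null -eq $Difference)
    }

    # Dictionaries: same key set and equal values, in any order
    $refIsDict = $Reference -is [System.Collections.IDictionary]
    $difIsDict = $Difference -is [System.Collections.IDictionary]
    if ($refIsDict -ne $difIsDict) { return $false }
    if ($refIsDict) {
        if ($Reference.Count -ne $Difference.Count) { return $false }
        foreach ($key in $Reference.Keys) {
            if (-not $Difference.Contains($key)) { return $false }
            if (-not (Test-NestedValueEqual -Reference $Reference[$key] -Difference $Difference[$key])) {
                return $false
            }
        }
        return $true
    }

    # Arrays: element order is treated as significant
    $refIsList = $Reference -is [array]
    $difIsList = $Difference -is [array]
    if ($refIsList -ne $difIsList) { return $false }
    if ($refIsList) {
        if ($Reference.Count -ne $Difference.Count) { return $false }
        for ($i = 0; $i -lt $Reference.Count; $i++) {
            if (-not (Test-NestedValueEqual -Reference $Reference[$i] -Difference $Difference[$i])) {
                return $false
            }
        }
        return $true
    }

    # Scalars: note that -eq on strings is case-insensitive
    return ($Reference -eq $Difference)
}

# Constructed sample: the same role definitions with the keys in a different order.
# [ordered] is used only to pin the key order so the comparison is reproducible.
$existing = [ordered]@{
    'Contoso\Infrastructure Support' = @{ RoleCapabilities = 'Technician' }
    'Contoso\Helpdesk'               = @{ RoleCapabilities = 'Technician' }
}
$desired = [ordered]@{
    'Contoso\Helpdesk'               = @{ RoleCapabilities = 'Technician' }
    'Contoso\Infrastructure Support' = @{ RoleCapabilities = 'Technician' }
}

$jsonEqual       = (ConvertTo-Json $existing -Depth 5) -eq (ConvertTo-Json $desired -Depth 5)
$structuralEqual = Test-NestedValueEqual -Reference $existing -Difference $desired
"JSON text equal: $jsonEqual; structurally equal: $structuralEqual"
```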
I'm not sure if this is by design and just an omission in the demo but in here you give an example passing in a hash table to define the visible cmdlets.
When I try this I get an error:
ConvertTo-MOFInstance : System.ArgumentException error processing property 'VisibleCmdlets' OF TYPE 'JeaRoleCapabilities': Value of type 'System.Object[]' is not allowed in hashtable. Supported types : [String], [Char], [Int64],
[UInt64], [Double], [Bool] ,[DateTime] and [ScriptBlock].
The only way I can get this to work alongside other cmdlets is to pass an array of strings as such:
JeaRoleCapabilities RoleCapability
{
    Path = 'C:\Program Files\WindowsPowerShell\Modules\JeaRc\RoleCapabilities\MyJea.psrc'
    VisibleCmdlets = @(
        'Get-Command',
        'Measure-Object',
        'Where-Object',
        'Select-Object',
        'Enter-PSSession',
        'Out-Default',
        'Exit-PSSession',
        'Out-String',
        'Out-Null',
        'Set-Variable',
        'Invoke-CimMethod',
        'Set-StrictMode',
        'Write-Output',
        'Remove-Item',
        "@{Name = 'New-Item'; Parameters = @(@{Name = 'ItemType'; ValidateSet = 'Directory'}, @{Name = 'Path'}, @{Name = 'Name'})}"
    )
}
Is this expected? The demo indicates it should be possible but perhaps it's just out of date.
Take the same approach as the JeaSessionConfiguration and convert to hashtables at runtime. Split those functions into a shared module to make it more reusable.
When adding two environment variables to a config, only the first one is added to the psrc file
The config is:
Configuration Test1
{
    Import-DscResource -Module JeaDsc
    JeaRoleCapabilities TechnicianRoleCapability
    {
        Path = 'C:\Program Files\WindowsPowerShell\Modules\JeaDsc\RoleCapabilities\Technician.psrc'
        VisibleCmdlets = 'Get-WinEvent','Get-Service'
        EnvironmentVariables = "@{ V1 = 'test1' }; @{ V2 = 'test2' }"
        VisibleProviders = 'FileSystem', 'Environment'
    }
    JeaSessionConfiguration JeaEndpoint
    {
        EndpointName = "JeaEndpoint"
        RoleDefinitions = "@{ 'Everyone' = @{ RoleCapabilities = 'Technician' }; }"
        TranscriptDirectory = 'C:\ProgramData\JeaEndpoint\Transcripts'
        DependsOn = '[JeaRoleCapabilities]TechnicianRoleCapability'
    }
}
Test1 -OutputPath d:\dsc
Start-DscConfiguration -Path d:\dsc -Wait -Verbose -Force
The psrc looks like this:
# Environment variables to define when applied to a session
EnvironmentVariables = @{
'V1' = 'test1' }
# Type files (.ps1xml) to load when applied to a session
# TypesToProcess = 'C:\ConfigData\MyTypes.ps1xml', 'C:\ConfigData\OtherTypes.ps1xml'
Test-DscConfiguration always returns false, I guess due to the same issue in #19.
JeaSessionConfiguration can't be removed after it's added as setting [Ensure]::Absent doesn't do anything in the Set block.
Based on the discussion in this issue and the problems caused by this bug, should we be flagging the machine for a reboot as part of registering a session configuration rather than restarting the WinRM service?
In a test environment I've been affected by that bug even though I haven't changed the Path while testing the SessionConfiguration resource. Rebooting the machine feels cleaner and doesn't completely stop the rest of a DSC configuration from applying if the LCM is flagged to not reboot automatically.
We should remove these two excluded tags so the examples' HQRM tests run. The examples do need to be tweaked so they can run.
Lines 77 to 78 in 7608302
Currently we're splitting on a comma and then converting to hashtables (if it looks like one) but this won't work if you've got a nested array of hashtables.
So if we've got a string like this:
'DnsServer\\*','Get-*','ActiveDirectory\Set-*','Invoke-Cmdlet1', @{ Name = 'Invoke-Cmdlet2'; Parameters = @{ Name = 'Parameter1'; ValidateSet = 'Item1', 'Item2' }, @{ Name = 'Parameter2'; ValidatePattern = 'L*' } }
Then it'll get converted into this:
Name Value
---- -----
Name Invoke-Cmdlet2
Parameters {Name, ValidateSet}
'Item2' }
Name Parameter2
ValidatePattern L*
If we use the Convert-StringToArrayOfHashtable instead then we end up with:
Name Value
---- -----
Name Invoke-Cmdlet2
Parameters {Name, ValidateSet}
Name Parameter1
ValidateSet Item1
'Item2' }
Name Parameter2
ValidatePattern L*
Neither option is good enough for what we want as it's broken the nested hashtables that are under Parameters.
We could make use of Invoke-Expression or [Scriptblock]::Create().Invoke() to easily turn them into the correct objects. But that's a horrible security issue since this resource will almost always be running as SYSTEM, and doing arbitrary code execution using a user provided string is a really bad idea and against exactly what the resource is trying to achieve.
We could try to detect if the string is going to try to do something malicious, possibly by regex'ing for $ and [ as a start (since that'll catch subexpressions and type declarations) but I'm sure there's more ways to abuse this.
Edit: We need to check for & (invocation operator) and . (dot sourcing operator) as well since those will let you execute arbitrary code.
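One way to obtain the nested objects without Invoke-Expression, shown as an added example that is not JeaDsc code: parse the string into a syntax tree and call SafeGetValue() on it, so the string is read as data and never run. ConvertFrom-LiteralExpression is a hypothetical name, the last four samples are constructed from the operators this post lists, and PowerShell 5.0 or later is assumed.

```powershell
# Added example (hypothetical helper, not part of JeaDsc).
function ConvertFrom-LiteralExpression {
    param(
        [Parameter(Mandatory)]
        [string] $InputString
    )

    $tokens = $null
    $parseErrors = $null
    # ParseInput only builds a syntax tree; nothing in the string is executed
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $InputString, [ref] $tokens, [ref] $parseErrors)
    if ($parseErrors.Count -gt 0) {
        throw "Not valid PowerShell syntax: $($parseErrors[0].Message)"
    }

    # Require exactly one statement that is a bare expression:
    # no command, no assignment, no further pipeline stages
    $statements = @($ast.EndBlock.Statements)
    $pipeline = $statements[0]
    if ($statements.Count -ne 1 -or
        $pipeline -isnot [System.Management.Automation.Language.PipelineAst] -or
        $pipeline.PipelineElements.Count -ne 1 -or
        $pipeline.PipelineElements[0] -isnot [System.Management.Automation.Language.CommandExpressionAst]) {
        throw 'Input must be a single literal expression.'
    }

    # SafeGetValue() builds the value from constants, arrays and hashtables
    # and throws when the tree holds anything it does not treat as safe,
    # such as variables, commands or member access
    return $pipeline.PipelineElements[0].Expression.SafeGetValue()
}

$samples = @(
    # The string from the issue above
    "'DnsServer\\*','Get-*','ActiveDirectory\Set-*','Invoke-Cmdlet1', @{ Name = 'Invoke-Cmdlet2'; Parameters = @{ Name = 'Parameter1'; ValidateSet = 'Item1', 'Item2' }, @{ Name = 'Parameter2'; ValidatePattern = 'L*' } }"
    # Constructed inputs using $, [, & and . as named in the post
    '@{ Name = $(Get-Date) }'
    '@{ Name = [Environment]::MachineName }'
    '@{ Name = & { 1 } }'
    '@{ Name = . { 1 } }'
)

foreach ($sample in $samples) {
    try {
        $value = ConvertFrom-LiteralExpression -InputString $sample
        "Accepted: $(@($value).Count) top-level item(s)"
    }
    catch {
        "Rejected: $sample"
    }
}
```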
There was a conflict of the JeaDsc version of Test-DscParameterState with the one provided with the module DscResource.Common. For this Test-DscParameterState was renamed to Test-DscParameterState2 in JeaDsc. The rename happened in #36 and #35.
After the improvements on Test-DscParameterState have been added to DscResource.Common, Test-DscParameterState2 in JeaDsc should be removed.
N/A
Test-DscParameterState2 in JeaDsc should be removed finally.
N/A
N/A
N/A
N/A
I think we should rename the local one to something else in the meantime so they are not confused, e.g. Test-JeaDscParameterState.
Originally posted by @johlju in #34 (comment)
Readme is unchanged from the MS-official repo. This is the only JEA DSC resource on powershell gallery, and it's been updated recently, so that's what I'm attempting to use. Where's the official "JustEnoughAdministration" module? How stable/used is this one? Etc.