FileSystemAccessRule:Does not work with PowerShell Certificate Paths #25

@EmperorArthur

Description

Details of the scenario you tried and the problem that is occurring

I need to allow a machine certificate's private key to be read by certain users in a development environment.

Since certificates are a PowerShell path and have access rules, I thought this resource would work.

Currently I am using:

Import-Module GuardedFabricTools
$certificate = Get-ChildItem "Cert:\LocalMachine\${CertStoreLocation}\${CertFingerprint}"
#$certificate.Acl = $certificate.Acl | Add-AccessRule "${UserName}" Read Allow
# .Acl on the certificate item is provided by GuardedFabricTools (see below)
$acl = $certificate.Acl
$newFileSystemAccessRuleParameters = @{
    TypeName     = 'System.Security.AccessControl.FileSystemAccessRule'
    ArgumentList = @(
        "${UserName}",
        [System.Security.AccessControl.FileSystemRights] @('Read'),
        'None',   # InheritanceFlags
        'None',   # PropagationFlags
        'Allow'   # AccessControlType
    )
}
$fileSystemAccessRule = New-Object @newFileSystemAccessRuleParameters
$acl.SetAccessRule($fileSystemAccessRule)

Verbose logs showing the problem

Method invocation failed because [System.Security.Cryptography.X509Certificates.X509Certificate2] does not contain a method named 'GetAccessControl'.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : MethodNotFound
    + PSComputerName        : localhost

Suggested solution to the issue

  1. Depend on GuardedFabricTools
  2. Update the Get-ACLAccess function to also check if .Acl is available if .GetAccessControl('Access') fails, and use that instead.
  3. Handle if System.Security.AccessControl.InheritanceFlags are not valid for an object.

$certificate.Acl is a "System.Security.AccessControl.FileSystemSecurity", which is the same type as that returned by .GetAccessControl('Access').

The DSC configuration that is used to reproduce the issue (as detailed as possible)

FileSystemAccessRule Cert {
    Identity = $ConfigurationData.Credentials.UserName
    Path     = "Cert:\LocalMachine\${CertStoreLocation}\${CertFingerprint}"
    Rights   = "Read"
    Ensure   = [Ensure]::Present
}

The operating system the target node is running

OsName : Microsoft Windows 10 Enterprise LTSC
OsOperatingSystemSKU : 125
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 19041.1.amd64fre.vb_release.191206-1406
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.19041.5129
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.5129
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

1.1.1
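A sketch of the fallback proposed in point 2 and the inheritance handling in point 3 of the suggested solution, added here as an example (not code from FileSystemDsc or GuardedFabricTools). It assumes GuardedFabricTools is imported so that certificate items expose a settable .Acl property, as the commented-out line in the report implies; the function names are hypothetical.

```powershell
# Added example, not code from FileSystemDsc or GuardedFabricTools. Assumes
# GuardedFabricTools is imported so certificate items expose a settable .Acl
# property (as the commented-out line in the report implies).
function Get-ItemAccessControl {
    param([Parameter(Mandatory)] [string] $Path)
    $item = Get-Item -Path $Path -ErrorAction Stop
    # Files and directories: the provider item has GetAccessControl().
    if ($item.PSObject.Methods['GetAccessControl']) {
        return $item.GetAccessControl('Access')
    }
    # Certificates: X509Certificate2 has no GetAccessControl(), but with
    # GuardedFabricTools loaded .Acl returns a FileSystemSecurity for the
    # private key file.
    if ($item.PSObject.Properties['Acl'] -and $null -ne $item.Acl) {
        return $item.Acl
    }
    throw "No access control available for '$Path' ($($item.GetType().FullName))."
}

function Grant-ItemReadAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity
    )
    $item = Get-Item -Path $Path -ErrorAction Stop
    $acl  = Get-ItemAccessControl -Path $Path
    # Inheritance flags are only valid on containers; a private key file or
    # any other leaf object must use None, otherwise SetAccessRule() throws.
    $inherit = if ($item.PSIsContainer) {
        [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None
    }
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Read,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    # Writing back differs as well: Set-Acl for file-system paths, the .Acl
    # setter from GuardedFabricTools for certificates (assumed settable).
    if ($item.PSObject.Methods['GetAccessControl']) {
        Set-Acl -Path $Path -AclObject $acl
    } else {
        $item.Acl = $acl
    }
}
```

Running `Grant-ItemReadAccess -Path "Cert:\LocalMachine\My\<thumbprint>" -Identity "<user>"` grants read on the private key file without the MethodNotFound error, while the same call on a directory still applies inheritable rules.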
