DSC - Empty Password for "PSCredential" Parameter Causes Crash

      Description

      If a user specifies an empty string in the "PSCredential" hash for the "Password" parameter of the "User" DSC resource, the module will crash:

      Notice: Compiled catalog for w2012r2.corp.puppetlabs.net in environment production in 0.39 seconds
      Error: /Stage[main]/Main/Dsc_user[user_test]: Could not evaluate: Execution of 'C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -Command $script:ErrorActionPreference = 'Stop'
      $script:WarningPreference     = 'SilentlyContinue'
       
      function new-pscredential
      {
        [CmdletBinding()]
        param (
          [parameter(Mandatory=$true,
            ValueFromPipelineByPropertyName=$true)]
          [string]
          $user,
       
          [parameter(Mandatory=$true,
            ValueFromPipelineByPropertyName=$true)]
          [string]
          $password
        )
       
        $secpasswd   = ConvertTo-SecureString $password -AsPlainText -Force
        $credentials = New-Object System.Management.Automation.PSCredential ($user, $secpasswd)
        return $credentials
      }
       
      $response = @{
        indesiredstate = $false
        rebootrequired = $false
        errormessage   = ''
      }
       
      $currentState = Get-DscLocalConfigurationManager
       
      if ($currentState.RefreshMode -ne 'Disabled') {
        $response.errormessage = "DSC LCM RefreshMode must be set to Disabled for Puppet to execute DSC Resources! Please run dsc::lcm_config first"
        return ($response | ConvertTo-Json -Compress)
      }
       
      $invokeParams = @{
        Name          = 'User'
        Method        = 'test'
        Property      = @{
          username = 'catsinhats'
          ensure = 'present'
          password = [PSCustomObject]@{'user' = 'incorrect'; 'password' = ''} | new-pscredential
        }
        ModuleName = "PSDesiredStateConfiguration"
      }
       
      try{
          $result = Invoke-DscResource @invokeParams
      }catch{
        $response.errormessage   = $_.Exception.Message
        return ($response | ConvertTo-Json -Compress)
      }
       
      # keep the switch for when Test passes back changed properties
      switch ($invokeParams.Method) {
        'Test' {
          $response.indesiredstate = $result.InDesiredState
          return ($response | ConvertTo-Json -Compress)
        }
        'Set' {
          $response.indesiredstate = $true
          $response.rebootrequired = $result.RebootRequired
          return ($response | ConvertTo-Json -Compress)
        }
      }
      ' returned 1: new-pscredential : Cannot bind argument to parameter 'password' because it is
      an empty string.
      At line:43 char:75
      + ... tomObject]@{'user' = 'incorrect'; 'password' = ''} | new-pscredential
      +                                                          ~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidData: (@{user=incorrect; password=}:PSObj
         ect) [new-pscredential], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAl
         lowed,new-pscredential
      Notice: Applied catalog in 4.09 seconds

      Repro Steps

      1. Install Puppet Agent on the Windows agent nodes.
      2. Install DSC module from the modules staging Forge on the agent nodes:

        puppet module install puppetlabs-dsc --module_repository https://api-module-staging.puppetlabs.com

      3. Configure LCM refresh mode:

        puppet apply -e "dsc::lcm_config { 'disable_lcm': refresh_mode => 'Disabled' }"

      4. Download the test package onto the SUT.
      5. Apply the following manifest on the SUT:

        dsc_package {'package_test':
          dsc_ensure   => 'Present',
          dsc_username => 'unicode',
          dsc_password => {'user' => 'unicode', 'password' => ''}
        }

      Expect

      The Puppet apply should fail with a reasonable error message.

      Actual

      The DSC module crashes with the same output shown under Description above.
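
The "Expect" behaviour (fail with a reasonable error message) can be reached by letting the empty string through parameter binding and rejecting it inside the script's own error handling. The PowerShell below is an added example, not code from this ticket or from the puppetlabs-dsc module; `New-ValidatedCredential` and `Get-CredentialCheckResponse` are hypothetical names and the inputs are constructed.

```powershell
# Hypothetical variant of the ticket's new-pscredential helper.
function New-ValidatedCredential
{
  [CmdletBinding()]
  param (
    [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
    [string]
    $user,

    # AllowEmptyString lets '' get past the parameter binder, so the function
    # body (not a ParameterBindingValidationException) decides what to report.
    [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
    [AllowEmptyString()]
    [string]
    $password
  )

  process {
    if ([string]::IsNullOrEmpty($password)) {
      throw "PSCredential for user '$user' has an empty password; supply a non-empty 'password' value."
    }
    $secpasswd = ConvertTo-SecureString $password -AsPlainText -Force
    New-Object System.Management.Automation.PSCredential ($user, $secpasswd)
  }
}

# Builds the same response shape the generated script in the ticket returns.
function Get-CredentialCheckResponse
{
  param ([hashtable] $Credential)

  $response = @{ indesiredstate = $false; rebootrequired = $false; errormessage = '' }
  try {
    # The credential is built inside try, so a bad value lands in
    # errormessage instead of terminating the script with exit code 1.
    $null = [PSCustomObject]$Credential | New-ValidatedCredential
  } catch {
    $response.errormessage = $_.Exception.Message
  }
  return ($response | ConvertTo-Json -Compress)
}

# Constructed inputs: the failing value from the ticket, then a non-empty one.
Get-CredentialCheckResponse @{ user = 'incorrect'; password = '' }
Get-CredentialCheckResponse @{ user = 'incorrect'; password = 'Constructed-Sample-1' }
```

The failure in the ticket prints the whole generated script, credential literal included, so handling the bad value inside the script also keeps that text out of the reported error.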

            People

              ryan.gard Ryan Gard