Merge pull request #1188 from jensotto/enable-trustedrootauthority-pa…

…th-and-thumbprint

SPTrustedRootAuthority: Enable specifying both path and thumbprint

CHANGELOG.md

@@ -30,6 +30,9 @@ resources:
   - Discontinued CrawlEverything, CrawlFirstOnly and null as allowable CrawlSetting
     values for a SharePoint based content source, requiring CrawlVirtualServers or
     CrawlSites
+- SPTrustedRootAuthority
+  - It's now possible to specify both CertificateFilePath and CertificateThumbprint
+    so that the certificate thumbprint can be verified before importing.
 - SPUserProfileServiceApp
   - Changed the MySiteHostLocation parameter to a required parameter
 - SPWebAppAuthentication

SharePointDsc/DSCResources/MSFT_SPTrustedIdentityTokenIssuer/readme.md

@@ -7,7 +7,10 @@ This resource is used to create or remove SPTrustedIdentityTokenIssuer in a
 SharePoint farm.
 
 Either parameter SigningCertificateThumbPrint or SigningCertificateFilePath
-must be set, but not both.
+must be set. If specifying both SigningCertificateThumbPrint and
+SigningCertificateFilePath, the certificate thumbprint will be verified
+with the specified SigningCertificateThumbPrint. If the thumbprints doesn't
+match an exception will be thrown.
 
 The SigningCertificateThumbPrint must be the thumbprint of the signing
 certificate stored in the certificate store LocalMachine\My of the server

SharePointDsc/DSCResources/MSFT_SPTrustedRootAuthority/MSFT_SPTrustedRootAuthority.psm1

@@ -33,23 +33,17 @@ function Get-TargetResource
 
     Write-Verbose "Getting Trusted Root Authority with name '$Name'"
 
-    if ($PSBoundParameters.ContainsKey("CertificateThumbprint") -and `
-            $PSBoundParameters.ContainsKey("CertificateFilePath"))
-    {
-        Write-Verbose -Message ("Cannot use both parameters CertificateThumbprint and " + `
-                "CertificateFilePath at the same time.")
-    }
-
     if (-not ($PSBoundParameters.ContainsKey("CertificateThumbprint")) -and `
             -not($PSBoundParameters.ContainsKey("CertificateFilePath")))
     {
         Write-Verbose -Message ("At least one of the following parameters must be specified: " + `
                 "CertificateThumbprint, CertificateFilePath.")
     }
 
-    if ($PSBoundParameters.ContainsKey("CertificateFilePath"))
+    if ($PSBoundParameters.ContainsKey("CertificateFilePath") -and `
+            -not ($PSBoundParameters.ContainsKey("CertificateThumbprint")))
     {
-        if (-not(Test-Path -Path $CertificateFilePath))
+        if (-not (Test-Path -Path $CertificateFilePath))
         {
             throw ("Specified CertificateFilePath does not exist: $CertificateFilePath")
         }
@@ -118,23 +112,17 @@ function Set-TargetResource
 
     Write-Verbose -Message "Setting SPTrustedRootAuthority '$Name'"
 
-    if ($PSBoundParameters.ContainsKey("CertificateThumbprint") -and `
-            $PSBoundParameters.ContainsKey("CertificateFilePath"))
-    {
-        throw ("Cannot use both parameters CertificateThumbprint and CertificateFilePath " + `
-                "at the same time.")
-    }
-
     if (-not ($PSBoundParameters.ContainsKey("CertificateThumbprint")) -and `
             -not($PSBoundParameters.ContainsKey("CertificateFilePath")))
     {
         throw ("At least one of the following parameters must be specified: " + `
                 "CertificateThumbprint, CertificateFilePath.")
     }
 
-    if ($PSBoundParameters.ContainsKey("CertificateFilePath"))
+    if ($PSBoundParameters.ContainsKey("CertificateFilePath") -and `
+            -not ($PSBoundParameters.ContainsKey("CertificateThumbprint")))
     {
-        if (-not(Test-Path -Path $CertificateFilePath))
+        if (-not (Test-Path -Path $CertificateFilePath))
         {
             throw ("Specified CertificateFilePath does not exist: $CertificateFilePath")
         }
@@ -149,18 +137,6 @@ function Set-TargetResource
             -ScriptBlock {
             $params = $args[0]
 
-            if ($params.ContainsKey("CertificateThumbprint"))
-            {
-                Write-Verbose -Message "Importing certificate from CertificateThumbprint"
-                $cert = Get-Item -Path "CERT:\LocalMachine\My\$($params.CertificateThumbprint)" `
-                    -ErrorAction SilentlyContinue
-
-                if ($null -eq $cert)
-                {
-                    throw "Certificate not found in the local Certificate Store"
-                }
-            }
-
             if ($params.ContainsKey("CertificateFilePath"))
             {
                 Write-Verbose -Message "Importing certificate from CertificateFilePath"
@@ -178,6 +154,25 @@ function Set-TargetResource
                 {
                     throw "Import of certificate failed."
                 }
+
+                if ($params.ContainsKey("CertificateThumbprint"))
+                {
+                    if (-not $params.CertificateThumbprint.Equals($cert.Thumbprint))
+                    {
+                        throw "Imported certificate thumbprint ($($cert.Thumbprint)) does not match expected thumbprint ($($params.CertificateThumbprint))."
+                    }
+                }
+            }
+            else
+            {
+                Write-Verbose -Message "Importing certificate from CertificateThumbprint"
+                $cert = Get-Item -Path "CERT:\LocalMachine\My\$($params.CertificateThumbprint)" `
+                    -ErrorAction SilentlyContinue
+
+                if ($null -eq $cert)
+                {
+                    throw "Certificate not found in the local Certificate Store"
+                }
             }
 
             if ($cert.HasPrivateKey)
@@ -202,18 +197,6 @@ function Set-TargetResource
             -ScriptBlock {
             $params = $args[0]
 
-            if ($params.ContainsKey("CertificateThumbprint"))
-            {
-                Write-Verbose -Message "Importing certificate from CertificateThumbprint"
-                $cert = Get-Item -Path "CERT:\LocalMachine\My\$($params.CertificateThumbprint)" `
-                    -ErrorAction SilentlyContinue
-
-                if ($null -eq $cert)
-                {
-                    throw "Certificate not found in the local Certificate Store"
-                }
-            }
-
             if ($params.ContainsKey("CertificateFilePath"))
             {
                 Write-Verbose -Message "Importing certificate from CertificateFilePath"
@@ -231,6 +214,25 @@ function Set-TargetResource
                 {
                     throw "Import of certificate failed."
                 }
+
+                if ($params.ContainsKey("CertificateThumbprint"))
+                {
+                    if (-not $params.CertificateThumbprint.Equals($cert.Thumbprint))
+                    {
+                        throw "Imported certificate thumbprint ($($cert.Thumbprint)) does not match expected thumbprint ($($params.CertificateThumbprint))."
+                    }
+                }
+            }
+            else
+            {
+                Write-Verbose -Message "Importing certificate from CertificateThumbprint"
+                $cert = Get-Item -Path "CERT:\LocalMachine\My\$($params.CertificateThumbprint)" `
+                    -ErrorAction SilentlyContinue
+
+                if ($null -eq $cert)
+                {
+                    throw "Certificate not found in the local Certificate Store"
+                }
             }
 
             if ($cert.HasPrivateKey)
@@ -289,26 +291,29 @@ function Test-TargetResource
 
     Write-Verbose -Message "Testing SPTrustedRootAuthority '$Name'"
 
-    if ($PSBoundParameters.ContainsKey("CertificateThumbprint") -and `
-            $PSBoundParameters.ContainsKey("CertificateFilePath"))
-    {
-        throw ("Cannot use both parameters CertificateThumbprint and CertificateFilePath " + `
-                "at the same time.")
-    }
-
     if (-not ($PSBoundParameters.ContainsKey("CertificateThumbprint")) -and `
             -not($PSBoundParameters.ContainsKey("CertificateFilePath")))
     {
         throw ("At least one of the following parameters must be specified: " + `
                 "CertificateThumbprint, CertificateFilePath.")
     }
 
+    if ($PSBoundParameters.ContainsKey("CertificateFilePath") -and `
+            -not ($PSBoundParameters.ContainsKey("CertificateThumbprint")))
+    {
+        if (-not (Test-Path -Path $CertificateFilePath))
+        {
+            throw ("Specified CertificateFilePath does not exist: $CertificateFilePath")
+        }
+    }
+
     $CurrentValues = Get-TargetResource @PSBoundParameters
 
     Write-Verbose -Message "Current Values: $(Convert-SPDscHashtableToString -Hashtable $CurrentValues)"
     Write-Verbose -Message "Target Values: $(Convert-SPDscHashtableToString -Hashtable $PSBoundParameters)"
 
-    if ($PSBoundParameters.ContainsKey("CertificateFilePath"))
+    if ($PSBoundParameters.ContainsKey("CertificateFilePath") -and `
+            -not ($PSBoundParameters.ContainsKey("CertificateThumbprint")))
     {
         Write-Verbose "Retrieving thumbprint of CertificateFilePath"
         $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2