Merge pull request #564 from Icinga:fix/securestring_argument_not_wor…

…king_with_rest-api Fix: SecureString arguments not working with REST-Api Fixes checks like MSSQL using arguments of type `SecureString` not being usable with the Icinga for Windows REST-Api
Icinga · Aug 27, 2022 · fa66de0 · fa66de0
2 parents 8dff45c + ab0d391
commit fa66de0
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/doc/100-General/10-Changelog.md b/doc/100-General/10-Changelog.md
@@ -28,6 +28,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 * [#553](https://github.com/Icinga/icinga-powershell-framework/pull/553) Fixes an exception caused by service recovery setting, if the required service was not installed before
 * [#556](https://github.com/Icinga/icinga-powershell-framework/pull/556) Fixes the certificate folder not present during first installation, preventing permissions properly set from the start which might cause issues once required
 * [#562](https://github.com/Icinga/icinga-powershell-framework/pull/562) Fixes corrupt Performance Data, in case plugins were executed inside a JEA context without the REST-Api
+* [#563](https://github.com/Icinga/icinga-powershell-framework/pull/563) Fixes checks like MSSQL using arguments of type `SecureString` not being usable with the Icinga for Windows REST-Api
 
 ### Enhancements
 

diff --git a/lib/core/framework/Invoke-IcingaInternalServiceCall.psm1 b/lib/core/framework/Invoke-IcingaInternalServiceCall.psm1
@@ -46,6 +46,18 @@ function Invoke-IcingaInternalServiceCall()
         $Timeout = $Daemon['Timeout'];
     }
 
+    # In case we are using SecureStrings for credentials, we have to convert them back to regular strings
+    # before pushing them to the REST-Api
+    [array]$CommandArguments = $Arguments.Keys;
+
+    foreach ($arg in $CommandArguments) {
+        $Value = $Arguments[$arg];
+
+        if ($Value -Is [SecureString]) {
+            $Arguments[$arg] = ConvertFrom-IcingaSecureString -SecureString $Value;
+        }
+    }
+
     Set-IcingaTLSVersion;
     Enable-IcingaUntrustedCertificateValidation -SuppressMessages;
 

diff --git a/lib/daemons/modules/ApiChecks/Invoke-IcingaApiChecksRESTCall.psm1 b/lib/daemons/modules/ApiChecks/Invoke-IcingaApiChecksRESTCall.psm1
@@ -71,6 +71,14 @@ function Invoke-IcingaApiChecksRESTCall()
             # Convert our JSON config for checks to a PSCustomObject
             $PSArguments = ConvertFrom-Json -InputObject $CheckConfig;
 
+            # Read the command definition and arguments type, to ensure we properly handle SecureStrings
+            $CommandHelp    = Get-Help -Name $ExecuteCommand -Full;
+            $CommandDetails = @{ };
+
+            foreach ($parameter in $CommandHelp.parameters.parameter) {
+                $CommandDetails.Add($parameter.Name, $parameter.Type.Name);
+            }
+
             # For executing the checks, we will require the data as
             # hashtable, so declare it here
             [hashtable]$Arguments = @{ };
@@ -79,10 +87,17 @@ function Invoke-IcingaApiChecksRESTCall()
             # a valid hashtable, allowing us to parse arguments
             # to our check command
             $PSArguments.PSObject.Properties | ForEach-Object {
+                $CmdArgValue = $_.Value;
+
+                # Ensure we convert strings to SecureString, in case the plugin argument requires it
+                if ($CommandDetails.ContainsKey($_.Name) -And $CommandDetails[$_.Name] -Like 'SecureString') {
+                    $CmdArgValue = ConvertTo-IcingaSecureString -String $_.Value;
+                }
+
                 Add-IcingaHashtableItem `
                     -Hashtable $Arguments `
                     -Key $_.Name `
-                    -Value $_.Value | Out-Null;
+                    -Value $CmdArgValue | Out-Null;
             };
 
             [int]$ExitCode = & $ExecuteCommand @Arguments;