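# Idempotent method for installing RSA key containers (IIS) by Matt Borja
#
# Writes the exported key container XML to $key_container_filename, imports it
# into the machine-level RSA key store (aspnet_regiis -pi), empties the file
# again, and optionally grants $grantee access to the container (-pa).
# The create step is skipped when a file under $machine_keys_search_path
# already contains $key_container, and every later step is refreshonly and
# chained off it, which is what makes repeated runs a no-op.
#
# Every value interpolated into a PowerShell command is placed in a
# single-quoted PowerShell string (embedded ' doubled), so PowerShell never
# expands $name, $(...) or backtick sequences that may occur in the values.
# With double-quoted PowerShell strings only " was escaped, so such sequences
# would have been expanded or executed.
#
# @param key_container            Name of the RSA key container to install
# @param key_container_filename   Scratch file the exported XML is written to
# @param key_container_content    Exported key container XML; only ever
#                                 placed in a Sensitive exec command
# @param grantee                  Optional account to grant container access
# @param machine_keys_search_path Glob searched for an existing container
define iis::rsa_install (
  $key_container,
  $key_container_filename,
  $key_container_content,
  $grantee = undef,
  $machine_keys_search_path = "C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*"
) {
  $aspnet_regiis_bin = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_regiis.exe"

  # NOTE(review): basename() runs during catalog compilation; if the compiler
  # is not Windows a backslash-separated path may come back unchanged. This
  # only affects the resource titles below, not the commands.
  $container_label = basename($key_container_filename)

  $create_key_container_task  = "Create key container (${container_label})"
  $import_key_container_task  = "Import key container (${container_label})"
  $grant_key_container_task   = "Grant key container (${container_label})"
  $cleanup_key_container_task = "Cleanup key container (${container_label})"

  # Escape for a single-quoted PowerShell string: the only special character
  # in that context is ', written as ''. $grantee is escaped on its own
  # branch below because regsubst() does not accept undef.
  $key_container_ps            = regsubst($key_container, "'", "''", 'G')
  $key_container_filename_ps   = regsubst($key_container_filename, "'", "''", 'G')
  $key_container_content_ps    = regsubst($key_container_content, "'", "''", 'G')
  $machine_keys_search_path_ps = regsubst($machine_keys_search_path, "'", "''", 'G')

  # Enforce empty file with explicit permissions before writing content.
  # This also re-empties the file on the next run should the import exec
  # below fail after the content was written (cleanup is refreshonly).
  # TODO: Pair with file scrubbing?
  file { $key_container_filename:
    ensure  => file,
    owner   => "Administrator",
    group   => "Administrators",
    mode    => "0660", # 0660 enables manual Puppet runs
    content => "",
    # checksum => "sha256",
    # checksum_value => "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", # empty file
  }

  # The command carries the key material, so it is wrapped in Sensitive to
  # keep it out of logs and reports. The unless check uses -SimpleMatch so the
  # container name is matched literally rather than as a regular expression,
  # and -Quiet so the result is a plain boolean.
  exec { $create_key_container_task:
    provider => "powershell",
    command  => Sensitive.new("Set-Content -Force -Path '${key_container_filename_ps}' -Value '${key_container_content_ps}'"),
    unless   => "if (Select-String -Path '${machine_keys_search_path_ps}' -Pattern '${key_container_ps}' -SimpleMatch -Quiet) { Exit 0 } else { Exit 1 }",
    require  => File[$key_container_filename],
  }

  # Only runs in the run where the scratch file was (re)written.
  exec { $import_key_container_task:
    provider    => "powershell",
    command     => "${aspnet_regiis_bin} -pi '${key_container_ps}' '${key_container_filename_ps}'",
    refreshonly => true,
    subscribe   => Exec[$create_key_container_task],
  }

  # Clear-Content truncates the file but does not overwrite the blocks that
  # held the key material.
  # TODO: Refactor with secure file overwrite (https://gallery.technet.microsoft.com/scriptcenter/Secure-File-Remove-by-110adb68)
  exec { $cleanup_key_container_task:
    provider    => "powershell",
    command     => "Clear-Content -Force '${key_container_filename_ps}'",
    refreshonly => true,
    subscribe   => Exec[$import_key_container_task],
  }

  if $grantee != undef {
    $grantee_ps = regsubst($grantee, "'", "''", 'G')

    exec { $grant_key_container_task:
      provider    => "powershell",
      command     => "${aspnet_regiis_bin} -pa '${key_container_ps}' '${grantee_ps}'",
      refreshonly => true,
      subscribe   => Exec[$import_key_container_task],
    }
  }
}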