Merge pull request #1208 from Gijsreyn/gh-1207/main/fix-support-securestring

SteveL-MSFT · web-flow · commit 33d2f649917d · 2025-10-27T17:46:17.000Z
Add support for `[SecureString]` in PowerShell adapter
diff --git a/adapters/powershell/Tests/TestClassResource/0.0.1/TestClassResource.psm1 b/adapters/powershell/Tests/TestClassResource/0.0.1/TestClassResource.psm1
@@ -40,6 +40,9 @@ class TestClassResource : BaseTestClass
     [DscProperty()]
     [Ensure] $Ensure
 
+    [DscProperty()]
+    [SecureString] $SecureStringProp
+
     [string] $NonDscProperty # This property shouldn't be in results data
 
     hidden
diff --git a/adapters/powershell/Tests/powershellgroup.resource.tests.ps1 b/adapters/powershell/Tests/powershellgroup.resource.tests.ps1
@@ -376,4 +376,11 @@ Describe 'PowerShell adapter resource tests' {
         $LASTEXITCODE | Should -Be 7
         Get-Content -Path $TestDrive/error.log | Should -Match 'Resource not found: TestClassResource/TestClassResource 0.0.2'
     }
+
+    It 'Can process SecureString property' {
+        $r = '{"Name":"TestClassResource1","SecureStringProp":"MySecretValue"}' | dsc resource get -r 'TestClassResource/TestClassResource' -f -
+        $LASTEXITCODE | Should -Be 0
+        $res = $r | ConvertFrom-Json
+        $res.actualState.SecureStringProp | Should -Not -BeNullOrEmpty
+    }
 }
diff --git a/adapters/powershell/psDscAdapter/psDscAdapter.psm1 b/adapters/powershell/psDscAdapter/psDscAdapter.psm1
@@ -424,9 +424,9 @@ function Invoke-DscOperation {
                         # set each property of $dscResourceInstance to the value of the property in the $desiredState INPUT object
                         $DesiredState.properties.psobject.properties | ForEach-Object -Process {
                             # handle input objects by converting them to a hash table
+                            $validateProperty = $cachedDscResourceInfo.Properties | Where-Object -Property Name -EQ $_.Name
                             if ($_.Value -is [System.Management.Automation.PSCustomObject]) {
-                                $validateProperty = $cachedDscResourceInfo.Properties | Where-Object -Property Name -EQ $_.Name
-                                if ($validateProperty -and $validateProperty.PropertyType -eq 'PSCredential') {
+                                if ($validateProperty -and $validateProperty.PropertyType -in @('PSCredential', 'System.Management.Automation.PSCredential')) {
                                     if (-not $_.Value.Username -or -not $_.Value.Password) {
                                         "Credential object '$($_.Name)' requires both 'username' and 'password' properties" | Write-DscTrace -Operation Error
                                         exit 1
@@ -438,7 +438,11 @@ function Invoke-DscOperation {
                                 }
                             }
                             else {
-                                $dscResourceInstance.$($_.Name) = $_.Value
+                                if ($validateProperty -and $validateProperty.PropertyType -in @('SecureString', 'System.Security.SecureString') -and -not [string]::IsNullOrEmpty($_.Value)) {
+                                    $dscResourceInstance.$($_.Name) = ConvertTo-SecureString -AsPlainText $_.Value -Force   
+                                } else {
+                                    $dscResourceInstance.$($_.Name) = $_.Value
+                                }
                             }
                         }
                     }

Original file line number	Diff line number	Diff line change
`@@ -376,4 +376,11 @@ Describe 'PowerShell adapter resource tests' {`
`376`	`376`	`$LASTEXITCODE \| Should -Be 7`
`377`	`377`	`Get-Content -Path $TestDrive/error.log \| Should -Match 'Resource not found: TestClassResource/TestClassResource 0.0.2'`
`378`	`378`	`}`
	`379`	`+`
	`380`	`+ It 'Can process SecureString property' {`
	`381`	`+ $r = '{"Name":"TestClassResource1","SecureStringProp":"MySecretValue"}' \| dsc resource get -r 'TestClassResource/TestClassResource' -f -`
	`382`	`+ $LASTEXITCODE \| Should -Be 0`
	`383`	`+ $res = $r \| ConvertFrom-Json`
	`384`	`+ $res.actualState.SecureStringProp \| Should -Not -BeNullOrEmpty`
	`385`	`+ }`
`379`	`386`	`}`
Original file line number	Diff line number	Diff line change
`@@ -424,9 +424,9 @@ function Invoke-DscOperation {`
`424`	`424`	`# set each property of $dscResourceInstance to the value of the property in the $desiredState INPUT object`
`425`	`425`	`$DesiredState.properties.psobject.properties \| ForEach-Object -Process {`
`426`	`426`	`# handle input objects by converting them to a hash table`
	`427`	`+ $validateProperty = $cachedDscResourceInfo.Properties \| Where-Object -Property Name -EQ $_.Name`
`427`	`428`	`if ($_.Value -is [System.Management.Automation.PSCustomObject]) {`
`428`		`- $validateProperty = $cachedDscResourceInfo.Properties \| Where-Object -Property Name -EQ $_.Name`
`429`		`- if ($validateProperty -and $validateProperty.PropertyType -eq 'PSCredential') {`
	`429`	`+ if ($validateProperty -and $validateProperty.PropertyType -in @('PSCredential', 'System.Management.Automation.PSCredential')) {`
`430`	`430`	`if (-not $_.Value.Username -or -not $_.Value.Password) {`
`431`	`431`	`"Credential object '$($_.Name)' requires both 'username' and 'password' properties" \| Write-DscTrace -Operation Error`
`432`	`432`	`exit 1`
`@@ -438,7 +438,11 @@ function Invoke-DscOperation {`
`438`	`438`	`}`
`439`	`439`	`}`
`440`	`440`	`else {`
`441`		`- $dscResourceInstance.$($_.Name) = $_.Value`
	`441`	`+ if ($validateProperty -and $validateProperty.PropertyType -in @('SecureString', 'System.Security.SecureString') -and -not [string]::IsNullOrEmpty($_.Value)) {`
	`442`	`+ $dscResourceInstance.$($_.Name) = ConvertTo-SecureString -AsPlainText $_.Value -Force`
	`443`	`+ } else {`
	`444`	`+ $dscResourceInstance.$($_.Name) = $_.Value`
	`445`	`+ }`
`442`	`446`	`}`
`443`	`447`	`}`
`444`	`448`	`}`