acl_add always skipped due to only_if

[ruicovelo]

Hi!

I was trying to add permission to my certificate key file using this:
windows_certificate certificate_thumbprint do private_key_acl ['NT AUTHORITY\NETWORK SERVICE'] action :acl_add end

The permissions were never added. I noticed in the log that the action to set permissions was being skipped due to only_if.

I am new to ruby and new to chef but in action :acl_add do this does not seem right:
code_script = guard_script = ''

if your then setting guard_script like this:
guard_script << cert_exists_script(hash)

Actually I also don't understand how only_if guard_script could possibly work. I would love to fix this myself but as I said I am not sure what I am doing.

As a workaround from myself I am removing only_if altogether

[mwrock]

Here is what that resource does: if certificate_thumbprint is an existing file path:
if ::File.exist?(new_resource.source)
It creates an X509Certificate and adds it to the node's certificate store
code_script = guard_script = cert_script(false)
If it is not an existing file, it is assumed to be a thumbprint of an existing certificate and the guard script then just ensures that the cert is present:

def cert_exists_script(hash)
  <<-EOH
$hash = #{hash}
Test-Path "Cert:\\#{@location}\\#{new_resource.store_name}\\$hash"
EOH
end

I'm betting that your issue is related to the fact that you are missing a store_name attribute. So it looks in the root where I'm pretty sure it will never find them.

Try adding the store_name and if things still do not work try validating on the node by running:

Test-Path Cert:\LocalMachine\<store name>\<thumbprint>

If things work, I'd say the bug here is bad (no) error messaging. And the fix would be to add some more validation and useful messaging.

So report back and I'd be happy to point you in the right direction to add that if you were interested or make sure it happens on my end.

[ruicovelo]

I validated all powershell scripts and they all return what is expected.

Actually if you do this in this sequence (which is what happens when you specify a thumbprint)
code_script = guard_script = ''
code_script << acl_script(hash
guard_script << cert_exists_script(hash)

Because of that first assignment, guard_script will be a concatenation of '' + acl_script + code_exists_script.

Also I don't know how only_if will work anyway... Shouldn't it be ruby code there?

[mwrock]

That's actually the code that runs if a file path is given and not a thumbprint. Guards can have different interpreters and powershell is the default interpreter for the powershell_script resource.

If you are passing a thumbprint, the guard will not coverage the resource if it can't find the cert in the store.

[ruicovelo]

Thanks for the explanation!

I reverted back my workaround and I can no longer reproduce the issue. I am puzzled by I see no point in keeping this issue.

Thanks again!

[ruicovelo]

I got to reproduce the problem again when I ran the recipe with chef-client version 11.16.4. I cannot reproduce it with chef-client 12.3.0.

I still think code_script = guard_script = '' should not be used because, event thou it works, this makes the guard_script a concatenation of both code_script and what the guard_script should be. Therefore code_script is being executed twice. Can I propose a fix?

[mwrock]

You can absolutely propose a fix, but is that related to this issue? Do you think that is why your acl_add is incorrectly being skipped? I thought you were using a thumbprint.

[ruicovelo]

No. It's something I found during debugging this issue but it is not related to this issue. Closed!