Merge pull request #252 from jakehildreth/main

Syncing testing to main

Author: jakehildreth

.github/ISSUE_TEMPLATE/bug_report.md

@@ -7,20 +7,21 @@ assignees: ''
 
 ---
 
-**Describe the Bug**
+## Describe the Bug
 <!-- A clear and concise description of what the bug is. -->
 
-**Steps To Reproduce**
+### Steps To Reproduce
 <!-- Steps to reproduce the behavior: -->
 
-**Expected Behavior**
+### Expected Behavior
 <!-- A clear and concise description of what you expected to happen. -->
 
-**Environment**
- - Locksmith Version: [e.g. 2024.8]
- - OS: [e.g. Windows Server 2019]
- - PowerShell Version: [e.g. Windows PowerShell 5.1 or PowerShell 7.4.5]
- - PowerShell Host: [e.g. Windows Terminal, PowerShell, PowerShell ISE, VS Code Terminal
+### Environment
 
-**Additional Context**
+- Locksmith Version: (e.g. 2024.8)
+- OS: (e.g. Windows Server 2019)
+- PowerShell Version: (e.g. Windows PowerShell 5.1 or PowerShell 7.5.1)
+- PowerShell Host: (e.g. Windows Terminal, PowerShell, PowerShell ISE, VS Code Terminal)
+
+### Additional Context
 <!-- Add any other context or screenshots of the problem here. -->

.github/workflows/mega-linter.yml

@@ -13,7 +13,7 @@ on:
     # branches:
       # - main
       # - testing
-  # workflow_dispatch:
+  workflow_dispatch:
 
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
@@ -45,7 +45,7 @@ jobs:
         # You can override MegaLinter flavor used to have faster performances
         # More info at https://megalinter.io/flavors/
         # The dotnet flavor includes PowerShell, MD, YAML, JSON, spelling, and more.
-        uses: oxsecurity/megalinter/flavors/dotnet@v8.3.0
+        uses: oxsecurity/megalinter/flavors/dotnet@v8.7.0
 
         id: ml
 

CHANGELOG.MD

@@ -1,6 +1,6 @@
 # https://github.com/readthedocs-examples/example-mkdocs-basic/blob/main/docs/requirements.txt
 # requirements.txt
-jinja2==3.1.5  #https://pypi.org/project/Jinja2/
+jinja2==3.1.6  #https://pypi.org/project/Jinja2/
 mkdocs>=1.6.0  #https://github.com/mkdocs/mkdocs
 mkdocs-material==9.5.25  #https://github.com/squidfunk/mkdocs-material
 pygments>=2.18.0  #https://pypi.org/project/Pygments/

Docs/requirements.txt

@@ -2043,7 +2043,7 @@ function Get-CAHostObject {
     [CmdletBinding()]
     param (
         [parameter(
-            Mandatory = $true,
+            Mandatory,
             ValueFromPipeline = $true)]
         [Microsoft.ActiveDirectory.Management.ADEntity[]]$ADCSObjects,
         [System.Management.Automation.PSCredential]$Credential,
@@ -2053,20 +2053,20 @@ function Get-CAHostObject {
         if ($Credential) {
             $ADCSObjects | Where-Object objectClass -Match 'pKIEnrollmentService' | ForEach-Object {
                 if ($_.CAHostDistinguishedName) {
-                    Get-ADObject $_.CAHostDistinguishedName -Properties * -Server $ForestGC -Credential $Credential 
+                    Get-ADObject $_.CAHostDistinguishedName -Properties * -Server $ForestGC -Credential $Credential
                 }
                 else {
-                    Write-Warning "Get-CAHostObject: Unable to get information from $($_.DisplayName)" 
+                    Write-Warning "Get-CAHostObject: Unable to get information from $($_.DisplayName)"
                 }
             }
         }
         else {
             $ADCSObjects | Where-Object objectClass -Match 'pKIEnrollmentService' | ForEach-Object {
                 if ($_.CAHostDistinguishedName) {
-                    Get-ADObject -Identity $_.CAHostDistinguishedName -Properties * -Server $ForestGC 
+                    Get-ADObject -Identity $_.CAHostDistinguishedName -Properties * -Server $ForestGC
                 }
                 else {
-                    Write-Warning "Get-CAHostObject: Unable to get information from $($_.DisplayName)" 
+                    Write-Warning "Get-CAHostObject: Unable to get information from $($_.DisplayName)"
                 }
             }
         }
@@ -3029,7 +3029,7 @@ function Set-AdditionalCAProperty {
     [CmdletBinding(SupportsShouldProcess)]
     param (
         [parameter(
-            Mandatory = $true,
+            Mandatory,
             ValueFromPipeline = $true)]
         [Microsoft.ActiveDirectory.Management.ADEntity[]]$ADCSObjects,
         [PSCredential]$Credential,
@@ -3134,10 +3134,10 @@ function Set-AdditionalCAProperty {
                 $CAHostFQDN = (Get-ADObject -Filter { (Name -eq $CAHostName) -and (objectclass -eq 'computer') } -Properties DnsHostname -Server $ForestGC).DnsHostname
             }
             $ping = if ($CAHostFQDN) {
-                Test-Connection -ComputerName $CAHostFQDN -Count 1 -Quiet 
+                Test-Connection -ComputerName $CAHostFQDN -Count 1 -Quiet
             }
             else {
-                Write-Warning "Unable to resolve $($_.Name) Fully Qualified Domain Name (FQDN)" 
+                Write-Warning "Unable to resolve $($_.Name) Fully Qualified Domain Name (FQDN)"
             }
             if ($ping) {
                 try {
@@ -3727,23 +3727,23 @@ function Set-RiskRating {
             switch ($Issue.objectClass) {
                 # Being able to modify Root CA Objects is very bad.
                 'certificationAuthority' {
-                    $RiskValue += 2; $RiskScoring += 'Root Certification Authority bject: +2' 
+                    $RiskValue += 2; $RiskScoring += 'Root Certification Authority bject: +2'
                 }
                 # Being able to modify Issuing CA Objects is also very bad.
                 'pKIEnrollmentService' {
-                    $RiskValue += 2; $RiskScoring += 'Issuing Certification Authority Object: +2' 
+                    $RiskValue += 2; $RiskScoring += 'Issuing Certification Authority Object: +2'
                 }
                 # Being able to modify CA Hosts? Yeah... very bad.
                 'computer' {
-                    $RiskValue += 2; $RiskScoring += 'Certification Authority Host Computer: +2' 
+                    $RiskValue += 2; $RiskScoring += 'Certification Authority Host Computer: +2'
                 }
                 # Being able to modify OIDs could result in ESC13 vulns.
                 'msPKI-Enterprise-Oid' {
-                    $RiskValue += 1; $RiskScoring += 'OID: +1' 
+                    $RiskValue += 1; $RiskScoring += 'OID: +1'
                 }
                 # Being able to modify PKS containers is bad.
                 'container' {
-                    $RiskValue += 1; $RiskScoring += 'Container: +1' 
+                    $RiskValue += 1; $RiskScoring += 'Container: +1'
                 }
             }
         }
@@ -3764,19 +3764,19 @@ function Set-RiskRating {
     # Convert Value to Name
     $RiskName = switch ($RiskValue) {
         { $_ -le 1 } {
-            'Informational' 
+            'Informational'
         }
         2 {
-            'Low' 
+            'Low'
         }
         3 {
-            'Medium' 
+            'Medium'
         }
         4 {
-            'High' 
+            'High'
         }
         { $_ -ge 5 } {
-            'Critical' 
+            'Critical'
         }
     }
 
@@ -4335,7 +4335,7 @@ Set-Acl -Path `$Path -AclObject `$ACL
 "@
             }
             4 {
-                break 
+                break
             }
             5 {
                 $Issue.Fix = @"
@@ -4670,15 +4670,15 @@ Function Write-HostColorized {
     #   * At least for now, we remain PSv2-COMPATIBLE.
     #   * Thus:
     #     * no `[ordered]`, `::new()`, `[pscustomobject]`, ...
-    #     * No implicit Boolean properties in [CmdletBinding()] and [Parameter()] attributes (`Mandatory = $true` instead of just `Mandatory`)
+    #     * No implicit Boolean properties in [CmdletBinding()] and [Parameter()] attributes (`Mandatory` instead of just `Mandatory`)
     # ===
 
     [CmdletBinding(DefaultParameterSetName = 'SingleColor')]
     param(
-        [Parameter(ParameterSetName = 'SingleColor', Position = 0, Mandatory = $True)] [string[]] $Pattern,
+        [Parameter(ParameterSetName = 'SingleColor', Position = 0, Mandatory)] [string[]] $Pattern,
         [Parameter(ParameterSetName = 'SingleColor', Position = 1)] [ConsoleColor] $ForegroundColor = [ConsoleColor]::Yellow,
         [Parameter(ParameterSetName = 'SingleColor', Position = 2)] [ConsoleColor] $BackgroundColor,
-        [Parameter(ParameterSetName = 'PerPatternColor', Position = 0, Mandatory = $True)] [System.Collections.IDictionary] $PatternColorMap,
+        [Parameter(ParameterSetName = 'PerPatternColor', Position = 0, Mandatory)] [System.Collections.IDictionary] $PatternColorMap,
         [Parameter(ValueFromPipeline = $True)] $InputObject,
         [switch] $WholeLine,
         [switch] $SimpleMatch,
@@ -4706,10 +4706,10 @@ Function Write-HostColorized {
             # We precompile them for better performance with many input objects.
             [System.Text.RegularExpressions.RegexOptions] $reOpts =
             if ($CaseSensitive) {
-                'Compiled, ExplicitCapture' 
+                'Compiled, ExplicitCapture'
             }
             else {
-                'Compiled, ExplicitCapture, IgnoreCase' 
+                'Compiled, ExplicitCapture, IgnoreCase'
             }
 
             # Transform the dictionary:
@@ -4731,10 +4731,10 @@ Function Write-HostColorized {
                 }
                 $colorArgs = @{ }
                 if ($fg) {
-                    $colorArgs['ForegroundColor'] = [ConsoleColor] $fg 
+                    $colorArgs['ForegroundColor'] = [ConsoleColor] $fg
                 }
                 if ($bg) {
-                    $colorArgs['BackgroundColor'] = [ConsoleColor] $bg 
+                    $colorArgs['BackgroundColor'] = [ConsoleColor] $bg
                 }
 
                 # Consolidate the patterns into a single pattern with alternation ('|'),
@@ -4753,7 +4753,7 @@ Function Write-HostColorized {
             }
         }
         catch {
-            throw 
+            throw
         }
 
         # Construct the arguments to pass to Out-String.
@@ -4776,7 +4776,7 @@ Function Write-HostColorized {
                     foreach ($m in $entry.Key.Matches($_)) {
                         @{ Index = $m.Index; Text = $m.Value; ColorArgs = $entry.Value }
                         if ($WholeLine) {
-                            break patternLoop 
+                            break patternLoop
                         }
                     }
                 }

Invoke-Locksmith.ps1

@@ -31,7 +31,7 @@
     [CmdletBinding()]
     param (
         [parameter(
-            Mandatory = $true,
+            Mandatory,
             ValueFromPipeline = $true)]
         [Microsoft.ActiveDirectory.Management.ADEntity[]]$ADCSObjects,
         [System.Management.Automation.PSCredential]$Credential,

Private/Get-CAHostObject.ps1

@@ -30,7 +30,7 @@
     [CmdletBinding(SupportsShouldProcess)]
     param (
         [parameter(
-            Mandatory = $true,
+            Mandatory,
             ValueFromPipeline = $true)]
         [Microsoft.ActiveDirectory.Management.ADEntity[]]$ADCSObjects,
         [PSCredential]$Credential,
@@ -40,19 +40,19 @@
     begin {
         if (-not ([System.Management.Automation.PSTypeName]'TrustAllCertsPolicy') ) {
             if ($PSVersionTable.PSEdition -eq 'Desktop') {
-                $code = @"
+                $code = @'
                     using System.Net;
                     using System.Security.Cryptography.X509Certificates;
                     public class TrustAllCertsPolicy : ICertificatePolicy {
                         public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) {
                             return true;
                         }
                     }
-"@
+'@
                 Add-Type -TypeDefinition $code -Language CSharp
                 [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
             } else {
-                Add-Type @"
+                Add-Type @'
                     using System.Net;
                     using System.Security.Cryptography.X509Certificates;
                     using System.Net.Security;
@@ -61,7 +61,7 @@
                             return true;
                         }
                     }
-"@
+'@
                 # Set the ServerCertificateValidationCallback
                 [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [TrustAllCertsPolicy]::TrustAllCerts
             }
@@ -72,7 +72,7 @@
         $ADCSObjects | Where-Object objectClass -Match 'pKIEnrollmentService' | ForEach-Object {
             $CAEnrollmentEndpoint = @()
             #[array]$CAEnrollmentEndpoint = $_.'msPKI-Enrollment-Servers' | Select-String 'http.*' | ForEach-Object { $_.Matches[0].Value }
-            foreach ($directory in @("certsrv/", "$($_.Name)_CES_Kerberos/service.svc", "$($_.Name)_CES_Kerberos/service.svc/CES", "ADPolicyProvider_CEP_Kerberos/service.svc", "certsrv/mscep/")) {
+            foreach ($directory in @('certsrv/', "$($_.Name)_CES_Kerberos/service.svc", "$($_.Name)_CES_Kerberos/service.svc/CES", 'ADPolicyProvider_CEP_Kerberos/service.svc', 'certsrv/mscep/')) {
                 $URL = "://$($_.dNSHostName)/$directory"
                 try {
                     $Auth = 'NTLM'
@@ -116,6 +116,7 @@
                                 'Auth' = $Auth
                             }
                         } catch {
+                            Write-Debug "There may have been an error or something nothing found. $_"
                         }
                     }
                 }

Private/Set-AdditionalCAProperty.ps1

@@ -28,18 +28,20 @@
         [Microsoft.ActiveDirectory.Management.ADEntity[]]$ADCSObjects
     )
 
-    $ADCSObjects | Where-Object objectClass -match 'pKICertificateTemplate' -PipelineVariable template | ForEach-Object {
-        # Write-Host "[?] Checking if template `"$($template.Name)`" is Enabled on any Certification Authority." -ForegroundColor Blue
-        $Enabled = $false
-        $EnabledOn = @()
-        foreach ($ca in ($ADCSObjects | Where-Object objectClass -eq 'pKIEnrollmentService')) {
-            if ($ca.certificateTemplates -contains $template.Name) {
-                $Enabled = $true
-                $EnabledOn += $ca.Name
-            }
+    process {
+        $ADCSObjects | Where-Object objectClass -Match 'pKICertificateTemplate' -PipelineVariable template | ForEach-Object {
+            # Write-Host "[?] Checking if template `"$($template.Name)`" is Enabled on any Certification Authority." -ForegroundColor Blue
+            $Enabled = $false
+            $EnabledOn = @()
+            foreach ($ca in ($ADCSObjects | Where-Object objectClass -EQ 'pKIEnrollmentService')) {
+                if ($ca.certificateTemplates -contains $template.Name) {
+                    $Enabled = $true
+                    $EnabledOn += $ca.Name
+                }
 
-            $template | Add-Member -NotePropertyName Enabled -NotePropertyValue $Enabled -Force
-            $template | Add-Member -NotePropertyName EnabledOn -NotePropertyValue $EnabledOn -Force
+                $template | Add-Member -NotePropertyName Enabled -NotePropertyValue $Enabled -Force
+                $template | Add-Member -NotePropertyName EnabledOn -NotePropertyValue $EnabledOn -Force
+            }
         }
     }
 }