Closed Zephyrusg closed 3 years ago
I am not able to repro this. Are you sure the $test variable is assigned? This is what I did:

```powershell
function Set-Secret
{
    param (
        [string] $Name,
        [object] $Secret,
        [string] $VaultName,
        [hashtable] $AdditionalParameters,
        [hashtable] $Metadata
    )

    $filePath = Join-Path -Path (Get-Path $VaultName) -ChildPath "${Name}.xml"
    $Secret | Export-Clixml -Path $filePath -Force

    $verboseEnabled = $AdditionalParameters.ContainsKey('Verbose') -and ($AdditionalParameters['Verbose'] -eq $true)
    Write-Verbose "[TestLocalScript.Extension]:Set-SecretVault successfully called for vault: $VaultName" -Verbose:$verboseEnabled
    Write-Verbose "Metadata: $($Metadata | Out-String)" -Verbose:$verboseEnabled

    return $true
}
```

```
$test = @{ Name='hello'; expires=[datetime]::Now }
Set-Secret -Name TLSTest3 -Secret 'hello' -Vault TestLocalScript -Metadata $test -Verbose
VERBOSE: Performing the operation "Write secret to vault and override any existing secret of the same name" on target "TestLocalScript".
VERBOSE: Invoking command Set-Secret on module TestLocalScript.Extension
VERBOSE: [TestLocalScript.Extension]:Set-SecretVault successfully called for vault: TestLocalScript
VERBOSE: Metadata:
Name                           Value
----                           -----
expires                        4/21/2021 10:34:13 AM
Name                           hello
VERBOSE: Secret TLSTest3 was successfully added to vault TestLocalScript.
```
Hi Paul,
I tried your steps:
```powershell
function Set-Secret {
    param (
        [string]$Name,
        [object]$Secret,
        [string]$VaultName,
        [hashtable]$AdditionalParameters,
        [hashtable]$Metadata
    )

    Test-VaultConfiguration $VaultName
    $filePath = Join-Path -Path "C:\temp\$VaultName\" -ChildPath "${Name}.xml"
    $Secret | Export-Clixml -Path $filePath -Force

    $verboseEnabled = $AdditionalParameters.ContainsKey('Verbose') -and ($AdditionalParameters['Verbose'] -eq $true)
    Write-Verbose "[SecretManagement.PWS.Extension]:Set-SecretVault successfully called for vault: $VaultName" -Verbose:$verboseEnabled
    Write-Verbose "Metadata: $($Metadata | Out-String)" -Verbose:$verboseEnabled

    return $true
}
```
And this was the output:
```
$test = @{ Name='hello'; expires=[datetime]::Now }
Set-Secret -Name TLSTest3 -Secret 'hello' -Vault PWSTest -Metadata $test -Verbose
VERBOSE: Performing the operation "Write secret to vault and override any existing secret of the same name" on target "PWSTest".
VERBOSE: Invoking command Set-Secret on module SecretManagement.PWS.Extension
VERBOSE: [SecretManagement.PWS.Extension]:Set-SecretVault successfully called for vault: PWSTest
VERBOSE: Metadata:
VERBOSE: Invoking command Set-SecretInfo on module SecretManagement.PWS.Extension
Set-Secret: Cannot store secret TLSTest3. Vault PWSTest does not support secret metadata.
VERBOSE: Invoking command Remove-Secret on module SecretManagement.PWS.Extension
VERBOSE: Secret TLSTest3 was successfully removed from vault PWSTest.
```
It couldn't add the secret but this also wasn't the real function. But still no Metadata.
Not sure why the module said that Vault PWSTest does not support secret metadata. How does the main module check this?
I'm still a bit puzzled about this. Maybe you know why this happens.
Ach, I see I have not yet implemented a Set-SecretInfo function for the extension. Does this explain why the metadata stays blank in the Set-Secret function?
Hmm, no that should not affect Set-Secret function. I'll need to investigate and see if I can find a repro. Are you using the latest GA (1.0.0) release of SecretManagement? Make sure you uninstall any previous version of SecretManagement.
Also, whenever you make a change to a registered script vault extension module, be sure to start a new instance of PowerShell to test it. This is because SecretManagement doesn't forcefully reload the script module (for a number of reasons), and the changes you make are not reflected in the old instance of PowerShell, but will be in the new instance.
Yes, I'm using version 1.0.0. I didn't use any previous version of SecretManagement. When I reload my PS session in VS Code the same issue occurs.
I tried my tests in PS 5.1 and PS 7.1.3
Is it possible that the module changes you are making are not in the same path that is registered as the extension vault? Is this path:

```powershell
Get-SecretVault -Name TestVault | Select-Object ModulePath
```
the same path where you are making the changes?
I ask because sometimes I build an extension vault module in one location but move it to a different location for testing.
I did write the Set-SecretInfo function. And this function gives me the same error.

```
Set-SecretInfo : Cannot set secret metadata TLSTest4. Vault PWSTest does not support secret metadata.
```

It seems like the SecretManagement module sets some kind of switch on my extension. Something like Metadata support = $false. Is there something I need to enable or configure?
Oh. This is set on registration. Try unregistering and then re-registering the extension vault module.
OK, good to know. Uhhmm, with unregistering you mean the vault that uses the module?
Yes. Or just force re-register.
```powershell
Register-SecretVault -Name TestVault -ModuleName ModuleNamePath -AllowClobber
```
Somehow it is working now. Thanks for all your help.
Yes, I forgot that metadata support is detected on extension vault registration. So, if while developing an extension vault you add metadata support to a vault that is already registered, you need to re-register it so that SecretManagement knows metadata is now supported.
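The re-registration step from this thread, as an added example (not code from the thread or from the SecretManagement project): a hypothetical helper, `Reset-DevSecretVault`, that force re-registers a vault with its existing settings and then round-trips a throwaway secret to confirm metadata is accepted. It assumes the `ModulePath` reported by `Get-SecretVault` is usable as the `-ModuleName` argument, and that it is run in a fresh PowerShell session so the edited extension module is the one loaded.

```powershell
# Added example: Reset-DevSecretVault is a hypothetical helper, not part of SecretManagement.
function Reset-DevSecretVault {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string] $Name
    )

    # Capture the current registration so it can be reproduced unchanged.
    $vault = Get-SecretVault -Name $Name -ErrorAction Stop

    # VaultParameters is read-only on the vault info object; copy it into a hashtable.
    $vaultParams = @{}
    foreach ($key in $vault.VaultParameters.Keys) {
        $vaultParams[$key] = $vault.VaultParameters[$key]
    }

    # Re-register over the existing entry so metadata support is detected again.
    # Assumption: the registered ModulePath is accepted by -ModuleName.
    $registerArgs = @{
        Name            = $vault.Name
        ModuleName      = $vault.ModulePath
        VaultParameters = $vaultParams
        DefaultVault    = $vault.IsDefault
        AllowClobber    = $true
    }
    Register-SecretVault @registerArgs

    # Functional check: store a throwaway secret with metadata and read it back.
    $probe = "metadata-probe-$([guid]::NewGuid().ToString('N'))"
    try {
        Set-Secret -Name $probe -Secret 'probe' -Vault $Name -Metadata @{ probe = 'ok' } -ErrorAction Stop
        $info = Get-SecretInfo -Name $probe -Vault $Name
        return ($info.Metadata['probe'] -eq 'ok')
    }
    catch {
        Write-Warning "Vault '$Name' rejected or lost metadata: $($_.Exception.Message)"
        return $false
    }
    finally {
        # Clean up the probe; it may already be gone if Set-Secret rolled back.
        Remove-Secret -Name $probe -Vault $Name -ErrorAction SilentlyContinue
    }
}

Reset-DevSecretVault -Name 'PWSTest'   # vault name taken from the thread
```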
I am trying to write an extension for SecretManagement. My Set-Secret function starts with:
But when I run

```powershell
Set-Secret -Name "test" -metadata $test -vault "Testvault" -Secret "test123"
```

the Metadata variable stays blank.