PowerShell / SecretStore

MIT License
158 stars 24 forks source link

Set-SecretStoreConfiguration -Authentication None often fails #79

Closed SamLue closed 3 years ago

SamLue commented 3 years ago

If I try to set the Authentication to None the follwing command often fails.

Set-SecretStoreConfiguration -Authentication None -Password $tmpPw -Interaction None

The following error occurs:

Set-SecretStoreConfiguration : 
In Zeile:1 Zeichen:1
+ Set-SecretStoreConfiguration -Authentication None -Interaction None
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Power...reConfiguration:SetSecretStoreConfiguration) [Set-SecretStoreConfiguration], PSInvalidOperationException
    + FullyQualifiedErrorId : SecretStoreConfigurationUpdateFailed,Microsoft.PowerShell.SecretStore.SetSecretStoreConfiguration

But after a few attemps (sometimes 2 but often even more) it works.

PaulHigin commented 3 years ago

@SamLue Can you provide more information on the error? If you are running PowerShell 7+ then you can just run Get-Error, which will display details of the last error.

SamLue commented 3 years ago

Hello @PaulHigin

here my complete test to reproduce this issue. Now with PowerShell 7.1.3 and Get-Error

PS C:\Users\PN118> Register-SecretVault -Name $VaultName -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault -Confirm:$false
PS C:\Users\PN118> $tmpPw = Read-Host -AsSecureString
********
PS C:\Users\PN118> Reset-SecretStore -Password $tmpPw -Force
WARNING: !!This operation completely removes all SecretStore module secrets and resets configuration settings to new values!!
PS C:\Users\PN118> Set-SecretStoreConfiguration -Authentication None -Password $tmpPw -Interaction None

Confirm
Are you sure you want to perform this action?
Performing the operation "Changes local store configuration" on target "SecretStore module local store".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
Set-SecretStoreConfiguration:
PS C:\Users\PN118> Get-Error

Exception             :
    Type        : System.Management.Automation.PSInvalidOperationException
    ErrorRecord :
        Exception             :
            Type    : System.Management.Automation.ParentContainsErrorRecordException
            HResult : -2146233087
        CategoryInfo          : InvalidOperation: (:) [], ParentContainsErrorRecordException
        FullyQualifiedErrorId : InvalidOperation
    TargetSite  :
        Name          : ThrowTerminatingError
        DeclaringType : System.Management.Automation.MshCommandRuntime, System.Management.Automation, Version=7.1.3.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35
        MemberType    : Method
        Module        : System.Management.Automation.dll
    StackTrace  :
   at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
    Source      : System.Management.Automation
    HResult     : -2146233079
TargetObject          : Microsoft.PowerShell.SecretStore.SetSecretStoreConfiguration
CategoryInfo          : InvalidOperation: (Microsoft.PowerShel…tStoreConfiguration:SetSecretStoreConfiguration)
[Set-SecretStoreConfiguration], PSInvalidOperationException
FullyQualifiedErrorId :
SecretStoreConfigurationUpdateFailed,Microsoft.PowerShell.SecretStore.SetSecretStoreConfiguration
InvocationInfo        :
    MyCommand        : Set-SecretStoreConfiguration
    ScriptLineNumber : 1
    OffsetInLine     : 1
    HistoryId        : 7
    Line             : Set-SecretStoreConfiguration -Authentication None -Password $tmpPw -Interaction None
    PositionMessage  : At line:1 char:1
                       + Set-SecretStoreConfiguration -Authentication None -Password $tmpPw -I …
                       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    InvocationName   : Set-SecretStoreConfiguration
    CommandOrigin    : Internal
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 1

PS C:\Users\PN118>

But it is realy strange that sometimes the command is successful. Have you tried these steps? I can observe this behavior on completly different systems. Server OS with 5.1 but also on my Windows 10 with pwsh 7.1.3 and powershell 5.1

PaulHigin commented 3 years ago

Hmm, the above error does not provide any useful error message. Since it sometimes works, I am wondering if there is trouble writing the configuration file. But we should get a message about that if that is the case.

Can you try assigning the error to a variable and looking to see if there are inner exceptions with more information?

$err = Get-Error
$err.Exception
$err.Exception.InnerException
$err.Exception.InnerException.InnerException
...
# At some point the InnerException property will be null.
SamLue commented 3 years ago

Hello @PaulHigin ,

there is no InnerException. Only an Exception.


PS C:\Users\PN118> Set-SecretStoreConfiguration -Authentication None -Password $tmpPw -Interaction None

Confirm
Are you sure you want to perform this action?
Performing the operation "Changes local store configuration" on target "SecretStore module local store".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
Set-SecretStoreConfiguration:
PS C:\Users\PN118> $err = Get-Error
PS C:\Users\PN118> $err

Exception             :
    Type        : System.Management.Automation.PSInvalidOperationException
    ErrorRecord :
        Exception             :
            Type    : System.Management.Automation.ParentContainsErrorRecordException
            HResult : -2146233087
        CategoryInfo          : InvalidOperation: (:) [], ParentContainsErrorRecordException
        FullyQualifiedErrorId : InvalidOperation
    TargetSite  :
        Name          : ThrowTerminatingError
        DeclaringType : System.Management.Automation.MshCommandRuntime, System.Management.Automation, Version=7.1.3.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35
        MemberType    : Method
        Module        : System.Management.Automation.dll
    StackTrace  :
   at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
    Source      : System.Management.Automation
    HResult     : -2146233079
TargetObject          : Microsoft.PowerShell.SecretStore.SetSecretStoreConfiguration
CategoryInfo          : InvalidOperation: (Microsoft.PowerShel…tStoreConfiguration:SetSecretStoreConfiguration)
[Set-SecretStoreConfiguration], PSInvalidOperationException
FullyQualifiedErrorId :
SecretStoreConfigurationUpdateFailed,Microsoft.PowerShell.SecretStore.SetSecretStoreConfiguration
InvocationInfo        :
    MyCommand        : Set-SecretStoreConfiguration
    ScriptLineNumber : 1
    OffsetInLine     : 1
    HistoryId        : 5
    Line             : Set-SecretStoreConfiguration -Authentication None -Password $tmpPw -Interaction None
    PositionMessage  : At line:1 char:1
                       + Set-SecretStoreConfiguration -Authentication None -Password $tmpPw -I …
                       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    InvocationName   : Set-SecretStoreConfiguration
    CommandOrigin    : Internal
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 1

PS C:\Users\PN118> $err.Exception

Type           : System.Management.Automation.PSInvalidOperationException
ErrorRecord    : System.Management.Automation.ParentContainsErrorRecordException
TargetSite     : Void ThrowTerminatingError(System.Management.Automation.ErrorRecord)
StackTrace     :    at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
Message        :
Data           : {}
InnerException :
HelpLink       :
Source         : System.Management.Automation
HResult        : -2146233079

PS C:\Users\PN118> $err.Exception.InnerException
PS C:\Users\PN118> $err.Exception.InnerException
PS C:\Users\PN118> $err.Exception.InnerException.InnerException
PS C:\Users\PN118>

But I think you can reproduce this error. Have you tried? Wouldn't that be easier to troubleshoot? But feel free to ask more, if I can help and provide more information.

drats-tech commented 3 years ago

@SamLue I am assuming that your variable "$tmpPw" is an empty/Enter from a user hitting Return/Enter at the console? If so and this was no where to be found in my extensive search, that you need to enter an actual password (I used 12345) and that it is expecting a password to then clear the password!

My results that I got to work:

** Start Snippet **

PS C:> Set-SecretStoreConfiguration -Authentication None -Interaction None

Confirm

Are you sure you want to perform this action? Performing the operation "Changes local store configuration" on target "SecretStore module local store". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): a

Creating a new Microsoft.PowerShell.SecretStore vault. A password is required by the current store configuration. Enter password:


Enter password again for verification:


A password is no longer required for the local store configuration. To complete the change please provide the current password. Enter password:


PS C:> Get-SecretStoreConfiguration

       Scope Authentication PasswordTimeout Interaction
        -----  --------------     ---------------  -----------

CurrentUser None 900 None

** End Snippet **

I was then able to create (set) and retrieve (get) the secret without being prompted for a password. I also ran the "Set-SecretStoreConfiguration -Authentication None -Interaction None" again, and it did not prompt me for a password this time!

Maybe the "Set-SecretStoreConfiguration" could use a "-Force" or "-AllowClobber" feature. :)

PaulHigin commented 3 years ago

I was able to find a repro for this, and it is indeed a race condition. Thanks for reporting this, and I'll get a fix out soon.

PaulHigin commented 3 years ago

Ok, I have a fix for this which will be part of the v1.0.3 release.