Multi-platform support

[schrolla]

Description

This epic focuses on updating ScubaGear so that it can be run on non-Windows platforms as well as on existing Windows platforms, but using PowerShell 7 rather than native PowerShell (i.e. PowerShell 5.1).

Improvements for this epic include:

• Adding support under PowerShell 7 for ScubaGear
• Expanding use of appropriate platform executable when running OPA Rego
• Making any adjustments in supporting libraries or versions needed to support PS7 and other platforms

Initiative / Goal

The goal is to make the tool function on multiple platforms so that the tool doesn't force a platform choice counter from the one users may have available.

Hypothesis

By making the ScubaGear available to those running on non-Windows platforms, it will be possible to run the tool in environments where it was not previously possible or required setting up additional resources (like a Windows machine). For example, it may allow for execution on non-Windows machines used as lightweight administrative boxes.

Acceptance criteria

Criteria that are considered must have for feature launch and in-scope for this epic include:

• [ ] ScubaGear runs successfully under PowerShell 7 on Windows 10/11 platforms for all products
• [ ] ScubaGear runs successfully under PowerShell 7 on latest Mac OS platform with PowerShell installed for all products
• [ ] ScubaGear runs successfully under PowerShell 7 on current Linux platform with PowerShell installed for all products

Stakeholders / Resources

Include CISA decision makers and dev team members in discussions about this epic. Resources needed for this epic include access to test platforms (Win/Mac/Linux) to validate functional nature of tool. May be able to use Github runners for some of those.

Timeline

TBD

Associated Tasks

See details in the following issues:

• [ ]

[schrolla]

Additional details on cross-platform compatibility issues:

The following modules do not work as intended in PS6+:

• SharePoint (With user credentials, not service principal not confirmed)
• Power Platform

Per previous comment from @buidav: The graceful solution would be to prevent the user from running the modules we know will error out if their PowerShell version is 6+. That could be enforced with the Orchestrator rather than the manifest.

[schrolla]

While issues remain with compatibility, they are limited and this can be worked with caveats.

[twneale]

I looked into this as I was getting onboarded and have some details to add.

I tried to run on my Mac but couldn't because I have an Apple M2 Pro chip (which is 64 bit ARM) and Microsoft does not offer an ARM64 build of powershell. There is evidently an effort to provide this for Powershell 7, but it requires using a different package manager. This may actually present an obstacle to Chromebook usage since Chromebooks are increasingly using ARM-based processors.

Sidestepping this, I requested an x86_64 ECE ubuntu VM and tried to run ScubaGear natively on Linux using Powershell 7. Here are the results:

Product	Status	Linux/Mac x86_64 status
aad	✅	Works perfectly with certificate based auth.
exo	✅	Thumbprint cert auth fails due to windows dependency. Local cert auth works!
sharepoint		Auth works, but lots of SSL errors running Get-PnPTenant and Get-PnPTenantSite. Seems to not work overall. The SSL errors are related to MITRE's proxy CA cert, apparently.
defender		Write-Error: Error running Connect-IPPSSession. The SSL connection could not be established, see inner exception.
teams		Connect-Tenant: Error establishing a connection with teams. Cannot bind argument to parameter 'Certificate' because it is null.
powerplatform		Connect-Tenant: Error establishing a connection with powerplatform. The 'Add-PowerAppsAccount' command was found in the module 'Microsoft.PowerApps.PowerShell', but the module could not be loaded. For more information, run 'Import-Module Microsoft.PowerApps.PowerShell'.

I'm very interested in the question of cross-platform support for ScubaGear. I'm a bit pessimistic about Powershell because it doesn't truly have cross-platform support yet. Many of the commandlets try to invoke Windows DLLs even for tasks that simply involve interfacing with a rest API. For example, the exo uses a function Connect-ExchangeOnline (iirc) that tries to a use a windows DLL for thumbprint auth, which is just cert-based auth that 100% works from any platform. That particular module just happens to use the DDL because they didn't anticipate non-windows use.

I think the most reliable way to achieve cross-platform support for ScubaGear would be to migrate the Powershell code to a bonafide cross platform language. I don't expect this idea to find much support among the team so I won't elaborate on it unless there is further interest.

[twneale]

There are also potential issues related to filename case sensitivity on windows vs *nix platforms. For example, the Orchestrator currently tries to run ergo tests on "SharePointConfig.rego", but the file name is "SharepointConfig.rego". This is the only example of this issue I have found so far.

[gmatev]

Based on the comments and related issues, seems like there might be some light at the end of the multi-platform tunnel here. Any plans to move this forward?

[schrolla]

May also be impacted by #517 as upgrade to PnP v2.2 requires PS6+.

[schrolla]

Issue #557 is part of this epic.

[petersonjdNIH]

I've made early progress on getting ScubaGear working on macOS. Getting everything in place by brew is a good first step. PowerShell being the main one.

I made it as far as running Import-Module successfully. I'm currently stuck on Initialize-SCuBA:

PS /Users/joel.peterson/Downloads/ScubaGear-1.2.0/PowerShell/ScubaGear> Import-Module -Name ./
WARNING: 
    The required supporting PowerShell modules are not installed with a supported version.
    Run Initialize-SCuBA to install all required dependencies.
    See Get-Help Initialize-SCuBA for more help.
PS /Users/joel.peterson/Downloads/ScubaGear-1.2.0/PowerShell/ScubaGear> Initialize-SCuBA
OperationStopped: The type initializer for 'ScubaConfig' threw an exception.
PS /Users/joel.peterson/Downloads/ScubaGear-1.2.0/PowerShell/ScubaGear>

[tkol2022]

Rationale for migrating to Powershell 7 instead of 5.1

This was created to track known benefits the project could potentially gain from migrating to a newer version of Powershell 7. Note this is specific to Powershell 7 and not directly related to running ScubaGear on multiple platforms (Mac, Linux, etc.).

• The PnP.Powershell module that we are using to acquire configuration fields from Sharepoint is locked to an old version of that module since the newer versions require Powershell 7. The old version of PnP is missing some fields that ScubaGear needs and are now available in the newer PnP.
• Powershell 7 has more robust multi-threading features which we might be able to leverage for design enhancements such as running multiple export providers concurrently to decrease execution time.