DSCResources/DSC_PfxImport/DSC_PfxImport.psm1

#Requires -Version 4.0

$modulePath = Join-Path -Path (Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent) -ChildPath 'Modules'

# Import the Certificate Resource Common Module.
Import-Module -Name (Join-Path -Path $modulePath `
        -ChildPath (Join-Path -Path 'CertificateDsc.Common' `
            -ChildPath 'CertificateDsc.Common.psm1'))

Import-Module -Name (Join-Path -Path $modulePath -ChildPath 'DscResource.Common')

# Import Localization Strings.
$script:localizedData = Get-LocalizedData -DefaultUICulture 'en-US'

<#
    .SYNOPSIS
        Returns the current state of the PFX Certificte file that should be imported.
 
    .PARAMETER Thumbprint
        The thumbprint (unique identifier) of the PFX file you're importing.
 
    .PARAMETER Path
        The path to the PFX file you want to import.
        This parameter is ignored.
 
    .PARAMETER Location
        The Windows Certificate Store Location to import the PFX file to.
 
    .PARAMETER Store
        The Windows Certificate Store Name to import the PFX file to.
 
    .PARAMETER Exportable
        Determines whether the private key is exportable from the machine after
        it has been imported.
        This parameter is ignored.
 
    .PARAMETER Credential
        A `PSCredential` object that is used to decrypt the PFX file. Only the
        password is used, so any user name is valid.
        This parameter is ignored.
 
    .PARAMETER Ensure
        Specifies whether the PFX file should be present or absent.
        This parameter is ignored.
 
    .PARAMETER FriendlyName
        The friendly name of the certificate to set in the Windows Certificate Store.
        This parameter is ignored.
#>

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([Hashtable])]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateScript( { $_ | Test-Thumbprint } )]
        [System.String]
        $Thumbprint,

        [Parameter()]
        [System.String]
        $Path,

        [Parameter(Mandatory = $true)]
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [System.String]
        $Location,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $Store,

        [Parameter()]
        [System.Boolean]
        $Exportable = $false,

        [Parameter()]
        [PSCredential]
        $Credential,

        [Parameter()]
        [ValidateSet('Present', 'Absent')]
        [System.String]
        $Ensure = 'Present',

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $FriendlyName
    )

    Write-Verbose -Message ( @(
            "$($MyInvocation.MyCommand): "
            $($script:localizedData.GettingPfxStatusMessage -f $Thumbprint, $Location, $Store)
        ) -join '' )

    $certificate = Get-CertificateFromCertificateStore `
        -Thumbprint $Thumbprint `
        -Location $Location `
        -Store $Store

    if ($certificate)
    {
        if ($certificate.HasPrivateKey)
        {
            # If the certificate is found and has a private key then consider it Present
            Write-Verbose -Message ( @(
                    "$($MyInvocation.MyCommand): "
                    $($script:localizedData.CertificateInstalledMessage -f $Thumbprint, $Location, $Store)
                ) -join '' )

            $Ensure = 'Present'
        }
        else
        {
            # The certificate is found but the private key is missing so it is Absent
            Write-Verbose -Message ( @(
                    "$($MyInvocation.MyCommand): "
                    $($script:localizedData.CertificateInstalledNoPrivateKeyMessage -f $Thumbprint, $Location, $Store)
                ) -join '' )

            $Ensure = 'Absent'
        }
    }
    else
    {
        # The certificate is not found
        Write-Verbose -Message ( @(
                "$($MyInvocation.MyCommand): "
                $($script:localizedData.CertificateNotInstalledMessage -f $Thumbprint, $Location, $Store)
            ) -join '' )

        $Ensure = 'Absent'
    }

    return @{
        Thumbprint   = $Thumbprint
        Path         = $Path
        Location     = $Location
        Store        = $Store
        Exportable   = $Exportable
        Credential   = $Credential
        Ensure       = $Ensure
        FriendlyName = $certificate.FriendlyName
    }
} # end function Get-TargetResource

<#
    .SYNOPSIS
        Tests if the PFX Certificate file needs to be imported or removed.
 
    .PARAMETER Thumbprint
        The thumbprint (unique identifier) of the PFX file you're importing.
 
    .PARAMETER Path
        The path to the PFX file you want to import.
 
    .PARAMETER Location
        The Windows Certificate Store Location to import the PFX file to.
 
    .PARAMETER Store
        The Windows Certificate Store Name to import the PFX file to.
 
    .PARAMETER Exportable
        Determines whether the private key is exportable from the machine after
        it has been imported.
 
    .PARAMETER Credential
        A `PSCredential` object that is used to decrypt the PFX file. Only the
        password is used, so any user name is valid.
 
    .PARAMETER Ensure
        Specifies whether the PFX file should be present or absent.
 
    .PARAMETER FriendlyName
        The friendly name of the certificate to set in the Windows Certificate Store.
#>

function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateScript( { $_ | Test-Thumbprint } )]
        [System.String]
        $Thumbprint,

        [Parameter()]
        [System.String]
        $Path,

        [Parameter(Mandatory = $true)]
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [System.String]
        $Location,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $Store,

        [Parameter()]
        [System.Boolean]
        $Exportable = $false,

        [Parameter()]
        [PSCredential]
        $Credential,

        [Parameter()]
        [ValidateSet('Present', 'Absent')]
        [System.String]
        $Ensure = 'Present',

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $FriendlyName
    )

    Write-Verbose -Message ( @(
            "$($MyInvocation.MyCommand): "
            $($script:localizedData.TestingPfxStatusMessage -f $Thumbprint, $Location, $Store)
        ) -join '' )

    $currentState = Get-TargetResource @PSBoundParameters

    if ($Ensure -ne $currentState.Ensure)
    {
        return $false
    }

    if ($PSBoundParameters.ContainsKey('FriendlyName') `
            -and $Ensure -eq 'Present' `
            -and $currentState.FriendlyName -ne $FriendlyName)
    {
        # The friendly name of the certificate does not match
        Write-Verbose -Message ( @(
            "$($MyInvocation.MyCommand): "
            $($script:localizedData.CertificateFriendlyNameMismatchMessage -f $Thumbprint, $Location, $Store, $CurrentState.FriendlyName, $FriendlyName)
        ) -join '' )

        return $false
    }

    return $true
} # end function Test-TargetResource

<#
    .SYNOPSIS
        Imports or removes the specified PFX Certifiicate file.
 
    .PARAMETER Thumbprint
        The thumbprint (unique identifier) of the PFX file you're importing.
 
    .PARAMETER Path
        The path to the PFX file you want to import.
 
    .PARAMETER Location
        The Windows Certificate Store Location to import the PFX file to.
 
    .PARAMETER Store
        The Windows Certificate Store Name to import the PFX file to.
 
    .PARAMETER Exportable
        Determines whether the private key is exportable from the machine after
        it has been imported.
 
    .PARAMETER Credential
        A `PSCredential` object that is used to decrypt the PFX file. Only the
        password is used, so any user name is valid.
 
    .PARAMETER Ensure
        Specifies whether the PFX file should be present or absent.
 
    .PARAMETER FriendlyName
        The friendly name of the certificate to set in the Windows Certificate Store.
#>

function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateScript( { $_ | Test-Thumbprint } )]
        [System.String]
        $Thumbprint,

        [Parameter()]
        [System.String]
        $Path,

        [Parameter(Mandatory = $true)]
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [System.String]
        $Location,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $Store,

        [Parameter()]
        [System.Boolean]
        $Exportable = $false,

        [Parameter()]
        [PSCredential]
        $Credential,

        [Parameter()]
        [ValidateSet('Present', 'Absent')]
        [System.String]
        $Ensure = 'Present',

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $FriendlyName
    )

    Write-Verbose -Message ( @(
            "$($MyInvocation.MyCommand): "
            $($script:localizedData.SettingPfxStatusMessage -f $Thumbprint, $Location, $Store)
        ) -join '' )

    if ($Ensure -ieq 'Present')
    {
        $currentState = Get-TargetResource @PSBoundParameters

        if ($currentState.Ensure -eq 'Absent')
        {
            # Import the certificate into the Store
            Write-Verbose -Message ( @(
                    "$($MyInvocation.MyCommand): "
                    $($script:localizedData.ImportingPfxMessage -f $Path, $Location, $Store)
                ) -join '' )

            # Check that the certificate PFX file exists before trying to import
            if (-not (Test-Path -Path $Path))
            {
                New-InvalidArgumentException `
                    -Message ($script:localizedData.CertificatePfxFileNotFoundError -f $Path) `
                    -ArgumentName 'Path'
            }

            $getCertificateStorePathParameters = @{
                Location = $Location
                Store    = $Store
            }
            $certificateStore = Get-CertificateStorePath @getCertificateStorePathParameters

            $importPfxCertificateParameters = @{
                Exportable        = $Exportable
                CertStoreLocation = $certificateStore
                FilePath          = $Path
                Verbose           = $VerbosePreference
            }

            if ($Credential)
            {
                $importPfxCertificateParameters['Password'] = $Credential.Password
            }

            # If the built in PKI cmdlet exists then use that, otherwise command in Common module.
            if (Test-CommandExists -Name 'Import-PfxCertificate')
            {
                Import-PfxCertificate @importPfxCertificateParameters
            }
            else
            {
                Import-PfxCertificateEx @importPfxCertificateParameters
            }
        }

        if ($PSBoundParameters.ContainsKey('FriendlyName') `
                -and $currentState.FriendlyName -ne $FriendlyName)
        {
            Write-Verbose -Message ( @(
                    "$($MyInvocation.MyCommand): "
                    $($script:localizedData.SettingCertficateFriendlyNameMessage -f $Path, $Location, $Store, $FriendlyName)
                ) -join '' )

            $setCertificateFriendlyNameInCertificateStoreParameters = @{
                Thumbprint   = $Thumbprint
                Location     = $Location
                Store        = $Store
                FriendlyName = $FriendlyName
            }

            Set-CertificateFriendlyNameInCertificateStore @setCertificateFriendlyNameInCertificateStoreParameters
        }
    }
    else
    {
        Write-Verbose -Message ( @(
                "$($MyInvocation.MyCommand): "
                $($script:localizedData.RemovingCertficateMessage -f $Thumbprint, $Location, $Store)
            ) -join '' )

        Remove-CertificateFromCertificateStore `
            -Thumbprint $Thumbprint `
            -Location $Location `
            -Store $Store
    }
} # end function Set-TargetResource

Export-ModuleMember -Function *-TargetResource