
Extensions should be able to hook into `Register-SecretVault`

Open itfranck opened this issue 5 years ago • 4 comments

Feature request. We have a hook into Unregister thanks to this request.

I would like a way to have my extension perform some validation or other actions before registering the vault.

Use cases relevant to me :

  • The implemented module requires some parameters to work properly. Validation could be done in the hook and prevent the registration if mandatory conditions are not met.

Az.keyvault is a good example of this. It requires SubscriptionId and VaultName to identify which Azure keyvault is targeted by the registration.

  • The implemented module requires some action to be performed prior to the registration.

--

I had such a use case while looking at using SecretManagement for a CMS implementation that requires:

  • A mandatory vault parameter (for which I would issue a warning and prevent registration if not provided)
  • The creation of a self-signed certificate and adding that newly created certificate to the user certificates.

A Register-SecretVault hook (before registration) would be complementary to the recently added Unregister-SecretVault hook and also definitely have valid use cases (validation & performing any relevant actions).

Thank you for considering this.

itfranck avatar Nov 15 '20 04:11 itfranck

Thanks @itfranck, we have tried to separate the registration of the vault from the loading of it for the best user experience... we believe Test-SecretVault helps to resolve this issue... we do not plan to implement this for the GA of the module but will also leave this open.

SydneyhSmith avatar Dec 09 '20 19:12 SydneyhSmith

Usually I won't really use Test-SecretVault unless I am writing a script and / or encounter an issue. I was thinking more along the lines of having the error (eg: missing parameter) disclosed at registration time (through my hook) rather than waiting upon the next operation in line (eg: Get / Set secret) to throw the error at the user.

It is kind of the same (but opposite) as the Unregister-secret where you now can (through hookup) have the unloading associated with the unregister operation.

But I am all good with the rendered verdict. Regards

itfranck avatar Dec 09 '20 19:12 itfranck

@SydneyhSmith after several vault implementations I'm just calling Test-SecretVault in every single command as the first line, basically; it would be nice to be a little less ham-fisted with it.

Vault implementers can implement offline support, either by simply not implementing Register-SecretVault, or supporting offline creation via a vaultparameter, e.g. Register-SecretVault -Name myvault -Module myonlinemodule -VaultParameter @{DontValidate=$true}

JustinGrote avatar Jan 14 '21 23:01 JustinGrote

@SydneyhSmith @PaulHigin FYI, as a follow-up on this issue, another piece of evidence where the current behavior was confusing to a user because it didn't show any errors until they did something, so they assumed it worked. https://github.com/JustinGrote/SecretManagement.KeePass/issues/32#issuecomment-785259286

I still maintain that offline support should be done via vaultparameter rather than a mandated default.

JustinGrote avatar Feb 24 '21 18:02 JustinGrote
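As an added example (not code from this issue or from the SecretManagement project), this is how the validation the thread asks for can be done today inside an extension vault's `Test-SecretVault`, with the vault's own `Get-Secret` calling it first as JustinGrote describes, and a `DontValidate` vault parameter for offline registration. The required parameter names `SubscriptionId` and `VaultName` are taken from the Az.KeyVault illustration above and are assumptions for this hypothetical extension; the `-VaultParameters` hashtable is the real `Register-SecretVault` parameter.

```powershell
# Functions below live in the extension's nested SecretManagement.Extension module
# (hypothetical extension; parameter names are assumptions for illustration).
function Test-SecretVault {
    [CmdletBinding()]
    param (
        [string] $VaultName,
        [hashtable] $AdditionalParameters   # the hashtable passed via -VaultParameters
    )
    # Offline registration: the user explicitly opted out of validation.
    if ($AdditionalParameters -and $AdditionalParameters['DontValidate']) { return $true }

    $required = 'SubscriptionId', 'VaultName'   # mandatory keys for this vault type
    $missing = @($required | Where-Object { -not $AdditionalParameters.ContainsKey($_) })
    if ($missing.Count -gt 0) {
        # Surfaced to the user by Test-SecretVault -Name <vault>; avoids a silent bad registration.
        Write-Error "Vault '$VaultName' is missing required vault parameter(s): $($missing -join ', ')"
        return $false
    }
    return $true
}

function Get-Secret {
    [CmdletBinding()]
    param ([string] $Name, [string] $VaultName, [hashtable] $AdditionalParameters)
    # First line of every vault command: fail fast on a misconfigured registration.
    if (-not (Test-SecretVault -VaultName $VaultName -AdditionalParameters $AdditionalParameters)) {
        throw "Vault '$VaultName' failed validation; fix its vault parameters and retry."
    }
    # ... actual secret retrieval for $Name goes here
}

# Caller side (outside the extension): register, then validate right away,
# since Register-SecretVault itself does not call Test-SecretVault.
# Register-SecretVault -Name MyVault -ModuleName MyExtension -VaultParameters @{
#     SubscriptionId = '<subscription-id>'   # placeholder
#     VaultName      = '<keyvault-name>'     # placeholder
# }
# Test-SecretVault -Name MyVault
# Offline registration that skips the checks, as proposed in the thread:
# Register-SecretVault -Name MyVault -ModuleName MyExtension -VaultParameters @{ DontValidate = $true }
```

Running `Test-SecretVault -Name MyVault` immediately after `Register-SecretVault` gives the registration-time error the issue asks for without a new hook, and the first check in `Get-Secret` keeps a misconfigured vault from failing later with a less clear error.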