Merge community fork package

DSCResources/MSFT_xPackageResource/MSFT_xPackageResource.psm1

@@ -32,6 +32,13 @@ MachineRequiresReboot=The machine requires a reboot
 PackageDoesNotAppearInstalled=The package {0} is not installed
 PackageAppearsInstalled=The package {0} is already installed
 PostValidationError=Package from {0} was installed, but the specified ProductId and/or Name does not match package details
+CheckingFileHash=Checking file '{0}' for expected {2} hash value of {1}
+InvalidFileHash=File '{0}' does not match expected {2} hash value of {1}.
+CheckingFileSignature=Checking file '{0}' for valid digital signature.
+FileHasValidSignature=File '{0}' contains a valid digital signature. Signer Thumbprint: {1}, Subject: {2}
+InvalidFileSignature=File '{0}' does not have a valid Authenticode signature.  Status: {1}
+WrongSignerSubject=File '{0}' was not signed by expected signer subject '{1}'
+WrongSignerThumbprint=File '{0}' was not signed by expected signer certificate thumbprint '{1}'
 '@
 }
 
@@ -273,7 +280,17 @@ function Test-TargetResource
 
         [string] $InstalledCheckRegValueName,
 
-        [string] $InstalledCheckRegValueData
+        [string] $InstalledCheckRegValueData,
+
+        [string] $FileHash,
+
+        [ValidateSet('SHA1','SHA256','SHA384','SHA512','MD5','RIPEMD160')]
+        [string] $HashAlgorithm,
+
+        [string] $SignerSubject,
+        [string] $SignerThumbprint,
+
+        [string] $ServerCertificateValidationCallback
     )
 
     $uri, $identifyingNumber = Validate-StandardArguments $Path $ProductId $Name
@@ -554,7 +571,17 @@ function Set-TargetResource
 
         [string] $InstalledCheckRegValueName,
 
-        [string] $InstalledCheckRegValueData
+        [string] $InstalledCheckRegValueData,
+
+        [string] $FileHash,
+
+        [ValidateSet('SHA1','SHA256','SHA384','SHA512','MD5','RIPEMD160')]
+        [string] $HashAlgorithm,
+
+        [string] $SignerSubject,
+        [string] $SignerThumbprint,
+
+        [string] $ServerCertificateValidationCallback
     )
 
     $ErrorActionPreference = "Stop"
@@ -672,10 +699,11 @@ function Set-TargetResource
                             # default value is MutualAuthRequested, which applies to https scheme
                             $request.AuthenticationLevel = [System.Net.Security.AuthenticationLevel]::None
                         }
-                        if ($scheme -eq "https")
+                        if ($scheme -eq "https" -and -not [string]::IsNullOrEmpty($ServerCertificateValidationCallback))
                         {
-                            Trace-Message "Ignoring bad certificates"
-                            $request.ServerCertificateValidationCallBack = {$true}
+                            Trace-Message "Assigning user-specified certificate verification callback"
+                            $scriptBlock = [scriptblock]::Create($ServerCertificateValidationCallback)
+                            $request.ServerCertificateValidationCallBack = $scriptBlock
                         }
                         Trace-Message "Getting the $scheme response stream"
                         $responseStream = (([System.Net.HttpWebRequest]$request).GetResponse()).GetResponseStream()
@@ -715,10 +743,15 @@ function Set-TargetResource
             }
         }
 
-        #At this point the Path ought to be valid unless it's an MSI uninstall case
-        if(-not (Test-Path -PathType Leaf $Path) -and -not ($Ensure -eq "Absent" -and $fileExtension -eq ".msi"))
+        if (-not ($Ensure -eq "Absent" -and $fileExtension -eq ".msi"))
         {
-            Throw-TerminatingError ($LocalizedData.PathDoesNotExist -f $Path)
+            #At this point the Path ought to be valid unless it's an MSI uninstall case
+            if(-not (Test-Path -PathType Leaf $Path))
+            {
+                Throw-TerminatingError ($LocalizedData.PathDoesNotExist -f $Path)
+            }
+
+            ValidateFile -Path $Path -HashAlgorithm $HashAlgorithm -FileHash $FileHash -SignerSubject $SignerSubject -SignerThumbprint $SignerThumbprint
         }
 
         $startInfo = New-Object System.Diagnostics.ProcessStartInfo
@@ -1208,5 +1241,89 @@ namespace Source
             Add-Type -TypeDefinition $ProgramSource -ReferencedAssemblies "System.ServiceProcess"
 }
 
-Export-ModuleMember -function Get-TargetResource, Set-TargetResource, Test-TargetResource
+function ValidateFile
+{
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory)]
+        [string] $Path,
+
+        [string] $FileHash,
+        [string] $HashAlgorithm,
+        [string] $SignerThumbprint,
+        [string] $SignerSubject
+    )
+
+    if ($FileHash)
+    {
+        ValidateFileHash -Path $Path -Hash $FileHash -Algorithm $HashAlgorithm
+    }
+
+    if ($SignerThumbprint -or $SignerSubject)
+    {
+        ValidateFileSignature -Path $Path -Thumbprint $SignerThumbprint -Subject $SignerSubject
+    }
+}
+
+function ValidateFileHash
+{
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory)]
+        [string] $Path,
+
+        [Parameter(Mandatory)]
+        [string] $Hash,
+
+        [string] $Algorithm
+    )
+
+    if ([string]::IsNullOrEmpty($Algorithm)) { $Algorithm = 'SHA256' }
+
+    Trace-Message ($LocalizedData.CheckingFileHash -f $Path, $Hash, $Algorithm)
+
+    $fileHash = Get-FileHash -LiteralPath $Path -Algorithm $Algorithm -ErrorAction Stop
+
+    if ($fileHash.Hash -ne $Hash)
+    {
+        throw ($LocalizedData.InvalidFileHash -f $Path, $Hash, $Algorithm)
+    }
+}
+
+function ValidateFileSignature
+{
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory)]
+        [string] $Path,
+
+        [string] $Thumbprint,
+
+        [string] $Subject
+    )
+
+    Trace-Message ($LocalizedData.CheckingFileSignature -f $Path)
 
+    $signature = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction Stop
+
+    if ($signature.Status -ne [System.Management.Automation.SignatureStatus]::Valid)
+    {
+        throw ($LocalizedData.InvalidFileSignature -f $Path, $signature.Status)
+    }
+    else
+    {
+        Trace-Message ($LocalizedData.FileHasValidSignature -f $Path, $signature.SignerCertificate.Thumbprint, $signature.SignerCertificate.Subject)
+    }
+
+    if ($Subject -and ($signature.SignerCertificate.Subject -notlike $Subject))
+    {
+        throw ($LocalizedData.WrongSignerSubject -f $Path, $Subject)
+    }
+
+    if ($Thumbprint -and ($signature.SignerCertificate.Thumbprint -ne $Thumbprint))
+    {
+        throw ($LocalizedData.WrongSignerThumbprint -f $Path, $Thumbprint)
+    }
+}
+
+Export-ModuleMember -function Get-TargetResource, Set-TargetResource, Test-TargetResource

DSCResources/MSFT_xPackageResource/MSFT_xPackageResource.schema.mof

@@ -17,9 +17,15 @@ class MSFT_xPackageResource : OMI_BaseResource
   [read] string Version;
   [read] boolean Installed;
   [write,EmbeddedInstance("MSFT_Credential")] string RunAsCredential;
+  [write] string FileHash;
+  [write,ValueMap{"SHA1","SHA256","SHA384","SHA512","MD5","RIPEMD160"},Values{"SHA1","SHA256","SHA384","SHA512","MD5","RIPEMD160"}] string HashAlgorithm;
+  [write] string SignerSubject;
+  [write] string SignerThumbprint;
+  [write] string ServerCertificateValidationCallback;
   [write] string InstalledCheckRegKey;
   [write] string InstalledCheckRegValueName;
   [write] string InstalledCheckRegValueData;
 };
 
 
+

DSCResources/MSFT_xPackageResource/en-US/MSFT_xPackageResource.psd1

@@ -31,6 +31,13 @@ MachineRequiresReboot=The machine requires a reboot
 PackageDoesNotAppearInstalled=The package {0} is not installed
 PackageAppearsInstalled=The package {0} is already installed
 PostValidationError=Package from {0} was installed, but the specified ProductId and/or Name does not match package details
+CheckingFileHash=Checking file '{0}' for expected {2} hash value of {1}
+InvalidFileHash=File '{0}' does not match expected {2} hash value of {1}.
+CheckingFileSignature=Checking file '{0}' for valid digital signature.
+FileHasValidSignature=File '{0}' contains a valid digital signature. Signer Thumbprint: {1}, Subject: {2}
+InvalidFileSignature=File '{0}' does not have a valid Authenticode signature.  Status: {1}
+WrongSignerSubject=File '{0}' was not signed by expected signer subject '{1}'
+WrongSignerThumbprint=File '{0}' was not signed by expected signer certificate thumbprint '{1}'
 ###PSLOC
 
 '@