Add support for [SecureString] in PowerShell adapter

Gijsreyn · Gijsreyn · commit 6ca0a7eee573 · 2025-10-24T10:41:16.000+02:00
diff --git a/adapters/powershell/Tests/TestClassResource/0.0.1/TestClassResource.psm1 b/adapters/powershell/Tests/TestClassResource/0.0.1/TestClassResource.psm1
@@ -40,6 +40,9 @@ class TestClassResource : BaseTestClass
     [DscProperty()]
     [Ensure] $Ensure
 
+    [DscProperty()]
+    [SecureString] $SecureStringProp
+
     [string] $NonDscProperty # This property shouldn't be in results data
 
     hidden
diff --git a/adapters/powershell/Tests/powershellgroup.resource.tests.ps1 b/adapters/powershell/Tests/powershellgroup.resource.tests.ps1
@@ -376,4 +376,11 @@ Describe 'PowerShell adapter resource tests' {
         $LASTEXITCODE | Should -Be 7
         Get-Content -Path $TestDrive/error.log | Should -Match 'Resource not found: TestClassResource/TestClassResource 0.0.2'
     }
+
+    It 'Can process SecureString property' {
+        $r = '{"Name":"TestClassResource1","SecureStringProp":"MySecretValue"}' | dsc resource get -r 'TestClassResource/TestClassResource' -f -
+        $LASTEXITCODE | Should -Be 0
+        $res = $r | ConvertFrom-Json
+        $res.actualState.SecureStringProp | Should -Not -BeNullOrEmpty
+    }
 }
diff --git a/adapters/powershell/psDscAdapter/psDscAdapter.psm1 b/adapters/powershell/psDscAdapter/psDscAdapter.psm1
@@ -424,21 +424,30 @@ function Invoke-DscOperation {
                         # set each property of $dscResourceInstance to the value of the property in the $desiredState INPUT object
                         $DesiredState.properties.psobject.properties | ForEach-Object -Process {
                             # handle input objects by converting them to a hash table
+                            $validateProperty = $cachedDscResourceInfo.Properties | Where-Object -Property Name -EQ $_.Name
                             if ($_.Value -is [System.Management.Automation.PSCustomObject]) {
                                 $validateProperty = $cachedDscResourceInfo.Properties | Where-Object -Property Name -EQ $_.Name
-                                if ($validateProperty -and $validateProperty.PropertyType -eq 'PSCredential') {
+                                if ($validateProperty -and $validateProperty.PropertyType -like "*PSCredential") {
                                     if (-not $_.Value.Username -or -not $_.Value.Password) {
                                         "Credential object '$($_.Name)' requires both 'username' and 'password' properties" | Write-DscTrace -Operation Error
                                         exit 1
                                     }
                                     $dscResourceInstance.$($_.Name) = [System.Management.Automation.PSCredential]::new($_.Value.Username, (ConvertTo-SecureString -AsPlainText $_.Value.Password -Force))
                                 }
+                                elseif ($validateProperty -and $validateProperty.PropertyType -like '*SecureString') {
+                                    
+                                    $dscResourceInstance.$($_.Name) = ConvertTo-SecureString -AsPlainText $_.Value -Force
+                                }
                                 else {
                                     $dscResourceInstance.$($_.Name) = $_.Value.psobject.properties | ForEach-Object -Begin { $propertyHash = @{} } -Process { $propertyHash[$_.Name] = $_.Value } -End { $propertyHash }
                                 }
                             }
                             else {
-                                $dscResourceInstance.$($_.Name) = $_.Value
+                                if ($validateProperty -and $validateProperty.PropertyType -like '*SecureString' -and -not [string]::IsNullOrEmpty($_.Value)) {
+                                    $dscResourceInstance.$($_.Name) = ConvertTo-SecureString -AsPlainText $_.Value -Force   
+                                } else {
+                                    $dscResourceInstance.$($_.Name) = $_.Value
+                                }
                             }
                         }
                     }

Original file line number	Diff line number	Diff line change
`@@ -376,4 +376,11 @@ Describe 'PowerShell adapter resource tests' {`
`376`	`376`	`$LASTEXITCODE \| Should -Be 7`
`377`	`377`	`Get-Content -Path $TestDrive/error.log \| Should -Match 'Resource not found: TestClassResource/TestClassResource 0.0.2'`
`378`	`378`	`}`
	`379`	`+`
	`380`	`+ It 'Can process SecureString property' {`
	`381`	`+ $r = '{"Name":"TestClassResource1","SecureStringProp":"MySecretValue"}' \| dsc resource get -r 'TestClassResource/TestClassResource' -f -`
	`382`	`+ $LASTEXITCODE \| Should -Be 0`
	`383`	`+ $res = $r \| ConvertFrom-Json`
	`384`	`+ $res.actualState.SecureStringProp \| Should -Not -BeNullOrEmpty`
	`385`	`+ }`
`379`	`386`	`}`
Original file line number	Diff line number	Diff line change
`@@ -424,21 +424,30 @@ function Invoke-DscOperation {`
`424`	`424`	`# set each property of $dscResourceInstance to the value of the property in the $desiredState INPUT object`
`425`	`425`	`$DesiredState.properties.psobject.properties \| ForEach-Object -Process {`
`426`	`426`	`# handle input objects by converting them to a hash table`
	`427`	`+ $validateProperty = $cachedDscResourceInfo.Properties \| Where-Object -Property Name -EQ $_.Name`
`427`	`428`	`if ($_.Value -is [System.Management.Automation.PSCustomObject]) {`
`428`	`429`	`$validateProperty = $cachedDscResourceInfo.Properties \| Where-Object -Property Name -EQ $_.Name`
`429`		`- if ($validateProperty -and $validateProperty.PropertyType -eq 'PSCredential') {`
	`430`	`+ if ($validateProperty -and $validateProperty.PropertyType -like "*PSCredential") {`
`430`	`431`	`if (-not $_.Value.Username -or -not $_.Value.Password) {`
`431`	`432`	`"Credential object '$($_.Name)' requires both 'username' and 'password' properties" \| Write-DscTrace -Operation Error`
`432`	`433`	`exit 1`
`433`	`434`	`}`
`434`	`435`	`$dscResourceInstance.$($_.Name) = [System.Management.Automation.PSCredential]::new($_.Value.Username, (ConvertTo-SecureString -AsPlainText $_.Value.Password -Force))`
`435`	`436`	`}`
	`437`	`+ elseif ($validateProperty -and $validateProperty.PropertyType -like '*SecureString') {`
	`438`	`+`
	`439`	`+ $dscResourceInstance.$($_.Name) = ConvertTo-SecureString -AsPlainText $_.Value -Force`
	`440`	`+ }`
`436`	`441`	`else {`
`437`	`442`	`$dscResourceInstance.$($_.Name) = $_.Value.psobject.properties \| ForEach-Object -Begin { $propertyHash = @{} } -Process { $propertyHash[$_.Name] = $_.Value } -End { $propertyHash }`
`438`	`443`	`}`
`439`	`444`	`}`
`440`	`445`	`else {`
`441`		`- $dscResourceInstance.$($_.Name) = $_.Value`
	`446`	`+ if ($validateProperty -and $validateProperty.PropertyType -like '*SecureString' -and -not [string]::IsNullOrEmpty($_.Value)) {`
	`447`	`+ $dscResourceInstance.$($_.Name) = ConvertTo-SecureString -AsPlainText $_.Value -Force`
	`448`	`+ } else {`
	`449`	`+ $dscResourceInstance.$($_.Name) = $_.Value`
	`450`	`+ }`
`442`	`451`	`}`
`443`	`452`	`}`
`444`	`453`	`}`