IISWebAppMgmtV3 - Bypass bindings with duplicate certificates & suppo…

…rt multiple certificates (#1220) * Bypass bindings with duplicate certificates * Bumped task version to 235 sprint * Bumped task version
microsoft · Feb 1, 2024 · f670adb · naillatem · Feb 6, 2024 · f670adb
1 parent b50fe68
commit f670adb
Show file tree

Hide file tree

Showing 9 changed files with 65 additions and 46 deletions.
diff --git a/Extensions/IISWebAppDeploy/Src/Tasks/IISWebAppDeploy/IISWebAppDeployV1/task.json b/Extensions/IISWebAppDeploy/Src/Tasks/IISWebAppDeploy/IISWebAppDeployV1/task.json
@@ -6,8 +6,8 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 1,
-    "Minor": 5,
-    "Patch": 6
+    "Minor": 6,
+    "Patch": 0
   },
   "demands": [
   ],

diff --git a/Extensions/IISWebAppDeploy/Src/Tasks/IISWebAppDeploy/IISWebAppDeployV2/task.json b/Extensions/IISWebAppDeploy/Src/Tasks/IISWebAppDeploy/IISWebAppDeployV2/task.json
@@ -15,8 +15,8 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 2,
-    "Minor": 1,
-    "Patch": 6
+    "Minor": 2,
+    "Patch": 0
   },
   "demands": [
   ],

diff --git a/Extensions/IISWebAppDeploy/Src/Tasks/IISWebAppMgmt/IISWebAppMgmtV1/task.json b/Extensions/IISWebAppDeploy/Src/Tasks/IISWebAppMgmt/IISWebAppMgmtV1/task.json
@@ -15,8 +15,8 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 1,
-    "Minor": 4,
-    "Patch": 6
+    "Minor": 5,
+    "Patch": 0
   },
   "demands": [
   ],

diff --git a/Extensions/IISWebAppDeploy/Src/Tasks/IISWebAppMgmt/IISWebAppMgmtV2/task.json b/Extensions/IISWebAppDeploy/Src/Tasks/IISWebAppMgmt/IISWebAppMgmtV2/task.json
@@ -15,8 +15,8 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 2,
-    "Minor": 2,
-    "Patch": 6
+    "Minor": 3,
+    "Patch": 0
   },
   "demands": [
   ],

diff --git a/...nsions/IISWebAppDeploy/Src/Tasks/IISWebAppMgmt/IISWebAppMgmtV3/AppCmdOnTargetMachines.ps1 b/...nsions/IISWebAppDeploy/Src/Tasks/IISWebAppMgmt/IISWebAppMgmtV3/AppCmdOnTargetMachines.ps1
@@ -22,7 +22,7 @@ function Run-Command
     $ErrorActionPreference = 'Stop'
 
     if($failOnErr -and $LASTEXITCODE -ne 0)
-    {
+    {  
         throw $result
     }
 
@@ -208,6 +208,34 @@ function Enable-SNI
     Run-Command -command $command
 }
 
+function ShowCertBinding
+{
+    param(
+        [string]$bindingType,
+        [string]$bindingValue,
+        [string]$port
+    )
+
+    $showCertCmd = "netsh http show sslcert {0}={1}:{2}" -f $bindingType, $bindingValue, $port
+    Write-Verbose "Checking if SslCert binding is already present. Running command : netsh $showCertCmd"
+
+    $netshResult = Run-Command -command $showCertCmd -failOnErr $false
+    return $netshResult
+}
+
+function AddCertBinding
+{
+    param(
+        [string]$bindingType,
+        [string]$bindingValue,
+        [string]$port,
+        [string]$certhash
+    )
+
+    $addCertCmd = "netsh http add sslcert {0}={1}:{2} certhash={3} appid={{{4}}} certstorename=MY" -f $bindingType, $bindingValue, $port, $certhash, [System.Guid]::NewGuid().toString()
+    Run-Command -command $addCertCmd
+}
+
 function Add-SslCert
 {
     param(
@@ -230,42 +258,33 @@ function Add-SslCert
         $ipAddress = "0.0.0.0"
     }
 
-    $result = $null
-    $isItSameBinding = $false
-    $addCertCmd = [string]::Empty
-
-    #SNI is supported IIS 8 and above. To enable SNI hostnameport option should be used
-    if($sni -eq "true" -and $iisVersion -ge 8 -and -not [string]::IsNullOrWhiteSpace($hostname))
-    {
-        $showCertCmd = [string]::Format("netsh http show sslcert hostnameport={0}:{1}", $hostname, $port)
-        Write-Verbose "Checking if SslCert binding is already present. Running command : $showCertCmd"
-
-        $result = Run-Command -command $showCertCmd -failOnErr $false
-        $isItSameBinding = $result.Get(4).Contains([string]::Format("{0}:{1}", $hostname, $port))
+    $isSniEnabled = $sni -eq "true" -and $iisVersion -ge 8 -and -not [string]::IsNullOrWhiteSpace($hostname)
+    $bindingType = if ($isSniEnabled) { "hostnameport" } else { "ipport" }
+    $bindingParsedType = if ($bindingType -eq "ipport") {"IP:port"} Else {"Hostname:port"}
+    Write-Verbose ("Binding type" + $bindingType)
+    $bindingValue = if ($isSniEnabled) { $hostname } else { $ipAddress }
+    Write-Verbose ("BindingValue" + $bindingValue)
+    $netshResult= ShowCertBinding -bindingType $bindingType -bindingValue $bindingValue -port $port
+    $matchingBinding = $netshResult | Where-Object { $_.Trim().StartsWith("{0}" -f $bindingParsedType ) -and $_.Trim().EndsWith("{0}:{1}") -f $bindingValue, $port }
+
 
-        $addCertCmd = [string]::Format("netsh http add sslcert hostnameport={0}:{1} certhash={2} appid={{{3}}} certstorename=MY", $hostname, $port, $certhash, [System.Guid]::NewGuid().toString())
-    }
-    else
+    if($matchingBinding) # A certificate with the same binding is found
     {
-        $showCertCmd = [string]::Format("netsh http show sslcert ipport={0}:{1}", $ipAddress, $port)
-        Write-Verbose "Checking if SslCert binding is already present. Running command : $showCertCmd"
-
-        $result = Run-Command -command $showCertCmd -failOnErr $false
-        $isItSameBinding = $result.Get(4).Contains([string]::Format("{0}:{1}", $ipAddress, $port))
-
-        $addCertCmd = [string]::Format("netsh http add sslcert ipport={0}:{1} certhash={2} appid={{{3}}} certstorename=MY", $ipAddress, $port, $certhash, [System.Guid]::NewGuid().toString())
-    }
-
-    $isItSameCert = $result.Get(5).ToLower().Contains($certhash.ToLower())
+
+        $matchingBindingIndex = $netshResult.IndexOf($matchingBinding)
+
+        $isItSameCert = $netshResult[$matchingBindingIndex + 1].ToLower().Contains($certhash.ToLower()) # The certificate hash is on the next line
 
-    if($isItSameBinding -and $isItSameCert)
-    {
-        Write-Verbose "SSL cert binding is already present. Returning"
-        return
+        if($isItSameCert)
+        {
+
+            Write-Verbose "SSL cert binding is already present. Returning"
+            return
+        }
     }
 
     Write-Verbose "Setting SslCert for website."
-    Run-Command -command $addCertCmd
+    AddCertBinding -bindingType $bindingType -bindingValue $bindingValue -port $port -certhash $certhash
 }
 
 function Add-Website

diff --git a/Extensions/IISWebAppDeploy/Src/Tasks/IISWebAppMgmt/IISWebAppMgmtV3/task.json b/Extensions/IISWebAppDeploy/Src/Tasks/IISWebAppMgmt/IISWebAppMgmtV3/task.json
@@ -15,8 +15,8 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 3,
-    "Minor": 1,
-    "Patch": 6
+    "Minor": 2,
+    "Patch": 0
   },
   "demands": [
   ],

diff --git a/Extensions/IISWebAppDeploy/Src/Tasks/SqlDacpacDeploy/SqlDacpacDeployV1/task.json b/Extensions/IISWebAppDeploy/Src/Tasks/SqlDacpacDeploy/SqlDacpacDeployV1/task.json
@@ -15,8 +15,8 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 1,
-    "Minor": 4,
-    "Patch": 7
+    "Minor": 5,
+    "Patch": 0
   },
   "demands": [
   ],

diff --git a/Extensions/IISWebAppDeploy/Src/Tasks/SqlDacpacDeploy/SqlDacpacDeployV2/task.json b/Extensions/IISWebAppDeploy/Src/Tasks/SqlDacpacDeploy/SqlDacpacDeployV2/task.json
@@ -15,8 +15,8 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 2,
-    "Minor": 1,
-    "Patch": 7
+    "Minor": 2,
+    "Patch": 0
   },
   "demands": [
   ],

diff --git a/Extensions/IISWebAppDeploy/Src/vss-extension.json b/Extensions/IISWebAppDeploy/Src/vss-extension.json
@@ -2,7 +2,7 @@
   "manifestVersion": 1,
   "extensionId": "iiswebapp",
   "name": "IIS Web App Deployment Using WinRM",
-  "version": "1.6.8",
+  "version": "1.7.0",
   "publisher": "ms-vscs-rm",
   "description": "Using WinRM connect to the host Computer, to deploy a Web project using Web Deploy or a SQL DB using sqlpackage.exe.",
   "public": true,