Fixed cascading errors on public functions when running with little o…

…r no existing config. (#544)
rmbolger · May 1, 2024 · 92f3fde · 92f3fde
1 parent e7fd90e
commit 92f3fde
Show file tree

Hide file tree

Showing 15 changed files with 127 additions and 102 deletions.
diff --git a/Posh-ACME/Public/Export-PAAccountKey.ps1 b/Posh-ACME/Public/Export-PAAccountKey.ps1
@@ -23,7 +23,7 @@ function Export-PAAccountKey {
     }
 
     Process {
-        trap { $PSCmdlet.ThrowTerminatingError($PSItem) }
+        trap { $PSCmdlet.ThrowTerminatingError($_) }
 
         # throw an error if there's no current account and no ID passed in
         if (-not $ID -and -not ($acct = Get-PAAccount)) {

diff --git a/Posh-ACME/Public/Get-KeyAuthorization.ps1 b/Posh-ACME/Public/Get-KeyAuthorization.ps1
@@ -29,23 +29,20 @@ function Get-KeyAuthorization {
     # strings.
 
     Begin {
+        trap { $PSCmdlet.ThrowTerminatingError($_) }
+
         # make sure any account passed in is actually associated with the current server
         # or if no account was specified, that there's a current account.
         if (-not $Account) {
             if (-not ($Account = Get-PAAccount)) {
-                try { throw "No Account parameter specified and no current account selected. Try running Set-PAAccount first." }
-                catch { $PSCmdlet.ThrowTerminatingError($_) }
-            }
-        } else {
-            if ($Account.id -notin (Get-PAAccount -List).id) {
-                try { throw "Specified account id $($Account.id) was not found in the current server's account list." }
-                catch { $PSCmdlet.ThrowTerminatingError($_) }
+                throw "No Account parameter specified and no current account selected. Try running Set-PAAccount first."
             }
+        } elseif ($Account.id -notin (Get-PAAccount -List).id) {
+            throw "Specified account id $($Account.id) was not found in the current server's account list."
         }
         # make sure it's valid
         if ($Account.status -ne 'valid') {
-            try { throw "Account status is $($Account.status)." }
-            catch { $PSCmdlet.ThrowTerminatingError($_) }
+            throw "Account status is $($Account.status)."
         }
 
         # hydrate the account key

diff --git a/Posh-ACME/Public/Get-PAAuthorization.ps1 b/Posh-ACME/Public/Get-PAAuthorization.ps1
@@ -10,17 +10,18 @@ function Get-PAAuthorization {
     )
 
     Begin {
-        # Make sure there's a valid account
-        if (-not $Account) {
-            if (-not ($Account = Get-PAAccount)) {
-                try { throw "No Account parameter specified and no current account selected. Try running Set-PAAccount first." }
-                catch { $PSCmdlet.ThrowTerminatingError($_) }
+        try {
+            # Make sure there's a valid account
+            if (-not $Account) {
+                if (-not ($Account = Get-PAAccount)) {
+                    throw "No Account parameter specified and no current account selected. Try running Set-PAAccount first."
+                }
+            }
+            if ($Account.status -ne 'valid') {
+                throw "Account status is $($Account.status)."
             }
         }
-        if ($Account.status -ne 'valid') {
-            try { throw "Account status is $($Account.status)." }
-            catch { $PSCmdlet.ThrowTerminatingError($_) }
-        }
+        catch { $PSCmdlet.ThrowTerminatingError($_) }
     }
 
     Process {

diff --git a/Posh-ACME/Public/Get-PACertificate.ps1 b/Posh-ACME/Public/Get-PACertificate.ps1
@@ -13,11 +13,13 @@ function Get-PACertificate {
     )
 
     Begin {
-        # Make sure we have an account configured
-        if (-not (Get-PAAccount)) {
-            try { throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first." }
-            catch { $PSCmdlet.ThrowTerminatingError($_) }
+        try {
+            # Make sure we have an account configured
+            if (-not (Get-PAAccount)) {
+                throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first."
+            }
         }
+        catch { $PSCmdlet.ThrowTerminatingError($_) }
 
         # prep to calculate SHA1 thumbprints
         $sha1 = [Security.Cryptography.SHA1CryptoServiceProvider]::new()
@@ -27,7 +29,10 @@ function Get-PACertificate {
 
         # since the params in this function are a subset of the params for Get-PAOrder, we're
         # just going to pass them directly to it to get order(s) associated with the certificates
-        Get-PAOrder @PSBoundParameters | ForEach-Object {
+        if (-not ($orders = Get-PAOrder @PSBoundParameters)) {
+            return
+        }
+        $orders | ForEach-Object {
 
             $order = $_
             $certFile = Join-Path $order.Folder 'cert.cer'

diff --git a/Posh-ACME/Public/Get-PAOrder.ps1 b/Posh-ACME/Public/Get-PAOrder.ps1
@@ -13,11 +13,13 @@ function Get-PAOrder {
     )
 
     Begin {
-        # Make sure we have an account configured
-        if (-not ($acct = Get-PAAccount)) {
-            try { throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first." }
-            catch { $PSCmdlet.ThrowTerminatingError($_) }
+        try {
+            # Make sure we have an account configured
+            if (-not ($acct = Get-PAAccount)) {
+                throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first."
+            }
         }
+        catch { $PSCmdlet.ThrowTerminatingError($_) }
     }
 
     Process {

diff --git a/Posh-ACME/Public/Get-PAPluginArgs.ps1 b/Posh-ACME/Public/Get-PAPluginArgs.ps1
@@ -10,11 +10,13 @@ function Get-PAPluginArgs {
     )
 
     Begin {
-        # Make sure we have an account configured
-        if (-not ($acct = Get-PAAccount)) {
-            try { throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first." }
-            catch { $PSCmdlet.ThrowTerminatingError($_) }
+        try {
+            # Make sure we have an account configured
+            if (-not ($acct = Get-PAAccount)) {
+                throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first."
+            }
         }
+        catch { $PSCmdlet.ThrowTerminatingError($_) }
 
         function SecureDeserialize {
             [CmdletBinding()]

diff --git a/Posh-ACME/Public/Invoke-HttpChallengeListener.ps1 b/Posh-ACME/Public/Invoke-HttpChallengeListener.ps1
@@ -21,11 +21,13 @@ function Invoke-HttpChallengeListener {
 
     Begin {
 
-        # Make sure we have an account configured
-        if (-not ($acct = Get-PAAccount)) {
-            try { throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first." }
-            catch { $PSCmdlet.ThrowTerminatingError($_) }
+        try {
+            # Make sure we have an account configured
+            if (-not ($acct = Get-PAAccount)) {
+                throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first."
+            }
         }
+        catch { $PSCmdlet.ThrowTerminatingError($_) }
 
         # account present, lets start
         # if ListenerTimeout is set to zero, write a warning

diff --git a/Posh-ACME/Public/New-PAAuthorization.ps1 b/Posh-ACME/Public/New-PAAuthorization.ps1
@@ -9,23 +9,23 @@ function New-PAAuthorization {
     )
 
     Begin {
-        # Make sure the current server actually supports pre-authorization
-        if (-not $script:Dir.newAuthz) {
-            try { throw "The current ACME server does not support pre-authorization. Use New-PAOrder or New-PACertificate instead." }
-            catch { $PSCmdlet.ThrowTerminatingError($_) }
-        }
+        try {
+            # Make sure the current server actually supports pre-authorization
+            if (-not $script:Dir.newAuthz) {
+                throw "The current ACME server does not support pre-authorization. Use New-PAOrder or New-PACertificate instead."
+            }
 
-        # Make sure there's a valid account
-        if (-not $Account) {
-            if (-not ($Account = Get-PAAccount)) {
-                try { throw "No Account parameter specified and no current account selected. Try running Set-PAAccount first." }
-                catch { $PSCmdlet.ThrowTerminatingError($_) }
+            # Make sure there's a valid account
+            if (-not $Account) {
+                if (-not ($Account = Get-PAAccount)) {
+                    throw "No Account parameter specified and no current account selected. Try running Set-PAAccount first."
+                }
+            }
+            if ($Account.status -ne 'valid') {
+                throw "Account status is $($Account.status)."
             }
         }
-        if ($Account.status -ne 'valid') {
-            try { throw "Account status is $($Account.status)." }
-            catch { $PSCmdlet.ThrowTerminatingError($_) }
-        }
+        catch { $PSCmdlet.ThrowTerminatingError($_) }
 
         # super lazy IPv4 address regex, but we just need to be able to
         # distinguish from an FQDN

diff --git a/Posh-ACME/Public/New-PAOrder.ps1 b/Posh-ACME/Public/New-PAOrder.ps1
@@ -53,11 +53,13 @@ function New-PAOrder {
         [switch]$Force
     )
 
-    # Make sure we have an account configured
-    if (-not ($acct = Get-PAAccount)) {
-        try { throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first." }
-        catch { $PSCmdlet.ThrowTerminatingError($_) }
+    try {
+        # Make sure we have an account configured
+        if (-not ($acct = Get-PAAccount)) {
+            throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first."
+        }
     }
+    catch { $PSCmdlet.ThrowTerminatingError($_) }
 
     # If using a pre-generated CSR, extract the details so we can generate expected parameters
     if ('FromCSR' -eq $PSCmdlet.ParameterSetName) {

diff --git a/Posh-ACME/Public/Remove-PAOrder.ps1 b/Posh-ACME/Public/Remove-PAOrder.ps1
@@ -11,11 +11,13 @@ function Remove-PAOrder {
     )
 
     Begin {
-        # Make sure we have an account configured
-        if (-not ($acct = Get-PAAccount)) {
-            try { throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first." }
-            catch { $PSCmdlet.ThrowTerminatingError($_) }
+        try {
+            # Make sure we have an account configured
+            if (-not ($acct = Get-PAAccount)) {
+                throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first."
+            }
         }
+        catch { $PSCmdlet.ThrowTerminatingError($_) }
     }
 
     Process {

diff --git a/Posh-ACME/Public/Revoke-PAAuthorization.ps1 b/Posh-ACME/Public/Revoke-PAAuthorization.ps1
@@ -11,23 +11,20 @@ function Revoke-PAAuthorization {
     )
 
     Begin {
+        trap { $PSCmdlet.ThrowTerminatingError($_) }
+
         # make sure any account passed in is actually associated with the current server
         # or if no account was specified, that there's a current account.
         if (-not $Account) {
             if (-not ($Account = Get-PAAccount)) {
-                try { throw "No Account parameter specified and no current account selected. Try running Set-PAAccount first." }
-                catch { $PSCmdlet.ThrowTerminatingError($_) }
-            }
-        } else {
-            if ($Account.id -notin (Get-PAAccount -List).id) {
-                try { throw "Specified account id $($Account.id) was not found in the current server's account list." }
-                catch { $PSCmdlet.ThrowTerminatingError($_) }
+                throw "No Account parameter specified and no current account selected. Try running Set-PAAccount first."
             }
+        } elseif ($Account.id -notin (Get-PAAccount -List).id) {
+            throw "Specified account id $($Account.id) was not found in the current server's account list."
         }
         # make sure it's valid
         if ($Account.status -ne 'valid') {
-            try { throw "Account status is $($Account.status)." }
-            catch { $PSCmdlet.ThrowTerminatingError($_) }
+            throw "Account status is $($Account.status)."
         }
 
         # build the header template

diff --git a/Posh-ACME/Public/Revoke-PACertificate.ps1 b/Posh-ACME/Public/Revoke-PACertificate.ps1
@@ -19,8 +19,16 @@ function Revoke-PACertificate {
     )
 
     Begin {
-        # grab a reference to the current account if it exists
-        $acct = Get-PAAccount
+        # make sure we have a server configured
+        if (-not (Get-PAServer)) {
+            try { throw "No ACME server configured. Run Set-PAServer first." }
+            catch { $PSCmdlet.ThrowTerminatingError($_) }
+        }
+
+        try {
+            # grab a reference to the current account if it exists
+            $acct = Get-PAAccount
+        } catch {}
 
         if ($Force){
             $ConfirmPreference = 'None'
@@ -34,31 +42,40 @@ function Revoke-PACertificate {
 
         if ('MainDomain' -eq $PSCmdlet.ParameterSetName) {
 
+            if (-not $acct) {
+                try { throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first." }
+                catch { $PSCmdlet.ThrowTerminatingError($_) }
+            }
+
+            if (-not $Name -and -not $MainDomain) {
+                try { throw "Please specify either MainDomain or Name parameters." }
+                catch { $PSCmdlet.WriteError($_); return }
+            }
+
             # check for a unique matching order
             if ($Name) {
-                $order = Get-PAOrder -Name $Name
-                if (-not $order) {
-                    Write-Error "No order found matching Name '$Name'."
-                    return
+                if (-not ($order = Get-PAOrder -Name $Name)) {
+                    try { throw "No order found matching Name '$Name'." }
+                    catch { $PSCmdlet.WriteError($_); return }
                 }
             } else {
                 $matchingOrders = @(Get-PAOrder -List | Where-Object { $_.MainDomain -eq $MainDomain })
                 if ($matchingOrders.Count -eq 1) {
                     $order = $matchingOrders
                 } elseif ($matchingOrders.Count -ge 2) {
                     # error because we can't be sure which object to affect
-                    Write-Error "Multiple orders found for MainDomain '$MainDomain'. Please specify Name as well."
-                    return
+                    try { throw "Multiple orders found for MainDomain '$MainDomain'. Please specify Name as well." }
+                    catch { $PSCmdlet.WriteError($_); return }
                 } else {
-                    Write-Error "No order found matching MainDomain '$MainDomain'."
-                    return
+                    try { throw "No order found matching MainDomain '$MainDomain'." }
+                    catch { $PSCmdlet.WriteError($_); return }
                 }
             }
 
             # check for an existing certificate
             if (-not ($paCert = $order | Get-PACertificate)) {
                 try { throw "No existing certificate found for $MainDomain." }
-                catch { $PSCmdlet.ThrowTerminatingError($_) }
+                catch { $PSCmdlet.WriteError($_); return }
             }
 
             # set the cert file path
@@ -72,10 +89,10 @@ function Revoke-PACertificate {
                 throw "Malformed certificate file: $CertFile"
             }
         }
-        catch { $PSCmdlet.ThrowTerminatingError($_) }
+        catch { $PSCmdlet.WriteError($_); return }
 
         # remove the header/footer and convert to Base64Url as ACME expects
-        $certStr = $certStr.Replace($pemHeader,'').Replace($pemFooter,'') |
+        $certStr = $certStr.Replace($pemHeader,'').Replace($pemFooter,'').Trim() |
             ConvertTo-Base64Url -FromBase64
 
         # Now we need to decide how we're going to sign to request. It can either
@@ -85,8 +102,8 @@ function Revoke-PACertificate {
         # the cert.
         #     https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.1
         #
-        # BuyPass currently only implements Account key based revocation, so we
-        # can't just default to using the Cert key when it's available.
+        # BuyPass currently only implements Account key based revocation and throws
+        # an Internal Server Error if you try to revoke via the cert key.
 
         # check the private key
         if ($KeyFile) {
@@ -131,10 +148,6 @@ function Revoke-PACertificate {
             # set the key
             $acmeParams.Key = $certKey
 
-        } elseif (-not $acct) {
-            try { throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first." }
-            catch { $PSCmdlet.ThrowTerminatingError($_) }
-
         } else {
             Write-Debug "Attempting to use account key"
 
@@ -159,6 +172,7 @@ function Revoke-PACertificate {
 
         # send the request
         if ($PSCmdlet.ShouldProcess($CertFile)){
+            Write-Verbose "Sending revocation request."
             try {
                 Invoke-ACME @acmeParams | Out-Null
             } catch { $PSCmdlet.ThrowTerminatingError($_) }

diff --git a/Posh-ACME/Public/Send-ChallengeAck.ps1 b/Posh-ACME/Public/Send-ChallengeAck.ps1
@@ -8,23 +8,20 @@ function Send-ChallengeAck {
     )
 
     Begin {
+        trap { $PSCmdlet.ThrowTerminatingError($_) }
+
         # make sure any account passed in is actually associated with the current server
         # or if no account was specified, that there's a current account.
         if (-not $Account) {
             if (-not ($Account = Get-PAAccount)) {
-                try { throw "No Account parameter specified and no current account selected. Try running Set-PAAccount first." }
-                catch { $PSCmdlet.ThrowTerminatingError($_) }
-            }
-        } else {
-            if ($Account.id -notin (Get-PAAccount -List).id) {
-                try { throw "Specified account id $($Account.id) was not found in the current server's account list." }
-                catch { $PSCmdlet.ThrowTerminatingError($_) }
+                throw "No Account parameter specified and no current account selected. Try running Set-PAAccount first."
             }
+        } elseif ($Account.id -notin (Get-PAAccount -List).id) {
+            throw "Specified account id $($Account.id) was not found in the current server's account list."
         }
         # make sure it's valid
         if ($Account.status -ne 'valid') {
-            try { throw "Account status is $($Account.status)." }
-            catch { $PSCmdlet.ThrowTerminatingError($_) }
+            throw "Account status is $($Account.status)."
         }
     }