Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How does Get-IssuedRequest -Filter actually work? #222

Open
darkrhyes opened this issue Sep 30, 2024 · 3 comments
Open

How does Get-IssuedRequest -Filter actually work? #222

darkrhyes opened this issue Sep 30, 2024 · 3 comments
Labels
question This is a general question.

Comments

@darkrhyes
Copy link

darkrhyes commented Sep 30, 2024
edited
Loading

I am using Get-IssuedRequest with a Filter switch and it keeps saying the format is invalid in a specific way.

Get-IssuedRequest -Filter "CommonName -notcontains ABCCompany"

Reply:

Line |
  17 |                  throw "Malformed filter: '$line'"
     |                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Malformed filter: 'CommonName -Notcontains ABCCompany'

What exact qualifiers does the Filter switch allow? `

I have only been able to use "NotAfter -gt" and everything else as a filter has thrown an error.

The examples show:
Get-CertificationAuthority -Name MyCA | Get-IssuedRequest -Filter "CertificateTemplate -eq WebServer", "CommonName -eq www.company.com"

which is what I am doing with just the Commoname property and -notcontains. Also I did try -ne which gave me the same error.
@Crypt32
Copy link
Collaborator

Crypt32 commented Oct 1, 2024

Did you check cmdlet built-in help?

PS C:\> man Get-IssuedRequest -Parameter Filter

-Filter <String[]>
    Specifies the query filter to restrict output objects to ones that matches query filter rule. Query filter rule con
    sist of three components: <RequestProperty>, <comparison operator> and <value>. Query filter is composed in the fol
    lowing format: "<RequestProperty> <comparison operator> <value>" where:
    <RequestProperty> - is a certificate request property name. To retrieve valid property list run Get-CertificationAu
    thorityDbSchema command.
    <comparison operator> - specifies the logical operator of the data-query qualifier for the column.
    <value> - specifies the data query qualifier applied to the certificate request property.

    Possible operators are:
    -eq (equal to) - the value in the <value> field equals to a value stored in the certificate request property.
    -le (less or equal to) - the value in the <value> field is less or equal to a value stored in the certificate reque
    st property. See below about operator behavior with string qualifiers.
    -lt (less than) - the value in the <value> field is less then a value stored in the certificate request property. S
    ee below about operator behavior with string qualifiers.
    -ge (greater or equal to) - the value in the <value> field is greater or equal to a value stored in the certificate
     request property. See below about operator behavior with string qualifiers.
    -gt (greater than) - the value in the <value> field is greater than a value stored in the certificate request prope
    rty. See below about operator behavior with string qualifiers.

    There are special rules when processing the following operators: '-ge', '-gt', '-le' and '-lt' with string qualifie
    rs. In this case, CA server performs binary comparison between strings (column value and qualifier value). For exam
    ple, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB",
     "ABC" is less than "BRC".
    If column value length is larger than qualifier string, a wild card is virtually added to the query qualifier value
    . For example, column value is "a large string" and qualifier value is "a large", then column value is greater than
     qualifier value. In other words, "AA" > "A" and "A" < "AA".

    An example of the filter: Request.RequesterName -eq domain\username
    this filter returnes requests that were requested by 'domain\username' user account. See examples section for more
    filter examples.

    You can specify multiple filters. All filters are applied to requests with logical AND operator. This means that ou
    tput requests must match all filters.

    Note: wildcard characters are not supported.

    Note: if 'RequestID' parameter is specified, all filters are ignored.

    Required?                    false
    Position?                    5
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false





PS C:\>

Also, Get-Help Get-IssuedRequest -Online will open you a web version of this help. There you can find allowed operators and how these operators work with string filter qualifiers. Basically, there is no -ne, -contains or -notcontains operators.

@Crypt32 Crypt32 added the question This is a general question. label Oct 1, 2024
@darkrhyes
Copy link
Author

Interesting. Thank you. I didn't realize it might not support "-ne" or "-notcontains".

I ended doing a "-ge" with one of the values than a standard filter against the collected array to remove the values I didn't want.

Thanks again.

@Crypt32
Copy link
Collaborator

Crypt32 commented Oct 1, 2024

I didn't realize it might not support "-ne" or "-notcontains".

This limitation came from underlying DB query engine. Look for SeekOperator parameter that lists supported by underlying query engine operators: https://learn.microsoft.com/en-us/windows/win32/api/certview/nf-certview-icertview-setrestriction.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question This is a general question.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Crypt32 @darkrhyes