Private/Export-PluginArgs.ps1

function Export-PluginArgs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory,Position=0)]
        [PSTypeName('PoshACME.PAOrder')]$Order,
        [Parameter(Mandatory)]
        [hashtable]$PluginArgs,
        [switch]$IgnoreExisting
    )

    # In this function, we're trying to merge the specified plugin args with the existing set
    # of saved plugin arg data on disk. But some plugins have parameter sets that can
    # end up causing AmbiguousParameterSet errors if we just naively merge all new args.
    # So essentially what we're going to do is this for each specified plugin:
    # - query all supported args
    # - if any $PluginArgs match
    # - check for saved plugin args that match and remove them
    # - add the new args to the saved data
    #
    # This should allow you to do something like add names to an existing cert where the new names
    # utilize a different plugin than the previous ones and only need to specify the new plugin's
    # parameters in $PluginArgs.

    Begin {
        # Make sure we have an account configured
        if (-not ($acct = Get-PAAccount)) {
            throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first."
        }

        function SecureSerialize {
            [CmdletBinding()]
            param(
                [object]$SecVar,
                [hashtable]$EncParam
            )

            if ($SecVar -is [securestring]) {
                return [pscustomobject]@{
                    origType = 'securestring'
                    value = $SecVar | ConvertFrom-SecureString @EncParam
                }
            } elseif ($SecVar -is [pscredential]) {
                return [pscustomobject]@{
                    origType = 'pscredential'
                    user = $SecVar.Username
                    pass = $SecVar.Password | ConvertFrom-SecureString @EncParam
                }
            } elseif ($SecVar -is [array]) {
                $safeArray = foreach ($var in $SecVar) { SecureSerialize $var $EncParam }
                return $safeArray
            } else {
                # for now, assume everything else is safe to auto serialize and just
                # return the original object
                return $SecVar
            }
        }
    }

    Process {
        trap { $PSCmdlet.ThrowTerminatingError($_) }

        Write-Debug "Exporting plugin args for order '$($Order.Name)' with plugins $($Order.Plugin -join ',')"

        $pData = @{}
        if (-not $IgnoreExisting) {
            $pData = $Order | Get-PAPluginArgs
        }

        # define the set of parameter names to ignore
        $ignoreParams = @('RecordName','TxtValue','Url','Body') +
            [Management.Automation.PSCmdlet]::CommonParameters +
            [Management.Automation.PSCmdlet]::OptionalCommonParameters

        # $Order.Plugin will most often come with duplicates after being called from Submit-ChallengeValidation
        # So grab just the unique set.
        $uniquePlugins = @($Order.Plugin | Sort-Object -Unique)

        # Get all of the plugin specific parameter names for the current plugin list
        $paramNames = foreach ($p in $uniquePlugins) {

            Write-Debug "Attempting to load plugin $p"

            $pluginDetail = $script:Plugins.$p
            if (-not $pluginDetail) {
                Write-Error "$p plugin not found or was invalid."
                continue
            }

            # dot source the plugin file
            . $pluginDetail.Path

            # grab a reference to the appropriate Add command
            if ('dns-01' -eq $pluginDetail.ChallengeType) {
                $cmd = Get-Command Add-DnsTxt
            } else {
                $cmd = Get-Command Add-HttpChallenge
            }

            # return the set of non-common param names
            $cmd.Parameters.Keys | Where-Object {
                ($_ -notin $ignoreParams) -and
                ($true -notin $cmd.Parameters[$_].Attributes.ValueFromRemainingArguments)
            }
        }

        # Remove any old args that may conflict with the new ones
        foreach ($key in @($pData.Keys)) {
            if ($key -in $paramNames) {
                Write-Debug "Removing old value for $key"
                $pData.Remove($key)
            }
        }

        # Add new args to the old data
        foreach ($key in ($PluginArgs.Keys | Where-Object { $_ -in $paramNames })) {
            Write-Debug "Adding new value for $key"
            $pData.$key = $PluginArgs.$key
        }

        # Now we need to export the merged object as JSON
        # but we have to pre-serialize things like SecureString and PSCredential
        # first because ConvertTo-Json can't deal with those natively.

        # get the encryption parameter
        $encParam = Get-EncryptionParam -Account $acct -EA Stop

        $pDataSafe = @{}
        foreach ($key in $pData.Keys) {
            $pDataSafe.$key = SecureSerialize $pData.$key $encParam
        }

        # build the path to the existing plugin data file and export it
        $pDataFile = Join-Path $Order.Folder 'pluginargs.json'
        $pDataSafe | ConvertTo-Json -Depth 10 | Out-File $pDataFile -Encoding utf8
    }

}