Tests/Unit/RegistryAccessEntry.Tests.ps1
#requires -Version 4.0 -Modules Pester #requires -RunAsAdministrator #region Setup for tests $DSCResourceName = 'RegistryAccessEntry' Import-Module "$($PSScriptRoot)\..\..\DSCResources\$($DSCResourceName)\$($DSCResourceName).psm1" -Force Import-Module "$($PSScriptRoot)\..\TestHelper.psm1" -Force #endregion Describe "$DSCResourceName\Get-TargetResource" { Context "Permissions should exist" { $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights FullControl -Inheritance 'Key' -Ensure Absent $pathName = "HKCU:\TestKey" $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'Notify', 'ContainerInherit', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'FullControl', 'None', 'None', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules $GetResult = & "$($DSCResourceName)\Get-TargetResource" @ContextParams It 'Should return Ensure set as empty' { $GetResult.AccessControl.AccessControlEntry.Ensure | Should Be $null } It "Should return $false from GetReturn.Force" { $GetResult.Force | Should Be $false } It 'Should return Path' { $GetResult.Path | Should Be $ContextParams.Path } It 'Should return Principal' { $GetResult.Principal | Should Be $ContextParams.Principal } It 'Should return AccessControlEntries' { $GetResult.AccessControlList.AccessControlEntry.Count | Should Be $TempAccessRules.Count } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'No permissions exist' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights FullControl -Inheritance 'Key' -Ensure Absent $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } Set-NewTempRegKeyAcl -Path $PathName $GetResult = Get-TargetResource @ContextParams It 'Should return Ensure set as empty' { $GetResult.AccessControl.AccessControlEntry.Ensure | Should Be $null } It 'Should return Path' { $GetResult.Path | Should Be $ContextParams.Path } It 'Should return Principal' { $GetResult.Principal | Should Be $ContextParams.Principal } It 'Should return empty AccessControlInformation' { $GetResult.AccessControlInformation.Count | Should Be 0 } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } } Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Absent" { Context 'AccessControlInformation is specified, no permissions exist' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights FullControl -Inheritance 'Key' -Ensure Absent $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } Set-NewTempRegKeyAcl -Path $PathName It 'Should return True' { Test-TargetResource @ContextParams | Should Be $true } } Context 'AccessControlInformation is specified, no matching permissions exist' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights FullControl -Inheritance 'Key' -Ensure Absent $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'QueryValues', 'ContainerInherit', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'Delete', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, @('CreateSubkey', 'CreateLink'), 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should return True' { Test-TargetResource @ContextParams | Should Be $true } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is specified, matching permissions exist' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights FullControl -Inheritance 'Key' -Ensure Absent $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'FullControl', 'None', 'None', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should return False' { Test-TargetResource @ContextParams | Should Be $false } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is not specified' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -Inheritance 'Key' -Ensure Absent $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'EnumerateSubKeys', 'ContainerInherit', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'FullControl', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'TakeOwnership', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should Throw When Test-TargetResource is run' { { Test-TargetResource @ContextParams }| Should Throw } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } } Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Present" { Context 'AccessControlInformation is specified, no permissions exist' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights FullControl -Inheritance 'KeySubkeys' -Ensure Present $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } Set-NewTempRegKeyAcl -Path $PathName It 'Should return False' { Test-TargetResource @ContextParams | Should Be $false } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is specified, desired permissions exist, other permissions exist and ForcePrincipal is set to true' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $True -AccessControlType Allow -RegistryRights @('CreateLink', 'CreateSubkey') -Inheritance 'Key' -Ensure Present $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, @('CreateLink', 'CreateSubkey'), 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'EnumerateSubKeys', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'CreateSubkey', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should return False' { Test-TargetResource @ContextParams | Should Be $false } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is specified, correct permissions exist and ForcePrincipal is set to true' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $True -AccessControlType Allow -RegistryRights FullControl -Inheritance 'Subkeys' -Ensure Present $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'FullControl', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should return True' { Test-TargetResource @ContextParams | Should Be $true } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is specified, desired permissions exist, other permissions exist and ForcePrincipal is set to false' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights @('CreateLink', 'CreateSubkey') -Inheritance 'Key' -Ensure Present $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, @('CreateLink', 'CreateSubkey'), 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'CreateSubkey', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should return True' { Test-TargetResource @ContextParams | Should Be $true } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is not specified' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -Inheritance 'Key' -Ensure Present $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, @('CreateLink', 'CreateSubkey'), 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'EnumerateSubKeys', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'CreateSubkey', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should Throw When Test-TargetResource is run' { { Test-TargetResource @ContextParams }| Should Throw } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } } Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Absent" { Context 'AccessControlInformation is not specified' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -Inheritance 'Key' -Ensure Absent $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, @('CreateLink', 'CreateSubkey'), 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'EnumerateSubKeys', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'CreateSubkey', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should Throw When Set-TargetResource is run' { { Set-TargetResource @ContextParams }| Should Throw } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is specified, matching permissions exist, ForcePrincipal is set to false' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights EnumerateSubKeys -Inheritance 'Key' -Ensure Absent $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, @('CreateLink', 'CreateSubkey'), 'ContainerInherit', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'EnumerateSubKeys', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'Delete', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should remove matching permissions' { (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $TempAcl.Principal} ).Count | Should Be $TempAccessRules.Count Test-TargetResource @ContextParams | Should Be $false Set-TargetResource @ContextParams Test-TargetResource @ContextParams | Should Be $true (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).Count | Should Be ($TempAccessRules.Count - $ContextParams.AccessControlList.AccessControlEntry.Count) } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is specified, no matching permissions exist, ForcePrincipal is set to false' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights FullControl -Inheritance 'KeySubKeys' -Ensure Absent $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, @('CreateLink', 'CreateSubkey'), 'ContainerInherit', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'EnumerateSubKeys', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'Delete', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should not change any of the permissions' { (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $TempAcl.Principal} ).Count | Should Be $TempAccessRules.Count Test-TargetResource @ContextParams | Should Be $true Set-TargetResource @ContextParams Test-TargetResource @ContextParams | Should Be $true (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).Count | Should Be ($TempAccessRules.Count) } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is specified, matching permissions exist, ForcePrincipal is set to true' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $true -AccessControlType Allow -RegistryRights FullControl -Inheritance 'Key' -Ensure Absent $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, @('CreateLink', 'CreateSubkey'), 'ContainerInherit', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'FullControl', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'Delete', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should Remove Principal from Access Control List' { (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $TempAcl.Principal} ).Count | Should Be $TempAccessRules.Count Test-TargetResource @ContextParams | Should Be $false Set-TargetResource @ContextParams Test-TargetResource @ContextParams | Should Be $true (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).Count | Should Be 0 } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is specified, no matching permissions exist, ForcePrincipal is set to true' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $true -AccessControlType Allow -RegistryRights FullControl -Inheritance 'Key' -Ensure Absent $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, @('CreateLink', 'CreateSubkey'), 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'EnumerateSubKeys', 'ContainerInherit', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'CreateSubkey', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should Remove Principal from Access Control List' { (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $TempAcl.Principal} ).Count | Should Be $TempAccessRules.Count Test-TargetResource @ContextParams | Should Be $false Set-TargetResource @ContextParams Test-TargetResource @ContextParams | Should Be $true (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).Count | Should Be 0 } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } } Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Present" { Context 'AccessControlInformation is not specified' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -Inheritance 'Key' -Ensure Present $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, @('CreateLink', 'CreateSubkey'), 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'EnumerateSubKeys', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'CreateSubkey', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should Throw When Set-TargetResource is run' { { Set-TargetResource @ContextParams }| Should Throw } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is specified, no permissions exist' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights FullControl -Inheritance 'Key' -Ensure Present $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } Set-NewTempRegKeyAcl -Path $PathName It 'Should add the desired permissions' { (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).Count | Should Be 0 Test-TargetResource @ContextParams | Should Be $false Set-TargetResource @ContextParams Test-TargetResource @ContextParams | Should Be $true (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).Count | Should Be $ContextParams.AccessControlList.AccessControlEntry.Count } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is specified, desired permissions exist, other permissions exist, ForcePrincipal is set to true' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $True -AccessControlType Allow -RegistryRights FullControl -Inheritance 'Subkeys' -Ensure Present $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, @('CreateLink', 'CreateSubkey', 'Delete'), 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'FullControl', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should remove other permissions' { (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).Count | Should Be $TempAccessRules.Count Test-TargetResource @ContextParams | Should Be $false Set-TargetResource @ContextParams Test-TargetResource @ContextParams | Should Be $true (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).Count | Should Be $ContextParams.AccessControlList.AccessControlEntry.Count } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is specified, desired permissions exist, other permissions exist, ForcePrincipal is set to false' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights CreateSubkey -Inheritance 'Key' -Ensure Present $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'CreateSubkey', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'ChangePermissions', 'ContainerInherit', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'EnumerateSubKeys', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should Keep all the permissions' { (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).Count | Should Be $TempAccessRules.Count Test-TargetResource @ContextParams | Should Be $true Set-TargetResource @ContextParams Test-TargetResource @ContextParams | Should Be $true (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).Count | Should Be $TempAccessRules.Count } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is specified, desired permissions do not exist, other permissions exist, ForcePrincipal is set to true' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $true -AccessControlType Allow -RegistryRights FullControl -Inheritance 'Key' -Ensure Present $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'ChangePermissions', 'ContainerInherit', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'EnumerateSubKeys', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should remove other permissions and add Desired Access Control Entry' { (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).Count | Should Be $TempAccessRules.Count Test-TargetResource @ContextParams | Should Be $false Set-TargetResource @ContextParams Test-TargetResource @ContextParams | Should Be $true (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).RegistryRights | Should Be "FullControl" } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context 'AccessControlInformation is specified, desired permissions do not exist, other permissions exist, ForcePrincipal is set to false' { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights Delete -Inheritance 'KeySubKeys' -Ensure Present $ContextParams = @{ Path = $pathName AccessControlList = $TempAcl } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'ChangePermissions', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'EnumerateSubKeys', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules It 'Should add Desired Access Control Entry and leave existing Entries' { (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).Count | Should Be $TempAccessRules.Count Test-TargetResource @ContextParams | Should Be $false Set-TargetResource @ContextParams Test-TargetResource @ContextParams | Should Be $true (Get-Acl -Path $ContextParams.Path).Access.Where( {$_.IsInherited -eq $false -and $_.IdentityReference -eq $ContextParams.AccessControlList.Principal} ).Count | Should Be ($TempAccessRules.Count + $ContextParams.AccessControlList.AccessControlEntry.Count) } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } } Describe "$DSCResourceName\Get-RegistryRuleInheritenceFlag" { Context "Inheritance Names" { It "Should return 0-0" { $InheritanceFlags = Get-RegistryRuleInheritenceFlag -Inheritance "Key" $InheritanceFlags.InheritanceFlag | Should be 0 $InheritanceFlags.PropagationFlag | Should be 0 } It "Should return 1-0" { $InheritanceFlags = Get-RegistryRuleInheritenceFlag -Inheritance "KeySubkeys" $InheritanceFlags.InheritanceFlag | Should be 1 $InheritanceFlags.PropagationFlag | Should be 0 } It "Should return 1-2" { $InheritanceFlags = Get-RegistryRuleInheritenceFlag -Inheritance "Subkeys" $InheritanceFlags.InheritanceFlag | Should be 1 $InheritanceFlags.PropagationFlag | Should be 2 } It "Should return null when abnormal Inheritance is passed" { $InheritanceFlags = Get-RegistryRuleInheritenceFlag -Inheritance "The files are 'in' the computer." $InheritanceFlags.InheritanceFlag | Should be $null $InheritanceFlags.PropagationFlag | Should be $null } } } Describe "$DSCResourceName\Get-RegistryRuleInheritenceName" { Context "Inheritance and Propagation Flags" { It "Should return Key" { $InheritanceName = Get-RegistryRuleInheritenceName -InheritanceFlag 0 -PropagationFlag 0 $InheritanceName | Should be "This Key Only" } It "Should return KeySubkeys" { $InheritanceName = Get-RegistryRuleInheritenceName -InheritanceFlag 1 -PropagationFlag 0 $InheritanceName | Should be "This Key and Subkeys" } It "Should return Subkeys" { $InheritanceName = Get-RegistryRuleInheritenceName -InheritanceFlag 1 -PropagationFlag 2 $InheritanceName | Should be "Subkeys Only" } It "Should return none if abnormal Inheritance and Propagation Flags are passed" { $InheritanceName = Get-RegistryRuleInheritenceName -InheritanceFlag 4 -PropagationFlag 4 $InheritanceName | Should be "none" } } } Describe "$DSCResourceName\ConvertTo-RegistryAccessRule" { Context "Should convert to a valid Registry Key Access Rule" { It "Should return a FilseSystemAccessRule Object" { $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights FullControl -Inheritance 'Key' -Ensure Absent $FileSystemAccessRule = ConvertTo-RegistryAccessRule -AccessControlList $TempAcl -IdentityRef $TempAcl.Principal $FileSystemAccessRule.Rules | Should BeOfType System.Security.AccessControl.RegistryAccessRule } It "Should return expected values" { $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights FullControl -Inheritance 'Key' -Ensure Present $FileSystemAccessRule = ConvertTo-RegistryAccessRule -AccessControlList $TempAcl -IdentityRef $TempAcl.Principal $FileSystemAccessRule.Rules.RegistryRights | Should Be "FullControl" $FileSystemAccessRule.Rules.AccessControlType | Should Be "Allow" $FileSystemAccessRule.Rules.IdentityReference | Should Be "Everyone" $FileSystemAccessRule.Rules.IsInherited | Should Be "False" $FileSystemAccessRule.Rules.InheritanceFlags | Should Be "None" $FileSystemAccessRule.Rules.PropagationFlags | Should Be "None" } } } Describe "$DSCResourceName\Compare-RegistryRule" { Context "Compare-RegistryRule with Ensure set to Absent with no matching rules" { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights EnumerateSubKeys -Inheritance 'Key' -Ensure Absent $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'Delete', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'CreateSubkey', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules $Principal = $TempAcl.Principal $Identity = Resolve-Identity -Identity $Principal $IdentityRef = [System.Security.Principal.NTAccount]::new($Identity.Name) $ACLRules += ConvertTo-RegistryAccessRule -AccessControlList $TempAcl -IdentityRef $IdentityRef $currentACL = Get-Acl -Path $pathName $actualAce = $currentAcl.Access.Where({$_.IdentityReference -eq $Identity.Name}) It "Should not have any Rules to be removed" { $testComparison = Compare-RegistryRule -Expected $ACLRules -Actual $actualAce $testComparison.ToBeRemoved.Rule.Count | Should be $actualAce.Count $testComparison.Absent | Should Be $null } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context "Compare-NtfsRule with Ensure set to Absent with matching rules" { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights Delete -Inheritance 'Key' -Ensure Absent $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'Delete', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'CreateSubkey', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules $Principal = $TempAcl.Principal $Identity = Resolve-Identity -Identity $Principal $IdentityRef = [System.Security.Principal.NTAccount]::new($Identity.Name) $ACLRules += ConvertTo-RegistryAccessRule -AccessControlList $TempAcl -IdentityRef $IdentityRef $currentACL = Get-Acl -Path $pathName $actualAce = $currentAcl.Access.Where({$_.IdentityReference -eq $Identity.Name}) It "Should have matching rule to be removed" { $testComparison = Compare-RegistryRule -Expected $ACLRules -Actual $actualAce $testComparison.ToBeRemoved.Rule.Count | Should be ($actualAce.Count - $TempAcl.AccessControlEntry.Count) $testComparison.Absent.Count | Should Be $TempAcl.AccessControlEntry.Count } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context "Compare-NtfsRule with Ensure set to Present with no matching rules" { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights CreateSubkey -Inheritance 'KeySubKeys' -Ensure Present $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'Delete', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'ChangePermissions', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules $Principal = $TempAcl.Principal $Identity = Resolve-Identity -Identity $Principal $IdentityRef = [System.Security.Principal.NTAccount]::new($Identity.Name) $ACLRules += ConvertTo-RegistryAccessRule -AccessControlList $TempAcl -IdentityRef $IdentityRef $currentACL = Get-Acl -Path $pathName $actualAce = $currentAcl.Access.Where({$_.IdentityReference -eq $Identity.Name}) It "Should have new rule to add" { $testComparison = Compare-RegistryRule -Expected $ACLRules -Actual $actualAce $testComparison.ToBeRemoved.Rule.Count | Should be $TempAccessRules.Count $testComparison.Rules.Count | Should be $TempAcl.AccessControlEntry.Count } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } Context "Compare-NtfsRule with matching rules and Ensure set to Present" { $pathName = "HKCU:\TestKey" $TempAcl = New-RegistryAccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -RegistryRights Delete -Inheritance 'Key' -Ensure Present $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'Delete', 'None', 'None', 'Allow' ) New-Object -TypeName System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( $TempAcl.Principal, 'ChangePermissions', 'ContainerInherit', 'InheritOnly', 'Allow' ) ) Set-NewTempRegKeyAcl -Path $PathName -AccessRulesToAdd $TempAccessRules $Principal = $TempAcl.Principal $Identity = Resolve-Identity -Identity $Principal $IdentityRef = [System.Security.Principal.NTAccount]::new($Identity.Name) $ACLRules += ConvertTo-RegistryAccessRule -AccessControlList $TempAcl -IdentityRef $IdentityRef $currentACL = Get-Acl -Path $pathName $actualAce = $currentAcl.Access.Where({$_.IdentityReference -eq $Identity.Name}) It "Should return matching rules" { $testComparison = Compare-RegistryRule -Expected $ACLRules -Actual $actualAce $testComparison.ToBeRemoved.Rule.Count | Should be ($TempAccessRules.Count - $TempAcl.AccessControlEntry.Count) $testComparison.Rules.Count | Should be $TempAcl.AccessControlEntry.Count $testComparison.Rules.Match | Should be $true } if ($false -ne (Test-Path $pathName)) { Remove-Item -Path $pathName } } } Describe "$DSCResourceName\ResourceHelper\Resolve-Identity" { Context "Resolve Username" { It "Should resolve when input is a username" { $Identity = Resolve-Identity -Identity "Local" $Identity.Name | Should be "LOCAL" $Identity.SID | Should be "S-1-2-0" } It "Should resolve when input is an SID" { $Identity = Resolve-Identity -Identity "S-1-2-0" $Identity.Name | Should be "LOCAL" $Identity.SID | Should be "S-1-2-0" } } Context "Username does not exist." { It "Should fail when it cannot resolve a username" { { Resolve-Identity -Identity "Anorak" -ErrorAction Stop} | Should Throw } } } Describe "$DSCResourceName\ResourceHelper\ConvertTo-SID" { Context "Identity will contain a '\' e.g. BUILTIN\Users" { It "Should return a proper SID" { $SID = ConvertTo-SID -IdentityReference "BUILTIN\Users" $SID.Value | Should be "S-1-5-32-545" } } } Describe "$DSCResourceName\ConvertTo-SidIdentityRegistryAccessRule" { Context "RegistryAccessRule IdentityReference to convert is 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'" { It "Should convert 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' to S-1-15-2-1 within the RegistryAccessRule" { $TempRegistryAccessRule = New-Object System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES', 'ReadKey', 'None', 'None', 'Allow' ) $ConvertedRegistryRule = ConvertTo-SidIdentityRegistryAccessRule -Rule $TempRegistryAccessRule $ConvertedRegistryRule.RegistryRights | Should be 'ReadKey' $ConvertedRegistryRule.AccessControlType | Should be 'Allow' $ConvertedRegistryRule.IdentityReference | Should be 'S-1-15-2-1' $ConvertedRegistryRule.IsInherited | Should be $false $ConvertedRegistryRule.InheritanceFlags | Should be 'None' $ConvertedRegistryRule.PropagationFlags | Should be 'None' } } Context "RegistryAccessRule IdentityReference to convert is 'ALL APPLICATION PACKAGES'" { It "Should convert 'ALL APPLICATION PACKAGES' to S-1-15-2-1 within the RegistryAccessRule" { $TempRegistryAccessRule = New-Object System.Security.AccessControl.RegistryAccessRule ` -ArgumentList @( 'ALL APPLICATION PACKAGES', 'ReadKey', 'None', 'None', 'Allow' ) $ConvertedRegistryRule = ConvertTo-SidIdentityRegistryAccessRule -Rule $TempRegistryAccessRule $ConvertedRegistryRule.RegistryRights | Should be 'ReadKey' $ConvertedRegistryRule.AccessControlType | Should be 'Allow' $ConvertedRegistryRule.IdentityReference | Should be 'S-1-15-2-1' $ConvertedRegistryRule.IsInherited | Should be $false $ConvertedRegistryRule.InheritanceFlags | Should be 'None' $ConvertedRegistryRule.PropagationFlags | Should be 'None' } } } Describe "$DSCResourceName\Set-RegistryRightsAclAllAppPackages" { Context "ALL APPLICATION PACKAGES AccessControlType is 'Allow'" { # Creating temp reg key that will have an invalid Registry Access Rule for ALL APPS PACKAGES used for testing $tempRegKeyBasePath = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\__Pester__Test__Key__' $tempRegKeyFullPath = $tempRegKeyBasePath + [guid]::NewGuid().Guid $tempRegKeyAcl = New-TempAclItem -Path $tempRegKeyFullPath -DisableInheritance -Force $allAppPackage = 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' It "Should have invalid RegistryAccess Rules for 'ALL APPLICATION PACKAGES'" { $invalidAppAccessRule = $tempRegKeyAcl.Access.Where( { $_.IdentityReference -eq $allAppPackage -and $_.RegistryRights -eq -2147483648 }) $invalidAppAccessRule.RegistryRights | Should Be -2147483648 $invalidAppAccessRule.IdentityReference | Should Be $allAppPackage } It "Should have two 'ALL APPLICATION PACKAGES' Access Rule entries" { $tempRegKeyAcl.Access.Where( {$_.IdentityReference -eq $allAppPackage} ).Count | Should Be 2 } It "Should remove all 'Allow' RegistryAccess Rules for 'ALL APPLICATION PACKAGES' and reapply only valid RegistryRight types" { $validAppRegKeyAcl = $tempRegKeyAcl.Access.Where( {$_.IdentityReference -eq $allAppPackage -and $_.RegistryRights -ne -2147483648} ) $newTempRegKeyAcl = Set-RegistryRightsAclAllAppPackages -AclObject $tempRegKeyAcl $appRegKeyAcl = $newTempRegKeyAcl.Access.Where( {$_.IdentityReference -eq $allAppPackage} ) $appRegKeyAcl.Count | Should Be 1 $appRegKeyAcl.IdentityReference | Should Be $validAppRegKeyAcl.IdentityReference $appRegKeyAcl.RegistryRights | Should Be $validAppRegKeyAcl.RegistryRights $appRegKeyAcl.AccessControlType | Should Be $validAppRegKeyAcl.AccessControlType $newTempRegKeyAcl.Access.Where( {$_.IdentityReference -eq $allAppPackage -and $_.RegistryRights -eq -2147483648} ).Count | Should Be 0 } # Remove temp reg key used for testing Remove-Item -Path $tempRegKeyFullPath } Context "ALL APPLICATION PACKAGES AccessControlType is 'Deny'" { # Creating temp reg key that will have an invalid Registry Access Rule for ALL APPS PACKAGES used for testing $tempRegKeyBasePath = 'HKLM:\Software\__Pester__Test__Key__' $tempRegKeyFullPath = $tempRegKeyBasePath + [guid]::NewGuid().Guid $tempRegKeyAcl = New-TempAclItem -Path $tempRegKeyFullPath -DisableInheritance -Force $allAppPackage = 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' $tempRegAccess = [System.Security.AccessControl.RegistryAccessRule]::New($allAppPackage.Split('\')[1], 'ReadKey', 0, 0, 'Deny') $tempRegKeyAcl.AddAccessRule($tempRegAccess) Set-Acl -Path $tempRegKeyFullPath -AclObject $tempRegKeyAcl $tempRegKeyAcl = Get-Acl -Path $tempRegKeyFullPath It "Should have one 'ALL APPLICATION PACKAGES' Deny Access Rule entry" { $tempRegKeyAcl.Access.Where( {$_.IdentityReference -eq $allAppPackage -and $_.AccessControlType -eq 'Deny'} ).Count | Should Be 1 } It "Should remove all 'Deny' RegistryAccess Rules for 'ALL APPLICATION PACKAGES' and reapply only valid RegistryRight types" { $validAppRegKeyAcl = $tempRegKeyAcl.Access.Where( { $_.IdentityReference -eq $allAppPackage -and $_.RegistryRights -ne -2147483648 -and $_.AccessControlType -eq 'Deny' }) $newTempRegKeyAcl = Set-RegistryRightsAclAllAppPackages -AclObject $tempRegKeyAcl $appRegKeyAcl = $newTempRegKeyAcl.Access.Where( {$_.IdentityReference -eq $allAppPackage -and $_.AccessControlType -eq 'Deny'} ) $appRegKeyAcl.Count | Should Be 1 $appRegKeyAcl.IdentityReference | Should Be $validAppRegKeyAcl.IdentityReference $appRegKeyAcl.RegistryRights | Should Be $validAppRegKeyAcl.RegistryRights $appRegKeyAcl.AccessControlType | Should Be 'Deny' $newTempRegKeyAcl.Access.Where( {$_.IdentityReference -eq $allAppPackage -and $_.RegistryRights -eq -2147483648} ).Count | Should Be 0 } # Remove temp reg key used for testing Remove-Item -Path $tempRegKeyFullPath } } |