DSCResources/MSFT_SPServiceAppSecurity/MSFT_SPServiceAppSecurity.psm1

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [parameter(Mandatory = $true)]  
        [System.String] 
        $ServiceAppName,

        [parameter(Mandatory = $true)]  
        [ValidateSet("Administrators","SharingPermissions")] 
        [System.String] 
        $SecurityType,

        [parameter(Mandatory = $false)] 
        [Microsoft.Management.Infrastructure.CimInstance[]] 
        $Members,

        [parameter(Mandatory = $false)] 
        [Microsoft.Management.Infrastructure.CimInstance[]] 
        $MembersToInclude,

        [parameter(Mandatory = $false)] 
        [System.String[]] 
        $MembersToExclude,

        [parameter(Mandatory = $false)] 
        [System.Management.Automation.PSCredential] 
        $InstallAccount
    )

    if ($Members -and (($MembersToInclude) -or ($MembersToExclude))) 
    {
        throw ("Cannot use the Members parameter together with the MembersToInclude or " + `
               "MembersToExclude parameters")
    }

    if (!$Members -and !$MembersToInclude -and !$MembersToExclude) 
    {
        throw ("At least one of the following parameters must be specified: Members, " + `
               "MembersToInclude, MembersToExclude")
    }

    Write-Verbose -Message "Getting all security options for $SecurityType in $ServiceAppName"

    $result = Invoke-SPDSCCommand -Credential $InstallAccount `
                                  -Arguments $PSBoundParameters `
                                  -ScriptBlock {
        $params = $args[0]

        $serviceApp = Get-SPServiceApplication -Name $params.ServiceAppName
        
        if ($null -eq $serviceApp) 
        {
            return @{
                ServiceAppName = ""
                SecurityType = $params.SecurityType
                InstallAccount = $params.InstallAccount
            }
        }
        
        switch ($params.SecurityType) 
        {
            "Administrators" { 
                $security = $serviceApp | Get-SPServiceApplicationSecurity -Admin
             }
            "SharingPermissions" {
                $security = $serviceApp | Get-SPServiceApplicationSecurity
            }
        }
        
        $members = @()
        foreach ($securityEntry in $security.AccessRules) 
        {    
            $user = $securityEntry.Name
            if ($user -like "i:*|*" -or $user -like "c:*|*") 
            {
                $user = (New-SPClaimsPrincipal -Identity $user -IdentityType EncodedClaim).Value
                if ($user -match "^s-1-[0-59]-\d+-\d+-\d+-\d+-\d+")
                {
                    $user = Resolve-SPDscSecurityIdentifier -SID $user
                }
            }

            $accessLevel = $securityEntry.AllowedRights.ToString()
            $accessLevel = $accessLevel.Replace("FullControl", "Full Control")
            $accessLevel = $accessLevel.Replace("ChangePermissions", "Change Permissions")
            $members += @{
                Username    = $user
                AccessLevel = $accessLevel
            }
        }
        
        return @{
            ServiceAppName   = $params.ServiceAppName
            SecurityType     = $params.SecurityType
            Members          = $members
            MembersToInclude = $params.MembersToInclude
            MembersToExclude = $params.MembersToExclude
            InstallAccount   = $params.InstallAccount
        }
    }
    return $result
}


function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [parameter(Mandatory = $true)]  
        [System.String] 
        $ServiceAppName,

        [parameter(Mandatory = $true)]  
        [ValidateSet("Administrators","SharingPermissions")] 
        [System.String] 
        $SecurityType,

        [parameter(Mandatory = $false)] 
        [Microsoft.Management.Infrastructure.CimInstance[]] 
        $Members,

        [parameter(Mandatory = $false)] 
        [Microsoft.Management.Infrastructure.CimInstance[]] 
        $MembersToInclude,

        [parameter(Mandatory = $false)] 
        [System.String[]] 
        $MembersToExclude,

        [parameter(Mandatory = $false)] 
        [System.Management.Automation.PSCredential] 
        $InstallAccount
    )

    Write-Verbose -Message "Setting service app security config"
    
    if ($Members -and (($MembersToInclude) -or ($MembersToExclude))) 
    {
        throw ("Cannot use the Members parameter together with the MembersToInclude or " + `
               "MembersToExclude parameters")
    }

    if (!$Members -and !$MembersToInclude -and !$MembersToExclude) 
    {
        throw ("At least one of the following parameters must be specified: Members, " + `
               "MembersToInclude, MembersToExclude")
    }

    $CurrentValues = Get-TargetResource @PSBoundParameters
    
    if ([System.String]::IsNullOrEmpty($CurrentValues.ServiceAppName) -eq $true) 
    { 
        throw "Unable to locate service application $ServiceAppName"
    }
    
    Invoke-SPDSCCommand -Credential $InstallAccount `
                        -Arguments @($PSBoundParameters, $CurrentValues) `
                        -ScriptBlock {
        $params = $args[0]
        $CurrentValues = $args[1]
        
        $serviceApp = Get-SPServiceApplication -Name $params.ServiceAppName
        switch ($params.SecurityType) 
        {
            "Administrators" { 
                $security = $serviceApp | Get-SPServiceApplicationSecurity -Admin
             }
            "SharingPermissions" {
                $security = $serviceApp | Get-SPServiceApplicationSecurity
            }
        }
         
        if ($params.ContainsKey("Members") -eq $true) 
        {
            foreach($desiredMember in $params.Members) 
            {
                $isUser = Test-SPDSCIsADUser -IdentityName $desiredMember.Username
                if ($isUser -eq $true) 
                {
                    $claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
                                                   -IdentityType WindowsSamAccountName    
                } 
                else 
                {
                    $claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
                                                   -IdentityType WindowsSecurityGroupName
                }
                                
                if ($CurrentValues.Members.Username -contains $desiredMember.Username) 
                {
                    if (($CurrentValues.Members | Where-Object -FilterScript { 
                            $_.Username -eq $desiredMember.Username 
                        } | Select-Object -First 1).AccessLevel -ne $desiredMember.AccessLevel) 
                    {        
                        Revoke-SPObjectSecurity -Identity $security `
                                                -Principal $claim

                        Grant-SPObjectSecurity -Identity $security `
                                               -Principal $claim `
                                               -Rights $desiredMember.AccessLevel
                    }
                } 
                else 
                {
                    Grant-SPObjectSecurity -Identity $security -Principal $claim -Rights $desiredMember.AccessLevel
                }
            }
            
            foreach($currentMember in $CurrentValues.Members) 
            {
                if ($params.Members.Username -notcontains $currentMember.Username) 
                {
                    $isUser = Test-SPDSCIsADUser -IdentityName $desiredMember.Username
                    if ($isUser -eq $true) 
                    {
                        $claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
                                                       -IdentityType WindowsSamAccountName    
                    } 
                    else 
                    {
                        $claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
                                                       -IdentityType WindowsSecurityGroupName
                    }
                    Revoke-SPObjectSecurity -Identity $security -Principal $claim
                }
            }
        }

        if ($params.ContainsKey("MembersToInclude") -eq $true) 
        {
            foreach($desiredMember in $params.MembersToInclude) 
            {
                $isUser = Test-SPDSCIsADUser -IdentityName $desiredMember.Username
                if ($isUser -eq $true) 
                {
                    $claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
                                                   -IdentityType WindowsSamAccountName    
                } 
                else 
                {
                    $claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
                                                   -IdentityType WindowsSecurityGroupName
                }
                if ($CurrentValues.Members.Username -contains $desiredMember.Username) 
                {
                    if (($CurrentValues.Members | Where-Object -FilterScript { 
                            $_.Username -eq $desiredMember.Username 
                        } | Select-Object -First 1).AccessLevel -ne $desiredMember.AccessLevel) 
                    {
                        Revoke-SPObjectSecurity -Identity $security `
                                                -Principal $claim

                        Grant-SPObjectSecurity -Identity $security `
                                               -Principal $claim `
                                               -Rights $desiredMember.AccessLevel
                    }
                } 
                else 
                {
                    Grant-SPObjectSecurity -Identity $security `
                                           -Principal $claim `
                                           -Rights $desiredMember.AccessLevel
                }
            }
        }

        if ($params.ContainsKey("MembersToExclude") -eq $true) 
        {
            foreach($excludeMember in $params.MembersToExclude) 
            {
                if ($CurrentValues.Members.Username -contains $excludeMember) 
                {
                    $isUser = Test-SPDSCIsADUser -IdentityName $desiredMember.Username
                    if ($isUser -eq $true) 
                    {
                        $claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
                                                       -IdentityType WindowsSamAccountName    
                    } 
                    else 
                    {
                        $claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
                                                       -IdentityType WindowsSecurityGroupName
                    }
                    Revoke-SPObjectSecurity -Identity $security -Principal $claim
                }
            }
        }
        
        switch ($params.SecurityType) 
        {
            "Administrators" { 
                $security = $serviceApp | Set-SPServiceApplicationSecurity -ObjectSecurity $security `
                                                                           -Admin
             }
            "SharingPermissions" {
                $security = $serviceApp | Set-SPServiceApplicationSecurity -ObjectSecurity $security
            }
        }
    }
}


function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [parameter(Mandatory = $true)]  
        [System.String] 
        $ServiceAppName,

        [parameter(Mandatory = $true)]  
        [ValidateSet("Administrators","SharingPermissions")] 
        [System.String] 
        $SecurityType,

        [parameter(Mandatory = $false)] 
        [Microsoft.Management.Infrastructure.CimInstance[]] 
        $Members,

        [parameter(Mandatory = $false)] 
        [Microsoft.Management.Infrastructure.CimInstance[]] 
        $MembersToInclude,

        [parameter(Mandatory = $false)] 
        [System.String[]] 
        $MembersToExclude,

        [parameter(Mandatory = $false)] 
        [System.Management.Automation.PSCredential] 
        $InstallAccount
    )

    Write-Verbose -Message "Testing service app security config"

    $CurrentValues = Get-TargetResource @PSBoundParameters

    if ([System.String]::IsNullOrEmpty($CurrentValues.ServiceAppName) -eq $true) 
    { 
        return $false 
    }
    
    if ($Members) 
    {
        Write-Verbose -Message "Processing Members parameter"
        $differences = Compare-Object -ReferenceObject $CurrentValues.Members.Username `
                                      -DifferenceObject $Members.Username

        if ($null -eq $differences) 
        {
            Write-Verbose -Message "Security list matches - checking that permissions match on each object"
            foreach($currentMember in $CurrentValues.Members) 
            {
                if ($currentMember.AccessLevel -ne ($Members | Where-Object -FilterScript { 
                        $_.Username -eq $currentMember.Username 
                    } | Select-Object -First 1).AccessLevel) 
                {
                    Write-Verbose -Message "$($currentMember.Username) has incorrect permission level. Test failed."
                    return $false
                }
            }
            return $true
        } 
        else 
        {
            Write-Verbose -Message "Security list does not match"
            return $false
        }
    }

    $result = $true
    if ($MembersToInclude) 
    {
        Write-Verbose -Message "Processing MembersToInclude parameter"
        foreach ($member in $MembersToInclude) 
        {
            if (-not($CurrentValues.Members.Username -contains $member.Username)) 
            {
                Write-Verbose -Message "$($member.Username) does not have access. Set result to false"
                $result = $false
            } 
            else 
            {
                Write-Verbose -Message "$($member.Username) already has access. Checking permission..."
                if ($member.AccessLevel -ne ($CurrentValues.Members | Where-Object -FilterScript { 
                        $_.Username -eq $member.Username 
                    } | Select-Object -First 1).AccessLevel) 
                {
                    Write-Verbose -Message "$($member.Username) has incorrect permission level. Test failed."
                    return $false
                }
            }
        }
    }

    if ($MembersToExclude) 
    {
        Write-Verbose -Message "Processing MembersToExclude parameter"
        foreach ($member in $MembersToExclude) 
        {
            if ($CurrentValues.Members.Username -contains $member.Username) 
            {
                Write-Verbose -Message "$member already has access. Set result to false"
                $result = $false
            } 
            else 
            {
                Write-Verbose -Message "$member does not have access. Skipping"
            }
        }
    }

    return $result
}

Export-ModuleMember -Function *-TargetResource