
# Locate the module root two directory levels above this script's folder, then
# import the shared helper module from <root>\Modules\SharePointDsc.Util.
# The helper is loaded by a path derived from $PSScriptRoot, not by module name,
# so the copy that ships next to this resource is the one that gets imported.
$script:resourceModulePath = Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent
$script:modulesFolderPath = Join-Path -Path $script:resourceModulePath -ChildPath 'Modules'
$script:resourceHelperModulePath = Join-Path -Path $script:modulesFolderPath -ChildPath 'SharePointDsc.Util'
Import-Module -Name (Join-Path -Path $script:resourceHelperModulePath -ChildPath 'SharePointDsc.Util.psm1')

<#
.SYNOPSIS
    Returns the current state of the Secure Store service application named by $Name.

.DESCRIPTION
    Runs the lookup through Invoke-SPDscCommand with $InstallAccount as the
    credential and returns a hashtable. Ensure is "Absent" when no service
    application of type
    Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplication
    matches the name; otherwise Ensure is "Present" and the hashtable carries the
    display name, proxy name, auditing flag, application pool and database details.

.NOTES
    NOTE(review): the parameter names and types are not visible here; the names
    used in this help ($Name, $InstallAccount, $Ensure) are the ones the body reads.
#>
function Get-TargetResource
        [Parameter(Mandatory = $true)]


        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]







        # NOTE(review): presumably decorates DatabaseAuthenticationType, which
        # Set-TargetResource compares with "SQL" - confirm.
        [ValidateSet("Windows", "SQL")]

        # Ensure accepts "Present" or "Absent" and defaults to "Present".
        [ValidateSet("Present", "Absent")]
        $Ensure = "Present",



    Write-Verbose -Message "Getting secure store service application '$Name'"

    # All SharePoint calls run inside the script block below; the bound
    # parameters are handed over as $args[0].
    $result = Invoke-SPDscCommand -Credential $InstallAccount `
        -Arguments $PSBoundParameters `
        -ScriptBlock {
        $params = $args[0]

        # State returned when no matching service application is found.
        # Auditing is reported as $false in that case.
        $nullReturn = @{
            Name            = $params.Name
            ApplicationPool = $params.ApplicationPool
            AuditingEnabled = $false
            Ensure          = "Absent"

        # -ErrorAction SilentlyContinue suppresses non-terminating lookup errors,
        # so a lookup that fails for any such reason is reported as "Absent",
        # the same as an application that does not exist.
        $serviceApps = Get-SPServiceApplication -Name $params.Name -ErrorAction SilentlyContinue
        if ($null -eq $serviceApps)
            return $nullReturn
        # Keep only service applications whose concrete type is the Secure Store one.
        $serviceApp = $serviceApps | Where-Object -FilterScript {
            $_.GetType().FullName -eq "Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplication"

        if ($null -eq $serviceApp)
            return $nullReturn
            # NOTE(review): the filter that selects this application's proxy is not
            # shown here. $proxyName is assigned only when a proxy is found, so
            # ProxyName in the result is presumably $null otherwise - confirm.
            $serviceAppProxies = Get-SPServiceApplicationProxy -ErrorAction SilentlyContinue
            if ($null -ne $serviceAppProxies)
                $serviceAppProxy = $serviceAppProxies | Where-Object -FilterScript {
                if ($null -ne $serviceAppProxy)
                    $proxyName = $serviceAppProxy.Name

            # "Database" and "AuditEnabled" are looked up by name among the
            # non-public instance properties of the service application type.
            # If a property with that name is not found, the Where-Object result
            # is $null and the GetValue call on it throws.
            $propertyFlags = [System.Reflection.BindingFlags]::Instance `
                -bor [System.Reflection.BindingFlags]::NonPublic

            $propData = $serviceApp.GetType().GetProperties($propertyFlags)

            $dbProp = $propData | Where-Object -FilterScript {
                $_.Name -eq "Database"

            $db = $dbProp.GetValue($serviceApp)

            $auditProp = $propData | Where-Object -FilterScript {
                $_.Name -eq "AuditEnabled"

            $auditEnabled = $auditProp.GetValue($serviceApp)

            return  @{
                Name                   = $serviceApp.DisplayName
                ProxyName              = $proxyName
                AuditingEnabled        = $auditEnabled
                ApplicationPool        = $serviceApp.ApplicationPool.Name
                DatabaseName           = $db.Name
                DatabaseServer         = $db.NormalizedDataSource
                FailoverDatabaseServer = $db.FailoverServer
                # The caller-supplied InstallAccount value is echoed back in the
                # result. Test-TargetResource passes this hashtable to
                # Convert-SPDscHashtableToString for verbose output; how that
                # helper renders this value is not visible here - verify.
                InstallAccount         = $params.InstallAccount
                Ensure                 = "Present"
    return $result

<#
.SYNOPSIS
    Creates, updates or removes the Secure Store service application named by $Name.

.DESCRIPTION
    Reads the current state with Get-TargetResource and then:
      - creates the service application and its proxy when it is absent and
        $Ensure is "Present";
      - when it already exists and $Ensure is "Present", throws if the bound
        DatabaseServer or DatabaseName differ from the current values, and
        updates the application pool if it differs;
      - removes the service application when $Ensure is "Absent".
    Each SharePoint operation runs through Invoke-SPDscCommand with
    $InstallAccount as the credential.

.NOTES
    NOTE(review): the parameter names and types are not visible here.
    NOTE(review): no visible branch changes the auditing setting of an existing
    application, so a changed AuditingEnabled value is not applied as shown.
#>
function Set-TargetResource
        [Parameter(Mandatory = $true)]


        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]







        # NOTE(review): presumably decorates DatabaseAuthenticationType, which is
        # compared with "SQL" in the create branch - confirm.
        [ValidateSet("Windows", "SQL")]

        # Ensure accepts "Present" or "Absent" and defaults to "Present".
        [ValidateSet("Present", "Absent")]
        $Ensure = "Present",



    Write-Verbose -Message "Setting secure store service application '$Name'"

    $result = Get-TargetResource @PSBoundParameters
    $params = $PSBoundParameters

    # DatabaseAuthenticationType and DatabaseCredentials must be bound together:
    # the condition is true when exactly one of the two is present. The message
    # below only describes the case where DatabaseCredentials is given alone.
    if ((($params.ContainsKey("DatabaseAuthenticationType") -eq $true) -and `
            ($params.ContainsKey("DatabaseCredentials") -eq $false)) -or `
        (($params.ContainsKey("DatabaseCredentials") -eq $true) -and `
            ($params.ContainsKey("DatabaseAuthenticationType") -eq $false)))
        throw ("Where DatabaseCredentials are specified you must also specify " + `
                "DatabaseAuthenticationType to identify the type of credentials being passed")

    # Create branch: the application does not exist yet and should.
    if ($result.Ensure -eq "Absent" -and $Ensure -eq "Present")
        Write-Verbose -Message "Creating Secure Store Service Application $Name"
        Invoke-SPDscCommand -Credential $InstallAccount `
            -Arguments $params `
            -ScriptBlock {
            $params = $args[0]

            # Ensure and InstallAccount are dropped before $params is splatted
            # onto New-SPSecureStoreServiceApplication below.
            if ($params.ContainsKey("Ensure"))
                $params.Remove("Ensure") | Out-Null
            if ($params.ContainsKey("InstallAccount"))
                $params.Remove("InstallAccount") | Out-Null

            # For SQL authentication the user name and password are taken from
            # DatabaseCredentials and added as separate entries.
            # NOTE(review): presumably DatabaseCredentials is a PSCredential, so
            # .Password is a SecureString rather than plain text - confirm.
            # NOTE(review): as shown, DatabaseAuthenticationType is still in
            # $params when it is splatted; confirm it is handled in lines not
            # visible here.
            if ($params.ContainsKey("DatabaseAuthenticationType"))
                if ($params.DatabaseAuthenticationType -eq "SQL")
                    $params.Add("DatabaseUsername", $params.DatabaseCredentials.Username)
                    $params.Add("DatabasePassword", $params.DatabaseCredentials.Password)

            # Default proxy name is "<Name> Proxy"; a non-null ProxyName overrides
            # it and is removed from $params before the splat.
            $pName = "$($params.Name) Proxy"

            if ($params.ContainsKey("ProxyName") -and $null -ne $params.ProxyName)
                $pName = $params.ProxyName
                $params.Remove("ProxyName") | Out-Null

            # Create the service application and pipe it into proxy creation.
            New-SPSecureStoreServiceApplication @params | New-SPSecureStoreServiceApplicationProxy -Name $pName

    # Update branch: the application exists and should. The database cannot be
    # moved or renamed by this resource, so a mismatch is a hard error.
    if ($result.Ensure -eq "Present" -and $Ensure -eq "Present")
        if ($PSBoundParameters.ContainsKey("DatabaseServer") -and `
            ($result.DatabaseServer -ne $DatabaseServer))
            throw ("Specified database server does not match the actual " + `
                    "database server. This resource cannot move the database " + `
                    "to a different SQL instance.")

        if ($PSBoundParameters.ContainsKey("DatabaseName") -and `
            ($result.DatabaseName -ne $DatabaseName))
            throw ("Specified database name does not match the actual " + `
                    "database name. This resource cannot rename the database.")

        # The application pool is the only setting changed on an existing
        # application in the lines visible here.
        if ([string]::IsNullOrEmpty($ApplicationPool) -eq $false `
                -and $ApplicationPool -ne $result.ApplicationPool)
            Write-Verbose -Message "Updating Secure Store Service Application $Name"
            Invoke-SPDscCommand -Credential $InstallAccount `
                -Arguments $PSBoundParameters `
                -ScriptBlock {
                $params = $args[0]

                $serviceApp = Get-SPServiceApplication -Name $params.Name | Where-Object -FilterScript {
                    $_.GetType().FullName -eq "Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplication"
                $appPool = Get-SPServiceApplicationPool -Identity $params.ApplicationPool
                Set-SPSecureStoreServiceApplication -Identity $serviceApp -ApplicationPool $appPool

    # Remove branch: runs whenever $Ensure is "Absent"; $result.Ensure is not
    # consulted. If no matching application is found, $serviceApp is $null and
    # the IsConnected call below throws.
    if ($Ensure -eq "Absent")
        # The service app should not exist
        Write-Verbose -Message "Removing Secure Store Service Application $Name"
        Invoke-SPDscCommand -Credential $InstallAccount `
            -Arguments $PSBoundParameters `
            -ScriptBlock {
            $params = $args[0]

            $serviceApp = Get-SPServiceApplication -Name $params.Name | Where-Object -FilterScript {
                $_.GetType().FullName -eq "Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplication"

            # Remove the connected proxy(ies)
            # NOTE(review): the action taken for a connected proxy is not shown here.
            $proxies = Get-SPServiceApplicationProxy
            foreach ($proxyInstance in $proxies)
                if ($serviceApp.IsConnected($proxyInstance))

            # -Confirm:$false suppresses the interactive confirmation prompt.
            # NOTE(review): no -RemoveData switch is passed, so presumably the
            # Secure Store database is left in place - confirm this is the
            # intended handling for a database that holds stored credentials.
            Remove-SPServiceApplication $serviceApp -Confirm:$false

<#
.SYNOPSIS
    Reports whether the Secure Store service application matches the desired state.

.DESCRIPTION
    Reads the current state with Get-TargetResource. Returns $false when a bound
    DatabaseServer or DatabaseName differs from a non-null current value;
    otherwise returns the result of Test-SPDscParameterState, which is asked to
    compare only ApplicationPool and Ensure.

.NOTES
    NOTE(review): the parameter names and types are not visible here.
    AuditingEnabled is not in the list of values to check, so a difference in
    the auditing setting does not make this function return $false.
#>
function Test-TargetResource
        [Parameter(Mandatory = $true)]


        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]







        # NOTE(review): presumably decorates DatabaseAuthenticationType - confirm.
        [ValidateSet("Windows", "SQL")]

        # Ensure accepts "Present" or "Absent" and defaults to "Present".
        [ValidateSet("Present", "Absent")]
        $Ensure = "Present",



    Write-Verbose -Message "Testing secure store service application $Name"

    # Store the effective Ensure value (including the default) in
    # $PSBoundParameters so it takes part in the comparison below.
    $PSBoundParameters.Ensure = $Ensure

    $CurrentValues = Get-TargetResource @PSBoundParameters

    # Both hashtables are written to the verbose stream. The target values are
    # the bound parameters, and the current values include InstallAccount.
    # NOTE(review): how Convert-SPDscHashtableToString renders credential values
    # is not visible here - verify nothing sensitive reaches verbose logs.
    Write-Verbose -Message "Current Values: $(Convert-SPDscHashtableToString -Hashtable $CurrentValues)"
    Write-Verbose -Message "Target Values: $(Convert-SPDscHashtableToString -Hashtable $PSBoundParameters)"

    # A database server mismatch is reported as "not in desired state";
    # Set-TargetResource throws for the same condition.
    if ($PSBoundParameters.ContainsKey("DatabaseServer") -and `
        ($null -ne $CurrentValues.DatabaseServer) -and `
        ($CurrentValues.DatabaseServer -ne $DatabaseServer))
        Write-Verbose -Message ("Specified database server does not match the actual " + `
                "database server. This resource cannot move the database " + `
                "to a different SQL instance.")
        return $false

    # Same handling for a database name mismatch.
    if ($PSBoundParameters.ContainsKey("DatabaseName") -and `
        ($null -ne $CurrentValues.DatabaseName) -and `
        ($CurrentValues.DatabaseName -ne $DatabaseName))
        Write-Verbose -Message ("Specified database name does not match the actual " + `
                "database name. This resource cannot rename the database.")
        return $false

    # Only ApplicationPool and Ensure are compared; other properties such as
    # AuditingEnabled are not part of this check.
    return Test-SPDscParameterState -CurrentValues $CurrentValues `
        -DesiredValues $PSBoundParameters `
        -ValuesToCheck @("ApplicationPool", "Ensure")

# Export only functions whose names match *-TargetResource (the Get-, Set- and
# Test- functions defined above).
Export-ModuleMember -Function *-TargetResource