XMLOps/Remove-AllowElements_Semantic.psm1
function Remove-AllowElements_Semantic { <# .SYNOPSIS A high performance function that removes duplicate <Allow> elements from the <FileRules> node and their corresponding <FileRuleRef> elements from the <FileRulesRef> node of the <ProductSigners> node under each <SigningScenario> node The criteria for removing duplicates is the Hash attribute of the <Allow> elements. If there are multiple <Allow> elements with the same Hash, the function keeps the first element and removes the rest. The function only considers <Allow> elements that are part of the same <SigningScenario> node and have the same Hash attribute as duplicates. After the function completes its operation, the XML file will not have any duplicate <Allow> elements, duplicate <FileRuleRef> elements or any orphan <FileRuleRef> elements. This is according to the CI Schema. .PARAMETER Path The path to the XML file to be modified .INPUTS System.IO.FileInfo .OUTPUTS System.Void #> [CmdletBinding()] [OutputType([System.Void])] param ( [Parameter(Mandatory = $true)][System.IO.FileInfo]$Path ) Begin { . "$([WDACConfig.GlobalVars]::ModuleRootPath)\CoreExt\PSDefaultParameterValues.ps1" # Load the XML file [System.Xml.XmlDocument]$Xml = Get-Content -Path $Path # Define the namespace manager [System.Xml.XmlNamespaceManager]$Ns = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $Xml.NameTable $Ns.AddNamespace('ns', 'urn:schemas-microsoft-com:sipolicy') # Get all of the <Allow> elements inside the <FileRules> node [System.Xml.XmlNodeList]$AllowElements = $Xml.SelectNodes('//ns:FileRules//ns:Allow', $Ns) # Get the <FileRules> node [System.Xml.XmlElement[]]$FileRulesNode = $Xml.SelectSingleNode('//ns:FileRules', $Ns) # Find the FileRulesRef Nodes inside the ProductSigners Nodes of each Signing Scenario [System.Xml.XmlNodeList]$UMCI_SigningScenario_ProductSigners_FileRulesRef_Node = $Xml.SelectNodes('//ns:SigningScenarios/ns:SigningScenario[@Value="12"]/ns:ProductSigners/ns:FileRulesRef/ns:FileRuleRef', $Ns) [System.Xml.XmlNodeList]$KMCI_SigningScenario_ProductSigners_FileRulesRef_Node = $Xml.SelectNodes('//ns:SigningScenarios/ns:SigningScenario[@Value="131"]/ns:ProductSigners/ns:FileRulesRef/ns:FileRuleRef', $Ns) [System.Xml.XmlNodeList]$UserModeFileRefs = $Xml.SelectNodes('//ns:SigningScenarios/ns:SigningScenario[@Value="12"]/ns:ProductSigners/ns:FileRulesRef', $Ns) [System.Xml.XmlNodeList]$KernelModeFileRefs = $Xml.SelectNodes('//ns:SigningScenarios/ns:SigningScenario[@Value="131"]/ns:ProductSigners/ns:FileRulesRef', $Ns) # Save the IDs of the FileRuleRef elements that are part of the User-Mode and Kernel-Mode signing scenarios as HashSets # These are unique because HashSets don't support duplicate values $UserMode_FileRulesRefIDs_HashSet = [System.Collections.Generic.HashSet[System.String]]$UMCI_SigningScenario_ProductSigners_FileRulesRef_Node.RuleID $KernelMode_FileRulesRefIDs_HashSet = [System.Collections.Generic.HashSet[System.String]]$KMCI_SigningScenario_ProductSigners_FileRulesRef_Node.RuleID # 2 Hashtables for User and Kernel mode <Allow> elements and their corresponding FileRuleRef elements together [System.Collections.Hashtable]$KernelModeHashTable = @{} [System.Collections.Hashtable]$UserModeHashTable = @{} # 2 Arrays to save the <Allow> elements of User and Kernel modes $ArrayOfUserModes = New-Object -TypeName System.Collections.Generic.List[System.Xml.XmlElement] $ArrayOfKernelModes = New-Object -TypeName System.Collections.Generic.List[System.Xml.XmlElement] } Process { # Separating User-Mode and Kernel-Mode <Allow> elements foreach ($AllowElement in $AllowElements) { # Check if the User-Mode <FileRulesRef> node has any elements # And then check if the current <Allow> element ID is part of the User-Mode <FileRulesRef> node if (($Null -ne $UserMode_FileRulesRefIDs_HashSet) -and ($UserMode_FileRulesRefIDs_HashSet.Contains($AllowElement.ID))) { $ArrayOfUserModes.Add($AllowElement) } # Check if the Kernel-Mode <FileRulesRef> node has any elements # And then check if the current <Allow> element ID is part of the Kernel-Mode <FileRulesRef> node elseif (($Null -ne $KernelMode_FileRulesRefIDs_HashSet) -and ($KernelMode_FileRulesRefIDs_HashSet.Contains($AllowElement.ID))) { $ArrayOfKernelModes.Add($AllowElement) } else { Write-Warning -Message "Remove-AllowElements_Semantic: The Allow element with ID $($AllowElement.ID) is not part of any Signing Scenario. It will be ignored." } } # Grouping the <Allow> elements by their Hash value, uniquely, So SHA1 and SHA256 hashes [System.Xml.XmlElement[]]$GroupsUserModes = foreach ($Item in ($ArrayOfUserModes | Group-Object -Property Hash)) { $Item.Group[0] } [System.Xml.XmlElement[]]$GroupsKernelModes = foreach ($Item in ($ArrayOfKernelModes | Group-Object -Property Hash)) { $Item.Group[0] } # Adding the User-Mode <Allow> elements and their corresponding <FileRuleRef> elements to the Hashtables foreach ($UserModeAllowElement in $GroupsUserModes) { # If the current <Allow> element ID is not already in the KernelModeHashTable, add it if (-NOT $UserModeHashTable.ContainsKey($UserModeAllowElement)) { # The key is the <Allow> element, the value is all of the <FileRuleRef> elements with the same RuleID as the Allow element's ID, without deduplication at this point # Cloning is necessary because after clearing the nodes, we would lose the reference to the original elements in those nodes $UserModeHashTable[@($UserModeAllowElement.Clone())] = @($Xml.SelectNodes("//ns:SigningScenarios/ns:SigningScenario[@Value='12']/ns:ProductSigners/ns:FileRulesRef/ns:FileRuleRef[@RuleID=`"$($UserModeAllowElement.ID)`"]", $Ns).Clone()) } } # Adding the Kernel-Mode <Allow> elements and their corresponding <FileRuleRef> elements to the Hashtables foreach ($KernelModeAllowElement in $GroupsKernelModes) { # If the current <Allow> element ID is not already in the KernelModeHashTable, add it if (-NOT $KernelModeHashTable.ContainsKey($KernelModeAllowElement)) { # The key is the <Allow> element, the value is all of the <FileRuleRef> elements with the same RuleID as the Allow element's ID, without deduplication at this point $KernelModeHashTable[@($KernelModeAllowElement.Clone())] = @($Xml.SelectNodes("//ns:SigningScenarios/ns:SigningScenario[@Value='131']/ns:ProductSigners/ns:FileRulesRef/ns:FileRuleRef[@RuleID=`"$($KernelModeAllowElement.ID)`"]", $Ns).Clone()) } } # Select and remove all <Allow> elements from <FileRules> [System.Xml.XmlNodeList]$AllowNodes = $Xml.SelectNodes('//ns:FileRules/ns:Allow', $NS) foreach ($Node in $AllowNodes) { [System.Void]$Node.ParentNode.RemoveChild($Node) } # Select and remove all <FileRuleRef> elements from <FileRulesRef> in each signing scenario [System.Xml.XmlNodeList]$SigningScenarios = $Xml.SelectNodes('//ns:SigningScenario/ns:ProductSigners/ns:FileRulesRef', $NS) foreach ($Scenario in $SigningScenarios) { [System.Xml.XmlNodeList]$FileRuleRefs = $Scenario.SelectNodes('ns:FileRuleRef', $NS) foreach ($FileRuleRef in $FileRuleRefs) { [System.Void]$FileRuleRef.ParentNode.RemoveChild($FileRuleRef) } } # Add Unique <Allow> elements and their corresponding <FileRuleRef> elements back to the XML file for the Kernel-Mode files foreach ($Group in $UserModeHashTable.GetEnumerator()) { # Add the unique <Allow> element [System.Void]$FileRulesNode.AppendChild($Group.Key[0]) # Add the unique <FileRuleRef> element, using [0] index because the key is an array even though it only has 1 element $ToAppend1 = foreach ($Item in ($Group.Value.GetEnumerator() | Group-Object -Property RuleID)) { $Item.Group[0] } [System.Void]$UserModeFileRefs.AppendChild($ToAppend1) } # Add Unique <Allow> elements and their corresponding <FileRuleRef> elements back to the XML file for the Kernel-Mode files foreach ($Group in $KernelModeHashTable.GetEnumerator()) { # Add the unique <Allow> element, using [0] index because the key is an array even though it only has 1 element [System.Void]$FileRulesNode.AppendChild($Group.Key[0]) # Add the unique <FileRuleRef> element $ToAppend2 = foreach ($Item in ($Group.Value.GetEnumerator() | Group-Object -Property RuleID)) { $Item.Group[0] } [System.Void]$KernelModeFileRefs.AppendChild($ToAppend2) } } End { $Xml.Save($Path) } } Export-ModuleMember -Function 'Remove-AllowElements_Semantic' |