From 10e74569e34ff401e605489dc0e877c3fe5de73a Mon Sep 17 00:00:00 2001 From: Michael Zanatta Date: Sat, 25 Sep 2021 14:45:34 +1000 Subject: [PATCH 1/8] Adding AccessControl to Configuration --- .../Classes/1.SessionConfigurationUtility.ps1 | 200 +++++++++--------- source/Classes/JeaSessionConfiguration.ps1 | 30 ++- 2 files changed, 132 insertions(+), 98 deletions(-) diff --git a/source/Classes/1.SessionConfigurationUtility.ps1 b/source/Classes/1.SessionConfigurationUtility.ps1 index 60457ab..66f2a8e 100644 --- a/source/Classes/1.SessionConfigurationUtility.ps1 +++ b/source/Classes/1.SessionConfigurationUtility.ps1 
@@ -28,146 +28,154 @@ class SessionConfigurationUtility return $true } + hidden [bool] TestWinRMService() { + # Fetch the Service State + $winRMService = Get-Service -Name 'WinRM' -ErrorAction SilentlyContinue + # If the ServiceExists and the Status is running + if ($winRMService -and $winRMService.Status -eq 'Running') { + return $true + } else { + return $false + } + } + ## Get a PS Session Configuration based on its name hidden [object] GetPSSessionConfiguration($Name) { - $winRMService = Get-Service -Name 'WinRM' - if ($winRMService -and $winRMService.Status -eq 'Running') - { - # Temporary disabling Verbose as xxx-PSSessionConfiguration methods verbose messages are useless for DSC debugging - $verbosePreferenceBackup = $Global:VerbosePreference - $Global:VerbosePreference = 'SilentlyContinue' - $psSessionConfiguration = Get-PSSessionConfiguration -Name $Name -ErrorAction SilentlyContinue - $Global:VerbosePreference = $verbosePreferenceBackup - if ($psSessionConfiguration) - { - return $psSessionConfiguration - } - else - { - return $null - } + # Ensure that the WinRMService is running. 
+ if (-not($this.TestWinRMService())) { + Write-Verbose -Message $script:localizedDataSession.WinRMNotRunningGetPsSession + return $null + } + + # Temporary disabling Verbose as xxx-PSSessionConfiguration methods verbose messages are useless for DSC debugging + $verbosePreferenceBackup = $Global:VerbosePreference + $Global:VerbosePreference = 'SilentlyContinue' + $psSessionConfiguration = Get-PSSessionConfiguration -Name $Name -ErrorAction SilentlyContinue + $Global:VerbosePreference = $verbosePreferenceBackup + + if ($psSessionConfiguration) + { + return $psSessionConfiguration } else { - Write-Verbose -Message $script:localizedDataSession.WinRMNotRunningGetPsSession return $null } + } ## Unregister a PS Session Configuration based on its name hidden [void] UnregisterPSSessionConfiguration($Name) { - $winRMService = Get-Service -Name 'WinRM' - if ($winRMService -and $winRMService.Status -eq 'Running') - { - # Temporary disabling Verbose as xxx-PSSessionConfiguration methods verbose messages are useless for DSC debugging - $verbosePreferenceBackup = $Global:VerbosePreference - $Global:VerbosePreference = 'SilentlyContinue' - $null = Unregister-PSSessionConfiguration -Name $Name -Force -WarningAction 'SilentlyContinue' - $Global:VerbosePreference = $verbosePreferenceBackup - } - else - { + + # Ensure that the WinRMService is running. 
+ if (-not($this.TestWinRMService())) { throw ($script:localizedDataSession.WinRMNotRunningUnRegisterPsSession -f $Name) } + + # Temporary disabling Verbose as xxx-PSSessionConfiguration methods verbose messages are useless for DSC debugging + $verbosePreferenceBackup = $Global:VerbosePreference + $Global:VerbosePreference = 'SilentlyContinue' + $null = Unregister-PSSessionConfiguration -Name $Name -Force -WarningAction 'SilentlyContinue' + $Global:VerbosePreference = $verbosePreferenceBackup + } ## Register a PS Session Configuration and handle a WinRM hanging situation - hidden [Void] RegisterPSSessionConfiguration($Name, $Path, $Timeout) + hidden [Void] RegisterPSSessionConfiguration($Name, $Path, $Timeout, $AccessMode) { - $winRMService = Get-Service -Name 'WinRM' - if ($winRMService -and $winRMService.Status -eq 'Running') + + # Ensure that the WinRMService is running. + if (-not($this.TestWinRMService())) { + throw ($script:localizedDataSession.WinRMNotRunningRegisterPsSession -f $Name) + } + + Write-Verbose -Message ($script:localizedDataSession.RegisterPSSessionConfiguration -f $Name,$Path,$Timeout) + # Register-PSSessionConfiguration has been hanging because the WinRM service is stuck in Stopping state + # therefore we need to run Register-PSSessionConfiguration within a job to allow us to handle a hanging WinRM service + + # Save the list of services sharing the same process as WinRM in case we have to restart them + $processId = Get-CimInstance -ClassName 'Win32_Service' -Filter "Name LIKE 'WinRM'" | Select-Object -ExpandProperty ProcessId + $serviceList = Get-CimInstance -ClassName 'Win32_Service' -Filter "ProcessId=$processId" | Select-Object -ExpandProperty Name + foreach ($service in $serviceList.clone()) { - Write-Verbose -Message ($script:localizedDataSession.RegisterPSSessionConfiguration -f $Name,$Path,$Timeout) - # Register-PSSessionConfiguration has been hanging because the WinRM service is stuck in Stopping state - # therefore we need to run 
Register-PSSessionConfiguration within a job to allow us to handle a hanging WinRM service - - # Save the list of services sharing the same process as WinRM in case we have to restart them - $processId = Get-CimInstance -ClassName 'Win32_Service' -Filter "Name LIKE 'WinRM'" | Select-Object -ExpandProperty ProcessId - $serviceList = Get-CimInstance -ClassName 'Win32_Service' -Filter "ProcessId=$processId" | Select-Object -ExpandProperty Name - foreach ($service in $serviceList.clone()) + $dependentServiceList = Get-Service -Name $service | ForEach-Object { $_.DependentServices } + foreach ($dependentService in $dependentServiceList) { - $dependentServiceList = Get-Service -Name $service | ForEach-Object { $_.DependentServices } - foreach ($dependentService in $dependentServiceList) + if ($dependentService.Status -eq 'Running' -and $serviceList -notcontains $dependentService.Name) { - if ($dependentService.Status -eq 'Running' -and $serviceList -notcontains $dependentService.Name) - { - $serviceList += $dependentService.Name - } + $serviceList += $dependentService.Name } } + } - if ($Path) - { - $registerString = "`$null = Register-PSSessionConfiguration -Name '$Name' -Path '$Path' -NoServiceRestart -Force -ErrorAction 'Stop' -WarningAction 'SilentlyContinue'" - } - else - { - $registerString = "`$null = Register-PSSessionConfiguration -Name '$Name' -NoServiceRestart -Force -ErrorAction 'Stop' -WarningAction 'SilentlyContinue'" - } + if ($Path) + { + $registerString = "`$null = Register-PSSessionConfiguration -Name '$Name' -Path '$Path' -AccessMode '$AccessMode' -NoServiceRestart -Force -ErrorAction 'Stop' -WarningAction 'SilentlyContinue'" + } + else + { + $registerString = "`$null = Register-PSSessionConfiguration -Name '$Name' -AccessMode '$AccessMode' -NoServiceRestart -Force -ErrorAction 'Stop' -WarningAction 'SilentlyContinue'" + } - $registerScriptBlock = [scriptblock]::Create($registerString) + $registerScriptBlock = [scriptblock]::Create($registerString) - 
if ($Timeout -gt 0) + if ($Timeout -gt 0) + { + $job = Start-Job -ScriptBlock $registerScriptBlock + Wait-Job -Job $job -Timeout $Timeout + Receive-Job -Job $job + Remove-Job -Job $job -Force -ErrorAction 'SilentlyContinue' + + # If WinRM is still Stopping after the job has completed / exceeded $Timeout, force kill the underlying WinRM process + $winRMService = Get-Service -Name 'WinRM' + if ($winRMService -and $winRMService.Status -eq 'StopPending') { - $job = Start-Job -ScriptBlock $registerScriptBlock - Wait-Job -Job $job -Timeout $Timeout - Receive-Job -Job $job - Remove-Job -Job $job -Force -ErrorAction 'SilentlyContinue' - - # If WinRM is still Stopping after the job has completed / exceeded $Timeout, force kill the underlying WinRM process - $winRMService = Get-Service -Name 'WinRM' - if ($winRMService -and $winRMService.Status -eq 'StopPending') + $processId = Get-CimInstance -ClassName 'Win32_Service' -Filter "Name LIKE 'WinRM'" | Select-Object -ExpandProperty ProcessId + Write-Verbose -Message ($script:localizedDataSession.ForcingProcessToStop -f $processId) + $failureList = @() + try { - $processId = Get-CimInstance -ClassName 'Win32_Service' -Filter "Name LIKE 'WinRM'" | Select-Object -ExpandProperty ProcessId - Write-Verbose -Message ($script:localizedDataSession.ForcingProcessToStop -f $processId) - $failureList = @() - try + # Kill the process hosting WinRM service + Stop-Process -Id $processId -Force + Start-Sleep -Seconds 5 + Write-Verbose -Message ($script:localizedDataSession.RegisterPSSessionConfiguration -f $($serviceList -join ', ')) + # Then restart all services previously identified + foreach ($service in $serviceList) { - # Kill the process hosting WinRM service - Stop-Process -Id $processId -Force - Start-Sleep -Seconds 5 - Write-Verbose -Message ($script:localizedDataSession.RegisterPSSessionConfiguration -f $($serviceList -join ', ')) - # Then restart all services previously identified - foreach ($service in $serviceList) + try { - try - 
{ - Start-Service -Name $service - } - catch - { - $failureList += $script:localizedDataSession.FailureListStartService -f $service - } + Start-Service -Name $service + } + catch + { + $failureList += $script:localizedDataSession.FailureListStartService -f $service } } - catch - { - $failureList += $script:localizedDataSession.FailureListKillWinRMProcess - } - - if ($failureList) - { - Write-Verbose -Message ($script:localizedDataSession.FailureListKillWinRMProcess -f $($failureList -join ', ')) - } } - elseif ($winRMService -and $winRMService.Status -eq 'Stopped') + catch + { + $failureList += $script:localizedDataSession.FailureListKillWinRMProcess + } + + if ($failureList) { - Write-Verbose -Message $script:localizedDataSession.RestartWinRM - Start-Service -Name 'WinRM' + Write-Verbose -Message ($script:localizedDataSession.FailureListKillWinRMProcess -f $($failureList -join ', ')) } } - else + elseif ($winRMService -and $winRMService.Status -eq 'Stopped') { - Invoke-Command -ScriptBlock $registerScriptBlock + Write-Verbose -Message $script:localizedDataSession.RestartWinRM + Start-Service -Name 'WinRM' } } else { - throw ($script:localizedDataSession.WinRMNotRunningRegisterPsSession -f $Name) + Invoke-Command -ScriptBlock $registerScriptBlock } + } } diff --git a/source/Classes/JeaSessionConfiguration.ps1 b/source/Classes/JeaSessionConfiguration.ps1 index fc74941..ef52525 100644 --- a/source/Classes/JeaSessionConfiguration.ps1 +++ b/source/Classes/JeaSessionConfiguration.ps1 @@ -125,6 +125,11 @@ class JeaSessionConfiguration:SessionConfigurationUtility [Dscproperty()] [string[]] $AssembliesToLoad + ## Enables and disables the session configuration and determines whether it can be used for remote or local sessions on the computer. + ## Values can be: Disabled, Local, Remote (Default) + [Dscproperty()] + [Bool] $AccessMode = 'Remote' + ## The optional number of seconds to wait for registering the endpoint to complete. ## 0 for no timeout [Dscproperty()] 
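Review bot: In `RegisterPSSessionConfiguration` the new `$AccessMode` argument is interpolated between single quotes into `$registerString`, which is then compiled with `[scriptblock]::Create`, so a value containing a quote changes the script that runs instead of merely failing parameter binding. `$Name` and `$Path` were already handled this way; this patch extends the pattern to a third untyped method parameter, fed from `$this.AccessMode`, a DSC property that carries no value constraint anywhere in this series. Passing the values as data, through a literal script block with a `param` block, a splatted hashtable and `-ArgumentList`, removes the quoting problem. It also lets the cmdlet's own binding reject anything that is not a valid access mode.

```powershell
# … unchanged: WinRM check, verbose message, service list collection …
$registerParameters = @{
    Name             = $Name
    AccessMode       = $AccessMode
    NoServiceRestart = $true
    Force            = $true
    ErrorAction      = 'Stop'
    WarningAction    = 'SilentlyContinue'
}

if ($Path)
{
    $registerParameters.Path = $Path
}

$registerScriptBlock = {
    param ($Parameters)

    $null = Register-PSSessionConfiguration @Parameters
}

if ($Timeout -gt 0)
{
    $job = Start-Job -ScriptBlock $registerScriptBlock -ArgumentList $registerParameters
    # … unchanged: Wait-Job, Receive-Job, Remove-Job and hung-WinRM recovery …
}
else
{
    Invoke-Command -ScriptBlock $registerScriptBlock -ArgumentList $registerParameters
}
```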
@@ -162,7 +167,7 @@ class JeaSessionConfiguration:SessionConfigurationUtility $breakTheGlassName = 'Microsoft.PowerShell.Restricted' if (-not ($this.GetPSSessionConfiguration($breakTheGlassName))) { - $this.RegisterPSSessionConfiguration($breakTheGlassName, $null, $this.HungRegistrationTimeout) + $this.RegisterPSSessionConfiguration($breakTheGlassName, $null, $this.HungRegistrationTimeout, $this.AccessMode) } } @@ -180,7 +185,7 @@ class JeaSessionConfiguration:SessionConfigurationUtility New-PSSessionConfigurationFile @desiredState ## Register the configuration file - $this.RegisterPSSessionConfiguration($this.Name, $psscPath, $this.HungRegistrationTimeout) + $this.RegisterPSSessionConfiguration($this.Name, $psscPath, $this.HungRegistrationTimeout, $this.AccessMode) } } catch @@ -250,6 +255,21 @@ class JeaSessionConfiguration:SessionConfigurationUtility $CurrentState.Ensure = [Ensure]::Present $sessionConfiguration = $this.GetPSSessionConfiguration($this.Name) + + # + # Determine the AccessMode for the Session Configuration + + # If the Session Configuration is Disabled, then it's disabled. + if (-not($sessionConfiguration.Enabled)) { + $currentState.AccessMode = 'Disabled' + # If the Session Configuration is Enabled and has a 'NT AUTHORITY\NETWORK AccessDenied' SDDL. Then it's local. + } elseif (($sessionConfiguration.Permission -split ', ').Where{$_ -eq 'NT AUTHORITY\NETWORK AccessDenied'}.Count -eq 1) { + $currentState.AccessMode = 'Local' + # Otherwise if enabled, it's then Remote. + } else { + $currentState.AccessMode = 'Remote' + } + if (-not $sessionConfiguration -or -not $sessionConfiguration.ConfigFilePath) { $currentState.Ensure = [Ensure]::Absent @@ -297,6 +317,9 @@ class JeaSessionConfiguration:SessionConfigurationUtility } } + # + # PSSessionConfigurationFile Processing + # Compare current and desired state to add reasons $valuesToCheck = $this.psobject.Properties.Name.Where({$_ -notin 'Name','Reasons'}) 
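Review bot: The break-the-glass endpoint `Microsoft.PowerShell.Restricted` is now registered with `$this.AccessMode`, that is, with whatever mode was requested for the endpoint this resource instance manages. If that instance asks for `Disabled` or `Local`, the recovery endpoint is created with the same restriction and may not be reachable remotely when it is needed. The condition that leads into this branch lies outside the hunk, so confirm which instances reach it. Consider pinning the mode here, `$this.RegisterPSSessionConfiguration($breakTheGlassName, $null, $this.HungRegistrationTimeout, 'Remote')`, or documenting on the property that the fallback endpoint inherits the configured mode.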
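Review bot: The `Local` branch decides by looking for the literal `NT AUTHORITY\NETWORK AccessDenied` in `$sessionConfiguration.Permission`, which the comment calls an SDDL but which is the rendered account name. That name is presumably localized on non-English Windows, in which case a local-only endpoint would be reported as `Remote` and the drift would go unnoticed. Matching the deny ACE for the Network SID (`S-1-5-2`, `NU` in SDDL) in the endpoint's security descriptor would not depend on the display language; confirm which property of this object carries it. Patches 4/8 and 6/8 rework this condition but still compare against the same literal.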
@@ -329,6 +352,9 @@ class JeaSessionConfiguration:SessionConfigurationUtility } } + + + return $currentState } } From b6151740f0cfc3b67793250918eb94759fde8108 Mon Sep 17 00:00:00 2001 From: Michael Zanatta Date: Sat, 25 Sep 2021 16:36:30 +1000 Subject: [PATCH 2/8] Adding to ChangeLog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b396a36..5b43038 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added +- Adding AccessMode to PSSessionConfiguration. - Adding herited classes that contains helper methods. - Adding Reason class. - Adding Reasons property in JeaSessionConfiguration and JeaRoleCapabilities resources. From 0cb24caef29d9d37414c58fc4cd56312685b440c Mon Sep 17 00:00:00 2001 From: Michael Zanatta Date: Sat, 25 Sep 2021 16:45:37 +1000 Subject: [PATCH 3/8] Fixing Linting --- .../Classes/1.SessionConfigurationUtility.ps1 | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/source/Classes/1.SessionConfigurationUtility.ps1 b/source/Classes/1.SessionConfigurationUtility.ps1 index 66f2a8e..2e66f46 100644 --- a/source/Classes/1.SessionConfigurationUtility.ps1 +++ b/source/Classes/1.SessionConfigurationUtility.ps1 @@ -28,13 +28,17 @@ class SessionConfigurationUtility return $true } - hidden [bool] TestWinRMService() { + hidden [bool] TestWinRMService() + { # Fetch the Service State $winRMService = Get-Service -Name 'WinRM' -ErrorAction SilentlyContinue # If the ServiceExists and the Status is running - if ($winRMService -and $winRMService.Status -eq 'Running') { + if ($winRMService -and $winRMService.Status -eq 'Running') + { return $true - } else { + } + else + { return $false } } 
@@ -42,9 +46,9 @@ class SessionConfigurationUtility ## Get a PS Session Configuration based on its name hidden [object] GetPSSessionConfiguration($Name) { - # Ensure that the WinRMService is running. - if (-not($this.TestWinRMService())) { + if (-not($this.TestWinRMService())) + { Write-Verbose -Message $script:localizedDataSession.WinRMNotRunningGetPsSession return $null } @@ -69,9 +73,9 @@ class SessionConfigurationUtility ## Unregister a PS Session Configuration based on its name hidden [void] UnregisterPSSessionConfiguration($Name) { - # Ensure that the WinRMService is running. - if (-not($this.TestWinRMService())) { + if (-not($this.TestWinRMService())) + { throw ($script:localizedDataSession.WinRMNotRunningUnRegisterPsSession -f $Name) } @@ -86,9 +90,9 @@ class SessionConfigurationUtility ## Register a PS Session Configuration and handle a WinRM hanging situation hidden [Void] RegisterPSSessionConfiguration($Name, $Path, $Timeout, $AccessMode) { - # Ensure that the WinRMService is running. - if (-not($this.TestWinRMService())) { + if (-not($this.TestWinRMService())) + { throw ($script:localizedDataSession.WinRMNotRunningRegisterPsSession -f $Name) } From c27e4d40f22ca07654d8422e099f291fe80a085d Mon Sep 17 00:00:00 2001 From: Michael Zanatta Date: Sat, 25 Sep 2021 17:10:46 +1000 Subject: [PATCH 4/8] Fixing Linting --- source/Classes/JeaSessionConfiguration.ps1 | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/source/Classes/JeaSessionConfiguration.ps1 b/source/Classes/JeaSessionConfiguration.ps1 index ef52525..b8e58d4 100644 --- a/source/Classes/JeaSessionConfiguration.ps1 +++ b/source/Classes/JeaSessionConfiguration.ps1 
@@ -128,7 +128,7 @@ class JeaSessionConfiguration:SessionConfigurationUtility ## Enables and disables the session configuration and determines whether it can be used for remote or local sessions on the computer. ## Values can be: Disabled, Local, Remote (Default) [Dscproperty()] - [Bool] $AccessMode = 'Remote' + [String] $AccessMode = 'Remote' ## The optional number of seconds to wait for registering the endpoint to complete. ## 0 for no timeout @@ -259,14 +259,19 @@ class JeaSessionConfiguration:SessionConfigurationUtility # # Determine the AccessMode for the Session Configuration - # If the Session Configuration is Disabled, then it's disabled. - if (-not($sessionConfiguration.Enabled)) { + if (-not($sessionConfiguration.Enabled)) + { + # If the Session Configuration is Disabled, then it's disabled. $currentState.AccessMode = 'Disabled' - # If the Session Configuration is Enabled and has a 'NT AUTHORITY\NETWORK AccessDenied' SDDL. Then it's local. - } elseif (($sessionConfiguration.Permission -split ', ').Where{$_ -eq 'NT AUTHORITY\NETWORK AccessDenied'}.Count -eq 1) { + } + elseif (($sessionConfiguration.Permission -split ', ').Where{$_ -eq 'NT AUTHORITY\NETWORK AccessDenied'}.Count -eq 1) + { + # If the Session Configuration is Enabled and has a 'NT AUTHORITY\NETWORK AccessDenied' SDDL. Then it's local. $currentState.AccessMode = 'Local' - # Otherwise if enabled, it's then Remote. - } else { + } + else + { + # Otherwise if enabled, it's then Remote. $currentState.AccessMode = 'Remote' } From 9f133caf69275c457182d270790a6191bc3b9df4 Mon Sep 17 00:00:00 2001 From: Michael Zanatta Date: Sat, 25 Sep 2021 17:11:55 +1000 Subject: [PATCH 5/8] Fixing Spacing --- source/Classes/JeaSessionConfiguration.ps1 | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/source/Classes/JeaSessionConfiguration.ps1 b/source/Classes/JeaSessionConfiguration.ps1 index b8e58d4..466be12 100644 --- a/source/Classes/JeaSessionConfiguration.ps1 
+++ b/source/Classes/JeaSessionConfiguration.ps1 @@ -357,9 +357,7 @@ class JeaSessionConfiguration:SessionConfigurationUtility } } - - - return $currentState + } } From e1e74c1638175a1c196b0cfc5b8e26e80d7f9e33 Mon Sep 17 00:00:00 2001 From: Michael Zanatta Date: Sat, 2 Oct 2021 08:00:36 +1000 Subject: [PATCH 6/8] Implemented AccessMode Initial Testing Completed --- .../Classes/1.SessionConfigurationUtility.ps1 | 2 +- source/Classes/JeaSessionConfiguration.ps1 | 17 +++++++++++++++-- .../en-US/JeaSessionConfiguration.strings.psd1 | 2 +- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/source/Classes/1.SessionConfigurationUtility.ps1 b/source/Classes/1.SessionConfigurationUtility.ps1 index 2e66f46..c0d64eb 100644 --- a/source/Classes/1.SessionConfigurationUtility.ps1 +++ b/source/Classes/1.SessionConfigurationUtility.ps1 @@ -96,7 +96,7 @@ class SessionConfigurationUtility throw ($script:localizedDataSession.WinRMNotRunningRegisterPsSession -f $Name) } - Write-Verbose -Message ($script:localizedDataSession.RegisterPSSessionConfiguration -f $Name,$Path,$Timeout) + Write-Verbose -Message ($script:localizedDataSession.RegisterPSSessionConfiguration -f $Name,$Path,$AccessMode,$Timeout) # Register-PSSessionConfiguration has been hanging because the WinRM service is stuck in Stopping state # therefore we need to run Register-PSSessionConfiguration within a job to allow us to handle a hanging WinRM service diff --git a/source/Classes/JeaSessionConfiguration.ps1 b/source/Classes/JeaSessionConfiguration.ps1 index 466be12..2117fe1 100644 --- a/source/Classes/JeaSessionConfiguration.ps1 +++ b/source/Classes/JeaSessionConfiguration.ps1 @@ -158,6 +158,8 @@ class JeaSessionConfiguration:SessionConfigurationUtility } } + Write-Verbose ("Set(): AccessMode: {0}" -f $this.AccessMode) + ## Register the endpoint try { 
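Review bot: The `RegisterPSSessionConfiguration` string becomes a four-placeholder format in this patch and this call site is updated, but the second use of the same string in the `StopPending` recovery path (`... -f $($serviceList -join ', ')`, visible in patch 1/8) still passes a single argument. `-f` throws when a placeholder has no matching argument, and that call sits inside the `try` that restarts the services after `Stop-Process`. The exception would therefore skip the restart loop and leave WinRM and the co-hosted services stopped. The message there reads as if it was meant to be `$script:localizedDataSession.RestartingServices -f ($serviceList -join ', ')`. The mismatch already existed with the three-placeholder string, so it is not introduced here, but this is the commit that touches the format and should fix both users.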
@@ -226,6 +228,12 @@ class JeaSessionConfiguration:SessionConfigurationUtility return $false } + # If the AccessMode is not within desired state. + if ($currentState.AccessMode -ne $desiredState.AccessMode) + { + return $false + } + $cmdlet = Get-Command -Name New-PSSessionConfigurationFile $desiredState = Sync-Parameter -Command $cmdlet -Parameters $desiredState $currentState = Sync-Parameter -Command $cmdlet -Parameters $currentState @@ -264,14 +272,19 @@ class JeaSessionConfiguration:SessionConfigurationUtility # If the Session Configuration is Disabled, then it's disabled. $currentState.AccessMode = 'Disabled' } - elseif (($sessionConfiguration.Permission -split ', ').Where{$_ -eq 'NT AUTHORITY\NETWORK AccessDenied'}.Count -eq 1) + elseif (($sessionConfiguration.Permission -split ', ') -contains 'NT AUTHORITY\NETWORK AccessDenied') { # If the Session Configuration is Enabled and has a 'NT AUTHORITY\NETWORK AccessDenied' SDDL. Then it's local. $currentState.AccessMode = 'Local' } + elseif ([String]::IsNullOrEmpty($sessionConfiguration.Permission)) + { + # It's not configured + $currentState.AccessMode = 'NotConfigured' + } else { - # Otherwise if enabled, it's then Remote. + # If permissions are present then it's Remote. $currentState.AccessMode = 'Remote' } diff --git a/source/en-US/JeaSessionConfiguration.strings.psd1 b/source/en-US/JeaSessionConfiguration.strings.psd1 index c9e7538..59a64dd 100644 --- a/source/en-US/JeaSessionConfiguration.strings.psd1 +++ b/source/en-US/JeaSessionConfiguration.strings.psd1 
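Review bot: `NotConfigured` is introduced here as a fourth value that Get() can report, while the property comment still lists only Disabled, Local and Remote and Test() in this same patch compares `$currentState.AccessMode -ne $desiredState.AccessMode` directly. An endpoint whose `Permission` is empty is therefore reported as non-compliant whatever mode was requested, and a missing `$sessionConfiguration` appears to take the same branch before the later null check. Either document the value on the property, for example `## Get() may also report NotConfigured when no permissions are set`, or map an empty `Permission` onto one of the three supported modes so Test() can converge.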
@@ -5,7 +5,7 @@ ConvertFrom-StringData @' WinRMNotRunningUnRegisterPsSession = WinRM service is not running. Cannot unregister PS Session Configuration '{0}'. (JSC0004) WinRMNotRunningRegisterPsSession = WinRM service is not running. Cannot register PS Session Configuration '{0}'. (JSC0005) NotDefinedGMSaAndVirtualAccount = 'GroupManagedServiceAccount' and 'RunAsVirtualAccount' are not defined, setting 'RunAsVirtualAccount' to 'true'. (JSC0006) - RegisterPSSessionConfiguration = Will register PSSessionConfiguration with argument: Name = '{0}', Path = '{1}' and Timeout = '{2}' (JSC0007) + RegisterPSSessionConfiguration = Will register PSSessionConfiguration with argument: Name = '{0}', Path = '{1}', AccessMode = '{2}' and Timeout = '{3}' (JSC0007) ForcingProcessToStop = WinRM seems hanging in Stopping state. Forcing process {0} to stop. (JSC0008) RestartingServices = "Restarting services: {0} (JSC0009) FailureListStartService = Start service {0} (JSC0010) From 3e5e8651a5d7ca4b556496f1c01a63eb57b091ed Mon Sep 17 00:00:00 2001 From: Michael Zanatta Date: Tue, 19 Oct 2021 09:12:57 +1000 Subject: [PATCH 7/8] Added AccessMode Unit Tests Fixed Bug with PSSessionConfiguration --- source/Classes/JeaSessionConfiguration.ps1 | 2 +- ...PSSessionConfigurationAccessMode.Tests.ps1 | 90 +++++++++++++++++++ .../Integration/JeaRoleCapabilities.Tests.ps1 | 2 +- 3 files changed, 92 insertions(+), 2 deletions(-) create mode 100644 tests/Integration/JeaPSSessionConfigurationAccessMode.Tests.ps1 diff --git a/source/Classes/JeaSessionConfiguration.ps1 b/source/Classes/JeaSessionConfiguration.ps1 index 2117fe1..6f75fdc 100644 --- a/source/Classes/JeaSessionConfiguration.ps1 +++ b/source/Classes/JeaSessionConfiguration.ps1 
@@ -267,7 +267,7 @@ class JeaSessionConfiguration:SessionConfigurationUtility # # Determine the AccessMode for the Session Configuration - if (-not($sessionConfiguration.Enabled)) + if ($sessionConfiguration.Enabled -eq $false) { # If the Session Configuration is Disabled, then it's disabled. $currentState.AccessMode = 'Disabled' diff --git a/tests/Integration/JeaPSSessionConfigurationAccessMode.Tests.ps1 b/tests/Integration/JeaPSSessionConfigurationAccessMode.Tests.ps1 new file mode 100644 index 0000000..a6ed05a --- /dev/null +++ b/tests/Integration/JeaPSSessionConfigurationAccessMode.Tests.ps1 
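Review bot: The switch from `-not(...)` to `-eq $false` has no comment explaining why the explicit comparison is required, so a later cleanup could easily revert it. The two forms differ for a `$null` configuration and, if `Enabled` is returned as the string `'False'` rather than a boolean (TODO confirm against Get-PSSessionConfiguration output), for a disabled endpoint as well, because a non-empty string is truthy under `-not`. Suggested comment above the condition: `# Compare explicitly with $false: -not treats a missing configuration as disabled and a 'False' string as enabled`.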
@@ -0,0 +1,90 @@ +#Import-Module -Name (Join-Path -Path $PSScriptRoot -ChildPath ..\..\output\JeaDsc) + +$script:dscModuleName = 'JeaDsc' +$script:dscResourceName = 'JeaRoleCapabilities' +$script:dscPSSessionConfigurationName = 'PS_IntergrationSessionConfiguration' + +try +{ + Import-Module -Name DscResource.Test -Force -ErrorAction 'Stop' +} +catch [System.IO.FileNotFoundException] +{ + throw 'DscResource.Test module dependency not found. Please run ".\build.ps1 -Tasks build" first.' +} + +$global:testEnvironment = Initialize-TestEnvironment ` + -DSCModuleName $script:dscModuleName ` + -DSCResourceName $script:dscResourceName ` + -ResourceType Mof ` + -TestType Integration + +Import-Module -Name (Join-Path -Path $PSScriptRoot -ChildPath '..\TestHelpers\CommonTestHelper.psm1') + +InModuleScope JeaDsc { + + Describe 'Integration testing JeaSessionConfiguration AccessModes' -Tag Integration { + + Context "Testing Get Method with AccessMode" { + + BeforeAll { + $params = @{ + Path = 'TestDrive:\PS_IntergrationSessionConfiguration.pssc' + } + New-PSSessionConfigurationFile @params + } + + BeforeEach { + $class = [JeaSessionConfiguration]::New() + $class.Name = 'PS_IntergrationSessionConfiguration' + + $sessionConfigurationParams = @{ + Name = 'PS_IntergrationSessionConfiguration' + Path = 'TestDrive:\PS_IntergrationSessionConfiguration.pssc' + } + + } + + AfterEach { + Unregister-PSSessionConfiguration -Name 'PS_IntergrationSessionConfiguration' -WarningAction SilentlyContinue -ErrorAction SilentlyContinue + } + + AfterAll { + Remove-Item -Path 'TestDrive:\PS_IntergrationSessionConfiguration.pssc' + } + + It 'Should return an AccessMode of "Remote"' { + + $sessionConfigurationParams.AccessMode = 'Remote' + Register-PSSessionConfiguration @sessionConfigurationParams -WarningAction SilentlyContinue + + $result = $class.Get() + $result.AccessMode | Should -be 'Remote' + + } + + It 'Should return an AccessMode of "Disabled"' { + + $sessionConfigurationParams.AccessMode = 
'Disabled' + Register-PSSessionConfiguration @sessionConfigurationParams -WarningAction SilentlyContinue + + $result = $class.Get() + $result.AccessMode | Should -be 'Disabled' + + } + + It 'Should return an AccessMode of "Local"' { + + $sessionConfigurationParams.AccessMode = 'Local' + Register-PSSessionConfiguration @sessionConfigurationParams -WarningAction SilentlyContinue + + $result = $class.Get() + $result.AccessMode | Should -be 'Local' + + } + + } + + } + +} diff --git a/tests/Integration/JeaRoleCapabilities.Tests.ps1 b/tests/Integration/JeaRoleCapabilities.Tests.ps1 index 59217bb..e860b9e 100644 --- a/tests/Integration/JeaRoleCapabilities.Tests.ps1 +++ b/tests/Integration/JeaRoleCapabilities.Tests.ps1 @@ -30,7 +30,7 @@ InModuleScope JeaDsc { $class.Path = 'TestDrive:\ModuleFolder\RoleCapabilities\ExampleRole.psrc' } - Context 'Testing Get method when Ensure is Present' { + Context 'Testing Get method when Ensure is Present' { It 'Should return an object of JeaRoleCapabilities type' { $null = New-Item -Path $class.Path -Force From bfd0eb42bef942ff2727024e58491e2660669d37 Mon Sep 17 00:00:00 2001 From: Michael Zanatta Date: Tue, 19 Oct 2021 09:20:46 +1000 Subject: [PATCH 8/8] Updated ChangeLog Added Example --- CHANGELOG.md | 3 ++- .../Disable Default PowerShell Session Config.ps1 | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 Samples/Disable Default PowerShell Session Config.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b43038..af712bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,9 +5,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +- Adding AccessMode to PSSessionConfiguration. + ### Added -- Adding AccessMode to PSSessionConfiguration. - Adding herited classes that contains helper methods. - Adding Reason class. - Adding Reasons property in JeaSessionConfiguration and JeaRoleCapabilities resources. 
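Review bot: The three `Register-PSSessionConfiguration` calls in the `It` blocks omit `-Force` and `-NoServiceRestart`, unlike the resource itself, so as far as I know they prompt for confirmation and restart WinRM on the test host, which is likely to hang or fail on an unattended agent. Adding `Force = $true` and `NoServiceRestart = $true` to `$sessionConfigurationParams` in `BeforeEach` would cover all three. `$script:dscResourceName = 'JeaRoleCapabilities'` looks copied from the other test file, and `$script:dscPSSessionConfigurationName` is defined but the literal is repeated instead. The tests exercise only Get(); a case that passes an unsupported `AccessMode` through Set() would pin the validation behaviour.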
diff --git a/Samples/Disable Default PowerShell Session Config.ps1 b/Samples/Disable Default PowerShell Session Config.ps1 new file mode 100644 index 0000000..f39b6d0 --- /dev/null +++ b/Samples/Disable Default PowerShell Session Config.ps1 @@ -0,0 +1,15 @@ +Configuration DisableDefaultPowerShell +{ + Import-DscResource -Module JeaDsc + + JeaSessionConfiguration DnsManagementEndpoint + { + Name = 'microsoft.powershell' + AccessMode = 'Disabled' + } +} + +Remove-Item -Path C:\DscTest\* -ErrorAction SilentlyContinue +DisableDefaultPowerShell -OutputPath C:\DscTest -Verbose + +Start-DscConfiguration -Path C:\DscTest -Wait -Verbose -Force
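Review bot: The sample disables the default `microsoft.powershell` endpoint without any comment about the consequence: once applied, remote sessions that do not name another configuration are refused, so a node with no other reachable endpoint can only be managed locally. A short header comment should say this and state that a JEA endpoint should be registered and verified before this configuration is applied. The resource instance name `DnsManagementEndpoint` looks copied from another sample and would read better as something like `DisableDefaultEndpoint`. `Remove-Item -Path C:\DscTest\* -ErrorAction SilentlyContinue` silently clears that folder, which also deserves a one-line comment.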