Merge master

CHANGELOG.md

@@ -10,7 +10,12 @@
 
 ### Changed
 
+- Updated pipeline with `Sampler.GitHubTasks` tasks.
 - SecurityPolicyDsc:
+  - AccountPolicy/SecurityOption:
+    - BREAKING: Introduced support for PowerShell v7 (Invoke-DscResource).
+      With this change, we start using Import-PowerShellDataFile, which is only available from PowerShell v5. 
+      This means Windows PowerShell 4 (WMF 4) is no longer supported.
   - Resolved custom Script Analyzer rules that was added to the test framework.
   - Moved change log to CHANGELOG.md.
   - Added support for more SDDL SID constants
@@ -33,6 +38,10 @@
 - UserRightsAssignment:
   - Allow unresolvable SIDs found in local security policy
     [Issue #158](https://github.com/dsccommunity/SecurityPolicyDsc/issues/158)
+- SecurityPolicy:
+  - Ensure `Get` method returns the specified `Name` property.
+- SecurityOption
+  - 'Network_access_Remotely_accessible_registry_paths' and 'Network_access_Remotely_accessible_registry_paths_and_subpaths' use null char as a delimiter
 
 ## [2.10.0.0] - 2019-09-19
 

RequiredModules.psd1

@@ -15,6 +15,7 @@
     ModuleBuilder               = 'latest'
     ChangelogManagement         = 'latest'
     Sampler                     = 'latest'
+    'Sampler.GitHubTasks'       = 'latest'
     MarkdownLinkCheck           = 'latest'
     'DscResource.Test'          = 'latest'
     'DscResource.AnalyzerRules' = 'latest'

Tests/Integration/MSFT_SecurityTemplate.config.ps1

@@ -1,37 +1,37 @@
-
-# create test user and security template
-$userName = "TestUser" + ([guid]::NewGuid().guid).substring(0,6)
-$policy = 'SeTrustedCredManAccessPrivilege'
-$directoryEntry = [ADSI]"WinNT://$env:COMPUTERNAME,Computer"
-$user = $directoryEntry.Create("User", $userName)
-$user.setpassword('P@ssword!QAZ2wsx')
-$user.SetInfo()
-
-$infTemplate =@"
-[Unicode]
-Unicode=yes
-[Privilege Rights]
-$policy = $userName
-[Version]
-signature="`$CHICAGO`$"
-Revision=1
-"@
-
-$tempFile = ([system.IO.Path]::GetTempFileName()).Replace('tmp','inf') 
-Out-File -InputObject $infTemplate -FilePath $tempFile -Encoding unicode
-
-# Integration Test Config Template Version: 1.0.0
-
-configuration MSFT_SecurityTemplate_config {
-
-    Import-DscResource -ModuleName SecurityPolicyDsc
-
-    node localhost {
-
-        SecurityTemplate Integration_Test
-        {
-            Path = $tempFile
-            IsSingleInstance = 'Yes'
-        }
-    }
-}
+
+# create test user and security template
+$userName = "TestUser" + ([guid]::NewGuid().guid).substring(0,6)
+$policy = 'SeTrustedCredManAccessPrivilege'
+$directoryEntry = [ADSI]"WinNT://$env:COMPUTERNAME,Computer"
+$user = $directoryEntry.Create("User", $userName)
+$user.setpassword('P@ssword!QAZ2wsx')
+$user.SetInfo()
+
+$infTemplate =@"
+[Unicode]
+Unicode=yes
+[Privilege Rights]
+$policy = $userName
+[Version]
+signature="`$CHICAGO`$"
+Revision=1
+"@
+
+$tempFile = ([system.IO.Path]::GetTempFileName()).Replace('tmp','inf') 
+Out-File -InputObject $infTemplate -FilePath $tempFile -Encoding unicode
+
+# Integration Test Config Template Version: 1.0.0
+
+configuration MSFT_SecurityTemplate_config {
+
+    Import-DscResource -ModuleName SecurityPolicyDsc
+
+    node localhost {
+
+        SecurityTemplate Integration_Test
+        {
+            Path = $tempFile
+            IsSingleInstance = 'Yes'
+        }
+    }
+}

Tests/Integration/MSFT_UserRightsAssignment.config.ps1

@@ -1,49 +1,49 @@
-$script:DSCResourceName = 'MSFT_UserRightsAssignment'
-
-$resourcePath = (Get-DscResource -Name $script:DSCResourceName).Path
-Import-Module $resourcePath -Force
-
-# S-1-5-6 = NT Authority\Service
-# S-1-5-90-0 = 'window manager\window manager group'
-
-$rule = @{
-    Policy   = 'Access_Credential_Manager_as_a_trusted_caller'
-    Identity = 'builtin\Administrators','*S-1-5-6','S-1-5-90-0'
-}
-
-$removeAll = @{    
-    Policy = 'Act_as_part_of_the_operating_system'
-    Identity = ""
-}
-
-$removeGuests = @{
-    Policy = 'Deny_log_on_locally'
-    Identity = 'Guests'
-}
-
-# Add an identities so we can verify it gets removed
-Set-TargetResource -Policy $removeAll.Policy -Identity 'Administrators' -Ensure 'Present'
-Set-TargetResource -Policy $removeGuests.Policy -Identity 'Guests' -Ensure 'Present'
-
-configuration MSFT_UserRightsAssignment_config {
-    Import-DscResource -ModuleName SecurityPolicyDsc
-
-    UserRightsAssignment AccessCredentialManagerAsaTrustedCaller
-    {
-        Policy   = $rule.Policy
-        Identity = $rule.Identity
-    }
-
-    UserRightsAssignment RemoveAllActAsOS
-    {
-        Policy   = $removeAll.Policy
-        Identity = $removeAll.Identity
-    }
-
-    UserRightsAssignment DenyLogOnLocally
-    {
-        Policy   = $removeGuests.Policy
-        Identity = $removeGuests.Identity
-        Ensure   = 'Absent'
-    }
-}
+$script:DSCResourceName = 'MSFT_UserRightsAssignment'
+
+$resourcePath = (Get-DscResource -Name $script:DSCResourceName).Path
+Import-Module $resourcePath -Force
+
+# S-1-5-6 = NT Authority\Service
+# S-1-5-90-0 = 'window manager\window manager group'
+
+$rule = @{
+    Policy   = 'Access_Credential_Manager_as_a_trusted_caller'
+    Identity = 'builtin\Administrators','*S-1-5-6','S-1-5-90-0'
+}
+
+$removeAll = @{    
+    Policy = 'Act_as_part_of_the_operating_system'
+    Identity = ""
+}
+
+$removeGuests = @{
+    Policy = 'Deny_log_on_locally'
+    Identity = 'Guests'
+}
+
+# Add an identities so we can verify it gets removed
+Set-TargetResource -Policy $removeAll.Policy -Identity 'Administrators' -Ensure 'Present'
+Set-TargetResource -Policy $removeGuests.Policy -Identity 'Guests' -Ensure 'Present'
+
+configuration MSFT_UserRightsAssignment_config {
+    Import-DscResource -ModuleName SecurityPolicyDsc
+
+    UserRightsAssignment AccessCredentialManagerAsaTrustedCaller
+    {
+        Policy   = $rule.Policy
+        Identity = $rule.Identity
+    }
+
+    UserRightsAssignment RemoveAllActAsOS
+    {
+        Policy   = $removeAll.Policy
+        Identity = $removeAll.Identity
+    }
+
+    UserRightsAssignment DenyLogOnLocally
+    {
+        Policy   = $removeGuests.Policy
+        Identity = $removeGuests.Identity
+        Ensure   = 'Absent'
+    }
+}

Tests/Unit/MSFT_AccountPolicy.tests.ps1

@@ -31,7 +31,7 @@ try
     InModuleScope 'MSFT_AccountPolicy' {
         Set-StrictMode -Version 1.0
 
-        $resourceName='AccountPolicy'
+        $resourceName = 'AccountPolicy'
         $dscResourceInfo = Get-DscResource -Name AccountPolicy -Module SecurityPolicyDsc
         $testParameters = @{
             Name                                        = $resourceName
@@ -41,41 +41,6 @@ try
         }
 
         Describe 'SecurityOptionHelperTests' {
-            Context 'Get-AccountPolicyData' {
-                BeforeAll {
-                    $dataFilePath = Join-Path -Path $dscResourceInfo.ParentPath -ChildPath AccountPolicyData.psd1
-                    $accountPolicyData = Get-PolicyOptionData -FilePath $dataFilePath.Normalize()
-                    $accountPolicyPropertyList = $dscResourceInfo.Properties |
-                        Where-Object -FilterScript { $PSItem.Name -match '_' }
-                }
-
-                It 'Should have the same count as property count' {
-                    $accountPolicyDataPropertyCount = $accountPolicyData.Count
-                    $accountPolicyDataPropertyCount | Should -Be $accountPolicyPropertyList.Name.Count
-                }
-
-                foreach ($name in $accountPolicyData.Keys)
-                {
-                    It "Should contain property name: $name" {
-                        $accountPolicyPropertyList.Name -contains $name | Should -BeTrue
-                    }
-                }
-
-                foreach ($option in $accountPolicyData.GetEnumerator())
-                {
-                    Context "$($option.Name)"{
-                        $options = $option.Value.Option
-
-                        foreach ($entry in $options.GetEnumerator())
-                        {
-                            It "$($entry.Name) Should have string as Option type" {
-                                $entry.value | Should -BeOfType System.String
-                            }
-                        }
-                    }
-                }
-            }
-
             Context 'Add-PolicyOption' {
                 It 'Should have [System Access]' {
                     [string[]]$testString = "EnableAdminAccount=1"

Tests/Unit/MSFT_SecurityOption.tests.ps1

@@ -47,38 +47,6 @@ try
         }
 
         Describe 'SecurityOptionHelperTests' {
-            Context 'Get-PolicyOptionData' {
-                $dataFilePath = Join-Path -Path $dscResourceInfo.ParentPath -ChildPath SecurityOptionData.psd1
-                $securityOptionData = Get-PolicyOptionData -FilePath $dataFilePath.Normalize()
-                $securityOptionPropertyList = $dscResourceInfo.Properties | Where-Object -FilterScript { $PSItem.Name -match '_' }
-
-                It 'Should have the same count as property count' {
-                    $securityOptionDataPropertyCount = $securityOptionData.Count
-                    $securityOptionDataPropertyCount | Should Be $securityOptionPropertyList.Name.Count
-                }
-
-                foreach ( $name in $securityOptionData.Keys ) {
-                    It "Should contain property name: $name" {
-                        $securityOptionPropertyList.Name -contains $name | Should Be $true
-                    }
-                }
-
-                $optionData = Get-PolicyOptionData -FilePath $dataFilePath.Normalize()
-
-                foreach ($option in $optionData.GetEnumerator()) {
-                    Context "$($option.Name)" {
-                        $options = $option.Value.Option
-
-                        foreach ($entry in $options.GetEnumerator())
-                        {
-                            It "$($entry.Name) Should have string as Option type" {
-                                $entry.value.GetType().Name -is [string] | Should Be $true
-                            }
-                        }
-                    }
-                }
-            }
-
             Context 'Add-PolicyOption' {
                 It 'Should have [Registry Values]' {
                     [string[]]$testString = "Registry\path"
@@ -199,7 +167,7 @@ try
 
                     $result | Should Be '"O:BAG:BAD:(A;;RC;;;SY)"'
                 }
-                
+
                 It 'Should Create the BEST SDDL string' {
                     $result = Format-RestrictedRemoteSam -SecurityDescriptor $fullDescriptorTestParameters
 

Tests/Unit/SecurityPolicyResourceHelper.tests.ps1

@@ -99,7 +99,7 @@ InModuleScope $script:subModuleName {
         BeforeAll {
             $ini = "$PSScriptRoot\..\TestHelpers\sample.inf"
             $iniPath = Get-Item -Path $ini
-            Mock -CommandName Join-Path -MockWith {$iniPath.FullName}
+            Mock -CommandName Join-Path -MockWith {$iniPath.FullName} -ParameterFilter {$Path -eq "$env:temp"}
             Mock -CommandName Remove-Item
             $securityPolicy = Get-SecurityPolicy -Area 'USER_RIGHTS'
         }

build.yaml

@@ -80,6 +80,10 @@ ModuleBuildTasks:
   # - ModuleName: 'alias to search'
   Sampler:
     - '*.build.Sampler.ib.tasks' # this means: import (dot source) all aliases ending with .ib.tasks exported by sampler module
+  Sampler.GitHubTasks:
+    - '*.ib.tasks'
+  DscResource.DocGenerator:
+    - 'Task.*'
 
 # Invoke-Build Header to be used to 'decorate' the terminal output of the tasks.
 TaskHeader: |

source/DSCResources/MSFT_AccountPolicy/MSFT_AccountPolicy.psm1

@@ -26,17 +26,17 @@ function Get-TargetResource
     }
 
     $currentSecurityPolicy = Get-SecurityPolicy -Area SECURITYPOLICY
-    $accountPolicyData = Get-PolicyOptionData -FilePath $("$PSScriptRoot\AccountPolicyData.psd1").Normalize()
-    $accountPolicyList = Get-PolicyOptionList -ModuleName MSFT_AccountPolicy
+    $policyDataFilePath = Join-Path -Path $PSScriptRoot -ChildPath 'AccountPolicyData.psd1'
+    $accountPolicyData = Import-PowerShellDataFile -Path $policyDataFilePath
 
-    foreach ($accountPolicy in $accountPolicyList)
+    foreach ($accountPolicy in $accountPolicyData.Keys)
     {
         Write-Verbose -Message $accountPolicy
-        $section = $accountPolicyData.$accountPolicy.Section
+        $section = $accountPolicyData[$accountPolicy].Section
         Write-Verbose -Message ($script:localizedData.Section -f $section)
-        $valueName = $accountPolicyData.$accountPolicy.Value
+        $valueName = $accountPolicyData[$accountPolicy].Value
         Write-Verbose -Message ($script:localizedData.Value -f $valueName)
-        $options = $accountPolicyData.$accountPolicy.Option
+        $options = $accountPolicyData[$accountPolicy].Option
         Write-Verbose -Message ($script:localizedData.Option -f $($options -join ','))
         $currentValue = $currentSecurityPolicy.$section.$valueName
         Write-Verbose -Message ($script:localizedData.RawValue -f $($currentValue -join ','))
@@ -158,12 +158,12 @@ function Set-TargetResource
     $kerberosPolicies = @()
     $systemAccessPolicies = @()
     $nonComplaintPolicies = @()
-    $accountPolicyList = Get-PolicyOptionList -ModuleName MSFT_AccountPolicy
-    $accountPolicyData = Get-PolicyOptionData -FilePath $("$PSScriptRoot\AccountPolicyData.psd1").Normalize()
+    $policyDataFilePath = Join-Path -Path $PSScriptRoot -ChildPath 'AccountPolicyData.psd1'
+    $accountPolicyData = Import-PowerShellDataFile -Path $policyDataFilePath
     $script:seceditOutput = "$env:TEMP\Secedit-OutPut.txt"
     $accountPolicyToAddInf = "$env:TEMP\accountPolicyToAdd.inf"
 
-    $desiredPolicies = $PSBoundParameters.GetEnumerator() | Where-Object -FilterScript { $PSItem.key -in $accountPolicyList }
+    $desiredPolicies = $PSBoundParameters.GetEnumerator() | Where-Object -FilterScript {$PSItem.key -in $accountPolicyData.Keys}
 
     foreach ($policy in $desiredPolicies)
     {