diff --git a/CHANGELOG.md b/CHANGELOG.md
index fb0593fc8..3c5e95c7d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -85,6 +85,9 @@
 - Minor change to the unit tests that did not correct assert the localized string when an account is not found.
 - Changes to ADDomainTrust
+ - BREAKING CHANGE: Renamed the parameter `TargetDomainAdministratorCredential`
+ to `TargetCredential` to better indicate that it is possible to impersonate
+ any credential with enough permission to perform the task ([issue #269](https://github.com/PowerShell/ActiveDirectoryDsc/issues/269)).
 - Refactored the resource to enable unit tests, and at the same time changed it to use the same code pattern as the resource xADObjectEnabledState.
 - Added unit tests ([issue #324](https://github.com/PowerShell/ActiveDirectoryDsc/issues/324)).
diff --git a/DSCResources/MSFT_ADDomainTrust/MSFT_ADDomainTrust.psm1 b/DSCResources/MSFT_ADDomainTrust/MSFT_ADDomainTrust.psm1
index 67a8766e5..51252549c 100644
--- a/DSCResources/MSFT_ADDomainTrust/MSFT_ADDomainTrust.psm1
+++ b/DSCResources/MSFT_ADDomainTrust/MSFT_ADDomainTrust.psm1
@@ -17,7 +17,7 @@ $script:localizedData = Get-LocalizedData -ResourceName 'MSFT_ADDomainTrust'
 .PARAMETER TargetDomainName
 Specifies the name of the Active Directory domain that is being trusted.
 
- .PARAMETER TargetDomainAdministratorCredential
+ .PARAMETER TargetCredential
 Specifies the credentials to authenticate to the target domain.
 
 .PARAMETER TrustType
@@ -43,7 +43,7 @@ function Get-TargetResource
 
 [Parameter(Mandatory = $true)]
 [System.Management.Automation.PSCredential]
- $TargetDomainAdministratorCredential,
+ $TargetCredential,
 
 [Parameter(Mandatory = $true)]
 [ValidateSet('External', 'Forest')]
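Review bot: The renamed `.PARAMETER TargetCredential` help in the -17,7 hunk keeps the old description `Specifies the credentials to authenticate to the target domain.`, so the reason the CHANGELOG gives for the rename — that the account only needs enough permission to perform the task, not domain-administrator membership — is invisible to anyone reading the resource help. Suggest extending the description to `Specifies the credentials to authenticate to the target domain. The account does not have to be a domain administrator, only to have enough permission to perform the task.` The same unchanged sentence is repeated in the -114, -283, -369 and -604 hunks, in the schema.mof Description and in about_ADDomainTrust.help.txt, so all of them should be aligned together. The comment-based help block and the Get-TargetResource function this hunk belongs to both start and end outside the hunk.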
@@ -57,19 +57,19 @@ function Get-TargetResource
 )
 
 # Return a credential object without the password.
- $cimCredentialInstance = New-CimCredentialInstance -Credential $TargetDomainAdministratorCredential
+ $cimCredentialInstance = New-CimCredentialInstance -Credential $TargetCredential
 
 $returnValue = @{
- SourceDomainName = $SourceDomainName
- TargetDomainName = $TargetDomainName
- TargetDomainAdministratorCredential = $cimCredentialInstance
+ SourceDomainName = $SourceDomainName
+ TargetDomainName = $TargetDomainName
+ TargetCredential = $cimCredentialInstance
 }
 
 $getTrustTargetAndSourceObject = @{
- SourceDomainName = $SourceDomainName
- TargetDomainName = $TargetDomainName
- TargetDomainAdministratorCredential = $TargetDomainAdministratorCredential
- TrustType = $TrustType
+ SourceDomainName = $SourceDomainName
+ TargetDomainName = $TargetDomainName
+ TargetCredential = $TargetCredential
+ TrustType = $TrustType
 }
 
 $trustSource, $trustTarget = Get-TrustSourceAndTargetObject @getTrustTargetAndSourceObject
@@ -114,7 +114,7 @@ function Get-TargetResource
 .PARAMETER TargetDomainName
 Specifies the name of the Active Directory domain that is being trusted.
 
- .PARAMETER TargetDomainAdministratorCredential
+ .PARAMETER TargetCredential
 Specifies the credentials to authenticate to the target domain.
 
 .PARAMETER TrustType
@@ -143,7 +143,7 @@ function Set-TargetResource
 
 [Parameter(Mandatory = $true)]
 [System.Management.Automation.PSCredential]
- $TargetDomainAdministratorCredential,
+ $TargetCredential,
 
 [Parameter(Mandatory = $true)]
 [ValidateSet('External', 'Forest')]
@@ -162,10 +162,10 @@ function Set-TargetResource
 )
 
 $getTrustTargetAndSourceObject = @{
- SourceDomainName = $SourceDomainName
- TargetDomainName = $TargetDomainName
- TargetDomainAdministratorCredential = $TargetDomainAdministratorCredential
- TrustType = $TrustType
+ SourceDomainName = $SourceDomainName
+ TargetDomainName = $TargetDomainName
+ TargetCredential = $TargetCredential
+ TrustType = $TrustType
 }
 
 $trustSource, $trustTarget = Get-TrustSourceAndTargetObject @getTrustTargetAndSourceObject
@@ -283,7 +283,7 @@ function Set-TargetResource
 .PARAMETER TargetDomainName
 Specifies the name of the Active Directory domain that is being trusted.
 
- .PARAMETER TargetDomainAdministratorCredential
+ .PARAMETER TargetCredential
 Specifies the credentials to authenticate to the target domain.
 
 .PARAMETER TrustType
@@ -313,7 +313,7 @@ function Test-TargetResource
 
 [Parameter(Mandatory = $true)]
 [System.Management.Automation.PSCredential]
- $TargetDomainAdministratorCredential,
+ $TargetCredential,
 
 [Parameter(Mandatory = $true)]
 [ValidateSet('External', 'Forest')]
@@ -369,7 +369,7 @@ function Test-TargetResource
 .PARAMETER TargetDomainName
 Specifies the name of the Active Directory domain that is being trusted.
 
- .PARAMETER TargetDomainAdministratorCredential
+ .PARAMETER TargetCredential
 Specifies the credentials to authenticate to the target domain.
 
 .PARAMETER TrustType
@@ -398,7 +398,7 @@ function Compare-TargetResourceState
 
 [Parameter(Mandatory = $true)]
 [System.Management.Automation.PSCredential]
- $TargetDomainAdministratorCredential,
+ $TargetCredential,
 
 [Parameter(Mandatory = $true)]
 [ValidateSet('External', 'Forest')]
@@ -417,11 +417,11 @@ function Compare-TargetResourceState
 )
 
 $getTargetResourceParameters = @{
- SourceDomainName = $SourceDomainName
- TargetDomainName = $TargetDomainName
- TargetDomainAdministratorCredential = $TargetDomainAdministratorCredential
- TrustType = $TrustType
- TrustDirection = $TrustDirection
+ SourceDomainName = $SourceDomainName
+ TargetDomainName = $TargetDomainName
+ TargetCredential = $TargetCredential
+ TrustType = $TrustType
+ TrustDirection = $TrustDirection
 }
 
 $getTargetResourceResult = Get-TargetResource @getTargetResourceParameters
@@ -604,7 +604,7 @@ function ConvertFrom-DirectoryContextType
 .PARAMETER TargetDomainName
 Specifies the name of the Active Directory domain that is being trusted.
 
- .PARAMETER TargetDomainAdministratorCredential
+ .PARAMETER TargetCredential
 Specifies the credentials to authenticate to the target domain.
 
 .PARAMETER TrustType
@@ -632,7 +632,7 @@ function Get-TrustSourceAndTargetObject
 
 [Parameter(Mandatory = $true)]
 [System.Management.Automation.PSCredential]
- $TargetDomainAdministratorCredential,
+ $TargetCredential,
 
 [Parameter(Mandatory = $true)]
 [ValidateSet('External', 'Forest')]
@@ -646,7 +646,7 @@ function Get-TrustSourceAndTargetObject
 $getADDirectoryContextParameters = @{
 DirectoryContextType = $directoryContextType
 Name = $TargetDomainName
- Credential = $TargetDomainAdministratorCredential
+ Credential = $TargetCredential
 }
 
 $targetDirectoryContext = Get-ADDirectoryContext @getADDirectoryContextParameters
diff --git a/DSCResources/MSFT_ADDomainTrust/MSFT_ADDomainTrust.schema.mof b/DSCResources/MSFT_ADDomainTrust/MSFT_ADDomainTrust.schema.mof
index a67e340dc..0e6fd0b7e 100644
--- a/DSCResources/MSFT_ADDomainTrust/MSFT_ADDomainTrust.schema.mof
+++ b/DSCResources/MSFT_ADDomainTrust/MSFT_ADDomainTrust.schema.mof
@@ -2,7 +2,7 @@
 class MSFT_ADDomainTrust : OMI_BaseResource
 {
 [Write, Description("Specifies whether the computer account is present or absent. Default value is 'Present'."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
- [Required, Description("Specifies the credentials to authenticate to the target domain."), EmbeddedInstance("MSFT_Credential")] String TargetDomainAdministratorCredential;
+ [Required, Description("Specifies the credentials to authenticate to the target domain."), EmbeddedInstance("MSFT_Credential")] String TargetCredential;
 [Key, Description("Specifies the name of the Active Directory domain that is being trusted.")] String TargetDomainName;
 [Required, Description("Specifies the type of trust. The value 'External' means the context Domain, while the value 'Forest' means the context 'Forest'."), ValueMap{"External","Forest"}, Values{"External","Forest"}] String TrustType;
 [Required, Description("Specifies the direction of the trust."), ValueMap{"Bidirectional","Inbound","Outbound"}, Values{"Bidirectional","Inbound","Outbound"}] String TrustDirection;
diff --git a/DSCResources/MSFT_ADDomainTrust/en-US/about_ADDomainTrust.help.txt b/DSCResources/MSFT_ADDomainTrust/en-US/about_ADDomainTrust.help.txt
index c81b563ab..faecf47d0 100644
--- a/DSCResources/MSFT_ADDomainTrust/en-US/about_ADDomainTrust.help.txt
+++ b/DSCResources/MSFT_ADDomainTrust/en-US/about_ADDomainTrust.help.txt
@@ -13,7 +13,7 @@
 Allowed values: Present, Absent
 Specifies whether the computer account is present or absent. Default value is 'Present'.
 
-.PARAMETER TargetDomainAdministratorCredential
+.PARAMETER TargetCredential
 Required - String
 Specifies the credentials to authenticate to the target domain.
 
@@ -63,12 +63,12 @@ Configuration NewOneWayTrust_Config
 {
 ADDomainTrust 'Trust'
 {
- Ensure = 'Present'
- SourceDomainName = $SourceDomain
- TargetDomainName = $TargetDomain
- TargetDomainAdministratorCredential = $TargetDomainAdminCred
- TrustDirection = 'Inbound'
- TrustType = 'External'
+ Ensure = 'Present'
+ SourceDomainName = $SourceDomain
+ TargetDomainName = $TargetDomain
+ TargetCredential = $TargetDomainAdminCred
+ TrustDirection = 'Inbound'
+ TrustType = 'External'
 }
 }
 }
diff --git a/Examples/Resources/ADDomainTrust/1-NewOneWayTrust_Config.ps1 b/Examples/Resources/ADDomainTrust/1-NewOneWayTrust_Config.ps1
index 678698e5a..41cf579a4 100644
--- a/Examples/Resources/ADDomainTrust/1-NewOneWayTrust_Config.ps1
+++ b/Examples/Resources/ADDomainTrust/1-NewOneWayTrust_Config.ps1
@@ -45,12 +45,12 @@ Configuration NewOneWayTrust_Config
 {
 ADDomainTrust 'Trust'
 {
- Ensure = 'Present'
- SourceDomainName = $SourceDomain
- TargetDomainName = $TargetDomain
- TargetDomainAdministratorCredential = $TargetDomainAdminCred
- TrustDirection = 'Inbound'
- TrustType = 'External'
+ Ensure = 'Present'
+ SourceDomainName = $SourceDomain
+ TargetDomainName = $TargetDomain
+ TargetCredential = $TargetDomainAdminCred
+ TrustDirection = 'Inbound'
+ TrustType = 'External'
 }
 }
 }
diff --git a/Tests/Integration/MSFT_ADDomainTrust.Integration.Tests.ps1 b/Tests/Integration/MSFT_ADDomainTrust.Integration.Tests.ps1
index 552cf53a7..ea56fc1a8 100644
--- a/Tests/Integration/MSFT_ADDomainTrust.Integration.Tests.ps1
+++ b/Tests/Integration/MSFT_ADDomainTrust.Integration.Tests.ps1
@@ -75,7 +75,7 @@ try
 $resourceCurrentState.Ensure | Should -Be 'Present'
 $resourceCurrentState.SourceDomainName | Should -Be $configurationData.AllNodes.SourceDomain
 $resourceCurrentState.TargetDomainName | Should -Be $configurationData.AllNodes.TargetDomain
- $resourceCurrentState.TargetDomainAdministratorCredential.UserName | Should -Be $configurationData.AllNodes.TargetUserName
+ $resourceCurrentState.TargetCredential.UserName | Should -Be $configurationData.AllNodes.TargetUserName
 $resourceCurrentState.TrustType | Should -Be 'External'
 $resourceCurrentState.TrustDirection | Should -Be 'Outbound'
 }
@@ -126,7 +126,7 @@ try
 $resourceCurrentState.Ensure | Should -Be 'Present'
 $resourceCurrentState.SourceDomainName | Should -Be $configurationData.AllNodes.SourceDomain
 $resourceCurrentState.TargetDomainName | Should -Be $configurationData.AllNodes.TargetDomain
- $resourceCurrentState.TargetDomainAdministratorCredential.UserName | Should -Be $configurationData.AllNodes.TargetUserName
+ $resourceCurrentState.TargetCredential.UserName | Should -Be $configurationData.AllNodes.TargetUserName
 $resourceCurrentState.TrustType | Should -Be 'External'
 $resourceCurrentState.TrustDirection | Should -Be 'Inbound'
 }
@@ -177,7 +177,7 @@ try
 $resourceCurrentState.Ensure | Should -Be 'Absent'
 $resourceCurrentState.SourceDomainName | Should -Be $configurationData.AllNodes.SourceDomain
 $resourceCurrentState.TargetDomainName | Should -Be $configurationData.AllNodes.TargetDomain
- $resourceCurrentState.TargetDomainAdministratorCredential.UserName | Should -Be $configurationData.AllNodes.TargetUserName
+ $resourceCurrentState.TargetCredential.UserName | Should -Be $configurationData.AllNodes.TargetUserName
 $resourceCurrentState.TrustType | Should -BeNullOrEmpty
 $resourceCurrentState.TrustDirection | Should -BeNullOrEmpty
 }
@@ -228,7 +228,7 @@ try
 $resourceCurrentState.Ensure | Should -Be 'Present'
 $resourceCurrentState.SourceDomainName | Should -Be $configurationData.AllNodes.SourceForest
 $resourceCurrentState.TargetDomainName | Should -Be $configurationData.AllNodes.TargetForest
- $resourceCurrentState.TargetDomainAdministratorCredential.UserName | Should -Be $configurationData.AllNodes.TargetUserName
+ $resourceCurrentState.TargetCredential.UserName | Should -Be $configurationData.AllNodes.TargetUserName
 $resourceCurrentState.TrustType | Should -Be 'Forest'
 $resourceCurrentState.TrustDirection | Should -Be 'Outbound'
 }
@@ -279,7 +279,7 @@ try
 $resourceCurrentState.Ensure | Should -Be 'Present'
 $resourceCurrentState.SourceDomainName | Should -Be $configurationData.AllNodes.SourceForest
 $resourceCurrentState.TargetDomainName | Should -Be $configurationData.AllNodes.TargetForest
- $resourceCurrentState.TargetDomainAdministratorCredential.UserName | Should -Be $configurationData.AllNodes.TargetUserName
+ $resourceCurrentState.TargetCredential.UserName | Should -Be $configurationData.AllNodes.TargetUserName
 $resourceCurrentState.TrustType | Should -Be 'Forest'
 $resourceCurrentState.TrustDirection | Should -Be 'Inbound'
 }
@@ -330,7 +330,7 @@ try
 $resourceCurrentState.Ensure | Should -Be 'Absent'
 $resourceCurrentState.SourceDomainName | Should -Be $configurationData.AllNodes.SourceForest
 $resourceCurrentState.TargetDomainName | Should -Be $configurationData.AllNodes.TargetForest
- $resourceCurrentState.TargetDomainAdministratorCredential.UserName | Should -Be $configurationData.AllNodes.TargetUserName
+ $resourceCurrentState.TargetCredential.UserName | Should -Be $configurationData.AllNodes.TargetUserName
 $resourceCurrentState.TrustType | Should -BeNullOrEmpty
 $resourceCurrentState.TrustDirection | Should -BeNullOrEmpty
 }
diff --git a/Tests/Integration/MSFT_ADDomainTrust.config.ps1 b/Tests/Integration/MSFT_ADDomainTrust.config.ps1
index 7a97c395a..b530e2fa8 100644
--- a/Tests/Integration/MSFT_ADDomainTrust.config.ps1
+++ b/Tests/Integration/MSFT_ADDomainTrust.config.ps1
@@ -59,11 +59,11 @@ Configuration MSFT_ADDomainTrust_CreateDomainTrust_Config
 {
 ADDomainTrust 'Integration_Test'
 {
- SourceDomainName = $Node.SourceDomain
- TargetDomainName = $Node.TargetDomain
- TrustType = 'External'
- TrustDirection = 'Outbound'
- TargetDomainAdministratorCredential = New-Object `
+ SourceDomainName = $Node.SourceDomain
+ TargetDomainName = $Node.TargetDomain
+ TrustType = 'External'
+ TrustDirection = 'Outbound'
+ TargetCredential = New-Object `
 -TypeName System.Management.Automation.PSCredential `
 -ArgumentList @($Node.TargetUserName, (ConvertTo-SecureString -String $Node.TargetPassword -AsPlainText -Force))
 
@@ -83,11 +83,11 @@ Configuration MSFT_ADDomainTrust_ChangeDomainTrustDirection_Config
 {
 ADDomainTrust 'Integration_Test'
 {
- SourceDomainName = $Node.SourceDomain
- TargetDomainName = $Node.TargetDomain
- TrustType = 'External'
- TrustDirection = 'Inbound'
- TargetDomainAdministratorCredential = New-Object `
+ SourceDomainName = $Node.SourceDomain
+ TargetDomainName = $Node.TargetDomain
+ TrustType = 'External'
+ TrustDirection = 'Inbound'
+ TargetCredential = New-Object `
 -TypeName System.Management.Automation.PSCredential `
 -ArgumentList @($Node.TargetUserName, (ConvertTo-SecureString -String $Node.TargetPassword -AsPlainText -Force))
 
@@ -107,12 +107,12 @@ Configuration MSFT_ADDomainTrust_RemoveDomainTrust_Config
 {
 ADDomainTrust 'Integration_Test'
 {
- Ensure = 'Absent'
- SourceDomainName = $Node.SourceDomain
- TargetDomainName = $Node.TargetDomain
- TrustType = 'External'
- TrustDirection = 'Bidirectional'
- TargetDomainAdministratorCredential = New-Object `
+ Ensure = 'Absent'
+ SourceDomainName = $Node.SourceDomain
+ TargetDomainName = $Node.TargetDomain
+ TrustType = 'External'
+ TrustDirection = 'Bidirectional'
+ TargetCredential = New-Object `
 -TypeName System.Management.Automation.PSCredential `
 -ArgumentList @($Node.TargetUserName, (ConvertTo-SecureString -String $Node.TargetPassword -AsPlainText -Force))
 
@@ -132,11 +132,11 @@ Configuration MSFT_ADDomainTrust_CreateForestTrust_Config
 {
 ADDomainTrust 'Integration_Test'
 {
- SourceDomainName = $Node.SourceForest
- TargetDomainName = $Node.TargetForest
- TrustType = 'Forest'
- TrustDirection = 'Outbound'
- TargetDomainAdministratorCredential = New-Object `
+ SourceDomainName = $Node.SourceForest
+ TargetDomainName = $Node.TargetForest
+ TrustType = 'Forest'
+ TrustDirection = 'Outbound'
+ TargetCredential = New-Object `
 -TypeName System.Management.Automation.PSCredential `
 -ArgumentList @($Node.TargetUserName, (ConvertTo-SecureString -String $Node.TargetPassword -AsPlainText -Force))
 
@@ -156,11 +156,11 @@ Configuration MSFT_ADDomainTrust_ChangeForestTrustDirection_Config
 {
 ADDomainTrust 'Integration_Test'
 {
- SourceDomainName = $Node.SourceForest
- TargetDomainName = $Node.TargetForest
- TrustType = 'Forest'
- TrustDirection = 'Inbound'
- TargetDomainAdministratorCredential = New-Object `
+ SourceDomainName = $Node.SourceForest
+ TargetDomainName = $Node.TargetForest
+ TrustType = 'Forest'
+ TrustDirection = 'Inbound'
+ TargetCredential = New-Object `
 -TypeName System.Management.Automation.PSCredential `
 -ArgumentList @($Node.TargetUserName, (ConvertTo-SecureString -String $Node.TargetPassword -AsPlainText -Force))
 
@@ -180,12 +180,12 @@ Configuration MSFT_ADDomainTrust_RemoveForestTrust_Config
 {
 ADDomainTrust 'Integration_Test'
 {
- Ensure = 'Absent'
- SourceDomainName = $Node.SourceForest
- TargetDomainName = $Node.TargetForest
- TrustType = 'Forest'
- TrustDirection = 'Bidirectional'
- TargetDomainAdministratorCredential = New-Object `
+ Ensure = 'Absent'
+ SourceDomainName = $Node.SourceForest
+ TargetDomainName = $Node.TargetForest
+ TrustType = 'Forest'
+ TrustDirection = 'Bidirectional'
+ TargetCredential = New-Object `
 -TypeName System.Management.Automation.PSCredential `
 -ArgumentList @($Node.TargetUserName, (ConvertTo-SecureString -String $Node.TargetPassword -AsPlainText -Force))
 
diff --git a/Tests/Unit/MSFT_ADDomainTrust.Tests.ps1 b/Tests/Unit/MSFT_ADDomainTrust.Tests.ps1
index 54857f42f..42c5f585e 100644
--- a/Tests/Unit/MSFT_ADDomainTrust.Tests.ps1
+++ b/Tests/Unit/MSFT_ADDomainTrust.Tests.ps1
@@ -50,7 +50,7 @@ try
 $mockDefaultParameters = @{
 SourceDomainName = $mockSourceDomainName
 TargetDomainName = $mockTargetDomainName
- TargetDomainAdministratorCredential = $mockCredential
+ TargetCredential = $mockCredential
 TrustDirection = 'Outbound'
 Verbose = $true
 }
@@ -99,7 +99,7 @@ try
 $getTargetResourceResult = Get-TargetResource @mockGetTargetResourceParameters
 $getTargetResourceResult.SourceDomainName | Should -Be $mockGetTargetResourceParameters.SourceDomainName
 $getTargetResourceResult.TargetDomainName | Should -Be $mockGetTargetResourceParameters.TargetDomainName
- $getTargetResourceResult.TargetDomainAdministratorCredential.UserName | Should -Be $mockCredential.UserName
+ $getTargetResourceResult.TargetCredential.UserName | Should -Be $mockCredential.UserName
 }
 
 It 'Should return the correct values for the other properties' {
@@ -150,7 +150,7 @@ try
 $getTargetResourceResult = Get-TargetResource @mockGetTargetResourceParameters
 $getTargetResourceResult.SourceDomainName | Should -Be $mockGetTargetResourceParameters.SourceDomainName
 $getTargetResourceResult.TargetDomainName | Should -Be $mockGetTargetResourceParameters.TargetDomainName
- $getTargetResourceResult.TargetDomainAdministratorCredential.UserName | Should -Be $mockCredential.UserName
+ $getTargetResourceResult.TargetCredential.UserName | Should -Be $mockCredential.UserName
 }
 
 It 'Should return the correct values for the other properties' {
@@ -199,7 +199,7 @@ try
 $getTargetResourceResult = Get-TargetResource @mockGetTargetResourceParameters
 $getTargetResourceResult.SourceDomainName | Should -Be $mockGetTargetResourceParameters.SourceDomainName
 $getTargetResourceResult.TargetDomainName | Should -Be $mockGetTargetResourceParameters.TargetDomainName
- $getTargetResourceResult.TargetDomainAdministratorCredential.UserName | Should -Be $mockCredential.UserName
+ $getTargetResourceResult.TargetCredential.UserName | Should -Be $mockCredential.UserName
 }
 
 It 'Should return the correct values for the other properties' {
@@ -217,7 +217,7 @@ try
 $mockDefaultParameters = @{
 SourceDomainName = $mockSourceDomainName
 TargetDomainName = $mockTargetDomainName
- TargetDomainAdministratorCredential = $mockCredential
+ TargetCredential = $mockCredential
 Verbose = $true
 }
 }
@@ -362,7 +362,7 @@ try
 $mockDefaultParameters = @{
 SourceDomainName = $mockSourceDomainName
 TargetDomainName = $mockTargetDomainName
- TargetDomainAdministratorCredential = $mockCredential
+ TargetCredential = $mockCredential
 Verbose = $true
 }
 
@@ -371,7 +371,7 @@ try
 Ensure = 'Absent'
 SourceDomainName = $mockSourceDomainName
 TargetDomainName = $mockTargetDomainName
- TargetDomainAdministratorCredential = $mockCredential
+ TargetCredential = $mockCredential
 TrustDirection = $null
 TrustType = $null
 }
@@ -382,7 +382,7 @@ try
 Ensure = 'Present'
 SourceDomainName = $mockSourceDomainName
 TargetDomainName = $mockTargetDomainName
- TargetDomainAdministratorCredential = $mockCredential
+ TargetCredential = $mockCredential
 TrustDirection = 'Outbound'
 TrustType = 'External'
 }
@@ -583,7 +583,7 @@ try
 $mockDefaultParameters = @{
 SourceDomainName = $mockSourceDomainName
 TargetDomainName = $mockTargetDomainName
- TargetDomainAdministratorCredential = $mockCredential
+ TargetCredential = $mockCredential
 TrustDirection = 'Outbound'
 Verbose = $true
 }
@@ -961,7 +961,7 @@ try
 $testParameters = @{
 SourceDomainName = $mockSourceDomainName
 TargetDomainName = $mockTargetDomainName
- TargetDomainAdministratorCredential = $mockCredential
+ TargetCredential = $mockCredential
 TrustType = $TrustType
 Verbose = $true
 }