AzSKInfo/AzSKInfo.ps1

Set-StrictMode -Version Latest
function Get-AzSKInfo
{
    
    <#
    .SYNOPSIS
    This command would help users to get details of various components of AzSK.
     
    .DESCRIPTION
    This command will fetch details of AzSK components and help user to provide details of different component using single command. Refer https://aka.ms/azskossdocs for more information
     
    .PARAMETER InfoType
        InfoType for which type of information required by user.
    .PARAMETER SubscriptionId
        Subscription id for which the security evaluation has to be performed.
    .PARAMETER ResourceGroupNames
        ResourceGroups for which the security evaluation has to be performed. Comma separated values are supported. Wildcards are not permitted. By default, the command gets all resources in the subscription.
    .PARAMETER ResourceType
        Gets only resources of the specified resource type. Wildcards are not permitted. e.g.: Microsoft.KeyVault/vaults. Run command 'Get-AzSKSupportedResourceTypes' to get the list of supported types.
    .PARAMETER ResourceTypeName
        Friendly name of resource type. e.g.: KeyVault. Run command 'Get-AzSKSupportedResourceTypes' to get the list of supported values.
    .PARAMETER ResourceNames
        Gets a resource with the specified name. Comma separated values are supported. Wildcards/like searches are not permitted. By default, the command gets all resources in the subscription.
    .PARAMETER Tag
        The tag filter for Azure resource. The expected format is @{tagName1=$null} or @{tagName = 'tagValue'; tagName2='value1'}.
    .PARAMETER TagName
        The name of the tag to query for Azure resource.
    .PARAMETER TagValue
        The value of the tag to query for Azure resource.
    .PARAMETER FilterTags
        Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc.
    .PARAMETER DoNotOpenOutputFolder
        Switch to specify whether to open output folder containing all security evaluation report or not.
    .PARAMETER UseBaselineControls
        This switch would scan only for baseline controls defined at org level
    .PARAMETER ControlIds
        Comma separated control ids to filter the security controls. e.g.: Azure_Subscription_AuthZ_Limit_Admin_Owner_Count, Azure_Storage_DP_Encrypt_At_Rest_Blob etc.
    .PARAMETER ControlSeverity
            Select one of the control severity (Critical, High, Low, Medium)
    .PARAMETER ControlIdContains
            The list of control ids for which fixes should be applied.
 
    .NOTES
    This command helps the application team to verify whether their Azure resources are compliant with the security guidance or not
 
    .LINK
    https://aka.ms/azskossdocs
 
    #>

    Param(
        [Parameter(Mandatory = $false)]
        [ValidateSet("SubscriptionInfo", "ControlInfo", "HostInfo" , "AttestationInfo", "ComplianceInfo","SPNInfo")] 
        [Alias("it")]
        $InfoType,

        [ResourceTypeName]
        [Alias("rtn")]
        $ResourceTypeName = [ResourceTypeName]::All,

        [string]
        [Alias("rt")]
        $ResourceType,

        [string]
        [Alias("cids")]
        $ControlIds,

        [switch]
        [Alias("ubc")]
        $UseBaselineControls,

        [switch]
        [Alias("upbc")]
        $UsePreviewBaselineControls,

        [string]
        [Alias("ft")]
        $FilterTags,

        [string]
        [Alias("sid","s")]
        $SubscriptionId,

        [string]
        [Alias("rgns")]
        $ResourceGroupNames,

        [string]
        [Alias("ResourceName","rns")]
        $ResourceNames,

        [Alias("cs")]
        $ControlSeverity,

        [string]
        [Alias("cidc")]
        $ControlIdContains,

                
        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder.")]
        [Alias("dnof")]
        $DoNotOpenOutputFolder,

        [Parameter(Mandatory = $false)]
        [Alias("xrtn")]
        [ResourceTypeName]
        $ExcludeResourceTypeName = [ResourceTypeName]::All,

        [string]
        [Alias("xrgns")]
        [Parameter(Mandatory = $false)]
        $ExcludeResourceGroupNames,

        [string]
        [Alias("xrns")]
        [Parameter(Mandatory = $false)]
        $ExcludeResourceNames
    )

    Begin
    {
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [AzListenerHelper]::RegisterListeners();
    }

    Process
    {
        try 
        {
            if ([string]::IsNullOrEmpty($SubscriptionId))
            {
                if((-not [string]::IsNullOrEmpty($InfoType)) -and ($InfoType.ToString() -eq 'AttestationInfo' -or $InfoType.ToString() -eq 'ComplianceInfo'))
                {
                    $SubscriptionId = Read-Host "SubscriptionId"
                    $SubscriptionId = $SubscriptionId.Trim()
                }
                else
                {
                    $SubscriptionId = [Constants]::BlankSubscriptionId
                }
            }

            if(-not [string]::IsNullOrEmpty($InfoType))
            {
                switch ($InfoType.ToString()) 
                {
                    SubscriptionInfo 
                    {
                        $basicInfo = [BasicInfo]::new($SubscriptionId, $PSCmdlet.MyInvocation);
                        if ($basicInfo) 
                        {
                            return $basicInfo.InvokeFunction($basicInfo.GetBasicInfo);
                        }
                    }
                    ControlInfo 
                    {
                        If($PSCmdlet.MyInvocation.BoundParameters["Verbose"] -and $PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent)
                        {
                            $Full = $true
                        }
                        else
                        {
                            $Full = $false
                        }

                        $controlsInfo = [ControlsInfo]::new($SubscriptionId, $PSCmdlet.MyInvocation, $ResourceTypeName, $ResourceType, $ControlIds, $UseBaselineControls, $UsePreviewBaselineControls, $FilterTags, $Full, $ControlSeverity, $ControlIdContains);
                        if ($controlsInfo) 
                        {
                            return $controlsInfo.InvokeFunction($controlsInfo.GetControlDetails);
                        }
                    }
                    HostInfo 
                    {
                        $environmentInfo = [EnvironmentInfo]::new($SubscriptionId, $PSCmdlet.MyInvocation);
                        if ($environmentInfo) 
                        {
                            return $environmentInfo.InvokeFunction($environmentInfo.GetEnvironmentInfo);
                        }
                    }
                    AttestationInfo
                    {
                        if([string]::IsNullOrWhiteSpace($ResourceType) -and [string]::IsNullOrWhiteSpace($ResourceTypeName))
                        {
                            $ResourceTypeName = [ResourceTypeName]::All
                        }
                        $resolver = [SVTResourceResolver]::new($SubscriptionId, $ResourceGroupNames, $ResourceNames, $ResourceType, $ResourceTypeName, $ExcludeResourceTypeName, $ExcludeResourceNames, $ExcludeResourceGroupNames);            

                        $attestationReport = [SVTStatusReport]::new($SubscriptionId, $PSCmdlet.MyInvocation, $resolver);
                        if ($attestationReport) 
                        {
                            $attestationReport.ControlIdString = $ControlIds;

                            [AttestationOptions] $attestationOptions = [AttestationOptions]::new();
                            #$attestationOptions.AttestationStatus = $AttestationStatus
                            $attestationReport.AttestationOptions = $attestationOptions;        
                            return  ([CommandBase]$attestationReport).InvokeFunction($attestationReport.FetchAttestationInfo);    
                        }     
                    }
                    ComplianceInfo
                    {
                        If($PSCmdlet.MyInvocation.BoundParameters["Verbose"] -and $PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent)
                        {
                            $Full = $true
                        }
                        else
                        {
                            $Full = $false
                        }
                        $complianceInfo = [ComplianceInfo]::new($SubscriptionId, $PSCmdlet.MyInvocation, $Full);
                        
                            
                        if ($complianceInfo) 
                        {
                                    return $complianceInfo.InvokeFunction($complianceInfo.GetComplianceInfo, @($UseBaselineControls, $UsePreviewBaselineControls));
                        }
                        
                    }
                    SPNInfo 
                    {
                        $SPNInfo = [SPNInfo]::new($SubscriptionId, $PSCmdlet.MyInvocation);
                        if ($SPNInfo) 
                        {
                            return $SPNInfo.InvokeFunction($SPNInfo.GetSPNInfo);
                        }
                    }
                    Default
                    {
                        Write-Host $([Constants]::DefaultInfoCmdMsg)
                    }
                }
            }
            else
            {
                Write-Host $([Constants]::DefaultInfoCmdMsg)
            }
        }
        catch 
        {
            [EventBase]::PublishGenericException($_);
        }  
    }

    End
    {
        [AzListenerHelper]::UnregisterListeners();
    }
}
function Update-AzSKPersistedState 
{    
    <#
    .SYNOPSIS
    This command helps in updating security state stored by DevOps Kit.
 
    .DESCRIPTION
    This command helps in updating security state stored by DevOps Kit.
     
    .PARAMETER SubscriptionId
        Subscription id for which DevOps Kit state has to be updated.
    .PARAMETER StateType
        This represents the specific type of DevOps Kit state that has to be updated.
    .PARAMETER FilePath
        Path to file containing list of controls for which state has to be updated.
    .PARAMETER DoNotOpenOutputFolder
        Switch to specify whether to open output folder containing all security evaluation report or not.
 
    .LINK
    https://aka.ms/azskossdocs
    #>

    Param(

        [string]
        [Parameter(Position = 0, Mandatory = $true, HelpMessage = "Subscription id for which DevOps Kit state has to be updated.", ParameterSetName = "Default")]
        [Parameter(Position = 0, Mandatory = $true, HelpMessage = "Subscription id for which DevOps Kit state has to be updated.", ParameterSetName = "UserComments")]
        [ValidateNotNullOrEmpty()]
        [Alias("sid")]
        $SubscriptionId,

        [string]
        [Parameter(Mandatory = $false, HelpMessage = "Path to file containing list of controls for which state has to be updated.", ParameterSetName = "UserComments")]
        [Alias("sp")]
        $FilePath,

        [ValidateSet("UserComments")]
        [Parameter(Mandatory = $true, HelpMessage = "This represents the specific type of DevOps Kit state that has to be updated.", ParameterSetName = "UserComments")]
        [Alias("st")]
        $StateType,
    
        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not.", ParameterSetName = "Default")]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not.", ParameterSetName = "UserComments")]
        [Alias("dnof")]
        $DoNotOpenOutputFolder
    )

    Begin
    {
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [AzListenerHelper]::RegisterListeners();
    }

    Process
    {
        try 
        {
            $persistedStateInfo = [PersistedStateInfo]::new($SubscriptionId, $PSCmdlet.MyInvocation);
            if ($persistedStateInfo -and $StateType -eq "UserComments") 
            {
                return $persistedStateInfo.InvokeFunction($persistedStateInfo.UpdatePersistedState,@($FilePath));
            }
        }
        catch 
        {
            [EventBase]::PublishGenericException($_);
        }          
    }

    End
    {
        [AzListenerHelper]::UnregisterListeners();
    }
}



function Get-AzSKSecurityRecommendationReport 
{    
    [OutputType([String])]
    Param
    (

        [string]
        [Parameter(Position = 0, Mandatory = $true, HelpMessage="Subscription id for which the security evaluation has to be performed.")]
        [ValidateNotNullOrEmpty()]
        [Alias("sid", "s")]
        $SubscriptionId,

        [string]
        [Parameter(Mandatory = $true, ParameterSetName = "ResourceGroupName")]
        [Alias("rgn")]
        $ResourceGroupName,

        [string[]]        
        [Parameter(Mandatory = $true, ParameterSetName = "Categories")]
        $Categories,
        
        [Parameter(Mandatory = $true, ParameterSetName = "ResourceTypeNames")]
        [ResourceTypeName[]]
        [Alias("rtns")]
        $ResourceTypeNames
    )

    Begin
    {
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [AzListenerHelper]::RegisterListeners();
    }

    Process
    {
    try 
        {
            $SecurityRecommendationsReport = [SecurityRecommendationsReport]::new($SubscriptionId, $PSCmdlet.MyInvocation);
            if ($SecurityRecommendationsReport) 
            {
                return $SecurityRecommendationsReport.InvokeFunction($SecurityRecommendationsReport.GenerateReport,@($ResourceGroupName, $ResourceTypeNames,$Categories));
            }
        }
        catch 
        {
            [EventBase]::PublishGenericException($_);
        }  
    }

    End
    {
        [AzListenerHelper]::UnregisterListeners();
    }
}