DomainManagement

1.7.145

internal/functions/groupPolicy/Test-GPPermissionFilter.ps1

                                function Test-GPPermissionFilter {

    <#

        .SYNOPSIS

            Tests, whether a GP Permission Filter applies to a specific GPO.

        .DESCRIPTION

            Tests, whether a GP Permission Filter applies to a specific GPO.

            Used primarily by Test-DMGPPermission to resolve applicable permissions that have target selection through filters.

        .PARAMETER GpoName

            The name of the GPO that is tested against.

        .PARAMETER Filter

            The filter string the represents the condition on which it applies.

        .PARAMETER Conditions

            The list of filter conditions contained in the filter-string.

            These are processed/parsed out when registering the filter using Register-DMGPPermissionFilter.

        .PARAMETER FilterHash

            The hashtable mapping filter to list of GPOs that the filter applies to.

        .EXAMPLE

            PS C:\> Test-GPPermissionFilter -GpoName $permissionObject.Name -Filter $_.Filter -Conditions $_.FilterConditions -FilterHash $filterToGPOMapping

            Tests, whether a GP Permission Filter applies to the specified GPO.

    #>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingInvokeExpression', '')]

    [OutputType([System.Boolean])]

    [CmdletBinding()]

    param (

        [Parameter(Mandatory = $true)]

        [string]

        $GpoName,

        [Parameter(Mandatory = $true)]

        [AllowNull()]

        [AllowEmptyString()]

        [string]

        $Filter,

        [Parameter(Mandatory = $true)]

        [AllowNull()]

        [AllowEmptyString()]

        [string[]]

        $Conditions,

        [Parameter(Mandatory = $true)]

        [hashtable]

        $FilterHash

    )

    if (-not $Filter.Trim()) { return $false }

    $testResults = @{ }

    foreach ($condition in $Conditions) {

        $testResults[$condition] = $FilterHash[$condition].DisplayName -contains $GpoName

    }

    $predicate = {

        param (

            $MatchInfo

        )

        "`$testResults['$($MatchInfo.Value)']"

    }

    $pattern = $Conditions -join "|"

    $resolvedFilter = [regex]::Replace($Filter, $pattern, $predicate)

    <#

    This is actually a safe operation:

    - The filter condition is tokenized and parsed for a very limited set of legal tokens (logical operators, parenthesis and filter names)

    - The filter names are constrained so that only letters, numbers and underscores can be used, making them safe for regex and injection purposes.

    These safety measures have been implemented in the parameter validations of Register-DMGPPermission and Register-DMGPPermissionFilter

    #>

    Invoke-Expression $resolvedFilter

}