DSCResources/MSFT_SPWebApplicationExtension/MSFT_SPWebApplicationExtension.psm1

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $WebAppUrl,

        [Parameter(Mandatory = $true)]
        [ValidateSet("Default", "Intranet", "Internet", "Extranet", "Custom")]
        [System.String]
        $Zone,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Url,

        [Parameter()]
        [System.String]
        $Port,

        [Parameter()]
        [System.String]
        $HostHeader,

        [Parameter()]
        [System.String]
        $CertificateThumbprint,

        [Parameter()]
        [System.Boolean]
        $UseServerNameIndication,

        [Parameter()]
        [System.Boolean]
        $AllowLegacyEncryption,

        [Parameter()]
        [System.String]
        $Path,

        [Parameter()]
        [System.Boolean]
        $AllowAnonymous,

        [Parameter()]
        [ValidateSet("Present", "Absent")]
        [System.String]
        $Ensure = "Present"
    )

    Write-Verbose -Message "Getting web application extension '$Name' config"

    $osVersion = Get-SPDscOSVersion
    if ($PSBoundParameters.ContainsKey("AllowLegacyEncryption") -and `
        ($osVersion.Major -ne 10 -or $osVersion.Build -ne 20348))
    {
        Write-Verbose ("You cannot specify the AllowLegacyEncryption parameter when using " + `
                "Windows Server 2019 or earlier.")

        return @{
            WebAppUrl = $WebAppUrl
            Zone      = $Zone
        }
    }

    if ($PSBoundParameters.ContainsKey("CertificateThumbprint") -or `
            $PSBoundParameters.ContainsKey("UseServerNameIndication") -or `
            $PSBoundParameters.ContainsKey("AllowLegacyEncryption"))
    {
        $productVersion = Get-SPDscInstalledProductVersion
        if ($productVersion.FileMajorPart -ne 16 -or `
                $productVersion.FileBuildPart -lt 13000)
        {
            Write-Verbose ("The parameters AllowLegacyEncryption, CertificateThumbprint or " + `
                    "UseServerNameIndication are only supported with SharePoint Server " + `
                    "Subscription Edition.")

            return @{
                WebAppUrl = $WebAppUrl
                Zone      = $Zone
            }
        }
    }

    $result = Invoke-SPDscCommand -Arguments $PSBoundParameters `
        -ScriptBlock {
        $params = $args[0]

        $wa = Get-SPWebApplication -Identity $params.WebAppUrl -ErrorAction SilentlyContinue

        if ($null -eq $wa)
        {
            Write-Verbose -Message "WebApplication $($params.WebAppUrl) does not exist"
            return @{
                WebAppUrl      = $params.WebAppUrl
                Name           = $params.Name
                Url            = $null
                Zone           = $null
                AllowAnonymous = $null
                Ensure         = "Absent"
            }
        }

        $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::$($params.Zone)
        $waExt = $wa.IisSettings[$zone]

        if ($null -eq $waExt)
        {
            return @{
                WebAppUrl      = $params.WebAppUrl
                Name           = $params.Name
                Url            = $params.Url
                Zone           = $params.zone
                AllowAnonymous = $params.AllowAnonymous
                Ensure         = "Absent"
            }
        }

        $publicUrl = (Get-SPAlternateURL -WebApplication $params.WebAppUrl -Zone $params.zone).PublicUrl

        if ($null -ne $waExt.SecureBindings.HostHeader) #default to SSL bindings if present
        {
            $HostHeader = $waExt.SecureBindings.HostHeader
            $Port = $waExt.SecureBindings.Port
        }
        else
        {
            $HostHeader = $waExt.ServerBindings.HostHeader
            $Port = $waExt.ServerBindings.Port
        }

        $waExtPath = $waExt.Path
        if (-not [System.String]::IsNullOrEmpty($waExtPath))
        {
            $waExtPath = $waExtPath.ToString()
        }

        return @{
            WebAppUrl               = $params.WebAppUrl
            Zone                    = $params.zone
            Name                    = $waExt.ServerComment
            Url                     = $PublicURL
            Port                    = $Port
            HostHeader              = $HostHeader
            CertificateThumbprint   = $waExt.SecureBindings[0].Certificate.Thumbprint
            UseServerNameIndication = $waExt.SecureBindings[0].UseServerNameIndication
            AllowLegacyEncryption   = -not $waExt.SecureBindings[0].DisableLegacyTls
            Path                    = $waExtPath
            AllowAnonymous          = $waExt.AllowAnonymous
            Ensure                  = "Present"
        }
    }
    return $result
}


function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $WebAppUrl,

        [Parameter(Mandatory = $true)]
        [ValidateSet("Default", "Intranet", "Internet", "Extranet", "Custom")]
        [System.String]
        $Zone,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Url,

        [Parameter()]
        [System.String]
        $Port,

        [Parameter()]
        [System.String]
        $HostHeader,

        [Parameter()]
        [System.String]
        $CertificateThumbprint,

        [Parameter()]
        [System.Boolean]
        $UseServerNameIndication,

        [Parameter()]
        [System.Boolean]
        $AllowLegacyEncryption,

        [Parameter()]
        [System.String]
        $Path,

        [Parameter()]
        [System.Boolean]
        $AllowAnonymous,

        [Parameter()]
        [ValidateSet("Present", "Absent")]
        [System.String]
        $Ensure = "Present"
    )

    Write-Verbose -Message "Setting web application extension '$Name' config"

    if ($PSBoundParameters.ContainsKey("Port") -eq $false)
    {
        $PSBoundParameters.Port = (New-Object -TypeName System.Uri $WebAppUrl).Port
    }

    $osVersion = Get-SPDscOSVersion
    if ($PSBoundParameters.ContainsKey("AllowLegacyEncryption") -and `
        ($osVersion.Major -ne 10 -or $osVersion.Build -ne 20348))
    {
        $message = ("You cannot specify the AllowLegacyEncryption parameter when using " + `
                "Windows Server 2019 or earlier.")
        Add-SPDscEvent -Message $message `
            -EntryType 'Error' `
            -EventID 100 `
            -Source $MyInvocation.MyCommand.Source
        throw $message
    }

    if ($PSBoundParameters.ContainsKey("CertificateThumbprint") -or `
            $PSBoundParameters.ContainsKey("UseServerNameIndication") -or `
            $PSBoundParameters.ContainsKey("AllowLegacyEncryption"))
    {
        $productVersion = Get-SPDscInstalledProductVersion
        if ($productVersion.FileMajorPart -ne 16 -or `
                $productVersion.FileBuildPart -lt 13000)
        {
            $message = ("The parameters AllowLegacyEncryption, CertificateThumbprint or " + `
                    "UseServerNameIndication are only supported with SharePoint Server " + `
                    "Subscription Edition.")
            Add-SPDscEvent -Message $message `
                -EntryType 'Error' `
                -EventID 100 `
                -Source $MyInvocation.MyCommand.Source
            throw $message
        }
    }

    if ($Ensure -eq "Present")
    {
        Invoke-SPDscCommand -Arguments @($PSBoundParameters, $MyInvocation.MyCommand.Source) `
            -ScriptBlock {
            $params = $args[0]
            $eventSource = $args[1]

            $wa = Get-SPWebApplication -Identity $params.WebAppUrl -ErrorAction SilentlyContinue
            if ($null -eq $wa)
            {
                $message = "Web Application with URL $($params.WebAppUrl) does not exist"
                Add-SPDscEvent -Message $message `
                    -EntryType 'Error' `
                    -EventID 100 `
                    -Source $eventSource
                throw $message
            }


            $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::$($params.Zone)
            $waExt = $wa.IisSettings[$zone]

            if ($null -eq $waExt)
            {
                $newWebAppExtParams = @{
                    Name = $params.Name
                    Url  = $params.Url
                    Zone = $params.zone
                }

                if ($params.ContainsKey("AllowAnonymous") -eq $true)
                {
                    $newWebAppExtParams.Add("AllowAnonymousAccess", $params.AllowAnonymous)
                }
                if ($params.ContainsKey("CertificateThumbprint") -eq $true)
                {
                    $cert = Get-SPCertificate -Thumbprint $params.CertificateThumbprint -Store "EndEntity"
                    if ($null -eq $cert)
                    {
                        $message = ("No certificate found with the specified thumbprint: " + `
                                "$($params.CertificateThumbprint). Make sure the certificate " + `
                                "is added to Certificate Management first!")
                        Add-SPDscEvent -Message $message `
                            -EntryType 'Error' `
                            -EventID 100 `
                            -Source $eventSource
                        throw $message
                    }
                    $newWebAppExtParams.Add("Certificate", $cert)
                }
                if ($params.ContainsKey("UseServerNameIndication") -eq $true)
                {
                    $newWebAppExtParams.Add("UseServerNameIndication", $params.UseServerNameIndication)
                }
                if ($params.ContainsKey("AllowLegacyEncryption") -eq $true)
                {
                    $newWebAppExtParams.Add("AllowLegacyEncryption", $params.AllowLegacyEncryption)
                }
                if ($params.ContainsKey("HostHeader") -eq $true)
                {
                    $newWebAppExtParams.Add("HostHeader", $params.HostHeader)
                }
                if ($params.ContainsKey("Path") -eq $true)
                {
                    $newWebAppExtParams.Add("Path", $params.Path)
                }
                if ($params.ContainsKey("Port") -eq $true)
                {
                    $newWebAppExtParams.Add("Port", $params.Port)
                }
                if ((New-Object -TypeName System.Uri $params.Url).Scheme -eq "https")
                {
                    $newWebAppExtParams.Add("SecureSocketsLayer", $true)
                }

                $wa | New-SPWebApplicationExtension @newWebAppExtParams | Out-Null
            }
            else
            {
                if ($params.ContainsKey("AllowAnonymous") -eq $true)
                {
                    $waExt.AllowAnonymous = $params.AllowAnonymous
                    $wa.Update()
                }

                $updateWebAppParams = @{
                    Identity = $params.WebAppUrl
                    Zone     = $params.Zone
                }

                if ($params.ContainsKey("CertificateThumbprint") -eq $true)
                {
                    $cert = Get-SPCertificate -Thumbprint $params.CertificateThumbprint -Store "EndEntity"
                    if ($null -eq $cert)
                    {
                        $message = ("No certificate found with the specified thumbprint: " + `
                                "$($params.CertificateThumbprint). Make sure the certificate " + `
                                "is added to Certificate Management first!")
                        Add-SPDscEvent -Message $message `
                            -EntryType 'Error' `
                            -EventID 100 `
                            -Source $eventSource
                        throw $message
                    }
                    $updateWebAppParams.Add("Certificate", $cert)
                }
                if ($params.ContainsKey("UseServerNameIndication") -eq $true)
                {
                    $updateWebAppParams.Add("UseServerNameIndication", $params.UseServerNameIndication)
                }
                if ($params.ContainsKey("AllowLegacyEncryption") -eq $true)
                {
                    $updateWebAppParams.Add("AllowLegacyEncryption", $params.AllowLegacyEncryption)
                }

                if ((New-Object -TypeName System.Uri $params.Url).Scheme -eq "https")
                {
                    $updateWebAppParams.Add("SecureSocketsLayer", $true)
                }

                $productVersion = Get-SPDscInstalledProductVersion
                if ($productVersion.FileMajorPart -eq 16 -and `
                        $productVersion.FileBuildPart -ge 13000)
                {
                    if ($params.ContainsKey("HostHeader") -eq $true)
                    {
                        $updateWebAppParams.Add("HostHeader", $params.HostHeader)
                    }

                    if ($params.ContainsKey("Port") -eq $true)
                    {
                        $updateWebAppParams.Add("Port", $params.Port)
                    }
                }

                Write-Verbose -Message "Updating web application extension with these parameters: $(Convert-SPDscHashtableToString -Hashtable $updateWebAppParams)"
                Set-SPWebApplication @updateWebAppParams | Out-Null
            }
        }
    }

    if ($Ensure -eq "Absent")
    {
        Invoke-SPDscCommand -Arguments @($PSBoundParameters, $MyInvocation.MyCommand.Source) `
            -ScriptBlock {
            $params = $args[0]
            $eventSource = $args[1]

            $wa = Get-SPWebApplication -Identity $params.WebAppUrl -ErrorAction SilentlyContinue
            if ($null -eq $wa)
            {
                $message = "Web Application with URL $($params.WebAppUrl) does not exist"
                Add-SPDscEvent -Message $message `
                    -EntryType 'Error' `
                    -EventID 100 `
                    -Source $eventSource
                throw $message
            }
            if ($null -ne $wa)
            {
                $wa | Remove-SPWebApplication -Zone $params.zone -Confirm:$false -DeleteIISSite
            }
        }
    }
}


function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $WebAppUrl,

        [Parameter(Mandatory = $true)]
        [ValidateSet("Default", "Intranet", "Internet", "Extranet", "Custom")]
        [System.String]
        $Zone,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Url,

        [Parameter()]
        [System.String]
        $Port,

        [Parameter()]
        [System.String]
        $HostHeader,

        [Parameter()]
        [System.String]
        $CertificateThumbprint,

        [Parameter()]
        [System.Boolean]
        $UseServerNameIndication,

        [Parameter()]
        [System.Boolean]
        $AllowLegacyEncryption,

        [Parameter()]
        [System.String]
        $Path,

        [Parameter()]
        [System.Boolean]
        $AllowAnonymous,

        [Parameter()]
        [ValidateSet("Present", "Absent")]
        [System.String]
        $Ensure = "Present"
    )

    Write-Verbose -Message "Testing for web application extension '$Name'config"

    $PSBoundParameters.Ensure = $Ensure

    $CurrentValues = Get-TargetResource @PSBoundParameters

    Write-Verbose -Message "Current Values: $(Convert-SPDscHashtableToString -Hashtable $CurrentValues)"
    Write-Verbose -Message "Target Values: $(Convert-SPDscHashtableToString -Hashtable $PSBoundParameters)"

    $result = Test-SPDscParameterState -CurrentValues $CurrentValues `
        -Source $($MyInvocation.MyCommand.Source) `
        -DesiredValues $PSBoundParameters `
        -ValuesToCheck @(
        "AllowAnonymous",
        "AllowLegacyEncryption",
        "CertificateThumbprint",
        "Ensure",
        "UseServerNameIndication"
    )

    Write-Verbose -Message "Test-TargetResource returned $result"

    return $result
}

function Export-TargetResource
{
    $VerbosePreference = "SilentlyContinue"
    $ParentModuleBase = Get-Module "SharePointDsc" -ListAvailable | Select-Object -ExpandProperty Modulebase
    $module = Join-Path -Path $ParentModuleBase -ChildPath  "\DSCResources\MSFT_SPWebApplicationExtension\MSFT_SPWebApplicationExtension.psm1" -Resolve
    $Content = ''
    $params = Get-DSCFakeParameters -ModulePath $module
    $zones = @("Default", "Intranet", "Internet", "Extranet", "Custom")
    $webApps = Get-SPWebApplication
    foreach ($wa in $webApps)
    {
        try
        {
            if ($null -ne $wa)
            {
                $params.WebAppUrl = $wa.Url

                for ($i = 0; $i -lt $zones.Length; $i++)
                {
                    if ($null -ne $wa.IisSettings[$zones[$i]])
                    {
                        $params.Zone = $zones[$i]
                        $PartialContent = " SPWebApplicationExtension " + [System.Guid]::NewGuid().toString() + "`r`n"
                        $PartialContent += " {`r`n"
                        $results = Get-TargetResource @params

                        if ("" -eq $results.HostHeader)
                        {
                            $results.Remove("HostHeader")
                        }
                        if ($null -eq $results.AuthenticationProvider)
                        {
                            $results.Remove("AuthenticationProvider")
                        }
                        $results = Repair-Credentials -results $results
                        $results["Path"] = $results["Path"].ToString()
                        $currentBlock = Get-DSCBlock -Params $results -ModulePath $module
                        $currentBlock = Convert-DSCStringParamToVariable -DSCBlock $currentBlock -ParameterName "PsDscRunAsCredential"
                        $PartialContent += $currentBlock
                        $PartialContent += " }`r`n"
                        $Content += $PartialContent
                    }
                }
            }
        }
        catch
        {
            $Global:ErrorLog += "[Web Application Extensions]" + $wa.Url + "`r`n"
            $Global:ErrorLog += "$_`r`n`r`n"
        }
    }
    return $Content
}

Export-ModuleMember -Function *-TargetResource