WmiNamespaceSecurity.Tests.ps1

$nsname = "WmiNamespaceTest"
$nspath = "root\$nsname"
$testuser = "WmiNamespaceUser"
$testuserPassword = "Pa55w0rd!!"

$principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList ([Security.Principal.WindowsIdentity]::GetCurrent())
if (!$principal.IsInRole( [Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "These tests require an elevated PowerShell session"
}

# used to access the type until types export is supported
Import-Module WmiNamespaceSecurityResource
. (Get-module WmiNamespaceSecurityResource) { set-variable -name wminsclass -value ([type]"WmiNamespaceSecurity") -scope 1 }
. (Get-module WmiNamespaceSecurityResource) { set-variable -name wmiperms -value ([type]"WmiPermission") -scope 1 }

Describe "Set WMI Namespace Security" {
    BeforeAll {
        net user $testuser /delete 2> $null
        net user $testuser $testuserPassword /add 2> $null
        $ns = Get-CimInstance -Namespace root -ClassName __namespace -Filter "Name='$nsname'"
        if ($ns -ne $Null) {
            $ns | Remove-CimInstance
        }
        New-CimInstance -Namespace "root" -ClassName __namespace -Property @{Name=$nsname}
    }

    AfterAll {
        net user $testuser /delete 2> $null
        Get-CimInstance -Namespace root -ClassName __namespace -Filter "Name='$nsname'" | Remove-CimInstance
    }

    It "Add user to namespace ACL" {
        
        Configuration SetTest {
            Import-DscResource -Module WmiNamespaceSecurity
        
            WMINamespaceSecurity namespacetest {
                Path = "$nspath"
                AppliesTo = "self"
                Principal = "$testuser"
                AccessType = "Allow"
                Permission = "Enable", "MethodExecute", "ProviderWrite"
                Ensure = "Present"
            }
        }

        SetTest -OutputPath TestDrive:\dsc
        "TestDrive:\dsc\localhost.mof" | Should Exist

        Start-DscConfiguration -Path "TestDrive:\dsc" -Force -Wait
        $sd = $wminsclass::GetSecurityDescriptor($nspath)
        $ace = $wminsclass::FindAce($sd.DACL, $testuser, "Allow")
        $ace | Should Not BeNullOrEmpty
        $ace.AccessMask | Should BeExactly ([uint32]($wmiperms::Enable + $wmiperms::MethodExecute + $wmiperms::ProviderWrite))
    }

    It "Change user permission in namespace ACL" {
        
        Configuration SetTest {
            Import-DscResource -Module WmiNamespaceSecurity
        
            WMINamespaceSecurity namespacetest {
                Path = "$nspath"
                AppliesTo = "self"
                Principal = "$testuser"
                AccessType = "Allow"
                Permission = "Enable", "ProviderWrite"
                Ensure = "Present"
            }
        }

        SetTest -OutputPath TestDrive:\dsc
        "TestDrive:\dsc\localhost.mof" | Should Exist

        Start-DscConfiguration -Path "TestDrive:\dsc" -Force -Wait
        $sd = $wminsclass::GetSecurityDescriptor($nspath)
        $ace = $wminsclass::FindAce($sd.DACL, $testuser, "Allow")
        $ace | Should Not BeNullOrEmpty
        $ace.AccessMask | Should BeExactly ([uint32]($wmiperms::Enable + $wmiperms::ProviderWrite))
    }

    It "Remove user from namespace ACL" {
        
        Configuration SetTest {
            Import-DscResource -Module WmiNamespaceSecurity
        
            WMINamespaceSecurity namespacetest {
                Path = "$nspath"
                Principal = "$testuser"
                AccessType = "Allow"
                Ensure = "Absent"
            }
        }

        SetTest -OutputPath TestDrive:\dsc
        "TestDrive:\dsc\localhost.mof" | Should Exist

        Start-DscConfiguration -Path "TestDrive:\dsc" -Force -Wait
        $sd = $wminsclass::GetSecurityDescriptor($nspath)
        $ace, $index = $wminsclass::FindAce($sd.DACL, $testuser, "Allow")
        $ace | Should BeNullOrEmpty
        $index | Should BeExactly -1
    }

}