DSCResources/DSC_xPSSessionConfiguration/DSC_xPSSessionConfiguration.psm1

$errorActionPreference = 'Stop'
Set-StrictMode -Version 'Latest'

$modulePath = Join-Path -Path (Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent) -ChildPath 'Modules'

# Import the shared modules
Import-Module -Name (Join-Path -Path $modulePath `
    -ChildPath (Join-Path -Path 'xPSDesiredStateConfiguration.Common' `
        -ChildPath 'xPSDesiredStateConfiguration.Common.psm1'))

Import-Module -Name (Join-Path -Path $modulePath -ChildPath 'DscResource.Common')

# Import Localization Strings
$script:localizedData = Get-LocalizedData -DefaultUICulture 'en-US'

<#
    .SYNOPSIS
        Returns the current state of the specified PSSessionConfiguration
 
    .PARAMETER Name
        Specifies the name of the session configuration.
#>

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $Name
    )

    Write-Verbose -Message ($script:localizedData.GetTargetResourceStartMessage -f $Name)

    # Try getting the specified endpoint
    $endpoint = Get-PSSessionConfiguration -Name $Name -ErrorAction SilentlyContinue -Verbose:$false

    # If endpoint is null, it is absent
    if ($null -eq $endpoint)
    {
        $ensure = 'Absent'
    }
    # If endpoint is present, check other properties
    else
    {
        $ensure = 'Present'

        # If runAsUser is specified, return only the username in the credential property
        if ($endpoint.RunAsUser)
        {
            $newCimInstanceParams = @{
                ClassName  = 'MSFT_Credential'

                Property   = @{
                    Username = [System.String] $endpoint.RunAsUser
                    Password = [System.String] $null
                }

                Namespace  = 'root/microsoft/windows/desiredstateconfiguration'
                ClientOnly = $true
            }

            $convertToCimCredential = New-CimInstance @newCimInstanceParams
        }

        $accessMode = Get-EndpointAccessMode -Endpoint $endpoint
    }

    @{
        Name                   = $Name
        RunAsCredential        = [Microsoft.Management.Infrastructure.CimInstance] $convertToCimCredential
        SecurityDescriptorSDDL = $endpoint.Permission
        StartupScript          = $endpoint.StartupScript
        AccessMode             = $accessMode
        Ensure                 = $ensure
    }

    Write-Verbose -Message ($script:localizedData.GetTargetResourceEndMessage -f $Name)
}

<#
    .SYNOPSIS
        Ensures the specified PSSessionConfiguration is in its desired state
 
    .PARAMETER Name
        Specifies the name of the session configuration.
 
    .PARAMETER StartupScript
        Specifies the startup script for the configuration.
        Enter the fully qualified path of a Windows PowerShell script.
 
    .PARAMETER RunAsCredential
        Specifies the credential for commands of this session configuration. By default, commands
        run with the permissions of the current user.
 
    .PARAMETER SecurityDescriptorSDDL
        Specifies the Security Descriptor Definition Language (SDDL) string for the configuration.
        This string determines the permissions that are required to use the new session configuration.
        To use a session configuration in a session, users must have at least Execute(Invoke)
        permission for the configuration.
 
    .PARAMETER AccessMode
        Enables and disables the session configuration and determines whether it can be used for
        remote or local sessions on the computer. The default value is 'Remote'.
 
    .PARAMETER Ensure
        Indicates if the session configuration should exist. The default value is 'Present'.
#>

function Set-TargetResource
{
    [CmdletBinding(SupportsShouldProcess = $true)]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $Name,

        [Parameter()]
        [AllowEmptyString()]
        [System.String]
        $StartupScript,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $RunAsCredential,

        [Parameter()]
        [System.String]
        $SecurityDescriptorSDDL,

        [Parameter()]
        [ValidateSet('Local', 'Remote', 'Disabled')]
        [System.String]
        $AccessMode = 'Remote',

        [Parameter()]
        [ValidateSet('Present', 'Absent')]
        [System.String]
        $Ensure = 'Present'
    )

    Write-Verbose -Message ($script:localizedData.SetTargetResourceStartMessage -f $Name)

    # Check if the session configuration exists
    Write-Verbose -Message ($script:localizedData.CheckEndpointMessage -f $Name)

    # Try to get a named session configuration
    $endpoint = Get-PSSessionConfiguration -Name $Name -ErrorAction SilentlyContinue -Verbose:$false

    if ($PSCmdlet.ShouldProcess(($script:localizedData.EnsureSessionConfigurationMessage -f $Ensure)))
    {
        # If endpoint is present, set ensure correctly
        if ($endpoint)
        {
            Write-Verbose -Message ($script:localizedData.EndpointNameMessage -f $Name, 'present')

            # If the endpoint should be absent, delete the endpoint
            if ($Ensure -eq 'Absent')
            {
                try
                {
                    <#
                        Set the following preference so the functions inside Unregister-PSSessionConfig
                        doesn't get these settings
                    #>

                    $oldDebugPrefernce = $DebugPreference
                    $oldVerbosePreference = $VerbosePreference
                    $DebugPreference = $VerbosePreference = "SilentlyContinue"

                    $unregisterPSSessionConfigParams = @{
                        Name             = $Name
                        Force            = $true
                        NoServiceRestart = $true
                        ErrorAction      = 'Stop'
                    }

                    $null = Unregister-PSSessionConfiguration @unregisterPSSessionConfigParams

                    # Reset the following preference to older values
                    $DebugPreference = $oldDebugPrefernce
                    $VerbosePreference = $oldVerbosePreference

                    Write-Verbose -Message ($script:localizedData.EndpointNameMessage -f $Name, 'absent')

                    $restartNeeded = $true
                }
                catch
                {
                    $invokeThrowErrorHelperParams = @{
                        ErrorId       = 'UnregisterPSSessionConfigurationFailed'
                        ErrorMessage  = $_.Exception
                        ErrorCategory = 'InvalidOperation'
                    }

                    Invoke-ThrowErrorHelper @invokeThrowErrorHelperParams
                }

            }

            # else validate endpoint properties and return the result
            else
            {
                # Remove Name and Ensure from the bound Parameters for splatting
                if ($PSBoundParameters.ContainsKey('Name'))
                {
                    $null = $PSBoundParameters.Remove('Name')
                }

                if ($PSBoundParameters.ContainsKey('Ensure'))
                {
                    $null = $PSBoundParameters.Remove('Ensure')
                }

                [System.Collections.Hashtable] $validatedProperties = (
                    Get-ValidatedResourcePropertyTable -Endpoint $endpoint @PSBoundParameters -Apply
                )
                $null = $validatedProperties.Add('Name', $Name)

                # If the $validatedProperties contain more than 1 key, something needs to be changed
                if ($validatedProperties.count -gt 1)
                {
                    try
                    {
                        $setPSSessionConfigurationParams = $validatedProperties.psobject.Copy()
                        $setPSSessionConfigurationParams['Force'] = $true
                        $setPSSessionConfigurationParams['NoServiceRestart'] = $true
                        $setPSSessionConfigurationParams['Verbose'] = $false
                        $null = Set-PSSessionConfiguration @setPSSessionConfigurationParams
                        $restartNeeded = $true

                        # Write verbose message for all the properties, except Name, that are changing
                        Write-EndpointMessage -Parameters $validatedProperties -keysToSkip 'Name'
                    }
                    catch
                    {
                        $invokeThrowErrorHelperParams = @{
                            ErrorId       = 'SetPSSessionConfigurationFailed'
                            ErrorMessage  = $_.Exception
                            ErrorCategory = 'InvalidOperation'
                        }

                        Invoke-ThrowErrorHelper @invokeThrowErrorHelperParams
                    }
                }
            }
        }
        else
        {
            # Named session configuration is absent
            Write-Verbose -Message ($script:localizedData.EndpointNameMessage -f $Name, 'absent')

            # If the endpoint should have been present, create it
            if ($Ensure -eq 'Present')
            {
                # Remove Ensure,Verbose,Debug from the bound Parameters for splatting
                foreach ($key in @('Ensure', 'Verbose', 'Debug'))
                {
                    if ($PSBoundParameters.ContainsKey($key))
                    {
                        $null = $PSBoundParameters.Remove($key)
                    }
                }

                # Register the endpoint with specified properties
                try
                {
                    <#
                        Set the following preference so the functions inside
                        Unregister-PSSessionConfig doesn't get these settings
                    #>

                    $oldDebugPrefernce = $DebugPreference
                    $oldVerbosePreference = $VerbosePreference
                    $DebugPreference = $VerbosePreference = "SilentlyContinue"

                    $null = Register-PSSessionConfiguration @PSBoundParameters -Force -NoServiceRestart

                    # Reset the following preference to older values
                    $DebugPreference = $oldDebugPrefernce
                    $VerbosePreference = $oldVerbosePreference

                    # If access mode is specified, set it on the endpoint
                    if ($PSBoundParameters.ContainsKey('AccessMode') -and $AccessMode -ne 'Remote')
                    {
                        $setPSSessionConfigurationParams = @{
                            Name             = $Name
                            AccessMode       = $AccessMode
                            Force            = $true
                            NoServiceRestart = $true
                            Verbose          = $false
                        }

                        $null = Set-PSSessionConfiguration @setPSSessionConfigurationParams
                    }

                    $restartNeeded = $true

                    Write-Verbose -Message ($script:localizedData.EndpointNameMessage -f $Name, 'present')
                }
                catch
                {
                    $invokeThrowErrorHelperParams = @{
                        ErrorId       = 'RegisterOrSetPSSessionConfigurationFailed'
                        ErrorMessage  = $_.Exception
                        ErrorCategory = 'InvalidOperation'
                    }

                    Invoke-ThrowErrorHelper @invokeThrowErrorHelperParams
                }
            }
        }

        <#
            Any change to existing endpoint or creating new endpoint requires WinRM restart.
            Since DSC(CIM) uses WSMan as well it will stop responding.
            Hence telling the DSC Engine to restart the machine
        #>

        if ($restartNeeded)
        {
            Set-DscMachineRebootRequired
        }
    }

    Write-Verbose -Message ($script:localizedData.SetTargetResourceEndMessage -f $Name)
}

<#
    .SYNOPSIS
        Tests if the specified PSSessionConfiguration is in its desired state
 
    .PARAMETER Name
        Specifies the name of the session configuration.
 
    .PARAMETER StartupScript
        Specifies the startup script for the configuration.
        Enter the fully qualified path of a Windows PowerShell script.
 
    .PARAMETER RunAsCredential
        Specifies the credential for commands of this session configuration. By default, commands
        run with the permissions of the current user.
 
    .PARAMETER SecurityDescriptorSDDL
        Specifies the Security Descriptor Definition Language (SDDL) string for the configuration.
        This string determines the permissions that are required to use the new session configuration.
        To use a session configuration in a session, users must have at least Execute(Invoke)
        permission for the configuration.
 
    .PARAMETER AccessMode
        Enables and disables the session configuration and determines whether it can be used for
        remote or local sessions on the computer. The default value is 'Remote'.
 
    .PARAMETER Ensure
        Indicates if the session configuration should exist. The default value is 'Present'.
#>

function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $Name,

        [Parameter()]
        [AllowEmptyString()]
        [System.String]
        $StartupScript,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $RunAsCredential,

        [Parameter()]
        [System.String]
        $SecurityDescriptorSDDL,

        [Parameter()]
        [ValidateSet('Local', 'Remote', 'Disabled')]
        [System.String]
        $AccessMode = 'Remote',

        [Parameter()]
        [ValidateSet('Present', 'Absent')]
        [System.String]
        $Ensure = 'Present'
    )

    Write-Verbose -Message ($script:localizedData.TestTargetResourceStartMessage -f $Name)

    #region Input Validation
    # Check if the endpoint name is blank/whitespaced string
    if ([System.String]::IsNullOrWhiteSpace($Name))
    {
        $invokeThrowErrorHelperParams = @{
            ErrorId       = 'BlankString'
            ErrorMessage  = $script:localizedData.WhitespacedStringMessage -f 'name'
            ErrorCategory = 'SyntaxError'
        }

        Invoke-ThrowErrorHelper @invokeThrowErrorHelperParams
    }

    # Check for Startup script path and extension
    if ($PSBoundParameters.ContainsKey('StartupScript'))
    {
        # Check if startup script path is valid
        if (!(Test-Path -Path $StartupScript))
        {
            $invokeThrowErrorHelperParams = @{
                ErrorId       = 'PathNotFound'
                ErrorMessage  = $script:localizedData.StartupPathNotFoundMessage -f $StartupScript
                ErrorCategory = 'ObjectNotFound'
            }

            Invoke-ThrowErrorHelper @invokeThrowErrorHelperParams
        }

        # Check the startup script extension
        $startupScriptFileExtension = $StartupScript.Split('.')[-1]

        if ($startupScriptFileExtension -ne 'ps1')
        {
            $invokeThrowErrorHelperParams = @{
                ErrorId       = 'WrongFileExtension'
                ErrorMessage  =
                $script:localizedData.WrongStartupScriptExtensionMessage -f $startupScriptFileExtension
                ErrorCategory = 'InvalidData'
            }

            Invoke-ThrowErrorHelper @invokeThrowErrorHelperParams
        }
    }

    # Check if SecurityDescriptorSDDL is whitespaced
    if ($PSBoundParameters.ContainsKey('SecurityDescriptorSDDL') -and
        [System.String]::IsNullOrWhiteSpace($SecurityDescriptorSDDL))
    {
        $invokeThrowErrorHelperParams = @{
            ErrorId       = 'BlankString'
            ErrorMessage  = $script:localizedData.WhitespacedStringMessage -f 'securityDescriptorSddl'
            ErrorCategory = 'SyntaxError'
        }

        Invoke-ThrowErrorHelper @invokeThrowErrorHelperParams
    }

    # Check if the RunAsCredential is not empty
    if ($PSBoundParameters.ContainsKey('RunAsCredential') -and
        ($RunAsCredential -eq [System.Management.Automation.PSCredential]::Empty))
    {
        $invokeThrowErrorHelperParams = @{
            ErrorId       = 'EmptyCredential'
            ErrorMessage  = $script:localizedData.EmptyCredentialMessage
            ErrorCategory = 'InvalidArgument'
        }

        Invoke-ThrowErrorHelper @invokeThrowErrorHelperParams
    }
    #endregion

    # Check if the session configuration exists
    Write-Verbose -Message ($script:localizedData.CheckEndpointMessage -f $Name)

    try
    {
        # Try to get a named session configuration
        $endpoint = Get-PSSessionConfiguration -Name $Name -ErrorAction Stop -Verbose:$false

        Write-Verbose -Message ($script:localizedData.EndpointNameMessage -f $Name, 'present')

        # If the endpoint shouldn't be present, return false
        if ($Ensure -eq 'Absent')
        {
            return $false
        }
        # else validate endpoint properties and return the result
        else
        {
            # Remove Name and Ensure from the bound Parameters for splatting
            if ($PSBoundParameters.ContainsKey('Name'))
            {
                $null = $PSBoundParameters.Remove('Name')
            }

            if ($PSBoundParameters.ContainsKey('Ensure'))
            {
                $null = $PSBoundParameters.Remove('Ensure')
            }

            return (Get-ValidatedResourcePropertyTable -Endpoint $endpoint @PSBoundParameters)
        }
    }
    catch [Microsoft.PowerShell.Commands.WriteErrorException]
    {
        Write-Verbose -Message ($script:localizedData.EndpointNameMessage -f $Name, 'absent')

        return ($Ensure -eq 'Absent')
    }

    Write-Verbose -Message ($script:localizedData.TestTargetResourceEndMessage -f $Name)
}

<#
    .SYNOPSIS
        Helper function to translate the endpoint's accessmode
        to the 'Disabled', 'Local', 'Remote' values
 
    .PARAMETER Endpoint
        Specifies a valid session configuration endpoint object
#>

function Get-EndpointAccessMode
{
    [CmdletBinding()]
    [OutputType([System.String])]
    param
    (
        [Parameter(Mandatory = $true)]
        $Endpoint
    )

    if (-not $endpoint.Enabled)
    {
        return 'Disabled'
    }
    elseif ($endpoint.Permission -and
        ($endpoint.Permission).contains('NT AUTHORITY\NETWORK AccessDenied'))
    {
        return 'Local'
    }
    else
    {
        return 'Remote'
    }
}

<#
    .SYNOPSIS
        Helper function to write verbose messages for collection of properties
 
    .PARAMETER Parameters
        Specifies a properties Hashtable.
 
    .PARAMETER KeysToSkip
        Specifies an array of Hashtable keys to ignore.
#>

function Write-EndpointMessage
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Collections.Hashtable]
        $Parameters,

        [Parameter(Mandatory = $true)]
        [System.String[]]
        $KeysToSkip
    )

    foreach ($key in $Parameters.keys)
    {
        if ($KeysToSkip -notcontains $key)
        {
            Write-Verbose -Message ($script:localizedData.SetPropertyMessage -f $key, $Parameters[$key])
        }
    }
}

<#
    .SYNOPSIS
        Helper function to get a Hashtable of validated endpoint properties
 
    .PARAMETER Endpoint
        Specifies a valid session configuration endpoint.
 
    .PARAMETER StartupScript
        Specifies the startup script for the configuration.
        Enter the fully qualified path of a Windows PowerShell script.
 
    .PARAMETER RunAsCredential
        Specifies the credential for commands of this session configuration.
 
    .PARAMETER SecurityDescriptorSDDL
        Specifies the Security Descriptor Definition Language (SDDL) string for the configuration.
 
    .PARAMETER AccessMode
        Enables and disables the session configuration and determines whether it can be used for
        remote or local sessions on the computer.
 
        The acceptable values for this parameter are:
        - Disabled
        - Local
        - Remote
 
    .PARAMETER Apply
        Indicates that this function should return a hashtable of validated endpoint properties.
        By default, this function returns the value $false.
#>

function Get-ValidatedResourcePropertyTable
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)]
        $Endpoint,

        [Parameter()]
        [System.String]
        $StartupScript,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $RunAsCredential,

        [Parameter()]
        [System.String]
        $SecurityDescriptorSDDL,

        [Parameter()]
        [ValidateSet('Local', 'Remote', 'Disabled')]
        [System.String]
        $AccessMode,

        [Parameter()]
        [System.Management.Automation.SwitchParameter]
        $Apply
    )

    if ($Apply)
    {
        $validatedProperties = @{}
    }

    # Check if the SDDL is same as specified
    if ($PSBoundParameters.ContainsKey('SecurityDescriptorSDDL'))
    {
        Write-Verbose -Message ($script:localizedData.CheckPropertyMessage -f 'SDDL',
            $SecurityDescriptorSDDL)

        # If endpoint SDDL is not same as specified
        if ($endpoint.SecurityDescriptorSddl -and
            ($endpoint.SecurityDescriptorSddl -ne $SecurityDescriptorSDDL))
        {
            $notDesiredSDDLMessage = $script:localizedData.NotDesiredPropertyMessage -f 'SDDL',
            $SecurityDescriptorSDDL, $endpoint.SecurityDescriptorSddl
            Write-Verbose -Message $notDesiredSDDLMessage

            if ($Apply)
            {
                $validatedProperties['SecurityDescriptorSddl'] = $SecurityDescriptorSDDL
            }
            else
            {
                return $false
            }
        }
        # If endpoint SDDL is same as specified
        else
        {
            Write-Verbose -Message ($script:localizedData.DesiredPropertyMessage -f 'SDDL',
                $SecurityDescriptorSDDL)
        }
    }

    # Check the RunAs user is same as specified
    if ($PSBoundParameters.ContainsKey('RunAsCredential'))
    {
        Write-Verbose -Message ($script:localizedData.CheckPropertyMessage -f 'RunAs user',
            $RunAsCredential.UserName)

        # If endpoint RunAsUser is not same as specified
        if ($endpoint.RunAsUser -ne $RunAsCredential.UserName)
        {
            Write-Verbose -Message ($script:localizedData.NotDesiredPropertyMessage -f 'RunAs user',
                $RunAsCredential.UserName, $endpoint.RunAsUser)

            if ($Apply)
            {
                $validatedProperties['RunAsCredential'] = $RunAsCredential
            }
            else
            {
                return $false
            }
        }
        # If endpoint RunAsUser is same as specified
        else
        {
            Write-Verbose -Message ($script:localizedData.DesiredPropertyMessage -f 'RunAs user',
                $RunAsCredential.UserName)
        }
    }

    # Check if the StartupScript is same as specified
    if ($PSBoundParameters.ContainsKey('StartupScript'))
    {
        Write-Verbose -Message ($script:localizedData.CheckPropertyMessage -f 'startup script',
            $StartupScript)

        # If endpoint StartupScript is not same as specified
        if ($endpoint.StartupScript -ne $StartupScript)
        {
            Write-Verbose -Message ($script:localizedData.NotDesiredPropertyMessage -f 'startup script',
                $StartupScript, $endpoint.StartupScript)

            if ($Apply)
            {
                $validatedProperties['StartupScript'] = $StartupScript
            }
            else
            {
                return $false
            }
        }
        # If endpoint StartupScript is same as specified
        else
        {
            Write-Verbose -Message ($script:localizedData.DesiredPropertyMessage -f 'startup script',
                $StartupScript)
        }
    }

    # Check if AccessMode is same as specified
    if ($PSBoundParameters.ContainsKey('AccessMode'))
    {
        Write-Verbose -Message ($script:localizedData.CheckPropertyMessage -f 'acess mode', $AccessMode)

        $curAccessMode = Get-EndpointAccessMode -Endpoint $Endpoint

        # If endpoint access mode is not same as specified
        if ($curAccessMode -ne $AccessMode)
        {
            Write-Verbose -Message ($script:localizedData.NotDesiredPropertyMessage -f 'access mode',
                $AccessMode, $curAccessMode)

            if ($Apply)
            {
                $validatedProperties['AccessMode'] = $AccessMode
            }
            else
            {
                return $false
            }
        }
        # If endpoint access mode is same as specified
        else
        {
            Write-Verbose -Message ($script:localizedData.DesiredPropertyMessage -f 'access mode',
                $AccessMode)
        }
    }

    if ($Apply)
    {
        return $validatedProperties
    }
    else
    {
        return ($Ensure -eq 'Present')
    }
}

<#
    .SYNOPSIS
        Invoke this helper function to throw a terminating error.
 
    .PARAMETER ErrorId
        Specifies a developer-defined identifier of the error.
        This identifier must be a non-localized string for a specific error type.
 
    .PARAMETER ExceptionMessage
        Specifies the message that describes the error.
 
    .PARAMETER ErrorCategory
        Specifies the category of the error.
#>

function Invoke-ThrowErrorHelper
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $ErrorId,

        [Parameter(Mandatory = $true)]
        [System.String]
        $ErrorMessage,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.ErrorCategory]
        $ErrorCategory
    )

    $exception = New-Object System.InvalidOperationException $ErrorMessage
    $errorRecord = New-Object System.Management.Automation.ErrorRecord $exception, $ErrorId,
    $ErrorCategory, $null

    throw $errorRecord
}

Export-ModuleMember -Function Get-TargetResource, Set-TargetResource, Test-TargetResource