DSCResources/MSFT_xSPWebAppPolicy/MSFT_xSPWebAppPolicy.psm1

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [parameter(Mandatory = $true)]  [System.String] $WebAppUrl,
        [parameter(Mandatory = $true)]  [System.String] $UserName,
        [parameter(Mandatory = $true)]  [ValidateSet("Deny All","Deny Write","Full Read", "Full Control")] [System.String] $PermissionLevel,
        [parameter(Mandatory = $false)] [System.Boolean] $ActAsSystemUser,
        [parameter(Mandatory = $false)] [System.Management.Automation.PSCredential] $InstallAccount
    )

    Write-Verbose -Message "Getting web app policy for $UserName at $WebAppUrl"

    $result = Invoke-xSharePointCommand -Credential $InstallAccount -Arguments $PSBoundParameters -ScriptBlock {
        $params = $args[0]

        $wa = Get-SPWebApplication -Identity $params.WebAppUrl -ErrorAction SilentlyContinue

        if ($null -eq $wa) { return $null }
        
        if ($wa.Policies.UserName -contains $params.UserName) {
            $policyObject = $wa.Policies | Where-Object { $_.UserName -eq $params.UserName }
            return @{
                WebAppUrl = $params.WebAppUrl
                UserName = $params.UserName
                PermissionLevel = ($policyObject.PolicyRoleBindings | Select-Object -First 1).Name
                ActAsSystemUser = $policyObject.IsSystemUser
                InstallAccount = $params.InstallAccount
            }
        } else {
            foreach($userName in $wa.Policies.UserName) {
                $claimsPrincipal = New-SPClaimsPrincipal -EncodedClaim $userName -ErrorAction SilentlyContinue
                if (($null -ne $claimsPrincipal) -and ($claimsPrincipal.Value -eq $params.UserName)) {
                    $policyObject = $wa.Policies | Where-Object { $_.UserName -eq $userName }
                    return @{
                        WebAppUrl = $params.WebAppUrl
                        UserName = $claimsPrincipal.Value
                        PermissionLevel = ($policyObject.PolicyRoleBindings | Select-Object -First 1).Name
                        ActAsSystemUser = $policyObject.IsSystemUser
                        InstallAccount = $params.InstallAccount
                    }
                }
            }
            return $null 
        }
    }
    return $result
}


function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [parameter(Mandatory = $true)]  [System.String] $WebAppUrl,
        [parameter(Mandatory = $true)]  [System.String] $UserName,
        [parameter(Mandatory = $true)]  [ValidateSet("Deny All","Deny Write","Full Read", "Full Control")] [System.String] $PermissionLevel,
        [parameter(Mandatory = $false)] [System.Boolean] $ActAsSystemUser,
        [parameter(Mandatory = $false)] [System.Management.Automation.PSCredential] $InstallAccount
    )

    Write-Verbose -Message "Setting web app policy for $UserName at $WebAppUrl"

    $result = Invoke-xSharePointCommand -Credential $InstallAccount -Arguments $PSBoundParameters -ScriptBlock {
        $params = $args[0]

        $wa = Get-SPWebApplication -Identity $params.WebAppUrl -ErrorAction SilentlyContinue

        if ($null -eq $wa) { return $null }

        switch($params.PermissionLevel) {
            "Deny All" {
                $newRole = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll)    
            }
            "Deny Write" {
                $newRole = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyWrite)    
            }
            "Full Control" {
                $newRole = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)    
            }
            "Full Read" {
                $newRole = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)    
            }
        }
        
        if ($wa.Policies.UserName -contains $params.UserName) {
            $policyObject = $wa.Policies | Where-Object { $_.UserName -eq $params.UserName }
        } else {
            foreach($userName in $wa.Policies.UserName) {
                $claimsPrincipal = New-SPClaimsPrincipal -EncodedClaim $userName -ErrorAction SilentlyContinue
                if (($null -ne $claimsPrincipal) -and ($claimsPrincipal.Value -eq $params.UserName)) {
                    $policyObject = $wa.Policies | Where-Object { $_.UserName -eq $userName }
                }
            }
        }

        if ($null -ne $policyObject) {
            if ($params.ContainsKey("ActAsSystemUser") -eq $true) {
                $policyObject.IsSystemUser = $params.ActAsSystemUser
            }
            $policyObject.PolicyRoleBindings.RemoveAll()
            $policyObject.PolicyRoleBindings.Add($newRole)
            
            $wa.Update()
        } else {
            $newPolicy = $wa.Policies.Add($params.UserName, $params.UserName)
            $newPolicy.PolicyRoleBindings.Add($newRole)
            if ($params.ContainsKey("ActAsSystemUser") -eq $true) {
                $newPolicy.IsSystemUser = $params.ActAsSystemUser
            }

            $wa.Update()
        }
    }
}


function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [parameter(Mandatory = $true)]  [System.String] $WebAppUrl,
        [parameter(Mandatory = $true)]  [System.String] $UserName,
        [parameter(Mandatory = $true)]  [ValidateSet("Deny All","Deny Write","Full Read", "Full Control")] [System.String] $PermissionLevel,
        [parameter(Mandatory = $false)] [System.Boolean] $ActAsSystemUser,
        [parameter(Mandatory = $false)] [System.Management.Automation.PSCredential] $InstallAccount
    )

    $CurrentValues = Get-TargetResource @PSBoundParameters
    Write-Verbose -Message "Testing web app policy for $UserName at $WebAppUrl"
    if ($null -eq $CurrentValues) { return $false }
    return Test-xSharePointSpecificParameters -CurrentValues $CurrentValues -DesiredValues $PSBoundParameters -ValuesToCheck @("PermissionLevel", "ActAsSystemUser")
}

Export-ModuleMember -Function *-TargetResource