diff --git a/CHANGELOG.md b/CHANGELOG.md index e85c160..a8fc0bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -62,6 +62,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added UDP 1434 to the defaults for the xSCCMPreReqs. - Fixed newline in the CMIniFile resource. - Removed WSUS top level feature. +- Added Security Scopes to CMDistributionGroup Resource ### Removed diff --git a/README.md b/README.md index 045f116..beb775d 100644 --- a/README.md +++ b/README.md @@ -908,6 +908,12 @@ Please check out common DSC Community [contributing guidelines](https://dsccommu Distribution Points to add to the Distribution Group. - **[String] DistributionPointsToExclude[]** _(Write)_: Specifies an array of Distribution Points to remove from the Distribution Group. +- **[String] SecurityScopes[]** _(Write)_: Specifies an array of Security Scopes + to match to the Distribution Group. +- **[String] SecurityScopesToInclude[]** _(Write)_: Specifies an array of + Security Scopes to add to the Distribution Group. +- **[String] SecurityScopesToExclude[]** _(Write)_: Specifies an array of + Security Scopes to remove from the Distribution Group. - **[String] Ensure** _(Write)_: Specifies whether the Distribution Group is present or absent. - Values include: { Present | Absent } diff --git a/source/DSCResources/DSC_CMDistributionGroup/DSC_CMDistributionGroup.psm1 b/source/DSCResources/DSC_CMDistributionGroup/DSC_CMDistributionGroup.psm1 index af6ee12..e427dc6 100644 --- a/source/DSCResources/DSC_CMDistributionGroup/DSC_CMDistributionGroup.psm1 +++ b/source/DSCResources/DSC_CMDistributionGroup/DSC_CMDistributionGroup.psm1 @@ -47,6 +47,13 @@ function Get-TargetResource $dpMembers += $dp.NetworkOSPath.SubString(2) } + $scopeObject = Get-CMObjectSecurityScope -InputObject $groupStatus + + foreach ($item in $scopeObject) + { + [array]$scopes += $item.CategoryName + } + $group = 'Present' } else @@ -58,6 +65,7 @@ function Get-TargetResource SiteCode = $SiteCode DistributionGroup = $DistributionGroup DistributionPoints = $dpMembers + SecurityScopes = $scopes Ensure = $group } } @@ -81,6 +89,15 @@ function Get-TargetResource .PARAMETER DistributionPointsToExclude Specifies an array of Distribution Points to remove from the Distribution Group. + .PARAMETER SecurityScopes + Specifies an array of Security Scopes to match to the Distribution Group. + + .PARAMETER SecurityScopesToInclude + Specifies an array of Security Scopes to add to the Distribution Group. + + .PARAMETER SecurityScopesToExclude + Specifies an array of Security Scopes to remove from the Distribution Group. + .PARAMETER Ensure Specifies if the Distribution Group is to be present or absent. #> @@ -109,6 +126,18 @@ function Set-TargetResource [String[]] $DistributionPointsToExclude, + [Parameter()] + [String[]] + $SecurityScopes, + + [Parameter()] + [String[]] + $SecurityScopesToInclude, + + [Parameter()] + [String[]] + $SecurityScopesToExclude, + [Parameter()] [ValidateSet('Present','Absent')] [String] @@ -137,6 +166,19 @@ function Set-TargetResource } } + if (-not $PSBoundParameters.ContainsKey('SecurityScopes') -and + $PSBoundParameters.ContainsKey('SecurityScopesToInclude') -and + $PSBoundParameters.ContainsKey('SecurityScopesToExclude')) + { + foreach ($item in $SecurityScopesToInclude) + { + if ($SecurityScopesToExclude -contains $item) + { + throw ($script:localizedData.ScopeInEx -f $item) + } + } + } + if ($state.Ensure -eq 'Absent') { Write-Verbose -Message ($script:localizedData.AddGroup -f $DistributionGroup) @@ -156,6 +198,7 @@ function Set-TargetResource if ($distroCompare.Missing) { + $distro = 'Distribution Point' foreach ($add in $distroCompare.Missing) { if (Get-CMDistributionPoint -Name $add) @@ -170,7 +213,7 @@ function Set-TargetResource } else { - $errorMsg += ($script:localizedData.ErrorGroup -f $add) + $errorMsg += ($script:localizedData.ErrorGroup -f $distro, $add) } } } @@ -189,6 +232,47 @@ function Set-TargetResource } } } + + if ($SecurityScopes -or $SecurityScopesToInclude -or $SecurityScopesToExclude) + { + $dgObject = Get-CMDistributionPointGroup -Name $DistributionGroup + + $scopesArray = @{ + Match = $SecurityScopes + Include = $SecurityScopesToInclude + Exclude = $SecurityScopesToExclude + CurrentState = $state.SecurityScopes + } + + $scopesCompare = Compare-MultipleCompares @scopesArray + + if ($scopesCompare.Missing) + { + $scopeError = 'Security Scope' + + foreach ($add in $scopesCompare.Missing) + { + if (Get-CMSecurityScope -Name $add) + { + Write-Verbose -Message ($script:localizedData.AddScope -f $add, $DistributionGroup) + Add-CMObjectSecurityScope -Name $add -InputObject $dgObject + } + else + { + $errorMsg += ($script:localizedData.ErrorGroup -f $scopeError, $add) + } + } + } + + if ($scopesCompare.Remove) + { + foreach ($remove in $scopesCompare.Remove) + { + Write-Verbose -Message ($script:localizedData.RemoveScope -f $remove, $DistributionGroup) + Remove-CMObjectSecurityScope -Name $remove -InputObject $dgObject + } + } + } } elseif ($state.Ensure -eq 'Present') { @@ -230,6 +314,15 @@ function Set-TargetResource .PARAMETER DistributionPointsToExclude Specifies an array of Distribution Points to remove from the Distribution Group. + .PARAMETER SecurityScopes + Specifies an array of Security Scopes to match to the Distribution Group. + + .PARAMETER SecurityScopesToInclude + Specifies an array of Security Scopes to add to the Distribution Group. + + .PARAMETER SecurityScopesToExclude + Specifies an array of Security Scopes to remove from the Distribution Group. + .PARAMETER Ensure Specifies if the Distribution Group is to be present or absent. #> @@ -259,6 +352,18 @@ function Test-TargetResource [String[]] $DistributionPointsToExclude, + [Parameter()] + [String[]] + $SecurityScopes, + + [Parameter()] + [String[]] + $SecurityScopesToInclude, + + [Parameter()] + [String[]] + $SecurityScopesToExclude, + [Parameter()] [ValidateSet('Present','Absent')] [String] @@ -294,32 +399,81 @@ function Test-TargetResource } } + if ($PSBoundParameters.ContainsKey('SecurityScopes')) + { + if ($PSBoundParameters.ContainsKey('SecurityScopesToInclude') -or + $PSBoundParameters.ContainsKey('SecurityScopesToExclude')) + { + Write-Warning -Message $script:localizedData.ParamIgnoreScopes + } + } + elseif (-not $PSBoundParameters.ContainsKey('SecurityScopes') -and + $PSBoundParameters.ContainsKey('SecurityScopesToInclude') -and + $PSBoundParameters.ContainsKey('SecurityScopesToExclude')) + { + foreach ($item in $SecurityScopesToInclude) + { + if ($SecurityScopesToExclude -contains $item) + { + Write-Warning -Message ($script:localizedData.DistroInEx -f $item) + $result = $false + } + } + } + if ($state.Ensure -eq 'Absent') { Write-Verbose -Message ($script:localizedData.GroupMissing -f $DistributionGroup) $result = $false } - elseif ($DistributionPoints -or $DistributionPointsToInclude -or $DistributionPointsToExclude) + else { - $distroArray = @{ - Match = $DistributionPoints - Include = $DistributionPointsToInclude - Exclude = $DistributionPointsToExclude - CurrentState = $state.DistributionPoints - } + if ($DistributionPoints -or $DistributionPointsToInclude -or $DistributionPointsToExclude) + { + $distroArray = @{ + Match = $DistributionPoints + Include = $DistributionPointsToInclude + Exclude = $DistributionPointsToExclude + CurrentState = $state.DistributionPoints + } - $distroCompare = Compare-MultipleCompares @distroArray + $distroCompare = Compare-MultipleCompares @distroArray - if ($distroCompare.Missing) - { - Write-Verbose -Message ($script:localizedData.DistroMissing -f ($distroCompare.Missing | Out-String)) - $result = $false + if ($distroCompare.Missing) + { + Write-Verbose -Message ($script:localizedData.DistroMissing -f ($distroCompare.Missing | Out-String)) + $result = $false + } + + if ($distroCompare.Remove) + { + Write-Verbose -Message ($script:localizedData.DistroRemove -f ($distroCompare.Remove | Out-String)) + $result = $false + } } - if ($distroCompare.Remove) + if ($SecurityScopes -or $SecurityScopesToInclude -or $SecurityScopesToExclude) { - Write-Verbose -Message ($script:localizedData.DistroRemove -f ($distroCompare.Remove | Out-String)) - $result = $false + $scopeArray = @{ + Match = $SecurityScopes + Include = $SecurityScopesToInclude + Exclude = $SecurityScopesToExclude + CurrentState = $state.SecurityScopes + } + + $scopeCompare = Compare-MultipleCompares @scopeArray + + if ($scopeCompare.Missing) + { + Write-Verbose -Message ($script:localizedData.ScopeMissing -f ($scopeCompare.Missing | Out-String)) + $result = $false + } + + if ($scopeCompare.Remove) + { + Write-Verbose -Message ($script:localizedData.ScopeRemove -f ($scopeCompare.Remove | Out-String)) + $result = $false + } } } } diff --git a/source/DSCResources/DSC_CMDistributionGroup/DSC_CMDistributionGroup.schema.mof b/source/DSCResources/DSC_CMDistributionGroup/DSC_CMDistributionGroup.schema.mof index ca5a9b7..153b4b1 100644 --- a/source/DSCResources/DSC_CMDistributionGroup/DSC_CMDistributionGroup.schema.mof +++ b/source/DSCResources/DSC_CMDistributionGroup/DSC_CMDistributionGroup.schema.mof @@ -6,5 +6,8 @@ class DSC_CMDistributionGroup : OMI_BaseResource [Write, Description("Specifies an array of Distribution Points to match to the Distribution Group.")] String DistributionPoints[]; [Write, Description("Specifies an array of Distribution Points to add to the Distribution Group.")] String DistributionPointsToInclude[]; [Write, Description("Specifies an array of Distribution Points to remove from the Distribution Group.")] String DistributionPointsToExclude[]; + [Write, Description("Specifies an array of Security Scopes to match to the Distribution Group.")] String SecurityScopes[]; + [Write, Description("Specifies an array of Security Scopes to add to the Distribution Group.")] String SecurityScopesToInclude[]; + [Write, Description("Specifies an array of Security Scopes to remove from the Distribution Group.")] String SecurityScopesToExclude[]; [Write, Description("Specifies whether the Distribution Group is present or absent."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; }; diff --git a/source/DSCResources/DSC_CMDistributionGroup/en-US/DSC_CMDistributionGroup.strings.psd1 b/source/DSCResources/DSC_CMDistributionGroup/en-US/DSC_CMDistributionGroup.strings.psd1 index 90f8683..d9d1560 100644 --- a/source/DSCResources/DSC_CMDistributionGroup/en-US/DSC_CMDistributionGroup.strings.psd1 +++ b/source/DSCResources/DSC_CMDistributionGroup/en-US/DSC_CMDistributionGroup.strings.psd1 @@ -3,13 +3,19 @@ ConvertFrom-StringData @' GroupMissing = NOTMATCH: {0} Distribution Group is absent expected present. DistroMissing = NOTMATCH: Distribution Group is missing the following Distribution Point: {0}. DistroRemove = NOTMATCH: Distribution Group expected the following Distribution Point to be absent: {0}. + ScopeMissing = NOTMatch: Distribution Group expected the following Scopes: {0}. + ScopeRemove = NOTMATCH: Distribution Group expected the following Scopes to be absent: {0}. ParamIgnore = DistributionPoints was specifed, ignoring DistributionPointsToInclude and DistributionPointsToExclude. + ParamIgnoreScopes = SecurityScopes was specifed, ignoring SecurityScopesToInclude and SecurityScopesToExclude. DistroGroupPresent = NOTMATCH: Distribution Group is present expected absent. TestState = Test-TargetResource compliance check returned: {0}. AddGroup = Adding {0} Distribution Group. AddDistro = Adding {0} Distribution Point to Distribution Group {1}. RemoveDistro = Removing {0} Distribution Point from Distribution Group {1}. + AddScope = Adding {0} Security Scope to Distribution Group {1}. + RemoveScope = Removing {0} Security Scope from Distribution Group {1}. RemoveGroup = Removing {0} Distribution Group. - ErrorGroup = Distribution Point: {0} does not exist. + ErrorGroup = {0}: {1} does not exist. DistroInEx = DistributionPointsToInclude and DistributionPointsToExclude contain to same entry {0}, remove from one of the arrays. + ScopeInEx = SecurityScopesToInclude and SecurityScopesToExclude contain to same entry {0}, remove from one of the arrays. '@ diff --git a/source/Examples/Resources/CMDistributionGroup/CMDistributionGroup_Present.ps1 b/source/Examples/Resources/CMDistributionGroup/CMDistributionGroup_Present.ps1 index f6ed7be..924e8e5 100644 --- a/source/Examples/Resources/CMDistributionGroup/CMDistributionGroup_Present.ps1 +++ b/source/Examples/Resources/CMDistributionGroup/CMDistributionGroup_Present.ps1 @@ -20,6 +20,7 @@ Configuration Example SiteCode = 'Lab' DistributionGroup = 'DistroGroup2' DistributionPoints = 'DP01.contoso.com','DP02.contoso.com' + SecurityScopes = 'Scope1','Scope2' Ensure = 'Present' } @@ -28,6 +29,7 @@ Configuration Example SiteCode = 'Lab' DistributionGroup = 'DistroGroup3' DistributionPointsToInclude = 'DP01.contoso.com','DP02.contoso.com' + SecurityScopesToInclude = 'Scope1','Scope2' Ensure = 'Present' } @@ -36,6 +38,7 @@ Configuration Example SiteCode = 'Lab' DistributionGroup = 'DistroGroup4' DistributionPointsToExclude = 'DP01.contoso.com' + SecurityScopesToExclude = 'Scope1' Ensure = 'Present' } } diff --git a/tests/Unit/CMDistributionGroup.tests.ps1 b/tests/Unit/CMDistributionGroup.tests.ps1 index 19c2b4c..faea211 100644 --- a/tests/Unit/CMDistributionGroup.tests.ps1 +++ b/tests/Unit/CMDistributionGroup.tests.ps1 @@ -52,6 +52,19 @@ try } ) + $cmObjectsReturn = @( + @{ + CategoryName = 'Scope1' + NumberOfAdmins = 1 + NumberOfObjects = 1 + } + @{ + CategoryName = 'Scope2' + NumberOfAdmins = 1 + NumberOfObjects = 1 + } + ) + $getInput = @{ SiteCode = 'Lab' DistributionGroup = 'Group1' @@ -63,39 +76,45 @@ try Context 'When retrieving Distribution Group settings' { - It 'Should return desired result when group exists and contains Distribution Points' { + It 'Should return desired result when group exists and contains Distribution Points and Scopes' { Mock -CommandName Get-CMDistributionPointGroup -MockWith { $distributionPointGroup } Mock -CommandName Get-CMDistributionPoint -MockWith { $distributionPoint } + Mock -CommandName Get-CMObjectSecurityScope -MockWith { $cmObjectsReturn } $result = Get-TargetResource @getInput $result | Should -BeOfType System.Collections.HashTable $result.SiteCode | Should -Be -ExpectedValue 'Lab' $result.DistributionGroup | Should -Be -ExpectedValue 'Group1' $result.DistributionPoints | Should -Be -ExpectedValue 'DP01.contoso.com','DP02.contoso.com' + $result.SecurityScopes | Should -Be -ExpectedValue 'Scope1','Scope2' $result.Ensure | Should -Be -ExpectedValue 'Present' } - It 'Should return desired result when group exists and does not contain Distribution Points' { + It 'Should return desired result when group exists and does not contain Distribution Points or Scopes' { Mock -CommandName Get-CMDistributionPointGroup -MockWith { $distributionPointGroup } Mock -CommandName Get-CMDistributionPoint -MockWith { $null } + Mock -CommandName Get-CMObjectSecurityScope -MockWith { $null } $result = Get-TargetResource @getInput $result | Should -BeOfType System.Collections.HashTable $result.SiteCode | Should -Be -ExpectedValue 'Lab' $result.DistributionGroup | Should -Be -ExpectedValue 'Group1' $result.DistributionPoints | Should -Be -ExpectedValue $null + $result.SecurityScopes | Should -Be -ExpectedValue $null $result.Ensure | Should -Be -ExpectedValue 'Present' } It 'Should return desired result when group is absent' { Mock -CommandName Get-CMDistributionPointGroup -MockWith { $null } Mock -CommandName Get-CMDistributionPoint -MockWith { $null } + Mock -CommandName Get-CMObjectSecurityScope -MockWith { $null } $result = Get-TargetResource @getInput $result | Should -BeOfType System.Collections.HashTable $result.SiteCode | Should -Be -ExpectedValue 'Lab' $result.DistributionGroup | Should -Be -ExpectedValue 'Group1' $result.DistributionPoints | Should -Be -ExpectedValue $null + $result.SecurityScopes | Should -Be -ExpectedValue $null $result.Ensure | Should -Be -ExpectedValue 'Absent' } } @@ -107,6 +126,7 @@ try SiteCode = 'Lab' DistributionGroup = 'Group1' DistributionPoints = @('DP01.contoso.com','DP02.contoso.com') + SecurityScopes = @('Scope1','Scope2') Ensure = 'Present' } @@ -114,6 +134,7 @@ try SiteCode = 'Lab' DistributionGroup = 'Group1' DistributionPoints = 'DP03.contoso.com' + SecurityScopes = 'Scope3' } $groupPresent = @{ @@ -126,6 +147,19 @@ try SiteCode = 'Lab' DistributionGroup = 'Group1' DistributionPointsToInclude = 'DP03.contoso.com','DP04.contoso.com' + SecurityScopesToInclude = 'Scope3','Scope4' + } + + $scopesAddMultiple = @{ + SiteCode = 'Lab' + DistributionGroup = 'Group1' + SecurityScopesToInclude = 'Scope3','Scope4' + } + + $distributionPointGroup = @{ + MemberCount = 0 + Name = 'Group1' + SourceSite = 'LAB' } Mock -CommandName Import-ConfigMgrPowerShellModule @@ -134,6 +168,8 @@ try Mock -CommandName Add-CMDistributionPointToGroup Mock -CommandName Remove-CMDistributionPointFromGroup Mock -CommandName Remove-CMDistributionPointGroup + Mock -CommandName Add-CMObjectSecurityScope + Mock -CommandName Remove-CMObjectSecurityScope } Context 'When Set-TargetResource runs successfully when get returns absent' { @@ -150,6 +186,8 @@ try It 'Should call expected commands when adding a Distribution Point Group' { Mock -CommandName Get-CMDistributionPoint + Mock -CommandName Get-CMDistributionPointGroup + Mock -CommandName Get-CMSecurityScope Set-TargetResource @groupPresent Assert-MockCalled Import-ConfigMgrPowerShellModule -Exactly -Times 1 -Scope It @@ -159,11 +197,17 @@ try Assert-MockCalled Get-CMDistributionPoint -Exactly -Times 0 -Scope It Assert-MockCalled Add-CMDistributionPointToGroup -Exactly -Times 0 -Scope It Assert-MockCalled Remove-CMDistributionPointFromGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMDistributionPointGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMSecurityScope -Exactly -Times 0 -Scope It + Assert-MockCalled Add-CMObjectSecurityScope -Exactly -Times 0 -Scope It + Assert-MockCalled Remove-CMObjectSecurityScope -Exactly -Times 0 -Scope It Assert-MockCalled Remove-CMDistributionPointGroup -Exactly -Times 0 -Scope It } It 'Should call expected commands when adding a Distribution Point Group and Distribution Points' { Mock -CommandName Get-CMDistributionPoint -MockWith { $true } + Mock -CommandName Get-CMDistributionPointGroup -MockWith { $distributionPointGroup } + Mock -CommandName Get-CMSecurityScope -MockWith { $true } Set-TargetResource @groupPresentMatch Assert-MockCalled Import-ConfigMgrPowerShellModule -Exactly -Times 1 -Scope It @@ -173,6 +217,10 @@ try Assert-MockCalled Get-CMDistributionPoint -Exactly -Times 1 -Scope It Assert-MockCalled Add-CMDistributionPointToGroup -Exactly -Times 1 -Scope It Assert-MockCalled Remove-CMDistributionPointFromGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMDistributionPointGroup -Exactly -Times 1 -Scope It + Assert-MockCalled Get-CMSecurityScope -Exactly -Times 1 -Scope It + Assert-MockCalled Add-CMObjectSecurityScope -Exactly -Times 1 -Scope It + Assert-MockCalled Remove-CMObjectSecurityScope -Exactly -Times 0 -Scope It Assert-MockCalled Remove-CMDistributionPointGroup -Exactly -Times 0 -Scope It } } @@ -188,8 +236,10 @@ try Mock -CommandName Get-TargetResource -MockWith { $getReturnPresent } } - It 'Should call expected commands when adding and removing Distribution Points to groups' { + It 'Should call expected commands when adding and removing Distribution Points and Scopes to groups' { Mock -CommandName Get-CMDistributionPoint -MockWith { $true } + Mock -CommandName Get-CMDistributionPointGroup -MockWith { $distributionPointGroup } + Mock -CommandName Get-CMSecurityScope -MockWith { $true } Set-TargetResource @groupPresentMatch Assert-MockCalled Import-ConfigMgrPowerShellModule -Exactly -Times 1 -Scope It @@ -199,11 +249,17 @@ try Assert-MockCalled Get-CMDistributionPoint -Exactly -Times 1 -Scope It Assert-MockCalled Add-CMDistributionPointToGroup -Exactly -Times 1 -Scope It Assert-MockCalled Remove-CMDistributionPointFromGroup -Exactly -Times 2 -Scope It + Assert-MockCalled Get-CMDistributionPointGroup -Exactly -Times 1 -Scope It + Assert-MockCalled Get-CMSecurityScope -Exactly -Times 1 -Scope It + Assert-MockCalled Add-CMObjectSecurityScope -Exactly -Times 1 -Scope It + Assert-MockCalled Remove-CMObjectSecurityScope -Exactly -Times 2 -Scope It Assert-MockCalled Remove-CMDistributionPointGroup -Exactly -Times 0 -Scope It } It 'Should call expected commands when removing Distribution Point Group' { Mock -CommandName Get-CMDistributionPoint + Mock -CommandName Get-CMDistributionPointGroup + Mock -CommandName Get-CMSecurityScope Set-TargetResource @groupAbsent Assert-MockCalled Import-ConfigMgrPowerShellModule -Exactly -Times 1 -Scope It @@ -213,11 +269,17 @@ try Assert-MockCalled Get-CMDistributionPoint -Exactly -Times 0 -Scope It Assert-MockCalled Add-CMDistributionPointToGroup -Exactly -Times 0 -Scope It Assert-MockCalled Remove-CMDistributionPointFromGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMDistributionPointGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMSecurityScope -Exactly -Times 0 -Scope It + Assert-MockCalled Add-CMObjectSecurityScope -Exactly -Times 0 -Scope It + Assert-MockCalled Remove-CMObjectSecurityScope -Exactly -Times 0 -Scope It Assert-MockCalled Remove-CMDistributionPointGroup -Exactly -Times 1 -Scope It } - It 'Should call expected commands when adding multiple Distribution Points to the group' { + It 'Should call expected commands when adding multiple Distribution Points and Scopes to the group' { Mock -CommandName Get-CMDistributionPoint -MockWith { $true } + Mock -CommandName Get-CMDistributionPointGroup -MockWith { $distributionPointGroup } + Mock -CommandName Get-CMSecurityScope -MockWith { $true } Set-TargetResource @groupPresentAddMultiple Assert-MockCalled Import-ConfigMgrPowerShellModule -Exactly -Times 1 -Scope It @@ -227,6 +289,10 @@ try Assert-MockCalled Get-CMDistributionPoint -Exactly -Times 2 -Scope It Assert-MockCalled Add-CMDistributionPointToGroup -Exactly -Times 2 -Scope It Assert-MockCalled Remove-CMDistributionPointFromGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMDistributionPointGroup -Exactly -Times 1 -Scope It + Assert-MockCalled Get-CMSecurityScope -Exactly -Times 2 -Scope It + Assert-MockCalled Add-CMObjectSecurityScope -Exactly -Times 2 -Scope It + Assert-MockCalled Remove-CMObjectSecurityScope -Exactly -Times 0 -Scope It Assert-MockCalled Remove-CMDistributionPointGroup -Exactly -Times 0 -Scope It } } @@ -241,13 +307,23 @@ try Ensure = 'Present' } + $scopesIncludeExclude = @{ + SiteCode = 'Lab' + DistributionGroup = 'Group1' + SecurityScopesToInclude = 'Scope3' + SecurityScopesToExclude = 'Scope3' + } + $distroInEx = 'DistributionPointsToInclude and DistributionPointsToExclude contain to same entry DP02.contoso.com, remove from one of the arrays.' + $scopeInEx = 'SecurityScopesToInclude and SecurityScopesToExclude contain to same entry Scope3, remove from one of the arrays' Mock -CommandName Get-TargetResource -MockWith { $getReturnPresent } } It 'Should call expected commands when Set-CMDistributionPoint throws' { Mock -CommandName Get-CMDistributionPoint -MockWith { $true } -ParameterFilter { $Name -eq 'DP03.Contoso.com' } Mock -CommandName Get-CMDistributionPoint -MockWith { $null } -ParameterFilter { $Name -eq 'DP04.Contoso.com' } + Mock -CommandName Get-CMDistributionPointGroup -MockWith { $distributionPointGroup } + Mock -CommandName Get-CMSecurityScope -MockWith { $true } { Set-TargetResource @groupPresentAddMultiple } | Should -Throw Assert-MockCalled Import-ConfigMgrPowerShellModule -Exactly -Times 1 -Scope It @@ -257,6 +333,10 @@ try Assert-MockCalled Get-CMDistributionPoint -Exactly -Times 2 -Scope It Assert-MockCalled Add-CMDistributionPointToGroup -Exactly -Times 1 -Scope It Assert-MockCalled Remove-CMDistributionPointFromGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMDistributionPointGroup -Exactly -Times 1 -Scope It + Assert-MockCalled Get-CMSecurityScope -Exactly -Times 2 -Scope It + Assert-MockCalled Add-CMObjectSecurityScope -Exactly -Times 2 -Scope It + Assert-MockCalled Remove-CMObjectSecurityScope -Exactly -Times 0 -Scope It Assert-MockCalled Remove-CMDistributionPointGroup -Exactly -Times 0 -Scope It } @@ -271,6 +351,51 @@ try Assert-MockCalled Get-CMDistributionPoint -Exactly -Times 0 -Scope It Assert-MockCalled Add-CMDistributionPointToGroup -Exactly -Times 0 -Scope It Assert-MockCalled Remove-CMDistributionPointFromGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMDistributionPointGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMSecurityScope -Exactly -Times 0 -Scope It + Assert-MockCalled Add-CMObjectSecurityScope -Exactly -Times 0 -Scope It + Assert-MockCalled Remove-CMObjectSecurityScope -Exactly -Times 0 -Scope It + Assert-MockCalled Remove-CMDistributionPointGroup -Exactly -Times 0 -Scope It + } + + It 'Should call expected commands when Set-CMDistributionPoint throws with an invalid Scope' { + Mock -CommandName Get-CMDistributionPoint -MockWith { $true } + Mock -CommandName Get-CMDistributionPointGroup -MockWith { $distributionPointGroup } + Mock -CommandName Get-CMSecurityScope -MockWith { $true } -ParameterFilter { $Name -eq 'Scope3' } + Mock -CommandName Get-CMSecurityScope -MockWith { $null } -ParameterFilter { $Name -eq 'Scope4' } + + { Set-TargetResource @groupPresentAddMultiple } | Should -Throw + Assert-MockCalled Import-ConfigMgrPowerShellModule -Exactly -Times 1 -Scope It + Assert-MockCalled Set-Location -Exactly -Times 2 -Scope It + Assert-MockCalled Get-TargetResource -Exactly -Times 1 -Scope It + Assert-MockCalled New-CMDistributionPointGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMDistributionPoint -Exactly -Times 2 -Scope It + Assert-MockCalled Add-CMDistributionPointToGroup -Exactly -Times 1 -Scope It + Assert-MockCalled Remove-CMDistributionPointFromGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMDistributionPointGroup -Exactly -Times 1 -Scope It + Assert-MockCalled Get-CMSecurityScope -Exactly -Times 2 -Scope It + Assert-MockCalled Add-CMObjectSecurityScope -Exactly -Times 1 -Scope It + Assert-MockCalled Remove-CMObjectSecurityScope -Exactly -Times 0 -Scope It + Assert-MockCalled Remove-CMDistributionPointGroup -Exactly -Times 0 -Scope It + } + + It 'Should call expected commands when SecurityScopesToInclude and SecurityScopesTo have the same entry' { + Mock -CommandName Get-CMDistributionPoint + Mock -CommandName Get-CMDistributionPointGroup + Mock -CommandName Get-CMSecurityScope + + { Set-TargetResource @scopesIncludeExclude } | Should -Throw -ExpectedMessage $scopeInEx + Assert-MockCalled Import-ConfigMgrPowerShellModule -Exactly -Times 1 -Scope It + Assert-MockCalled Set-Location -Exactly -Times 2 -Scope It + Assert-MockCalled Get-TargetResource -Exactly -Times 1 -Scope It + Assert-MockCalled New-CMDistributionPointGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMDistributionPoint -Exactly -Times 0 -Scope It + Assert-MockCalled Add-CMDistributionPointToGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Remove-CMDistributionPointFromGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMDistributionPointGroup -Exactly -Times 0 -Scope It + Assert-MockCalled Get-CMSecurityScope -Exactly -Times 0 -Scope It + Assert-MockCalled Add-CMObjectSecurityScope -Exactly -Times 0 -Scope It + Assert-MockCalled Remove-CMObjectSecurityScope -Exactly -Times 0 -Scope It Assert-MockCalled Remove-CMDistributionPointGroup -Exactly -Times 0 -Scope It } } @@ -300,6 +425,7 @@ try SiteCode = 'Lab' DistributionGroup = 'Group1' DistributionPoints = @('DP01.contoso.com','DP02.contoso.com') + SecurityScopes = @('Scope1','Scope2') Ensure = 'Present' } @@ -307,6 +433,7 @@ try SiteCode = 'Lab' DistributionGroup = 'Group1' DistributionPoints = 'DP03.contoso.com' + SecurityScopes = 'Scope1' } $groupPresentInclude = @{ @@ -328,6 +455,25 @@ try DistributionPointsToInclude = 'DP03.contoso.com' } + $groupPresentScopeInclude = @{ + SiteCode = 'Lab' + DistributionGroup = 'Group1' + SecurityScopesToInclude = 'Scope3' + } + + $groupPresentScopeExclude = @{ + SiteCode = 'Lab' + DistributionGroup = 'Group1' + SecurityScopesToExclude = 'Scope1' + } + + $groupPresentScopeWarningMatch = @{ + SiteCode = 'Lab' + DistributionGroup = 'Group1' + SecurityScopes = 'Scope3' + SecurityScopesToInclude = 'Scope2' + } + $groupPresent = @{ SiteCode = 'Lab' DistributionGroup = 'Group1' @@ -339,6 +485,8 @@ try DistributionGroup = 'Group1' DistributionPointsToExclude = 'DP02.contoso.com' DistributionPointsToInclude = 'DP02.contoso.com' + SecurityScopesToInclude = 'Scope1' + SecurityScopesToExclude = 'Scope1' Ensure = 'Present' } @@ -349,7 +497,7 @@ try Test-TargetResource @groupPresent | Should -Be $true } - It 'Should return desired result false when DistributionPoints does not match get' { + It 'Should return desired result false when DistributionPoints and Security Scopes do not match get' { Test-TargetResource @groupPresentMatch | Should -Be $false } @@ -365,11 +513,23 @@ try Test-TargetResource @groupPresentWarningMatch | Should -Be $false } + It 'Should return desired result false when SecurityScopesToInclude does not match get' { + Test-TargetResource @groupPresentScopeInclude | Should -Be $false + } + + It 'Should return desired result false when SecurityScopesToExclude has a match with get' { + Test-TargetResource @groupPresentScopeExclude | Should -Be $false + } + + It 'Should return desired result false when SecurityScopesToInclude and SecurityScopes does not match get' { + Test-TargetResource @groupPresentScopeWarningMatch | Should -Be $false + } + It 'Should return desired result false when get returns present and expected absent' { Test-TargetResource @groupAbsent | Should -Be $false } - It 'Shoud return desired result false when DistributionPointToInclude and Exclude contain the same DistributionPoint' { + It 'Shoud return desired result false when DistributionPoint and Scope ToInclude and ToExclude contain the same members' { Test-TargetResource @includeExclude | Should -Be $false } } @@ -380,6 +540,7 @@ try SiteCode = 'Lab' DistributionGroup = 'Group1' DistributionPoints = $null + SecurityScopes = $null Ensure = 'Absent' } diff --git a/tests/Unit/Stubs/ConfigMgrCBDscStub.psm1 b/tests/Unit/Stubs/ConfigMgrCBDscStub.psm1 index 2d9c25a..9f54acd 100644 --- a/tests/Unit/Stubs/ConfigMgrCBDscStub.psm1 +++ b/tests/Unit/Stubs/ConfigMgrCBDscStub.psm1 @@ -3811,7 +3811,7 @@ function Add-CMObjectSecurityScope ${Id}, [Parameter(Mandatory=$true, ValueFromPipeline=$true)] - [System.Object[]] + [Hashtable[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] @@ -30426,7 +30426,7 @@ function Remove-CMObjectSecurityScope ${Id}, [Parameter(Mandatory=$true, ValueFromPipeline=$true)] - [System.Object[]] + [Hashtable[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)]