WmiNamespaceSecurity.Tests.ps1
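# Fixture names shared by every test in this file.
$nsname = "WmiNamespaceTest"
$nspath = "root\$nsname"
$testuser = "WmiNamespaceUser"

# The tests create a real local account on the machine they run on, so the
# password is generated per run rather than being a constant that everyone with
# read access to the repository knows. If cleanup is skipped (aborted run,
# killed host), the leftover account then has no publicly known credential.
#
# Shape: a fixed "Aa1!" prefix (upper, lower, digit, symbol) so the value passes
# password-complexity policy where it is enabled, followed by 10 random
# URL-safe base64 characters. The total is held to 14 characters because
# "net user" asks for interactive confirmation on longer passwords.
#
# NOTE(review): the value is still handed to net.exe as a command-line
# argument, so it can appear in process-creation audit logs on hosts that
# record command lines.
$randomBytes = New-Object byte[] 9
$rng = [Security.Cryptography.RandomNumberGenerator]::Create()
try {
    $rng.GetBytes($randomBytes)
}
finally {
    $rng.Dispose()
}
$testuserPassword = "Aa1!" + [Convert]::ToBase64String($randomBytes).Substring(0, 10).Replace('+', '-').Replace('/', '_')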
# The tests below create a local account and a WMI namespace; stop immediately
# when the current session is not running as Administrator.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $currentIdentity
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isElevated) {
    throw "These tests require an elevated PowerShell session"
}
# Workaround used to reach the module's class types until exporting types from
# a module is supported: each type literal is resolved inside the module and
# handed back to this script as a variable.
Import-Module WmiNamespaceSecurityResource
# Dot-source a script block against the loaded module so [type]"WmiNamespaceSecurity"
# resolves there; -scope 1 writes $wminsclass one scope up from where the block runs
# (presumably this script's scope, since the tests read it directly).
. (Get-module WmiNamespaceSecurityResource) { set-variable -name wminsclass -value ([type]"WmiNamespaceSecurity") -scope 1 }
# Same technique for the WmiPermission type, exposed as $wmiperms and used by the
# tests to build the expected access mask.
. (Get-module WmiNamespaceSecurityResource) { set-variable -name wmiperms -value ([type]"WmiPermission") -scope 1 }
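# Integration tests for the WMINamespaceSecurity DSC resource. Each test compiles
# a configuration, applies it to the local machine, then reads the namespace
# security descriptor back and inspects the ACE for the test account.
#
# These tests change real host state: they add and delete a local user, create
# and delete a WMI namespace under root, and apply DSC configurations with
# -Force. Run them on a disposable test machine.
Describe "Set WMI Namespace Security" {
    BeforeAll {
        # Best-effort removal of an account left behind by an earlier run; the
        # usual failure is "user does not exist", so the error is ignored.
        net user $testuser /delete 2> $null

        # Creation is not best-effort: without the account every later assertion
        # fails for a misleading reason, so stop here with the real cause.
        net user $testuser $testuserPassword /add 2> $null
        if ($LASTEXITCODE -ne 0) {
            throw "Could not create local test user '$testuser' (net user exit code $LASTEXITCODE)"
        }

        # Start from a fresh namespace so ACEs from a previous run cannot
        # influence the results.
        $ns = Get-CimInstance -Namespace root -ClassName __namespace -Filter "Name='$nsname'"
        if ($null -ne $ns) {
            $ns | Remove-CimInstance
        }
        New-CimInstance -Namespace "root" -ClassName __namespace -Property @{Name=$nsname}
    }

    AfterAll {
        # Remove everything BeforeAll created: the local account and the namespace.
        net user $testuser /delete 2> $null
        Get-CimInstance -Namespace root -ClassName __namespace -Filter "Name='$nsname'" | Remove-CimInstance
    }

    It "Add user to namespace ACL" {
        Configuration SetTest {
            Import-DscResource -Module WmiNamespaceSecurity
            WMINamespaceSecurity namespacetest {
                Path = "$nspath"
                AppliesTo = "self"
                Principal = "$testuser"
                AccessType = "Allow"
                Permission = "Enable", "MethodExecute", "ProviderWrite"
                Ensure = "Present"
            }
        }
        SetTest -OutputPath TestDrive:\dsc
        "TestDrive:\dsc\localhost.mof" | Should Exist
        Start-DscConfiguration -Path "TestDrive:\dsc" -Force -Wait

        $sd = $wminsclass::GetSecurityDescriptor($nspath)
        # The removal test unpacks FindAce into ($ace, $index), so it appears to
        # return a pair. Unpack here too: piping the whole pair into
        # "Should Not BeNullOrEmpty" would pass even when no ACE was found.
        $ace, $null = $wminsclass::FindAce($sd.DACL, $testuser, "Allow")
        $ace | Should Not BeNullOrEmpty
        # The mask must be exactly the three requested rights, nothing more.
        $ace.AccessMask | Should BeExactly ([uint32]($wmiperms::Enable + $wmiperms::MethodExecute + $wmiperms::ProviderWrite))
    }

    It "Change user permission in namespace ACL" {
        Configuration SetTest {
            Import-DscResource -Module WmiNamespaceSecurity
            WMINamespaceSecurity namespacetest {
                Path = "$nspath"
                AppliesTo = "self"
                Principal = "$testuser"
                AccessType = "Allow"
                Permission = "Enable", "ProviderWrite"
                Ensure = "Present"
            }
        }
        SetTest -OutputPath TestDrive:\dsc
        "TestDrive:\dsc\localhost.mof" | Should Exist
        Start-DscConfiguration -Path "TestDrive:\dsc" -Force -Wait

        $sd = $wminsclass::GetSecurityDescriptor($nspath)
        # Unpack the (ace, index) pair so the assertion inspects the ACE itself.
        $ace, $null = $wminsclass::FindAce($sd.DACL, $testuser, "Allow")
        $ace | Should Not BeNullOrEmpty
        # MethodExecute was granted by the previous test; an exact match proves
        # the resource removed it rather than only adding rights.
        $ace.AccessMask | Should BeExactly ([uint32]($wmiperms::Enable + $wmiperms::ProviderWrite))
    }

    It "Remove user from namespace ACL" {
        Configuration SetTest {
            Import-DscResource -Module WmiNamespaceSecurity
            WMINamespaceSecurity namespacetest {
                Path = "$nspath"
                Principal = "$testuser"
                AccessType = "Allow"
                Ensure = "Absent"
            }
        }
        SetTest -OutputPath TestDrive:\dsc
        "TestDrive:\dsc\localhost.mof" | Should Exist
        Start-DscConfiguration -Path "TestDrive:\dsc" -Force -Wait

        $sd = $wminsclass::GetSecurityDescriptor($nspath)
        # After removal no Allow ACE for the account may remain: the ACE is
        # empty and the returned index is -1.
        $ace, $index = $wminsclass::FindAce($sd.DACL, $testuser, "Allow")
        $ace | Should BeNullOrEmpty
        $index | Should BeExactly -1
    }
}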