
Merge pull request #892 from jensotto/local-farm-token

SPServiceAppSecurity: Added support for local farm token and fixed multiple issues
ykuijs committed Sep 26, 2018
2 parents ac22dc8 + af1c43f commit 5cf345fd545c3db4f927cbc43a5051a4c1d3ba18
@@ -17,6 +17,9 @@
application to prevent issues in the Get method.
* SPWebAppSuiteBar
* Fixed incorrect test method that resulted in this resource to never apply changes.
* SPServiceAppSecurity
* Added local farm token.
* Fixed issues that prevented the resource to work as expected in many situations.
* SPWebAppPropertyBag
* New resource to manage web application property bag
@@ -38,7 +38,7 @@ function Get-TargetResource
"MembersToExclude parameters")
}
if (!$Members -and !$MembersToInclude -and !$MembersToExclude)
if ($null -eq $Members -and $null -eq $MembersToInclude -and $null -eq $MembersToExclude)
{
throw ("At least one of the following parameters must be specified: Members, " + `
"MembersToInclude, MembersToExclude")
@@ -76,10 +76,17 @@ function Get-TargetResource
$user = $securityEntry.Name
if ($user -like "i:*|*" -or $user -like "c:*|*")
{
$user = (New-SPClaimsPrincipal -Identity $user -IdentityType EncodedClaim).Value
if ($user -match "^s-1-[0-59]-\d+-\d+-\d+-\d+-\d+")
if($user.Chars(3) -eq "%" -and $user -ilike "*$((Get-SPFarm).Id.ToString())")
{
$user = Resolve-SPDscSecurityIdentifier -SID $user
$user = "{LocalFarm}"
}
else
{
$user = (New-SPClaimsPrincipal -Identity $user -IdentityType EncodedClaim).Value
if ($user -match "^s-1-[0-59]-\d+-\d+-\d+-\d+-\d+")
{
$user = Resolve-SPDscSecurityIdentifier -SID $user
}
}
}
@@ -143,7 +150,7 @@ function Set-TargetResource
"MembersToExclude parameters")
}
if (!$Members -and !$MembersToInclude -and !$MembersToExclude)
if ($null -eq $Members -and $null -eq $MembersToInclude -and $null -eq $MembersToExclude)
{
throw ("At least one of the following parameters must be specified: Members, " + `
"MembersToInclude, MembersToExclude")
@@ -173,20 +180,30 @@ function Set-TargetResource
}
}
$localFarmEncodedClaim = "c:0%.c|system|$((Get-SPFarm).Id.ToString())"
if ($params.ContainsKey("Members") -eq $true)
{
foreach($desiredMember in $params.Members)
{
$isUser = Test-SPDSCIsADUser -IdentityName $desiredMember.Username
if ($isUser -eq $true)
if($desiredMember.Username -eq "{LocalFarm}")
{
$claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
-IdentityType WindowsSamAccountName
$claim = New-SPClaimsPrincipal -Identity $localFarmEncodedClaim `
-IdentityType EncodedClaim
}
else
{
$claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
-IdentityType WindowsSecurityGroupName
$isUser = Test-SPDSCIsADUser -IdentityName $desiredMember.Username
if ($isUser -eq $true)
{
$claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
-IdentityType WindowsSamAccountName
}
else
{
$claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
-IdentityType WindowsSecurityGroupName
}
}
if ($CurrentValues.Members.Username -contains $desiredMember.Username)
@@ -213,16 +230,24 @@ function Set-TargetResource
{
if ($params.Members.Username -notcontains $currentMember.Username)
{
$isUser = Test-SPDSCIsADUser -IdentityName $desiredMember.Username
if ($isUser -eq $true)
if($currentMember.UserName -eq "{LocalFarm}")
{
$claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
-IdentityType WindowsSamAccountName
$claim = New-SPClaimsPrincipal -Identity $localFarmEncodedClaim `
-IdentityType EncodedClaim
}
else
{
$claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
-IdentityType WindowsSecurityGroupName
$isUser = Test-SPDSCIsADUser -IdentityName $currentMember.Username
if ($isUser -eq $true)
{
$claim = New-SPClaimsPrincipal -Identity $currentMember.Username `
-IdentityType WindowsSamAccountName
}
else
{
$claim = New-SPClaimsPrincipal -Identity $currentMember.Username `
-IdentityType WindowsSecurityGroupName
}
}
Revoke-SPObjectSecurity -Identity $security -Principal $claim
}
@@ -233,17 +258,26 @@ function Set-TargetResource
{
foreach($desiredMember in $params.MembersToInclude)
{
$isUser = Test-SPDSCIsADUser -IdentityName $desiredMember.Username
if ($isUser -eq $true)
if($desiredMember.Username -eq "{LocalFarm}")
{
$claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
-IdentityType WindowsSamAccountName
$claim = New-SPClaimsPrincipal -Identity $localFarmEncodedClaim `
-IdentityType EncodedClaim
}
else
{
$claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
-IdentityType WindowsSecurityGroupName
$isUser = Test-SPDSCIsADUser -IdentityName $desiredMember.Username
if ($isUser -eq $true)
{
$claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
-IdentityType WindowsSamAccountName
}
else
{
$claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
-IdentityType WindowsSecurityGroupName
}
}
if ($CurrentValues.Members.Username -contains $desiredMember.Username)
{
if (($CurrentValues.Members | Where-Object -FilterScript {
@@ -273,16 +307,24 @@ function Set-TargetResource
{
if ($CurrentValues.Members.Username -contains $excludeMember)
{
$isUser = Test-SPDSCIsADUser -IdentityName $desiredMember.Username
if ($isUser -eq $true)
if($excludeMember -eq "{LocalFarm}")
{
$claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
-IdentityType WindowsSamAccountName
$claim = New-SPClaimsPrincipal -Identity $localFarmEncodedClaim `
-IdentityType EncodedClaim
}
else
{
$claim = New-SPClaimsPrincipal -Identity $desiredMember.Username `
-IdentityType WindowsSecurityGroupName
$isUser = Test-SPDSCIsADUser -IdentityName $excludeMember
if ($isUser -eq $true)
{
$claim = New-SPClaimsPrincipal -Identity $excludeMember `
-IdentityType WindowsSamAccountName
}
else
{
$claim = New-SPClaimsPrincipal -Identity $excludeMember `
-IdentityType WindowsSecurityGroupName
}
}
Revoke-SPObjectSecurity -Identity $security -Principal $claim
}
@@ -343,16 +385,10 @@ function Test-TargetResource
return $false
}
if ($Members)
if ($null -ne $Members)
{
Write-Verbose -Message "Processing Members parameter"
if ($null -eq $CurrentValues.Members)
{
Write-Verbose -Message "Security list does not match"
return $false
}
if ($CurrentValues.Members.Count -eq 0)
{
if ($Members.Count -gt 0)
@@ -366,9 +402,14 @@ function Test-TargetResource
return $true
}
}
elseif($Members.Count -eq 0)
{
Write-Verbose -Message "Security list does not match"
return $false
}
$differences = Compare-Object -ReferenceObject $CurrentValues.Members.Username `
-DifferenceObject $Members.Username
-DifferenceObject $Members.Username
if ($null -eq $differences)
{
@@ -422,7 +463,7 @@ function Test-TargetResource
Write-Verbose -Message "Processing MembersToExclude parameter"
foreach ($member in $MembersToExclude)
{
if ($CurrentValues.Members.Username -contains $member.Username)
if ($CurrentValues.Members.Username -contains $member)
{
Write-Verbose -Message "$member already has access. Set result to false"
$result = $false
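Review bot: In the Get-TargetResource hunk (@@ -76,10 +76,17 @@) the new local-farm detection is a heuristic — fourth character is `%` and the string ends with the farm id — while Set-TargetResource builds the exact encoded claim `c:0%.c|system|<farmId>`, so the two halves of the resource can disagree about which principal is `{LocalFarm}`; because Test compares the Username strings Get returns and the Members branch of Set revokes anything not in the desired list by re-deriving the claim, a mislabelled entry would likely make Set target the farm claim rather than the principal actually present. I would define the literal once before the `foreach` and compare against it, which also stops calling `Get-SPFarm` for every security entry: `$localFarmEncodedClaim = "c:0%.c|system|$((Get-SPFarm).Id.ToString())"` above the loop, and `if ($user -eq $localFarmEncodedClaim)` in place of the `Chars(3)`/`-ilike` test (that also removes the possibility of `Chars(3)` throwing on a claim shorter than four characters). Separately, the `-eq "{LocalFarm}"` checks in the Set-TargetResource hunks are case-insensitive in PowerShell, so the README's new sentence that the token is case sensitive does not match the code; either switch to `-ceq` or drop that sentence. Get-TargetResource's body starts and ends outside the hunk.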
@@ -14,3 +14,7 @@ and all others that are members and who are not in this list will be removed.
The "MembersToInclude" and "MembersToExclude" properties will allow you to
control a specific set of users to add or remove, without changing any other
members that are in the group already that may not be specified here, allowing
NOTE:
In order to specify Local Farm you can use the token "\{LocalFarm\}"
as the username. The token is case sensitive.
@@ -0,0 +1,31 @@
<#
.EXAMPLE
This example shows how to use the local farm token to grant
full control permission to the local farm to the
user profile service app's sharing permission.
#>
Configuration Example
{
param(
[Parameter(Mandatory = $true)]
[PSCredential]
$SetupAccount
)
Import-DscResource -ModuleName SharePointDsc
node localhost {
$members = @()
$members += MSFT_SPServiceAppSecurityEntry {
Username = "{LocalFarm}"
AccessLevel = "Full Control"
}
SPServiceAppSecurity UserProfileServiceSecurity
{
ServiceAppName = "User Profile Service Application"
SecurityType = "SharingPermissions"
Members = $members
PsDscRunAsCredential = $SetupAccount
}
}
}