Extended permissions fix
SSvilen committed Feb 3, 2020
1 parent 07b70f8 commit 017e892
Showing 2 changed files with 22 additions and 18 deletions.
Expand Up @@ -1180,7 +1180,7 @@ function Test-TargetResource
$testResults = $false
}

if ($ExtendedRightAllowEntries -and $adPermissions.Deny -contains $false)
if ($ExtendedRightAllowEntries)
{
$splat = @{
ADPermissions = $adPermissions
Expand All @@ -1196,11 +1196,7 @@ function Test-TargetResource
$testResults = $false
}
}
if (-not $ExtendedRightAllowEntries -and $adPermissions -and $adPermissions.Deny -notcontains $false)
{
return $false
}
if ($ExtendedRightDenyEntries -and $adPermissions.Deny -contains $true)
if ($ExtendedRightDenyEntries)
{
$splat = @{
ADPermissions = $adPermissions
Expand All @@ -1216,10 +1212,6 @@ function Test-TargetResource
$testResults = $false
}
}
if (-not $ExtendedRightDenyEntries -and $adPermissions -and $adPermissions.Deny -contains $true)
{
return $false
}
}
}

Expand Down Expand Up @@ -1268,8 +1260,8 @@ function Test-ExtendedRightsPresent
$permissionsFound = $ADPermissions | Where-Object { ($_.User.RawIdentity -match $Right.Key) -and ($_.ExtendedRights.RawIdentity -eq $Value) }
if ($null -ne $permissionsFound)
{
if ($Deny -eq $true -and $permissionsFound.Deny -eq $false -or
$Deny -eq $false -and $permissionsFound.Deny -eq $true)
if (($Deny -eq $true -and $permissionsFound.Deny.ToBool() -eq $false) -or
($Deny -eq $false -and $permissionsFound.Deny.ToBool() -eq $true))
{
Write-InvalidSettingVerbose -SettingName 'ExtendedRight' -ExpectedValue "User:$($Right.Key) Value:$Value" -ActualValue "Deny: $($permissionsFound.Deny)" -Verbose:$VerbosePreference
return $false
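Review bot: The rewritten comparison in Test-ExtendedRightsPresent calls `$permissionsFound.Deny.ToBool()` on whatever the preceding `Where-Object` returned, and because that filter selects users with an unanchored `-match $Right.Key` it can return more than one entry. With several matches, member enumeration makes `.Deny.ToBool()` an array, so `-eq $false` / `-eq $true` filters that array instead of comparing one value, and a mix of allow and deny entries can be judged by the combination rather than by the entry for the intended principal. The call also fails when `Deny` is `$null` or a plain `[bool]`, which appears to be why the unit-test mocks had to be changed to `SwitchParameter`. Checking each match on its own would cover these cases, for example `$mismatch = @($permissionsFound | Where-Object { [bool]$_.Deny -ne [bool]$Deny })` followed by `if ($mismatch.Count -gt 0)`. The function body starts and ends outside the hunk, so this assumes `$Deny` is the boolean-like parameter the visible lines suggest.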
24 changes: 18 additions & 6 deletions tests/Unit/MSFT_xExchReceiveConnector.tests.ps1
Expand Up @@ -371,7 +371,7 @@ try
User = [PSCustomObject] @{
RawIdentity = 'User1Allow'
}
Deny = $false
Deny = [System.Management.Automation.SwitchParameter]::new($false)
ExtendedRights = [PSCustomObject] @{
RawIdentity = 'ms-Exch-SMTP-Accept-Any-Recipient'
}
Expand All @@ -383,7 +383,7 @@ try
User = [PSCustomObject] @{
RawIdentity = 'User1Allow'
}
Deny = $false
Deny = [System.Management.Automation.SwitchParameter]::new($false)
ExtendedRights = [PSCustomObject] @{
RawIdentity = 'ms-Exch-SMTP-Accept-Any-Sender'
}
Expand All @@ -395,7 +395,7 @@ try
User = [PSCustomObject] @{
RawIdentity = 'User2Deny'
}
Deny = $true
Deny = [System.Management.Automation.SwitchParameter]::new($true)
ExtendedRights = [PSCustomObject] @{
RawIdentity = 'ms-Exch-SMTP-Accept-Any-Recipient'
}
Expand All @@ -407,7 +407,7 @@ try
User = [PSCustomObject] @{
RawIdentity = 'User2Deny'
}
Deny = $true
Deny = [System.Management.Automation.SwitchParameter]::new($true)
ExtendedRights = [PSCustomObject] @{
RawIdentity = 'ms-Exch-SMTP-Accept-Any-Sender'
}
Expand All @@ -416,8 +416,19 @@ try

Mock -CommandName 'Get-ADPermission' -MockWith { return $ADPermissions }

Context 'When permissions do not match' {
It 'Should return $false' {
Context 'When permissions are not compliant' {
It 'Should return $false when extended permissions do not match' {
$TestTargetResourceParamsFalse = @{ } + $TestTargetResourceParams
$TestTargetResourceParamsFalse['ExtendedRightAllowEntries'] = (
New-CimInstance -ClassName 'MSFT_KeyValuePair' -Property @{
key = 'User1Allow'
value = 'ms-Exch-SMTP-Accept-Any-Recipient,ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'
} -ClientOnly
)

Test-TargetResource @TestTargetResourceParamsFalse | Should -Be $false
}
It 'Should return $false when permissions are not present' {
$TestTargetResourceParamsFalse = @{ } + $TestTargetResourceParams
$TestTargetResourceParamsFalse['ExtendedRightAllowEntries'] = (
New-CimInstance -ClassName 'MSFT_KeyValuePair' -Property @{
Expand All @@ -426,6 +437,7 @@ try
} -ClientOnly
)

Mock -CommandName 'Get-ADPermission' -MockWith { return ($ADPermissions | Where-Object -FilterScript { $_.User.RawIdentity -eq 'User2Deny' }) }
Test-TargetResource @TestTargetResourceParamsFalse | Should -Be $false
}
}
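Review bot: None of the cases visible in the 'When permissions are not compliant' context exercises the Deny-mismatch branch that this commit rewrites in Test-ExtendedRightsPresent; the first requests a right that is absent and the second removes the User1Allow entries from the mock. A case that requests an allow entry for a principal whose existing entry is a deny, as sketched below, would pin the `.ToBool()` comparison for rights such as `ms-Exch-SMTP-Accept-Any-Recipient`. The second case re-mocks `Get-ADPermission` inside its `It` block, and depending on the Pester version that mock may remain active for later blocks in the same Context, so a new case is safer placed before it. The surrounding Describe setup is outside the hunk, so `$TestTargetResourceParams` is assumed to behave as in the neighbouring cases.

```powershell
# … unchanged: 'Should return $false when extended permissions do not match' …
It 'Should return $false when an allow entry is requested but the existing entry is a deny' {
    $TestTargetResourceParamsFalse = @{ } + $TestTargetResourceParams
    $TestTargetResourceParamsFalse['ExtendedRightAllowEntries'] = (
        New-CimInstance -ClassName 'MSFT_KeyValuePair' -Property @{
            key   = 'User2Deny'
            value = 'ms-Exch-SMTP-Accept-Any-Recipient'
        } -ClientOnly
    )

    Test-TargetResource @TestTargetResourceParamsFalse | Should -Be $false
}
# … unchanged: 'Should return $false when permissions are not present' …
```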
