DSCResources/MSFT_SPSecureStoreServiceApp/MSFT_SPSecureStoreServiceApp.psm1

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [Parameter()]
        [System.String]
        $ProxyName,

        [Parameter(Mandatory = $true)]
        [System.String]
        $ApplicationPool,

        [Parameter(Mandatory = $true)]
        [System.Boolean]
        $AuditingEnabled,

        [Parameter()]
        [System.UInt32]
        $AuditlogMaxSize,

        [Parameter()]
        [System.String]
        $DatabaseName,

        [Parameter()]
        [System.String]
        $DatabaseServer,

        [Parameter()]
        [System.Boolean]
        $UseSQLAuthentication,

        [Parameter()]
        [System.String]
        $FailoverDatabaseServer,

        [Parameter()]
        [System.Boolean]
        $PartitionMode,

        [Parameter()]
        [System.Boolean]
        $Sharing,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $MasterKey,

        [Parameter()]
        [ValidateSet("Present", "Absent")]
        [System.String]
        $Ensure = "Present",

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $DatabaseCredentials,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $InstallAccount
    )

    Write-Verbose -Message "Getting secure store service application '$Name'"

    $result = Invoke-SPDscCommand -Credential $InstallAccount `
        -Arguments $PSBoundParameters `
        -ScriptBlock {
        $params = $args[0]

        $nullReturn = @{
            Name            = $params.Name
            ApplicationPool = $params.ApplicationPool
            AuditingEnabled = $false
            Ensure          = "Absent"
        }

        $serviceApps = Get-SPServiceApplication -Name $params.Name -ErrorAction SilentlyContinue
        if ($null -eq $serviceApps)
        {
            return $nullReturn
        }
        $serviceApp = $serviceApps | Where-Object -FilterScript {
            $_.GetType().FullName -eq "Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplication"
        }

        if ($null -eq $serviceApp)
        {
            return $nullReturn
        }
        else
        {
            $serviceAppProxies = Get-SPServiceApplicationProxy -ErrorAction SilentlyContinue
            if ($null -ne $serviceAppProxies)
            {
                $serviceAppProxy = $serviceAppProxies | Where-Object -FilterScript {
                    $serviceApp.IsConnected($_)
                }
                if ($null -ne $serviceAppProxy)
                {
                    $proxyName = $serviceAppProxy.Name
                }
            }

            $propertyFlags = [System.Reflection.BindingFlags]::Instance `
                -bor [System.Reflection.BindingFlags]::NonPublic

            $propData = $serviceApp.GetType().GetProperties($propertyFlags)

            $dbProp = $propData | Where-Object -FilterScript {
                $_.Name -eq "Database"
            }

            $db = $dbProp.GetValue($serviceApp)

            $auditProp = $propData | Where-Object -FilterScript {
                $_.Name -eq "AuditEnabled"
            }

            $auditEnabled = $auditProp.GetValue($serviceApp)

            return  @{
                Name                   = $serviceApp.DisplayName
                ProxyName              = $proxyName
                AuditingEnabled        = $auditEnabled
                ApplicationPool        = $serviceApp.ApplicationPool.Name
                DatabaseName           = $db.Name
                DatabaseServer         = $db.NormalizedDataSource
                FailoverDatabaseServer = $db.FailoverServer
                Ensure                 = "Present"
            }
        }
    }
    return $result
}

function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [Parameter()]
        [System.String]
        $ProxyName,

        [Parameter(Mandatory = $true)]
        [System.String]
        $ApplicationPool,

        [Parameter(Mandatory = $true)]
        [System.Boolean]
        $AuditingEnabled,

        [Parameter()]
        [System.UInt32]
        $AuditlogMaxSize,

        [Parameter()]
        [System.String]
        $DatabaseName,

        [Parameter()]
        [System.String]
        $DatabaseServer,

        [Parameter()]
        [System.Boolean]
        $UseSQLAuthentication,

        [Parameter()]
        [System.String]
        $FailoverDatabaseServer,

        [Parameter()]
        [System.Boolean]
        $PartitionMode,

        [Parameter()]
        [System.Boolean]
        $Sharing,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $MasterKey,

        [Parameter()]
        [ValidateSet("Present", "Absent")]
        [System.String]
        $Ensure = "Present",

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $DatabaseCredentials,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $InstallAccount
    )

    Write-Verbose -Message "Setting secure store service application '$Name'"

    $result = Get-TargetResource @PSBoundParameters
    $params = $PSBoundParameters

    if ($result.Ensure -eq "Absent" -and $Ensure -eq "Present")
    {
        Write-Verbose -Message "Creating Secure Store Service Application $Name"
        Invoke-SPDscCommand -Credential $InstallAccount `
            -Arguments $params `
            -ScriptBlock {
            $params = $args[0]

            $newParams = @{
                Name            = $params.Name
                ApplicationPool = $params.ApplicationPool
                AuditingEnabled = $params.AuditingEnabled
            }

            if ($params.UseSQLAuthentication -eq $true)
            {
                Write-Verbose -Message "Using SQL authentication to create service application as `$useSQLAuthentication is set to $($params.useSQLAuthentication)."
                $newParams.Add("DatabaseUsername", $params.DatabaseCredentials.Username)
                $newParams.Add("DatabasePassword", $params.DatabaseCredentials.Password)
            }

            $paramList = @('AuditlogMaxSize', 'DatabaseName', 'DatabaseServer', 'FailoverDatabaseServer', 'PartitionMode', 'Sharing')

            foreach ($item in ($params.GetEnumerator() | Where-Object -FilterScript { $_.Key -in $paramList }))
            {
                $newParams.Add($item.Key, $item.Value)
            }

            $pName = "$($params.Name) Proxy"

            if ($params.ContainsKey("ProxyName") -and $null -ne $params.ProxyName)
            {
                $pName = $params.ProxyName
            }

            New-SPSecureStoreServiceApplication @newParams | New-SPSecureStoreServiceApplicationProxy -Name $pName

            if ($params.ContainsKey("MasterKey"))
            {
                $newPassPhrase = $params.MasterKey.GetNetworkCredential().Password
                $proxy = Get-SPServiceApplicationProxy | Where-Object -FilterScript { $_.Name -eq $pName }
                Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $newPassPhrase
            }
        }
    }

    if ($result.Ensure -eq "Present" -and $Ensure -eq "Present")
    {
        # Added check for -notlike with a wildcard as $result.DatabaseServer might not be a FQDN when we are using an Always On AG
        if ($PSBoundParameters.ContainsKey("DatabaseServer") -and `
            ($result.DatabaseServer -ne $DatabaseServer) -and `
            ($DatabaseServer -notlike "$($result.DatabaseServer).*"))
        {
            $message = ("Specified database server does not match the actual " + `
                    "database server. This resource cannot move the database " + `
                    "to a different SQL instance.")
            Add-SPDscEvent -Message $message `
                -EntryType 'Error' `
                -EventID 100 `
                -Source $MyInvocation.MyCommand.Source
            throw $message
        }

        if ($PSBoundParameters.ContainsKey("DatabaseName") -and `
            ($result.DatabaseName -ne $DatabaseName))
        {
            $message = ("Specified database name does not match the actual " + `
                    "database name. This resource cannot rename the database.")
            Add-SPDscEvent -Message $message `
                -EntryType 'Error' `
                -EventID 100 `
                -Source $MyInvocation.MyCommand.Source
            throw $message
        }

        if ([string]::IsNullOrEmpty($ApplicationPool) -eq $false `
                -and $ApplicationPool -ne $result.ApplicationPool)
        {
            Write-Verbose -Message "Updating Secure Store Service Application $Name"
            Invoke-SPDscCommand -Credential $InstallAccount `
                -Arguments $PSBoundParameters `
                -ScriptBlock {
                $params = $args[0]

                $serviceApp = Get-SPServiceApplication -Name $params.Name | Where-Object -FilterScript {
                    $_.GetType().FullName -eq "Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplication"
                }
                $appPool = Get-SPServiceApplicationPool -Identity $params.ApplicationPool
                Set-SPSecureStoreServiceApplication -Identity $serviceApp -ApplicationPool $appPool
            }
        }
    }

    if ($Ensure -eq "Absent")
    {
        # The service app should not exit
        Write-Verbose -Message "Removing Secure Store Service Application $Name"
        Invoke-SPDscCommand -Credential $InstallAccount `
            -Arguments $PSBoundParameters `
            -ScriptBlock {
            $params = $args[0]

            $serviceApp = Get-SPServiceApplication -Name $params.Name | Where-Object -FilterScript {
                $_.GetType().FullName -eq "Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplication"
            }

            # Remove the connected proxy(ies)
            $proxies = Get-SPServiceApplicationProxy
            foreach ($proxyInstance in $proxies)
            {
                if ($serviceApp.IsConnected($proxyInstance))
                {
                    $proxyInstance.Delete()
                }
            }

            Remove-SPServiceApplication $serviceApp -Confirm:$false
        }
    }
}

function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [Parameter()]
        [System.String]
        $ProxyName,

        [Parameter(Mandatory = $true)]
        [System.String]
        $ApplicationPool,

        [Parameter(Mandatory = $true)]
        [System.Boolean]
        $AuditingEnabled,

        [Parameter()]
        [System.UInt32]
        $AuditlogMaxSize,

        [Parameter()]
        [System.String]
        $DatabaseName,

        [Parameter()]
        [System.String]
        $DatabaseServer,

        [Parameter()]
        [System.Boolean]
        $UseSQLAuthentication,

        [Parameter()]
        [System.String]
        $FailoverDatabaseServer,

        [Parameter()]
        [System.Boolean]
        $PartitionMode,

        [Parameter()]
        [System.Boolean]
        $Sharing,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $MasterKey,

        [Parameter()]
        [ValidateSet("Present", "Absent")]
        [System.String]
        $Ensure = "Present",

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $DatabaseCredentials,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $InstallAccount
    )

    Write-Verbose -Message "Testing secure store service application $Name"

    $PSBoundParameters.Ensure = $Ensure

    $CurrentValues = Get-TargetResource @PSBoundParameters

    Write-Verbose -Message "Current Values: $(Convert-SPDscHashtableToString -Hashtable $CurrentValues)"
    Write-Verbose -Message "Target Values: $(Convert-SPDscHashtableToString -Hashtable $PSBoundParameters)"

    # Added check for -notlike with a wildcard as $CurrentValues.DatabaseServer might not be a FQDN when we are using an Always On AG
    if ($PSBoundParameters.ContainsKey("DatabaseServer") -and `
        ($null -ne $CurrentValues.DatabaseServer) -and `
        ($CurrentValues.DatabaseServer -ne $DatabaseServer) -and `
        ($DatabaseServer -notlike "$($CurrentValues.DatabaseServer).*"))
    {
        $message = ("Specified database server {$DatabaseServer} does not match the actual " + `
                "database server {$($CurrentValues.DatabaseServer)}. This resource " + `
                "cannot move the database to a different SQL instance.")
        Write-Verbose -Message $message
        Add-SPDscEvent -Message $message -EntryType 'Error' -EventID 1 -Source $MyInvocation.MyCommand.Source

        Write-Verbose -Message "Test-TargetResource returned false"
        return $false
    }

    if ($PSBoundParameters.ContainsKey("DatabaseName") -and `
        ($null -ne $CurrentValues.DatabaseName) -and `
        ($CurrentValues.DatabaseName -ne $DatabaseName))
    {
        $message = ("Specified database name {$DatabaseName} does not match the " + `
                "actual database name {$($($CurrentValues.DatabaseName))}. This " + `
                "resource cannot rename the database.")
        Write-Verbose -Message $message
        Add-SPDscEvent -Message $message -EntryType 'Error' -EventID 1 -Source $MyInvocation.MyCommand.Source

        Write-Verbose -Message "Test-TargetResource returned false"
        return $false
    }

    $result = Test-SPDscParameterState -CurrentValues $CurrentValues `
        -Source $($MyInvocation.MyCommand.Source) `
        -DesiredValues $PSBoundParameters `
        -ValuesToCheck @("ApplicationPool", "Ensure")

    Write-Verbose -Message "Test-TargetResource returned $result"

    return $result
}

function Export-TargetResource
{
    $VerbosePreference = "SilentlyContinue"
    $ParentModuleBase = Get-Module "SharePointDsc" -ListAvailable | Select-Object -ExpandProperty Modulebase
    $module = Join-Path -Path $ParentModuleBase -ChildPath  "\DSCResources\MSFT_SPSecureStoreServiceApp\MSFT_SPSecureStoreServiceApp.psm1" -Resolve
    $Content = ''
    $params = Get-DSCFakeParameters -ModulePath $module

    $ssas = Get-SPServiceApplication | Where-Object { $_.GetType().Name -eq "SecureStoreServiceApplication" }

    $i = 1
    $total = $ssas
    foreach ($ssa in $ssas)
    {
        try
        {
            $serviceName = $ssa.DisplayName
            Write-Host "Scanning Secure Store Service Application [$i/$total] {$serviceName}"

            $params.Name = $serviceName
            $PartialContent = " SPSecureStoreServiceApp " + $ssa.Name.Replace(" ", "") + "`r`n"
            $PartialContent += " {`r`n"
            $results = Get-TargetResource @params

            if ($results.Contains("InstallAccount"))
            {
                $results.Remove("InstallAccount")
            }

            $results = Repair-Credentials -results $results

            $foundFailOver = $false
            if ($null -eq $results.FailOverDatabaseServer)
            {
                $results.Remove("FailOverDatabaseServer")
            }
            else
            {
                $foundFailOver = $true
                Add-ConfigurationDataEntry -Node "NonNodeData" -Key "SecureStoreFailOverDatabaseServer" -Value $results.FailOverDatabaseServer -Description "Name of the SQL Server that hosts the FailOver database for your SharePoint Farm's Secure Store Service Application;"
                $results.FailOverDatabaseServer = "`$ConfigurationData.NonNodeData.SecureStoreFailOverDatabaseServer"
            }

            Add-ConfigurationDataEntry -Node "NonNodeData" -Key "DatabaseServer" -Value $results.DatabaseServer -Description "Name of the Database Server associated with the destination SharePoint Farm;"
            $results.DatabaseServer = "`$ConfigurationData.NonNodeData.DatabaseServer"

            $currentBlock = Get-DSCBlock -Params $results -ModulePath $module
            $currentBlock = Convert-DSCStringParamToVariable -DSCBlock $currentBlock -ParameterName "DatabaseServer"
            $currentBlock = Convert-DSCStringParamToVariable -DSCBlock $currentBlock -ParameterName "PsDscRunAsCredential"
            if ($foundFailOver)
            {
                $currentBlock = Convert-DSCStringParamToVariable -DSCBlock $currentBlock -ParameterName "FailOverDatabaseServer"
            }
            $PartialContent += $currentBlock
            $PartialContent += " }`r`n"
            $Content += $PartialContent
            $i++
        }
        catch
        {
            $Global:ErrorLog += "[Secure Store Service Application]" + $ssa.DisplayName + "`r`n"
            $Global:ErrorLog += "$_`r`n`r`n"
        }
    }
    return $Content
}

Export-ModuleMember -Function *-TargetResource