Framework/Core/SVT/Services/NotificationHub.ps1

#using namespace Microsoft.Azure.Commands.KeyVault.Models
# Strict mode at the latest version: uninitialized variables, references to
# non-existent properties and out-of-range indexes raise errors instead of
# silently evaluating to $null.
Set-StrictMode -Version Latest 
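# SVT check class for an Azure Notification Hub resource.
# Both constructors resolve the hub resource and its parent namespace up front;
# CheckAuthorizationRule then reports authorization rules that carry the 'Manage' right.
class NotificationHub: SVTBase
{
    # Hub resource returned by Get-AzResource; cached after the first successful lookup.
    hidden [PSObject] $ResourceObject;
    # Parent namespace returned by Get-AzNotificationHubsNamespace.
    hidden [PSObject] $NamespaceObject;

    # Builds the check from explicit subscription / resource group / resource name values.
    NotificationHub([string] $subscriptionId, [string] $resourceGroupName, [string] $resourceName): 
        Base($subscriptionId, $resourceGroupName, $resourceName) 
    { 
        $this.GetResourceObject();
    }

    # Builds the check from an already-populated SVTResource.
    NotificationHub([string] $subscriptionId, [SVTResource] $svtResource): 
        Base($subscriptionId, $svtResource) 
    { 
        $this.GetResourceObject();
    }

    # Looks up the hub resource (once) and its parent namespace.
    # Returns the cached resource object.
    # Throws a SuppressedException (InvalidOperation) when no matching resource is found.
    hidden [PSObject] GetResourceObject()
    {
        if (-not $this.ResourceObject) {
            # The lookup is scoped to the resource group from the resource context: the namespace
            # lookup below and the 'not found' message both assume that group, and an unscoped
            # wildcard search could resolve a similarly named hub elsewhere in the subscription.
            # NOTE(review): the "*name*" wildcard can still match more than one hub inside the
            # group; the namespace is then taken from the first match. Confirm whether an exact
            # name match is intended.
            $this.ResourceObject = Get-AzResource -Name "*$($this.ResourceContext.ResourceName)*" `
                                                  -ResourceType "Microsoft.NotificationHubs/namespaces/notificationHubs" `
                                                  -ResourceGroupName $this.ResourceContext.ResourceGroupName

            # Validate before dereferencing: under strict mode, reading .Name on a missing
            # resource fails with a generic error and the intended SuppressedException is never raised.
            if(-not $this.ResourceObject)
            {
                throw ([SuppressedException]::new(("Resource '{0}' not found under Resource Group '{1}'" -f ($this.ResourceContext.ResourceName), ($this.ResourceContext.ResourceGroupName)), [SuppressedExceptionType]::InvalidOperation))
            }

            # The resource name has the form '<namespace>/<hub>'; the first segment is the namespace.
            $Namespace = $this.ResourceObject.Name.split("/")[0] 
            $this.NamespaceObject = Get-AzNotificationHubsNamespace -ResourceGroup $this.ResourceContext.ResourceGroupName -Namespace $Namespace
        }
        return $this.ResourceObject;
    }


    # Evaluates the hub's authorization rules for the 'Manage' right.
    #   - No rule with 'Manage'                      -> Passed
    #   - Only DefaultFullSharedAccessSignature      -> Verify (state data recorded)
    #   - Any other set of rules with 'Manage'       -> Verify (state data recorded)
    # The result is Verify rather than Failed because the rule list alone does not show
    # where the keys are deployed; the reviewer has to confirm they are not used client-side.
    # Returns the same $controlResult instance that was passed in.
    hidden [ControlResult] CheckAuthorizationRule([ControlResult] $controlResult)
    {
        # ResourceName is expected as '<namespace>/<hub>'; the second segment is the hub name.
        $resourceName = ($this.ResourceContext.ResourceName.Split("/")[1]);
        $accessPolicieswithManageRights =  (Get-AzNotificationHubAuthorizationRules `
                                                -ResourceGroup $this.ResourceContext.ResourceGroupName `
                                                -Namespace $this.NamespaceObject.Name `
                                                -NotificationHub $resourceName) `
                                                | Where-Object Rights -Contains "Manage" `
                                                | Select-Object -Property Name, Rights  

        if((($accessPolicieswithManageRights | Measure-Object).Count -eq 1) -and ($accessPolicieswithManageRights.Name -eq "DefaultFullSharedAccessSignature")) {
            # Only the built-in full-access rule carries 'Manage'.
            $controlResult.AddMessage([VerificationResult]::Verify,
                            [MessageData]::new("Only the default authorization rule has 'Manage' security claim access rights for resource - ["+ $this.ResourceContext.ResourceName +"]. Please ensure that these authorization rules are not used at the client end."  , 
                            $accessPolicieswithManageRights));

            $controlResult.SetStateData("Access policy with 'Manage' rights",$accessPolicieswithManageRights);
        }
        elseif($null -ne $accessPolicieswithManageRights) {
            # One or more non-default (or multiple) rules carry 'Manage'.
            $controlResult.AddMessage([VerificationResult]::Verify,
                            [MessageData]::new("Authorization rules having 'Manage' security claim access rights for resource - ["+ $this.ResourceContext.ResourceName +"]. Please ensure that these authorization rules are not used at the client end."  , 
                            $accessPolicieswithManageRights));

            $controlResult.SetStateData("Access policies with 'Manage' rights",$accessPolicieswithManageRights);
        }
        else {
            # Nothing survived the 'Manage' filter.
            $controlResult.AddMessage([VerificationResult]::Passed,
                            [MessageData]::new("No authorization rules found with 'Manage' security claim access rights for resource - ["+ $this.ResourceContext.ResourceName +"]"  , 
                            $accessPolicieswithManageRights));
        }

        return $controlResult;
    }
}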