DscResources/Carbon_Privilege/Carbon_Privilege.psm1

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

& (Join-Path -Path $PSScriptRoot -ChildPath '..\Initialize-CarbonDscResource.ps1' -Resolve)

function Get-TargetResource
{
    [CmdletBinding(SupportsShouldProcess=$true)]
    [OutputType([hashtable])]
    param(
        [Parameter(Mandatory=$true)]
        [string]
        # The identity of the principal whose privileges to get.
        $Identity,
        
        [AllowEmptyCollection()]
        [string[]]
        # The user's expected/desired privileges.
        $Privilege = @(),
        
        [ValidateSet('Present','Absent')]
        [string]
        # Should the user exist or not exist?
        $Ensure = 'Present'
    )

    Set-StrictMode -Version 'Latest'

    [string[]]$currentPrivileges = Get-Privilege -Identity $Identity
    $Ensure = 'Present'
    if( -not $currentPrivileges )
    {
        [string[]]$currentPrivileges = @()
    }

    foreach( $item in $Privilege )
    {
        if( $currentPrivileges -notcontains $item )
        {
            $Ensure = 'Absent'
            break
        }
    }

    foreach( $item in $currentPrivileges )
    {
        if( $Privilege -notcontains $item )
        {
            $Ensure = 'Absent'
            break
        }
    }

    $resource = @{
                    Identity = $Identity;
                    Privilege = $currentPrivileges;
                    Ensure = $Ensure;
                }

    
    return $resource
}


function Set-TargetResource
{
    <#
    .SYNOPSIS
    DSC resource for managing privileges.
 
    .DESCRIPTION
    The `Carbon_Privilege` resource manages privileges, i.e. the system operations and logons a user or group can perform.
 
    Privileges are granted by default. The user/group is granted only the privileges specified by the `Privilege` property. All other privileges are revoked.
     
    To revoke *all* a user's privileges, set the `Ensure` property to `Absent`. To revoke specific privileges, grant the user just the desired privileges. All others are revoked.
 
    *Privilege names are **case-sensitive**.* Valid privileges are documented on Microsoft's website: [Privilege Constants](http://msdn.microsoft.com/en-us/library/windows/desktop/bb530716.aspx) and [Account Right Constants](http://msdn.microsoft.com/en-us/library/windows/desktop/bb545671.aspx). Here is the most current list, as of August 2014:
 
     * SeAssignPrimaryTokenPrivilege
     * SeAuditPrivilege
     * SeBackupPrivilege
     * SeBatchLogonRight
     * SeChangeNotifyPrivilege
     * SeCreateGlobalPrivilege
     * SeCreatePagefilePrivilege
     * SeCreatePermanentPrivilege
     * SeCreateSymbolicLinkPrivilege
     * SeCreateTokenPrivilege
     * SeDebugPrivilege
     * SeDenyBatchLogonRight
     * SeDenyInteractiveLogonRight
     * SeDenyNetworkLogonRight
     * SeDenyRemoteInteractiveLogonRight
     * SeDenyServiceLogonRight
     * SeEnableDelegationPrivilege
     * SeImpersonatePrivilege
     * SeIncreaseBasePriorityPrivilege
     * SeIncreaseQuotaPrivilege
     * SeIncreaseWorkingSetPrivilege
     * SeInteractiveLogonRight
     * SeLoadDriverPrivilege
     * SeLockMemoryPrivilege
     * SeMachineAccountPrivilege
     * SeManageVolumePrivilege
     * SeNetworkLogonRight
     * SeProfileSingleProcessPrivilege
     * SeRelabelPrivilege
     * SeRemoteInteractiveLogonRight
     * SeRemoteShutdownPrivilege
     * SeRestorePrivilege
     * SeSecurityPrivilege
     * SeServiceLogonRight
     * SeShutdownPrivilege
     * SeSyncAgentPrivilege
     * SeSystemEnvironmentPrivilege
     * SeSystemProfilePrivilege
     * SeSystemtimePrivilege
     * SeTakeOwnershipPrivilege
     * SeTcbPrivilege
     * SeTimeZonePrivilege
     * SeTrustedCredManAccessPrivilege
     * SeUndockPrivilege
     * SeUnsolicitedInputPrivilege
 
    `Carbon_Privilege` is new in Carbon 2.0.
 
    .LINK
    Get-Privilege
 
    .LINK
    Grant-Privilege
 
    .LINK
    Revoke-Privilege
 
    .LINK
    Test-Privilege
 
    .LINK
    http://msdn.microsoft.com/en-us/library/windows/desktop/bb530716.aspx
 
    .LINK
    http://msdn.microsoft.com/en-us/library/windows/desktop/bb545671.aspx
 
    .EXAMPLE
    >
    Demonstrates how to grant a service user the ability to log in as a service.
 
        Carbon_Privilege GrantServiceLogonPrivileges
        {
            Identity = 'CarbonServiceUser'
            Privilege = 'SeBatchLogonRight','SeServiceLogonRight';
        }
 
    .EXAMPLE
    >
    Demonstrates how to revoke all a user/group's privileges. To revoke specific privileges, grant just the privileges you want. All other privileges are revoked.
 
        Carbon_Privilege RevokePrivileges
        {
            Identity = 'CarbonServiceUser'
            Ensure = 'Absent'
        }
    #>

    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)]
        [string]
        # The identity of the principal whose privileges to set.
        $Identity,
        
        [AllowEmptyCollection()]
        [string[]]
        # The user's expected/desired privileges. *Privilege names are **case-sensitive**.* Ignored when `Ensure` is set to `Absent`.
        $Privilege = @(),
        
        [ValidateSet('Present','Absent')]
        [string]
        # Should the user exist or not exist?
        $Ensure = 'Present'
    )

    Set-StrictMode -Version 'Latest'

    $currentPrivileges = Get-Privilege -Identity $Identity
    if( $currentPrivileges )
    {
        Write-Verbose ('Revoking ''{0}'' privileges: {1}' -f $Identity,($currentPrivileges -join ','))
        Revoke-Privilege -Identity $Identity -Privilege $currentPrivileges
    }

    if( $Ensure -eq 'Present' -and $Privilege )
    {
        Write-Verbose ('Granting ''{0}'' privileges: {1}' -f $Identity,($Privilege -join ','))
        Grant-Privilege -Identity $Identity -Privilege $Privilege
    }
}


function Test-TargetResource
{
    [CmdletBinding(SupportsShouldProcess=$true)]
    [OutputType([bool])]
    param(
        [Parameter(Mandatory=$true)]
        [string]
        # The identity of the principal whose privileges to test.
        $Identity,
        
        [AllowEmptyCollection()]
        [string[]]
        # The user's expected/desired privileges.
        $Privilege = @(),
        
        [ValidateSet('Present','Absent')]
        [string]
        # Should the user exist or not exist?
        $Ensure = 'Present'
    )

    Set-StrictMode -Version 'Latest'

    $resource = Get-TargetResource -Identity $Identity -Privilege $Privilege

    $privilegeMissing = $resource.Ensure -eq 'Absent'
    if( $Ensure -eq 'Absent' )
    {
        $absent = $resource.Privilege.Length -eq 0
        if( $absent )
        {
            Write-Verbose ('Identity ''{0}'' has no privileges' -f $Identity)
            return $true
        }
        
        Write-Verbose ('Identity ''{0}'' has privilege(s) {1}' -f $Identity,($resource.Privilege -join ','))
        return $false
    }

    if( $privilegeMissing )
    {
        $msgParts = @()
        $extraPrivileges = $resource.Privilege | Where-Object { $Privilege -notcontains $_ }
        if( $extraPrivileges )
        {
            $msgParts += 'extra privilege(s): {0}' -f ($extraPrivileges -join ',')
        }

        $missingPrivileges = $Privilege | Where-Object { $resource.Privilege -notcontains $_ }
        if( $missingPrivileges )
        {
            $msgParts += 'missing privilege(s): {0}' -f ($missingPrivileges -join ',')
        }
        Write-Verbose ('Identity ''{0}'' {1}' -f $Identity,($msgParts -join '; '))
        return $false
    }

    return $true
}