FortigiAutomationLibaryForLocalIIS.psm1

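Function Get-IPFilterRules {
    <#
    .SYNOPSIS
        Lists the IP security (ipsecurity) rules configured on one IIS object.
    .DESCRIPTION
        Reads /system.webserver/security/ipsecurity for the object's PSPath and returns
        one record per rule in its collection. MachineName, EnvironmentName and
        CustomerName are the 3rd, 5th and 7th segments of a PSPath shaped like
        WebAdministration::\\<machine>\Sites\<site>\<folder>\<customer>.
        ExistsOnParent is $True when the parent path's ipsecurity collection (as
        returned by Get-WebConfiguration, so including what the parent inherits)
        carries a rule with the same allowed flag, ip, mask and domain.
    .PARAMETER Object
        An item from the IIS: (WebAdministration) drive; PSPath, PSParentPath and Name
        are read from it.
    .OUTPUTS
        Array of PSCustomObject with Name, Summary, ShortName, ExistsOnParent,
        ObjectName, FolderName, Type, MachineName, EnvironmentName, CustomerName,
        Allowed, IpAddress, SubnetMask, DomainName. Nothing when the object has no rules.
    #>
    Param (
        [Parameter(Mandatory=$True)]
        [psobject]$Object)

    $ConfigFilter = "/system.webserver/security/ipsecurity"
    $Config = Get-WebConfiguration -Filter $ConfigFilter -PSPath $Object.PSPath

    $ObjectName = $Object.PSPath.ToString().Replace("WebAdministration::\\","").Replace("\","/")

    $Split = $Object.PSPath.Split("\")
    $MachineName = $Split[2]
    $EnvironmentName = $Split[4]

    # Initialise explicitly: with PowerShell's dynamic scoping an unset local would
    # otherwise read a $CustomerName / $ParentConfig left behind in the caller's scope.
    $CustomerName = $null
    $ParentConfig = $null

    If ($Split.Count -gt 4) {
        $ParentConfig = Get-WebConfiguration -Filter $ConfigFilter -PSPath $Object.PSParentPath
    }

    If ($Split.Count -gt 5) {
        $CustomerName = $Split[6]
    }

    # Empty attribute strings coming out of the config are reported as $null.
    $NullIfEmpty = { Param($Value) If ([string]::IsNullOrEmpty($Value)) { $null } Else { $Value } }

    # "ip - mask - domain" is the key the import/remove functions use to match rules.
    $SummaryOf = { Param($Rule) $Rule.ipAddress +" - "+ $Rule.subnetMask +" - "+ $Rule.domainName }

    $IPFilterRules = @(Foreach ($Rule in $Config.Collection) {

        $Summary = & $SummaryOf $Rule
        $StringAllowed = If ($Rule.allowed) { "Allow" } Else { "Deny" }

        $ExistsOnParent = $False
        If ($ParentConfig) {
            Foreach ($ParentRule in $ParentConfig.Collection) {
                If (($ParentRule.allowed -eq $Rule.allowed) -and ((& $SummaryOf $ParentRule) -eq $Summary)) {
                    $ExistsOnParent = $True
                }
            }
        }

        [PSCustomObject]@{
            Name            = ($ObjectName +" | "+ $Rule.allowed +" - "+ $Summary)
            Summary         = $Summary
            ShortName       = ($StringAllowed +": "+ $Summary)
            ExistsOnParent  = $ExistsOnParent
            ObjectName      = $ObjectName
            FolderName      = $Object.Name
            Type            = $Object.NodeType
            MachineName     = $MachineName
            EnvironmentName = $EnvironmentName
            CustomerName    = $CustomerName
            Allowed         = (& $NullIfEmpty $Rule.allowed)
            IpAddress       = (& $NullIfEmpty $Rule.ipAddress)
            SubnetMask      = (& $NullIfEmpty $Rule.subnetMask)
            DomainName      = (& $NullIfEmpty $Rule.domainName)
        }
    })

    Return $IPFilterRules
}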

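Function Get-IISConfig {
    <#
    .SYNOPSIS
        Returns the ipsecurity section settings of one IIS object.
    .DESCRIPTION
        Reads /system.webserver/security/ipsecurity for the object's PSPath and reports
        the attributes enableReverseDns, allowUnlisted, enableProxyMode and denyAction
        of its collection, plus the machine / environment / customer names parsed from
        the PSPath (segments 3, 5 and 7 of
        WebAdministration::\\<machine>\Sites\<site>\<folder>\<customer>).
        IsInheritedFromDefaultValue reflects the denyAction attribute only.
    .PARAMETER Object
        An item from the IIS: (WebAdministration) drive; PSPath, Name and NodeType are read.
    .OUTPUTS
        One PSCustomObject with Name, FolderName, Type, MachineName, EnvironmentName,
        CustomerName, EnableReverseDns, AllowUnlisted, EnableProxyMode, DenyAction,
        IsInheritedFromDefaultValue and IPFilterRules. IPFilterRules is left $null here;
        Get-IPFilterRules -Object $Object produces that list.
    #>
    Param(
    [Parameter(Mandatory=$True)]
    [psobject]$Object)

    $ObjectName = $Object.PSPath.ToString().Replace("WebAdministration::\\","").Replace("\","/")

    $Split = $Object.PSPath.Split("\")
    $MachineName = $Split[2]
    $EnvironmentName = $Split[4]

    # Explicit default: dynamic scoping would otherwise surface a caller's $CustomerName.
    $CustomerName = $null
    If ($Split.Count -gt 5) {
        $CustomerName = $Split[6]
    }

    $Config = Get-WebConfiguration -Filter "/system.webserver/security/ipsecurity" -PSPath $Object.PSPath
    $ConfigCollection = $Config.GetCollection()

    Return [PSCustomObject]@{
        Name                        = $ObjectName
        FolderName                  = $Object.Name
        Type                        = $Object.NodeType
        MachineName                 = $MachineName
        EnvironmentName             = $EnvironmentName
        CustomerName                = $CustomerName
        EnableReverseDns            = $ConfigCollection.GetAttributeValue("enableReverseDns")
        AllowUnlisted               = $ConfigCollection.GetAttributeValue("allowUnlisted")
        EnableProxyMode             = $ConfigCollection.GetAttributeValue("enableProxyMode")
        DenyAction                  = $ConfigCollection.GetAttributeValue("denyAction")
        IsInheritedFromDefaultValue = $ConfigCollection.GetAttribute("denyAction").IsInheritedFromDefaultValue
        IPFilterRules               = $null
    }
}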

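Function Import-IISIPFiltersBasedOnSharePointList {
    <#
    .SYNOPSIS
        Applies pending IP filter requests from a SharePoint list to the local IIS.
    .DESCRIPTION
        Connects to SharePoint Online with an app-only credential, reads every item of
        the list that is neither Processed nor flagged Error, and handles the items
        whose IISObject lookup starts with this machine's name (compared
        case-insensitively); other items are left untouched for their own machine.
        Before a rule is added it is checked against the IIS object itself and against
        all its child items: an identical rule, or a rule with the opposite allow/deny
        flag for the same ip/mask/domain, marks the request as Error and nothing is
        changed in IIS. With Inheritance on, an identical rule found on a child is
        removed right before the add so the child inherits it from the parent. With
        Inheritance off, the rule is added and then removed again from every child so
        it applies to this object only.
    .PARAMETER AppID
        SharePoint app-only client id.
    .PARAMETER AppSecret
        SharePoint app-only client secret, passed as plain text to Connect-PnPOnline.
    .PARAMETER url
        Site url the list lives on.
    .PARAMETER ListName
        Title of the request list. Fields used: IISObject (lookup), EntryType ("Allow"
        means allow, anything else deny), IPAddress, SubNetMask, DomainName,
        Inheritance, Processed, Error, Exception.
    .OUTPUTS
        None. Progress goes to Write-Host; the outcome is written back to the list item
        as Processed=1 or Error=1 plus an Exception text. An unexpected error from
        Add-WebConfigurationProperty stops the whole run (break), as in the original.
    #>
    Param (
        [string]$AppID,
        [string]$AppSecret,
        [string]$url,
        [String]$ListName
        )

    $ConfigFilter = "/system.webserver/security/ipsecurity"
    # Anchored so only the leading machine name is stripped from an object name; the
    # original Replace() would also hit a site or app whose name contains the machine name.
    $MachinePrefix = "^" + [regex]::Escape($env:COMPUTERNAME)

    # Local helpers; defined inside the function so the module does not export them.

    # Key used to decide whether two rules are "the same": ip - mask - domain.
    Function Get-RuleSummary ($Rule) {
        Return ($Rule.ipAddress +" - "+ $Rule.subnetMask +" - "+ $Rule.domainName)
    }

    # Flags one request as failed and echoes the reason.
    Function Set-ItemError ($ListId, $ItemId, [string]$Message) {
        Set-PnPListItem -List $ListId -Identity $ItemId.ToString() -Values @{Error=1;Exception=$Message}
        Write-Host $Message
    }

    # Removes, from every child item of $Path, each rule with the given summary and
    # allowed flag. Returns the PSPaths a rule was removed from. $Index is only
    # advanced when nothing was removed, because a removal moves the following
    # rules up one position in the collection.
    Function Remove-RuleFromChildren ($Path, $Summary, [bool]$Allowed, [int]$PauseSeconds) {
        $RemovedFrom = @()
        Foreach ($ChildItem in (Get-ChildItem -Path $Path -Recurse -Exclude *.*)) {
            $Config = Get-WebConfiguration -Filter $ConfigFilter -PSPath $ChildItem.PSPath
            [int]$Index = 0
            Foreach ($Rule in $Config.Collection) {
                If (((Get-RuleSummary $Rule) -eq $Summary) -and ($Rule.allowed -eq $Allowed)) {
                    Remove-WebConfigurationProperty -PSPath $ChildItem.PSPath -Filter $ConfigFilter -Name Collection -AtIndex $Index
                    $RemovedFrom += $ChildItem.PSPath
                    If ($PauseSeconds -gt 0) { Start-Sleep -s $PauseSeconds }
                }
                Else {
                    $Index = $Index + 1
                }
            }
        }
        Return $RemovedFrom
    }

    Connect-PnpOnline -AppId $AppID -AppSecret  $AppSecret -Url $url
    $List = Get-PnPList  | Where-Object {$_.Title -eq $ListName}

    #Get All items from the list, exclude Processed and Errors
    $NewIPFilters = Get-PnPListItem -List $List.Id | Where-Object {$_.FieldValues.Processed -ne 1} | Where-Object {$_.FieldValues.Error -ne 1}

    Foreach ($NewIPFilter in $NewIPFilters) {

        $InputIISObject = $NewIPFilter.FieldValues.IISObject.LookupValue
        $EntryTypeBL = ($NewIPFilter.FieldValues.EntryType -eq "Allow")
        $IPAddress = $NewIPFilter.FieldValues.IPAddress
        $SubNetMask = $NewIPFilter.FieldValues.SubNetMask
        $DomainName = $NewIPFilter.FieldValues.DomainName
        $Inheritance = $NewIPFilter.FieldValues.Inheritance

        # Only requests addressed to this machine are handled; an empty lookup is skipped.
        If ((-not $InputIISObject) -or ($InputIISObject -notmatch $MachinePrefix)) {
            Continue
        }

        # "<machine>/Sites/<site>/..." -> "IIS:\Sites\<site>\..."
        $PSlocation = "IIS:" + ($InputIISObject -replace $MachinePrefix, "").Replace("/","\")

        If (-not(Test-Path $PSlocation)) {
            Set-ItemError $List.Id $NewIPFilter.Id "Can't add IP filter. IIS object not found."
            Continue
        }

        $Summary = $IPAddress +" - "+$SubNetMask +" - "+ $DomainName
        $Blocked = $False

        # 1. The object itself: the same rule, or the opposite (allow vs deny) rule,
        #    both prevent the add.
        $Config = Get-WebConfiguration -Filter $ConfigFilter -PSPath $PSlocation
        Foreach ($Rule in $Config.Collection) {
            If ((Get-RuleSummary $Rule) -ne $Summary) { Continue }

            If ($Rule.allowed -eq $EntryTypeBL) {
                $Message = "Rule not added.. because it already exists."
            }
            ElseIf ($EntryTypeBL) {
                $Message = "Can't add this allow rule.. because a simular deny rule exists. Please remove the other rule before adding this one."
            }
            Else {
                $Message = "Can't add this deny rule.. because a simular allow rule exists. Please remove the other rule before adding this one."
            }
            Set-ItemError $List.Id $NewIPFilter.Id $Message
            $Blocked = $True
        }

        # 2. Child items (-Exclude *.* skips files, keeping sites/apps/folders). Only
        #    inspected here; nothing is removed until the add is known to go ahead,
        #    so a refused request never strips a child of its own rule.
        $ChildItems = Get-ChildItem -Path $PSlocation -Recurse -Exclude *.*
        Foreach ($ChildItem in $ChildItems) {
            $Config = Get-WebConfiguration -Filter $ConfigFilter -PSPath $ChildItem.PSPath
            $Where = "("+ $ChildItem.PSPath +")"

            Foreach ($Rule in $Config.Collection) {
                If ((Get-RuleSummary $Rule) -ne $Summary) { Continue }

                If ($Rule.allowed -ne $EntryTypeBL) {
                    # Opposite rule on a child: refused whatever the inheritance setting.
                    If ($EntryTypeBL) {
                        $Message = "Can't add this allow rule.. because a simular deny rule exists on "+ $Where +". Please remove the other rule before adding this one."
                    }
                    Else {
                        $Message = "Can't add this deny rule.. because a simular allow rule exists on "+ $Where +". Please remove the other rule before adding this one."
                    }
                    If (-not $Inheritance) {
                        $Message += " Inheritance is turned on, but this doesn't matter."
                    }
                    Set-ItemError $List.Id $NewIPFilter.Id $Message
                    $Blocked = $True
                }
                ElseIf (-not $Inheritance) {
                    # Inheritance off and the child already carries the rule: refused.
                    # (The original flagged the item but still went on to add the rule.)
                    $Message = "Can't this allow rule. Inheritance is tured off and a simular rule exists on "+ $Where +". Please remove the other rule before adding this one."
                    Set-ItemError $List.Id $NewIPFilter.Id $Message
                    $Blocked = $True
                }
                # Identical rule with inheritance on: removed just before the add, below.
            }
        }

        If ($Blocked) { Continue }

        If ($Inheritance) {
            #If a simular rule is found on a child, remove it.. it will get the same rule because inheritance is on.
            Foreach ($ChildPath in (Remove-RuleFromChildren $PSlocation $Summary $EntryTypeBL 0)) {
                Write-Host ("Rule exists on ("+ $ChildPath + "). We removed it, so we could add it to the parent.")
            }
        }

        #Go do.
        $value = @{"allowed"=$EntryTypeBL.tostring()}
        If ($IPAddress) { $value += @{"ipAddress"=$IPAddress}}
        If ($SubNetMask) { $value += @{"subnetMask"=$SubNetMask}}
        If ($DomainName) { $value += @{"domainName"=$DomainName}}

        Write-Host "Adding $Summary to $PSlocation"
        Try {
            Add-WebConfigurationProperty -Filter $ConfigFilter -PSPath $PSlocation -Name "." -Value $value -ErrorAction Stop
        }
        Catch [System.Exception] {
            # $NewIPFilter (the current item), not the whole $NewIPFilters collection.
            Set-PnPListItem -List $List.Id -Identity $NewIPFilter.Id.ToString() -Values @{Error=1;Exception="Unexpected Error."+$_+"."}
            Write-host "Unexpected Error."$_
            # Leaves the Foreach over all requests: the run stops on an unexpected IIS
            # error and the remaining items are picked up by the next run.
            break
        }

        If (-not $Inheritance) {
            #If Inheritance is OFF.. remove it from child items.
            Start-Sleep -s 5
            [void](Remove-RuleFromChildren $PSlocation $Summary $EntryTypeBL 2)
        }

        Set-PnPListItem -List $List.Id -Identity $NewIPFilter.Id.ToString() -Values @{Processed=1}
    }
}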

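Function Remove-IISIPFiltersBasedOnSharePointList {
    <#
    .SYNOPSIS
        Removes IIS ipsecurity rules that are queued for removal in a SharePoint list.
    .DESCRIPTION
        Connects to SharePoint Online with an app-only credential and reads the removal
        list (items not yet Processed and not flagged Error). Each removal item points,
        through its IPFilter lookup, at an item of the IP filters list that carries the
        rule's EntryType, IPAddress, SubNetMask, DomainName, MachineName and ObjectName.
        Only rules whose MachineName equals this machine are handled in this run. The
        rule is located on the IIS object by comparing allowed/ip/mask/domain and
        removed; a rule that is not present marks the request as Error so it is not
        re-scanned forever.
    .PARAMETER AppID
        SharePoint app-only client id.
    .PARAMETER AppSecret
        SharePoint app-only client secret, passed as plain text to Connect-PnPOnline.
    .PARAMETER url
        Site url both lists live on.
    .PARAMETER RemoveIPFiltersListName
        Title of the removal request list (fields: IPFilter lookup, Processed, Error, Exception).
    .PARAMETER IPFiltersListName
        Title of the IP filter inventory list the lookup refers to.
    .OUTPUTS
        None. The outcome is written back to the removal item as Processed=1 or
        Error=1 plus an Exception text.
    #>
    Param (
        [string]$AppID,
        [string]$AppSecret,
        [string]$url,
        [String]$RemoveIPFiltersListName,
        [String]$IPFiltersListName
        )

    $ConfigFilter = "/system.webserver/security/ipsecurity"
    # Anchored so only the leading machine name is stripped from the object name; a
    # site or app whose name contains the machine name is left intact.
    $MachinePrefix = "^" + [regex]::Escape($env:COMPUTERNAME)

    Connect-PnpOnline -AppId $AppID -AppSecret  $AppSecret -Url $url

    $RemoveIPFilterList = Get-PnPList  | Where-Object {$_.Title -eq $RemoveIPFiltersListName}
    $RemoveIPFilters = Get-PnPListItem -List $RemoveIPFilterList.Id | Where-Object {$_.FieldValues.Processed -ne 1} | Where-Object {$_.FieldValues.Error -ne 1}

    $IPFilterList = Get-PnPList  | Where-Object {$_.Title -eq $IPFiltersListName}
    $IPFilters = Get-PnPListItem -List $IPFilterList.Id

    # Flags one removal request as failed and echoes the reason. The item lives in
    # the removal list, so that list id is the target (the original wrote to $List.Id,
    # a variable this function never defined).
    Function Set-ItemError ($ListId, $ItemId, [string]$Message) {
        Set-PnPListItem -List $ListId -Identity $ItemId.ToString() -Values @{Error=1;Exception=$Message}
        Write-Host $Message
    }

    Foreach ($RemoveIPFilter in $RemoveIPFilters) {

        $IPFilter = $IPFilters | Where-Object {$_.FieldValues.Title -eq $RemoveIPFilter.FieldValues.IPFilter.LookupValue}

        If (-not $IPFilter) {
            Set-ItemError $RemoveIPFilterList.Id $RemoveIPFilter.Id "Error, IP filter not found."
            Continue
        }

        #Check if this IP Filter was set on this machine; other machines handle their own.
        If ($IPFilter.FieldValues.MachineName -ne $env:COMPUTERNAME) {
            Continue
        }

        $EntryTypeBL = ($IPFilter.FieldValues.EntryType -eq "Allow")
        $IPAddress = $IPFilter.FieldValues.IPAddress
        $SubNetMask = $IPFilter.FieldValues.SubNetMask
        $DomainName = $IPFilter.FieldValues.DomainName
        # Whitespace-free "allowed-ip-mask-domain" key; the same shape is built from
        # each IIS rule below.
        $Summary = ($EntryTypeBL.tostring() + "-" + $IPAddress + "-" +  $SubNetMask + "-" + $DomainName).replace(" ","")

        #Find IIS OBject: ObjectName is "<machine>/Sites/<site>/..." -> "IIS:\Sites\<site>\..."
        $PSlocation = "IIS:" + ($IPFilter.FieldValues.ObjectName -replace $MachinePrefix, "").Replace("/","\")

        If (-not(Test-Path $PSlocation)) {
            Set-ItemError $RemoveIPFilterList.Id $RemoveIPFilter.Id "Can't remove IP filter. IIS object not found on IIS config."
            Continue
        }

        #Zoek de IP Filter rule (find the rule on the object)
        $Config = Get-WebConfiguration -Filter $ConfigFilter -PSPath $PSlocation
        $Handled = $False

        [int]$Index = 0
        Foreach ($Rule in $Config.Collection) {
            $RuleSummary = ($Rule.allowed.tostring() + "-" + $Rule.ipAddress +" - "+$Rule.subnetMask +" - "+ $Rule.domainName).replace(" ","")

            If ($RuleSummary -ne $Summary) {
                $Index = $Index + 1
                Continue
            }

            Write-Host "Removing $Summary from $PSlocation"
            Try {
                # -ErrorAction Stop so a failed removal actually reaches the Catch.
                Remove-WebConfigurationProperty -PSPath $PSlocation -Filter $ConfigFilter -Name Collection -AtIndex $Index -ErrorAction Stop
                Set-PnPListItem -List $RemoveIPFilterList.Id -Identity $RemoveIPFilter.Id.ToString() -Values @{Processed=1}
                $Handled = $True
            }
            Catch [System.Exception] {
                Set-PnPListItem -List $RemoveIPFilterList.Id -Identity $RemoveIPFilter.Id.ToString() -Values @{Error=1;Exception="Unexpected Error."+$_+"."}
                Write-host "Unexpected Error."$_
                $Handled = $True
                # Leaves only the loop over this object's rules; the next request is still processed.
                break
            }
            # $Index is not advanced: the rules after the removed one moved up one
            # position, so the next rule now sits at this index.
        }

        If (-not $Handled) {
            Set-ItemError $RemoveIPFilterList.Id $RemoveIPFilter.Id "Can't remove IP filter. Rule not found on IIS object."
        }
    }
}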