DSCResources/MSFT_SPTrustedIdentityTokenIssuer/MSFT_SPTrustedIdentityTokenIssuer.psm1

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [parameter(Mandatory = $true)]
        [String]
        $Name,

        [parameter(Mandatory = $true)]
        [String]
        $Description,

        [parameter(Mandatory = $true)]
        [String]
        $Realm,

        [parameter(Mandatory = $true)]
        [String]
        $SignInUrl,

        [parameter(Mandatory = $true)]
        [String]
        $IdentifierClaim,

        [parameter(Mandatory = $true)]
        [Microsoft.Management.Infrastructure.CimInstance[]]
        $ClaimsMappings,

        [parameter(Mandatory = $true)]
        [String]
        $SigningCertificateThumbPrint,

        [parameter(Mandatory = $false)]
        [ValidateSet("Present","Absent")]
        [String]
        $Ensure = "Present",

        [parameter(Mandatory = $false)]
        [String]
        $ClaimProviderName,

        [parameter(Mandatory = $false)]
        [String]
        $ProviderSignOutUri,

        [parameter(Mandatory = $false)]
        [System.Management.Automation.PSCredential]
        $InstallAccount
    )

    Write-Verbose -Message "Getting SPTrustedIdentityTokenIssuer '$Name' settings"

    $result = Invoke-SPDSCCommand -Credential $InstallAccount `
                                  -Arguments $PSBoundParameters `
                                  -ScriptBlock {
        $params = $args[0]

        $claimsMappings = @()
        $spTrust = Get-SPTrustedIdentityTokenIssuer -Identity $params.Name `
                                                    -ErrorAction SilentlyContinue
        if ($spTrust) 
        { 
            $description = $spTrust.Description
            $realm = $spTrust.DefaultProviderRealm
            $signInUrl = $spTrust.ProviderUri.OriginalString
            $identifierClaim = $spTrust.IdentityClaimTypeInformation.MappedClaimType
            $signingCertificateThumbPrint = $spTrust.SigningCertificate.Thumbprint
            $currentState = "Present"
            $claimProviderName = $sptrust.ClaimProviderName
            $providerSignOutUri = $sptrust.ProviderSignOutUri.OriginalString
            $spTrust.ClaimTypeInformation| Foreach-Object -Process {
                $claimsMappings = $claimsMappings + @{
                    Name = $_.DisplayName
                    IncomingClaimType = $_.InputClaimType
                    LocalClaimType = $_.MappedClaimType
                }
            }
        } 
        else 
        { 
            $description = ""
            $realm = ""
            $signInUrl = ""
            $identifierClaim = ""
            $signingCertificateThumbPrint = ""
            $currentState = "Absent"
            $claimProviderName = ""
            $providerSignOutUri = ""
        }

        return @{
            Name                         = $params.Name
            Description                  = $description
            Realm                        = $realm
            SignInUrl                    = $signInUrl
            IdentifierClaim              = $identifierClaim
            ClaimsMappings               = $claimsMappings
            SigningCertificateThumbPrint = $signingCertificateThumbPrint
            Ensure                       = $currentState
            ClaimProviderName            = $claimProviderName
            ProviderSignOutUri           = $providerSignOutUri
        }        
    }
    return $result
}

function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [parameter(Mandatory = $true)]
        [String]
        $Name,

        [parameter(Mandatory = $true)]
        [String]
        $Description,

        [parameter(Mandatory = $true)]
        [String]
        $Realm,

        [parameter(Mandatory = $true)]
        [String]
        $SignInUrl,

        [parameter(Mandatory = $true)] 
        [String]
        $IdentifierClaim,

        [parameter(Mandatory = $true)]
        [Microsoft.Management.Infrastructure.CimInstance[]]
        $ClaimsMappings,

        [parameter(Mandatory = $true)]
        [String]
        $SigningCertificateThumbPrint,

        [parameter(Mandatory = $false)]
        [ValidateSet("Present","Absent")]
        [String]
        $Ensure = "Present",

        [parameter(Mandatory = $false)]
        [String]
        $ClaimProviderName,

        [parameter(Mandatory = $false)]
        [String]
        $ProviderSignOutUri,

        [parameter(Mandatory = $false)]
        [System.Management.Automation.PSCredential]
        $InstallAccount
    )

    Write-Verbose -Message "Setting SPTrustedIdentityTokenIssuer '$Name' settings"

    $CurrentValues = Get-TargetResource @PSBoundParameters

    if ($Ensure -eq "Present") 
    {
        if ($CurrentValues.Ensure -eq "Absent")
        {
            Write-Verbose -Message "Creating SPTrustedIdentityTokenIssuer '$Name'"
            $result = Invoke-SPDSCCommand -Credential $InstallAccount `
                                          -Arguments $PSBoundParameters `
                                          -ScriptBlock {
                $params = $args[0]

                $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object -FilterScript {
                    $_.Thumbprint -match $params.SigningCertificateThumbPrint
                }

                if (!$cert) 
                {
                    throw ("The certificate thumbprint does not match a certificate in " + `
                           "certificate store LocalMachine\My.")
                    return
                }

                if ($cert.HasPrivateKey) 
                {
                    throw ("SharePoint requires that the private key of the signing " + `
                           "certificate is not installed in the certificate store.")
                }
                
                $claimsMappingsArray = @()
                $params.ClaimsMappings| Foreach-Object -Process {
                    $runParams = @{}
                    $runParams.Add("IncomingClaimTypeDisplayName", $_.Name)
                    $runParams.Add("IncomingClaimType", $_.IncomingClaimType)
                    if ($null -eq $_.LocalClaimType) 
                    {
                        $runParams.Add("LocalClaimType", $_.IncomingClaimType)
                    }
                    else 
                    {
                        $runParams.Add("LocalClaimType", $_.LocalClaimType)
                    }

                    $newMapping = New-SPClaimTypeMapping @runParams
                    $claimsMappingsArray += $newMapping
                }

                if (!($claimsMappingsArray | Where-Object -FilterScript {
                        $_.MappedClaimType -like $params.IdentifierClaim
                    })) 
                {
                    throw ("IdentifierClaim does not match any claim type specified in " + `
                           "ClaimsMappings.")
                    return
                }

                $runParams = @{}
                $runParams.Add("ImportTrustCertificate", $cert)
                $runParams.Add("Name", $params.Name)
                $runParams.Add("Description", $params.Description)
                $runParams.Add("Realm", $params.Realm)
                $runParams.Add("SignInUrl", $params.SignInUrl)
                $runParams.Add("IdentifierClaim", $params.IdentifierClaim)
                $runParams.Add("ClaimsMappings", $claimsMappingsArray)
                $trust = New-SPTrustedIdentityTokenIssuer @runParams

                if ($null -eq $trust)
                {
                    throw "SharePoint failed to create the SPTrustedIdentityTokenIssuer."
                }

                if ((Get-SPClaimProvider| Where-Object -FilterScript {
                    $_.DisplayName -eq $params.ClaimProviderName
                })) 
                {
                    $trust.ClaimProviderName = $params.ClaimProviderName
                }

                if ($params.ProviderSignOutUri) 
                { 
                    $trust.ProviderSignOutUri = New-Object -TypeName System.Uri ($params.ProviderSignOutUri) 
                }
                $trust.Update()
             }
        }
    }
    else
    {
        Write-Verbose "Removing SPTrustedIdentityTokenIssuer '$Name'"
        $result = Invoke-SPDSCCommand -Credential $InstallAccount `
                                      -Arguments $PSBoundParameters `
                                      -ScriptBlock {
            $params = $args[0]
            $Name = $params.Name
            # SPTrustedIdentityTokenIssuer must be removed from each zone of each web app before
            # it can be deleted
            Get-SPWebApplication | Foreach-Object -Process {
                $wa = $_
                $webAppUrl = $wa.Url
                $update = $false
                $urlZones = [Enum]::GetNames([Microsoft.SharePoint.Administration.SPUrlZone])
                $urlZones | Foreach-Object -Process {
                    $zone = $_
                    $providers = Get-SPAuthenticationProvider -WebApplication $wa.Url `
                                                              -Zone $zone `
                                                              -ErrorAction SilentlyContinue
                    if (!$providers)
                    { 
                        return
                    }
                    $trustedProviderToRemove = $providers | Where-Object -FilterScript {
                        $_ -is [Microsoft.SharePoint.Administration.SPTrustedAuthenticationProvider] `
                        -and $_.LoginProviderName -like $params.Name
                    }
                    if ($trustedProviderToRemove) 
                    {
                        Write-Verbose -Message ("Removing SPTrustedAuthenticationProvider " + `
                                                "'$Name' from web app '$webAppUrl' in zone " + `
                                                "'$zone'")
                        $wa.GetIisSettingsWithFallback($zone).ClaimsAuthenticationProviders.Remove($trustedProviderToRemove) | Out-Null
                        $update = $true
                    }
                }
                if ($update) 
                {
                    $wa.Update()
                }
            }
        
            $runParams = @{ 
                Identity = $params.Name
                Confirm = $false
            }
            Remove-SPTrustedIdentityTokenIssuer @runParams
        }
    }
}

function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([Boolean])]
    param
    (
        [parameter(Mandatory = $true)]
        [String]
        $Name,

        [parameter(Mandatory = $true)]
        [String]
        $Description,

        [parameter(Mandatory = $true)]
        [String]
        $Realm,

        [parameter(Mandatory = $true)]
        [String]
        $SignInUrl,

        [parameter(Mandatory = $true)] 
        [String]
        $IdentifierClaim,

        [parameter(Mandatory = $true)]
        [Microsoft.Management.Infrastructure.CimInstance[]]
        $ClaimsMappings,

        [parameter(Mandatory = $true)]
        [String]
        $SigningCertificateThumbPrint,

        [parameter(Mandatory = $false)]
        [ValidateSet("Present","Absent")]
        [String]
        $Ensure = "Present",

        [parameter(Mandatory = $false)]
        [String]
        $ClaimProviderName,

        [parameter(Mandatory = $false)]
        [String]
        $ProviderSignOutUri,

        [parameter(Mandatory = $false)]
        [System.Management.Automation.PSCredential]
        $InstallAccount
    )

    Write-Verbose -Message "Testing SPTrustedIdentityTokenIssuer '$Name' settings"

    $CurrentValues = Get-TargetResource @PSBoundParameters

    return Test-SPDscParameterState -CurrentValues $CurrentValues `
                                    -DesiredValues $PSBoundParameters `
                                    -ValuesToCheck @("Ensure")
}

Export-ModuleMember -Function *-TargetResource