DSCResources/MSFT_SPCacheAccounts/MSFT_SPCacheAccounts.psm1

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $WebAppUrl,

        [Parameter(Mandatory = $true)]
        [System.String]
        $SuperUserAlias,

        [Parameter(Mandatory = $true)]
        [System.String]
        $SuperReaderAlias,

        [Parameter()]
        [System.Boolean]
        $SetWebAppPolicy = $true,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $InstallAccount
    )

    Write-Verbose -Message "Getting cache accounts for $WebAppUrl"

    $result = Invoke-SPDSCCommand -Credential $InstallAccount -Arguments $PSBoundParameters -ScriptBlock {
        $params = $args[0]

        $wa = Get-SPWebApplication -Identity $params.WebAppUrl -ErrorAction SilentlyContinue

        if ($null -eq $wa)
        {
            return @{
                WebAppUrl = $params.WebAppUrl
                SuperUserAlias = $null
                SuperReaderAlias = $null
                SetWebAppPolicy = $false
                InstallAccount = $params.InstallAccount
            }
        }

        $returnVal = @{
            InstallAccount = $params.InstallAccount
            WebAppUrl = $params.WebAppUrl
        }

        $policiesSet = $true
        if ($wa.UseClaimsAuthentication -eq $true)
        {
            if ($wa.Properties.ContainsKey("portalsuperuseraccount"))
            {
                $claim = New-SPClaimsPrincipal -Identity $wa.Properties["portalsuperuseraccount"] `
                                               -IdentityType EncodedClaim `
                                               -ErrorAction SilentlyContinue
                if ($null -ne $claim)
                {
                    $returnVal.Add("SuperUserAlias", $claim.Value)
                }
                else
                {
                    $returnVal.Add("SuperUserAlias", "")
                }
            }
            else
            {
                $returnVal.Add("SuperUserAlias", "")
            }
            if ($wa.Properties.ContainsKey("portalsuperreaderaccount"))
            {
                $claim = New-SPClaimsPrincipal -Identity $wa.Properties["portalsuperreaderaccount"] `
                                               -IdentityType EncodedClaim `
                                               -ErrorAction SilentlyContinue
                if ($null -ne $claim)
                {
                    $returnVal.Add("SuperReaderAlias", $claim.Value)
                }
                else
                {
                    $returnVal.Add("SuperReaderAlias", "")
                }
            }
            else
            {
                $returnVal.Add("SuperReaderAlias", "")
            }
            if ($wa.Policies.UserName -notcontains ((New-SPClaimsPrincipal -Identity $params.SuperReaderAlias `
                                                                           -IdentityType WindowsSamAccountName).ToEncodedString()))
            {
                $policiesSet = $false
            }

            if ($wa.Policies.UserName -notcontains ((New-SPClaimsPrincipal -Identity $params.SuperUserAlias `
                                                                           -IdentityType WindowsSamAccountName).ToEncodedString()))
            {
                $policiesSet = $false
            }
        }
        else
        {
            if ($wa.Properties.ContainsKey("portalsuperuseraccount"))
            {
                $returnVal.Add("SuperUserAlias", $wa.Properties["portalsuperuseraccount"])
            }
            else
            {
                $returnVal.Add("SuperUserAlias", "")
            }

            if ($wa.Properties.ContainsKey("portalsuperreaderaccount"))
            {
                $returnVal.Add("SuperReaderAlias", $wa.Properties["portalsuperreaderaccount"])
            }
            else
            {
                $returnVal.Add("SuperReaderAlias", "")
            }

            if ($wa.Policies.UserName -notcontains $params.SuperReaderAlias)
            {
                $policiesSet = $false
            }

            if ($wa.Policies.UserName -notcontains $params.SuperUserAlias)
            {
                $policiesSet = $false
            }
        }
        $returnVal.Add("SetWebAppPolicy", $policiesSet)

        return $returnVal
    }
    return $result
}


function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $WebAppUrl,

        [Parameter(Mandatory = $true)]
        [System.String]
        $SuperUserAlias,

        [Parameter(Mandatory = $true)]
        [System.String]
        $SuperReaderAlias,

        [Parameter()]
        [System.Boolean]
        $SetWebAppPolicy = $true,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $InstallAccount    )

    Write-Verbose -Message "Setting cache accounts for $WebAppUrl"

    $PSBoundParameters.SetWebAppPolicy = $SetWebAppPolicy

    Invoke-SPDSCCommand -Credential $InstallAccount -Arguments $PSBoundParameters -ScriptBlock {
        $params = $args[0]

        $wa = Get-SPWebApplication -Identity $params.WebAppUrl -ErrorAction SilentlyContinue
        if ($null -eq $wa)
        {
            throw [Exception] "The web applications $($params.WebAppUrl) can not be found to set cache accounts"
        }

        if ($wa.UseClaimsAuthentication -eq $true)
        {
            $wa.Properties["portalsuperuseraccount"] = (New-SPClaimsPrincipal -Identity $params.SuperUserAlias `
                                                                              -IdentityType WindowsSamAccountName).ToEncodedString()
            $wa.Properties["portalsuperreaderaccount"] = (New-SPClaimsPrincipal -Identity $params.SuperReaderAlias `
                                                                                -IdentityType WindowsSamAccountName).ToEncodedString()
        }
        else
        {
            $wa.Properties["portalsuperuseraccount"] = $params.SuperUserAlias
            $wa.Properties["portalsuperreaderaccount"] = $params.SuperReaderAlias
        }

        if ($params.SetWebAppPolicy -eq $true)
        {
            if ($wa.UseClaimsAuthentication -eq $true)
            {
                $claimsReader = (New-SPClaimsPrincipal -Identity $params.SuperReaderAlias `
                                                       -IdentityType WindowsSamAccountName).ToEncodedString()
                if ($wa.Policies.UserName -contains $claimsReader)
                {
                    $wa.Policies.Remove($claimsReader)
                }
                $policy = $wa.Policies.Add($claimsReader, "Super Reader (Claims)")
                $policyRole = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
                $policy.PolicyRoleBindings.Add($policyRole)

                $claimsSuper = (New-SPClaimsPrincipal -Identity $params.SuperUserAlias `
                                                      -IdentityType WindowsSamAccountName).ToEncodedString()
                if ($wa.Policies.UserName -contains $claimsSuper)
                {
                    $wa.Policies.Remove($claimsSuper)
                }
                $policy = $wa.Policies.Add($claimsSuper, "Super User (Claims)")
                $policyRole = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
                $policy.PolicyRoleBindings.Add($policyRole)
            }
            else
            {
                if ($wa.Policies.UserName -contains $params.SuperReaderAlias)
                {
                    $wa.Policies.Remove($params.SuperReaderAlias)
                }

                $readPolicy = $wa.Policies.Add($params.SuperReaderAlias, "Super Reader")
                $readPolicyRole = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
                $readPolicy.PolicyRoleBindings.Add($readPolicyRole)

                if ($wa.Policies.UserName -contains $params.SuperUserAlias)
                {
                    $wa.Policies.Remove($params.SuperUserAlias)
                }
                $policy = $wa.Policies.Add($params.SuperUserAlias, "Super User")
                $policyRole = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
                $policy.PolicyRoleBindings.Add($policyRole)
            }
        }

        $wa.Update()
    }
}


function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $WebAppUrl,

        [Parameter(Mandatory = $true)]
        [System.String]
        $SuperUserAlias,

        [Parameter(Mandatory = $true)]
        [System.String]
        $SuperReaderAlias,

        [Parameter()]
        [System.Boolean]
        $SetWebAppPolicy = $true,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $InstallAccount    )

    Write-Verbose -Message "Testing cache accounts for $WebAppUrl"

    $PSBoundParameters.SetWebAppPolicy = $SetWebAppPolicy

    $CurrentValues = Get-TargetResource @PSBoundParameters

    if ($SetWebAppPolicy -eq $true)
    {
        return Test-SPDscParameterState -CurrentValues $CurrentValues `
                                        -DesiredValues $PSBoundParameters `
                                        -ValuesToCheck @("SuperUserAlias", `
                                                        "SuperReaderAlias", `
                                                        "SetWebAppPolicy")
    }
    else
    {
        return Test-SPDscParameterState -CurrentValues $CurrentValues `
                                        -DesiredValues $PSBoundParameters `
                                        -ValuesToCheck @("SuperUserAlias", `
                                                        "SuperReaderAlias")
    }
}

Export-ModuleMember -Function *-TargetResource