DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1

function Get-TargetResource
{
    <#
    .SYNOPSIS
        Reads the current farm-wide Security Token Service (STS) configuration.

    .DESCRIPTION
        Checks that a desired LogonTokenCacheExpirationWindow stays below any token
        lifetime supplied together with it, then reads Get-SPSecurityTokenServiceConfig
        through Invoke-SPDscCommand. Lifetimes are returned in minutes so that they
        line up with the parameters. When no configuration object comes back the
        desired values are echoed and Ensure is reported as "Absent".

    .PARAMETER IsSingleInstance
        Always "Yes": the STS configuration exists exactly once per farm.

    .PARAMETER Name
        Display name of the security token service.

    .PARAMETER NameIdentifier
        Name identifier of the security token service.

    .PARAMETER UseSessionCookies
        Whether sign-in cookies are session cookies rather than persistent ones.

    .PARAMETER AllowOAuthOverHttp
        Whether OAuth traffic is permitted over plain HTTP. Defaults to $false so
        that bearer tokens are not exposed on an unencrypted transport.

    .PARAMETER AllowMetadataOverHttp
        Whether STS metadata may be served over plain HTTP. Defaults to $false.

    .PARAMETER FormsTokenLifetime
        Lifetime in minutes of forms-based authentication tokens. A shorter lifetime
        bounds how long a captured token remains usable.

    .PARAMETER WindowsTokenLifetime
        Lifetime in minutes of Windows authentication tokens.

    .PARAMETER LogonTokenCacheExpirationWindow
        Cache expiration window in minutes for logon tokens. Must be strictly lower
        than both FormsTokenLifetime and WindowsTokenLifetime.

    .PARAMETER Ensure
        "Present" is the only value Set-TargetResource accepts; "Absent" is reported
        when the configuration object cannot be read.

    .OUTPUTS
        System.Collections.Hashtable
    #>
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateSet('Yes')]
        [String]
        $IsSingleInstance,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [Parameter()]
        [System.String]
        $NameIdentifier,

        [Parameter()]
        [System.Boolean]
        $UseSessionCookies = $false,

        [Parameter()]
        [System.Boolean]
        $AllowOAuthOverHttp = $false,

        [Parameter()]
        [System.Boolean]
        $AllowMetadataOverHttp = $false,

        [Parameter()]
        [System.UInt32]
        $FormsTokenLifetime,

        [Parameter()]
        [System.UInt32]
        $WindowsTokenLifetime,

        [Parameter()]
        [System.UInt32]
        $LogonTokenCacheExpirationWindow,

        [Parameter()]
        [ValidateSet("Present", "Absent")]
        [System.String]
        $Ensure = "Present"
    )

    Write-Verbose -Message "Getting Security Token Service Configuration"

    # The cache window has to stay below each lifetime it is supplied together with.
    # Windows is checked before Forms, matching the order in which errors are raised.
    foreach ($lifetime in @("WindowsTokenLifetime", "FormsTokenLifetime"))
    {
        $bothSupplied = $PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -and `
            $PSBoundParameters.ContainsKey($lifetime)

        if (-not $bothSupplied)
        {
            continue
        }

        if ($PSBoundParameters.LogonTokenCacheExpirationWindow -lt $PSBoundParameters[$lifetime])
        {
            continue
        }

        $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as $lifetime is not supported. " + `
                "Please set LogonTokenCacheExpirationWindow to value lower as $lifetime")
        Add-SPDscEvent -Message $message `
            -EntryType 'Error' `
            -EventID 100 `
            -Source $MyInvocation.MyCommand.Source
        throw $message
    }

    $result = Invoke-SPDscCommand -Arguments $PSBoundParameters `
        -ScriptBlock {
        $params = $args[0]

        $config = Get-SPSecurityTokenServiceConfig

        if ($null -eq $config)
        {
            # Nothing to read: echo the desired values so the caller still receives a
            # fully shaped hashtable, flagged as Absent.
            return @{
                IsSingleInstance                = "Yes"
                Name                            = $params.Name
                NameIdentifier                  = $params.NameIdentifier
                UseSessionCookies               = $params.UseSessionCookies
                AllowOAuthOverHttp              = $params.AllowOAuthOverHttp
                AllowMetadataOverHttp           = $params.AllowMetadataOverHttp
                FormsTokenLifetime              = $params.FormsTokenLifetime
                WindowsTokenLifetime            = $params.WindowsTokenLifetime
                LogonTokenCacheExpirationWindow = $params.LogonTokenCacheExpirationWindow
                Ensure                          = "Absent"
            }
        }

        # Lifetimes are TimeSpans on the configuration object; report them in minutes
        # to match the parameter units.
        return @{
            IsSingleInstance                = "Yes"
            Name                            = $config.Name
            NameIdentifier                  = $config.NameIdentifier
            UseSessionCookies               = $config.UseSessionCookies
            AllowOAuthOverHttp              = $config.AllowOAuthOverHttp
            AllowMetadataOverHttp           = $config.AllowMetadataOverHttp
            FormsTokenLifetime              = $config.FormsTokenLifetime.TotalMinutes
            WindowsTokenLifetime            = $config.WindowsTokenLifetime.TotalMinutes
            LogonTokenCacheExpirationWindow = $config.LogonTokenCacheExpirationWindow.TotalMinutes
            Ensure                          = "Present"
        }
    }

    return $result
}

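function Set-TargetResource
{
    <#
    .SYNOPSIS
        Applies the desired farm-wide Security Token Service (STS) configuration.

    .DESCRIPTION
        Rejects Ensure = "Absent" (the resource cannot revert STS changes), validates
        the desired values, then updates Get-SPSecurityTokenServiceConfig with every
        parameter the caller supplied and persists it with Update().

        LogonTokenCacheExpirationWindow must stay strictly below both token lifetimes.
        When the window and a lifetime are both supplied they are checked against each
        other before the farm is touched. When only one of the two is supplied it is
        checked against the farm's current value of the other, so that a partial
        configuration (for example lowering a lifetime on its own) cannot leave the
        farm in an unsupported state.

    .PARAMETER IsSingleInstance
        Always "Yes": the STS configuration exists exactly once per farm.

    .PARAMETER Name
        Display name of the security token service. Always applied.

    .PARAMETER NameIdentifier
        Name identifier of the security token service.

    .PARAMETER UseSessionCookies
        Whether sign-in cookies are session cookies rather than persistent ones.

    .PARAMETER AllowOAuthOverHttp
        Whether OAuth traffic is permitted over plain HTTP. Defaults to $false so
        that bearer tokens are not exposed on an unencrypted transport.

    .PARAMETER AllowMetadataOverHttp
        Whether STS metadata may be served over plain HTTP. Defaults to $false.

    .PARAMETER FormsTokenLifetime
        Lifetime in minutes of forms-based authentication tokens. A shorter lifetime
        bounds how long a captured token remains usable.

    .PARAMETER WindowsTokenLifetime
        Lifetime in minutes of Windows authentication tokens.

    .PARAMETER LogonTokenCacheExpirationWindow
        Cache expiration window in minutes for logon tokens. Must be strictly lower
        than both FormsTokenLifetime and WindowsTokenLifetime.

    .PARAMETER Ensure
        Only "Present" is supported; "Absent" raises an error.

    .OUTPUTS
        None.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateSet('Yes')]
        [String]
        $IsSingleInstance,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [Parameter()]
        [System.String]
        $NameIdentifier,

        [Parameter()]
        [System.Boolean]
        $UseSessionCookies = $false,

        [Parameter()]
        [System.Boolean]
        $AllowOAuthOverHttp = $false,

        [Parameter()]
        [System.Boolean]
        $AllowMetadataOverHttp = $false,

        [Parameter()]
        [System.UInt32]
        $FormsTokenLifetime,

        [Parameter()]
        [System.UInt32]
        $WindowsTokenLifetime,

        [Parameter()]
        [System.UInt32]
        $LogonTokenCacheExpirationWindow,

        [Parameter()]
        [ValidateSet("Present", "Absent")]
        [System.String]
        $Ensure = "Present"
    )

    Write-Verbose -Message "Setting Security Token Service Configuration"

    if ($Ensure -eq "Absent")
    {
        $message = ("This resource cannot undo Security Token Service Configuration changes. " + `
                "Please set Ensure to Present or omit the resource")
        Add-SPDscEvent -Message $message `
            -EntryType 'Error' `
            -EventID 100 `
            -Source $MyInvocation.MyCommand.Source
        throw $message
    }

    # Desired-state check: when the window and a lifetime are both supplied they are
    # validated against each other here, before anything runs in the farm.
    foreach ($lifetime in @("WindowsTokenLifetime", "FormsTokenLifetime"))
    {
        $bothSupplied = $PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -and `
            $PSBoundParameters.ContainsKey($lifetime)

        if (-not $bothSupplied)
        {
            continue
        }

        if ($PSBoundParameters.LogonTokenCacheExpirationWindow -lt $PSBoundParameters[$lifetime])
        {
            continue
        }

        $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as $lifetime is not supported. " + `
                "Please set LogonTokenCacheExpirationWindow to value lower as $lifetime")
        Add-SPDscEvent -Message $message `
            -EntryType 'Error' `
            -EventID 100 `
            -Source $MyInvocation.MyCommand.Source
        throw $message
    }

    Invoke-SPDscCommand -Arguments $PSBoundParameters `
        -ScriptBlock {
        $params = $args[0]
        $config = Get-SPSecurityTokenServiceConfig

        if ($null -eq $config)
        {
            # Fail with a clear message instead of a null-reference error below.
            $message = "Unable to retrieve the Security Token Service Configuration"
            Add-SPDscEvent -Message $message `
                -EntryType 'Error' `
                -EventID 100 `
                -Source $MyInvocation.MyCommand.Source
            throw $message
        }

        # Farm-state check, done before any value is modified. A window supplied
        # without its lifetime is compared with the current lifetime; a lifetime
        # supplied without the window is compared with the current window. Pairs
        # where both were supplied were already validated before invocation.
        $windowSupplied = $params.ContainsKey("LogonTokenCacheExpirationWindow")
        foreach ($lifetime in @("WindowsTokenLifetime", "FormsTokenLifetime"))
        {
            $lifetimeSupplied = $params.ContainsKey($lifetime)
            $message = $null

            if ($windowSupplied -and -not $lifetimeSupplied)
            {
                $currentLifetime = $config.$lifetime
                if ($params.LogonTokenCacheExpirationWindow -ge $currentLifetime.TotalMinutes)
                {
                    $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as $lifetime is not supported. " + `
                            "Please set LogonTokenCacheExpirationWindow to value lower as $lifetime")
                }
            }
            elseif ($lifetimeSupplied -and -not $windowSupplied)
            {
                $currentWindow = $config.LogonTokenCacheExpirationWindow
                if ($params[$lifetime] -le $currentWindow.TotalMinutes)
                {
                    $message = ("Setting $lifetime to a value lower or equal as the current LogonTokenCacheExpirationWindow is not supported. " + `
                            "Please set $lifetime to a value higher as LogonTokenCacheExpirationWindow, or specify both values")
                }
            }

            if ($null -ne $message)
            {
                Add-SPDscEvent -Message $message `
                    -EntryType 'Error' `
                    -EventID 100 `
                    -Source $MyInvocation.MyCommand.Source
                throw $message
            }
        }

        # Name is mandatory, so it is always applied.
        $config.Name = $params.Name

        foreach ($property in @("NameIdentifier", "UseSessionCookies", "AllowOAuthOverHttp", "AllowMetadataOverHttp"))
        {
            if ($params.ContainsKey($property))
            {
                $config.$property = $params[$property]
            }
        }

        # Lifetimes are stored as TimeSpans on the configuration object; the
        # parameters are expressed in minutes.
        foreach ($property in @("FormsTokenLifetime", "WindowsTokenLifetime", "LogonTokenCacheExpirationWindow"))
        {
            if ($params.ContainsKey($property))
            {
                $config.$property = (New-TimeSpan -Minutes $params[$property])
            }
        }

        $config.Update()
    }
}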

function Test-TargetResource
{
    <#
    .SYNOPSIS
        Tests whether the farm-wide Security Token Service (STS) configuration matches
        the desired values.

    .DESCRIPTION
        Reads the current configuration via Get-TargetResource and compares the
        listed values against the desired ones with Test-SPDscParameterState.
        Parameters the caller did not supply are not compared.

    .PARAMETER IsSingleInstance
        Always "Yes": the STS configuration exists exactly once per farm.

    .PARAMETER Name
        Display name of the security token service.

    .PARAMETER NameIdentifier
        Name identifier of the security token service.

    .PARAMETER UseSessionCookies
        Whether sign-in cookies are session cookies rather than persistent ones.

    .PARAMETER AllowOAuthOverHttp
        Whether OAuth traffic is permitted over plain HTTP. Defaults to $false.

    .PARAMETER AllowMetadataOverHttp
        Whether STS metadata may be served over plain HTTP. Defaults to $false.

    .PARAMETER FormsTokenLifetime
        Lifetime in minutes of forms-based authentication tokens.

    .PARAMETER WindowsTokenLifetime
        Lifetime in minutes of Windows authentication tokens.

    .PARAMETER LogonTokenCacheExpirationWindow
        Cache expiration window in minutes for logon tokens. Must be strictly lower
        than both FormsTokenLifetime and WindowsTokenLifetime.

    .PARAMETER Ensure
        Desired presence. Set-TargetResource only supports "Present".

    .OUTPUTS
        System.Boolean - $true when the compared values are already in the desired state.
    #>
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateSet('Yes')]
        [String]
        $IsSingleInstance,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [Parameter()]
        [System.String]
        $NameIdentifier,

        [Parameter()]
        [System.Boolean]
        $UseSessionCookies = $false,

        [Parameter()]
        [System.Boolean]
        $AllowOAuthOverHttp = $false,

        [Parameter()]
        [System.Boolean]
        $AllowMetadataOverHttp = $false,

        [Parameter()]
        [System.UInt32]
        $FormsTokenLifetime,

        [Parameter()]
        [System.UInt32]
        $WindowsTokenLifetime,

        [Parameter()]
        [System.UInt32]
        $LogonTokenCacheExpirationWindow,

        [Parameter()]
        [ValidateSet("Present", "Absent")]
        [System.String]
        $Ensure = "Present"
    )

    Write-Verbose -Message "Testing the Security Token Service Configuration"

    # Ensure has a default and is therefore only present in $PSBoundParameters when
    # the caller passed it explicitly; add it so the comparison always sees it.
    $PSBoundParameters.Ensure = $Ensure

    $CurrentValues = Get-TargetResource @PSBoundParameters

    Write-Verbose -Message "Current Values: $(Convert-SPDscHashtableToString -Hashtable $CurrentValues)"
    Write-Verbose -Message "Target Values: $(Convert-SPDscHashtableToString -Hashtable $PSBoundParameters)"

    # NOTE(review): Name is mandatory and is applied by Set-TargetResource, but it is
    # not compared here, so drift in the STS name alone is not reported - confirm intended.
    $valuesToCheck = @(
        "Ensure",
        "NameIdentifier",
        "UseSessionCookies",
        "AllowOAuthOverHttp",
        "AllowMetadataOverHttp",
        "FormsTokenLifetime",
        "WindowsTokenLifetime",
        "LogonTokenCacheExpirationWindow"
    )

    $result = Test-SPDscParameterState -CurrentValues $CurrentValues `
        -Source $MyInvocation.MyCommand.Source `
        -DesiredValues $PSBoundParameters `
        -ValuesToCheck $valuesToCheck

    Write-Verbose -Message "Test-TargetResource returned $result"

    return $result
}

# Only the three DSC entry points are public; everything else in this module stays private.
Export-ModuleMember -Function 'Get-TargetResource', 'Set-TargetResource', 'Test-TargetResource'