diff --git a/CHANGELOG.md b/CHANGELOG.md index 39401b0d..958f057f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added + +- Firewall + - Added `PolicyStore` parameter (defaults to PersistentStore to prevent a breaking change) and read only property `PolicyStoreSourceType` - fixes [Issue #428](https://github.com/dsccommunity/NetworkingDsc/issues/428). + ### Changed - Updated CHANGELOG.md diff --git a/source/DSCResources/DSC_Firewall/DSC_Firewall.data.psd1 b/source/DSCResources/DSC_Firewall/DSC_Firewall.data.psd1 index 73bc7daa..f92c0ac5 100644 --- a/source/DSCResources/DSC_Firewall/DSC_Firewall.data.psd1 +++ b/source/DSCResources/DSC_Firewall/DSC_Firewall.data.psd1 @@ -1,36 +1,37 @@ @{ ParameterList = @( - @{ Name = 'Name'; Variable = 'FirewallRule'; Type = 'String' } - @{ Name = 'DisplayName'; Variable = 'FirewallRule'; Type = 'String' } - @{ Name = 'Group'; Variable = 'FirewallRule'; Type = 'String' } - @{ Name = 'DisplayGroup'; Variable = 'FirewallRule'; Type = '' } - @{ Name = 'Enabled'; Variable = 'FirewallRule'; Type = 'String' } - @{ Name = 'Action'; Variable = 'FirewallRule'; Type = 'String' } - @{ Name = 'Profile'; Variable = 'FirewallRule'; Type = 'Array'; Delimiter = ', ' } - @{ Name = 'Direction'; Variable = 'FirewallRule'; Type = 'String' } - @{ Name = 'Description'; Variable = 'FirewallRule'; Type = 'String' } - @{ Name = 'RemotePort'; Variable = 'properties'; Property = 'PortFilters'; Type = 'Array' } - @{ Name = 'LocalPort'; Variable = 'properties'; Property = 'PortFilters'; Type = 'Array' } - @{ Name = 'Protocol'; Variable = 'properties'; Property = 'PortFilters'; Type = 'String' } - @{ Name = 'Program'; Variable = 'properties'; Property = 'ApplicationFilters'; Type = 'String' } - @{ Name = 'Service'; Variable = 'properties'; Property = 'ServiceFilters'; Type = 'String' } - @{ Name = 'Authentication'; Variable = 'properties'; Property = 'SecurityFilters'; Type = 'String' } - @{ Name = 'Encryption'; Variable = 'properties'; Property = 'SecurityFilters'; Type = 'String' } - @{ Name = 'InterfaceAlias'; Variable = 'properties'; Property = 'InterfaceFilters'; Type = 'Array' } - @{ Name = 'InterfaceType'; Variable = 'properties'; Property = 'InterfaceTypeFilters'; Type = 'String' } - @{ Name = 'LocalAddress'; Variable = 'properties'; Property = 'AddressFilters'; Type = 'ArrayIP' } - @{ Name = 'LocalUser'; Variable = 'properties'; Property = 'SecurityFilters'; Type = 'String' } - @{ Name = 'Package'; Variable = 'properties'; Property = 'ApplicationFilters'; Type = 'String' } - @{ Name = 'Platform'; Variable = 'FirewallRule'; Type = 'Array' } - @{ Name = 'RemoteAddress'; Variable = 'properties'; Property = 'AddressFilters'; Type = 'ArrayIP' } - @{ Name = 'RemoteMachine'; Variable = 'properties'; Property = 'SecurityFilters'; Type = 'String' } - @{ Name = 'RemoteUser'; Variable = 'properties'; Property = 'SecurityFilters'; Type = 'String' } - @{ Name = 'DynamicTransport'; Variable = 'properties'; Property = 'PortFilters'; Type = 'String' } - @{ Name = 'EdgeTraversalPolicy'; Variable = 'FirewallRule'; Type = 'String' } - @{ Name = 'IcmpType'; Variable = 'properties'; Property = 'PortFilters'; Type = 'Array' } - @{ Name = 'LocalOnlyMapping'; Variable = 'FirewallRule'; Type = 'Boolean' } - @{ Name = 'LooseSourceMapping'; Variable = 'FirewallRule'; Type = 'Boolean' } - @{ Name = 'OverrideBlockRules'; Variable = 'properties'; Property = 'SecurityFilters'; Type = 'Boolean' } - @{ Name = 'Owner'; Variable = 'FirewallRule'; Type = 'String' } + @{ Name = 'Name'; Variable = 'FirewallRule'; Type = 'String' } + @{ Name = 'DisplayName'; Variable = 'FirewallRule'; Type = 'String' } + @{ Name = 'Group'; Variable = 'FirewallRule'; Type = 'String' } + @{ Name = 'DisplayGroup'; Variable = 'FirewallRule'; Type = '' } + @{ Name = 'Enabled'; Variable = 'FirewallRule'; Type = 'String' } + @{ Name = 'Action'; Variable = 'FirewallRule'; Type = 'String' } + @{ Name = 'Profile'; Variable = 'FirewallRule'; Type = 'Array'; Delimiter = ', ' } + @{ Name = 'Direction'; Variable = 'FirewallRule'; Type = 'String' } + @{ Name = 'Description'; Variable = 'FirewallRule'; Type = 'String' } + @{ Name = 'RemotePort'; Variable = 'properties'; Property = 'PortFilters'; Type = 'Array' } + @{ Name = 'LocalPort'; Variable = 'properties'; Property = 'PortFilters'; Type = 'Array' } + @{ Name = 'Protocol'; Variable = 'properties'; Property = 'PortFilters'; Type = 'String' } + @{ Name = 'Program'; Variable = 'properties'; Property = 'ApplicationFilters'; Type = 'String' } + @{ Name = 'Service'; Variable = 'properties'; Property = 'ServiceFilters'; Type = 'String' } + @{ Name = 'Authentication'; Variable = 'properties'; Property = 'SecurityFilters'; Type = 'String' } + @{ Name = 'Encryption'; Variable = 'properties'; Property = 'SecurityFilters'; Type = 'String' } + @{ Name = 'InterfaceAlias'; Variable = 'properties'; Property = 'InterfaceFilters'; Type = 'Array' } + @{ Name = 'InterfaceType'; Variable = 'properties'; Property = 'InterfaceTypeFilters'; Type = 'String' } + @{ Name = 'LocalAddress'; Variable = 'properties'; Property = 'AddressFilters'; Type = 'ArrayIP' } + @{ Name = 'LocalUser'; Variable = 'properties'; Property = 'SecurityFilters'; Type = 'String' } + @{ Name = 'Package'; Variable = 'properties'; Property = 'ApplicationFilters'; Type = 'String' } + @{ Name = 'Platform'; Variable = 'FirewallRule'; Type = 'Array' } + @{ Name = 'RemoteAddress'; Variable = 'properties'; Property = 'AddressFilters'; Type = 'ArrayIP' } + @{ Name = 'RemoteMachine'; Variable = 'properties'; Property = 'SecurityFilters'; Type = 'String' } + @{ Name = 'RemoteUser'; Variable = 'properties'; Property = 'SecurityFilters'; Type = 'String' } + @{ Name = 'DynamicTransport'; Variable = 'properties'; Property = 'PortFilters'; Type = 'String' } + @{ Name = 'EdgeTraversalPolicy'; Variable = 'FirewallRule'; Type = 'String' } + @{ Name = 'IcmpType'; Variable = 'properties'; Property = 'PortFilters'; Type = 'Array' } + @{ Name = 'LocalOnlyMapping'; Variable = 'FirewallRule'; Type = 'Boolean' } + @{ Name = 'LooseSourceMapping'; Variable = 'FirewallRule'; Type = 'Boolean' } + @{ Name = 'OverrideBlockRules'; Variable = 'properties'; Property = 'SecurityFilters'; Type = 'Boolean' } + @{ Name = 'Owner'; Variable = 'FirewallRule'; Type = 'String' } + @{ Name = 'PolicyStoreSourceType'; Variable = 'FirewallRule'; Type = 'String' } # Use this instead of PolicyStore as Get-NetFirewallRule does not include PoliyStore ) } diff --git a/source/DSCResources/DSC_Firewall/DSC_Firewall.psm1 b/source/DSCResources/DSC_Firewall/DSC_Firewall.psm1 index f5dd463d..e44b5c2a 100644 --- a/source/DSCResources/DSC_Firewall/DSC_Firewall.psm1 +++ b/source/DSCResources/DSC_Firewall/DSC_Firewall.psm1 @@ -34,6 +34,9 @@ $script:parameterList = $script:resourceData.ParameterList .PARAMETER Name Name of the firewall rule. + + .PARAMETER PolicyStore + Targets the policy store from which to retrieve the rules. #> function Get-TargetResource { @@ -45,7 +48,12 @@ function Get-TargetResource [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [String] - $Name + $Name, + + [Parameter()] + [ValidateSet('PersistentStore', 'localhost')] + [String] + $PolicyStore = 'PersistentStore' ) $ErrorActionPreference = 'Stop' @@ -57,7 +65,7 @@ function Get-TargetResource $($script:localizedData.FindFirewallRuleMessage) -f $Name ) -join '') - $firewallRule = Get-FirewallRule -Name $Name + $firewallRule = Get-FirewallRule -Name $Name -PolicyStore $PolicyStore if (-not $firewallRule) { @@ -70,7 +78,7 @@ function Get-TargetResource } } - $properties = Get-FirewallRuleProperty -FirewallRule $firewallRule + $properties = Get-FirewallRuleProperty -FirewallRule $firewallRule -PolicyStore $PolicyStore $result = @{ Ensure = 'Present' @@ -238,6 +246,9 @@ function Get-TargetResource .PARAMETER Owner Specifies that matching firewall rules of the indicated owner are created. + + .PARAMETER PolicyStore + Specifies the policy store from which to retrieve the rules to be created. #> function Set-TargetResource { @@ -397,7 +408,12 @@ function Set-TargetResource [Parameter()] [ValidateNotNullOrEmpty()] [String] - $Owner + $Owner, + + [Parameter()] + [ValidateSet('PersistentStore', 'localhost')] + [String] + $PolicyStore = 'PersistentStore' ) Write-Verbose -Message ( @( "$($MyInvocation.MyCommand): " @@ -410,7 +426,7 @@ function Set-TargetResource Write-Verbose -Message ( @( "$($MyInvocation.MyCommand): " $($script:localizedData.FindFirewallRuleMessage) -f $Name ) -join '') - $firewallRule = Get-FirewallRule -Name $Name + $firewallRule = Get-FirewallRule -Name $Name -PolicyStore $PolicyStore $exists = ($null -ne $firewallRule) @@ -440,13 +456,13 @@ function Set-TargetResource if ($PSBoundParameters.ContainsKey('Group') ` -and ($Group -ne $FirewallRule.Group)) { - Remove-NetFirewallRule -Name (ConvertTo-FirewallRuleNameEscapedString -Name $Name) + Remove-NetFirewallRule -Name (ConvertTo-FirewallRuleNameEscapedString -Name $Name) -PolicyStore $PolicyStore <# Merge the existing rule values into the PSBoundParameters so that it can be splatted. #> - $properties = Get-FirewallRuleProperty -FirewallRule $firewallRule + $properties = Get-FirewallRuleProperty -FirewallRule $firewallRule -PolicyStore $PolicyStore <# Loop through each possible property and if it is not passed as a parameter @@ -532,7 +548,7 @@ function Set-TargetResource ) -join '') # Remove the existing Firewall rule - Remove-NetFirewallRule -Name (ConvertTo-FirewallRuleNameEscapedString -Name $Name) + Remove-NetFirewallRule -Name (ConvertTo-FirewallRuleNameEscapedString -Name $Name) -PolicyStore $PolicyStore } else { @@ -660,6 +676,9 @@ function Set-TargetResource .PARAMETER Owner Specifies that matching firewall rules of the indicated owner are created. + + .PARAMETER PolicyStore + Specifies the policy store from which to retrieve the rules to be created. #> function Test-TargetResource { @@ -820,7 +839,12 @@ function Test-TargetResource [Parameter()] [ValidateNotNullOrEmpty()] [String] - $Owner + $Owner, + + [Parameter()] + [ValidateSet('PersistentStore', 'localhost')] + [String] + $PolicyStore = 'PersistentStore' ) Write-Verbose -Message ( @( "$($MyInvocation.MyCommand): " @@ -834,7 +858,7 @@ function Test-TargetResource $($script:localizedData.FindFirewallRuleMessage) -f $Name ) -join '') - $firewallRule = Get-FirewallRule -Name $Name + $firewallRule = Get-FirewallRule -Name $Name -PolicyStore $PolicyStore $exists = ($null -ne $firewallRule) @@ -989,6 +1013,12 @@ function Test-TargetResource .PARAMETER Owner Specifies that matching firewall rules of the indicated owner are created. + + .PARAMETER PolicyStore + Specifies the policy store from which to retrieve the rules to be created. + + .PARAMETER PolicyStoreSourceType + Specifies that firewall rules that match the indicated policy store source type are retrieved. #> function Test-RuleProperties { @@ -1139,10 +1169,20 @@ function Test-RuleProperties [Parameter()] [String] - $Owner + $Owner, + + [Parameter()] + [ValidateSet('PersistentStore', 'localhost')] + [String] + $PolicyStore = 'PersistentStore', + + [Parameter()] + [ValidateSet('None', 'Local', 'GroupPolicy', 'Dynamic', 'Generated', 'Hardcoded')] + [String] + $PolicyStoreSourceType ) - $properties = Get-FirewallRuleProperty -FirewallRule $FirewallRule + $properties = Get-FirewallRuleProperty -FirewallRule $FirewallRule -PolicyStore $PolicyStore $desiredConfigurationMatch = $true <# @@ -1242,6 +1282,9 @@ function Test-RuleProperties .PARAMETER Name The name of the Firewall Rule to Retrieve. + + .PARAMETER PolicyStore + Specifies the policy store from which to retrieve the rules to be created. #> function Get-FirewallRule { @@ -1252,10 +1295,15 @@ function Get-FirewallRule [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [String] - $Name + $Name, + + [Parameter()] + [ValidateSet('PersistentStore', 'localhost')] + [String] + $PolicyStore = 'PersistentStore' ) - $firewallRule = @(Get-NetFirewallRule -Name (ConvertTo-FirewallRuleNameEscapedString -Name $Name) -ErrorAction SilentlyContinue) + $firewallRule = @(Get-NetFirewallRule -Name (ConvertTo-FirewallRuleNameEscapedString -Name $Name) -PolicyStore $PolicyStore -ErrorAction SilentlyContinue) if (-not $firewallRule) { @@ -1285,6 +1333,9 @@ function Get-FirewallRule .PARAMETER FirewallRule The firewall rule object to pull the additional firewall objects for. + + .PARAMETER PolicyStore + Specifies the policy store from which to retrieve the rules to be created. #> function Get-FirewallRuleProperty { @@ -1293,7 +1344,12 @@ function Get-FirewallRuleProperty param ( [Parameter(Mandatory = $true)] - $FirewallRule + $FirewallRule, + + [Parameter()] + [ValidateSet('PersistentStore', 'localhost')] + [String] + $PolicyStore = 'PersistentStore' ) Write-Verbose -Message ( @( "$($MyInvocation.MyCommand): " @@ -1371,7 +1427,7 @@ function ConvertTo-FirewallRuleNameEscapedString $Name ) - return $Name.Replace('[','`[').Replace(']','`]').Replace('*','`*') + return $Name.Replace('[', '`[').Replace(']', '`]').Replace('*', '`*') } Export-ModuleMember -Function *-TargetResource diff --git a/source/DSCResources/DSC_Firewall/DSC_Firewall.schema.mof b/source/DSCResources/DSC_Firewall/DSC_Firewall.schema.mof index ab750490..d8c41f7b 100644 --- a/source/DSCResources/DSC_Firewall/DSC_Firewall.schema.mof +++ b/source/DSCResources/DSC_Firewall/DSC_Firewall.schema.mof @@ -33,5 +33,7 @@ class DSC_Firewall : OMI_BaseResource [Write, Description("Indicates that matching firewall rules of the indicated value are created.")] Boolean LooseSourceMapping; [Write, Description("Indicates that matching network traffic that would otherwise be blocked are allowed.")] Boolean OverrideBlockRules; [Write, Description("Specifies that matching firewall rules of the indicated owner are created.")] String Owner; + [Write, Description("Specifies the policy store from which to retrieve the rules to be created."), ValueMap{"PersistentStore", "localhost"},Values{"PersistentStore", "localhost"}] String PolicyStore; + [Read, Description("Specifies that firewall rules that match the indicated policy store source type are retrieved.")] String PolicyStoreSourceType; [Read, Description("The current value of the Display Group of the Firewall Rule.")] string DisplayGroup; };