From 6892e7199c7b01407f933bdd1f5862f293625b43 Mon Sep 17 00:00:00 2001 From: Mike Hendrickson Date: Tue, 27 Nov 2018 14:29:11 -0800 Subject: [PATCH] Fixes issue where Switch parameters are passed to Enable-Bitlocker even if the corresponding DSC resource parameter was set to False - Post Review #1 --- CHANGELOG.md | 2 + Misc/xBitlockerCommon.psm1 | 8 +- ...SFT_xBLAutoBitlocker.Integration.tests.ps1 | 5 -- .../MSFT_xBLBitlocker.Integration.tests.ps1 | 87 +++++++++---------- .../Integration/MSFT_xBLBitlocker.config.ps1 | 25 +++++- .../MSFT_xBLTpm.Integration.tests.ps1 | 5 -- Tests/TestHelpers/xBitlockerTestHelper.psm1 | 26 ++++++ 7 files changed, 98 insertions(+), 60 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f2778b9..5ca108e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ - Rename functions with improper Verb-Noun constructs - Add comment based help to any functions without it - Update Schema.mof Description fields +- Fixes issue where Switch parameters are passed to Enable-Bitlocker even if + the corresponding DSC resource parameter was set to False (Issue #12) ## 1.2.0.0 diff --git a/Misc/xBitlockerCommon.psm1 b/Misc/xBitlockerCommon.psm1 index b1d7f3a..6e5500f 100644 --- a/Misc/xBitlockerCommon.psm1 +++ b/Misc/xBitlockerCommon.psm1 @@ -208,22 +208,22 @@ function Enable-BitlockerInternal if ($PSBoundParameters.ContainsKey("HardwareEncryption")) { - $params.Add("HardwareEncryption", $true) + $params.Add("HardwareEncryption", $HardwareEncryption) } if ($PSBoundParameters.ContainsKey("Service")) { - $params.Add("Service", $true) + $params.Add("Service", $Service) } if ($PSBoundParameters.ContainsKey("SkipHardwareTest")) { - $params.Add("SkipHardwareTest", $true) + $params.Add("SkipHardwareTest", $SkipHardwareTest) } if ($PSBoundParameters.ContainsKey("UsedSpaceOnly")) { - $params.Add("UsedSpaceOnly", $true) + $params.Add("UsedSpaceOnly", $UsedSpaceOnly) } #Now add the primary protector 
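Review bot: The four switch blocks changed in Enable-BitlockerInternal (Misc/xBitlockerCommon.psm1) carry no comment saying why the bound value is forwarded instead of `$true`, and the reason is security-relevant. Per the commit subject, a configuration that set `HardwareEncryption = $false`, `SkipHardwareTest = $false` or `UsedSpaceOnly = $false` previously still had those switches passed to Enable-Bitlocker. I would add a comment above the first block, for example `# Forward the bound value, not $true: a switch set to $false in the DSC resource must not be turned on for Enable-BitLocker (Issue #12)`. The four blocks differ only in the parameter name, so a loop over the names that adds `$PSBoundParameters[$name]` would keep them from diverging again. The function starts and ends outside this hunk, so how `$params` is consumed afterwards is not visible here.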
diff --git a/Tests/Integration/MSFT_xBLAutoBitlocker.Integration.tests.ps1 b/Tests/Integration/MSFT_xBLAutoBitlocker.Integration.tests.ps1 index c978bff..12cdc65 100644 --- a/Tests/Integration/MSFT_xBLAutoBitlocker.Integration.tests.ps1 +++ b/Tests/Integration/MSFT_xBLAutoBitlocker.Integration.tests.ps1 @@ -85,11 +85,6 @@ try } It 'Should have set the resource and all the parameters should match' { - $resourceCurrentState = $script:currentConfiguration | Where-Object -FilterScript { - $_.ConfigurationName -eq $configurationName ` - -and $_.ResourceId -eq "[$($script:dscResourceFriendlyName)]Integration_Test" - } - $fixedDriveBlvs = Get-BitLockerVolume | Where-Object -FilterScript {$_.VolumeType -eq 'Data'} foreach ($fixedDriveBlv in $fixedDriveBlvs) diff --git a/Tests/Integration/MSFT_xBLBitlocker.Integration.tests.ps1 b/Tests/Integration/MSFT_xBLBitlocker.Integration.tests.ps1 index b6ce04e..e8e4fd0 100644 --- a/Tests/Integration/MSFT_xBLBitlocker.Integration.tests.ps1 +++ b/Tests/Integration/MSFT_xBLBitlocker.Integration.tests.ps1 @@ -33,14 +33,6 @@ if (!(Test-RequiredFeaturesInstalled)) return } -# Disable Bitlocker on the OS drive before performing any tests -$sysDriveBlv = Get-BitLockerVolume -MountPoint $env:SystemDrive - -if ($sysDriveBlv.KeyProtector.Count -gt 0 -or $sysDriveBlv.ProtectionStatus -ne 'Off') -{ - Disable-BitLocker -MountPoint $env:SystemDrive -} - # Using try/finally to always cleanup. try { 
@@ -49,48 +41,53 @@ try . $configurationFile Describe "$($script:dcsResourceName)_Integration" { - $configurationName = "$($script:dcsResourceName)_BasicTPMEncryptionOnSysDrive_Config" - - Context ('When using configuration {0}' -f $configurationName) { - It 'Should compile and apply the MOF without throwing' { - { - $configurationParameters = @{ - OutputPath = $TestDrive - ConfigurationData = $ConfigurationData - } - - & $configurationName @configurationParameters - - $startDscConfigurationParameters = @{ - Path = $TestDrive - ComputerName = 'localhost' - Wait = $true - Verbose = $true - Force = $true - ErrorAction = 'Stop' - } - - Start-DscConfiguration @startDscConfigurationParameters - } | Should -Not -Throw - } + $configurationNames = @( + "$($script:dcsResourceName)_BasicTPMEncryptionOnSysDrive_Config" + "$($script:dcsResourceName)_TPMEncryptionOnSysDriveWithFalseSwitchParams_Config" + ) + + foreach ($configurationName in $configurationNames) + { + Context ('When using configuration {0}' -f $configurationName) { + BeforeAll { + Disable-BitLockerOnTestDrive -MountPoint $env:SystemDrive + } - It 'Should be able to call Get-DscConfiguration without throwing' { - { - $script:currentConfiguration = Get-DscConfiguration -Verbose -ErrorAction Stop - } | Should -Not -Throw - } + It 'Should compile and apply the MOF without throwing' { + { + $configurationParameters = @{ + OutputPath = $TestDrive + ConfigurationData = $ConfigurationData + } + + & $configurationName @configurationParameters + + $startDscConfigurationParameters = @{ + Path = $TestDrive + ComputerName = 'localhost' + Wait = $true + Verbose = $true + Force = $true + ErrorAction = 'Stop' + } + + Start-DscConfiguration @startDscConfigurationParameters + } | Should -Not -Throw + } - It 'Should have set the resource and all the parameters should match' { - $resourceCurrentState = $script:currentConfiguration | Where-Object -FilterScript { - $_.ConfigurationName -eq $configurationName ` - -and $_.ResourceId 
-eq "[$($script:dscResourceFriendlyName)]Integration_Test" + It 'Should be able to call Get-DscConfiguration without throwing' { + { + $script:currentConfiguration = Get-DscConfiguration -Verbose -ErrorAction Stop + } | Should -Not -Throw } - (Get-BitlockerVolume -MountPoint $env:SystemDrive).KeyProtector[0].KeyProtectorType | Should -Be 'Tpm' - } + It 'Should have set the resource and all the parameters should match' { + (Get-BitlockerVolume -MountPoint $env:SystemDrive).KeyProtector[0].KeyProtectorType | Should -Be 'Tpm' + } - It 'Should return $true when Test-DscConfiguration is run' { - Test-DscConfiguration -Verbose | Should -Be $true + It 'Should return $true when Test-DscConfiguration is run' { + Test-DscConfiguration -Verbose | Should -Be $true + } } } } diff --git a/Tests/Integration/MSFT_xBLBitlocker.config.ps1 b/Tests/Integration/MSFT_xBLBitlocker.config.ps1 index e14e19c..db776e4 100644 --- a/Tests/Integration/MSFT_xBLBitlocker.config.ps1 +++ b/Tests/Integration/MSFT_xBLBitlocker.config.ps1 @@ -20,7 +20,7 @@ else <# .SYNOPSIS - Enables Bitlocker on the Operating System drive using a TpmProtector + Enables Bitlocker on the Operating System drive using a TpmProtector. #> Configuration MSFT_xBLBitlocker_BasicTPMEncryptionOnSysDrive_Config { @@ -32,6 +32,29 @@ Configuration MSFT_xBLBitlocker_BasicTPMEncryptionOnSysDrive_Config { MountPoint = $env:SystemDrive PrimaryProtector = 'TpmProtector' + UsedSpaceOnly = $true + } + } +} + +<# + .SYNOPSIS + Enables Bitlocker on the Operating System drive using a TpmProtector + and passed multiple Switch parameters of Enable-Bitlocker with False + values. +#> +Configuration MSFT_xBLBitlocker_TPMEncryptionOnSysDriveWithFalseSwitchParams_Config +{ + Import-DscResource -ModuleName 'xBitlocker' + + Node $AllNodes.NodeName + { + xBLBitlocker Integration_Test + { + MountPoint = $env:SystemDrive + PrimaryProtector = 'TpmProtector' + HardwareEncryption = $false + UsedSpaceOnly = $false } } } 
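Review bot: The new `..._TPMEncryptionOnSysDriveWithFalseSwitchParams_Config` run in MSFT_xBLBitlocker.Integration.tests.ps1 is verified by the same single assertion as the basic run, `KeyProtector[0].KeyProtectorType | Should -Be 'Tpm'`. The loop would therefore presumably still pass if the `$false` switches were forwarded as `$true` again, so the regression this commit fixes is not pinned by any test visible here. A unit test that mocks `Enable-BitLocker` and uses a `-ParameterFilter` to assert that `HardwareEncryption` and `UsedSpaceOnly` arrive as `$false` would cover it without depending on what the test machine's drive supports.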
diff --git a/Tests/Integration/MSFT_xBLTpm.Integration.tests.ps1 b/Tests/Integration/MSFT_xBLTpm.Integration.tests.ps1 index c2c96f5..8890e21 100644 --- a/Tests/Integration/MSFT_xBLTpm.Integration.tests.ps1 +++ b/Tests/Integration/MSFT_xBLTpm.Integration.tests.ps1 @@ -73,11 +73,6 @@ try } It 'Should have set the resource and all the parameters should match' { - $resourceCurrentState = $script:currentConfiguration | Where-Object -FilterScript { - $_.ConfigurationName -eq $configurationName ` - -and $_.ResourceId -eq "[$($script:dscResourceFriendlyName)]Integration_Test" - } - (Get-Tpm).TpmReady | Should -Be $true } diff --git a/Tests/TestHelpers/xBitlockerTestHelper.psm1 b/Tests/TestHelpers/xBitlockerTestHelper.psm1 index 43a48d0..e50fcb3 100644 --- a/Tests/TestHelpers/xBitlockerTestHelper.psm1 +++ b/Tests/TestHelpers/xBitlockerTestHelper.psm1 @@ -42,3 +42,29 @@ function Test-HasPresentTpm return $hasReadyTpm } + +<# + .SYNOPSIS + Disables BitLocker on a test drive, if Enabled + + .PARAMETER MountPoint + The MountPoint to disable BitLocker on +#> +function Disable-BitLockerOnTestDrive +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [ValidateNotNullorEmpty()] + [System.String] + $MountPoint + ) + + $blv = Get-BitLockerVolume -MountPoint $MountPoint + + if ($blv.KeyProtector.Count -gt 0 -or $blv.ProtectionStatus -ne 'Off') + { + Disable-BitLocker -MountPoint $blv + } +}
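Review bot: `Disable-BitLocker -MountPoint $blv` in Disable-BitLockerOnTestDrive passes the volume object returned by Get-BitLockerVolume rather than the mount point string, so the call depends on implicit conversion. `Disable-BitLocker -MountPoint $MountPoint` states what is meant. The helper is named for a test drive, but the integration tests call it with `$env:SystemDrive` and it has no guard, so it turns off protection on the OS volume of whichever machine runs it. The comment help should say that it is meant for disposable test hosts only. The helper also returns without waiting for decryption to finish, which may make the following configuration run timing-dependent; I cannot confirm from this hunk whether that matters.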