diff --git a/CHANGELOG.md b/CHANGELOG.md index bd45734..f2778b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,9 @@ - Fixed Markdown validation warnings in README.md - Added .MetaTestOptIn.json file to root of module - Add Integration Tests for module resources +- Rename functions with improper Verb-Noun constructs +- Add comment based help to any functions without it +- Update Schema.mof Description fields ## 1.2.0.0 diff --git a/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.psm1 b/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.psm1 index 71621aa..632efe2 100644 --- a/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.psm1 +++ b/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.psm1 
@@ -1,3 +1,84 @@
+<#
+ .SYNOPSIS
+ Gets DSC resource configuration.
+
+ .PARAMETER MountPoint
+ The MountPoint name as reported in Get-BitLockerVolume.
+
+ .PARAMETER MinDiskCapacityGB
+ Optional parameter specifying the minimum disk size, in GB, that should
+ be considered for AutoBitlocker.
+
+ .PARAMETER PrimaryProtector
+ The type of key protector that will be used as the primary key
+ protector.
+
+ .PARAMETER AdAccountOrGroup
+ Specifies an account using the format Domain\User.
+
+ .PARAMETER AdAccountOrGroupProtector
+ Indicates that BitLocker uses an AD DS account as a protector for the
+ volume encryption key.
+
+ .PARAMETER AllowImmediateReboot
+ Whether the computer can be immediately rebooted after enabling
+ Bitlocker on an OS drive. Defaults to false.
+
+ .PARAMETER AutoUnlock
+ Whether volumes should be enabled for auto unlock using
+ Enable-BitlockerAutoUnlock.
+
+ .PARAMETER EncryptionMethod
+ Indicates that BitLocker uses the TPM as a protector for the volume
+ encryption key.
+
+ .PARAMETER HardwareEncryption
+ Indicates that the volume uses hardware encryption.
+
+ .PARAMETER Password
+ Specifies a secure string object that contains a password.
+
+ .PARAMETER PasswordProtector
+ Indicates that BitLocker uses a password as a protector for the volume
+ encryption key.
+
+ .PARAMETER Pin
+ Specifies a secure string object that contains a PIN.
+
+ .PARAMETER RecoveryKeyPath
+ Specifies a path to a recovery key.
+
+ .PARAMETER RecoveryKeyProtector
+ Indicates that BitLocker uses a recovery key as a protector for the
+ volume encryption key.
+
+ .PARAMETER RecoveryPasswordProtector
+ Indicates that BitLocker uses a recovery password as a protector for
+ the volume encryption key.
+
+ .PARAMETER Service
+ Indicates that the system account for this computer unlocks the
+ encrypted volume.
+
+ .PARAMETER SkipHardwareTest
+ Indicates that BitLocker does not perform a hardware test before it
+ begins encryption.
+ + .PARAMETER StartupKeyPath + Specifies a path to a startup key. + + .PARAMETER StartupKeyProtector + Indicates that BitLocker uses a startup key as a protector for the + volume encryption key. + + .PARAMETER TpmProtector + Indicates that BitLocker uses the TPM as a protector for the volume + encryption key. + + .PARAMETER UsedSpaceOnly + Indicates that BitLocker does not encrypt disk space which contains + unused data. +#> function Get-TargetResource { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSDSCUseVerboseMessageInDSCResource', '')] @@ -92,7 +173,7 @@ function Get-TargetResource #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 - CheckForPreReqs + Assert-HasPrereqsForBitlocker $returnValue = @{ DriveType = $DriveType 
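Review bot: Several entries in this new help block do not match the parameters they describe: `.PARAMETER EncryptionMethod` repeats the TpmProtector text although the schema restricts it to `Aes128`/`Aes256`, and `.PARAMETER Password` / `.PARAMETER Pin` say "secure string object" while the schema declares both as `MSFT_Credential` instances. The block also documents `MountPoint` but has no `.PARAMETER DriveType`, even though the function returns `DriveType = $DriveType`; the param block is outside the hunk, so confirm against it. Suggested wording: `Specifies the encryption method for the volume (Aes128 or Aes256).` and `Specifies a credential object whose password is used as the BitLocker password; the user name is ignored.` The same text is repeated in the help added for Set-TargetResource, Test-TargetResource and Get-AutoBitlockerStatus in this file and in the three help blocks in MSFT_xBLBitlocker.psm1, so the fix applies there too.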
@@ -101,6 +182,87 @@ function Get-TargetResource $returnValue } +<# + .SYNOPSIS + Configures settings defined DSC resource configuration. + + .PARAMETER MountPoint + The MountPoint name as reported in Get-BitLockerVolume. + + .PARAMETER MinDiskCapacityGB + Optional parameter specifying the minimum disk size, in GB, that should + be considered for AutoBitlocker. + + .PARAMETER PrimaryProtector + The type of key protector that will be used as the primary key + protector. + + .PARAMETER AdAccountOrGroup + Specifies an account using the format Domain\User. + + .PARAMETER AdAccountOrGroupProtector + Indicates that BitLocker uses an AD DS account as a protector for the + volume encryption key. + + .PARAMETER AllowImmediateReboot + Whether the computer can be immediately rebooted after enabling + Bitlocker on an OS drive. Defaults to false. + + .PARAMETER AutoUnlock + Whether volumes should be enabled for auto unlock using + Enable-BitlockerAutoUnlock. + + .PARAMETER EncryptionMethod + Indicates that BitLocker uses the TPM as a protector for the volume + encryption key. + + .PARAMETER HardwareEncryption + Indicates that the volume uses hardware encryption. + + .PARAMETER Password + Specifies a secure string object that contains a password. + + .PARAMETER PasswordProtector + Indicates that BitLocker uses a password as a protector for the volume + encryption key. + + .PARAMETER Pin + Specifies a secure string object that contains a PIN. + + .PARAMETER RecoveryKeyPath + Specifies a path to a recovery key. + + .PARAMETER RecoveryKeyProtector + Indicates that BitLocker uses a recovery key as a protector for the + volume encryption key. + + .PARAMETER RecoveryPasswordProtector + Indicates that BitLocker uses a recovery password as a protector for + the volume encryption key. + + .PARAMETER Service + Indicates that the system account for this computer unlocks the + encrypted volume. 
+ + .PARAMETER SkipHardwareTest + Indicates that BitLocker does not perform a hardware test before it + begins encryption. + + .PARAMETER StartupKeyPath + Specifies a path to a startup key. + + .PARAMETER StartupKeyProtector + Indicates that BitLocker uses a startup key as a protector for the + volume encryption key. + + .PARAMETER TpmProtector + Indicates that BitLocker uses the TPM as a protector for the volume + encryption key. + + .PARAMETER UsedSpaceOnly + Indicates that BitLocker does not encrypt disk space which contains + unused data. +#> function Set-TargetResource { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSDSCUseVerboseMessageInDSCResource', '')] @@ -194,9 +356,9 @@ function Set-TargetResource #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 - CheckForPreReqs + Assert-HasPrereqsForBitlocker - $autoBlVols = GetAutoBitlockerStatus @PSBoundParameters + $autoBlVols = Get-AutoBitlockerStatus @PSBoundParameters if ($null -eq $autoBlVols) { 
@@ -204,24 +366,106 @@ function Set-TargetResource } else { - RemoveParameters -PSBoundParametersIn $PSBoundParameters -ParamsToRemove "DriveType","MinDiskCapacityGB" - AddParameters -PSBoundParametersIn $PSBoundParameters -ParamsToAdd @{"MountPoint" = ""} + Remove-FromPSBoundParametersUsingHashtable -PSBoundParametersIn $PSBoundParameters -ParamsToRemove "DriveType","MinDiskCapacityGB" + Add-ToPSBoundParametersFromHashtable -PSBoundParametersIn $PSBoundParameters -ParamsToAdd @{"MountPoint" = ""} #Loop through each potential AutoBitlocker volume, see whether they are enabled for Bitlocker, and if not, enable it foreach ($key in $autoBlVols.Keys) { $PSBoundParameters["MountPoint"] = $key - $testResult = TestBitlocker @PSBoundParameters + $testResult = Test-BitlockerEnabled @PSBoundParameters if ($testResult -eq $false) { - EnableBitlocker @PSBoundParameters -VerbosePreference $VerbosePreference + Enable-BitlockerInternal @PSBoundParameters -VerbosePreference $VerbosePreference } } } } +<# + .SYNOPSIS + Tests whether settings defined DSC resource configuration are in the + expected state. + + .PARAMETER MountPoint + The MountPoint name as reported in Get-BitLockerVolume. + + .PARAMETER MinDiskCapacityGB + Optional parameter specifying the minimum disk size, in GB, that should + be considered for AutoBitlocker. + + .PARAMETER PrimaryProtector + The type of key protector that will be used as the primary key + protector. + + .PARAMETER AdAccountOrGroup + Specifies an account using the format Domain\User. + + .PARAMETER AdAccountOrGroupProtector + Indicates that BitLocker uses an AD DS account as a protector for the + volume encryption key. + + .PARAMETER AllowImmediateReboot + Whether the computer can be immediately rebooted after enabling + Bitlocker on an OS drive. Defaults to false. + + .PARAMETER AutoUnlock + Whether volumes should be enabled for auto unlock using + Enable-BitlockerAutoUnlock. 
+ + .PARAMETER EncryptionMethod + Indicates that BitLocker uses the TPM as a protector for the volume + encryption key. + + .PARAMETER HardwareEncryption + Indicates that the volume uses hardware encryption. + + .PARAMETER Password + Specifies a secure string object that contains a password. + + .PARAMETER PasswordProtector + Indicates that BitLocker uses a password as a protector for the volume + encryption key. + + .PARAMETER Pin + Specifies a secure string object that contains a PIN. + + .PARAMETER RecoveryKeyPath + Specifies a path to a recovery key. + + .PARAMETER RecoveryKeyProtector + Indicates that BitLocker uses a recovery key as a protector for the + volume encryption key. + + .PARAMETER RecoveryPasswordProtector + Indicates that BitLocker uses a recovery password as a protector for + the volume encryption key. + + .PARAMETER Service + Indicates that the system account for this computer unlocks the + encrypted volume. + + .PARAMETER SkipHardwareTest + Indicates that BitLocker does not perform a hardware test before it + begins encryption. + + .PARAMETER StartupKeyPath + Specifies a path to a startup key. + + .PARAMETER StartupKeyProtector + Indicates that BitLocker uses a startup key as a protector for the + volume encryption key. + + .PARAMETER TpmProtector + Indicates that BitLocker uses the TPM as a protector for the volume + encryption key. + + .PARAMETER UsedSpaceOnly + Indicates that BitLocker does not encrypt disk space which contains + unused data. +#> function Test-TargetResource { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSDSCUseVerboseMessageInDSCResource', '')] @@ -316,9 +560,9 @@ function Test-TargetResource #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 - CheckForPreReqs + Assert-HasPrereqsForBitlocker - $autoBlVols = GetAutoBitlockerStatus @PSBoundParameters + $autoBlVols = Get-AutoBitlockerStatus @PSBoundParameters $allEnabled = $true 
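Review bot: In the Set-TargetResource loop, `Test-BitlockerEnabled @PSBoundParameters` is called without `-VerbosePreference $VerbosePreference`, while the `Enable-BitlockerInternal` call a few lines later and the same loop in Test-TargetResource (hunk at -330,15) both pass it. Unless the omission is deliberate, use `$testResult = Test-BitlockerEnabled @PSBoundParameters -VerbosePreference $VerbosePreference` so the per-volume check is logged the same way on both paths. Separately, the new name `Remove-FromPSBoundParametersUsingHashtable` reads oddly at this call site, where `-ParamsToRemove` receives a list of strings rather than a hashtable. Set-TargetResource begins outside the hunk.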
@@ -330,15 +574,15 @@ function Test-TargetResource } else { - RemoveParameters -PSBoundParametersIn $PSBoundParameters -ParamsToRemove "DriveType","MinDiskCapacityGB" - AddParameters -PSBoundParametersIn $PSBoundParameters -ParamsToAdd @{"MountPoint" = ""} + Remove-FromPSBoundParametersUsingHashtable -PSBoundParametersIn $PSBoundParameters -ParamsToRemove "DriveType","MinDiskCapacityGB" + Add-ToPSBoundParametersFromHashtable -PSBoundParametersIn $PSBoundParameters -ParamsToAdd @{"MountPoint" = ""} #Check whether any potential AutoBitlocker volume is not currently enabled for Bitlocker, or doesn't have the correct settings foreach ($key in $autoBlVols.Keys) { $PSBoundParameters["MountPoint"] = $key - $testResult = TestBitlocker @PSBoundParameters -VerbosePreference $VerbosePreference + $testResult = Test-BitlockerEnabled @PSBoundParameters -VerbosePreference $VerbosePreference if ($testResult -eq $false) { 
@@ -352,7 +596,88 @@ function Test-TargetResource return $allEnabled } -function GetAutoBitlockerStatus +<# + .SYNOPSIS + Checks the status on all volumes eligible for AutoBitlocker. + + .PARAMETER MountPoint + The MountPoint name as reported in Get-BitLockerVolume. + + .PARAMETER MinDiskCapacityGB + Optional parameter specifying the minimum disk size, in GB, that should + be considered for AutoBitlocker. + + .PARAMETER PrimaryProtector + The type of key protector that will be used as the primary key + protector. + + .PARAMETER AdAccountOrGroup + Specifies an account using the format Domain\User. + + .PARAMETER AdAccountOrGroupProtector + Indicates that BitLocker uses an AD DS account as a protector for the + volume encryption key. + + .PARAMETER AllowImmediateReboot + Whether the computer can be immediately rebooted after enabling + Bitlocker on an OS drive. Defaults to false. + + .PARAMETER AutoUnlock + Whether volumes should be enabled for auto unlock using + Enable-BitlockerAutoUnlock. + + .PARAMETER EncryptionMethod + Indicates that BitLocker uses the TPM as a protector for the volume + encryption key. + + .PARAMETER HardwareEncryption + Indicates that the volume uses hardware encryption. + + .PARAMETER Password + Specifies a secure string object that contains a password. + + .PARAMETER PasswordProtector + Indicates that BitLocker uses a password as a protector for the volume + encryption key. + + .PARAMETER Pin + Specifies a secure string object that contains a PIN. + + .PARAMETER RecoveryKeyPath + Specifies a path to a recovery key. + + .PARAMETER RecoveryKeyProtector + Indicates that BitLocker uses a recovery key as a protector for the + volume encryption key. + + .PARAMETER RecoveryPasswordProtector + Indicates that BitLocker uses a recovery password as a protector for + the volume encryption key. + + .PARAMETER Service + Indicates that the system account for this computer unlocks the + encrypted volume. 
+ + .PARAMETER SkipHardwareTest + Indicates that BitLocker does not perform a hardware test before it + begins encryption. + + .PARAMETER StartupKeyPath + Specifies a path to a startup key. + + .PARAMETER StartupKeyProtector + Indicates that BitLocker uses a startup key as a protector for the + volume encryption key. + + .PARAMETER TpmProtector + Indicates that BitLocker uses the TPM as a protector for the volume + encryption key. + + .PARAMETER UsedSpaceOnly + Indicates that BitLocker does not encrypt disk space which contains + unused data. +#> +function Get-AutoBitlockerStatus { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] diff --git a/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.schema.mof b/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.schema.mof index 419b839..f090d76 100644 --- a/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.schema.mof +++ b/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.schema.mof 
@@ -2,22 +2,17 @@ [ClassVersion("1.0.0.0"), FriendlyName("xBLAutoBitlocker")] class MSFT_xBLAutoBitlocker : OMI_BaseResource { - //Used to automatically enable Bitlocker on drives of type Fixed or Removable. Does not work on Operating System drives. - - [Key, ValueMap{"Fixed","Removable"}, Values{"Fixed","Removable"}] String DriveType; //The type of volume, as reported by Get-Volume, to auto apply Bitlocker to - [Write] Sint32 MinDiskCapacityGB; //If specified, only disks this size or greater will auto apply Bitlocker + [Key, ValueMap{"Fixed","Removable"}, Values{"Fixed","Removable"}, Description("The type of volume, as reported by Get-Volume, to auto apply Bitlocker to")] String DriveType; + [Write, Description("If specified, only disks this size or greater will auto apply Bitlocker")] Sint32 MinDiskCapacityGB; [Required, ValueMap{"PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}, Values{"PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}] String PrimaryProtector; - [Write] Boolean AutoUnlock; //Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock - - //Remaing properties correspond directly to Enable-Bitlocker parameters - //http://technet.microsoft.com/en-us/library/jj649837.aspx + [Write, Description("Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock")] Boolean AutoUnlock; [Write] String AdAccountOrGroup; [Write] Boolean AdAccountOrGroupProtector; [Write, ValueMap{"Aes128","Aes256"}, Values{"Aes128","Aes256"}] String EncryptionMethod; [Write] Boolean HardwareEncryption; - [Write, EmbeddedInstance("MSFT_Credential")] String Password; //NOTE: Username doesn't matter for the credential. Just put the Password in the Password field + [Write, EmbeddedInstance("MSFT_Credential"), Description("NOTE: Username doesn't matter for the credential. 
Just put the Password in the Password field")] String Password; [Write] Boolean PasswordProtector; - [Write, EmbeddedInstance("MSFT_Credential")] String Pin; //NOTE: Username doesn't matter for the credential. Just put the Pin in the Password field + [Write, EmbeddedInstance("MSFT_Credential"), Description("NOTE: Username doesn't matter for the credential. Just put the Pin in the Password field")] String Pin; [Write] String RecoveryKeyPath; [Write] Boolean RecoveryKeyProtector; [Write] Boolean RecoveryPasswordProtector; diff --git a/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1 b/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1 index 1cc4fe5..549662f 100644 --- a/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1 +++ b/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1 
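Review bot: `PrimaryProtector` still has no `Description` here, although the same property gets one in MSFT_xBLBitlocker.schema.mof in this commit, and the properties after `AutoUnlock` (`EncryptionMethod`, `RecoveryKeyPath` and the rest) have none in either schema. The hunk also deletes the comments saying the resource does not work on operating system drives and that the remaining properties map to Enable-Bitlocker parameters, without moving that information into a qualifier. Consider `Description("The type of key protector that will be used as the primary key protector")` on `PrimaryProtector` and keeping the OS-drive limitation as a comment above the class. For `Password` and `Pin`, the Description could say what the property is before the NOTE about the user name, since these are the credential-bearing fields. The class body continues outside the hunk.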
@@ -1,3 +1,80 @@
+<#
+ .SYNOPSIS
+ Gets DSC resource configuration.
+
+ .PARAMETER MountPoint
+ The MountPoint name as reported in Get-BitLockerVolume.
+
+ .PARAMETER PrimaryProtector
+ The type of key protector that will be used as the primary key
+ protector.
+
+ .PARAMETER AdAccountOrGroup
+ Specifies an account using the format Domain\User.
+
+ .PARAMETER AdAccountOrGroupProtector
+ Indicates that BitLocker uses an AD DS account as a protector for the
+ volume encryption key.
+
+ .PARAMETER AllowImmediateReboot
+ Whether the computer can be immediately rebooted after enabling
+ Bitlocker on an OS drive. Defaults to false.
+
+ .PARAMETER AutoUnlock
+ Whether volumes should be enabled for auto unlock using
+ Enable-BitlockerAutoUnlock.
+
+ .PARAMETER EncryptionMethod
+ Indicates that BitLocker uses the TPM as a protector for the volume
+ encryption key.
+
+ .PARAMETER HardwareEncryption
+ Indicates that the volume uses hardware encryption.
+
+ .PARAMETER Password
+ Specifies a secure string object that contains a password.
+
+ .PARAMETER PasswordProtector
+ Indicates that BitLocker uses a password as a protector for the volume
+ encryption key.
+
+ .PARAMETER Pin
+ Specifies a secure string object that contains a PIN.
+
+ .PARAMETER RecoveryKeyPath
+ Specifies a path to a recovery key.
+
+ .PARAMETER RecoveryKeyProtector
+ Indicates that BitLocker uses a recovery key as a protector for the
+ volume encryption key.
+
+ .PARAMETER RecoveryPasswordProtector
+ Indicates that BitLocker uses a recovery password as a protector for
+ the volume encryption key.
+
+ .PARAMETER Service
+ Indicates that the system account for this computer unlocks the
+ encrypted volume.
+
+ .PARAMETER SkipHardwareTest
+ Indicates that BitLocker does not perform a hardware test before it
+ begins encryption.
+
+ .PARAMETER StartupKeyPath
+ Specifies a path to a startup key.
+ + .PARAMETER StartupKeyProtector + Indicates that BitLocker uses a startup key as a protector for the + volume encryption key. + + .PARAMETER TpmProtector + Indicates that BitLocker uses the TPM as a protector for the volume + encryption key. + + .PARAMETER UsedSpaceOnly + Indicates that BitLocker does not encrypt disk space which contains + unused data. +#> function Get-TargetResource { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSDSCUseVerboseMessageInDSCResource', '')] @@ -90,7 +167,7 @@ function Get-TargetResource #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 - CheckForPreReqs + Assert-HasPrereqsForBitlocker $returnValue = @{ MountPoint = $MountPoint 
@@ -99,7 +176,83 @@ function Get-TargetResource $returnValue } +<# + .SYNOPSIS + Configures settings defined DSC resource configuration. + + .PARAMETER MountPoint + The MountPoint name as reported in Get-BitLockerVolume. + + .PARAMETER PrimaryProtector + The type of key protector that will be used as the primary key + protector. + + .PARAMETER AdAccountOrGroup + Specifies an account using the format Domain\User. + + .PARAMETER AdAccountOrGroupProtector + Indicates that BitLocker uses an AD DS account as a protector for the + volume encryption key. + + .PARAMETER AllowImmediateReboot + Whether the computer can be immediately rebooted after enabling + Bitlocker on an OS drive. Defaults to false. + + .PARAMETER AutoUnlock + Whether volumes should be enabled for auto unlock using + Enable-BitlockerAutoUnlock. + + .PARAMETER EncryptionMethod + Indicates that BitLocker uses the TPM as a protector for the volume + encryption key. + + .PARAMETER HardwareEncryption + Indicates that the volume uses hardware encryption. + + .PARAMETER Password + Specifies a secure string object that contains a password. + + .PARAMETER PasswordProtector + Indicates that BitLocker uses a password as a protector for the volume + encryption key. + .PARAMETER Pin + Specifies a secure string object that contains a PIN. + + .PARAMETER RecoveryKeyPath + Specifies a path to a recovery key. + + .PARAMETER RecoveryKeyProtector + Indicates that BitLocker uses a recovery key as a protector for the + volume encryption key. + + .PARAMETER RecoveryPasswordProtector + Indicates that BitLocker uses a recovery password as a protector for + the volume encryption key. + + .PARAMETER Service + Indicates that the system account for this computer unlocks the + encrypted volume. + + .PARAMETER SkipHardwareTest + Indicates that BitLocker does not perform a hardware test before it + begins encryption. + + .PARAMETER StartupKeyPath + Specifies a path to a startup key. 
+ + .PARAMETER StartupKeyProtector + Indicates that BitLocker uses a startup key as a protector for the + volume encryption key. + + .PARAMETER TpmProtector + Indicates that BitLocker uses the TPM as a protector for the volume + encryption key. + + .PARAMETER UsedSpaceOnly + Indicates that BitLocker does not encrypt disk space which contains + unused data. +#> function Set-TargetResource { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSDSCUseVerboseMessageInDSCResource', '')] 
@@ -191,11 +344,89 @@ function Set-TargetResource #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 - CheckForPreReqs + Assert-HasPrereqsForBitlocker - EnableBitlocker @PSBoundParameters -VerbosePreference $VerbosePreference + Enable-BitlockerInternal @PSBoundParameters -VerbosePreference $VerbosePreference } +<# + .SYNOPSIS + Tests whether settings defined DSC resource configuration are in the + expected state. + + .PARAMETER MountPoint + The MountPoint name as reported in Get-BitLockerVolume. + + .PARAMETER PrimaryProtector + The type of key protector that will be used as the primary key + protector. + + .PARAMETER AdAccountOrGroup + Specifies an account using the format Domain\User. + + .PARAMETER AdAccountOrGroupProtector + Indicates that BitLocker uses an AD DS account as a protector for the + volume encryption key. + + .PARAMETER AllowImmediateReboot + Whether the computer can be immediately rebooted after enabling + Bitlocker on an OS drive. Defaults to false. + + .PARAMETER AutoUnlock + Whether volumes should be enabled for auto unlock using + Enable-BitlockerAutoUnlock. + + .PARAMETER EncryptionMethod + Indicates that BitLocker uses the TPM as a protector for the volume + encryption key. + + .PARAMETER HardwareEncryption + Indicates that the volume uses hardware encryption. + + .PARAMETER Password + Specifies a secure string object that contains a password. + + .PARAMETER PasswordProtector + Indicates that BitLocker uses a password as a protector for the volume + encryption key. + + .PARAMETER Pin + Specifies a secure string object that contains a PIN. + + .PARAMETER RecoveryKeyPath + Specifies a path to a recovery key. + + .PARAMETER RecoveryKeyProtector + Indicates that BitLocker uses a recovery key as a protector for the + volume encryption key. 
+ + .PARAMETER RecoveryPasswordProtector + Indicates that BitLocker uses a recovery password as a protector for + the volume encryption key. + + .PARAMETER Service + Indicates that the system account for this computer unlocks the + encrypted volume. + + .PARAMETER SkipHardwareTest + Indicates that BitLocker does not perform a hardware test before it + begins encryption. + + .PARAMETER StartupKeyPath + Specifies a path to a startup key. + + .PARAMETER StartupKeyProtector + Indicates that BitLocker uses a startup key as a protector for the + volume encryption key. + + .PARAMETER TpmProtector + Indicates that BitLocker uses the TPM as a protector for the volume + encryption key. + + .PARAMETER UsedSpaceOnly + Indicates that BitLocker does not encrypt disk space which contains + unused data. +#> function Test-TargetResource { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSDSCUseVerboseMessageInDSCResource', '')] @@ -288,9 +519,9 @@ function Test-TargetResource #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 - CheckForPreReqs + Assert-HasPrereqsForBitlocker - $testResult = TestBitlocker @PSBoundParameters -VerbosePreference $VerbosePreference + $testResult = Test-BitlockerEnabled @PSBoundParameters -VerbosePreference $VerbosePreference return $testResult } diff --git a/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.schema.mof b/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.schema.mof index 1ca2f91..cc523e9 100644 --- a/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.schema.mof +++ b/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.schema.mof 
@@ -2,20 +2,17 @@ [ClassVersion("1.0.0.0"), FriendlyName("xBLBitlocker")] class MSFT_xBLBitlocker : OMI_BaseResource { - [Key] String MountPoint; //The MountPoint name as reported in Get-BitLockerVolume - [Required, ValueMap{"PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}, Values{"PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}] String PrimaryProtector; //The type of key protector that will be used as the primary key protector - [Write] Boolean AutoUnlock; //Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock - [Write] Boolean AllowImmediateReboot; //Whether the computer can be immediately rebooted after enabling Bitlocker on an OS drive. Defaults to false. - - //Remaing properties correspond directly to Enable-Bitlocker parameters - //http://technet.microsoft.com/en-us/library/jj649837.aspx + [Key, Description("The MountPoint name as reported in Get-BitLockerVolume")] String MountPoint; + [Required, ValueMap{"PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}, Values{"PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}, Description("The type of key protector that will be used as the primary key protector")] String PrimaryProtector; + [Write, Description("Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock")] Boolean AutoUnlock; + [Write, Description("Whether the computer can be immediately rebooted after enabling Bitlocker on an OS drive. Defaults to false.")] Boolean AllowImmediateReboot; [Write] String AdAccountOrGroup; [Write] Boolean AdAccountOrGroupProtector; [Write, ValueMap{"Aes128","Aes256"}, Values{"Aes128","Aes256"}] String EncryptionMethod; [Write] Boolean HardwareEncryption; - [Write, EmbeddedInstance("MSFT_Credential")] String Password; //NOTE: Username doesn't matter for the credential. 
Just put the Password in the Password field + [Write, EmbeddedInstance("MSFT_Credential"), Description("NOTE: Username doesn't matter for the credential. Just put the Password in the Password field")] String Password; [Write] Boolean PasswordProtector; - [Write, EmbeddedInstance("MSFT_Credential")] String Pin; //NOTE: Username doesn't matter for the credential. Just put the Pin in the Password field + [Write, EmbeddedInstance("MSFT_Credential"), Description("NOTE: Username doesn't matter for the credential. Just put the Pin in the Password field")] String Pin; [Write] String RecoveryKeyPath; [Write] Boolean RecoveryKeyProtector; [Write] Boolean RecoveryPasswordProtector; diff --git a/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.psm1 b/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.psm1 index 6766709..d31621b 100644 --- a/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.psm1 +++ b/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.psm1 @@ -1,3 +1,23 @@ +<# + .SYNOPSIS + Gets DSC resource configuration. + + .PARAMETER Identity + A required string value which is used as a Key for the resource. The + value does not matter, as long as its not empty. + + .PARAMETER AllowClear + Indicates that the provisioning process clears the TPM, if necessary, + to move the TPM closer to complying with Windows Server 2012 standards. + + .PARAMETER AllowPhysicalPresence + Indicates that the provisioning process may send physical presence + commands that require a user to be present in order to continue. + + .PARAMETER AllowImmediateReboot + Whether the computer can rebooted immediately after initializing the + TPM. +#> function Get-TargetResource { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSDSCUseVerboseMessageInDSCResource', '')] 
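Review bot: The help text added for xBLTpm's Get-TargetResource has two wording slips that are copied into every later block: `as long as its not empty` should read `as long as it's not empty`, and `Whether the computer can rebooted immediately` is missing `be`. The same sentences appear in the help for Set-TargetResource and Test-TargetResource and in the `Description` qualifiers added to MSFT_xBLTpm.schema.mof, which is the text users see when they inspect the resource. Because clearing a TPM removes the keys stored in it, `.PARAMETER AllowClear` would also benefit from one sentence saying so, for example `Clearing the TPM discards keys it currently protects.`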
@@ -7,12 +27,24 @@ function Get-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $Identity + $Identity, + + [Parameter()] + [System.Boolean] + $AllowClear, + + [Parameter()] + [System.Boolean] + $AllowPhysicalPresence, + + [Parameter()] + [System.Boolean] + $AllowImmediateReboot = $false ) #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 - CheckForPreReqs + Assert-HasPrereqsForBitlocker $tpm = Get-Tpm @@ -26,7 +58,26 @@ function Get-TargetResource $returnValue } +<# + .SYNOPSIS + Configures settings defined DSC resource configuration. + + .PARAMETER Identity + A required string value which is used as a Key for the resource. The + value does not matter, as long as its not empty. + + .PARAMETER AllowClear + Indicates that the provisioning process clears the TPM, if necessary, + to move the TPM closer to complying with Windows Server 2012 standards. + .PARAMETER AllowPhysicalPresence + Indicates that the provisioning process may send physical presence + commands that require a user to be present in order to continue. + + .PARAMETER AllowImmediateReboot + Whether the computer can rebooted immediately after initializing the + TPM. +#> function Set-TargetResource { # Suppressing this rule because $global:DSCMachineStatus is used to trigger a reboot. @@ -59,7 +110,7 @@ function Set-TargetResource #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 - CheckForPreReqs + Assert-HasPrereqsForBitlocker $PSBoundParameters.Remove('Identity') | Out-Null $PSBoundParameters.Remove('AllowImmediateReboot') | Out-Null 
@@ -87,7 +138,27 @@ function Set-TargetResource } } +<# + .SYNOPSIS + Tests whether settings defined DSC resource configuration are in the + expected state. + + .PARAMETER Identity + A required string value which is used as a Key for the resource. The + value does not matter, as long as its not empty. + + .PARAMETER AllowClear + Indicates that the provisioning process clears the TPM, if necessary, + to move the TPM closer to complying with Windows Server 2012 standards. + + .PARAMETER AllowPhysicalPresence + Indicates that the provisioning process may send physical presence + commands that require a user to be present in order to continue. + .PARAMETER AllowImmediateReboot + Whether the computer can rebooted immediately after initializing the + TPM. +#> function Test-TargetResource { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSDSCUseVerboseMessageInDSCResource', '')] @@ -114,7 +185,7 @@ function Test-TargetResource #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 - CheckForPreReqs + Assert-HasPrereqsForBitlocker $tpm = Get-Tpm diff --git a/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.schema.mof b/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.schema.mof index 383c7bc..cc55c12 100644 --- a/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.schema.mof +++ b/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.schema.mof 
@@ -2,10 +2,10 @@ [ClassVersion("1.0.0.0"), FriendlyName("xBLTpm")] class MSFT_xBLTpm : OMI_BaseResource { - [Key] String Identity; //Not actually used, so could be anything - [Write] Boolean AllowClear; //Indicates that the provisioning process clears the TPM, if necessary, to move the TPM closer to complying with Windows Server� 2012 standards - [Write] Boolean AllowPhysicalPresence; //Indicates that the provisioning process may send physical presence commands that require a user to be present in order to continue. - [Write] Boolean AllowImmediateReboot; //Whether the computer can rebooted immediately after initializing the TPM + [Key, Description("A required string value which is used as a Key for the resource. The value does not matter, as long as its not empty.")] String Identity; + [Write, Description("Indicates that the provisioning process clears the TPM, if necessary, to move the TPM closer to complying with Windows Server 2012 standards.")] Boolean AllowClear; + [Write, Description("Indicates that the provisioning process may send physical presence commands that require a user to be present in order to continue.")] Boolean AllowPhysicalPresence; + [Write, Description("Whether the computer can rebooted immediately after initializing the TPM.")] Boolean AllowImmediateReboot; }; diff --git a/Misc/xBitlockerCommon.psm1 b/Misc/xBitlockerCommon.psm1 index aa20481..2a217cf 100644 --- a/Misc/xBitlockerCommon.psm1 +++ b/Misc/xBitlockerCommon.psm1 @@ -78,7 +78,7 @@ .PARAMETER VerbosePreference Used to modify the default VerbosePreference for the function. #> -function EnableBitlocker +function Enable-BitlockerInternal { # Suppressing this rule because $global:DSCMachineStatus is used to trigger a reboot. [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidGlobalVars', '', Scope='Function', Target='DSCMachineStatus')] 
@@ -487,31 +487,31 @@ function Add-MissingBitLockerKeyProtector $VerbosePreference ) - if ($PSBoundParameters.ContainsKey("AdAccountOrGroupProtector") -and $PrimaryProtector -notlike "AdAccountOrGroupProtector" -and !(ContainsKeyProtector -Type "AdAccountOrGroup" -KeyProtectorCollection $blv.KeyProtector)) + if ($PSBoundParameters.ContainsKey("AdAccountOrGroupProtector") -and $PrimaryProtector -notlike "AdAccountOrGroupProtector" -and !(Test-CollectionContainsKeyProtector -Type "AdAccountOrGroup" -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "Adding AdAccountOrGroupProtector" Add-BitLockerKeyProtector -MountPoint $MountPoint -AdAccountOrGroupProtector -AdAccountOrGroup $AdAccountOrGroup } - if ($PSBoundParameters.ContainsKey("PasswordProtector") -and $PrimaryProtector -notlike "PasswordProtector" -and !(ContainsKeyProtector -Type "Password" -KeyProtectorCollection $blv.KeyProtector)) + if ($PSBoundParameters.ContainsKey("PasswordProtector") -and $PrimaryProtector -notlike "PasswordProtector" -and !(Test-CollectionContainsKeyProtector -Type "Password" -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "Adding PasswordProtector" Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $Password.Password } - if ($PSBoundParameters.ContainsKey("RecoveryKeyProtector") -and $PrimaryProtector -notlike "RecoveryKeyProtector" -and !(ContainsKeyProtector -Type "ExternalKey" -KeyProtectorCollection $blv.KeyProtector)) + if ($PSBoundParameters.ContainsKey("RecoveryKeyProtector") -and $PrimaryProtector -notlike "RecoveryKeyProtector" -and !(Test-CollectionContainsKeyProtector -Type "ExternalKey" -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "Adding RecoveryKeyProtector" Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryKeyProtector -RecoveryKeyPath $RecoveryKeyPath } - if ($PSBoundParameters.ContainsKey("RecoveryPasswordProtector") -and $PrimaryProtector -notlike "RecoveryPasswordProtector" -and 
!(ContainsKeyProtector -Type "RecoveryPassword" -KeyProtectorCollection $blv.KeyProtector)) + if ($PSBoundParameters.ContainsKey("RecoveryPasswordProtector") -and $PrimaryProtector -notlike "RecoveryPasswordProtector" -and !(Test-CollectionContainsKeyProtector -Type "RecoveryPassword" -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "Adding RecoveryPasswordProtector" Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector } - if ($PSBoundParameters.ContainsKey("StartupKeyProtector") -and $PrimaryProtector -notlike "TpmProtector" -and $PrimaryProtector -notlike "StartupKeyProtector" -and !(ContainsKeyProtector -Type "ExternalKey" -KeyProtectorCollection $blv.KeyProtector)) + if ($PSBoundParameters.ContainsKey("StartupKeyProtector") -and $PrimaryProtector -notlike "TpmProtector" -and $PrimaryProtector -notlike "StartupKeyProtector" -and !(Test-CollectionContainsKeyProtector -Type "ExternalKey" -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "Adding StartupKeyProtector" Add-BitLockerKeyProtector -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $StartupKeyPath @@ -599,7 +599,7 @@ function Add-MissingBitLockerKeyProtector .PARAMETER VerbosePreference Used to modify the default VerbosePreference for the function. #> -function TestBitlocker +function Test-BitlockerEnabled { [CmdletBinding()] [OutputType([System.Boolean])] 
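Review bot: The RecoveryKeyProtector and StartupKeyProtector branches in this hunk both test for `-Type "ExternalKey"`, so a volume that already carries one of the two looks as if it has the other and the second `Add-BitLockerKeyProtector` call is skipped. The rename leaves that behaviour as it was, and the consequence can be a volume left without a recovery key because a startup key was already present. If the two cannot be told apart from the protector type alone, a comment above the RecoveryKeyProtector branch would at least record it, for example `# Recovery keys and startup keys both report as ExternalKey; an existing one of either kind suppresses adding the other.` Add-MissingBitLockerKeyProtector starts and ends outside the hunk, so whether `$blv` is refreshed between branches is not visible here.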
@@ -715,31 +715,31 @@ function TestBitlocker } else { - if ($PSBoundParameters.ContainsKey("AdAccountOrGroupProtector") -and !(ContainsKeyProtector -Type "AdAccountOrGroup" -KeyProtectorCollection $blv.KeyProtector)) + if ($PSBoundParameters.ContainsKey("AdAccountOrGroupProtector") -and !(Test-CollectionContainsKeyProtector -Type "AdAccountOrGroup" -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have AdAccountOrGroupProtector (AdAccountOrGroup)" return $false } - if ($PSBoundParameters.ContainsKey("PasswordProtector") -and !(ContainsKeyProtector -Type "Password" -KeyProtectorCollection $blv.KeyProtector)) + if ($PSBoundParameters.ContainsKey("PasswordProtector") -and !(Test-CollectionContainsKeyProtector -Type "Password" -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have PasswordProtector (Password)" return $false } - if ($PSBoundParameters.ContainsKey("Pin") -and !(ContainsKeyProtector -Type "TpmPin" -KeyProtectorCollection $blv.KeyProtector -StartsWith $true)) + if ($PSBoundParameters.ContainsKey("Pin") -and !(Test-CollectionContainsKeyProtector -Type "TpmPin" -KeyProtectorCollection $blv.KeyProtector -StartsWith $true)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have TpmPin assigned." 
return $false } - if ($PSBoundParameters.ContainsKey("RecoveryKeyProtector") -and !(ContainsKeyProtector -Type "ExternalKey" -KeyProtectorCollection $blv.KeyProtector)) + if ($PSBoundParameters.ContainsKey("RecoveryKeyProtector") -and !(Test-CollectionContainsKeyProtector -Type "ExternalKey" -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have RecoveryKeyProtector (ExternalKey)" return $false } - if ($PSBoundParameters.ContainsKey("RecoveryPasswordProtector") -and !(ContainsKeyProtector -Type "RecoveryPassword" -KeyProtectorCollection $blv.KeyProtector)) + if ($PSBoundParameters.ContainsKey("RecoveryPasswordProtector") -and !(Test-CollectionContainsKeyProtector -Type "RecoveryPassword" -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have RecoveryPasswordProtector (RecoveryPassword)" return $false @@ -749,7 +749,7 @@ function TestBitlocker { if ($PrimaryProtector -notlike "TpmProtector") { - if (!(ContainsKeyProtector -Type "ExternalKey" -KeyProtectorCollection $blv.KeyProtector)) + if (!(Test-CollectionContainsKeyProtector -Type "ExternalKey" -KeyProtectorCollection $blv.KeyProtector)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have StartupKeyProtector (ExternalKey)" return $false @@ -757,7 +757,7 @@ function TestBitlocker } else #TpmProtector is primary { - if(!(ContainsKeyProtector -Type "Tpm" -KeyProtectorCollection $blv.KeyProtector -StartsWith $true) -and !(ContainsKeyProtector -Type "StartupKey" -KeyProtectorCollection $blv.KeyProtector -Contains $true)) + if(!(Test-CollectionContainsKeyProtector -Type "Tpm" -KeyProtectorCollection $blv.KeyProtector -StartsWith $true) -and !(Test-CollectionContainsKeyProtector -Type "StartupKey" -KeyProtectorCollection $blv.KeyProtector -Contains $true)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have TPM + StartupKey protector." return $false 
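Review bot: In the TpmProtector-is-primary branch of the StartupKeyProtector check, the two negated `Test-CollectionContainsKeyProtector` calls are joined with `-and`, so the test returns `$false` only when the volume has neither a `Tpm*` protector nor a `*StartupKey*` one. A volume with a plain TPM protector and no startup key therefore appears to pass even though the verbose message says the check is for TPM + StartupKey, assuming `-StartsWith` and `-Contains` match the way their help text describes. Joining the clauses with `-or` would require both conditions: `... -StartsWith $true) -or !(Test-CollectionContainsKeyProtector -Type "StartupKey" ...`. The rename carries the condition over unchanged, and Test-BitlockerEnabled begins and ends outside the hunk.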
@@ -765,7 +765,7 @@ function TestBitlocker } } - if ($PSBoundParameters.ContainsKey("TpmProtector") -and !(ContainsKeyProtector -Type "Tpm" -KeyProtectorCollection $blv.KeyProtector -StartsWith $true)) + if ($PSBoundParameters.ContainsKey("TpmProtector") -and !(Test-CollectionContainsKeyProtector -Type "Tpm" -KeyProtectorCollection $blv.KeyProtector -StartsWith $true)) { Write-Verbose "MountPoint '$($MountPoint) 'does not have TpmProtector" return $false @@ -775,9 +775,16 @@ function TestBitlocker return $true } -#Ensures that required Bitlocker prereqs are installed -function CheckForPreReqs +<# + .SYNOPSIS + Tests whether the requires prerequisite features for Bitlocker are + installed, and throws an exception if they are not. +#> +function Assert-HasPrereqsForBitlocker { + [CmdletBinding()] + param() + $hasAllPreReqs = $true $blFeature = Get-WindowsFeature BitLocker 
@@ -811,24 +818,45 @@ function CheckForPreReqs } } -#Checks whether the KeyProtectorCollection returned from Get-BitlockerVolume contains the specified key protector type -function ContainsKeyProtector +<# + .SYNOPSIS + Tests whether the KeyProtectorCollection returned from + Get-BitlockerVolume contains the specified KeyProtector type. + + .PARAMETER Type + The KeyProtector type to look for in the KeyProtectorCollection. + + .PARAMETER KeyProtectorCollection + The KeyProtectorCollection to look for the KeyProtector type within. + + .PARAMETER StartsWith + Whether to look for a KeyProtector type that only StartsWith the input + Type. + + .PARAMETER Contains + Whether to look for a KeyProtector type that only Contains the input + Type. +#> +function Test-CollectionContainsKeyProtector { + [CmdletBinding()] + [OutputType([System.Boolean])] param ( - [Parameter()] - [string] + [Parameter(Mandatory = $true)] + [System.String] $Type, [Parameter()] + [System.Object[]] $KeyProtectorCollection, [Parameter()] - [bool] + [System.Boolean] $StartsWith = $false, [Parameter()] - [bool] + [System.Boolean] $Contains = $false ) @@ -866,7 +894,7 @@ function ContainsKeyProtector A Hashtable containing new Key/Value pairs to add to the given PSBoundParametersIn Hashtable. #> -function AddParameters +function Add-ToPSBoundParametersFromHashtable { [CmdletBinding()] param @@ -911,7 +939,7 @@ function AddParameters A String array containing the list of parameter names to remove in the given PSBoundParametersIn HashTable. #> -function RemoveParameters +function Remove-FromPSBoundParametersUsingHashtable { [CmdletBinding()] param @@ -924,7 +952,7 @@ function RemoveParameters [System.String[]] $ParamsToKeep, - [Parameter(Mandatory = $true, ParameterSetName = 'RemoveParameters')] + [Parameter(Mandatory = $true, ParameterSetName = 'Remove-FromPSBoundParametersUsingHashtable')] [System.String[]] $ParamsToRemove ) 
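Review bot: The new help for Test-CollectionContainsKeyProtector documents `StartsWith` and `Contains` separately but does not say how the type is matched when both are `$false`, or which one applies when both are `$true`. The two are independent `[System.Boolean]` parameters, so nothing in the signature prevents the combination, and callers elsewhere in this diff already depend on the difference (`-StartsWith $true` for `Tpm`, `-Contains $true` for `StartupKey`). I would add one sentence to each `.PARAMETER` entry stating the behaviour when the flag is `$false` and the precedence when both are set, and say what is returned when the optional `KeyProtectorCollection` is null. The function body is outside the hunk, so the actual precedence has to be read from there.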
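Review bot: The parameter set on `$ParamsToRemove` was renamed to `'Remove-FromPSBoundParametersUsingHashtable'`, which looks like a side effect of the function rename rather than an intended change. A parameter set name is an internal label, and any comparison against `$PSCmdlet.ParameterSetName` in the body, which is outside this hunk, has to use the same string or that branch no longer matches. I would keep `ParameterSetName = 'RemoveParameters'` here, or pick a name that describes the set rather than the function.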
@@ -952,12 +980,16 @@ function RemoveParameters } <# -.SYNOPSIS -Returns the OS edtion we currently running on + .SYNOPSIS + Returns the OS edition we are currently running on #> function Get-OSEdition { - (Get-ItemProperty -Path 'HKLM:/software/microsoft/windows nt/currentversion' -Name InstallationType).InstallationType + [CmdletBinding()] + [OutputType([System.String])] + param() + + return (Get-ItemProperty -Path 'HKLM:/software/microsoft/windows nt/currentversion' -Name InstallationType).InstallationType } Export-ModuleMember -Function * diff --git a/README.md b/README.md index f2e6689..9c338ef 100644 --- a/README.md +++ b/README.md @@ -143,15 +143,16 @@ parameters. . **xBLTpm** has the following properties. -* Identity: Not actually used, so could be anything +* Identity: A required string value which is used as a Key for the resource. + The value does not matter, as long as its not empty. * AllowClear: Indicates that the provisioning process clears the TPM, if necessary, to move the TPM closer to complying with Windows Server 2012 - standards + standards. * AllowPhysicalPresence: Indicates that the provisioning process may send physical presence commands that require a user to be present in order to continue. * AllowImmediateReboot: Whether the computer can rebooted immediately after - initializing the TPM + initializing the TPM. ## Examples diff --git a/Tests/Unit/MSFT_xBLAutoBitlocker.tests.ps1 b/Tests/Unit/MSFT_xBLAutoBitlocker.tests.ps1 index e7bc3a4..3750886 100644 --- a/Tests/Unit/MSFT_xBLAutoBitlocker.tests.ps1 +++ b/Tests/Unit/MSFT_xBLAutoBitlocker.tests.ps1 
@@ -45,11 +45,11 @@ try } # Override Helper functions - function CheckForPreReqs {} - function RemoveParameters {} - function AddParameters {} - function TestBitlocker {} - function EnableBitlocker {} + function Assert-HasPrereqsForBitlocker {} + function Remove-FromPSBoundParametersUsingHashtable {} + function Add-ToPSBoundParametersFromHashtable {} + function Test-BitlockerEnabled {} + function Enable-BitlockerInternal {} Describe 'MSFT_xBLAutoBitlocker\Get-TargetResource' -Tag 'Get' { AfterEach { @@ -60,9 +60,9 @@ try $testPrimaryProtector = 'TpmProtector' Mock -CommandName Import-Module -Verifiable - Mock -CommandName CheckForPreReqs -Verifiable + Mock -CommandName Assert-HasPrereqsForBitlocker -Verifiable - Context 'When Get-TargetResource is called and CheckForPrereqs succeeds' { + Context 'When Get-TargetResource is called and Assert-HasPrereqsForBitlocker succeeds' { It 'Should return a Hashtable with the input resource DriveType' { $getResult = Get-TargetResource -DriveType $testDriveType -PrimaryProtector $testPrimaryProtector $getResult | Should -Be -Not $null 
@@ -80,47 +80,47 @@ try $testPrimaryProtector = 'TpmProtector' Mock -CommandName Import-Module -Verifiable - Mock -CommandName CheckForPreReqs -Verifiable + Mock -CommandName Assert-HasPrereqsForBitlocker -Verifiable - Context 'When Set-TargetResource is called, CheckForPrereqs succeeds, and GetAutoBitlockerStatus returns null' { - Mock -CommandName GetAutoBitlockerStatus -Verifiable + Context 'When Set-TargetResource is called, Assert-HasPrereqsForBitlocker succeeds, and Get-AutoBitlockerStatus returns null' { + Mock -CommandName Get-AutoBitlockerStatus -Verifiable It 'Should throw an exception' { { Set-TargetResource -DriveType $testDriveType -PrimaryProtector $testPrimaryProtector } | Should -Throw -ExpectedMessage 'No Auto Bitlocker volumes were found' } } - Context 'When Set-TargetResource is called, CheckForPrereqs succeeds, GetAutoBitlockerStatus returns a valid hashtable, and TestBitlocker returns False' { - Mock -CommandName GetAutoBitlockerStatus -Verifiable -MockWith { + Context 'When Set-TargetResource is called, Assert-HasPrereqsForBitlocker succeeds, Get-AutoBitlockerStatus returns a valid hashtable, and Test-BitlockerEnabled returns False' { + Mock -CommandName Get-AutoBitlockerStatus -Verifiable -MockWith { return @{ Keys = @('Volume1') } } - Mock -CommandName RemoveParameters -Verifiable - Mock -CommandName AddParameters -Verifiable - Mock -CommandName TestBitlocker -Verifiable -MockWith { return $false } - Mock -CommandName EnableBitlocker -Verifiable + Mock -CommandName Remove-FromPSBoundParametersUsingHashtable -Verifiable + Mock -CommandName Add-ToPSBoundParametersFromHashtable -Verifiable + Mock -CommandName Test-BitlockerEnabled -Verifiable -MockWith { return $false } + Mock -CommandName Enable-BitlockerInternal -Verifiable It 'Should enable Bitlocker' { Set-TargetResource -DriveType $testDriveType -PrimaryProtector $testPrimaryProtector } } - Context 'When Set-TargetResource is called, CheckForPrereqs succeeds, GetAutoBitlockerStatus returns 
a valid hashtable, and TestBitlocker returns True' { - Mock -CommandName GetAutoBitlockerStatus -Verifiable -MockWith { + Context 'When Set-TargetResource is called, Assert-HasPrereqsForBitlocker succeeds, Get-AutoBitlockerStatus returns a valid hashtable, and Test-BitlockerEnabled returns True' { + Mock -CommandName Get-AutoBitlockerStatus -Verifiable -MockWith { return @{ Keys = @('Volume1') } } - Mock -CommandName RemoveParameters -Verifiable - Mock -CommandName AddParameters -Verifiable - Mock -CommandName TestBitlocker -Verifiable -MockWith { return $true } - Mock -CommandName EnableBitlocker + Mock -CommandName Remove-FromPSBoundParametersUsingHashtable -Verifiable + Mock -CommandName Add-ToPSBoundParametersFromHashtable -Verifiable + Mock -CommandName Test-BitlockerEnabled -Verifiable -MockWith { return $true } + Mock -CommandName Enable-BitlockerInternal It 'Should not enable Bitlocker' { Set-TargetResource -DriveType $testDriveType -PrimaryProtector $testPrimaryProtector - Assert-MockCalled -CommandName EnableBitlocker -Times 0 + Assert-MockCalled -CommandName Enable-BitlockerInternal -Times 0 } } } @@ -134,10 +134,10 @@ try $testPrimaryProtector = 'TpmProtector' Mock -CommandName Import-Module -Verifiable - Mock -CommandName CheckForPreReqs -Verifiable + Mock -CommandName Assert-HasPrereqsForBitlocker -Verifiable - Context 'When Test-TargetResource is called, CheckForPrereqs succeeds, and GetAutoBitlockerStatus returns null' { - Mock -CommandName GetAutoBitlockerStatus -Verifiable + Context 'When Test-TargetResource is called, Assert-HasPrereqsForBitlocker succeeds, and Get-AutoBitlockerStatus returns null' { + Mock -CommandName Get-AutoBitlockerStatus -Verifiable Mock -CommandName Write-Error -Verifiable It 'Should write an error and return false' { 
@@ -145,30 +145,30 @@ try } } - Context 'When Test-TargetResource is called, CheckForPrereqs succeeds, GetAutoBitlockerStatus returns a valid hashtable, and TestBitlocker returns False' { - Mock -CommandName GetAutoBitlockerStatus -Verifiable -MockWith { + Context 'When Test-TargetResource is called, Assert-HasPrereqsForBitlocker succeeds, Get-AutoBitlockerStatus returns a valid hashtable, and Test-BitlockerEnabled returns False' { + Mock -CommandName Get-AutoBitlockerStatus -Verifiable -MockWith { return @{ Keys = @('Volume1') } } - Mock -CommandName RemoveParameters -Verifiable - Mock -CommandName AddParameters -Verifiable - Mock -CommandName TestBitlocker -Verifiable -MockWith { return $false } + Mock -CommandName Remove-FromPSBoundParametersUsingHashtable -Verifiable + Mock -CommandName Add-ToPSBoundParametersFromHashtable -Verifiable + Mock -CommandName Test-BitlockerEnabled -Verifiable -MockWith { return $false } It 'Should return False' { Test-TargetResource -DriveType $testDriveType -PrimaryProtector $testPrimaryProtector | Should -Be $false } } - Context 'When Test-TargetResource is called, CheckForPrereqs succeeds, GetAutoBitlockerStatus returns a valid hashtable, and TestBitlocker returns True' { - Mock -CommandName GetAutoBitlockerStatus -Verifiable -MockWith { + Context 'When Test-TargetResource is called, Assert-HasPrereqsForBitlocker succeeds, Get-AutoBitlockerStatus returns a valid hashtable, and Test-BitlockerEnabled returns True' { + Mock -CommandName Get-AutoBitlockerStatus -Verifiable -MockWith { return @{ Keys = @('Volume1') } } - Mock -CommandName RemoveParameters -Verifiable - Mock -CommandName AddParameters -Verifiable - Mock -CommandName TestBitlocker -Verifiable -MockWith { return $true } + Mock -CommandName Remove-FromPSBoundParametersUsingHashtable -Verifiable + Mock -CommandName Add-ToPSBoundParametersFromHashtable -Verifiable + Mock -CommandName Test-BitlockerEnabled -Verifiable -MockWith { return $true } It 'Should return True' { 
Test-TargetResource -DriveType $testDriveType -PrimaryProtector $testPrimaryProtector | Should -Be $true @@ -176,7 +176,7 @@ try } } - Describe 'MSFT_xBLAutoBitlocker\GetAutoBitlockerStatus' { + Describe 'MSFT_xBLAutoBitlocker\Get-AutoBitlockerStatus' { # Get-BitlockerVolume is used to obtain list of volumes in the system and their current encryption status Mock ` -CommandName Get-BitlockerVolume ` 
@@ -379,121 +379,121 @@ try Context 'When Volume C: Reports as OS Volume' { It 'Should Not Be In The List of Eligible Fixed Volumes' { - (GetAutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector TpmProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain 'C:' + (Get-AutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector TpmProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain 'C:' } It 'Should Not Be In The List of Eligible Removable Volumes' { - (GetAutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector TpmProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain 'C:' + (Get-AutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector TpmProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain 'C:' } } Context 'When Volume D: Reports Fixed to OS, but Removable to Bitlocker' { It 'Should Not Be In The List of Eligible Fixed Volumes' { - (GetAutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain 'D:' + (Get-AutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain 'D:' } It 'Should Be In The List of Eligible Removable Volumes' { - (GetAutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain 'D:' + (Get-AutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain 'D:' } } Context 'When Volume E: Reports Fixed to OS and Bitlocker' { It 'Should Be In The List of Eligible Fixed Volumes' { - (GetAutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain 'E:' + (Get-AutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain 'E:' } It 'Should Not Be 
In The List of Eligible Removable Volumes' { - (GetAutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain 'E:' + (Get-AutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain 'E:' } } Context 'When Volume F: Reports as Removable to OS and Bitlocker' { It 'Should Not Be In The List of Eligible Fixed Volumes' { - (GetAutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain 'F:' + (Get-AutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain 'F:' } It 'Should Be In The List of Eligible Removable Volumes' { - (GetAutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain 'F:' + (Get-AutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain 'F:' } } Context 'When Volume \\?\Volume{00000000-0000-0000-0000-000000000001}\ Reports Fixed to OS, but Removable to Bitlocker' { It 'Should Not Be In The List of Eligible Fixed Volumes' { - (GetAutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain '\\?\Volume{00000000-0000-0000-0000-000000000001}\' + (Get-AutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain '\\?\Volume{00000000-0000-0000-0000-000000000001}\' } It 'Should Be In The List of Eligible Removable Volumes' { - (GetAutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain '\\?\Volume{00000000-0000-0000-0000-000000000001}\' + 
(Get-AutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain '\\?\Volume{00000000-0000-0000-0000-000000000001}\' } } Context 'When Volume \\?\Volume{00000000-0000-0000-0000-000000000002}\ Reports Fixed to OS and Bitlocker' { It 'Should Be In The List of Eligible Fixed Volumes' { - (GetAutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain '\\?\Volume{00000000-0000-0000-0000-000000000002}\' + (Get-AutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain '\\?\Volume{00000000-0000-0000-0000-000000000002}\' } It 'Should Not Be In The List of Eligible Removable Volumes' { - (GetAutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain '\\?\Volume{00000000-0000-0000-0000-000000000002}\' + (Get-AutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain '\\?\Volume{00000000-0000-0000-0000-000000000002}\' } } Context 'When Volume \\?\Volume{00000000-0000-0000-0000-000000000003}\ Reports as Removable to OS and Bitlocker' { It 'Should Not Be In The List of Eligible Fixed Volumes' { - (GetAutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain '\\?\Volume{00000000-0000-0000-0000-000000000003}\' + (Get-AutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Not -Contain '\\?\Volume{00000000-0000-0000-0000-000000000003}\' } It 'Should Be In The List of Eligible Removable Volumes' { - (GetAutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should 
-Contain '\\?\Volume{00000000-0000-0000-0000-000000000003}\' + (Get-AutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain '\\?\Volume{00000000-0000-0000-0000-000000000003}\' } } Context 'When MinDiskCapacity Parameter is Defined at 100 GB for Fixed Disks' { It 'Should Exclude E: from The List of Eligible Fixed Volumes' { - (GetAutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector -MinDiskCapacityGB 100|Select-Object -ExpandProperty Keys)|Should -Not -Contain 'E:' + (Get-AutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector -MinDiskCapacityGB 100|Select-Object -ExpandProperty Keys)|Should -Not -Contain 'E:' } It 'Should Include Volume \\?\Volume{00000000-0000-0000-0000-000000000002}\ In The List of Eligible Removable Volumes' { - (GetAutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector -MinDiskCapacityGB 100|Select-Object -ExpandProperty Keys)|Should -Contain '\\?\Volume{00000000-0000-0000-0000-000000000002}\' + (Get-AutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector -MinDiskCapacityGB 100|Select-Object -ExpandProperty Keys)|Should -Contain '\\?\Volume{00000000-0000-0000-0000-000000000002}\' } } Context 'When MinDiskCapacity Parameter is Not Defined for Fixed Disks' { It 'Should Include E: In The List of Eligible Fixed Volumes' { - (GetAutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain 'E:' + (Get-AutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain 'E:' } It 'Should Include Volume \\?\Volume{00000000-0000-0000-0000-000000000002}\ In The List of Eligible Removable Volumes' { - (GetAutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty 
Keys)|Should -Contain '\\?\Volume{00000000-0000-0000-0000-000000000002}\' + (Get-AutoBitlockerStatus -DriveType 'Fixed' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain '\\?\Volume{00000000-0000-0000-0000-000000000002}\' } } Context 'When MinDiskCapacity Parameter is Defined at 100 GB for Removable Disks' { It 'Should Exclude \\?\Volume{00000000-0000-0000-0000-000000000003}\ from The List of Eligible Fixed Volumes' { - (GetAutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector -MinDiskCapacityGB 100|Select-Object -ExpandProperty Keys)|Should -Not -Contain '\\?\Volume{00000000-0000-0000-0000-000000000003}\' + (Get-AutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector -MinDiskCapacityGB 100|Select-Object -ExpandProperty Keys)|Should -Not -Contain '\\?\Volume{00000000-0000-0000-0000-000000000003}\' } It 'Should Include F: In The List of Eligible Removable Volumes' { - (GetAutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector -MinDiskCapacityGB 100|Select-Object -ExpandProperty Keys)|Should -Contain 'F:' + (Get-AutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector -MinDiskCapacityGB 100|Select-Object -ExpandProperty Keys)|Should -Contain 'F:' } } Context 'When MinDiskCapacity Parameter is Not Defined for Fixed Disks' { It 'Should Include \\?\Volume{00000000-0000-0000-0000-000000000003}\ In The List of Eligible Fixed Volumes' { - (GetAutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain '\\?\Volume{00000000-0000-0000-0000-000000000003}\' + (Get-AutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain '\\?\Volume{00000000-0000-0000-0000-000000000003}\' } It 'Should Include F: In The List of Eligible Removable Volumes' { - 
(GetAutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain 'F:' + (Get-AutoBitlockerStatus -DriveType 'Removable' -PrimaryProtector RecoveryPasswordProtector|Select-Object -ExpandProperty Keys)|Should -Contain 'F:' } } } diff --git a/Tests/Unit/MSFT_xBLBitlocker.tests.ps1 b/Tests/Unit/MSFT_xBLBitlocker.tests.ps1 index a6fbe08..f1d26cb 100644 --- a/Tests/Unit/MSFT_xBLBitlocker.tests.ps1 +++ b/Tests/Unit/MSFT_xBLBitlocker.tests.ps1 @@ -37,14 +37,14 @@ try InModuleScope $script:DSCResourceName { # Override helper functions - function CheckForPreReqs {} + function Assert-HasPrereqsForBitlocker {} # Setup common test variables $testMountPoint = 'C:' $testPrimaryProtector = 'TpmProtector' # Setup common Mocks - Mock -CommandName CheckForPreReqs -Verifiable + Mock -CommandName Assert-HasPrereqsForBitlocker -Verifiable Describe 'MSFT_xBLBitlocker\Get-TargetResource' -Tag 'Get' { AfterEach { @@ -67,8 +67,8 @@ try } Context 'When Set-TargetResource is called' { - It 'Should call EnableBitlocker' { - Mock -CommandName EnableBitlocker -Verifiable + It 'Should call Enable-BitlockerInternal' { + Mock -CommandName Enable-BitlockerInternal -Verifiable Set-TargetResource -MountPoint $testMountPoint -PrimaryProtector $testPrimaryProtector } 
@@ -80,17 +80,17 @@ try Assert-VerifiableMock } - Context 'When TestBitlocker returns True' { + Context 'When Test-BitlockerEnabled returns True' { It 'Should return True' { - Mock -CommandName TestBitlocker -Verifiable -MockWith { return $true } + Mock -CommandName Test-BitlockerEnabled -Verifiable -MockWith { return $true } Test-TargetResource -MountPoint $testMountPoint -PrimaryProtector $testPrimaryProtector | Should -Be $true } } - Context 'When TestBitlocker returns False' { + Context 'When Test-BitlockerEnabled returns False' { It 'Should return False' { - Mock -CommandName TestBitlocker -Verifiable -MockWith { return $false } + Mock -CommandName Test-BitlockerEnabled -Verifiable -MockWith { return $false } Test-TargetResource -MountPoint $testMountPoint -PrimaryProtector $testPrimaryProtector | Should -Be $false } diff --git a/Tests/Unit/MSFT_xBLTpm.tests.ps1 b/Tests/Unit/MSFT_xBLTpm.tests.ps1 index 3731750..03de837 100644 --- a/Tests/Unit/MSFT_xBLTpm.tests.ps1 +++ b/Tests/Unit/MSFT_xBLTpm.tests.ps1 @@ -37,7 +37,7 @@ try InModuleScope $script:DSCResourceName { # Override helper functions - function CheckForPreReqs {} + function Assert-HasPrereqsForBitlocker {} # Override Bitlocker functions function Get-Tpm {} @@ -51,9 +51,9 @@ try } Mock -CommandName Import-Module -Verifiable - Mock -CommandName CheckForPreReqs -Verifiable + Mock -CommandName Assert-HasPrereqsForBitlocker -Verifiable - Context 'When Get-TargetResource is called, CheckForPrereqs succeeds, and Get-Tpm returns a value' { + Context 'When Get-TargetResource is called, Assert-HasPrereqsForBitlocker succeeds, and Get-Tpm returns a value' { Mock -CommandName Get-Tpm -Verifiable -MockWith { return 'NotNull' } It 'Should return a Hashtable with the input resource Identity' { 
@@ -71,9 +71,9 @@ try } Mock -CommandName Import-Module -Verifiable - Mock -CommandName CheckForPreReqs -Verifiable + Mock -CommandName Assert-HasPrereqsForBitlocker -Verifiable - Context 'When Set-TargetResource is called, CheckForPrereqs succeeds, and a restart is required' { + Context 'When Set-TargetResource is called, Assert-HasPrereqsForBitlocker succeeds, and a restart is required' { Mock -CommandName Initialize-Tpm -Verifiable -MockWith { return @{ RestartRequired = $true @@ -102,9 +102,9 @@ try } Mock -CommandName Import-Module -Verifiable - Mock -CommandName CheckForPreReqs -Verifiable + Mock -CommandName Assert-HasPrereqsForBitlocker -Verifiable - Context 'When Test-TargetResource is called, CheckForPrereqs succeeds, Get-Tpm returns a value, and TpmReady is True' { + Context 'When Test-TargetResource is called, Assert-HasPrereqsForBitlocker succeeds, Get-Tpm returns a value, and TpmReady is True' { Mock -CommandName Get-Tpm -Verifiable -MockWith { return @{ TpmReady = $true @@ -116,7 +116,7 @@ try } } - Context 'When Test-TargetResource is called, CheckForPrereqs succeeds, Get-Tpm returns a value, and TpmReady is False' { + Context 'When Test-TargetResource is called, Assert-HasPrereqsForBitlocker succeeds, Get-Tpm returns a value, and TpmReady is False' { Mock -CommandName Get-Tpm -Verifiable -MockWith { return @{ TpmReady = $false @@ -128,7 +128,7 @@ try } } - Context 'When Test-TargetResource is called, CheckForPrereqs succeeds, and Get-Tpm returns null' { + Context 'When Test-TargetResource is called, Assert-HasPrereqsForBitlocker succeeds, and Get-Tpm returns null' { Mock -CommandName Get-Tpm -Verifiable Mock -CommandName Write-Error -Verifiable diff --git a/Tests/Unit/xBitlockerCommon.tests.ps1 b/Tests/Unit/xBitlockerCommon.tests.ps1 index 0d5845c..581f181 100644 --- a/Tests/Unit/xBitlockerCommon.tests.ps1 +++ b/Tests/Unit/xBitlockerCommon.tests.ps1 
@@ -16,7 +16,7 @@ try ) } - Describe 'xBitlockerCommon\TestBitlocker' { + Describe 'xBitlockerCommon\Test-BitlockerEnabled' { Context 'When OS Volume is not Encrypted and No Key Protectors Assigned' { Mock ` @@ -37,7 +37,7 @@ try } It 'Should Fail The Test (TPM and RecoveryPassword Protectors)' { - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TPMProtector' -RecoveryPasswordProtector $true | Should -Be $false + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'TPMProtector' -RecoveryPasswordProtector $true | Should -Be $false } } @@ -67,7 +67,7 @@ try } It 'Should Pass The Test (TPM and RecoveryPassword Protectors)' { - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TPMProtector' -RecoveryPasswordProtector $true -verbose | Should -Be $true + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'TPMProtector' -RecoveryPasswordProtector $true -verbose | Should -Be $true } } @@ -97,19 +97,19 @@ try } It 'Should Fail The Test (TPM and RecoveryPassword Protectors)' { - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TPMProtector' -RecoveryPasswordProtector $true | Should -Be $false + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'TPMProtector' -RecoveryPasswordProtector $true | Should -Be $false } } - Context 'When TestBitlocker is called and Get-BitlockerVolume returns null' { + Context 'When Test-BitlockerEnabled is called and Get-BitlockerVolume returns null' { It 'Should return False' { Mock -CommandName Get-BitLockerVolume -Verifiable - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TpmProtector' | Should -Be $false + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'TpmProtector' | Should -Be $false } } - Context 'When TestBitlocker is called and Get-BitlockerVolume returns a volume with no key protectors' { + Context 'When Test-BitlockerEnabled is called and Get-BitlockerVolume returns a volume with no key protectors' { It 'Should return False' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return @{ 
@@ -117,11 +117,11 @@ try } } - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TpmProtector' | Should -Be $false + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'TpmProtector' | Should -Be $false } } - Context 'When TestBitlocker is called, AutoUnlock is requested on a non-OS disk, and AutoUnlock is not enabled' { + Context 'When Test-BitlockerEnabled is called, AutoUnlock is requested on a non-OS disk, and AutoUnlock is not enabled' { It 'Should return False' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return @{ @@ -131,7 +131,7 @@ try } } - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -AutoUnlock $true | Should -Be $false + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -AutoUnlock $true | Should -Be $false } } 
@@ -143,80 +143,80 @@ try $fakePin = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList 'fakepin', (New-Object -TypeName System.Security.SecureString) - Context 'When TestBitlocker is called, a AdAccountOrGroupProtector protector is requested, and does not exist on the disk' { + Context 'When Test-BitlockerEnabled is called, a AdAccountOrGroupProtector protector is requested, and does not exist on the disk' { It 'Should return False' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $defaultBLV } - Mock -CommandName ContainsKeyProtector -Verifiable -MockWith { return $false } + Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $false } - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -AdAccountOrGroupProtector $true | Should -Be $false + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -AdAccountOrGroupProtector $true | Should -Be $false } } - Context 'When TestBitlocker is called, a PasswordProtector protector is requested, and does not exist on the disk' { + Context 'When Test-BitlockerEnabled is called, a PasswordProtector protector is requested, and does not exist on the disk' { It 'Should return False' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $defaultBLV } - Mock -CommandName ContainsKeyProtector -Verifiable -MockWith { return $false } + Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $false } - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -PasswordProtector $true | Should -Be $false + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -PasswordProtector $true | Should -Be $false } } - Context 'When TestBitlocker is called, a Pin protector is requested, and does not exist on the disk' { + Context 'When Test-BitlockerEnabled is called, a Pin protector is requested, and does not exist on the disk' { It 'Should return False' { Mock 
-CommandName Get-BitLockerVolume -Verifiable -MockWith { return $defaultBLV } - Mock -CommandName ContainsKeyProtector -Verifiable -MockWith { return $false } + Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $false } - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -Pin $fakePin | Should -Be $false + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -Pin $fakePin | Should -Be $false } } - Context 'When TestBitlocker is called, a RecoveryKeyProtector protector is requested, and does not exist on the disk' { + Context 'When Test-BitlockerEnabled is called, a RecoveryKeyProtector protector is requested, and does not exist on the disk' { It 'Should return False' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $defaultBLV } - Mock -CommandName ContainsKeyProtector -Verifiable -MockWith { return $false } + Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $false } - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -RecoveryKeyProtector $true | Should -Be $false + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -RecoveryKeyProtector $true | Should -Be $false } } - Context 'When TestBitlocker is called, a RecoveryPasswordProtector protector is requested, and does not exist on the disk' { + Context 'When Test-BitlockerEnabled is called, a RecoveryPasswordProtector protector is requested, and does not exist on the disk' { It 'Should return False' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $defaultBLV } - Mock -CommandName ContainsKeyProtector -Verifiable -MockWith { return $false } + Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $false } - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -RecoveryPasswordProtector $true | Should -Be $false + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'TpmProtector' 
-RecoveryPasswordProtector $true | Should -Be $false } } - Context 'When TestBitlocker is called, a StartupKeyProtector protector is requested without a primary TPM protector, and does not exist on the disk' { + Context 'When Test-BitlockerEnabled is called, a StartupKeyProtector protector is requested without a primary TPM protector, and does not exist on the disk' { It 'Should return False' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $defaultBLV } - Mock -CommandName ContainsKeyProtector -Verifiable -MockWith { return $false } + Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $false } - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'StartupKeyProtector' -StartupKeyProtector $true | Should -Be $false + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'StartupKeyProtector' -StartupKeyProtector $true | Should -Be $false } } - Context 'When TestBitlocker is called, a StartupKeyProtector protector is requested with a primary TPM protector, and does not exist on the disk' { + Context 'When Test-BitlockerEnabled is called, a StartupKeyProtector protector is requested with a primary TPM protector, and does not exist on the disk' { It 'Should return False' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $defaultBLV } - Mock -CommandName ContainsKeyProtector -Verifiable -MockWith { return $false } + Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $false } - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -StartupKeyProtector $true | Should -Be $false + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -StartupKeyProtector $true | Should -Be $false } } - Context 'When TestBitlocker is called, a TpmProtector protector is requested, and does not exist on the disk' { + Context 'When Test-BitlockerEnabled is called, a TpmProtector protector is requested, and does not exist on the disk' { It 'Should return 
False' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $defaultBLV } - Mock -CommandName ContainsKeyProtector -Verifiable -MockWith { return $false } + Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $false } - TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -TpmProtector $true | Should -Be $false + Test-BitlockerEnabled -MountPoint 'C:' -PrimaryProtector 'TpmProtector' -TpmProtector $true | Should -Be $false } } } - Describe 'xBitlockerCommon\CheckForPreReqs' { + Describe 'xBitlockerCommon\Assert-HasPrereqsForBitlocker' { function Get-WindowsFeature { param @@ -253,12 +253,12 @@ try It 'Should not generate any error messages' { Mock -CommandName Write-Error - CheckForPreReqs + Assert-HasPrereqsForBitlocker Assert-MockCalled -Command Write-Error -Exactly -Times 0 -Scope It } - It 'Should run the CheckForPreReqs function without exceptions' { - {CheckForPreReqs} | Should -Not -Throw + It 'Should run the Assert-HasPrereqsForBitlocker function without exceptions' { + {Assert-HasPrereqsForBitlocker} | Should -Not -Throw } } @@ -283,12 +283,12 @@ try It 'Should not generate any error messages' { Mock -CommandName Write-Error - CheckForPreReqs + Assert-HasPrereqsForBitlocker Assert-MockCalled -Command Write-Error -Exactly -Times 0 -Scope It } - It 'Should run the CheckForPreReqs function without exceptions' { - {CheckForPreReqs} | Should -Not -Throw + It 'Should run the Assert-HasPrereqsForBitlocker function without exceptions' { + {Assert-HasPrereqsForBitlocker} | Should -Not -Throw } } 
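Review bot: The Contexts in the `@@ -143,80` hunk all mock `Test-CollectionContainsKeyProtector` with `{ return $false }` for every call, so each test can reach `$false` through any protector lookup, including the primary one, rather than through the protector named in its title. The body of Test-BitlockerEnabled is not in this diff, but if it checks the primary protector first, these cases all exercise the same path and a regression that stops checking one protector type would go unnoticed. Scope each mock by its `-Type` argument so only the protector under test is reported missing, for example `Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $Type -ne 'RecoveryPassword' }`, using whichever type string the function actually passes.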
@@ -308,28 +308,28 @@ try Mock -CommandName Write-Error It 'Should give an error that Bitlocker Windows Feature needs to be installed' { - {CheckForPreReqs} | Should -Throw + {Assert-HasPrereqsForBitlocker} | Should -Throw Assert-MockCalled -Command Write-Error -Exactly -Times 1 -Scope It -ParameterFilter { $Message -eq 'The Bitlocker feature needs to be installed before the xBitlocker module can be used' } } It 'Should give an error that RSAT-Feature-Tools-BitLocker Windows Feature needs to be installed' { - {CheckForPreReqs} | Should -Throw + {Assert-HasPrereqsForBitlocker} | Should -Throw Assert-MockCalled -Command Write-Error -Exactly -Times 1 -Scope It -ParameterFilter { $Message -eq 'The RSAT-Feature-Tools-BitLocker feature needs to be installed before the xBitlocker module can be used' } } It 'Should give an error that RSAT-Feature-Tools-BitLocker-RemoteAdminTool Windows Feature needs to be installed' { - {CheckForPreReqs} | Should -Throw + {Assert-HasPrereqsForBitlocker} | Should -Throw Assert-MockCalled -Command Write-Error -Exactly -Times 1 -Scope It -ParameterFilter { $Message -eq 'The RSAT-Feature-Tools-BitLocker-RemoteAdminTool feature needs to be installed before the xBitlocker module can be used' } } - It 'The CheckForPreReqs function should throw an exceptions about missing required Windows Features' { - {CheckForPreReqs} | Should -Throw 'Required Bitlocker features need to be installed before xBitlocker can be used' + It 'The Assert-HasPrereqsForBitlocker function should throw an exceptions about missing required Windows Features' { + {Assert-HasPrereqsForBitlocker} | Should -Throw 'Required Bitlocker features need to be installed before xBitlocker can be used' } } 
@@ -363,28 +363,28 @@ try Mock -CommandName Write-Error It 'Should give an error that Bitlocker Windows Feature needs to be installed' { - {CheckForPreReqs} | Should -Throw + {Assert-HasPrereqsForBitlocker} | Should -Throw Assert-MockCalled -Command Write-Error -Exactly -Times 1 -Scope It -ParameterFilter { $Message -eq 'The Bitlocker feature needs to be installed before the xBitlocker module can be used' } } It 'Should give an error that RSAT-Feature-Tools-BitLocker Windows Feature needs to be installed' { - {CheckForPreReqs} | Should -Throw + {Assert-HasPrereqsForBitlocker} | Should -Throw Assert-MockCalled -Command Write-Error -Exactly -Times 1 -Scope It -ParameterFilter { $Message -eq 'The RSAT-Feature-Tools-BitLocker feature needs to be installed before the xBitlocker module can be used' } } It 'Should not give an error that RSAT-Feature-Tools-BitLocker-RemoteAdminTool Windows Feature needs to be installed as this Windows Features is not available on Server Core.' { - {CheckForPreReqs} | Should -Throw + {Assert-HasPrereqsForBitlocker} | Should -Throw Assert-MockCalled -Command Write-Error -Exactly -Times 0 -Scope It -ParameterFilter { $Message -eq 'The RSAT-Feature-Tools-BitLocker-RemoteAdminTool feature needs to be installed before the xBitlocker module can be used' } } - It 'The CheckForPreReqs function should throw an exceptions about missing required Windows Features' { - {CheckForPreReqs} | Should -Throw 'Required Bitlocker features need to be installed before xBitlocker can be used' + It 'The Assert-HasPrereqsForBitlocker function should throw an exceptions about missing required Windows Features' { + {Assert-HasPrereqsForBitlocker} | Should -Throw 'Required Bitlocker features need to be installed before xBitlocker can be used' } } } 
@@ -437,7 +437,7 @@ try } } - Describe 'xBitLockerCommon\EnableBitlocker' -Tag 'Helper' { + Describe 'xBitLockerCommon\Enable-BitlockerInternal' -Tag 'Helper' { # Override Bitlocker cmdlets function Enable-Bitlocker {} function Enable-BitlockerAutoUnlock {} @@ -460,15 +460,15 @@ try VolumeType = 'OperatingSystem' } - Context 'When EnableBitlocker is called Get-BitlockerVolume returns null' { + Context 'When Enable-BitlockerInternal is called Get-BitlockerVolume returns null' { It 'Should throw an exception' { Mock -CommandName Get-BitLockerVolume -Verifiable - { EnableBitlocker -MountPoint 'C:' -Pin $fakePin -PrimaryProtector 'PasswordProtector' } | Should -Throw -ExpectedMessage 'Unable to find Bitlocker Volume associated with Mount Point' + { Enable-BitlockerInternal -MountPoint 'C:' -Pin $fakePin -PrimaryProtector 'PasswordProtector' } | Should -Throw -ExpectedMessage 'Unable to find Bitlocker Volume associated with Mount Point' } } - Context 'When EnableBitlocker is called with TpmProtector set to True and PrimaryProtector not set to TpmProtector' { + Context 'When Enable-BitlockerInternal is called with TpmProtector set to True and PrimaryProtector not set to TpmProtector' { $badPrimaryProtectorCases = @( @{ PrimaryProtector = 'PasswordProtector' 
@@ -492,23 +492,23 @@ try Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $encryptedBLV } - { EnableBitlocker -MountPoint $mountPoint -TpmProtector $true -PrimaryProtector $PrimaryProtector } | Should -Throw -ExpectedMessage 'If TpmProtector is used, it must be the PrimaryProtector.' + { Enable-BitlockerInternal -MountPoint $mountPoint -TpmProtector $true -PrimaryProtector $PrimaryProtector } | Should -Throw -ExpectedMessage 'If TpmProtector is used, it must be the PrimaryProtector.' } } - Context 'When EnableBitlocker is called with Pin specified and TpmProtector not specified' { + Context 'When Enable-BitlockerInternal is called with Pin specified and TpmProtector not specified' { It 'Should throw an exception' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $encryptedBLV } - { EnableBitlocker -MountPoint $mountPoint -Pin $fakePin -PrimaryProtector 'PasswordProtector' } | Should -Throw -ExpectedMessage 'A TpmProtector must be used if Pin is used.' + { Enable-BitlockerInternal -MountPoint $mountPoint -Pin $fakePin -PrimaryProtector 'PasswordProtector' } | Should -Throw -ExpectedMessage 'A TpmProtector must be used if Pin is used.' } } - Context 'When EnableBitlocker is called with Pin specified and TpmProtector not specified' { + Context 'When Enable-BitlockerInternal is called with Pin specified and TpmProtector not specified' { It 'Should throw an exception' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $encryptedBLV } - { EnableBitlocker -MountPoint $mountPoint -Pin $fakePin -PrimaryProtector 'PasswordProtector' } | Should -Throw -ExpectedMessage 'A TpmProtector must be used if Pin is used.' + { Enable-BitlockerInternal -MountPoint $mountPoint -Pin $fakePin -PrimaryProtector 'PasswordProtector' } | Should -Throw -ExpectedMessage 'A TpmProtector must be used if Pin is used.' } } 
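Review bot: The Context 'When Enable-BitlockerInternal is called with Pin specified and TpmProtector not specified' appears twice in this hunk with an identical It body, so the second copy adds no coverage. The rename carried the duplicate over unchanged. Either delete the second block or turn it into a case that is not yet covered, with its own title, so that a Pester failure points at exactly one test.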
@@ -526,27 +526,27 @@ try StartupKeyProtector = $true } - Context 'When EnableBitlocker is called and the volume is not yet encrypted' { + Context 'When Enable-BitlockerInternal is called and the volume is not yet encrypted' { It 'Should enable Bitlocker with the correct key protectors and parameters' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $decryptedOSBLV } Mock -CommandName Enable-Bitlocker -Verifiable -MockWith { return $encryptedOSBLV } Mock -CommandName Start-Sleep -Verifiable Mock -CommandName Restart-Computer -Verifiable - EnableBitlocker @defaultEnableParams + Enable-BitlockerInternal @defaultEnableParams } } - Context 'When EnableBitlocker is called, the volume is not yet encrypted, and Enable-Bitlocker does not return a result' { + Context 'When Enable-BitlockerInternal is called, the volume is not yet encrypted, and Enable-Bitlocker does not return a result' { It 'Should throw an exception' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $decryptedOSBLV } Mock -CommandName Enable-Bitlocker -Verifiable - { EnableBitlocker @defaultEnableParams } | Should -Throw -ExpectedMessage 'Failed to successfully enable Bitlocker on MountPoint' + { Enable-BitlockerInternal @defaultEnableParams } | Should -Throw -ExpectedMessage 'Failed to successfully enable Bitlocker on MountPoint' } } - Context 'When EnableBitlocker is called, the volume is not yet encrypted and is not an OS drive, and AutoUnlock is specified' { + Context 'When Enable-BitlockerInternal is called, the volume is not yet encrypted and is not an OS drive, and AutoUnlock is specified' { It 'Should enable Bitlocker with the correct key protectors and parameters and enable AutoUnlock' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return @{ 
@@ -559,13 +559,13 @@ try $defaultEnableParams.Add('AutoUnlock', $true) - EnableBitlocker @defaultEnableParams + Enable-BitlockerInternal @defaultEnableParams $defaultEnableParams.Remove('AutoUnlock') } } - Context 'When EnableBitlocker is called with TPM only and the volume is not yet encrypted' { + Context 'When Enable-BitlockerInternal is called with TPM only and the volume is not yet encrypted' { It 'Should enable Bitlocker with the correct key protectors and parameters' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $decryptedOSBLV } Mock -CommandName Enable-Bitlocker -Verifiable -MockWith { return $encryptedBLV } @@ -576,11 +576,11 @@ try TpmProtector = $true } - EnableBitlocker @tpmOnlyEnableParams + Enable-BitlockerInternal @tpmOnlyEnableParams } } - Context 'When EnableBitlocker is called with TPM and pin only and the volume is not yet encrypted' { + Context 'When Enable-BitlockerInternal is called with TPM and pin only and the volume is not yet encrypted' { It 'Should enable Bitlocker with the correct key protectors and parameters' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $decryptedOSBLV } Mock -CommandName Enable-Bitlocker -Verifiable -MockWith { return $encryptedBLV } @@ -592,11 +592,11 @@ try Pin = $fakePin } - EnableBitlocker @tpmAndPinOnlyEnableParams + Enable-BitlockerInternal @tpmAndPinOnlyEnableParams } } - Context 'When EnableBitlocker is called with TPM and pin only and the volume is not yet encrypted' { + Context 'When Enable-BitlockerInternal is called with TPM and pin only and the volume is not yet encrypted' { It 'Should enable Bitlocker with the correct key protectors and parameters' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $decryptedOSBLV } Mock -CommandName Enable-Bitlocker -Verifiable -MockWith { return $encryptedBLV } 
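Review bot: The last Context title in the `@@ -592,11` hunk still reads 'with TPM and pin only', repeating the title of the Context before it, while its It body (continued in the `@@ -609,11` hunk) splats `@tpmAndStartupOnlyEnableParams`, which carries a `StartupKeyPath`. Two Contexts with the same name make a failing run ambiguous about which protector combination broke. Since the line is being rewritten anyway, rename it: `Context 'When Enable-BitlockerInternal is called with TPM and StartupKey only and the volume is not yet encrypted' {`.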
@@ -609,11 +609,11 @@ try StartupKeyPath = 'C:\' } - EnableBitlocker @tpmAndStartupOnlyEnableParams + Enable-BitlockerInternal @tpmAndStartupOnlyEnableParams } } - Context 'When EnableBitlocker is called with a Password Protector and the volume is not yet encrypted' { + Context 'When Enable-BitlockerInternal is called with a Password Protector and the volume is not yet encrypted' { It 'Should enable Bitlocker with the correct key protectors and parameters' { Mock -CommandName Get-BitLockerVolume -MockWith { return $decryptedOSBLV } Mock -CommandName Enable-Bitlocker -MockWith { return $encryptedBLV } @@ -625,11 +625,11 @@ try Password = $fakePin } - EnableBitlocker @passwordEnableParams + Enable-BitlockerInternal @passwordEnableParams } } - Context 'When EnableBitlocker is called with a Recovery Password Protector and the volume is not yet encrypted' { + Context 'When Enable-BitlockerInternal is called with a Recovery Password Protector and the volume is not yet encrypted' { It 'Should enable Bitlocker with the correct key protectors and parameters' { Mock -CommandName Get-BitLockerVolume -MockWith { return $decryptedOSBLV } Mock -CommandName Enable-Bitlocker -MockWith { return $encryptedBLV } @@ -641,11 +641,11 @@ try Password = $fakePin } - EnableBitlocker @recoveryPasswordEnableParams + Enable-BitlockerInternal @recoveryPasswordEnableParams } } - Context 'When EnableBitlocker is called with a StartupKey Protector and the volume is not yet encrypted' { + Context 'When Enable-BitlockerInternal is called with a StartupKey Protector and the volume is not yet encrypted' { It 'Should enable Bitlocker with the correct key protectors and parameters' { Mock -CommandName Get-BitLockerVolume -MockWith { return $decryptedOSBLV } Mock -CommandName Enable-Bitlocker -MockWith { return $encryptedBLV } @@ -657,7 +657,7 @@ try StartupKeyPath = 'C:\Path' } - EnableBitlocker @startupKeyEnableParams + Enable-BitlockerInternal @startupKeyEnableParams } } } 
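Review bot: The It blocks in the `@@ -625,11`, `@@ -641,11` and `@@ -657,7` hunks are titled 'Should enable Bitlocker with the correct key protectors and parameters', yet their visible mocks for `Get-BitLockerVolume` and `Enable-Bitlocker` omit `-Verifiable` (the earlier Contexts keep it) and each It closes right after the `Enable-BitlockerInternal` call with no assertion. As far as these hunks show, the tests pass whether or not Enable-Bitlocker is invoked and check nothing about which protector was requested; the lines between hunks are not shown, so confirm no verifiable mock sits there. Add at least `Assert-MockCalled -CommandName Enable-Bitlocker -Exactly -Times 1 -Scope It` after each call. Checking the protector arguments with a `-ParameterFilter` would also need the `function Enable-Bitlocker {}` stub to declare those parameters.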
@@ -682,55 +682,55 @@ try Context 'When Add-MissingBitLockerKeyProtector is called, the AdAccountOrGroupProtector protector is requested but not yet present on the volume, and is not the PrimaryKeyProtector' { It 'Should add the AdAccountOrGroupProtector protector' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $encryptedBLV } - Mock -CommandName ContainsKeyProtector -Verifiable -MockWith { return $false} + Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $false} Mock -CommandName Add-BitLockerKeyProtector -Verifiable -ParameterFilter {$MountPoint -eq 'AdAccountOrGroupProtector'} - EnableBitlocker -MountPoint 'AdAccountOrGroupProtector' -Pin $fakePin -PrimaryProtector 'TpmProtector' -TpmProtector $true -AdAccountOrGroupProtector $true + Enable-BitlockerInternal -MountPoint 'AdAccountOrGroupProtector' -Pin $fakePin -PrimaryProtector 'TpmProtector' -TpmProtector $true -AdAccountOrGroupProtector $true } } Context 'When Add-MissingBitLockerKeyProtector is called, the PasswordProtector protector is requested but not yet present on the volume, and is not the PrimaryKeyProtector' { It 'Should add the PasswordProtector protector' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $encryptedBLV } - Mock -CommandName ContainsKeyProtector -Verifiable -MockWith { return $false} + Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $false} Mock -CommandName Add-BitLockerKeyProtector -Verifiable -ParameterFilter {$MountPoint -eq 'PasswordProtector'} - EnableBitlocker -MountPoint 'PasswordProtector' -Pin $fakePin -PrimaryProtector 'TpmProtector' -TpmProtector $true -PasswordProtector $true + Enable-BitlockerInternal -MountPoint 'PasswordProtector' -Pin $fakePin -PrimaryProtector 'TpmProtector' -TpmProtector $true -PasswordProtector $true } } Context 'When Add-MissingBitLockerKeyProtector is called, the RecoveryKeyProtector protector is requested but not yet present on 
the volume, and is not the PrimaryKeyProtector' { It 'Should add the RecoveryKeyProtector protector' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $encryptedBLV } - Mock -CommandName ContainsKeyProtector -Verifiable -MockWith { return $false} + Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $false} Mock -CommandName Add-BitLockerKeyProtector -Verifiable -ParameterFilter {$MountPoint -eq 'RecoveryKeyProtector'} - EnableBitlocker -MountPoint 'RecoveryKeyProtector' -Pin $fakePin -PrimaryProtector 'TpmProtector' -TpmProtector $true -RecoveryKeyProtector $true + Enable-BitlockerInternal -MountPoint 'RecoveryKeyProtector' -Pin $fakePin -PrimaryProtector 'TpmProtector' -TpmProtector $true -RecoveryKeyProtector $true } } Context 'When Add-MissingBitLockerKeyProtector is called, the RecoveryPasswordProtector protector is requested but not yet present on the volume, and is not the PrimaryKeyProtector' { It 'Should add the RecoveryPasswordProtector protector' { Mock -CommandName Get-BitLockerVolume -Verifiable -MockWith { return $encryptedBLV } - Mock -CommandName ContainsKeyProtector -Verifiable -MockWith { return $false} + Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $false} Mock -CommandName Add-BitLockerKeyProtector -Verifiable -ParameterFilter {$MountPoint -eq 'RecoveryPasswordProtector'} - EnableBitlocker -MountPoint 'RecoveryPasswordProtector' -Pin $fakePin -PrimaryProtector 'TpmProtector' -TpmProtector $true -RecoveryPasswordProtector $true + Enable-BitlockerInternal -MountPoint 'RecoveryPasswordProtector' -Pin $fakePin -PrimaryProtector 'TpmProtector' -TpmProtector $true -RecoveryPasswordProtector $true } } Context 'When Add-MissingBitLockerKeyProtector is called, the StartupKeyProtector protector is requested but not yet present on the volume, and is not the PrimaryKeyProtector' { It 'Should add the StartupKeyProtector protector' { Mock -CommandName 
Get-BitLockerVolume -Verifiable -MockWith { return $encryptedBLV } - Mock -CommandName ContainsKeyProtector -Verifiable -MockWith { return $false} + Mock -CommandName Test-CollectionContainsKeyProtector -Verifiable -MockWith { return $false} Mock -CommandName Add-BitLockerKeyProtector -Verifiable -ParameterFilter {$MountPoint -eq 'StartupKeyProtector'} - EnableBitlocker -MountPoint 'StartupKeyProtector' -PrimaryProtector 'RecoveryPasswordProtector' -RecoveryPasswordProtector $true -StartupKeyProtector $true + Enable-BitlockerInternal -MountPoint 'StartupKeyProtector' -PrimaryProtector 'RecoveryPasswordProtector' -RecoveryPasswordProtector $true -StartupKeyProtector $true } } } - Describe 'xBitLockerCommon\ContainsKeyProtector' -Tag 'Helper' { + Describe 'xBitLockerCommon\Test-CollectionContainsKeyProtector' -Tag 'Helper' { $testKeyProtectorCollection = @( @{ KeyProtectorType = 'RecoveryPassword' 
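Review bot: The `Add-BitLockerKeyProtector` mocks in the `@@ -682,55` hunk are filtered only on `$MountPoint`, with the protector name passed as a fake mount point, so they verify that some protector was added for that volume but not which one. A change that added the wrong protector type would still satisfy `-ParameterFilter {$MountPoint -eq 'PasswordProtector'}`. If the Add-BitLockerKeyProtector stub, which is defined outside the hunk, declares the protector switches, extend each filter, e.g. `-ParameterFilter { $MountPoint -eq 'PasswordProtector' -and $PasswordProtector }`. The Context titles also name Add-MissingBitLockerKeyProtector while the bodies call `Enable-BitlockerInternal`; a one-line comment saying the helper is reached through that call would help.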
@@ -745,49 +745,49 @@ try } ) - Context 'When ContainsKeyProtector is called and the target KeyProtector exists in the collection' { + Context 'When Test-CollectionContainsKeyProtector is called and the target KeyProtector exists in the collection' { It 'Should return True' { - ContainsKeyProtector -Type 'AdAccountOrGroup' -KeyProtectorCollection $testKeyProtectorCollection | Should -Be $true + Test-CollectionContainsKeyProtector -Type 'AdAccountOrGroup' -KeyProtectorCollection $testKeyProtectorCollection | Should -Be $true } } - Context 'When ContainsKeyProtector is called and the target KeyProtector does not exist in the collection' { + Context 'When Test-CollectionContainsKeyProtector is called and the target KeyProtector does not exist in the collection' { It 'Should return False' { - ContainsKeyProtector -Type 'AdAccountOrGroup2' -KeyProtectorCollection $testKeyProtectorCollection | Should -Be $false + Test-CollectionContainsKeyProtector -Type 'AdAccountOrGroup2' -KeyProtectorCollection $testKeyProtectorCollection | Should -Be $false } } - Context 'When ContainsKeyProtector is called with the StartsWith switch and the target KeyProtector exists in the collection' { + Context 'When Test-CollectionContainsKeyProtector is called with the StartsWith switch and the target KeyProtector exists in the collection' { It 'Should return True' { - ContainsKeyProtector -Type 'AdAccount' -KeyProtectorCollection $testKeyProtectorCollection -StartsWith $true | Should -Be $true + Test-CollectionContainsKeyProtector -Type 'AdAccount' -KeyProtectorCollection $testKeyProtectorCollection -StartsWith $true | Should -Be $true } } - Context 'When ContainsKeyProtector is called with the StartsWith switch and the target KeyProtector does not exist in the collection' { + Context 'When Test-CollectionContainsKeyProtector is called with the StartsWith switch and the target KeyProtector does not exist in the collection' { It 'Should return False' { - ContainsKeyProtector -Type 'Account' 
-KeyProtectorCollection $testKeyProtectorCollection -StartsWith $true | Should -Be $false + Test-CollectionContainsKeyProtector -Type 'Account' -KeyProtectorCollection $testKeyProtectorCollection -StartsWith $true | Should -Be $false } } - Context 'When ContainsKeyProtector is called with the Contains switch and the target KeyProtector exists in the collection' { + Context 'When Test-CollectionContainsKeyProtector is called with the Contains switch and the target KeyProtector exists in the collection' { It 'Should return True' { - ContainsKeyProtector -Type 'Account' -KeyProtectorCollection $testKeyProtectorCollection -Contains $true | Should -Be $true + Test-CollectionContainsKeyProtector -Type 'Account' -KeyProtectorCollection $testKeyProtectorCollection -Contains $true | Should -Be $true } } - Context 'When ContainsKeyProtector is called with the Contains switch and the target KeyProtector does not exist in the collection' { + Context 'When Test-CollectionContainsKeyProtector is called with the Contains switch and the target KeyProtector does not exist in the collection' { It 'Should return False' { - ContainsKeyProtector -Type 'NotInCollection' -KeyProtectorCollection $testKeyProtectorCollection -Contains $true | Should -Be $false + Test-CollectionContainsKeyProtector -Type 'NotInCollection' -KeyProtectorCollection $testKeyProtectorCollection -Contains $true | Should -Be $false } } } - Describe 'xBitLockerCommon\AddParameters' -Tag 'Helper' { + Describe 'xBitLockerCommon\Add-ToPSBoundParametersFromHashtable' -Tag 'Helper' { AfterEach { Assert-VerifiableMock } - Context 'When AddParameters is called, a parameter is added, and a parameter is changed' { + Context 'When Add-ToPSBoundParametersFromHashtable is called, a parameter is added, and a parameter is changed' { It 'Should add a new parameter and change the existing parameter' { $param1 = 'abc' $param2 = $null 
@@ -806,7 +806,7 @@ try Param4 = $param4 } - AddParameters -PSBoundParametersIn $psBoundParametersIn -ParamsToAdd $paramsToAdd + Add-ToPSBoundParametersFromHashtable -PSBoundParametersIn $psBoundParametersIn -ParamsToAdd $paramsToAdd $psBoundParametersIn.ContainsKey('Param1') -and $psBoundParametersIn['Param1'] -eq $param1 | Should -Be $true $psBoundParametersIn.ContainsKey('Param2') -and $psBoundParametersIn['Param2'] -eq $param2new | Should -Be $true @@ -816,19 +816,19 @@ try } } - Describe 'xBitLockerCommon\RemoveParameters' -Tag 'Helper' { + Describe 'xBitLockerCommon\Remove-FromPSBoundParametersUsingHashtable' -Tag 'Helper' { AfterEach { Assert-VerifiableMock } - Context 'When RemoveParameters is called and both ParamsToKeep and ParamsToRemove are specified' { + Context 'When Remove-FromPSBoundParametersUsingHashtable is called and both ParamsToKeep and ParamsToRemove are specified' { It 'Should throw an exception' { - { RemoveParameters -PSBoundParametersIn @{} -ParamsToKeep @('Param1') -ParamsToRemove @('Param2') } | ` + { Remove-FromPSBoundParametersUsingHashtable -PSBoundParametersIn @{} -ParamsToKeep @('Param1') -ParamsToRemove @('Param2') } | ` Should -Throw -ExpectedMessage 'Parameter set cannot be resolved using the specified named parameters.' } } - Context 'When RemoveParameters is called with ParamsToKeep' { + Context 'When Remove-FromPSBoundParametersUsingHashtable is called with ParamsToKeep' { It 'Should remove any parameter not specified in ParamsToKeep' { $psBoundParametersIn = @{ Param1 = 1 @@ -838,7 +838,7 @@ try $paramsToKeep = @('Param1', 'Param2') - RemoveParameters -PSBoundParametersIn $psBoundParametersIn -ParamsToKeep $paramsToKeep + Remove-FromPSBoundParametersUsingHashtable -PSBoundParametersIn $psBoundParametersIn -ParamsToKeep $paramsToKeep $psBoundParametersIn.ContainsKey('Param1') | Should -Be $true $psBoundParametersIn.ContainsKey('Param2') | Should -Be $true 
@@ -846,7 +846,7 @@ try } } - Context 'When RemoveParameters is called with ParamsToRemove' { + Context 'When Remove-FromPSBoundParametersUsingHashtable is called with ParamsToRemove' { It 'Should remove any parameter specified in ParamsToRemove' { $psBoundParametersIn = @{ Param1 = 1 @@ -859,7 +859,7 @@ try 'param2' ) - RemoveParameters -PSBoundParametersIn $psBoundParametersIn -ParamsToRemove $paramsToRemove + Remove-FromPSBoundParametersUsingHashtable -PSBoundParametersIn $psBoundParametersIn -ParamsToRemove $paramsToRemove $psBoundParametersIn.ContainsKey('Param1') | Should -Be $false $psBoundParametersIn.ContainsKey('Param2') | Should -Be $false