From da968db3e2385e53ebb0ec89e417b69fea142eba Mon Sep 17 00:00:00 2001
From: DrIOS <58635327+DrIOSX@users.noreply.github.com>
Date: Sun, 4 Aug 2024 13:51:29 -0500
Subject: [PATCH] change: refactor Get-CISSpoOutput to support application auth using Pnp Powershell
---
 source/Private/Get-CISSpoOutput.ps1 | 152 +++++++++++++++++++++----
 source/Private/Invoke-TestFunction.ps1 | 2 +-
 2 files changed, 133 insertions(+), 21 deletions(-)

diff --git a/source/Private/Get-CISSpoOutput.ps1 b/source/Private/Get-CISSpoOutput.ps1
index 10a16ee..2c45cd3 100644
--- a/source/Private/Get-CISSpoOutput.ps1
+++ b/source/Private/Get-CISSpoOutput.ps1
@@ -1,37 +1,150 @@ +<# + .SYNOPSIS + Retrieves configuration settings from SharePoint Online or PnP based on the specified recommendation. + .DESCRIPTION + The Get-CISSpoOutput function retrieves specific configuration settings from SharePoint Online or PnP based on a recommendation number. + It dynamically switches between using SPO and PnP commands based on the provided authentication context. + .PARAMETER Rec + The recommendation number corresponding to the specific test to be run. + .INPUTS + None. You cannot pipe objects to this function. + .OUTPUTS + PSCustomObject + Returns configuration details for the specified recommendation. + .EXAMPLE + PS> Get-CISSpoOutput -Rec '7.2.1' + Retrieves the LegacyAuthProtocolsEnabled property from the SharePoint Online or PnP tenant. +#> function Get-CISSpoOutput { - [cmdletBinding()] + [CmdletBinding()] param( - [Parameter(Mandatory = $true)] + [Parameter(Mandatory = $true, HelpMessage = "The recommendation number corresponding to the specific test to be run.")] [String]$Rec ) begin { - if (($script:PnpAuth)) { - $UsePnP = $true - } + # Check if PnP should be used + $UsePnP = $script:PnpAuth # Determine the prefix based on the switch $prefix = if ($UsePnP) { "PnP" } else { "SPO" } # Define a hashtable to map the function calls $commandMap = @{ - '7.2.1' = "Get-${prefix}Tenant | Select-Object -Property LegacyAuthProtocolsEnabled" - '7.2.2' = "Get-${prefix}Tenant | Select-Object EnableAzureADB2BIntegration" - '7.2.3' = "Get-${prefix}Tenant | Select-Object SharingCapability" - '7.2.4' = "Get-${prefix}Tenant | Select-Object OneDriveSharingCapability" - '7.2.5' = "Get-${prefix}Tenant | Select-Object PreventExternalUsersFromResharing" - '7.2.6' = "Get-${prefix}Tenant | Select-Object SharingDomainRestrictionMode, SharingAllowedDomainList" - '7.2.7' = "Get-${prefix}Tenant | Select-Object DefaultSharingLinkType" - '7.2.9' = "Get-${prefix}Tenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays" - '7.2.10' = 
"Get-${prefix}Tenant | Select-Object EmailAttestationRequired, EmailAttestationReAuthDays" - '7.3.1' = "Get-${prefix}Tenant | Select-Object DisallowInfectedFileDownload" - '7.3.2' = "Get-${prefix}TenantSyncClientRestriction | Select-Object TenantRestrictionEnabled, AllowedDomainList" - '7.3.4' = if ($prefix -eq "SPO") {"Get-${prefix}Site -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages"} else {"Get-${Prefix}TenantSite | Select-Object Title, Url, DenyAddAndCustomizePages"} + # Test-ModernAuthSharePoint.ps1 + # 7.2.1 (L1) Ensure Legacy Authentication Protocols are disabled + # $SPOTenant Mock Object + '7.2.1' = { + Invoke-Command { + & "$((Get-Command -Name "Get-${prefix}Tenant").Name)" + } | Select-Object -Property LegacyAuthProtocolsEnabled + } + # Test-SharePointAADB2B.ps1 + # 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled + # $SPOTenantAzureADB2B Mock Object + '7.2.2' = { + Invoke-Command { + & "$((Get-Command -Name "Get-${prefix}Tenant").Name)" + } | Select-Object -Property EnableAzureADB2BIntegration + } + # Test-RestrictExternalSharing.ps1 + # 7.2.3 (L1) Ensure external content sharing is restricted + # Retrieve the SharingCapability setting for the SharePoint tenant + # $SPOTenantSharingCapability Mock Object + '7.2.3' = { + Invoke-Command { + & "$((Get-Command -Name "Get-${prefix}Tenant").Name)" + } | Select-Object -Property SharingCapability + } + # Test-OneDriveContentRestrictions.ps1 + # 7.2.4 (L2) Ensure OneDrive content sharing is restricted + # $SPOTenant Mock Object + '7.2.4' = { + Invoke-Command { + if ($prefix -eq "SPO") { + & "$((Get-Command -Name "Get-${prefix}Tenant").Name)" | Select-Object -Property OneDriveSharingCapability + } else { + # Workaround until bugfix in PnP.PowerShell + & "$((Get-Command -Name "Get-${prefix}Tenant").Name)" | Select-Object -Property OneDriveLoopSharingCapability | Select-Object @{Name = "OneDriveSharingCapability"; Expression = { $_.OneDriveLoopSharingCapability }} + 
} + } + } + # Test-SharePointGuestsItemSharing.ps1 + # 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own + # $SPOTenant Mock Object + '7.2.5' = { + Invoke-Command { + & "$((Get-Command -Name "Get-${prefix}Tenant").Name)" + } | Select-Object -Property PreventExternalUsersFromResharing + } + # Test-SharePointExternalSharingDomains.ps1 + # 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists + # Add Authorized Domains? + # $SPOTenant Mock Object + '7.2.6' = { + Invoke-Command { + & "$((Get-Command -Name "Get-${prefix}Tenant").Name)" + } | Select-Object -Property SharingDomainRestrictionMode, SharingAllowedDomainList + } + # Test-LinkSharingRestrictions.ps1 + # Retrieve link sharing configuration for SharePoint and OneDrive + # $SPOTenantLinkSharing Mock Object + '7.2.7' = { + Invoke-Command { + & "$((Get-Command -Name "Get-${prefix}Tenant").Name)" + } | Select-Object -Property DefaultSharingLinkType + } + # Test-GuestAccessExpiration.ps1 + # Retrieve SharePoint tenant settings related to guest access expiration + # $SPOTenantGuestAccess Mock Object + '7.2.9' = { + Invoke-Command { + & "$((Get-Command -Name "Get-${prefix}Tenant").Name)" + } | Select-Object -Property ExternalUserExpirationRequired, ExternalUserExpireInDays + } + # Test-ReauthWithCode.ps1 + # 7.2.10 (L1) Ensure reauthentication with verification code is restricted + # Retrieve reauthentication settings for SharePoint Online + # $SPOTenantReauthentication Mock Object + '7.2.10' = { + Invoke-Command { + & "$((Get-Command -Name "Get-${prefix}Tenant").Name)" + } | Select-Object -Property EmailAttestationRequired, EmailAttestationReAuthDays + } + # Test-DisallowInfectedFilesDownload.ps1 + # Retrieve the SharePoint tenant configuration + # $SPOTenantDisallowInfectedFileDownload Mock Object + '7.3.1' = { + Invoke-Command { + & "$((Get-Command -Name "Get-${prefix}Tenant").Name)" + } | Select-Object -Property DisallowInfectedFileDownload + } + 
# Test-OneDriveSyncRestrictions.ps1 + # Retrieve OneDrive sync client restriction settings + # Add isHybrid parameter? + # $SPOTenantSyncClientRestriction Mock Object + '7.3.2' = { + Invoke-Command { + & "$((Get-Command -Name "Get-${prefix}TenantSyncClientRestriction").Name)" + } | Select-Object -Property TenantRestrictionEnabled, AllowedDomainList + } + # Test-RestrictCustomScripts.ps1 + # Retrieve all site collections and select necessary properties + # $SPOSitesCustomScript Mock Object + '7.3.4' = { + Invoke-Command { + if ($prefix -eq "SPO") { + & "$((Get-Command -Name "Get-${prefix}Site").Name)" -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages + } else { + & "$((Get-Command -Name "Get-${prefix}TenantSite").Name)" | Select-Object Title, Url, DenyAddAndCustomizePages + } + } + } } } process { try { Write-Verbose "Returning data for Rec: $Rec" if ($commandMap.ContainsKey($Rec)) { - $command = $commandMap[$Rec] - $result = Invoke-Expression $command + # Invoke the script block associated with the command + $result = & $commandMap[$Rec] -ErrorAction Stop return $result } else { @@ -41,7 +154,6 @@ function Get-CISSpoOutput { catch { throw "Get-CISSpoOutput: `n$_" } - } end { Write-Verbose "Finished processing for Rec: $Rec" diff --git a/source/Private/Invoke-TestFunction.ps1 b/source/Private/Invoke-TestFunction.ps1 index 1aae8bb..4e2f07e 100644 --- a/source/Private/Invoke-TestFunction.ps1 +++ b/source/Private/Invoke-TestFunction.ps1 @@ -33,7 +33,7 @@ function Invoke-TestFunction { return $result } catch { - Write-Error "An error occurred during the test: $_" + Write-Error "An error occurred during the test $recnum`:: $_" $script:FailedTests.Add([PSCustomObject]@{ Test = $functionName; Error = $_ }) # Call Initialize-CISAuditResult with error parameters
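Review bot: The `-ErrorAction Stop` on `$result = & $commandMap[$Rec] -ErrorAction Stop` never reaches the tenant cmdlets: the script blocks stored in `$commandMap` have no param block, so `-ErrorAction` and `Stop` are simply bound into `$args` and the inner `Get-SPOTenant`/`Get-PnPTenant` calls keep the caller's default preference, meaning a failed command lookup or tenant call can write a non-terminating error and fall through to `return $result` with nothing rather than landing in the catch. The smallest fix is to drop that argument and set the preference inside the try, `$ErrorActionPreference = 'Stop'` followed by `$result = & $commandMap[$Rec]`, or alternatively to put `-ErrorAction Stop` on every inner `&` call and on each `Get-Command` lookup. Replacing Invoke-Expression with script blocks is the right direction, but `& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"` resolves the command, turns it back into a string and resolves it a second time, and the surrounding `Invoke-Command { ... }` on a local block adds nothing; `& (Get-Command -Name "Get-${prefix}Tenant" -ErrorAction Stop)` does the same lookup once. Since `$prefix` is only ever `PnP` or `SPO`, adding `-Module` to that Get-Command call would also pin the lookup to the intended module, so a same-named function defined elsewhere in the session (functions take precedence over cmdlets) cannot be picked up in its place.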
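Review bot: The new message `"An error occurred during the test $recnum`:: $_"` renders with a doubled colon: the backtick only keeps the first `:` from being read as part of the variable name, and the second `:` is emitted literally, so the output reads `... test 7.2.1:: <error>`; `"An error occurred during the test $recnum`: $_"` (or `$($recnum): $_`) is presumably what was meant. Invoke-TestFunction's parameter block is outside the hunk, so whether `$recnum` is defined in this scope cannot be checked here; if it is not, the message silently drops the recommendation number instead of failing, which is worth confirming since this string is what ends up in the recorded failure.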