icinga-powershell-framework/lib/core/icingaagent/tests/Test-IcingaAcl.psm1

function Test-IcingaAcl()
{
    param(
        [string]$Directory,
        [switch]$WriteOutput,
        [string]$ServiceUser = (Get-IcingaServiceUser)
    );

    if ([string]::IsNullOrEmpty($Directory) -Or -Not (Test-Path $Directory)) {
        Write-IcingaConsoleWarning 'The specified directory "{0}" was not found' -Objects $Directory;
        return $FALSE;
    }

    $FolderACL      = Get-Acl $Directory;
    $UserFound      = $FALSE;
    $HasAccess      = $FALSE;
    $ServiceUserSID = Get-IcingaUserSID $ServiceUser;

    foreach ($user in $FolderACL.Access) {
        # Not only check here for the exact name but also for included strings like NT AU or NT-AU or even further later on
        # As the Get-Acl Cmdlet will translate usernames into the own language, resultng in 'NT AUTHORITY\NetworkService' being translated
        # to 'NT-AUTORITÄT\Netzwerkdienst' for example
        $UserSID = $null;
        try {
            $UserSID = Get-IcingaUserSID $user.IdentityReference;
        } catch {
            $UserSID = $null;
        }

        if ($ServiceUserSID -eq $UserSID) {
            $UserFound = $TRUE;
            if (($user.FileSystemRights -Like '*Modify*' -And $user.FileSystemRights -Like '*Synchronize*') -Or $user.FileSystemRights -like '*FullControl*') {
                $HasAccess = $TRUE;
            }
        }
    }

    if ($WriteOutput) {
        [string]$messageFormat = 'Directory "{0}" {1} by the Icinga Service User "{2}"';
        if ($UserFound) {
            if ($HasAccess) {
                Write-IcingaTestOutput -Severity 'Passed' -Message ([string]::Format($messageFormat, $Directory, 'is accessible and writable', $ServiceUser));
            } else {
                Write-IcingaTestOutput -Severity 'Failed' -Message ([string]::Format($messageFormat, $Directory, 'is accessible but NOT writable', $ServiceUser));
                Write-IcingaConsolePlain "\_ Please run the following command to fix this issue: Set-IcingaAcl -Directory '$Directory'";
            }
        } else {
            Write-IcingaTestOutput -Severity 'Failed' -Message ([string]::Format($messageFormat, $Directory, 'is not accessible', $ServiceUser));
            Write-IcingaConsolePlain "\_ Please run the following command to fix this issue: Set-IcingaAcl -Directory '$Directory'";
        }
    }

    return $UserFound;
}
Added Icinga Agent management Cmdlets 2019-09-29 12:25:40 -04:00			`function Test-IcingaAcl()`
			`{`
			`param(`
			`[string]$Directory,`
Adds support for JEA profiles 2021-08-06 12:12:27 -04:00			`[switch]$WriteOutput,`
			`[string]$ServiceUser = (Get-IcingaServiceUser)`
Added Icinga Agent management Cmdlets 2019-09-29 12:25:40 -04:00			`);`

Fixes unhandled $null directory value on Test-IcingaAcl 2020-06-02 09:51:01 -04:00			`if ([string]::IsNullOrEmpty($Directory) -Or -Not (Test-Path $Directory)) {`
Adds support for JEA profiles 2021-08-06 12:12:27 -04:00			`Write-IcingaConsoleWarning 'The specified directory "{0}" was not found' -Objects $Directory;`
			`return $FALSE;`
Added Icinga Agent management Cmdlets 2019-09-29 12:25:40 -04:00			`}`

Fixes handling for LocalSystem account if set as service user Fixes #51 2020-03-11 08:01:54 -04:00			`$FolderACL = Get-Acl $Directory;`
			`$UserFound = $FALSE;`
			`$HasAccess = $FALSE;`
			`$ServiceUserSID = Get-IcingaUserSID $ServiceUser;`

Added Icinga Agent management Cmdlets 2019-09-29 12:25:40 -04:00			`foreach ($user in $FolderACL.Access) {`
			`# Not only check here for the exact name but also for included strings like NT AU or NT-AU or even further later on`
			`# As the Get-Acl Cmdlet will translate usernames into the own language, resultng in 'NT AUTHORITY\NetworkService' being translated`
			`# to 'NT-AUTORITÄT\Netzwerkdienst' for example`
Fixes handling for LocalSystem account if set as service user Fixes #51 2020-03-11 08:01:54 -04:00			`$UserSID = $null;`
			`try {`
			`$UserSID = Get-IcingaUserSID $user.IdentityReference;`
			`} catch {`
			`$UserSID = $null;`
			`}`

			`if ($ServiceUserSID -eq $UserSID) {`
Added Icinga Agent management Cmdlets 2019-09-29 12:25:40 -04:00			`$UserFound = $TRUE;`
Fixes handling for LocalSystem account if set as service user Fixes #51 2020-03-11 08:01:54 -04:00			`if (($user.FileSystemRights -Like 'Modify' -And $user.FileSystemRights -Like 'Synchronize') -Or $user.FileSystemRights -like 'FullControl') {`
Added Icinga Agent management Cmdlets 2019-09-29 12:25:40 -04:00			`$HasAccess = $TRUE;`
			`}`
			`}`
			`}`

			`if ($WriteOutput) {`
			`[string]$messageFormat = 'Directory "{0}" {1} by the Icinga Service User "{2}"';`
			`if ($UserFound) {`
			`if ($HasAccess) {`
Adds mmc list view, kickstart filter, spelling fix 2021-08-18 09:05:53 -04:00			`Write-IcingaTestOutput -Severity 'Passed' -Message ([string]::Format($messageFormat, $Directory, 'is accessible and writable', $ServiceUser));`
Added Icinga Agent management Cmdlets 2019-09-29 12:25:40 -04:00			`} else {`
Adds mmc list view, kickstart filter, spelling fix 2021-08-18 09:05:53 -04:00			`Write-IcingaTestOutput -Severity 'Failed' -Message ([string]::Format($messageFormat, $Directory, 'is accessible but NOT writable', $ServiceUser));`
Replaces Write-Host calls with custom console writes 2020-05-13 10:53:15 -04:00			`Write-IcingaConsolePlain "\_ Please run the following command to fix this issue: Set-IcingaAcl -Directory '$Directory'";`
Added Icinga Agent management Cmdlets 2019-09-29 12:25:40 -04:00			`}`
			`} else {`
Fixes and improves various messages, handlings and severities for wizard 2020-05-22 10:34:18 -04:00			`Write-IcingaTestOutput -Severity 'Failed' -Message ([string]::Format($messageFormat, $Directory, 'is not accessible', $ServiceUser));`
Replaces Write-Host calls with custom console writes 2020-05-13 10:53:15 -04:00			`Write-IcingaConsolePlain "\_ Please run the following command to fix this issue: Set-IcingaAcl -Directory '$Directory'";`
Added Icinga Agent management Cmdlets 2019-09-29 12:25:40 -04:00			`}`
			`}`

			`return $UserFound;`
			`}`