icinga-powershell-framework/lib/core/icingaagent/tests/Test-IcingaAgentServicePermission.psm1

function Test-IcingaAgentServicePermission()
{
    param(
        [switch]$Silent = $FALSE
    );

    $ServiceUser       = Get-IcingaServiceUser;
    $ServiceUserSID    = Get-IcingaUserSID $ServiceUser;
    $SystemContent     = Get-IcingaAgentServicePermission;
    [bool]$FoundSID    = $FALSE;

    if ($ServiceUser -eq 'NT Authority\SYSTEM') {
        Write-IcingaTestOutput -Severity 'Passed' -Message ([string]::Format('The specified user "{0}" is allowed to run as service', $ServiceUser));
        return $TRUE;
    }

    # Never update system SIDs
    if ($ServiceUserSID.Length -le 16) {
        Write-IcingaTestOutput -Severity 'Passed' -Message ([string]::Format('It seems the provided SID "{0}" is a system SID. Skipping permission check', $ServiceUserSID));
        return $TRUE;
    }

    if ([string]::IsNullOrEmpty($ServiceUser)) {
        if (-Not $Silent) {
            Write-IcingaTestOutput -Severity 'Failed' -Message 'There is no user assigned to the Icinga 2 service or the service is not yet installed';
        }
        return $FALSE;
    }

    foreach ($line in $SystemContent) {
        if ($line -like '*SeServiceLogonRight*') {
            $Index           = $line.IndexOf('= ') + 2;
            [string]$SIDs    = $line.Substring($Index, $line.Length - $Index);
            [array]$SIDArray = $SIDs.Split(',');

            foreach ($sid in $SIDArray) {
                if ($sid -like "*$ServiceUserSID" -Or $sid -eq $ServiceUser) {
                    $FoundSID = $TRUE;
                    break;
                }
            }
        }
        if ($FoundSID) {
            break;
        }
    }

    if (-Not $Silent) {
        if ($FoundSID) {
            Write-IcingaTestOutput -Severity 'Passed' -Message ([string]::Format('The specified user "{0}" is allowed to run as service', $ServiceUser));
        } else {
            Write-IcingaTestOutput -Severity 'Failed' -Message ([string]::Format('The specified user "{0}" is not allowed to run as service', $ServiceUser));
        }
    }

    return $FoundSID;
}
Added Icinga Service and Service permission management 2019-10-17 16:51:12 -04:00			`function Test-IcingaAgentServicePermission()`
			`{`
			`param(`
			`[switch]$Silent = $FALSE`
			`);`

			`$ServiceUser = Get-IcingaServiceUser;`
			`$ServiceUserSID = Get-IcingaUserSID $ServiceUser;`
			`$SystemContent = Get-IcingaAgentServicePermission;`
			`[bool]$FoundSID = $FALSE;`

Fixes handling for LocalSystem account if set as service user Fixes #51 2020-03-11 08:01:54 -04:00			`if ($ServiceUser -eq 'NT Authority\SYSTEM') {`
Adds new command to test the functionality of Icinga for Windows 2024-03-14 12:16:09 -04:00			`Write-IcingaTestOutput -Severity 'Passed' -Message ([string]::Format('The specified user "{0}" is allowed to run as service', $ServiceUser));`
Fixes handling for LocalSystem account if set as service user Fixes #51 2020-03-11 08:01:54 -04:00			`return $TRUE;`
			`}`

Fixes security catalog compilation on non-english Windows versions 2025-12-23 11:25:23 -05:00			`# Never update system SIDs`
			`if ($ServiceUserSID.Length -le 16) {`
			`Write-IcingaTestOutput -Severity 'Passed' -Message ([string]::Format('It seems the provided SID "{0}" is a system SID. Skipping permission check', $ServiceUserSID));`
			`return $TRUE;`
			`}`

Added Icinga Service and Service permission management 2019-10-17 16:51:12 -04:00			`if ([string]::IsNullOrEmpty($ServiceUser)) {`
			`if (-Not $Silent) {`
Fixes and improves various messages, handlings and severities for wizard 2020-05-22 10:34:18 -04:00			`Write-IcingaTestOutput -Severity 'Failed' -Message 'There is no user assigned to the Icinga 2 service or the service is not yet installed';`
Added Icinga Service and Service permission management 2019-10-17 16:51:12 -04:00			`}`
			`return $FALSE;`
			`}`

			`foreach ($line in $SystemContent) {`
			`if ($line -like 'SeServiceLogonRight') {`
			`$Index = $line.IndexOf('= ') + 2;`
			`[string]$SIDs = $line.Substring($Index, $line.Length - $Index);`
			`[array]$SIDArray = $SIDs.Split(',');`

			`foreach ($sid in $SIDArray) {`
			`if ($sid -like "*$ServiceUserSID" -Or $sid -eq $ServiceUser) {`
			`$FoundSID = $TRUE;`
			`break;`
			`}`
			`}`
			`}`
			`if ($FoundSID) {`
			`break;`
			`}`
			`}`

			`if (-Not $Silent) {`
			`if ($FoundSID) {`
Fixes and improves various messages, handlings and severities for wizard 2020-05-22 10:34:18 -04:00			`Write-IcingaTestOutput -Severity 'Passed' -Message ([string]::Format('The specified user "{0}" is allowed to run as service', $ServiceUser));`
Added Icinga Service and Service permission management 2019-10-17 16:51:12 -04:00			`} else {`
Fixes and improves various messages, handlings and severities for wizard 2020-05-22 10:34:18 -04:00			`Write-IcingaTestOutput -Severity 'Failed' -Message ([string]::Format('The specified user "{0}" is not allowed to run as service', $ServiceUser));`
Added Icinga Service and Service permission management 2019-10-17 16:51:12 -04:00			`}`
			`}`

			`return $FoundSID;`
			`}`