Merge pull request #4353 from SteveL-MSFT/deviceguard-startprocess

Fix DeviceGuard data being returned from Get-ComputerInfo and Start-Process test failure
2017-07-28 14:22:51 -07:00 · 2017-07-28 14:22:51 -07:00 · 06d416b954
parent d2e3d60391 48625af83e
commit 06d416b954
3 changed files with 88 additions and 14 deletions
--- a/src/Microsoft.PowerShell.Commands.Management/commands/management/GetComputerInfoCommand.cs
+++ b/src/Microsoft.PowerShell.Commands.Management/commands/management/GetComputerInfoCommand.cs
@ -436,8 +436,14 @@ namespace Microsoft.PowerShell.Commands
                var wmiGuard = session.GetFirst<WmiDeviceGuard>(CIMHelper.DeviceGuardNamespace,
                                                                CIMHelper.ClassNames.DeviceGuard);

-                if (wmiGuard != null)
+                if (wmiGuard != null) {
+                    var smartStatus = EnumConverter<DeviceGuardSmartStatus>.Convert((int?)wmiGuard.VirtualizationBasedSecurityStatus ?? 0);
+                    if (smartStatus != null)
+                    {
+                        status = (DeviceGuardSmartStatus)smartStatus;
+                    }
                    guard = wmiGuard.AsOutputType;
+                }
            }

            return new DeviceGuardInfo
--- a/test/powershell/Modules/Microsoft.PowerShell.Management/Get-ComputerInfo.Tests.ps1
+++ b/test/powershell/Modules/Microsoft.PowerShell.Management/Get-ComputerInfo.Tests.ps1
@ -23,6 +23,23 @@ function Get-ComputerInfoForTest
    }
 }

+function Get-StringValuesFromValueMap
+{
+    param([string[]] $values, [hashtable] $valuemap)
+
+    [string] $stringValues = [string]::Empty
+
+    foreach ($value in $values)
+    {
+        if ($stringValues -ne [string]::Empty)
+        {
+            $stringValues += ","
+        }
+        $stringValues += $valuemap[$value]
+    }
+    $stringValues
+}
+
 function Get-PropertyNamesForComputerInfoTest
 {
    $propertyNames = @()
@ -1346,11 +1363,46 @@ try {
            else
            {
                $deviceGuard = Get-DeviceGuard
-                $observed.DeviceGuardSmartStatus | Should Be $deviceGuard.SmartStatus
-                $observed.DeviceGuardRequiredSecurityProperties | Should Be $deviceGuard.RequiredSecurityProperties
+                # can't get amended qualifiers using cim cmdlets so we define them here
+                $requiredSecurityPropertiesValues = @{
+                    "1" = "BaseVirtualizationSupport"
+                    "2" = "SecureBoot"
+                    "3" = "DMAProtection"
+                    "4" = "SecureMemoryOverwrite"
+                    "5" = "UEFICodeReadonly"
+                    "6" = "SMMSecurityMitigations1.0"
+                }
+                $smartStatusValues = @{
+                    "0" = "Off"
+                    "1" = "Enabled"
+                    "2" = "Running"
+                }
+                $securityServicesRunningValues = @{
+                    "0" = "0"
+                    "1" = "CredentialGuard"
+                    "2" = "HypervisorEnforcedCodeIntegrity"
+                }
+                $observed.DeviceGuardSmartStatus | Should Be (Get-StringValuesFromValueMap -valuemap $smartStatusValues -values $deviceGuard.SmartStatus)
+                if ($deviceGuard.RequiredSecurityProperties -eq $null)
+                {
+                    $observed.DeviceGuardRequiredSecurityProperties | Should BeNullOrEmpty
+                }
+                else
+                {
+                    $observed.DeviceGuardRequiredSecurityProperties | Should Not BeNullOrEmpty
+                    [string]::Join(",", $observed.DeviceGuardRequiredSecurityProperties) | Should Be (Get-StringValuesFromValueMap -valuemap $requiredSecurityPropertiesValues -values $deviceGuard.RequiredSecurityProperties)
+                }
                $observed.DeviceGuardAvailableSecurityProperties | Should Be $deviceGuard.AvailableSecurityProperties
                $observed.DeviceGuardSecurityServicesConfigured | Should Be $deviceGuard.SecurityServicesConfigured
-                $observed.DeviceGuardSecurityServicesRunning | Should Be $deviceGuard.SecurityServicesRunning
+                if ($deviceGuard.SecurityServicesRunning -eq $null)
+                {
+                    $observed.DeviceGuardSecurityServicesRunning | Should BeNullOrEmpty
+                }
+                else
+                {
+                    $observed.DeviceGuardSecurityServicesRunning | Should Not BeNullOrEmpty
+                    [string]::Join(",", $observed.DeviceGuardSecurityServicesRunning) | Should Be (Get-StringValuesFromValueMap -valuemap $securityServicesRunningValues -values $deviceGuard.SecurityServicesRunning)
+                }
                $observed.DeviceGuardCodeIntegrityPolicyEnforcementStatus | Should Be $deviceGuard.CodeIntegrityPolicyEnforcementStatus
                $observed.DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus | Should Be $deviceGuard.UserModeCodeIntegrityPolicyEnforcementStatus
            }
--- a/test/powershell/Modules/Microsoft.PowerShell.Management/Start-Process.Tests.ps1
+++ b/test/powershell/Modules/Microsoft.PowerShell.Management/Start-Process.Tests.ps1
@ -1,4 +1,4 @@
-Describe "Start-Process" -Tags @("CI","SLOW") {
+Describe "Start-Process" -Tags @("Feature") {

    BeforeAll {
        $isNanoServer = [System.Management.Automation.Platform]::IsNanoServer
@ -10,7 +10,7 @@ Describe "Start-Process" -Tags @("CI","SLOW") {
        $tempFile = Join-Path -Path $TestDrive -ChildPath PSTest
        $assetsFile = Join-Path -Path (Join-Path -Path $PSScriptRoot -ChildPath assets) -ChildPath SortTest.txt
        if ($IsWindows) {
-	        $pingParam = "-n 2 localhost"
+            $pingParam = "-n 2 localhost"
        }
        elseif ($IsLinux -Or $IsOSX) {
 	        $pingParam = "-c 2 localhost"
@ -104,15 +104,31 @@ Describe "Start-Process" -Tags @("CI","SLOW") {
        $process.Name | Should Be "notepad"
        $process | Stop-Process
    }
+}

-    It "Should open the application that associates with extension '.txt'" -Skip:(!$isFullWin) {
-        $txtFile = Join-Path $TestDrive "TxtTest.txt"
-        New-Item $txtFile -ItemType File -Force
-        $process = Start-Process $txtFile -PassThru -WindowStyle Normal
-        $process.Name | Should Not BeNullOrEmpty
-        $process.Id | Should BeGreaterThan 1
-        $process | Stop-Process
+Describe "Start-Process tests requiring admin" -Tags "Feature","RequireAdminOnWindows" {
+
+    BeforeEach {
+        cmd /c assoc .foo=foofile
+        cmd /c ftype foofile=cmd /c echo %1^> $testdrive\foo.txt
+        Remove-Item $testdrive\foo.txt -Force -ErrorAction SilentlyContinue
    }

-    Remove-Item -Path $tempFile -Force
+    AfterEach {
+        cmd /c assoc .foo=
+        cmd /c ftype foofile=
+    }
+
+    It "Should open the application that is associated a file" -Skip:(!$isFullWin) {
+        $fooFile = Join-Path $TestDrive "FooTest.foo"
+        New-Item $fooFile -ItemType File -Force
+        Start-Process $fooFile
+        $startTime = Get-Date
+        while (((Get-Date) - $startTime).TotalSeconds -lt 10 -and (!(Test-Path $testdrive\foo.txt)))
+        {
+            Start-Sleep -Milliseconds 100
+        }
+        "$testdrive\foo.txt" | Should Exist
+        Get-Content $testdrive\foo.txt | Should BeExactly $fooFile
+    }
 }