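# Source: github.com/cloudfoundry-incubator/stembuild@v0.0.0-20211223202937-5b61d62226c6/modules/BOSH.WindowsUpdates/BOSH.WindowsUpdates.Tests.ps1
#
# Pester tests for the BOSH.WindowsUpdates module, written in the legacy
# space-separated assertion syntax (`Should Be`, `Should Not Throw`).
#
# These tests are not isolated: they read and write real HKLM registry values and
# reconfigure the real `wuauserv` service, so they need an elevated session and
# are best run on a disposable build VM. Each test snapshots the state it touches
# and restores it afterwards; the restore code is therefore security-relevant,
# because a faulty restore leaves the host with automatic updates disabled or
# with a hardening key removed.
#
# Restore convention used throughout: a missing registry value reads back as
# $null, so "did the value exist before?" is tested with `$null -eq $old`.
# Comparing against "" is wrong in both directions: `$null -eq ""` is $false
# (a missing value would be "restored" instead of removed) and `0 -eq ""` is
# $true (a pre-existing DWORD 0 would be deleted instead of restored).

Remove-Module -Name BOSH.WindowsUpdates -ErrorAction Ignore
Import-Module ./BOSH.WindowsUpdates.psm1

Remove-Module -Name BOSH.Utils -ErrorAction Ignore
Import-Module ../BOSH.Utils/BOSH.Utils.psm1

Describe "Disable-AutomaticUpdates" {

    BeforeEach {
        $autoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

        # Snapshot the service state so AfterEach can put it back.
        $oldWuauStatus = (Get-Service wuauserv).Status
        $oldWuauStartMode = (Get-Service wuauserv).StartType

        # Force a known "enabled and running" starting point so the assertions
        # below prove that Disable-AutomaticUpdates changed something.
        { Set-Service -Name wuauserv -StartupType "Manual" } | Should Not Throw
        { Set-Service -Name wuauserv -Status "Running" } | Should Not Throw

        # Snapshot the three registry values ($null when the value is absent).
        $autoUpdateProps = Get-ItemProperty -Path $autoUpdateKey
        $oldAUOptions = $autoUpdateProps.AUOptions
        $oldEnableFeaturedSoftware = $autoUpdateProps.EnableFeaturedSoftware
        $oldIncludeRecUpdates = $autoUpdateProps.IncludeRecommendedUpdates

        # Seed each value with 2, which differs from every value the tests expect.
        Set-ItemProperty -Path $autoUpdateKey -Value 2 -Name 'AUOptions'
        Set-ItemProperty -Path $autoUpdateKey -Value 2 -Name 'EnableFeaturedSoftware'
        Set-ItemProperty -Path $autoUpdateKey -Value 2 -Name 'IncludeRecommendedUpdates'

        { Disable-AutomaticUpdates } | Should Not Throw
    }

    AfterEach {
        $autoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

        if ($null -eq $oldAUOptions) {
            Remove-ItemProperty -Path $autoUpdateKey -Name 'AUOptions'
        } else {
            Set-ItemProperty -Path $autoUpdateKey -Value $oldAUOptions -Name 'AUOptions'
        }

        if ($null -eq $oldEnableFeaturedSoftware) {
            Remove-ItemProperty -Path $autoUpdateKey -Name 'EnableFeaturedSoftware'
        } else {
            Set-ItemProperty -Path $autoUpdateKey -Value $oldEnableFeaturedSoftware -Name 'EnableFeaturedSoftware'
        }

        if ($null -eq $oldIncludeRecUpdates) {
            Remove-ItemProperty -Path $autoUpdateKey -Name 'IncludeRecommendedUpdates'
        } else {
            # Fixed: the original restored $oldAUOptions here (copy-paste slip),
            # overwriting IncludeRecommendedUpdates with an unrelated value.
            Set-ItemProperty -Path $autoUpdateKey -Value $oldIncludeRecUpdates -Name 'IncludeRecommendedUpdates'
        }

        # Start type first: a disabled service cannot be set back to Running.
        { Set-Service -Name wuauserv -StartupType $oldWuauStartMode } | Should Not Throw
        if ($oldWuauStatus -eq "Stopped") {
            Stop-Service wuauserv
        } else {
            { Set-Service -Name wuauserv -Status $oldWuauStatus } | Should Not Throw
        }
    }

    It "stops and disables the Windows Updates service" {
        (Get-Service -Name "wuauserv").Status | Should Be "Stopped"
        (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='wuauserv'").StartMode | Should Be "Disabled"
    }

    It "sets registry keys to stop automatically installing updates" {
        $autoUpdateProps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
        $autoUpdateProps.AUOptions | Should Be "1"
        $autoUpdateProps.EnableFeaturedSoftware | Should Be "0"
        $autoUpdateProps.IncludeRecommendedUpdates | Should Be "0"
    }
}

Describe "Enable-SecurityPatches" {
    # Each test below snapshots the key, runs the Enable-* function, asserts the
    # opt-in value is "1", and restores the snapshot in `finally` so that a failed
    # assertion (which throws) cannot leave the host's registry modified.

    It "enables CVE-2015-6161" {
        $key32 = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING"
        $key64 = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING"

        # Fixed: the original initialised $handlerHardeningPath32Exists but set
        # $handlerHardeningPathExists32, so the flag never became $true and the
        # cleanup always deleted the whole key, even when it pre-existed.
        $handlerHardeningPath32Exists = $false
        $oldIExplore32 = $null
        if (Test-Path $key32) {
            $handlerHardeningPath32Exists = $true
            $oldIExplore32 = (Get-ItemProperty -Path $key32).'iexplore.exe'
        }

        $handlerHardeningPath64Exists = $false
        $oldIExplore64 = $null
        if (Test-Path $key64) {
            $handlerHardeningPath64Exists = $true
            $oldIExplore64 = (Get-ItemProperty -Path $key64).'iexplore.exe'
        }

        try {
            { Enable-CVE-2015-6161 } | Should Not Throw

            (Get-ItemProperty -Path $key32).'iexplore.exe' | Should Be "1"
            (Get-ItemProperty -Path $key64).'iexplore.exe' | Should Be "1"
        } finally {
            if ($handlerHardeningPath32Exists) {
                if ($null -eq $oldIExplore32) {
                    # Fixed: `Remove-Item-Property` is not a cmdlet.
                    Remove-ItemProperty -Path $key32 -Name "iexplore.exe"
                } else {
                    Set-ItemProperty -Path $key32 -Value $oldIExplore32 -Name "iexplore.exe"
                }
            } elseif (Test-Path $key32) {
                Remove-Item $key32
            }

            # Fixed: the original tested the 32-bit flag for the 64-bit key.
            if ($handlerHardeningPath64Exists) {
                if ($null -eq $oldIExplore64) {
                    Remove-ItemProperty -Path $key64 -Name "iexplore.exe"
                } else {
                    Set-ItemProperty -Path $key64 -Value $oldIExplore64 -Name "iexplore.exe"
                }
            } elseif (Test-Path $key64) {
                Remove-Item $key64
            }
        }
    }

    It "enables CVE-2017-8529" {
        $key32 = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX"
        $key64 = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX"

        $disclosureFixPathExists32 = $false
        $oldIExplore32 = $null
        if (Test-Path $key32) {
            $disclosureFixPathExists32 = $true
            $oldIExplore32 = (Get-ItemProperty -Path $key32).'iexplore.exe'
        }

        $disclosureFixPathExists64 = $false
        $oldIExplore64 = $null
        if (Test-Path $key64) {
            $disclosureFixPathExists64 = $true
            $oldIExplore64 = (Get-ItemProperty -Path $key64).'iexplore.exe'
        }

        try {
            { Enable-CVE-2017-8529 } | Should Not Throw

            (Get-ItemProperty -Path $key32).'iexplore.exe' | Should Be "1"
            (Get-ItemProperty -Path $key64).'iexplore.exe' | Should Be "1"
        } finally {
            if ($disclosureFixPathExists32) {
                if ($null -eq $oldIExplore32) {
                    # Fixed: `Remove-Item-Property` is not a cmdlet.
                    Remove-ItemProperty -Path $key32 -Name "iexplore.exe"
                } else {
                    Set-ItemProperty -Path $key32 -Value $oldIExplore32 -Name "iexplore.exe"
                }
            } elseif (Test-Path $key32) {
                Remove-Item $key32
            }

            if ($disclosureFixPathExists64) {
                if ($null -eq $oldIExplore64) {
                    Remove-ItemProperty -Path $key64 -Name "iexplore.exe"
                } else {
                    Set-ItemProperty -Path $key64 -Value $oldIExplore64 -Name "iexplore.exe"
                }
            } elseif (Test-Path $key64) {
                Remove-Item $key64
            }
        }
    }

    It "enables CredSSP" {
        $credSSPKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP"
        $credSSPParamKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"

        $credSSPPathExists = $false
        $credSSPParamPathExists = $false
        $oldEcryptOracle = $null
        if (Test-Path $credSSPKey) {
            $credSSPPathExists = $true
            if (Test-Path $credSSPParamKey) {
                $credSSPParamPathExists = $true
                $oldEcryptOracle = (Get-ItemProperty -Path $credSSPParamKey).AllowEncryptionOracle
            }
        }

        try {
            { Enable-CredSSP } | Should Not Throw

            # AllowEncryptionOracle = 1 is the "Mitigated" protection level of the
            # CredSSP encryption-oracle remediation policy (0 = force updated
            # clients, 2 = vulnerable); the test pins 1.
            (Get-ItemProperty -Path $credSSPParamKey).AllowEncryptionOracle | Should Be "1"
        } finally {
            if ($credSSPPathExists) {
                if ($credSSPParamPathExists) {
                    if ($null -eq $oldEcryptOracle) {
                        # Fixed: `Remove-Item-Property` is not a cmdlet.
                        Remove-ItemProperty -Path $credSSPParamKey -Name "AllowEncryptionOracle"
                    } else {
                        Set-ItemProperty -Path $credSSPParamKey -Value $oldEcryptOracle -Name "AllowEncryptionOracle"
                    }
                } elseif (Test-Path $credSSPParamKey) {
                    Remove-Item $credSSPParamKey
                }
            } elseif (Test-Path $credSSPKey) {
                # The whole CredSSP key was created by the function under test.
                Remove-Item $credSSPKey -Recurse
            }
        }
    }
}

Describe "Upgrade-PSVersion" {
    # Invoke-WebRequest and Start-Process are mocked inside the module, so these
    # tests neither download nor install anything; they only check which calls
    # Upgrade-PSVersion makes.
    #
    # NOTE(review): both tests carry the same name. This first one covers the
    # "already on 5.1 or above, nothing is downloaded or run" path.
    It "Only installs if powershell 5.1 or above is not installed" {
        Mock Test-PSVersion { $true } -ModuleName BOSH.WindowsUpdates
        Mock Invoke-WebRequest { } -ModuleName BOSH.WindowsUpdates
        Mock Start-Process { } -ModuleName BOSH.WindowsUpdates

        { Upgrade-PSVersion } | Should Not Throw

        Assert-MockCalled Test-PSVersion -Times 1 -Scope It -ModuleName BOSH.WindowsUpdates
        Assert-MockCalled Invoke-WebRequest -Times 0 -Scope It -ModuleName BOSH.WindowsUpdates
        Assert-MockCalled Start-Process -Times 0 -Scope It -ModuleName BOSH.WindowsUpdates
    }

    # This second one covers the "below 5.1, download the MSU and run it" path.
    #
    # NOTE(review): the assertions pin the download URL, the output path and the
    # installer arguments only. Nothing here checks that the downloaded package is
    # verified (signature or hash) before Start-Process runs it; whether the module
    # does so is not visible from this test - confirm in BOSH.WindowsUpdates.psm1.
    It "Only installs if powershell 5.1 or above is not installed" {
        Mock Test-PSVersion { $false } -ModuleName BOSH.WindowsUpdates
        Mock Invoke-WebRequest { } -ModuleName BOSH.WindowsUpdates
        Mock Start-Process { } -ModuleName BOSH.WindowsUpdates

        { Upgrade-PSVersion } | Should Not Throw

        Assert-MockCalled Test-PSVersion -Times 1 -Scope It -ModuleName BOSH.WindowsUpdates
        Assert-MockCalled Invoke-WebRequest -Times 1 -Scope It -ParameterFilter { $Uri -eq "https://go.microsoft.com/fwlink/?linkid=839516" -and $Outfile -eq "C:\provision\PS51.msu" -and $UseBasicParsing.IsPresent } -ModuleName BOSH.WindowsUpdates
        Assert-MockCalled Start-Process -Times 1 -Scope It -ParameterFilter { $FilePath -eq "C:\provision\PS51.msu" -and $ArgumentList -eq '/quiet /norestart /log:"C:\provision\psupgrade.log"' -and $Wait.IsPresent -and $Passthru.IsPresent } -ModuleName BOSH.WindowsUpdates
    }
}

Remove-Module -Name BOSH.WindowsUpdates -ErrorAction Ignore
Remove-Module -Name BOSH.Utils -ErrorAction Ignore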