Add Set-RegistryProperty and Set-InternetExplorerRegistries.

Made Set-Registry work properly for pipelining purposes.

[#167407675](https://www.pivotaltracker.com/story/show/167407675)
 As a platform engineer I want to see Internet Explorer-based policies that comply with MSFT Baseline Security Standard - 20193

Co-authored-by: George Gelashvili <[email protected]>

Author: dbasner

bosh-psmodules/modules/BOSH.Registry/BOSH.Registry.Tests.ps1

@@ -3,23 +3,87 @@ Import-Module ./BOSH.Registry.psd1
 
 Describe "BOSH.Registry" {
     BeforeEach {
-        Mock Set-ItemProperty { } -ModuleName BOSH.Registry
-        Mock New-Item { } -ModuleName BOSH.Registry
+        Mock Set-ItemProperty { } -ModuleName BOSH.Registry #actually
+        $newItemReturn = [pscustomobject]@{"NewPath" = "HKCU:/Path/created";}
+        Mock New-Item { $newItemReturn } -ModuleName BOSH.Registry
+        # reset for our -parameterfilter mock
+        Mock New-Item { $newItemReturn } -ModuleName BOSH.Registry -ParameterFilter { $PSBoundParameters['ErrorAction'] -eq "Stop" }
     }
 
     It "Set-RegistryProperty adds a property to the registry" {
-        Set-RegistryProperty -Path "HKLM:/Some/Registry/Path" -Name "A Registry Key" -Value "yes"
+        {Set-RegistryProperty -Path "HKLM:/Some/Registry/Path" -Name "A Registry Key" -Value "yes"} | Should -Not -Throw
 
         Assert-MockCalled Set-ItemProperty -Exactly 1 -Scope It -ModuleName BOSH.Registry -ParameterFilter {
             $Path -eq "HKLM:/Some/Registry/Path" -and $Name -eq "A Registry Key" -and $Value -eq "yes"
         }
     }
 
     It "Set-RegistryProperty ensures the folder exists, before modifying the registry property" {
-        Set-RegistryProperty -Path "HKLM:/Some/Registry/Path" -Name "A Registry Key" -Value "yes"
+        {Set-RegistryProperty -Path "HKLM:/Some/Registry/Path" -Name "A Registry Key" -Value "yes"} | Should -Not -Throw
 
         Assert-MockCalled New-Item -Exactly 1 -Scope It -ModuleName BOSH.Registry -ParameterFilter {
-            $Path -eq "HKLM:/Some/Registry/Path" -and $ItemType -eq "Directory"
+            $Path -eq "HKLM:/Some/Registry/Path" -and $ItemType -eq "Directory" -and $Force -eq $True
+        }
+    }
+
+    It "a list of items piped to Set-Registry causes every item in the list to have a key value set" {
+        $keyList = @(
+            [pscustomobject]@{"Path" = "HKCU:/Registry/Key/Path/One"; "Name" = "RegistryOne"; "Value" = "1"},
+            [pscustomobject]@{"Path" = "HKCU:/Registry/Key/Path/Two"; "Name" = "RegistryTwo"; "Value" = "2"},
+            [pscustomobject]@{"Path" = "HKCU:/Registry/Key/Path/Three"; "Name" = "RegistryThree"; "Value" = "3"}
+        )
+
+        $keyList | Set-RegistryProperty
+
+        Assert-MockCalled Set-ItemProperty -Exactly 3 -Scope It -ModuleName BOSH.Registry
+        Assert-MockCalled Set-ItemProperty -Exactly 1 -Scope It -ModuleName BOSH.Registry -ParameterFilter {
+            $Path -eq "HKCU:/Registry/Key/Path/One" -and $Name -eq "RegistryOne" -and $Value -eq "1"
+        }
+        Assert-MockCalled Set-ItemProperty -Exactly 1 -Scope It -ModuleName BOSH.Registry -ParameterFilter {
+            $Path -eq "HKCU:/Registry/Key/Path/Two" -and $Name -eq "RegistryTwo" -and $Value -eq "2"
+        }
+        Assert-MockCalled Set-ItemProperty -Exactly 1 -Scope It -ModuleName BOSH.Registry -ParameterFilter {
+            $Path -eq "HKCU:/Registry/Key/Path/Three" -and $Name -eq "RegistryThree" -and $Value -eq "3"
+        }
+    }
+
+    It "Set-RegistryProperty doesn't call Set-ItemProperty if New-Item fails" {
+        # ErrorAction Parameterfilter is present to ensure we only throw an error on a New-Item call that is configured to throw errors
+        Mock New-Item { Throw 'some error' } -ModuleName BOSH.Registry -ParameterFilter { $PSBoundParameters['ErrorAction'] -eq "Stop" }
+
+        { Set-RegistryProperty -Path "HKLM:/Some/Registry/Path" -Name "A reigstry Key" -Value "no" } | Should -Throw
+
+        Assert-MockCalled Set-ItemProperty -Exactly 0 -Scope It -ModuleName BOSH.Registry
+    }
+
+    It "Set-RegistryProperty throws path couldn't be created if New-Item fails" {
+        # ErrorAction Parameterfilter is present to ensure we only throw an error on a New-Item call that is configured to throw errors
+        Mock New-Item { Throw 'some error' } -ModuleName BOSH.Registry -ParameterFilter { $PSBoundParameters['ErrorAction'] -eq "Stop" }
+
+        { Set-RegistryProperty -Path "Something" -Name "Thing" -Value "no" } | Should -Throw "Unable to create path 'Something'"
+    }
+
+    It "Set-RegistryProperty throws could not set registry key if Set-ItemProperty fails" {
+        # ErrorAction Parameterfilter is present to ensure we only throw an error on a Set-ItemProperty call that is configured to throw errors
+        Mock Set-ItemProperty { Throw 'some error'  } -ModuleName BOSH.Registry -ParameterFilter { $PSBoundParameters['ErrorAction'] -eq "Stop" }
+
+        {Set-RegistryProperty -Path "HKLM:/Some/Registry/Path" -Name "A Registry Key" -Value "yes"} |
+            Should -Throw "Unable to set registry key at 'HKLM:/Some/Registry/Path'"
+    }
+
+    It "Set-InternetExplorerRegistries imports internet-explorer.csv and pipes to Set-RegistryProperty" {
+        Mock Import-Csv { [pscustomobject]@{"Path" = "a"; "Name" = "b"; "Value" = "c"} } -ModuleName BOSH.Registry
+        Mock Set-RegistryProperty { } -ModuleName BOSH.Registry
+
+        { Set-InternetExplorerRegistries } | Should -Not -Throw
+
+        $expectedPath = Join-Path -Path $PSScriptRoot -ChildPath "data\internet-explorer.csv"
+
+        Assert-MockCalled Import-Csv -Exactly 1 -Scope It -ModuleName BOSH.Registry -ParameterFilter {
+            $Path -eq $expectedPath
+        }
+        Assert-MockCalled Set-RegistryProperty -Exactly 1 -Scope It -ModuleName BOSH.Registry -ParameterFilter {
+            $Path -eq "a" -and $Name -eq "b" -and $Value -eq "c"
         }
     }
 }

bosh-psmodules/modules/BOSH.Registry/BOSH.Registry.psd1

@@ -7,7 +7,8 @@
     Description = 'Install Microsoft SSHD'
     PowerShellVersion = '4.0'
     FunctionsToExport = @(
-        'Set-RegistryProperty'
+        'Set-RegistryProperty',
+        'Set-InternetExplorerRegistries'
     )
     CmdletsToExport = @()
     VariablesToExport = @()

bosh-psmodules/modules/BOSH.Registry/BOSH.Registry.psm1

@@ -1,23 +1,64 @@
-<#
-.Synopsis
-    Apply a registry property, ensuring the path to the registry exists
-.Description
-    This cmdlet ensures the registry exists before configuring the requested property
-.Parameter Path
-    The path of the registry the property should be associated with
-.Parameter Name
-    The name of the registry property
-.Parameter Value
-    The value of the registry property
-#>
-Function Set-RegistryProperty {
-    Param(
-        [string]$Path,
-        [string]$Name,
-        [string]$Value
-    )
+function Set-RegistryProperty {
+    <#
+    .SYNOPSIS
+        Apply a registry property, ensuring the path to the registry exists
+    .DESCRIPTION
+        This cmdlet ensures the registry exists before configuring the requested property
+    .PARAMETER Path
+        The path of the registry the property should be associated with
+    .PARAMETER Name
+        The name of the registry property
+    .PARAMETER Value
+        The value of the registry property
+    .INPUTS
+        Any object, or list of objects with properties names Path, Name & Value
+    .OUTPUTS
+        If successful Set-RegistryProperty will not return any output, however it will throw an exception if any part
+        of the command fails
+    #>
 
-    New-Item -Path $Path -ItemType "Directory"
+    [CmdletBinding()]
+    param(
+        [Parameter(ValueFromPipelineByPropertyName)]
+        [String]$Path,
+        [Parameter(ValueFromPipelineByPropertyName)]
+        [String]$Name,
+        [Parameter(ValueFromPipelineByPropertyName)]
+        [String]$Value
+    )
 
-    Set-ItemProperty -Path $Path -Name $Name -Value $Value
+    Process {
+        try{
+            New-Item -Path $Path -ItemType "Directory" -Force -ErrorAction "Stop"
+        } catch {
+            throw "Unable to create path '$Path':$_"
+        }
+        try {
+            Set-ItemProperty -Path $Path -Name $Name -Value $Value -ErrorAction "Stop" #[System.Management.Automation.ActionPreference]::Stop
+        } catch {
+            throw "Unable to set registry key at '$Path':$_"
+        }
+    }
 }
+
+function Set-InternetExplorerRegistries {
+    <#
+    .SYNOPSIS
+        Apply BOSH Windows Stemcell registry settings related to internet explorer
+    .DESCRIPTION
+        Apply Internet Explorer registry settings taken from Microsoft's baseline security analysis tool
+    .INPUTS
+        None. You can't pipe anything in to this command
+    .OUTPUTS
+        Set-InternetExplorerRegistries will return any failure output from Import-Csv or Set-RegistryProperty
+    #>
+
+    [CmdletBinding()]
+
+    param()
+
+    process {
+        $source = Join-Path -Path $PSScriptRoot -ChildPath "data\internet-explorer.csv"
+        Import-Csv -Path $source | Set-RegistryProperty
+    }
+}

bosh-psmodules/modules/BOSH.Registry/data/internet-explorer.csv

@@ -0,0 +1,40 @@
+Path,Name,Value
+HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel,FormSuggest Passwords,1
+HKCU:\Software\Policies\Microsoft\Internet Explorer\Main,FormSuggest Passwords,no
+HKCU:\Software\Policies\Microsoft\Internet Explorer\Main,FormSuggest PW Ask,no
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Download,CheckExeSignatures,yes
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Download,RunInvalidSignatures,0
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds,DisableEnclosureDownload,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main,DisableEPMCompat,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main,Isolation,PMEM
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main,Isolation64Bit,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL,(Reserved),1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL,explorer.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL,iexplore.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING,(Reserved),1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING,explorer.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING,iexplore.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING,(Reserved),1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING,explorer.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING,iexplore.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL,(Reserved),1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL,explorer.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL,iexplore.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD,(Reserved),1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD,explorer.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD,iexplore.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND,(Reserved),1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND,explorer.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND,iexplore.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS,(Reserved),1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS,explorer.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS,iexplore.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION,(Reserved),1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION,explorer.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION,iexplore.exe,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter,EnabledV9,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter,PreventOverride,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter,PreventOverrideAppRepUnknown,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions,NoCrashDetection,1
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Security,DisableSecuritySettingsCheck,0
+HKLM:\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX,BlockNonAdminActiveXInstall,1

scripts/install-bosh-psmodules.ps1

@@ -29,4 +29,6 @@ $path = "C:\Program Files\WindowsPowerShell\Modules"
 Remove-Item -Path (Join-Path $path "BOSH.*") -Force -Recurse
 
 Unzip -ZipFile "C:\provision\bosh-psmodules.zip" -OutPath $path -Keep $false
-Import-Module BOSH.Utils
+
+Import-Module -Name BOSH.Utils
+Import-Module -Name BOSH.Registry