Initial commit

.gitattributes

@@ -0,0 +1 @@
+**/*.psd1  diff

.github/workflows/run_opa_tests.yaml

@@ -0,0 +1,34 @@
+name: Run OPA Tests
+on:
+  # Run tests on each commit, newly opened/reopened PR, and
+  # PR review submission (e.g. approval)
+  workflow_dispatch:
+  push:
+    paths:
+      - "**.rego"
+  pull_request:
+    types: [opened, reopened]
+    branches:
+      - "main"
+    paths:
+      - "**.rego"
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  Run-OPA-Tests:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out repository code
+      uses: actions/checkout@v3
+
+    - name: Setup OPA
+      uses: open-policy-agent/setup-opa@v2
+      with:
+        version: <0.50
+
+    - name: Run OPA Check
+      run: opa check Rego Testing/Unit/Rego --strict
+
+    - name: Run OPA Tests
+      run: opa test Rego/*.rego Testing/Unit/Rego/**/*.rego -v

.github/workflows/run_powershell_tests.yaml

@@ -0,0 +1,42 @@
+name: Run PowerShell Tests
+on:
+  # Run tests on each commit, newly opened/reopened PR, and
+  # PR review submission (e.g. approval)
+  workflow_dispatch:
+  push:
+    paths:
+      - "**.ps1"
+      - "**.psm1"
+      - ".github/workflows/run_powershell_tests.yaml"
+  pull_request:
+    types: [opened, reopened]
+    branches:
+      - "main"
+    paths:
+      - "**.ps1"
+      - "**.psm1"
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  Run-PowerShell-Tests:
+    runs-on: windows-latest
+    steps:
+    - name: Check out repository code
+      uses: actions/checkout@v3
+
+    - name: Remove Graph 2.0
+      shell: powershell
+      run: |
+        # Remove Microsoft.Graph module(s) from image until SCUBA steps up to 2.0+
+        Write-Output "NOTICE: Removing Microsoft.Graph version 2.0.  Remove this step when SCuBA steps up to this version."
+        Uninstall-Module Microsoft.Graph -ErrorAction SilentlyContinue
+        Get-InstalledModule Microsoft.Graph.* | %{ if($_.Name -ne "Microsoft.Graph.Authentication"){ Write-Output "Removing: $($_.Name)"; Uninstall-Module $_.Name -AllowPrerelease -AllVersions } }
+        Uninstall-Module Microsoft.Graph.Authentication -AllowPrerelease -AllVersions
+
+    - name: Run Pester Tests
+      if: '!cancelled()'
+      shell: powershell
+      run: |
+        ./SetUp.ps1
+        Invoke-Pester -Output 'Detailed' -Path './Testing/Unit/PowerShell'

.github/workflows/run_psscriptanalyzer.yaml

@@ -0,0 +1,34 @@
+name: Run PS Linter
+on: 
+  push:
+    paths:
+      - "**.ps1"
+      - "**.psm1"
+  pull_request:
+    types: [opened, reopened]
+    branches:
+      - "main"
+    paths:
+      - "**.ps1"
+      - "**.psm1"
+  workflow_dispatch:
+
+jobs:
+  lint:
+    name: Run PS Linter
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+    steps:
+    - uses: actions/checkout@v2
+    - name: lint
+      uses: docker://devblackops/github-action-psscriptanalyzer:2.4.0
+      with:
+        repoToken: ${{ secrets.GITHUB_TOKEN }}
+        settingsPath: PSScriptAnalyzerSettings.psd1
+        failOnErrors: true
+        failOnWarnings: true
+        failOnInfos: true
+        sendComment: true

.github/workflows/run_release.yaml

@@ -0,0 +1,66 @@
+on: 
+  workflow_dispatch:
+    inputs:
+      releaseName:
+        description: "Release Name"
+        required: true
+        type: string
+      version:
+        description: "Release Version (e.g., 1.2.4)"
+        required: true
+        type: string
+
+name: Build and Sign Release
+
+jobs:
+  build-and-deploy:
+    runs-on: windows-latest
+    env:
+      CODESIGN_PW: ${{ secrets.CODESIGN_PW }}
+      CODESIGN_PFX: ${{ secrets.CODESIGN_PFX }}
+      RELEASE_VERSION: ${{ inputs.version }}
+    permissions:
+      contents: write
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+      with:
+        path: repo
+    - name: Sign Scripts
+      shell: pwsh
+      run: |
+        $ErrorActionPreference = "Stop"
+        $PSDefaultParameterValues['*:ErrorAction']='Stop'
+        Set-StrictMode -Version Latest
+
+        New-Item -ItemType directory -Path certificate
+        Set-Content -Path certificate\cert.txt -Value $env:CODESIGN_PFX
+        certutil -decode certificate\cert.txt certificate\cert.pfx
+
+        $cert = Get-PfxCertificate -FilePath certificate\cert.pfx -Password (ConvertTo-SecureString -String $env:CODESIGN_PW -Force -AsPlainText)
+
+        Get-ChildItem -Recurse -Path repo -Include **.ps1,**.psm1,**.psd1 | ForEach-Object {
+          $path = $_.FullName
+          Set-AuthenticodeSignature -Certificate $cert -FilePath $path -TimestampServer "http://timestamp.digicert.com/" -IncludeChain NotRoot -HashAlgorithm SHA256
+          # Delay for 4 seconds to avoid exceeding rate limits (1000 / 5 minutes, 100 / 5 seconds)
+          Start-Sleep -Seconds 4
+        }
+
+        Remove-Item -Recurse -Force certificate
+        Remove-Item -Recurse -Force repo -Include .git*
+
+        Move-Item  -Path repo -Destination "ScubaGear-${env:RELEASE_VERSION}" -Force
+        Compress-Archive -Path "ScubaGear-${env:RELEASE_VERSION}" -DestinationPath "ScubaGear-${env:RELEASE_VERSION}.zip"
+
+        Get-ChildItem -Path . | Write-Output
+    - name: release
+      uses: softprops/action-gh-release@v1
+      id: create_release
+      with:
+        draft: true
+        prerelease: false
+        name: ${{ inputs.releaseName }}
+        tag_name: v${{ inputs.version }}
+        files: ScubaGear-${{ inputs.version }}.zip
+        generate_release_notes: true
+        fail_on_unmatched_files: true

.github/workflows/run_smoke_test.yaml

@@ -0,0 +1,86 @@
+on: 
+  workflow_dispatch:
+  pull_request:
+    types: [opened, reopened]
+    branches:
+      - "main"
+  pull_request_review:
+      types: [submitted]  
+  push:
+    paths:
+      - ".github/workflows/run_smoke_test.yaml"
+    branches:
+      - "main"
+      - "*smoke*"
+
+name: Smoke Test
+
+jobs:
+  Run-Smoke-Test:
+    runs-on: windows-latest
+    env:
+      SCUBA_GITHUB_AUTOMATION_CREDS: ${{ secrets.SCUBA_GITHUB_AUTOMATION_CREDS }}
+    defaults:
+          run:
+            shell: powershell 
+    permissions:
+      contents: read 
+    steps:
+    - name: Checkout repo code
+      uses: actions/checkout@v3
+
+    - name: Remove Graph 2.0
+      shell: powershell
+      run: |
+        # Remove Microsoft.Graph module(s) from image until SCUBA steps up to 2.0+
+        Write-Output "NOTICE: Removing Microsoft.Graph version 2.0.  Remove this step when SCuBA steps up to this version."
+        Uninstall-Module Microsoft.Graph -ErrorAction SilentlyContinue
+        Get-InstalledModule Microsoft.Graph.* | %{ if($_.Name -ne "Microsoft.Graph.Authentication"){ Write-Output "Removing: $($_.Name)"; Uninstall-Module $_.Name -AllowPrerelease -AllVersions } }
+        Uninstall-Module Microsoft.Graph.Authentication -AllowPrerelease -AllVersions
+  
+    - name: Execute ScubaGear and Check Outputs
+      run: |
+        . Testing/Functional/SmokeTest/SmokeTestUtils.ps1
+        ./AllowBasicAuthentication.ps1 -RunAsAdmin
+
+        ##### Install all the dependencies
+        Install-SmokeTestExternalDependencies
+
+        # ScubaGear currently requires the provisioning of a certificate for using a ServicePrinicpal, rather than
+        # using Workload Identity Federation, which would ordinarily be preferred for calling Microsoft APIs from
+        # GitHub actions.
+        $AUTOMATION_CREDS = $env:SCUBA_GITHUB_AUTOMATION_CREDS | ConvertFrom-Json
+        $TestTenants = $AUTOMATION_CREDS.TestTenants
+        Write-Output "Identified $($TestTenants.Count) Test Tenants"
+
+        $TestContainers = @()
+        ForEach ($TestTenantObj in $TestTenants){
+          $Properties = Get-Member -InputObject $TestTenantObj -MemberType NoteProperty
+          $TestTenant = $TestTenantObj | Select-Object -ExpandProperty $Properties.Name
+          $OrgName = $TestTenant.DisplayName
+          $DomainName = $TestTenant.DomainName
+          $AppId = $TestTenant.AppId
+          $PlainTextPassword = $TestTenant.CertificatePassword
+          $CertPwd = ConvertTo-SecureString -String $PlainTextPassword -Force -AsPlainText
+          $M365Env = $TestTenant.M365Env
+          try {
+            $Result = New-ServicePrincipalCertificate `
+              -EncodedCertificate $TestTenant.CertificateB64 `
+              -CertificatePassword $CertPwd
+            $Thumbprint = $Result[-1]
+          }
+          catch {
+            Write-Output "Failed to install certificate for $OrgName"
+          }
+
+          $TestContainers += New-PesterContainer `
+            -Path "Testing/Functional/SmokeTest/SmokeTest001.Tests.ps1" `
+            -Data @{ Thumbprint = $Thumbprint; Organization = $DomainName; AppId = $AppId; M365Environment = $M365Env }
+          $TestContainers += New-PesterContainer `
+            -Path "Testing/Functional/SmokeTest/SmokeTest002.Tests.ps1" `
+            -Data @{ OrganizationDomain = $DomainName; OrganizationName = $OrgName }
+        }
+
+        Invoke-Pester -Container $TestContainers -Output Detailed
+
+        Remove-MyCertificates

.gitignore

@@ -0,0 +1,29 @@
+# dependencies
+
+# testing
+
+# production
+
+# msc
+*.xml
+*.cer
+*.exe
+/M365/*.xml
+/PowerShell/output
+/PowerShell/example
+/PowerShell/M365Baseline*
+/output
+/example
+/M365Baseline*
+/Reports*
+/utils/Reports*
+/utils/output
+/utils/M365Baseline*
+
+# IDE
+/.vscode
+
+# Reports
+**/M365BaselineConformance*
+/Testing/Functional/Reports*
+/Testing/Functional/Archive*

AllowBasicAuthentication.ps1

@@ -0,0 +1,57 @@
+#Requires -RunAsAdministrator
+
+<#
+    .SYNOPSIS
+        Set Registry to allow basic authentication for WinRM Client
+
+    .DESCRIPTION
+        Run this script to enable basic authentication on your local desktop if you get an error when connecting to Exchange Online.
+
+    .NOTES
+        See README file Troubleshooting section for details.
+        This script requires administrative privileges on your local desktop and updates a registry key.
+#>
+
+function Test-RegistryKey {
+    <#
+        .SYNOPSIS
+            Test if registry key exists
+    #>
+    param (
+        [parameter (Mandatory = $true)]
+        [ValidateNotNullOrEmpty()]$Path,
+        [parameter (Mandatory = $true)]
+        [ValidateNotNullOrEmpty()]$Key
+    )
+
+    try {
+        Get-ItemProperty -Path $Path -Name $Key -ErrorAction Stop | Out-Null
+        return $true
+    }
+    catch {
+        return $false
+    }
+}
+
+$regPath = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
+$regKey = 'AllowBasic'
+
+if (-Not $(Test-Path -LiteralPath $regPath)) {
+    New-Item -Path $regPath -Force | Out-Null
+    New-ItemProperty -Path $regPath -Name $regKey | Out-Null
+} elseif (-Not $(Test-RegistryKey -Path $regPath -Key $regKey)) {
+    New-ItemProperty -Path $regPath -Name $regKey | Out-Null
+}
+
+try {
+    $allowBasic = Get-ItemPropertyValue -Path $regPath -Name $regKey -ErrorAction Stop
+
+    if ($allowBasic -ne '1') {
+        Set-ItemProperty -Path $regPath -Name $regKey -Type DWord -Value '1'
+    }
+}
+catch {
+    Write-Error -Message "Unexpected error occured attempting to update registry key, $regKey."
+}
+
+