working on #884 - add invalid owner and AsymmetricKeySize

jpomfret · jpomfret · commit b5f6e66f4541 · 2022-05-27T18:11:15.000+01:00
diff --git a/checks/Databasev5.Tests.ps1 b/checks/Databasev5.Tests.ps1
@@ -83,7 +83,24 @@ Describe "Valid Database Owner" -Tag ValidDatabaseOwner, Medium, Database -ForEa
 }
 
 
-#and can evey check have a skip policy.GROUP.UNIQUETAG - if it doesnt have one already and that will live on the line below the describe
+Describe "Invalid Database Owner" -Tag InvalidDatabaseOwner, Medium, Database -ForEach $InstancesToTest {
+    $skip = Get-DbcConfigValue skip.database.invaliddatabaseowner
+    Context "Testing Database Owners on <_.Name>" {
+
+        It "Database <_.Name> - owner '<_.Owner>' should not be in this list ( <_.ConfigValues.invaliddbownername> ) ) on <_.SqlInstance>" -Skip:$skip -ForEach $psitem.Databases.Where{ if ($Database) { $_.Name -in $Database } else { $psitem.ConfigValues.invaliddbownerexclude -notcontains $PsItem.Name } } {
+            $psitem.Owner | Should -Not -BeIn $psitem.ConfigValues.invaliddbownername -Because "The database owner was one specified as incorrect"
+        }
+    }
+}
 
+Describe "AsymmetricKeySize" -Tag AsymmetricKeySize, CIS, Database -ForEach $InstancesToTest {
+    $skip = Get-DbcConfigValue skip.security.asymmetrickeysize
+    Context "Testing Asymmetric Key Size is 2048 or higher on <_.Name>" {
+        It "Database <_.Name> asymmetric key size should be at least 2048 on <_.SqlInstance>" -Skip:$skip -ForEach $psitem.Databases.Where{ if ($Database) { $_.Name -in $Database } else { $psitem.ConfigValues.asymmetrickeysizeexclude -notcontains $PsItem.Name } } {
+            $psitem.AsymmetricKeySize | Should -Be 0 -Because "Asymmetric keys should have a key length greater than or equal to 2048"
+            #$psitem.AsymmetricKeySize | Should -BeGreaterOrEqual 2048 -Because "Asymmetric keys should have a key length greater than or equal to 2048"
+        }
+    }
+}
 
 
diff --git a/internal/configurations/configuration.ps1 b/internal/configurations/configuration.ps1
@@ -228,6 +228,11 @@ Set-PSFConfig -Module dbachecks -Name policy.build.behind -Value $null -Initiali
 # for full options
 # 1 for Sunday 127 for every day
 
+# exclude databases
+Set-PSFConfig -Module dbachecks -Name policy.asymmetrickeysize.excludedb -Value @('master', 'msdb', 'tempdb')  -Initialize -Description "Databases to exclude from asymmetric key size checks"
+
+
+
 # skips - these are for whole checks that should not run by default or internal commands that can't be skipped using ExcludeTag
 Set-PSFConfig -Module dbachecks -Name skip.dbcc.datapuritycheck -Validation bool -Value $false -Initialize -Description "Skip data purity check in last good dbcc command"
 Set-PSFConfig -Module dbachecks -Name skip.backup.testing -Validation bool -Value $true -Initialize -Description "Don't run Test-DbaLastBackup by default (it's not read-only)"
@@ -247,6 +252,7 @@ Set-PSFConfig -Module dbachecks -Name skip.diffbackuptest -Validation bool -Valu
 Set-PSFConfig -Module dbachecks -Name skip.database.filegrowthdisabled -Validation bool -Value $true -Initialize -Description "Skip validation of datafiles which have growth value equal to zero."
 Set-PSFConfig -Module dbachecks -Name skip.database.logfilecounttest -Validation bool -Value $false -Initialize -Description "Skip the logfilecount test"
 Set-PSFConfig -Module dbachecks -Name skip.database.validdatabaseowner -Validation bool -Value $false -Initialize -Description "Skip the valid database owner test"
+Set-PSFConfig -Module dbachecks -Name skip.database.invaliddatabaseowner -Validation bool -Value $false -Initialize -Description "Skip the invalid database owner test"
 Set-PSFConfig -Module dbachecks -Name skip.database.databasecollation -Validation bool -Value $false -Initialize -Description "Skip the database collation test"
 Set-PSFConfig -Module dbachecks -Name skip.database.suspectpage -Validation bool -Value $false -Initialize -Description "Skip the suspect pages test"
 
diff --git a/internal/functions/Get-AllDatabaseInfo.ps1 b/internal/functions/Get-AllDatabaseInfo.ps1
@@ -49,12 +49,23 @@ function Get-AllDatabaseInfo {
     # Using there so that if the instance is not contactable, no point carrying on with gathering more information
     switch ($tags) {
 
+        'AsymmetricKeySize' {
+            $asymmetrickey = $true
+            $ConfigValues | Add-Member -MemberType NoteProperty -Name 'asymmetrickeysizeexclude' -Value (Get-DbcConfigValue policy.asymmetrickeysize.excludedb)
+        }
+
         'ValidDatabaseOwner' {
             $owner = $true
             $ConfigValues | Add-Member -MemberType NoteProperty -Name 'validdbownername' -Value (Get-DbcConfigValue policy.validdbowner.name)
             $ConfigValues | Add-Member -MemberType NoteProperty -Name 'validdbownerexclude' -Value (Get-DbcConfigValue policy.validdbowner.excludedb)
         }
 
+        'InvalidDatabaseOwner' {
+            $owner = $true
+            $ConfigValues | Add-Member -MemberType NoteProperty -Name 'invaliddbownername' -Value (Get-DbcConfigValue policy.invaliddbowner.name)
+            $ConfigValues | Add-Member -MemberType NoteProperty -Name 'invaliddbownerexclude' -Value (Get-DbcConfigValue policy.invaliddbowner.excludedb)
+        }
+
         'DatabaseCollation' {
             $collation = $true
             $ConfigValues | Add-Member -MemberType NoteProperty -Name 'wrongcollation' -Value (Get-DbcConfigValue policy.database.wrongcollation)
@@ -73,16 +84,18 @@ function Get-AllDatabaseInfo {
         ComputerName     = $Instance.ComputerName
         InstanceName     = $Instance.DbaInstanceName
         Name             = $Instance.Name
-        ConfigValues    = $ConfigValues # can we move this out?
+        ConfigValues    = $ConfigValues # can we move this out to here?
         Databases        = $Instance.Databases.Foreach{
             [PSCustomObject]@{
-                Name            = $psitem.Name
-                SqlInstance     = $Instance.Name
-                Owner           = if ($owner) { $psitem.owner }
-                ServerCollation = if ($collation) { $Instance.collation }
-                Collation       = if ($collation) { $psitem.collation }
-                SuspectPage     = if ($suspectPage) { (Get-DbaSuspectPage -SqlInstance $Instance -Database $psitem.Name | Measure-Object).Count }
-                ConfigValues    = $ConfigValues # can we move this out?
+                Name                = $psitem.Name
+                SqlInstance         = $Instance.Name
+                Owner               = if ($owner) { $psitem.owner }
+                ServerCollation     = if ($collation) { $Instance.collation }
+                Collation           = if ($collation) { $psitem.collation }
+                SuspectPage         = if ($suspectPage) { (Get-DbaSuspectPage -SqlInstance $Instance -Database $psitem.Name | Measure-Object).Count }
+                ConfigValues        = $ConfigValues # can we move this out?
+                AsymmetricKeySize   = if ($asymmetrickey) { ($psitem.AsymmetricKeys | Where-Object { $_.KeyLength -lt 2048} | Measure-Object).Count }
+                #AsymmetricKeySize   = if ($asymmetrickey) { $psitem.AsymmetricKeys.KeyLength }  # doing this I got $null if there wasn't a key 
             }
         }
     }
