Correctly handles fully decrypted volumes when correct Key Protectors is present (#16)

- Fixed issue which caused Test-TargetResource to incorrectly succeed on fully
  decrypted volumes when correct Key Protectors were present (issue #13)

Author: MartinVokurek

Misc/xBitlockerCommon.psm1

@@ -86,7 +86,7 @@ function EnableBitlocker
         {
             throw "A TpmProtector must be used if Pin is used."
         }
-    
+
         if ($PSBoundParameters.ContainsKey("AdAccountOrGroupProtector") -and $PrimaryProtector -notlike "AdAccountOrGroupProtector" -and !(ContainsKeyProtector -Type "AdAccountOrGroup" -KeyProtectorCollection $blv.KeyProtector))
         {
             Write-Verbose "Adding AdAccountOrGroupProtector"
@@ -164,7 +164,7 @@ function EnableBitlocker
                 $handledTpmAlready = $true
 
                 $params.Add("Pin", $Pin.Password)
-                
+
                 if ($PSBoundParameters.ContainsKey("StartupKeyProtector"))
                 {
                     $params.Add("TpmAndPinAndStartupKeyProtector", $true)
@@ -181,7 +181,7 @@ function EnableBitlocker
                 $handledTpmAlready = $true
 
                 $params.Add("TpmAndStartupKeyProtector", $true)
-                $params.Add("StartupKeyPath", $StartupKeyPath)                
+                $params.Add("StartupKeyPath", $StartupKeyPath)
             }
 
 
@@ -325,6 +325,11 @@ function TestBitlocker
         Write-Verbose "Unable to locate MountPoint: $($MountPoint)"
         return $false
     }
+    elseif ($blv.VolumeStatus -eq "FullyDecrypted")
+    {
+        Write-Verbose "MountPoint: $($MountPoint) Not Encrypted"
+        return $false
+    }
     elseif ($blv.KeyProtector -eq $null -or $blv.KeyProtector.Count -eq 0)
     {
         Write-Verbose "No key protectors on MountPoint: $($MountPoint)"
@@ -352,7 +357,7 @@ function TestBitlocker
         if ($PSBoundParameters.ContainsKey("Pin") -and !(ContainsKeyProtector -Type "TpmPin" -KeyProtectorCollection $blv.KeyProtector -StartsWith $true))
         {
             Write-Verbose "MountPoint '$($MountPoint) 'does not have TpmPin assigned."
-            return $false            
+            return $false
         }
 
         if ($PSBoundParameters.ContainsKey("RecoveryKeyProtector") -and !(ContainsKeyProtector -Type "ExternalKey" -KeyProtectorCollection $blv.KeyProtector))
@@ -383,7 +388,7 @@ function TestBitlocker
                 {
                     Write-Verbose "MountPoint '$($MountPoint) 'does not have TPM + StartupKey protector."
                     return $false
-                }          
+                }
             }
         }
 
@@ -397,7 +402,7 @@ function TestBitlocker
     return $true
 }
 
-#Ensures that required Bitlocker prereqs are installed 
+#Ensures that required Bitlocker prereqs are installed
 function CheckForPreReqs
 {
     $hasAllPreReqs = $true

README.md

@@ -131,6 +131,8 @@ Defaults to false.
 * Fixed encoding on README.md.
 * Added `PowerShellVersion = '4.0'`, and updated copyright information, in the
   module manifest.
+* Fixed issue which caused Test to incorrectly succeed on fully decrypted volumes when correct Key Protectors were present ([issue #13](https://github.com/PowerShell/xBitlocker/issues/13))
+
 
 ### 1.1.0.0
 

Tests/Unit/xBitlockerCommon.tests.ps1

@@ -0,0 +1,108 @@
+$script:moduleRoot = Split-Path -Parent (Split-Path -Parent $PSScriptRoot)
+Import-Module -Name (Join-Path -Path $script:moduleRoot -ChildPath (Join-Path -Path 'Misc' -ChildPath 'xBitlockerCommon.psm1')) -Force
+
+# Begin Testing
+try
+{
+    InModuleScope "xBitlockerCommon" {
+
+        function Get-BitlockerVolume
+        {
+            param
+            (
+                [Parameter()]
+                [System.String]
+                $MountPoint
+            )
+        }
+
+        Describe "xBitlockerCommon\TestBitlocker" {
+
+            Context 'When OS Volume is not Encrypted and No Key Protectors Assigned' {
+                Mock `
+                    -CommandName Get-BitlockerVolume `
+                    -ModuleName 'xBitlockerCommon' `
+                    -MockWith {
+                            # Decrypted with no Key Protectors
+                            return @{
+                            VolumeType = 'OperatingSystem'
+                            MountPoint = $MountPoint
+                            CapacityGB = 500
+                            VolumeStatus = 'FullyDecrypted'
+                            EncryptionPercentage = 0
+                            KeyProtector = @()
+                            AutoUnlockEnabled = $null
+                            ProtectionStatus = 'Off'
+                        }
+                    }
+
+                It 'Should Fail The Test (TPM and RecoveryPassword Protectors)' {
+                    TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TPMProtector' -RecoveryPasswordProtector $true | Should -Be $false
+                }
+            }
+
+            Context 'When OS Volume is Encrypted using TPM and Recovery Password Protectors' {
+                Mock `
+                    -CommandName Get-BitlockerVolume `
+                    -ModuleName 'xBitlockerCommon' `
+                    -MockWith {
+                        # Encrypted with TPM and Recovery Password Key Protectors
+                        return @{
+                            VolumeType = 'OperatingSystem'
+                            MountPoint = $MountPoint
+                            CapacityGB = 500
+                            VolumeStatus = 'FullyEncrypted'
+                            EncryptionPercentage = 100
+                            KeyProtector = @(
+                                @{
+                                    KeyProtectorType = 'Tpm'
+                                },
+                                @{
+                                    KeyProtectorType = 'RecoveryPassword'
+                                }
+                            )
+                            AutoUnlockEnabled = $null
+                            ProtectionStatus = 'On'
+                        }
+                    }
+
+                It 'Should Pass The Test (TPM and RecoveryPassword Protectors)' {
+                    TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TPMProtector' -RecoveryPasswordProtector $true -verbose | Should -Be $true
+                }
+            }
+
+            Context 'When OS Volume is Decrypted, but has TPM and Recovery Password Protectors assigned' {
+                Mock `
+                    -CommandName Get-BitlockerVolume `
+                    -ModuleName 'xBitlockerCommon' `
+                    -MockWith {
+                        # Encrypted with TPM and Recovery Password Key Protectors
+                        return @{
+                            VolumeType = 'OperatingSystem'
+                            MountPoint = $MountPoint
+                            CapacityGB = 500
+                            VolumeStatus = 'FullyDecrypted'
+                            EncryptionPercentage = 0
+                            KeyProtector = @(
+                                @{
+                                    KeyProtectorType = 'Tpm'
+                                },
+                                @{
+                                    KeyProtectorType = 'RecoveryPassword'
+                                }
+                            )
+                            AutoUnlockEnabled = $null
+                            ProtectionStatus = 'Off'
+                        }
+                    }
+
+                It 'Should Fail The Test (TPM and RecoveryPassword Protectors)' {
+                    TestBitlocker -MountPoint 'C:' -PrimaryProtector 'TPMProtector' -RecoveryPasswordProtector $true | Should -Be $false
+                }
+            }
+        }
+    }
+}
+finally
+{
+}