Framework/Core/SVT/Services/ServiceFabric.ps1

Set-StrictMode -Version Latest 
class ServiceFabric : SVTBase
{       
    # ARM representation of the cluster as returned by Get-AzResource; loaded once by GetResourceObject().
    hidden [PSObject] $ResourceObject;
    # Value of the cluster's $DefaultTagName tag, when that tag is present on the resource.
    hidden [string] $ClusterTagValue;
    # Applications returned by Get-ServiceFabricApplication after a cluster connection has been established.
    hidden [PSObject] $ApplicationList;
    hidden [string] $DefaultTagName = "clusterName"
    # Certificate store (Cert:\<location>\<name>) searched for the cluster certificate when connecting with X509 credentials.
    hidden [string] $CertStoreLocation = "CurrentUser"
    hidden [string] $CertStoreName = "My"
    # True only for a local SpotCheck scan on a machine where Connect-ServiceFabricCluster is available;
    # controls that need the SDK are otherwise reported as Manual.
    hidden [boolean] $IsSDKAvailable = $false

    ServiceFabric([string] $subscriptionId, [SVTResource] $svtResource): 
        Base($subscriptionId, $svtResource) 
    { 
        $this.GetResourceObject();
        
    }

    hidden [PSObject] GetResourceObject()
    {
        if (-not $this.ResourceObject) 
        {
            $this.ResourceObject =  Get-AzResource -ResourceGroupName $this.ResourceContext.ResourceGroupName -ResourceType $this.ResourceContext.ResourceType -Name $this.ResourceContext.ResourceName    

            $this.ResourceObject.Tags.GetEnumerator() | Where-Object { $_.Key -eq $this.DefaultTagName } | ForEach-Object {$this.ClusterTagValue = $_.Value }
            
            # Check if Service Fabric SDK is installed
            try {

                $scanSource = [RemoteReportHelper]::GetScanSource();         
                if($scanSource -eq [ScanSource]::SpotCheck -and (Get-Command Connect-ServiceFabricCluster -ErrorAction SilentlyContinue)){    
                    $this.IsSDKAvailable = $true        
                }else
                {
                  $this.IsSDKAvailable = $false    
                }

            }catch {
                # No need to break execution
                # All controls which requires SDK to be present in user machine will be treated as manual controls
                $this.IsSDKAvailable = $false
            }
            
            
            if(-not $this.ResourceObject)
            {
                throw ([SuppressedException]::new(("Resource '{0}' not found under Resource Group '{1}'" -f ($this.ResourceContext.ResourceName), ($this.ResourceContext.ResourceGroupName)), [SuppressedExceptionType]::InvalidOperation))
            }
        }
        return $this.ResourceObject;
    }

    [ControlItem[]] ApplyServiceFilters([ControlItem[]] $controls)
    {
        $result = @();
        #Check VM type
        $VMType = $this.ResourceObject.Properties.vmImage
        if($VMType -eq "Linux")
        {
            $result += $controls | Where-Object { $_.Tags -contains "Linux" };
        }
        else
        {
            $result += $controls | Where-Object { $_.Tags -contains "Windows" };;
        }
        return $result;
    }

    hidden [ControlResult] CheckSecurityMode([ControlResult] $controlResult)
    {
        $isCertificateEnabled = [Helpers]::CheckMember($this.ResourceObject.Properties,"certificate" ) 
        
        #Validate if primary certificate is enabled on cluster. Presence of certificate property value indicates, security mode is turned on.
        if($isCertificateEnabled)
        {            
            $controlResult.AddMessage([VerificationResult]::Passed,"Service Fabric cluster is secured with certificate", $this.ResourceObject.Properties.certificate);
        }
        else
        {            
            $controlResult.AddMessage([VerificationResult]::Failed,"Service Fabric cluster is not secured with certificate");
        }
        return $controlResult;    
    }

    hidden [ControlResult] CheckClusterCertificateSSL([ControlResult] $controlResult)
    {
        $managementEndpointUri = $this.ResourceObject.Properties.managementEndpoint
        $managementEndpointUriScheme = ([System.Uri]$managementEndpointUri).Scheme               

        #Validate if cluster management endpoint url is SSL enabled
        if($managementEndpointUriScheme -eq "https")
        {   
            #Hit web request to management endpoint uri and validate certificate trust level
            $request = [System.Net.HttpWebRequest]::Create($managementEndpointUri) 
            try
            {
                $request.GetResponse().Dispose()
                $controlResult.AddMessage([VerificationResult]::Passed,"Service Fabric cluster is protected with CA signed certificate");                    
            }
            catch [System.Net.WebException]
            {
                #Trust failure indicates self-signed certificate or domain mismatch certificate present on endpoint
                if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure)
                {                        
                    $controlResult.AddMessage([VerificationResult]::Verify,"Validate if self-signed certificate is not used for cluster management endpoint protection",$this.ResourceObject.Properties.managementEndpoint);
                    $controlResult.SetStateData("Management endpoint", $this.ResourceObject.Properties.managementEndpoint);
                }
                elseif($_.Exception.Message.Contains('403'))
                {
                    $controlResult.AddMessage([VerificationResult]::Passed,"Service Fabric cluster is protected with CA signed certificate");
                }
                else
                {                    
                    $controlResult.AddMessage([VerificationResult]::Manual,"Unable to Validate certificate details. Please verify manually that self-signed certificate is not used for cluster management endpoint protection",$this.ResourceObject.Properties.managementEndpoint);
                    $controlResult.AddMessage($_.Exception.Message);
                }
            }
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Failed,"Service Fabric cluster is not protected by SSL")
        }
        return $controlResult;    
    }

    hidden [ControlResult] CheckAADClientAuthentication([ControlResult] $controlResult)
    {
        $isAADEnabled = [Helpers]::CheckMember($this.ResourceObject.Properties,"azureActiveDirectory")
        
        #Presence of 'AzureActiveDirectory' indicates, AAD authentication is enabled for client authentication
        if($isAADEnabled)
        {            
            $controlResult.AddMessage([VerificationResult]::Passed,"AAD is enabled for client authentication",$this.ResourceObject.Properties.azureActiveDirectory )
        }
        else
        {            
            $controlResult.AddMessage([VerificationResult]::Failed,"AAD is not enabled for client authentication")
        }

        return $controlResult
    }

    hidden [ControlResult] CheckClusterProtectionLevel([ControlResult] $controlResult)
    {
        $fabricSecuritySettings = $this.ResourceObject.Properties.fabricSettings | Where-Object {$_.Name -eq "Security"}

        #Absence of security settings indicates, secure mode is not enabled on cluster.
        if($null -ne $fabricSecuritySettings)
        {
            $clusterProtectionLevel = $fabricSecuritySettings.parameters | Where-Object { $_.name -eq "ClusterProtectionLevel"}
            if($clusterProtectionLevel.value -eq "EncryptAndSign")
            {
              $controlResult.AddMessage([VerificationResult]::Passed,"Cluster security is ON with 'EncryptAndSign' protection level",$clusterProtectionLevel);
            }
            else 
            {
              $controlResult.AddMessage([VerificationResult]::Failed,"Cluster security is not set with 'EncryptAndSign' protection level. Current protection level is :", $clusterProtectionLevel);
                $controlResult.SetStateData("Cluster protection level", $clusterProtectionLevel);
            }
        }
        else
        {
          $controlResult.AddMessage([VerificationResult]::Failed,"Cluster security is OFF");
        }

        return $controlResult
    }

    hidden [ControlResult[]] CheckNSGConfigurations([ControlResult] $controlResult)
    {
        $isVerify = $true;
        $nsgEnabledVNet = @{};
        $nsgDisabledVNet = @{};

        $virtualNetworkResources = $this.GetLinkedResources("Microsoft.Network/virtualNetworks") 
        if($virtualNetworkResources -ne $null)
        {
            #Iterate through all cluster linked VNet resources
            $virtualNetworkResources |ForEach-Object{            
                $virtualNetwork=Get-AzVirtualNetwork -ResourceGroupName $_.ResourceGroupName -Name $_.Name 
                $subnetConfig = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $virtualNetwork
                #Iterate through Subnet and validate if NSG is configured or not
                $subnetConfig | ForEach-Object{
                    $subnetName =$_.Name
                    $isCompliant =  ($null -ne $_.NetworkSecurityGroup)        
                    #If NSG is enabled on Subnet display all security rules applied
                    if($isCompliant)
                    {
                        $nsgResource = Get-AzResource -ResourceId $_.NetworkSecurityGroup.Id
                        $nsgResourceDetails = Get-AzNetworkSecurityGroup -ResourceGroupName $nsgResource.ResourceGroupName -Name $nsgResource.Name                
                        
                        $nsgEnabledVNet.Add($subnetName, $nsgResourceDetails)
                    }
                    #If NSG is not enabled on Subnet, fail the TCP with Subnet details
                    else
                    {
                        $nsgDisabledVNet.Add($subnetName, $_)
                        $isVerify = $false
                    } 
                }                
            }

            if($nsgEnabledVNet.Keys.Count -gt 0)
            {
                $nsgEnabledVNet.Keys  | Foreach-Object {
                    $controlResult.AddMessage("Validate NSG security rules applied on subnet '$_'",$nsgEnabledVNet[$_]);
                }
            }

            if($nsgDisabledVNet.Keys.Count -gt 0)
            {
                $nsgDisabledVNet.Keys  | Foreach-Object {
                    $controlResult.AddMessage("NSG is not configured on subnet '$_'",$nsgDisabledVNet[$_]);
                }
            }

            if($isVerify)
            {
                $controlResult.VerificationResult = [VerificationResult]::Verify;
            }
            else
            {
                $controlResult.VerificationResult = [VerificationResult]::Failed;
            }

            $NSGState = New-Object -TypeName PSObject 
            $NSGState | Add-Member -NotePropertyName NSGConfiguredSubnet -NotePropertyValue $nsgEnabledVNet
            $NSGState | Add-Member -NotePropertyName NSGNotConfiguredSubnet -NotePropertyValue $nsgDisabledVNet

            $controlResult.SetStateData("NSG security rules applied on subnet", $NSGState);
        }else{
            $controlResult.AddMessage("Not able to fetch details of VNet resources linked with cluster.");
            $controlResult.AddMessage("Manually verify that NSG is enabled on Subnet.");
            $controlResult.VerificationResult = [VerificationResult]::Manual;
        }
        

        return $controlResult        
    }

    hidden [ControlResult[]] CheckVmssDiagnostics([ControlResult] $controlResult)
    {
        $isPassed = $true;
        $diagnosticsEnabledScaleSet = @{};
        $diagnosticsDisabledScaleSet = @{};
        $vmssResources = $this.GetLinkedResources("Microsoft.Compute/virtualMachineScaleSets")
        #Iterate through cluster linked vmss resources
        $vmssResources | ForEach-Object{
            $VMScaleSetName = $_.Name    
            $nodeTypeResource = Get-AzVMss -ResourceGroupName  $_.ResourceGroupName -VMScaleSetName  $VMScaleSetName

            # Fetch diagnostics settings based on OS
            if($this.ResourceObject.Properties.vmImage -eq "Linux")
            {
                $diagnosticsSettings = $nodeTypeResource.VirtualMachineProfile.ExtensionProfile.Extensions  | ? { $_.Type -eq "LinuxDiagnostic" -and $_.Publisher -eq "Microsoft.OSTCExtensions" }                
            }
            else
            {
                   $diagnosticsSettings = $nodeTypeResource.VirtualMachineProfile.ExtensionProfile.Extensions  | ? { $_.Type -eq "IaaSDiagnostics" -and $_.Publisher -eq "Microsoft.Azure.Diagnostics" }
            }
            #Validate if diagnostics is enabled on vmss
            if($null -ne $diagnosticsSettings )
            {
                $diagnosticsEnabledScaleSet.Add($VMScaleSetName, $diagnosticsSettings)        
            }
            else
            {
                $isPassed = $false;
                $diagnosticsDisabledScaleSet.Add($VMScaleSetName, $diagnosticsSettings)        
            } 
        }

        if($diagnosticsEnabledScaleSet.Keys.Count -gt 0)
        {
            $diagnosticsEnabledScaleSet.Keys  | Foreach-Object {
                $controlResult.AddMessage("Diagnostics is enabled on Vmss '$_'",$diagnosticsEnabledScaleSet[$_]);
            }
        }

        if($diagnosticsDisabledScaleSet.Keys.Count -gt 0)
        {
            $diagnosticsDisabledScaleSet.Keys  | Foreach-Object {
                $controlResult.AddMessage("Diagnostics is disabled on Vmss '$_'",$diagnosticsDisabledScaleSet[$_]);
            }
        }

        if($isPassed)
        {
            $controlResult.VerificationResult = [VerificationResult]::Passed;
        }
        else
        {
            $controlResult.VerificationResult = [VerificationResult]::Failed;
            $controlResult.SetStateData("Diagnostics is disabled on Vmss", $diagnosticsDisabledScaleSet);
        }
        return $controlResult        
    }
    hidden [ControlResult[]] CheckReverseProxyPort([ControlResult] $controlResult)
    {
        # add attestation details
        $isPassed = $true;
        $reverseProxyEnabledNode = @{};
        $reverseProxyDisabledNode = @();
        $reverseProxyExposedNode = @{};
        $nodeTypes= $this.ResourceObject.Properties.nodeTypes
        #Iterate through each node
        $nodeTypes | ForEach-Object{

            if([Helpers]::CheckMember($_,"reverseProxyEndpointPort"))
            {
                $reverseProxyEnabledNode.Add($_.name, $_.reverseProxyEndpointPort)
            }else{
                $reverseProxyDisabledNode += $_.name
            }
        }
        # if reverse proxy is not enabled in any node, pass TCP
        if(($reverseProxyEnabledNode | Measure-Object).Count -gt 0)
        {
            $loadBalancerBackendPorts = @()
            $loadBalancerResources = $this.GetLinkedResources("Microsoft.Network/loadBalancers")
            #Collect all open ports on load balancer
            $loadBalancerResources | ForEach-Object{
                $loadBalancerResource = Get-AzLoadBalancer -Name $_.Name -ResourceGroupName $_.ResourceGroupName
                $loadBalancingRules = @($loadBalancerResource.FrontendIpConfigurations | ? { $null -ne $_.PublicIpAddress } | ForEach-Object { $_.LoadBalancingRules })
            
                $loadBalancingRules | ForEach-Object {
                    $loadBalancingRuleId = $_.Id;
                    $loadBalancingRule = $loadBalancerResource.LoadBalancingRules | ? { $_.Id -eq  $loadBalancingRuleId } | Select-Object -First 1
                    $loadBalancerBackendPorts += $loadBalancingRule.BackendPort;
                };   
            }
            #If no ports open, Pass the TCP
            if($loadBalancerBackendPorts.Count -eq 0)
            {
                $controlResult.AddMessage("No ports enabled in load balancer.")  
                $controlResultList += $controlResult      
            }
            #If Ports are open for public in load balancer, check if any reverse proxy port is exposed
            else
            {
                $reverseProxyEnabledNode.Keys  | Foreach-Object {
                    if($loadBalancerBackendPorts.Contains( [Int32] $reverseProxyEnabledNode[$_]))
                    {
                        $isPassed = $false;
                        $controlResult.AddMessage("Reverse proxy port is publicly exposed for node '$_'");
                        $reverseProxyExposedNode.Add($_, $reverseProxyEnabledNode[$_])
                    }else{
                        $controlResult.AddMessage("Reverse proxy port is not publicly exposed for node '$_'.") 
                    }
                    
                }
            }
        }else{
            $controlResult.AddMessage("Reverse proxy service is not enabled in cluster.") 
        }
        if($isPassed)
        {
            
            $controlResult.VerificationResult = [VerificationResult]::Passed;
        }
        else
        {
            $controlResult.VerificationResult = [VerificationResult]::Failed;
            $controlResult.SetStateData("Reverse proxy port is publicly exposed", $reverseProxyExposedNode);
        }
        return $controlResult
    }

    hidden [ControlResult] CheckClusterUpgradeMode([ControlResult] $controlResult)
    {
        if([Helpers]::CheckMember($this.ResourceObject.Properties,"upgradeMode") -and $this.ResourceObject.Properties.upgradeMode -eq "Automatic")
        {            
            $controlResult.AddMessage([VerificationResult]::Passed,"Upgrade mode for cluster is set to automatic." )
        }
        else
        {            
            $controlResult.AddMessage([VerificationResult]::Failed,"Upgrade mode for cluster is set to manual.")
        }

        return $controlResult
    }

    hidden [ControlResult[]] CheckStatefulServiceReplicaSetSize([ControlResult] $controlResult)
    {   
        $isConnectionSuccessful = $false
        if($this.IsSDKAvailable -eq $true)
        {
            #Function to validate authentication and connect with Service Fabric cluster
            $sfCluster = $null       
            $uri = ([System.Uri]$this.ResourceObject.Properties.managementEndpoint).Host                
            $primaryNodeType = $this.ResourceObject.Properties.nodeTypes | Where-Object { $_.isPrimary -eq $true }
                    
            $ClusterConnectionUri = $uri +":"+ $primaryNodeType.clientConnectionEndpointPort
            $isClusterSecure =  [Helpers]::CheckMember($this.ResourceObject.Properties,"certificate" )               
                    
            if($isClusterSecure)
            {
                    $serviceFabricCertificate = $this.ResourceObject.Properties.certificate              
                    $CertThumbprint= $this.ResourceObject.Properties.certificate.thumbprint
                    $serviceFabricAAD = $null
                    if([Helpers]::CheckMember($this.ResourceObject.Properties,"azureActiveDirectory" ))
                    {
                        $serviceFabricAAD =$this.ResourceObject.Properties.azureActiveDirectory
                    }  
                    if($null -ne $serviceFabricAAD)
                    {
                        try
                        {
                            $this.PublishCustomMessage("Connecting Service Fabric using AAD...")
                            $sfCluster = Connect-ServiceFabricCluster -ConnectionEndpoint $ClusterConnectionUri -AzureActiveDirectory -ServerCertThumbprint $CertThumbprint #-SecurityToken "
                            $isConnectionSuccessful = $true
                            $this.PublishCustomMessage("Connection using AAD is successful.")
                        }
                        catch
                        {
                            $this.PublishCustomMessage("You may not have permission to connect with cluster", [MessageType]::Warning);
                        }
                    }              
                    else
                    {
                        $this.PublishCustomMessage("Validating if cluster certificate present on machine...")
                        $IsCertPresent = (Get-ChildItem -Path "Cert:\$($this.CertStoreLocation)\$($this.CertStoreName)" | Where-Object {$_.Thumbprint -eq $CertThumbprint }| Measure-Object).Count                   
                        if($IsCertPresent)
                        {
                           try
                           {
                              $this.PublishCustomMessage("Connecting Service Fabric using certificate")
                              $sfCluster = Connect-serviceFabricCluster -ConnectionEndpoint $ClusterConnectionUri -KeepAliveIntervalInSec 10 -X509Credential -ServerCertThumbprint $CertThumbprint -FindType FindByThumbprint -FindValue $CertThumbprint -StoreLocation $this.CertStoreLocation -StoreName $this.CertStoreName 
                              $isConnectionSuccessful = $true
                           }catch
                           {
                               $this.PublishCustomMessage("Cannot connect with Service Fabric cluster using cluster certificate. Verify that valid cluster certificate is present in 'CurrentUser' location.", [MessageType]::Warning);    
                           }
                                                
                        }
                        else
                        {
                            $this.PublishCustomMessage("Cannot connect with Service Fabric cluster due to unavailability of cluster certificate in local machine. Validate cluster certificate is present in 'CurrentUser' location.", [MessageType]::Warning);                    
                        }
                    }                    
            }
            else
            {
                $sfCluster = Connect-serviceFabricCluster -ConnectionEndpoint $ClusterConnectionUri
                $isConnectionSuccessful = $true
                $this.PublishCustomMessage("Service Fabric connection is successful");
            }
            
            try
            {
              $this.ApplicationList = Get-ServiceFabricApplication -ErrorAction SilentlyContinue
            }catch
            {
               # No need to break execution, handled in next condition
            }

            $isPassed = $true;
            $complianteServices = @{};
            $nonComplianteServices = @{};
            #Iterate through the applications present in cluster
            if($isConnectionSuccessful -eq $false)
            {
              $controlResult.AddMessage([VerificationResult]::Manual,"Cannot connect with Service Fabric cluster.")
              $controlResult.CurrentSessionContext.Permissions.HasRequiredAccess = $false;

            }elseif($this.ApplicationList)
            {
                $this.ApplicationList | ForEach-Object{
                    $serviceFabricApplication = $_

                    Get-ServiceFabricService -ApplicationName $serviceFabricApplication.ApplicationName | ForEach-Object{                
                        $serviceName = $_.ServiceName 
                        $serviceDescription = Get-ServiceFabricServiceDescription -ServiceName $_.ServiceName 
                        #Filter application with Stateful service type
                        if($serviceDescription.ServiceKind -eq "Stateful")
                        {
                            #Validate minimum replica and target replica size for each service
                            $isCompliant = !($serviceDescription.MinReplicaSetSize -lt 3 -or $serviceDescription.TargetReplicaSetSize -lt 3)
                            
                            $stateObject = "" | Select-Object "MinReplicaSetSize" ,"TargetReplicaSetSize"
                            $stateObject.MinReplicaSetSize = $serviceDescription.MinReplicaSetSize
                            $stateObject.TargetReplicaSetSize = $serviceDescription.TargetReplicaSetSize
                            if($isCompliant)
                            {
                                $complianteServices.Add($serviceName, $stateObject)
                            } 
                            else
                            { 
                                $isPassed = $False
                                $nonComplianteServices.Add($serviceName, $stateObject)
                            }
                        }                
                    }
                }

                if($complianteServices.Keys.Count -gt 0)
                {
                    $controlResult.AddMessage("Replica set size for below services are complaint");
                    $complianteServices.Keys  | Foreach-Object {
                        $controlResult.AddMessage("Replica set size details for service '$_'",$complianteServices[$_]);
                    }
                }

                if($nonComplianteServices.Keys.Count -gt 0)
                {
                    $controlResult.AddMessage("Replica set size for below services are non-complaint");
                    $nonComplianteServices.Keys  | Foreach-Object {
                        $controlResult.AddMessage("Replica set size details for service '$_'",$nonComplianteServices[$_]);
                    }
                }

                if($isPassed)
                {
                    $controlResult.VerificationResult = [VerificationResult]::Passed;
                }
                else
                {
                    $controlResult.VerificationResult = [VerificationResult]::Failed;
                    $controlResult.SetStateData("Replica set size are non-complaint for", $nonComplianteServices);
                }
            }
            else
            {
                $controlResult.AddMessage([VerificationResult]::Passed,"No stateful service found.")
            }
        }else{
            
            $scanSource = [RemoteReportHelper]::GetScanSource();
            if($scanSource -eq [ScanSource]::SpotCheck)
            { 
               $controlResult.AddMessage("Service Fabric SDK is not present in user machine. To evaluate this control SDK should be available on user machine.")
            }
            $controlResult.CurrentSessionContext.Permissions.HasRequiredAccess = $false;
            $controlResult.VerificationResult = [VerificationResult]::Manual;
        }
        
        return $controlResult;
    }

    hidden [ControlResult[]] CheckStatelessServiceInstanceCount([ControlResult] $controlResult)
    {
        $isConnectionSuccessful = $false
        if($this.IsSDKAvailable -eq $true)
        {
           
            #Function to validate authentication and connect with Service Fabric cluster
            $sfCluster = $null       
            $uri = ([System.Uri]$this.ResourceObject.Properties.managementEndpoint).Host                
            $primaryNodeType = $this.ResourceObject.Properties.nodeTypes | Where-Object { $_.isPrimary -eq $true }
                    
            $ClusterConnectionUri = $uri +":"+ $primaryNodeType.clientConnectionEndpointPort
            $isClusterSecure =  [Helpers]::CheckMember($this.ResourceObject.Properties,"certificate" )               
                    
            if($isClusterSecure)
            {
                    $serviceFabricCertificate = $this.ResourceObject.Properties.certificate              
                    $CertThumbprint= $this.ResourceObject.Properties.certificate.thumbprint
                    $serviceFabricAAD = $null
                    if([Helpers]::CheckMember($this.ResourceObject.Properties,"azureActiveDirectory" ))
                    {
                        $serviceFabricAAD =$this.ResourceObject.Properties.azureActiveDirectory
                    }  
                    if($null -ne $serviceFabricAAD)
                    {
                        try
                        {
                            $this.PublishCustomMessage("Connecting Service Fabric using AAD...")
                            $sfCluster = Connect-ServiceFabricCluster -ConnectionEndpoint $ClusterConnectionUri -AzureActiveDirectory -ServerCertThumbprint $CertThumbprint #-SecurityToken "
                            $isConnectionSuccessful = $true
                            $this.PublishCustomMessage("Connection using AAD is successful.")
                        }
                        catch
                        {
                            $this.PublishCustomMessage("You may not have permission to connect with cluster", [MessageType]::Warning);
                        }
                    }              
                    else
                    {
                        $this.PublishCustomMessage("Validating if cluster certificate present on machine...")
                        $IsCertPresent = (Get-ChildItem -Path "Cert:\$($this.CertStoreLocation)\$($this.CertStoreName)" | Where-Object {$_.Thumbprint -eq $CertThumbprint }| Measure-Object).Count                   
                        if($IsCertPresent)
                        {
                           try
                           {
                              $this.PublishCustomMessage("Connecting Service Fabric using certificate")
                              $sfCluster = Connect-serviceFabricCluster -ConnectionEndpoint $ClusterConnectionUri -KeepAliveIntervalInSec 10 -X509Credential -ServerCertThumbprint $CertThumbprint -FindType FindByThumbprint -FindValue $CertThumbprint -StoreLocation $this.CertStoreLocation -StoreName $this.CertStoreName 
                              $isConnectionSuccessful = $true
                           }catch
                           {
                               $this.PublishCustomMessage("Cannot connect with Service Fabric cluster using cluster certificate. Verify that valid cluster certificate is present in 'CurrentUser' location.", [MessageType]::Warning);    
                           }
                                                
                        }
                        else
                        {
                            $this.PublishCustomMessage("Cannot connect with Service Fabric cluster due to unavailability of cluster certificate in local machine. Validate cluster certificate is present in 'CurrentUser' location.", [MessageType]::Warning);                    
                        }
                    }                    
            }
            else
            {
                $sfCluster = Connect-serviceFabricCluster -ConnectionEndpoint $ClusterConnectionUri
                $isConnectionSuccessful = $true
                $this.PublishCustomMessage("Service Fabric connection is successful");
            }

            try
            {
                $this.ApplicationList = Get-ServiceFabricApplication -ErrorAction SilentlyContinue
            }catch
            {
               # No need to break execution, handled in next condition
            }
            
            $isPassed = $true;
            $complianteServices = @{};
            $nonComplianteServices = @{};
               
            if($isConnectionSuccessful -eq $false)
            {
              $controlResult.AddMessage([VerificationResult]::Manual,"Cannot connect with Service Fabric cluster.")
              $controlResult.CurrentSessionContext.Permissions.HasRequiredAccess = $false;
            }elseif($this.ApplicationList)
            {
                #Iterate through the applications present in cluster
                $this.ApplicationList | ForEach-Object{
                    $serviceFabricApplication = $_
                    Get-ServiceFabricService -ApplicationName $serviceFabricApplication.ApplicationName | 
                    ForEach-Object{
                        $serviceName = $_.ServiceName                 
                        $serviceDescription = Get-ServiceFabricServiceDescription -ServiceName $serviceName 
                        #Filter application with Stateless service type
                        if($serviceDescription.ServiceKind -eq "Stateless")
                        {     
                            #Validate instancecount it -1 (auto) or greater than equal to 3
                            $isCompliant = ($serviceDescription.InstanceCount -eq -1 -or $serviceDescription.InstanceCount -ge 3)
                            if($isCompliant)
                            {
                                $complianteServices.Add($serviceName, $serviceDescription.InstanceCount)
                            } 
                            else
                            { 
                                $isPassed = $False
                                $nonComplianteServices.Add($serviceName, $serviceDescription.InstanceCount)
                            }
                            
                        } 
                    } 
                }
                if($complianteServices.Keys.Count -gt 0)
                {
                    $controlResult.AddMessage("Instance count for below services are complaint");
                    $complianteServices.Keys  | Foreach-Object {
                        $controlResult.AddMessage("Instance count details for service '$_'",$complianteServices[$_]);
                    }
                }
    
                if($nonComplianteServices.Keys.Count -gt 0)
                {
                    $controlResult.AddMessage("Instance count for below services are non-complaint");
                    $nonComplianteServices.Keys  | Foreach-Object {
                        $controlResult.AddMessage("Instance count details for service '$_'",$nonComplianteServices[$_]);
                    }
                }
    
                if($isPassed)
                {
                    $controlResult.VerificationResult = [VerificationResult]::Passed;
                }
                else
                {
                    $controlResult.VerificationResult = [VerificationResult]::Failed;
                    $controlResult.SetStateData("Instance count are non-complaint for", $nonComplianteServices);
                }
            }
            else
            {
                $controlResult.AddMessage([VerificationResult]::Passed,"No stateless service found.")
            } 
        }else{

             $scanSource = [RemoteReportHelper]::GetScanSource();
             if($scanSource -eq [ScanSource]::SpotCheck)
             { 
                $controlResult.AddMessage("Service Fabric SDK is not present in user machine. To evaluate this control SDK should be available on user machine.")
             }
             $controlResult.CurrentSessionContext.Permissions.HasRequiredAccess = $false;
             $controlResult.VerificationResult = [VerificationResult]::Manual;
        }
        
        
        return $controlResult;        
    }

    # Control: every service endpoint that is reachable through a public load-balancer port must use https.
    # Ports are collected from load-balancing rules whose frontend has a public IP; each service manifest's
    # declared endpoints are then matched against that port list. Requires the Service Fabric SDK
    # ($this.IsSDKAvailable); without it the control is marked Manual and HasRequiredAccess is cleared.
    # Returns the same $controlResult it received, with messages, VerificationResult and state data filled in.
    hidden [ControlResult[]] CheckPublicEndpointSSL([ControlResult] $controlResult)
    {    
        $isConnectionSuccessful = $false
        if($this.IsSDKAvailable -eq $true)
        {          
            #Function to validate authentication and connect with Service Fabric cluster
            $sfCluster = $null       
            # Connection endpoint = host of the management endpoint + the primary node type's client connection port.
            $uri = ([System.Uri]$this.ResourceObject.Properties.managementEndpoint).Host                
            $primaryNodeType = $this.ResourceObject.Properties.nodeTypes | Where-Object { $_.isPrimary -eq $true }
                    
            $ClusterConnectionUri = $uri +":"+ $primaryNodeType.clientConnectionEndpointPort
            # A cluster is treated as secured when the ARM resource carries a "certificate" property.
            $isClusterSecure =  [Helpers]::CheckMember($this.ResourceObject.Properties,"certificate" )               
                    
            if($isClusterSecure)
            {
                    $serviceFabricCertificate = $this.ResourceObject.Properties.certificate              
                    $CertThumbprint= $this.ResourceObject.Properties.certificate.thumbprint
                    $serviceFabricAAD = $null
                    if([Helpers]::CheckMember($this.ResourceObject.Properties,"azureActiveDirectory" ))
                    {
                        $serviceFabricAAD =$this.ResourceObject.Properties.azureActiveDirectory
                    }  
                    # AAD takes precedence over the cluster certificate when the cluster is configured for it.
                    if($null -ne $serviceFabricAAD)
                    {
                        try
                        {
                            $this.PublishCustomMessage("Connecting Service Fabric using AAD...")
                            # -ServerCertThumbprint pins the certificate the cluster must present.
                            $sfCluster = Connect-ServiceFabricCluster -ConnectionEndpoint $ClusterConnectionUri -AzureActiveDirectory -ServerCertThumbprint $CertThumbprint #-SecurityToken "
                            $isConnectionSuccessful = $true
                            $this.PublishCustomMessage("Connection using AAD is successful.")
                        }
                        catch
                        {
                            # Connection failure is reported, not thrown; $isConnectionSuccessful stays $false.
                            $this.PublishCustomMessage("You may not have permission to connect with cluster", [MessageType]::Warning);
                        }
                    }              
                    else
                    {
                        $this.PublishCustomMessage("Validating if cluster certificate present on machine...")
                        # The client certificate is located by the cluster thumbprint in Cert:\$CertStoreLocation\$CertStoreName.
                        $IsCertPresent = (Get-ChildItem -Path "Cert:\$($this.CertStoreLocation)\$($this.CertStoreName)" | Where-Object {$_.Thumbprint -eq $CertThumbprint }| Measure-Object).Count                   
                        if($IsCertPresent)
                        {
                           try
                           {
                              $this.PublishCustomMessage("Connecting Service Fabric using certificate")
                              # The same thumbprint is used both to pick the client certificate and to pin the server certificate.
                              $sfCluster = Connect-serviceFabricCluster -ConnectionEndpoint $ClusterConnectionUri -KeepAliveIntervalInSec 10 -X509Credential -ServerCertThumbprint $CertThumbprint -FindType FindByThumbprint -FindValue $CertThumbprint -StoreLocation $this.CertStoreLocation -StoreName $this.CertStoreName 
                              $isConnectionSuccessful = $true
                           }catch
                           {
                               $this.PublishCustomMessage("Cannot connect with Service Fabric cluster using cluster certificate. Verify that valid cluster certificate is present in 'CurrentUser' location.", [MessageType]::Warning);    
                           }
                                                
                        }
                        else
                        {
                            $this.PublishCustomMessage("Cannot connect with Service Fabric cluster due to unavailability of cluster certificate in local machine. Validate cluster certificate is present in 'CurrentUser' location.", [MessageType]::Warning);                    
                        }
                    }                    
            }
            else
            {
                # Unsecured cluster: no credentials and no server certificate pinning. Unlike the secured
                # branches this call is not wrapped in try/catch, so a failure here propagates to the caller.
                $sfCluster = Connect-serviceFabricCluster -ConnectionEndpoint $ClusterConnectionUri
                $isConnectionSuccessful = $true
                $this.PublishCustomMessage("Service Fabric connection is successful");
            }

            try
            {
                # With -ErrorAction SilentlyContinue and an empty catch, ApplicationList may stay $null
                # (e.g. when the connection above failed); the elseif below handles that case.
                $this.ApplicationList = Get-ServiceFabricApplication -ErrorAction SilentlyContinue
            }catch
            {
               #No need to break execution, handled in next condition
            }
            
            $isManual = $false;
            $isPassed = $true;
            # Keyed by "<application>/<service type>/<endpoint name>", value = declared port.
            $compliantPort = @{};
            $nonCompliantPort = @{};

            $loadBalancerBackendPorts = @()
            # Load balancers are linked to the cluster by the shared cluster tag (see GetLinkedResources).
            $loadBalancerResources = $this.GetLinkedResources("Microsoft.Network/loadBalancers")
            #Collect all open ports on load balancer
            $loadBalancerResources | ForEach-Object{
                $loadBalancerResource = Get-AzLoadBalancer -Name $_.Name -ResourceGroupName $_.ResourceGroupName
                # Only rules attached to a frontend that has a public IP count as publicly exposed.
                $loadBalancingRules = @($loadBalancerResource.FrontendIpConfigurations | ? { $null -ne $_.PublicIpAddress } | ForEach-Object { $_.LoadBalancingRules })
            
                $loadBalancingRules | ForEach-Object {
                    $loadBalancingRuleId = $_.Id;
                    # The frontend only holds rule references; resolve the full rule to read its backend port.
                    $loadBalancingRule = $loadBalancerResource.LoadBalancingRules | ? { $_.Id -eq  $loadBalancingRuleId } | Select-Object -First 1
                    # NOTE(review): if no rule matches the id, $loadBalancingRule is $null and a $null entry is appended.
                    $loadBalancerBackendPorts += $loadBalancingRule.BackendPort;
                };   
            }
            
            #If no ports open, Pass the TCP
            # Nothing is reachable from outside, so there is nothing to verify: $isPassed stays $true.
            if($loadBalancerBackendPorts.Count -eq 0)
            {
                $controlResult.AddMessage("No ports enabled.")       
            }
            #If Ports are open for public in load balancer, map load balancer ports with application endpoint ports and validate if SSL is enabled.
            else
            {
        
               # Public ports exist but the cluster could not be queried: the control cannot be decided automatically.
               if($isConnectionSuccessful -eq $false)
               {
                    $isManual = $true;
                    $controlResult.AddMessage("Cannot connect with Service Fabric cluster.")
                    $controlResult.CurrentSessionContext.Permissions.HasRequiredAccess = $false;
               }
               elseif($this.ApplicationList)
                {
                    $controlResult.AddMessage("List of publicly exposed port",$loadBalancerBackendPorts) 

                    $this.ApplicationList | 
                    ForEach-Object{
                        $serviceFabricApplication = $_
                        # Endpoints are declared per service type in the service manifest of the application type version.
                        Get-ServiceFabricServiceType -ApplicationTypeName $serviceFabricApplication.ApplicationTypeName -ApplicationTypeVersion $serviceFabricApplication.ApplicationTypeVersion | 
                        ForEach-Object{
                            $currentService = $_
                            # NOTE(review): the manifest text returned by the cluster is parsed with the [xml] cast;
                            # confirm DTD/external-entity processing is disabled for this cast before trusting manifests from a shared cluster.
                            $serviceManifest = [xml](Get-ServiceFabricServiceManifest -ApplicationTypeName $serviceFabricApplication.ApplicationTypeName -ApplicationTypeVersion $serviceFabricApplication.ApplicationTypeVersion -ServiceManifestName $_.ServiceManifestName)
                            if([Helpers]::CheckMember($serviceManifest.ServiceManifest,"Resources.Endpoints"))
                            {
                                $serviceManifest.ServiceManifest.Resources.Endpoints.ChildNodes | 
                                ForEach-Object{
                                    $endpoint = $_
                                    $serviceTypeName = $currentService.ServiceTypeName
                            
                                    # Endpoints without a Port attribute are skipped (presumably dynamically assigned ports — TODO confirm).
                                    if(-not [Helpers]::CheckMember($endpoint,"Port"))
                                    {
                                        #Add message
                                        #$childControlResult.AddMessage([VerificationResult]::Passed)
                                    }
                                    else
                                    {
                                        # A declared port that is also a public load-balancer backend port must be https.
                                        # NOTE(review): the [Int32] cast throws if Port is not numeric — confirm manifests always declare numeric ports.
                                        if($loadBalancerBackendPorts.Contains([Int32] $endpoint.Port) )
                                        {                      
                                            if([Helpers]::CheckMember($endpoint,"Protocol") -and $endpoint.Protocol -eq "https"){  
                                                $compliantPort.Add($serviceFabricApplication.ApplicationName.OriginalString + "/" + $serviceTypeName + "/"+$endpoint.Name,  $endpoint.Port) 
                                                
                                             }
                                            elseif([Helpers]::CheckMember($endpoint,"Protocol") -and $endpoint.Protocol -eq "http"){  
                                                $isPassed = $false;
                                        
                                                $nonCompliantPort.Add($serviceFabricApplication.ApplicationName.OriginalString + "/" + $serviceTypeName + "/"+$endpoint.Name,  $endpoint.Port) 
                                            }
                                            # Fail closed: a missing or unrecognised protocol on a public port is non-compliant.
                                            else {  
                                                $isPassed = $false;
                                                $nonCompliantPort.Add($serviceFabricApplication.ApplicationName.OriginalString + "/" + $serviceTypeName + "/"+$endpoint.Name,  $endpoint.Port) 
                                            
                                             }                            
                                        }
                                        else
                                        {   
                                            # Not reachable through a public load-balancer port: recorded as compliant
                                            # regardless of protocol, because only public exposure is in scope here.
                                            $compliantPort.Add($serviceFabricApplication.ApplicationName.OriginalString + "/" + $serviceTypeName + "/"+$endpoint.Name,  $endpoint.Port)                     
                                            
                                        }
                                    }                             
                                } 
                            }
                                          
                        }
                    }             
                }
                else
                {
                    $controlResult.AddMessage("No service found.")
                }    
            }     

            if($compliantPort.Keys.Count -gt 0)
            {
                $controlResult.AddMessage("Following endpoint(s) are compliant");
                $compliantPort.Keys  | Foreach-Object {
                    $controlResult.AddMessage("Endpoint: '$_' Port: $($compliantPort[$_])");
                }
            }

            if($nonCompliantPort.Keys.Count -gt 0)
            {
                $controlResult.AddMessage("Following publicly exposed endpoint(s) are not secured using SSL");
                $nonCompliantPort.Keys  | Foreach-Object {
                    $controlResult.AddMessage("EndPoint: '$_' Port: $($nonCompliantPort[$_])");
                }
            }

            # Result precedence: Manual (could not connect) > Passed > Failed.
            if($isManual)
            {
                $controlResult.VerificationResult = [VerificationResult]::Manual;
            }
            elseif($isPassed)
            {
                $controlResult.VerificationResult = [VerificationResult]::Passed;
            }
            else
            {
                $controlResult.VerificationResult = [VerificationResult]::Failed;
                # The non-compliant endpoint map is kept as state data so the failure can be diffed across scans.
                $controlResult.SetStateData("Following ports are non-complaint", $nonCompliantPort);
            }
        }else{
            
            # SDK missing: the "not present" hint is only shown for interactive (SpotCheck) scans.
            $scanSource = [RemoteReportHelper]::GetScanSource();
            if($scanSource -eq [ScanSource]::SpotCheck)
            { 
               $controlResult.AddMessage("Service Fabric SDK is not present in user machine. To evaluate this control SDK should be available on user machine.")
            }
            $controlResult.CurrentSessionContext.Permissions.HasRequiredAccess = $false;
            $controlResult.VerificationResult = [VerificationResult]::Manual;
        }
    
            
        return $controlResult       
    }
    [void] CheckClusterAccess()
    {    
        #Function to validate authentication and connect with Service Fabric cluster
        $sfCluster = $null       
        $uri = ([System.Uri]$this.ResourceObject.Properties.managementEndpoint).Host                
        $primaryNodeType = $this.ResourceObject.Properties.nodeTypes | Where-Object { $_.isPrimary -eq $true }
                
        $ClusterConnectionUri = $uri +":"+ $primaryNodeType.clientConnectionEndpointPort
        $this.PublishCustomMessage("Connecting with Service Fabric cluster...")
        $this.PublishCustomMessage("Validating if Service Fabric is secure...")
        
        $isClusterSecure =  [Helpers]::CheckMember($this.ResourceObject.Properties,"certificate" )               
                
        if($isClusterSecure)
        {
            $serviceFabricCertificate = $this.ResourceObject.Properties.certificate              
            $this.PublishCustomMessage("Service Fabric is secure")
            $CertThumbprint= $this.ResourceObject.Properties.certificate.thumbprint
            $serviceFabricAAD = $null
            if([Helpers]::CheckMember($this.ResourceObject.Properties,"azureActiveDirectory" ))
            {
             $serviceFabricAAD =$this.ResourceObject.Properties.azureActiveDirectory
            }  
            if($null -ne $serviceFabricAAD)
            {
                try
                {
                    $this.PublishCustomMessage("Connecting Service Fabric using AAD...")
                    $sfCluster = Connect-ServiceFabricCluster -ConnectionEndpoint $ClusterConnectionUri -AzureActiveDirectory -ServerCertThumbprint $CertThumbprint #-SecurityToken "
                     $this.PublishCustomMessage("Connection using AAD is successful.")
                }
                catch
                {
                    throw ([SuppressedException]::new(("You may not have permission to connect with cluster"), [SuppressedExceptionType]::InvalidOperation))
                }
            }              
            else
            {
                $this.PublishCustomMessage("Validating if cluster certificate present on machine...")
                $IsCertPresent = (Get-ChildItem -Path "Cert:\$($this.CertStoreLocation)\$($this.CertStoreName)" | Where-Object {$_.Thumbprint -eq $CertThumbprint }| Measure-Object).Count                   
                if($IsCertPresent)
                {
                    $this.PublishCustomMessage("Connecting Service Fabric using certificate")
                    $sfCluster = Connect-serviceFabricCluster -ConnectionEndpoint $ClusterConnectionUri -KeepAliveIntervalInSec 300 -X509Credential -ServerCertThumbprint $CertThumbprint -FindType FindByThumbprint -FindValue $CertThumbprint -StoreLocation $this.CertStoreLocation -StoreName $this.CertStoreName 
                }
                else
                {
                    throw ([SuppressedException]::new(("Cannot connect with Service Fabric due to unavailability of cluster certificate in local machine. Validate cluster certificate is present in 'CurrentUser' location."), [SuppressedExceptionType]::InvalidOperation))
                }
            }                    
        }
        else
        {
            $this.PublishCustomMessage("Service Fabric is unsecure");
            $sfCluster = Connect-serviceFabricCluster -ConnectionEndpoint $ClusterConnectionUri
            $this.PublishCustomMessage("Service Fabric connection is successful");
        }
    }

    [PSObject] GetLinkedResources([string] $resourceType)
    {
        return  Get-AzResource -TagName $this.DefaultTagName -TagValue $this.ClusterTagValue | Where-Object { ($_.ResourceType -EQ $resourceType) -and ($_.ResourceGroupName -eq $this.ResourceContext.ResourceGroupName) }
    }    

}