address copilot feedback

Steve Lee (POWERSHELL HE/HIM) (from Dev Box) · Steve Lee (POWERSHELL HE/HIM) (from Dev Box) · commit a795c265f22b · 2026-03-31T15:48:55.000-07:00
diff --git a/dsc/tests/dsc_resource_list.tests.ps1 b/dsc/tests/dsc_resource_list.tests.ps1
@@ -11,7 +11,7 @@ BeforeDiscovery {
 
 Describe 'Tests for listing resources' {
     It 'dsc resource list' {
-        $resources = dsc resource list | ConvertFrom-Json -Depth 10
+        $resources = dsc resource list | ConvertFrom-Json -Depth 15
         $LASTEXITCODE | Should -Be 0
         $resources | Should -Not -BeNullOrEmpty
         $resources.Count | Should -BeGreaterThan 0
diff --git a/resources/windows_firewall/src/firewall.rs b/resources/windows_firewall/src/firewall.rs
@@ -263,17 +263,24 @@ fn apply_rule_properties(rule: &INetFwRule, desired: &FirewallRule, existing_pro
 
     if let Some(protocol) = desired.protocol {
         validate_protocol(protocol)?;
+    }
+
+    // Determine the effective protocol: the desired value if provided, otherwise
+    // the existing rule's protocol (if updating an existing rule).
+    let effective_protocol = desired.protocol.or(existing_protocol);
 
-        // Reject port specifications for protocols that don't support them (e.g. ICMP).
-        // On existing rules the ports are cleared automatically, but on new rules
-        // (existing_protocol == None) the conflicting SetLocalPorts/SetRemotePorts call
-        // would fail with a confusing COM error.
-        if !protocol_supports_ports(protocol) && existing_protocol.is_none()
+    // Reject port specifications for protocols that don't support them (e.g. ICMP).
+    // This must be checked regardless of whether the protocol itself was changed,
+    // because the caller may only be setting local_ports or remote_ports.
+    if let Some(protocol) = effective_protocol {
+        if !protocol_supports_ports(protocol)
             && (desired.local_ports.is_some() || desired.remote_ports.is_some())
         {
             return Err(t!("firewall.portsNotAllowed", name = name, protocol = protocol).to_string().into());
         }
+    }
 
+    if let Some(protocol) = desired.protocol {
         if let Some(current_protocol) = existing_protocol
             && current_protocol != protocol && !protocol_supports_ports(protocol) {
                 if desired.local_ports.is_none() {
diff --git a/resources/windows_firewall/tests/windows_firewall_export.tests.ps1 b/resources/windows_firewall/tests/windows_firewall_export.tests.ps1
@@ -1,7 +1,7 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
-Describe 'Microsoft.Windows/FirewallRuleList - export operation' -Skip:(!$IsWindows) {
+Describe 'Microsoft.Windows/FirewallRuleList - export operation' -Skip:(!$isElevated) {
     BeforeDiscovery {
         $isElevated = if ($IsWindows) {
             ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
diff --git a/resources/windows_firewall/tests/windows_firewall_get.tests.ps1 b/resources/windows_firewall/tests/windows_firewall_get.tests.ps1
@@ -1,7 +1,7 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
-Describe 'Microsoft.Windows/FirewallRuleList - get operation' -Skip:(!$IsWindows) {
+Describe 'Microsoft.Windows/FirewallRuleList - get operation' -Skip:(!$isElevated) {
     BeforeDiscovery {
         $isElevated = if ($IsWindows) {
             ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
@@ -35,7 +35,7 @@ Describe 'Microsoft.Windows/FirewallRuleList - get operation' -Skip:(!$IsWindows
 
         $result = ($out | ConvertFrom-Json).actualState.rules[0]
         $result.name | Should -BeExactly $knownRuleName
-        $result.PSObject.Properties.Name | Should -Not -Contain '_exist'
+        $result.PSObject.Properties.Name | Should -Not -Contain '_exist' -Because ($result | ConvertTo-Json -Depth 10)
         $result.direction | Should -BeIn @('Inbound', 'Outbound')
         $result.action | Should -BeIn @('Allow', 'Block')
     }
@@ -46,7 +46,7 @@ Describe 'Microsoft.Windows/FirewallRuleList - get operation' -Skip:(!$IsWindows
         $LASTEXITCODE | Should -Be 0 -Because (Get-Content -Raw $testdrive/error.log)
 
         $result = ($out | ConvertFrom-Json).actualState.rules[0]
-        $result.PSObject.Properties.Name | Should -Not -Contain '_exist'
+        $result.PSObject.Properties.Name | Should -Not -Contain '_exist' -Because ($result | ConvertTo-Json -Depth 10)
         $result.name | Should -BeExactly $knownRuleName
     }
 
diff --git a/resources/windows_firewall/tests/windows_firewall_set.tests.ps1 b/resources/windows_firewall/tests/windows_firewall_set.tests.ps1
@@ -1,7 +1,7 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
-Describe 'Microsoft.Windows/FirewallRuleList - set operation' -Skip:(!$IsWindows) {
+Describe 'Microsoft.Windows/FirewallRuleList - set operation' -Skip:(!$isElevated) {
     BeforeDiscovery {
         $isElevated = if ($IsWindows) {
             ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
