scheiblingco
diff --git a/‎Modules/CIPPCore/Public/Compare-CIPPDlpCompliancePolicy.ps1‎
Lines changed: 165 additions & 0 deletions b/‎Modules/CIPPCore/Public/Compare-CIPPDlpCompliancePolicy.ps1‎
Lines changed: 165 additions & 0 deletions
diff --git a/‎Modules/CIPPCore/Public/ConvertTo-CIPPSensitiveInformationType.ps1‎
Lines changed: 103 additions & 0 deletions b/‎Modules/CIPPCore/Public/ConvertTo-CIPPSensitiveInformationType.ps1‎
Lines changed: 103 additions & 0 deletions
diff --git a/‎Modules/CIPPCore/Public/Get-CIPPDlpComplianceFieldList.ps1‎
Lines changed: 65 additions & 0 deletions b/‎Modules/CIPPCore/Public/Get-CIPPDlpComplianceFieldList.ps1‎
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,165 @@
+function ConvertTo-CIPPComparableString {
+    <#
+    .SYNOPSIS
+        Produce an order-independent canonical string for a value, for equality comparison.
+    .DESCRIPTION
+        Recursively serializes scalars, dictionaries/objects (keys sorted), and arrays (elements sorted)
+        into a deterministic string. Two values are equal iff their canonical strings match - independent
+        of property order or array order, which is the right semantics for DLP locations and the set of
+        sensitive information types (order is not meaningful for matching).
+    .FUNCTIONALITY
+        Internal
+    #>
+    [CmdletBinding()]
+    param($Value)
+
+    if ($null -eq $Value) { return 'null' }
+    if ($Value -is [string]) { return '"' + $Value + '"' }
+    if ($Value -is [bool] -or $Value -is [int] -or $Value -is [long] -or $Value -is [double] -or $Value -is [decimal]) {
+        return [string]$Value
+    }
+    if ($Value -is [System.Collections.IDictionary]) {
+        $parts = foreach ($k in (@($Value.Keys) | Sort-Object)) { '"' + $k + '":' + (ConvertTo-CIPPComparableString -Value $Value[$k]) }
+        return '{' + ($parts -join ',') + '}'
+    }
+    if ($Value -is [System.Management.Automation.PSCustomObject]) {
+        $parts = foreach ($p in ($Value.PSObject.Properties | Sort-Object Name)) { '"' + $p.Name + '":' + (ConvertTo-CIPPComparableString -Value $p.Value) }
+        return '{' + ($parts -join ',') + '}'
+    }
+    if ($Value -is [System.Collections.IEnumerable]) {
+        $items = @(foreach ($item in $Value) { ConvertTo-CIPPComparableString -Value $item }) | Sort-Object
+        return '[' + ($items -join ',') + ']'
+    }
+    return '"' + ([string]$Value) + '"'
+}
+
+function ConvertTo-CIPPDlpComparable {
+    <#
+    .SYNOPSIS
+        Normalize a DLP policy source (template or live policy) + its rules into a comparable param map.
+    .DESCRIPTION
+        Runs the source through the exact same normalization the deploy path uses - allowlist filtering,
+        location normalization, sensitive-information-type conversion (which also strips output-only
+        rulePackId), and IncidentReportContent string->array - so a template and the live policy it was
+        deployed from collapse to identical structures when nothing has actually drifted.
+    .PARAMETER PolicySource
+        The policy-level object (a stored template, or a Get-DlpCompliancePolicy result).
+    .PARAMETER RuleSource
+        The rule collection (template RuleParams, or Get-DlpComplianceRule results).
+    .OUTPUTS
+        PSCustomObject with Policy (hashtable of normalized policy params) and Rules (ordered map of
+        rule name -> hashtable of normalized rule params).
+    .FUNCTIONALITY
+        Internal
+    #>
+    [CmdletBinding()]
+    param($PolicySource, $RuleSource)
+
+    $Fields = Get-CIPPDlpComplianceFieldList
+
+    $Policy = Format-CIPPCompliancePolicyParams -Source $PolicySource -AllowedFields $Fields.Policy -LocationFields $Fields.Location
+    $Policy.Remove('Name') | Out-Null  # identity, not a comparable setting
+    # Mirror deploy: an invalid/transient Mode (e.g. PendingDeletion) is never deployed, so it must not
+    # register as drift either.
+    if ($Policy.ContainsKey('Mode') -and $Policy['Mode'] -notin $Fields.ValidPolicyModes) {
+        $Policy.Remove('Mode') | Out-Null
+    }
+
+    $Rules = [ordered]@{}
+    foreach ($Rule in @($RuleSource) | Where-Object { $_ }) {
+        $RuleParams = Format-CIPPCompliancePolicyParams -Source $Rule -AllowedFields $Fields.Rule
+        $RuleName = [string]$RuleParams['Name']
+        $RuleParams.Remove('Policy') | Out-Null
+        $RuleParams.Remove('Name') | Out-Null
+        foreach ($SitField in @('ContentContainsSensitiveInformation', 'ExceptIfContentContainsSensitiveInformation')) {
+            if ($RuleParams.ContainsKey($SitField)) {
+                $RuleParams[$SitField] = @(ConvertTo-CIPPSensitiveInformationType -SensitiveInformation $RuleParams[$SitField])
+            }
+        }
+        if ($RuleParams.ContainsKey('IncidentReportContent') -and $RuleParams['IncidentReportContent'] -is [string]) {
+            $RuleParams['IncidentReportContent'] = @($RuleParams['IncidentReportContent'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
+        }
+        if (-not [string]::IsNullOrWhiteSpace($RuleName)) { $Rules[$RuleName] = $RuleParams }
+    }
+
+    return [pscustomobject]@{ Policy = $Policy; Rules = $Rules }
+}
+
+function Compare-CIPPDlpCompliancePolicy {
+    <#
+    .SYNOPSIS
+        Compare a stored DLP template against the live policy + rules in a tenant and report drift.
+    .DESCRIPTION
+        Normalizes both sides through ConvertTo-CIPPDlpComparable and diffs them field by field
+        (policy-level and per-rule, matched by rule name). Returns the overall state and the specific
+        differing fields with their expected (template) and current (tenant) values, so callers can
+        decide whether to remediate and can surface exactly what differs.
+    .PARAMETER TenantFilter
+        Target tenant.
+    .PARAMETER Template
+        The stored template object (already ConvertFrom-Json'd).
+    .OUTPUTS
+        PSCustomObject: Name, State ('Missing' | 'PendingDeletion' | 'InSync' | 'Drift'), and Differences
+        (array of { Scope, Field, Expected, Current }).
+    .FUNCTIONALITY
+        Internal
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory)] [string] $TenantFilter,
+        [Parameter(Mandatory)] $Template
+    )
+
+    $PolicyName = $Template.Name ?? $Template.name
+
+    $LivePolicy = try {
+        New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-DlpCompliancePolicy' -Compliance |
+            Where-Object { $_.Name -eq $PolicyName } | Select-Object -First 1
+    } catch { $null }
+
+    if (-not $LivePolicy) {
+        return [pscustomobject]@{ Name = $PolicyName; State = 'Missing'; Differences = @() }
+    }
+    if ($LivePolicy.Mode -eq 'PendingDeletion') {
+        return [pscustomobject]@{ Name = $PolicyName; State = 'PendingDeletion'; Differences = @() }
+    }
+
+    $LiveRules = try {
+        @(New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-DlpComplianceRule' -Compliance |
+                Where-Object { $_.ParentPolicyName -eq $PolicyName })
+    } catch { @() }
+
+    $Want = ConvertTo-CIPPDlpComparable -PolicySource $Template -RuleSource $Template.RuleParams
+    $Have = ConvertTo-CIPPDlpComparable -PolicySource $LivePolicy -RuleSource $LiveRules
+
+    $Differences = [System.Collections.Generic.List[object]]::new()
+
+    # Policy-level diff
+    foreach ($Key in (@($Want.Policy.Keys) + @($Have.Policy.Keys) | Select-Object -Unique)) {
+        $Expected = if ($Want.Policy.ContainsKey($Key)) { $Want.Policy[$Key] } else { $null }
+        $Current = if ($Have.Policy.ContainsKey($Key)) { $Have.Policy[$Key] } else { $null }
+        if ((ConvertTo-CIPPComparableString -Value $Expected) -ne (ConvertTo-CIPPComparableString -Value $Current)) {
+            $Differences.Add([pscustomobject]@{ Scope = 'Policy'; Field = $Key; Expected = $Expected; Current = $Current })
+        }
+    }
+
+    # Rule-level diff (only rules the template defines; matched by name)
+    foreach ($RuleName in @($Want.Rules.Keys)) {
+        if (@($Have.Rules.Keys) -notcontains $RuleName) {
+            $Differences.Add([pscustomobject]@{ Scope = "Rule '$RuleName'"; Field = '(entire rule)'; Expected = 'present'; Current = 'missing' })
+            continue
+        }
+        $WantRule = $Want.Rules[$RuleName]
+        $HaveRule = $Have.Rules[$RuleName]
+        foreach ($Key in (@($WantRule.Keys) + @($HaveRule.Keys) | Select-Object -Unique)) {
+            $Expected = if ($WantRule.ContainsKey($Key)) { $WantRule[$Key] } else { $null }
+            $Current = if ($HaveRule.ContainsKey($Key)) { $HaveRule[$Key] } else { $null }
+            if ((ConvertTo-CIPPComparableString -Value $Expected) -ne (ConvertTo-CIPPComparableString -Value $Current)) {
+                $Differences.Add([pscustomobject]@{ Scope = "Rule '$RuleName'"; Field = $Key; Expected = $Expected; Current = $Current })
+            }
+        }
+    }
+
+    $State = if ($Differences.Count -eq 0) { 'InSync' } else { 'Drift' }
+    return [pscustomobject]@{ Name = $PolicyName; State = $State; Differences = @($Differences) }
+}
@@ -0,0 +1,103 @@
+function ConvertTo-CIPPSensitiveInformationType {
+    <#
+    .SYNOPSIS
+        Normalize a DLP rule's ContentContainsSensitiveInformation value into clean input objects.
+    .DESCRIPTION
+        Get-DlpComplianceRule returns ContentContainsSensitiveInformation (and the ExceptIf variant)
+        in an output-only @odata serialization that New-/Set-DlpComplianceRule will not accept as input.
+        Two shapes occur:
+
+          - Flat list: an array of SITs, each SIT being an array of '{ _key, _value }' GenericHashTable
+            pairs - e.g. { _key = 'name'; _value = 'Credit Card Number' }.
+
+          - Grouped: an array containing a single wrapper '{ groups = (...); operator = 'And' }', where
+            each group is an array of pairs carrying 'name', 'operator', and a nested 'sensitivetypes'
+            value (itself a flat list of SITs). Used by templates that AND/OR several named groups
+            together (e.g. HIPAA Enhanced). NOTE the wrapper is delivered inside an array, so the
+            top-level value is an array in BOTH shapes.
+
+        This collapses every '{ _key, _value }' pair group into a single flat object and recurses through
+        the grouped / groups / sensitivetypes nesting, producing a structure the New-/Set-* cmdlets accept.
+
+        The function is idempotent: a value already in the clean shape (no '_key' pairs) is returned
+        unchanged, so it is safe to call at both template-build time and deploy time.
+    .PARAMETER SensitiveInformation
+        The ContentContainsSensitiveInformation value to normalize.
+    .FUNCTIONALITY
+        Internal
+    #>
+    [CmdletBinding()]
+    param($SensitiveInformation)
+
+    if ($null -eq $SensitiveInformation) { return $null }
+
+    # Output-only SIT properties that Get-DlpComplianceRule emits but New-/Set-DlpComplianceRule reject
+    # as input (matched case-insensitively against the lower-cased key).
+    $script:InvalidSitProperties = @('rulepackid')
+
+    # Recursively normalize a single entry. An entry is one of:
+    #   - a raw array of { _key, _value } pairs (a SIT, or a group)  -> collapse to a flat object
+    #   - a grouped wrapper object { groups, operator }              -> recurse each group
+    #   - an already-clean object with a nested sensitivetypes list  -> recurse that list
+    #   - anything else                                              -> pass through unchanged
+    # 'groups' and 'sensitivetypes' are recursed on BOTH the raw and the already-clean paths so the
+    # conversion is correct whether the wrapper arrives bare or (as the cmdlets deliver it) array-wrapped,
+    # and so re-running on an already-converted value is a no-op.
+    function Convert-Entry {
+        param($Entry)
+
+        if ($null -eq $Entry) { return $null }
+
+        $first = @($Entry) | Where-Object { $null -ne $_ } | Select-Object -First 1
+        $isRawPairs = ($Entry -isnot [string]) -and $null -ne $first -and ($first.PSObject.Properties.Name -contains '_key')
+
+        if ($isRawPairs) {
+            $ht = [ordered]@{}
+            foreach ($pair in @($Entry)) {
+                if ($null -eq $pair -or ($pair.PSObject.Properties.Name -notcontains '_key')) { continue }
+                $key = [string]$pair._key
+                # Skip output-only properties the New-/Set-* cmdlets reject as input (e.g. rulePackId,
+                # which Get-DlpComplianceRule emits on every SIT).
+                if ($key -in $script:InvalidSitProperties) { continue }
+                if ($key -in @('sensitivetypes', 'groups')) {
+                    $ht[$key] = @(foreach ($child in @($pair._value)) { Convert-Entry -Entry $child })
+                } else {
+                    $ht[$key] = $pair._value
+                }
+            }
+            return [pscustomobject]$ht
+        }
+
+        # Already clean (or partially clean) object - recurse the nested collections, strip invalid
+        # properties, pass the rest through. Rebuild when there is anything to recurse or strip.
+        $propNames = @($Entry.PSObject.Properties.Name)
+        $needsRebuild = ($propNames | Where-Object { $_ -in @('groups', 'sensitivetypes') -or $_ -in $script:InvalidSitProperties }).Count -gt 0
+        if ($needsRebuild) {
+            $clone = [ordered]@{}
+            foreach ($prop in $Entry.PSObject.Properties) {
+                if ($prop.Name -in $script:InvalidSitProperties) { continue }
+                if ($prop.Name -in @('groups', 'sensitivetypes')) {
+                    $clone[$prop.Name] = @(foreach ($child in @($prop.Value)) { Convert-Entry -Entry $child })
+                } else {
+                    $clone[$prop.Name] = $prop.Value
+                }
+            }
+            return [pscustomobject]$clone
+        }
+
+        return $Entry
+    }
+
+    # Grouped form: a bare wrapper object exposing a 'groups' collection. (When array-wrapped, the
+    # branch below handles it via Convert-Entry on each element.)
+    if ($SensitiveInformation -isnot [System.Collections.IEnumerable] -and
+        ($SensitiveInformation.PSObject.Properties.Name -contains 'groups')) {
+        # Callers MUST wrap the result in @(...) so this lands as a PswsHashtable[] array on the wire -
+        # PowerShell unwraps a single-element return to a bare object, which is rejected server-side.
+        return @(Convert-Entry -Entry $SensitiveInformation)
+    }
+
+    # Array form (the normal case): flat list of SITs, OR an array carrying the grouped wrapper.
+    # Callers must wrap in @(...) - see the note above.
+    return @(foreach ($entry in @($SensitiveInformation)) { Convert-Entry -Entry $entry })
+}
@@ -0,0 +1,65 @@
+function Get-CIPPDlpComplianceFieldList {
+    <#
+    .SYNOPSIS
+        Single source of truth for the DLP compliance policy/rule cmdlet parameter allowlists.
+    .DESCRIPTION
+        The New-/Set-DlpCompliancePolicy and New-/Set-DlpComplianceRule cmdlets accept only a subset of
+        the (much larger) set of properties Get-* returns. These allowlists are shared by every code path
+        that builds or compares DLP policy params - template creation, deploy, and drift comparison - so
+        the accepted fields never diverge between them (divergence here previously caused 'Mode'/'Priority'
+        being sent where invalid, etc.).
+
+        Priority is intentionally excluded: Microsoft assigns it per tenant from existing policy ordering,
+        so it varies between tenants and must not be captured into, deployed from, or drift-compared.
+    .OUTPUTS
+        PSCustomObject with Policy, Rule, and Location (subset of Policy) string arrays.
+    .FUNCTIONALITY
+        Internal
+    #>
+    [CmdletBinding()]
+    param()
+
+    $Policy = @(
+        'Name', 'Comment', 'Mode',
+        'ExchangeLocation', 'ExchangeLocationException',
+        'SharePointLocation', 'SharePointLocationException',
+        'OneDriveLocation', 'OneDriveLocationException',
+        'TeamsLocation', 'TeamsLocationException',
+        'EndpointDlpLocation', 'EndpointDlpLocationException',
+        'OnPremisesScannerDlpLocation', 'OnPremisesScannerDlpLocationException',
+        'ThirdPartyAppDlpLocation', 'ThirdPartyAppDlpLocationException',
+        'PowerBIDlpLocation', 'PowerBIDlpLocationException',
+        'ModernGroupLocation', 'ModernGroupLocationException'
+    )
+
+    # Note: DLP rules have no 'Mode' parameter (that is policy-level). 'Policy' is the parent reference
+    # added at deploy time; it is not a comparable setting.
+    $Rule = @(
+        'Name', 'Policy', 'Comment', 'Disabled',
+        'ContentContainsSensitiveInformation', 'ExceptIfContentContainsSensitiveInformation',
+        'ContentPropertyContainsWords', 'BlockAccess', 'BlockAccessScope',
+        'NotifyUser', 'NotifyEmailCustomText', 'NotifyEmailCustomSubject',
+        'NotifyPolicyTipCustomText', 'GenerateAlert', 'AlertProperties',
+        'GenerateIncidentReport', 'IncidentReportContent',
+        'AccessScope', 'From', 'FromMemberOf', 'FromAddressContainsWords',
+        'FromAddressMatchesPatterns', 'SentTo', 'SentToMemberOf',
+        'RecipientDomainIs', 'AnyOfRecipientAddressContainsWords',
+        'AnyOfRecipientAddressMatchesPatterns', 'AnyOfRecipientAddressDomainIs',
+        'ExceptIfFrom', 'ExceptIfFromMemberOf', 'ExceptIfFromAddressContainsWords',
+        'ExceptIfFromAddressMatchesPatterns',
+        'AddRecipients', 'BlockMessage', 'GenerateAlertOn', 'IncidentReportTo',
+        'ReportSeverityLevel', 'RuleErrorAction',
+        'ContentExtensionMatchesWords', 'DocumentNameMatchesPatterns',
+        'DocumentNameMatchesWords', 'DocumentSizeOver',
+        'ContentCharacterSetContainsWords', 'ContentFileTypeMatches'
+    )
+
+    return [pscustomobject]@{
+        Policy   = $Policy
+        Rule     = $Rule
+        Location = @($Policy | Where-Object { $_ -like '*Location*' })
+        # Valid -Mode input values for New-/Set-DlpCompliancePolicy. Transient/output-only states such as
+        # 'PendingDeletion' are NOT accepted as input and must be dropped before deploy.
+        ValidPolicyModes = @('Enable', 'TestWithNotifications', 'TestWithoutNotifications', 'Disable')
+    }
+}