Tests/Unit/MSFT_AdcsOcspExtension.Tests.ps1

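Set-StrictMode -Version Latest

# Names of the DSC module and of the resource exercised by this unit test file.
$script:DSCModuleName = 'ActiveDirectoryCSDsc'
$script:DSCResourceName = 'MSFT_AdcsOcspExtension'

# Bootstrap the shared DSC test harness. The folder name is built once so that the
# existence check, the clone target and the import all refer to the same path; the
# original mixed 'DSCResource.Tests' and 'DscResource.Tests', which only resolves to
# one folder on a case-insensitive file system.
$script:moduleRoot = Split-Path -Parent (Split-Path -Parent $PSScriptRoot)
$script:dscResourceTestsPath = Join-Path -Path $script:moduleRoot -ChildPath 'DscResource.Tests'
$script:testHelperPath = Join-Path -Path $script:dscResourceTestsPath -ChildPath 'TestHelper.psm1'

if ( (-not (Test-Path -Path $script:dscResourceTestsPath)) -or `
     (-not (Test-Path -Path $script:testHelperPath)) )
{
    # NOTE(review): this fetches whatever the remote default branch currently holds and
    # the module imported below then runs with the privileges of the test session.
    # Pin the harness to a reviewed tag or commit, or vendor it, so that a change
    # upstream cannot alter what executes on build agents.
    & git @('clone', 'https://github.com/PowerShell/DscResource.Tests.git', $script:dscResourceTestsPath)

    # $? is false both when git exits non-zero and when git cannot be started, so a
    # failed bootstrap stops here instead of surfacing later as a missing command.
    if (-not $?)
    {
        throw "Unable to clone DscResource.Tests into '$script:dscResourceTestsPath'."
    }
}

Import-Module -Name $script:testHelperPath -Force

# Import Stub function
Import-Module (Join-Path -Path $script:moduleRoot -ChildPath 'Tests\TestHelpers\AdcsStub.psm1')

$TestEnvironment = Initialize-TestEnvironment `
    -DSCModuleName $script:DSCModuleName `
    -DSCResourceName $script:DSCResourceName `
    -TestType Unit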

try
{
    InModuleScope $DSCResourceName {
        $ocspUriPathList = @(
            'http://primary-ocsp-responder/ocsp'
            'http://secondary-ocsp-responder/ocsp'
            'http://tertiary-ocsp-responder/ocsp'
        )

        $presentParams = @{
            OcspUriPath      = $ocspUriPathList
            Ensure           = 'Present'
            IsSingleInstance = 'Yes'
            RestartService   = $true
        }

        $setRestartServiceFalsePresentParams = @{
            OcspUriPath      = $ocspUriPathList
            Ensure           = 'Present'
            IsSingleInstance = 'Yes'
            RestartService   = $false
        }

        $absentParams = @{
            OcspUriPath      = $ocspUriPathList
            Ensure           = 'Absent'
            IsSingleInstance = 'Yes'
            RestartService   = $true
        }

        $setRestartServiceFalseAbsentParams = @{
            OcspUriPath      = $ocspUriPathList
            Ensure           = 'Absent'
            IsSingleInstance = 'Yes'
            RestartService   = $false
        }

        Describe "$DSCResourceName\Get-TargetResource" -Tag 'Get' {
            Context 'When the CA is installed and the Get-CAAuthorityInformationAccess cmdlet returns the OCSP URI path list' {
                $retreivedGetTargetValue = @{
                    AddToCertificateAia  = 'false'
                    AddToCertificateOcsp = 'true'
                    Uri                  = 'http://primary-ocsp-responder/ocsp'
                }

                Mock -CommandName 'Get-CAAuthorityInformationAccess' -Mockwith { $retreivedGetTargetValue }

                It 'Should return a hashtable with the expected properties.' {
                    $result = Get-TargetResource @presentParams

                    $result                  | Should -Be System.Collections.Hashtable
                    $result.OcspUriPath      | Should -Be $retreivedGetTargetValue.Uri
                    $result.Ensure           | Should -Be $presentParams.Ensure
                    $result.IsSingleInstance | Should -Be $presentParams.IsSingleInstance
                    $result.RestartService   | Should -Be $presentParams.RestartService
                }
            }
        }

        # Set-TargetResource: each Context mocks Get-TargetResource to describe the
        # current state, calls Set-TargetResource with one of the shared parameter
        # sets, and then counts calls to the mocked add/remove/restart commands.
        #
        # NOTE(review): every ParameterFilter on the add/remove mocks compares
        # $OcspUriPath with <params>.OcspUriPathList. The parameter hashtables in
        # this file define the key 'OcspUriPath'; no 'OcspUriPathList' key is
        # defined anywhere in view. Whether the mocked commands expose a parameter
        # named OcspUriPath depends on the AdcsStub module, which is not visible
        # here - confirm. If neither side resolves, the filter does not constrain
        # the URI at all and these assertions only count calls, so a Set that wrote
        # an unexpected responder URI to the CA would not be caught by this file.
        Describe "$DSCResourceName\Set-TargetResource" -Tag 'Set' {
            # Describe-level mocks without -MockWith: the real commands are never
            # invoked, so no CA configuration or service is touched by these tests.
            Mock -CommandName Remove-CAAuthorityInformationAccess
            Mock -CommandName Add-CAAuthorityInformationAccess
            Mock -CommandName Restart-ServiceIfExists

            Context 'When ensure equals present, and OCSP record is missing, and $RestartService equals $true' {
                # Current state reported by the mocked Get-TargetResource: two of the
                # three desired URIs (the tertiary responder is missing).
                $missingOcspUriPath = @{
                    OcspUriPath      = @(
                        'http://primary-ocsp-responder/ocsp'
                        'http://secondary-ocsp-responder/ocsp'
                    )
                    Ensure           = 'Present'
                    IsSingleInstance = 'Yes'
                    RestartService   = $true
                }

                Mock -CommandName Get-TargetResource -MockWith { $missingOcspUriPath }

                It 'Should call the expected mocks' {
                    Set-TargetResource @presentParams

                    # Expected: 2 removals (matches the two current URIs), 3 additions
                    # (matches the three desired URIs), and one CertSvc restart.
                    Assert-MockCalled -CommandName Remove-CAAuthorityInformationAccess -Exactly -Times 2 -Scope It -ParameterFilter { $OcspUriPath -eq $presentParams.OcspUriPathList }
                    Assert-MockCalled -CommandName Add-CAAuthorityInformationAccess -Exactly -Times 3 -Scope It -ParameterFilter { $OcspUriPath -eq $presentParams.OcspUriPathList }
                    Assert-MockCalled -CommandName Restart-ServiceIfExists -Exactly -Times 1 -Scope It -ParameterFilter { $Name -eq 'CertSvc' }
                }
            }

            Context 'When ensure equals present, and OCSP record is missing, and $RestartService equals $false' {
                # Same two-URI current state as above, with RestartService = $false.
                $missingOcspUriPathRestartServiceFalse = @{
                    OcspUriPath      = @(
                        'http://primary-ocsp-responder/ocsp'
                        'http://secondary-ocsp-responder/ocsp'
                    )
                    Ensure           = 'Present'
                    IsSingleInstance = 'Yes'
                    RestartService   = $false
                }

                Mock -CommandName Get-TargetResource -MockWith { $missingOcspUriPathRestartServiceFalse }

                It 'Should call the expected mocks' {
                    Set-TargetResource @setRestartServiceFalsePresentParams

                    # Same add/remove counts as the previous Context; the service
                    # restart must not happen.
                    Assert-MockCalled -CommandName Remove-CAAuthorityInformationAccess -Exactly -Times 2 -Scope It -ParameterFilter { $OcspUriPath -eq $setRestartServiceFalsePresentParams.OcspUriPathList }
                    Assert-MockCalled -CommandName Add-CAAuthorityInformationAccess -Exactly -Times 3 -Scope It -ParameterFilter { $OcspUriPath -eq $setRestartServiceFalsePresentParams.OcspUriPathList }
                    Assert-MockCalled -CommandName Restart-ServiceIfExists -Exactly -Times 0 -Scope It -ParameterFilter { $Name -eq 'CertSvc' }
                }
            }

            Context 'When ensure equals absent, and OCSP records are present, and $RestartService equals $true' {
                # Current state: all three URIs present.
                Mock -CommandName Get-TargetResource -MockWith { $presentParams }

                It 'Should call the expected mocks' {
                    Set-TargetResource @absentParams

                    # Expected: 3 removals, no additions, one CertSvc restart.
                    Assert-MockCalled -CommandName Remove-CAAuthorityInformationAccess -Exactly -Times 3 -Scope It -ParameterFilter { $OcspUriPath -eq $absentParams.OcspUriPathList }
                    Assert-MockCalled -CommandName Add-CAAuthorityInformationAccess -Exactly -Times 0 -Scope It -ParameterFilter { $OcspUriPath -eq $absentParams.OcspUriPathList }
                    Assert-MockCalled -CommandName Restart-ServiceIfExists -Exactly -Times 1 -Scope It -ParameterFilter { $Name -eq 'CertSvc' }
                }
            }

            Context 'When ensure equals absent, and OCSP records are present, and $RestartService equals $false' {
                # Current state: all three URIs present, RestartService = $false.
                Mock -CommandName Get-TargetResource -MockWith { $setRestartServiceFalsePresentParams }

                It 'Should call the expected mocks' {
                    Set-TargetResource @setRestartServiceFalseAbsentParams

                    # Expected: 3 removals, no additions, no service restart.
                    Assert-MockCalled -CommandName Remove-CAAuthorityInformationAccess -Exactly -Times 3 -Scope It -ParameterFilter { $OcspUriPath -eq $setRestartServiceFalseAbsentParams.OcspUriPathList }
                    Assert-MockCalled -CommandName Add-CAAuthorityInformationAccess -Exactly -Times 0 -Scope It -ParameterFilter { $OcspUriPath -eq $setRestartServiceFalseAbsentParams.OcspUriPathList }
                    Assert-MockCalled -CommandName Restart-ServiceIfExists -Exactly -Times 0 -Scope It -ParameterFilter { $Name -eq 'CertSvc' }
                }
            }
        }

        # Test-TargetResource: each Context mocks Get-CAAuthorityInformationAccess to
        # return a given set of OCSP records and checks whether the resource reports
        # the configuration as being in the desired state.
        Describe "$DSCResourceName\Test-TargetResource" -Tag 'Test' {
            Context 'When ensure equals present and in desired state' {
                # The three records match the three URIs in $presentParams.
                $desiredStateRecordReturned = @(
                    @{
                        AddToCertificateAia  = 'false'
                        AddToCertificateOcsp = 'true'
                        Uri                  = 'http://primary-ocsp-responder/ocsp'
                    }
                    @{
                        AddToCertificateAia  = 'false'
                        AddToCertificateOcsp = 'true'
                        Uri                  = 'http://secondary-ocsp-responder/ocsp'
                    }
                    @{
                        AddToCertificateAia  = 'false'
                        AddToCertificateOcsp = 'true'
                        Uri                  = 'http://tertiary-ocsp-responder/ocsp'
                    }
                )

                Mock -CommandName 'Get-CAAuthorityInformationAccess' -MockWith { $desiredStateRecordReturned }

                It 'Should return $true' {
                    $result = Test-TargetResource @presentParams

                    $result | Should -Be $true
                }
            }

            Context 'When ensure equals absent and in desired state' {
                # No records configured.
                $absentStateRecordReturned = @()

                Mock -CommandName 'Get-CAAuthorityInformationAccess' -MockWith { $absentStateRecordReturned }

                It 'Should return $true' {
                    $result = Test-TargetResource @absentParams

                    $result | Should -Be $true
                }
            }

            Context 'When ensure equals present, but not in desired state, and no values stored in OCSP records when passing in a value for OCSP' {
                # Mock without -MockWith: the mocked command returns nothing.
                Mock -CommandName 'Get-CAAuthorityInformationAccess'

                It 'Should return $false' {
                    $result = Test-TargetResource @presentParams

                    $result | Should -Be $false
                }
            }

            Context 'When ensure equals present, but not in desired state, and different values are stored in OCSP records when passing in a value for OCSP' {
                # Only one of the three desired URIs is configured.
                $singleRecordReturned = @{
                    AddToCertificateAia  = 'false'
                    AddToCertificateOcsp = 'true'
                    Uri                  = 'http://secondary-ocsp-responder/ocsp'
                }

                Mock -CommandName 'Get-CAAuthorityInformationAccess' -MockWith { $singleRecordReturned }

                It 'Should return $false' {
                    $result = Test-TargetResource @presentParams

                    $result | Should -Be $false
                }
            }

            Context 'When ensure equals absent, but not in desired state, and OCSP record is returned' {
                # One record is still configured although none should be.
                $ocspRecordReturned = @(
                    @{
                        AddToCertificateAia  = 'false'
                        AddToCertificateOcsp = 'true'
                        Uri                  = 'http://secondary-ocsp-responder/ocsp'
                    }
                )

                Mock -CommandName 'Get-CAAuthorityInformationAccess' -MockWith { $ocspRecordReturned }

                It 'Should return $false' {
                    $result = Test-TargetResource @absentParams

                    $result | Should -Be $false
                }
            }

            Context 'When ensure equals present, but not in desired state, and OCSP record # 3 contains a typographical error' {
                # Same count as desired (three), but the third URI is misspelled
                # ('tertiaryyy'), so the lists differ by value only.
                $wrongOcspRecordReturned = @(
                    @{
                        AddToCertificateAia  = 'false'
                        AddToCertificateOcsp = 'true'
                        Uri                  = 'http://primary-ocsp-responder/ocsp'
                    }
                    @{
                        AddToCertificateAia  = 'false'
                        AddToCertificateOcsp = 'true'
                        Uri                  = 'http://secondary-ocsp-responder/ocsp'
                    }
                    @{
                        AddToCertificateAia  = 'false'
                        AddToCertificateOcsp = 'true'
                        Uri                  = 'http://tertiaryyy-ocsp-responder/ocsp'
                    }
                )

                Mock -CommandName 'Get-CAAuthorityInformationAccess' -MockWith { $wrongOcspRecordReturned }

                It 'Should return $false' {
                    $result = Test-TargetResource @presentParams

                    $result | Should -Be $false
                }
            }

            Context 'When ensure equals present, but not in desired state, and counts do not match, and additional OCSP URI record returned' {
                # Four records against three desired URIs.
                # NOTE(review): the third record here also carries the misspelled
                # 'tertiaryyy' host, so this case differs from the desired list in
                # two ways at once. It does not show on its own that an extra,
                # unexpected responder URI appended to an otherwise correct list is
                # reported as drift - consider a case with the three correct URIs
                # plus the additional one.
                $additionalOcspRecordReturned = @(
                    @{
                        AddToCertificateAia  = 'false'
                        AddToCertificateOcsp = 'true'
                        Uri                  = 'http://primary-ocsp-responder/ocsp'
                    }
                    @{
                        AddToCertificateAia  = 'false'
                        AddToCertificateOcsp = 'true'
                        Uri                  = 'http://secondary-ocsp-responder/ocsp'
                    }
                    @{
                        AddToCertificateAia  = 'false'
                        AddToCertificateOcsp = 'true'
                        Uri                  = 'http://tertiaryyy-ocsp-responder/ocsp'
                    }
                    @{
                        AddToCertificateAia  = 'false'
                        AddToCertificateOcsp = 'true'
                        Uri                  = 'http://rogue-ocsp-responder/ocsp'
                    }
                )

                Mock -CommandName 'Get-CAAuthorityInformationAccess' -MockWith { $additionalOcspRecordReturned }

                It 'Should return $false' {
                    $result = Test-TargetResource @presentParams

                    $result | Should -Be $false
                }
            }
        }
    }
}

finally
{
    Restore-TestEnvironment -TestEnvironment $TestEnvironment
    Remove-Module -Name AdcsStub -Force
}