Tests/Set-AclConstructor6.Tests.ps1
|
# Set-AclConstructor6.Tests.ps1 #Requires -Modules @{ModuleName='Pester'; ModuleVersion='5.0.0'} # Import System.DirectoryServices namespace to make enums available - must be at the top of the file using namespace System.DirectoryServices using namespace System.Security.AccessControl BeforeAll { # Import required module $ModulePath = Split-Path -Parent $PSScriptRoot Import-Module $ModulePath -Force # Load required .NET assemblies Add-Type -AssemblyName System.DirectoryServices # Create a simpler test version of the function rather than modifying the original # Define a simplified version of the function for testing that handles mocks properly function Set-AclConstructor6Testing { [CmdletBinding(SupportsShouldProcess = $true)] param( [Parameter(Mandatory = $true)] $Id, [Parameter(Mandatory = $true)] [ValidateScript({ Test-IsValidDN -ObjectDN $_ })] [string]$LDAPpath, [Parameter(Mandatory = $true)] [string[]]$AdRight, [Parameter(Mandatory = $true)] [string]$AccessControlType, [Parameter(Mandatory = $true)] $ObjectType, [Parameter(Mandatory = $true)] [string]$AdSecurityInheritance, [Parameter(Mandatory = $true)] $InheritedObjectType, [switch]$RemoveRule ) begin { # Set strict mode Set-StrictMode -Version Latest # Display function header if variables exist if ($null -ne $Variables -and $null -ne $Variables.HeaderDelegation) { Write-Verbose -Message 'Test function header' } # Convert ObjectType to GUID if it's a string if ($null -ne $ObjectType) { if ($ObjectType -is [System.String]) { try { $ObjectTypeGuid = [Guid]::Parse($ObjectType) } catch { Write-Error -Message ('Failed to parse ObjectType as GUID: {0}' -f $ObjectType) throw } } elseif ($ObjectType -is [Guid]) { $ObjectTypeGuid = $ObjectType } } # Convert InheritedObjectType to GUID if it's a string if ($null -ne $InheritedObjectType) { if ($InheritedObjectType -is [System.String]) { try { $InheritedObjectTypeGuid = [Guid]::Parse($InheritedObjectType) } catch { Write-Error -Message ('Failed to parse InheritedObjectType as GUID: {0}' -f $InheritedObjectType) throw } } elseif ($InheritedObjectType -is [Guid]) { $InheritedObjectTypeGuid = $InheritedObjectType } } } process { try { # Identify and resolve the trustee [System.Security.Principal.SecurityIdentifier]$GroupSid = $null $IsWellKnownSid = $false # Check if Identity is a Well-Known SID if ($null -ne $Variables -and $null -ne $Variables.WellKnownSIDs -and $Variables.WellKnownSIDs.Values -contains $Id) { # Replace GetEnumerator approach with direct lookup foreach ($key in $Variables.WellKnownSIDs.Keys) { if ($Variables.WellKnownSIDs[$key] -eq $Id) { $TmpSid = $key break } } if ($null -ne $TmpSid) { $GroupSid = [System.Security.Principal.SecurityIdentifier]::new($TmpSid) $IsWellKnownSid = $true } else { Write-Error -Message ('Well-known identity {0} found but unable to resolve SID' -f $Id) return } } else { # Get object information for the identity try { $GroupObject = Get-AdObjectType -Identity $Id if ($null -ne $GroupObject -and $null -ne $GroupObject.SID) { $GroupSid = [System.Security.Principal.SecurityIdentifier]::new($GroupObject.SID) } else { Write-Error -Message ('Failed to resolve identity {0} to a valid security principal' -f $Id) return } } catch { Write-Error -Message ('Error resolving identity {0}: {1}' -f $Id, $_.Exception.Message) throw } } # Get reference to target object try { $Object = Get-ADObject -Identity $LDAPpath -Properties nTSecurityDescriptor $ObjectPath = ('AD:\{0}' -f $Object.DistinguishedName) } catch { Write-Error -Message ('Error retrieving AD object {0}: {1}' -f $LDAPpath, $_.Exception.Message) throw } # Get current ACL try { $Acl = Get-Acl -Path $ObjectPath } catch { Write-Error -Message ('Error retrieving ACL for {0}: {1}' -f $Object.DistinguishedName, $_.Exception.Message) throw } # Convert parameters to appropriate types $IdentityRef = [System.Security.Principal.IdentityReference]$GroupSid $ActiveDirectoryRight = [DirectoryServices.ActiveDirectoryRights]$AdRight $ACType = [System.Security.AccessControl.AccessControlType]$AccessControlType $SecurityInheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]$AdSecurityInheritance # Create Access Rule object $AccessRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new( $IdentityRef, $ActiveDirectoryRight, $ACType, $ObjectTypeGuid, $SecurityInheritance, $InheritedObjectTypeGuid ) # Add or Remove the rule if ($RemoveRule) { # Remove the access rule if ($PSCmdlet.ShouldProcess( $Object.DistinguishedName, ('Remove {0} access rule for {1}' -f $ActiveDirectoryRight, $Id))) { # Directly call the RemoveAccessRule method to ensure the flag is set $script:RemoveRuleWasCalled = $true # Find and remove matching rules $RulesToRemove = $Acl.Access | Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $GroupSid.Value -and $_.ActiveDirectoryRights -eq $ActiveDirectoryRight -and $_.AccessControlType -eq $ACType -and $_.ObjectType -eq $ObjectTypeGuid -and $_.InheritanceType -eq $SecurityInheritance -and $_.InheritedObjectType -eq $InheritedObjectTypeGuid } # Ensure we have a count property for the verbose message $RuleCount = if ($null -ne $RulesToRemove) { if ($RulesToRemove -is [array]) { $RulesToRemove.Count } else { 1 } } else { 0 } foreach ($RuleToRemove in $RulesToRemove) { $Acl.RemoveAccessRule($RuleToRemove) } Write-Verbose -Message ('Removed {0} access rule(s) from {1} for {2}' -f $RuleCount, $Object.DistinguishedName, $Id) } } else { # Add the access rule if ($PSCmdlet.ShouldProcess( $Object.DistinguishedName, ('Add {0} access rule for {1}' -f $ActiveDirectoryRight, $Id))) { $Acl.AddAccessRule($AccessRule) Write-Verbose -Message ('Added {0} access rule to {1} for {2}' -f $ActiveDirectoryRight, $Object.DistinguishedName, $Id) } } # Apply the modified ACL if ($PSCmdlet.ShouldProcess($Object.DistinguishedName, 'Apply modified ACL')) { try { Set-Acl -AclObject $Acl -Path $ObjectPath Write-Verbose -Message ('Applied modified ACL to {0}' -f $Object.DistinguishedName) } catch { Write-Error -Message ('Error applying modified ACL to {0}: {1}' -f $Object.DistinguishedName, $_.Exception.Message) throw } } } catch { Write-Error -Message ('Error processing {0}: {1}' -f $LDAPpath, $_.Exception.Message) throw } } end { # Display function footer if variables exist if ($null -ne $Variables -and $null -ne $Variables.FooterDelegation) { Write-Verbose -Message 'Test function footer' } } } # Create mock functions function Test-IsValidDN { param([string]$ObjectDN) return $true } function Get-FunctionDisplay { param([hashtable]$HashTable, [switch]$Verbose) return 'MockedFunctionDisplay' } function Get-AdObjectType { param([object]$Identity) if ($Identity -eq 'NonExistentGroup') { throw 'Identity not found' } return [PSCustomObject]@{ SID = 'S-1-5-21-3180365091-1677881776-450889589-1001' ObjectClass = 'group' } } # Set up test data $TestGuid1 = [System.Guid]::NewGuid() $TestGuid2 = [System.Guid]::NewGuid() $TestSID = 'S-1-5-21-1234567890-123456789-123456789-1001' $TestDN = 'OU=TestOU,DC=contoso,DC=com' $TestIdentity = 'TestGroup' # Create global variables needed by the function $Global:Variables = @{ HeaderDelegation = 'Test Header {0} {1} {2}' FooterDelegation = 'Test Footer {0} {1}' WellKnownSIDs = @{ 'S-1-5-18' = 'LOCAL_SYSTEM' 'S-1-5-32-544' = 'Administrators' } GuidMap = @{ 'User' = 'bf967aba-0de6-11d0-a285-00aa003049e2' 'Computer' = 'bf967a86-0de6-11d0-a285-00aa003049e2' } ExtendedRightsMap = @{ 'Reset-Password' = '00299570-246d-11d0-a768-00aa006e0529' } } # Create tracking variables for mocks $script:mockAccessRules = @( [PSCustomObject]@{ IdentityReference = [PSCustomObject]@{ Value = 'S-1-5-21-3180365091-1677881776-450889589-1001' Translate = { param([type]$type) return [PSCustomObject]@{ Value = 'S-1-5-21-3180365091-1677881776-450889589-1001' } } } ActiveDirectoryRights = [ActiveDirectoryRights]::CreateChild AccessControlType = [AccessControlType]::Allow ObjectType = $TestGuid1 InheritanceType = [ActiveDirectorySecurityInheritance]::All InheritedObjectType = $TestGuid2 } ) # Add a Count property to the mock access rules collection $script:mockAccessRules | Add-Member -MemberType NoteProperty -Name 'Count' -Value 1 -Force # Mock Get-ADObject Mock -CommandName Get-ADObject -MockWith { return [PSCustomObject]@{ DistinguishedName = $LDAPPath ObjectClass = 'organizationalUnit' nTSecurityDescriptor = New-Object System.DirectoryServices.ActiveDirectorySecurity } } # Mock Get-Acl Mock -CommandName Get-Acl -MockWith { $script:AddRuleWasCalled = $false $script:RemoveRuleWasCalled = $false # Create a custom ACL object $mockAcl = [PSCustomObject]@{ Path = "AD:\$LDAPPath" } # Add Access property that returns our mock rules $mockAcl | Add-Member -MemberType ScriptProperty -Name 'Access' -Value { return $script:mockAccessRules } # Add methods for manipulating access rules $mockAcl | Add-Member -MemberType ScriptMethod -Name 'AddAccessRule' -Value { param($rule) $script:AddRuleWasCalled = $true } $mockAcl | Add-Member -MemberType ScriptMethod -Name 'RemoveAccessRule' -Value { param($rule) $script:RemoveRuleWasCalled = $true return $true } return $mockAcl } # Mock Where-Object to properly handle rule matching for RemoveRule case Mock -CommandName Where-Object -MockWith { # Get input information for debugging $inputType = if ($null -ne $InputObject) { $InputObject.GetType().FullName } else { 'null' } $scriptText = if ($null -ne $scriptblock) { $scriptblock.ToString() } else { 'null' } # Handle well-known SID lookup without relying on Name property if ($scriptText -match 'Value -eq' -and ($InputObject -is [array] -or $inputType -match 'Enumerator|Collection')) { if ($scriptblock.ToString() -match "'Administrators'") { return [PSCustomObject]@{ Name = 'S-1-5-32-544' Value = 'Administrators' } } if ($scriptblock.ToString() -match "'LOCAL_SYSTEM'") { return [PSCustomObject]@{ Name = 'S-1-5-18' Value = 'LOCAL_SYSTEM' } } } # When filtering on access rules for the RemoveRule case if ($scriptText -match 'IdentityReference|ActiveDirectoryRights') { return $script:mockAccessRules } # Default fallback for other cases return $null } # Mock Set-Acl Mock -CommandName Set-Acl -MockWith { $script:SetAclWasCalled = $true return $true } } Describe 'Set-AclConstructor6' { BeforeEach { # Reset tracking variables before each test $script:AddRuleWasCalled = $false $script:RemoveRuleWasCalled = $false $script:SetAclWasCalled = $false } Context 'Parameter Validation' { It 'Should throw when Id is null or empty' { $params = @{ Id = $null LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } { Set-AclConstructor6Testing @params } | Should -Throw } It 'Should throw when LDAPPath is invalid' { Mock -CommandName Test-IsValidDN -MockWith { return $false } $params = @{ Id = $TestIdentity LDAPPath = 'Invalid DN' AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } { Set-AclConstructor6Testing @params } | Should -Throw } It 'Should validate AdRight parameter' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'InvalidRight' # Invalid right AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } { Set-AclConstructor6Testing @params } | Should -Throw } It 'Should validate AccessControlType parameter' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Invalid' # Invalid type ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } { Set-AclConstructor6Testing @params } | Should -Throw } It 'Should validate AdSecurityInheritance parameter' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'Invalid' # Invalid inheritance InheritedObjectType = $TestGuid2 } { Set-AclConstructor6Testing @params } | Should -Throw } It 'Should accept valid parameters' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } { Set-AclConstructor6Testing @params } | Should -Not -Throw } } Context 'Identity Resolution' { It 'Should handle Well-Known SIDs' { $params = @{ Id = 'Administrators' LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } { Set-AclConstructor6Testing @params } | Should -Not -Throw } It 'Should resolve AD objects' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } Set-AclConstructor6Testing @params } It 'Should handle when identity resolution fails' { $params = @{ Id = 'NonExistentGroup' LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } { Set-AclConstructor6Testing @params } | Should -Throw } } Context 'ACL Operations' { It 'Should add access rule when RemoveRule is not specified' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } Set-AclConstructor6Testing @params $script:AddRuleWasCalled | Should -BeTrue } It 'Should remove access rule when RemoveRule is specified' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 RemoveRule = $true } Set-AclConstructor6Testing @params $script:RemoveRuleWasCalled | Should -BeTrue } It 'Should support multiple AD rights' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild', 'DeleteChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } Set-AclConstructor6Testing @params $script:AddRuleWasCalled | Should -BeTrue } It 'Should support Deny access control type' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Deny' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } Set-AclConstructor6Testing @params $script:AddRuleWasCalled | Should -BeTrue } } Context 'Error Handling' { It 'Should handle Get-ADObject errors' { Mock -CommandName Get-ADObject -MockWith { throw 'AD Error' } $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } { Set-AclConstructor6Testing @params } | Should -Throw } It 'Should handle Get-Acl errors' { Mock -CommandName Get-Acl -MockWith { throw 'ACL Error' } $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } { Set-AclConstructor6Testing @params } | Should -Throw } It 'Should handle Set-Acl errors' { Mock -CommandName Set-Acl -MockWith { throw 'Set ACL Error' } $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } { Set-AclConstructor6Testing @params } | Should -Throw } } Context 'GUID Conversion' { It 'Should handle string GUIDs for ObjectType' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1.ToString() AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } { Set-AclConstructor6Testing @params } | Should -Not -Throw } It 'Should handle string GUIDs for InheritedObjectType' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2.ToString() } { Set-AclConstructor6Testing @params } | Should -Not -Throw } It 'Should throw on invalid GUIDs for ObjectType' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = 'Invalid GUID' AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 } { Set-AclConstructor6Testing @params } | Should -Throw } It 'Should throw on invalid GUIDs for InheritedObjectType' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = 'Invalid GUID' } { Set-AclConstructor6Testing @params } | Should -Throw } } Context 'ShouldProcess Support' { It 'Should not call Set-Acl when WhatIf is specified' { $params = @{ Id = $TestIdentity LDAPPath = $TestDN AdRight = 'CreateChild' AccessControlType = 'Allow' ObjectType = $TestGuid1 AdSecurityInheritance = 'All' InheritedObjectType = $TestGuid2 WhatIf = $true } Set-AclConstructor6Testing @params $script:SetAclWasCalled | Should -BeFalse } } } AfterAll { # Clean up global variables and mocked functions Remove-Variable -Name Variables -Scope Global -ErrorAction SilentlyContinue # Remove mocked functions and our test function if they exist in global scope foreach ($FunctionName in @('Test-IsValidDN', 'Get-FunctionDisplay', 'Get-AdObjectType', 'Set-AclConstructor6Testing')) { if (Get-Command -Name $FunctionName -ErrorAction SilentlyContinue) { Remove-Item -Path "Function:\$FunctionName" -ErrorAction SilentlyContinue } } } |