Analyzers.Tests.ps1

using module .\Analyzers.psm1

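Describe "AccessTokenAnalyzer" -Tags "Unit" {
  # Unit tests for the analyzer returned by Get-Analyzer -Name "AccessTokenAnalyzer".
  # Analyze(upn, accessToken, scp, aud) returns a list of human-readable warning
  # strings; an empty list means the token's aud, scp/roles and upn claims all
  # match what the caller asked for.
  #
  # NOTE(review): the fixtures below are complete signed JWTs
  # (header.payload.signature) from a test tenant. The assertions only depend on
  # the claims inside them, so keep them expired and never replace them with a
  # live token.
  BeforeAll {
    # Delegated (user) token. From the expected messages below it carries
    # aud https://outlook.office365.com, upn AdeleV@M365x43963602.OnMicrosoft.com
    # and scp 'IMAP.AccessAsUser.All User.Read'.
    $userToken = "eyJ0eXAiOiJKV1QiLCJub25jZSI6IjlJcFh2d3c2LTB1a0I5M3VXWjlfSUwtTC1ZdU5jNGY0LWRYTFVRWVZvRVUiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.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.MaTH3mKgSaQdo_x0i2-vjrapFjY9AWsRZZIZqm5gO6fIQgNbEJokvQuPcKI1XaJ91qegms_PW19w66t9DC4QCEN2VfeBJPn9xvdXt2P31Yb9_XtWvjeWWEB6PtVwbABMTGouWve4-Yq4dEEzZjVAzVWvoh-zjAw7QKGL4RxT-wOzfhj_4ZrHiePGdRCApjxQbL0OEYEcmKD8UxstkTMxzspoLVfmgyJeZ7IAsGsqiZm8j7wb9-QPqji_a8To2Ch0k9vEliODi45zPdtMciIOw1-cINh3ZOcJg8uQejP3NzLco9nXI3oJ34xq7o2uaIOK0P15RWkFsR7aQ7vA5J9EyA"
    # Application (client-credentials) token. From the expected messages below it
    # carries roles 'POP.AccessAsApp,IMAP.AccessAsApp',
    # oid 7965520c-5bdf-4700-85c6-106ca8f9ff30 and appId 213dc0c2-a3d6-4015-9c0e-76eec63eda38.
    $appToken = "eyJ0eXAiOiJKV1QiLCJub25jZSI6Ikg3TUlZV0hPc3gxOVB3UmpGdjRWUGtyY2gtMWZhQVZDaTBTUExHZDdncmMiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.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.YSVp914tiLU80AYZm_mIQZnwPX7bVrcyaTYVoljroMTVcix70c5ULsJFJoX0dX8pDTqXNs2HUkxIeSZLnLmZXEedefODTl944FLN0EoXCHEbaPsM_XcVez-3iMTLsDpVkdvVMmiI9d1i1TKEySbCilET9-UAgXSqGW1WWBmmEarfai5p_YDQUDWK97grewRnzYiSSHc8W_6axyFJw4dIyryfB6yoGRc8I-Vnnk1QNOY7AvieQll5aR0XRiOSpiqB2e5cn-rSXyLRIZS3z2g3foBQ86yA926wqXdfQ-QFCCzZvTMDdDxUJ27UagEer2tspijrzAFZktpmQ4QoowBI5Q"

    # The mailbox the user token was issued for, and a deliberately misspelt one.
    $tokenUpn = "AdeleV@M365x43963602.OnMicrosoft.com"
    $otherUpn = "AdelV@M365x43963602.OnMicrosoft.com"
    $exchangeAud = "https://outlook.office365.com"

    # Guidance the analyzer emits for every application token, shared by the two
    # app-token tests below. The mailbox in the message is $otherUpn because that
    # is the upn those tests pass in.
    $appOidMessage = "The AccessToken's oid is 7965520c-5bdf-4700-85c6-106ca8f9ff30 and appId is 213dc0c2-a3d6-4015-9c0e-76eec63eda38. Please make sure you have a service principal in Exchange with the same Ids, " +
      ("and the service principal has been granted access to the target mailbox {0}, as described on " -f $otherUpn) +
      "https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth."
  }

  It "good access token returns empty analyses" {
    $analyzer = Get-Analyzer -Name "AccessTokenAnalyzer"
    $analyses = $analyzer.Analyze($tokenUpn, $userToken, "IMAP.AccessAsUser.All", $exchangeAud)
    $analyses.Count | Should be 0
  }

  It "return warning if aud does not match" {
    $analyzer = Get-Analyzer -Name "AccessTokenAnalyzer"
    # Same host suffix as the token's audience but a different cloud (.us vs .com):
    # the analyzer must compare the whole audience string, not a prefix.
    $analyses = $analyzer.Analyze($tokenUpn, $userToken, "IMAP.AccessAsUser.All", "https://outlook.office365.us")
    $analyses.Count | Should be 1
    $analyses[0] | Should be "The AccessToken is issued for audience https://outlook.office365.com, not https://outlook.office365.us as expected."
  }

  It "return warning if upn does not match" {
    $analyzer = Get-Analyzer -Name "AccessTokenAnalyzer"
    # Two independent mismatches (scope and upn) are both expected, in this order.
    $analyses = $analyzer.Analyze($otherUpn, $userToken, "POP.AccessAsUser.All", $exchangeAud)
    $analyses.Count | Should be 2
    $analyses[0] | Should be "The AccessToken's scp is 'IMAP.AccessAsUser.All User.Read', which doesn't have the required scope 'POP.AccessAsUser.All'."
    $analyses[1] | Should be "The AccessToken is issued for AdeleV@M365x43963602.OnMicrosoft.com, while the target mailbox is AdelV@M365x43963602.OnMicrosoft.com. Please make sure the user has permission to access it."
  }

  It "return warning of oid for app" {
    $analyzer = Get-Analyzer -Name "AccessTokenAnalyzer"
    # The requested role is present, so the only output is the service-principal guidance.
    $analyses = $analyzer.Analyze($otherUpn, $appToken, "POP.AccessAsApp", $exchangeAud)
    $analyses.Count | Should be 1
    $analyses[0] | Should be $appOidMessage
  }

  It "return warning of roles and oid for app" {
    $analyzer = Get-Analyzer -Name "AccessTokenAnalyzer"
    # A delegated scope requested against an app token: the roles check fails and
    # the service-principal guidance still follows.
    $analyses = $analyzer.Analyze($otherUpn, $appToken, "User.Read", $exchangeAud)
    $analyses.Count | Should be 2
    $analyses[0] | Should be "The AccessToken's roles are 'POP.AccessAsApp,IMAP.AccessAsApp', which doesn't have the required scope 'User.Read'."
    $analyses[1] | Should be $appOidMessage
  }
}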