Tests/Unit/MSFT_AdcsEnrollmentPolicyWebService.Tests.ps1

$script:DSCModuleName = 'ActiveDirectoryCSDsc'
$script:DSCResourceName = 'MSFT_AdcsEnrollmentPolicyWebService'

Import-Module -Name (Join-Path -Path (Join-Path -Path (Split-Path $PSScriptRoot -Parent) -ChildPath 'TestHelpers') -ChildPath 'CommonTestHelper.psm1') -Global

#region HEADER
# Unit Test Template Version: 1.1.0
$script:moduleRoot = Split-Path -Parent (Split-Path -Parent $PSScriptRoot)
if ( (-not (Test-Path -Path (Join-Path -Path $script:moduleRoot -ChildPath 'DSCResource.Tests'))) -or `
    (-not (Test-Path -Path (Join-Path -Path $script:moduleRoot -ChildPath 'DSCResource.Tests\TestHelper.psm1'))) )
{
    & git @('clone', 'https://github.com/PowerShell/DscResource.Tests.git', (Join-Path -Path $script:moduleRoot -ChildPath '\DSCResource.Tests\'))
}

Import-Module -Name (Join-Path -Path $script:moduleRoot -ChildPath 'DSCResource.Tests\TestHelper.psm1') -Force
$TestEnvironment = Initialize-TestEnvironment `
    -DSCModuleName $script:DSCModuleName `
    -DSCResourceName $script:DSCResourceName `
    -TestType Unit
#endregion

try
{
    InModuleScope $script:DSCResourceName {
        if (-not ([System.Management.Automation.PSTypeName]'Microsoft.CertificateServices.Deployment.Commands.CEP.EnrollmentPolicyServiceSetupException').Type)
        {
            # Define the exception class:
            # Microsoft.CertificateServices.Deployment.Commands.CEP.EnrollmentPolicyServiceSetupException
            # so that unit tests can be run without ADCS being installed.

            $ExceptionDefinition = @'
namespace Microsoft.CertificateServices.Deployment.Commands.CEP {
    public class EnrollmentPolicyServiceSetupException: System.Exception {
    }
}
'@

            Add-Type -TypeDefinition $ExceptionDefinition
        }

        $dummyCredential = New-Object `
            -TypeName System.Management.Automation.PSCredential `
            -ArgumentList ('Administrator', (New-Object -TypeName SecureString))

        $testParametersPresent = @{
            AuthenticationType = 'Certificate'
            SslCertThumbprint  = 'B2E43FF3E02D1EE767C06BD905F292E33BD14C1A'
            Credential         = $dummyCredential
            KeyBasedRenewal    = $true
            Ensure             = 'Present'
            Verbose            = $true
        }

        $testParametersAbsent = $testParametersPresent.Clone()
        $testParametersAbsent.Ensure = 'Absent'

        $testParametersGet = @{
            AuthenticationType = 'Certificate'
            SslCertThumbprint  = 'B2E43FF3E02D1EE767C06BD905F292E33BD14C1A'
            Credential         = $dummyCredential
            KeyBasedRenewal    = $true
            Verbose            = $true
        }

        $invalidThumbprint = 'Zebra'

        # This thumbprint is valid (but not FIPS valid)
        $validThumbprint = (
            [System.AppDomain]::CurrentDomain.GetAssemblies().GetTypes() | Where-Object {
                $_.BaseType.BaseType -eq [System.Security.Cryptography.HashAlgorithm] -and
                ($_.Name -cmatch 'Managed$' -or $_.Name -cmatch 'Provider$')
            } | Select-Object -First 1 | ForEach-Object {
                (New-Object $_).ComputeHash([String]::Empty) | ForEach-Object {
                    '{0:x2}' -f $_
                }
            }
        ) -join ''

        # This thumbprint is valid for FIPS
        $validFipsThumbprint = (
            [System.AppDomain]::CurrentDomain.GetAssemblies().GetTypes() | Where-Object {
                $_.BaseType.BaseType -eq [System.Security.Cryptography.HashAlgorithm] -and
                ($_.Name -cmatch 'Provider$' -and $_.Name -cnotmatch 'MD5')
            } | Select-Object -First 1 | ForEach-Object {
                (New-Object $_).ComputeHash([String]::Empty) | ForEach-Object {
                    '{0:x2}' -f $_
                }
            }
        ) -join ''

        function Install-AdcsEnrollmentPolicyWebService
        {
            [CmdletBinding()]
            param
            (
                [Parameter()]
                [ValidateSet('Certificate', 'Kerberos', 'UserName')]
                [System.String]
                $AuthenticationType,

                [Parameter()]
                [System.String]
                $SslCertThumbprint,

                [Parameter()]
                [System.Management.Automation.PSCredential]
                $Credential,

                [Parameter()]
                [System.Boolean]
                $KeyBasedRenewal = $false,

                [Parameter()]
                [Switch]
                $Force,

                [Parameter()]
                [Switch]
                $WhatIf
            )
        }

        function Uninstall-AdcsEnrollmentPolicyWebService
        {
            [CmdletBinding()]
            param
            (
                [ValidateSet('Certificate', 'Kerberos', 'UserName')]
                [String]
                $AuthenticationType,

                [Parameter()]
                [System.Boolean]
                $KeyBasedRenewal,

                [Parameter()]
                [Switch]
                $Force
            )
        }

        Describe 'MSFT_AdcsEnrollmentPolicyWebService\Get-TargetResource' {
            Context 'When the Enrollment Policy Web Service is installed' {
                Mock `
                    -CommandName Test-AdcsEnrollmentPolicyWebServiceInstallState `
                    -MockWith { $true }

                $result = Get-TargetResource @testParametersGet

                It 'Should return Ensure set to Present' {
                    $result.Ensure | Should -Be 'Present'
                }

                It 'Should call expected mocks' {
                    Assert-VerifiableMock

                    Assert-MockCalled `
                        -CommandName Test-AdcsEnrollmentPolicyWebServiceInstallState `
                        -Exactly `
                        -Times 1
                }
            }

            Context 'When the Enrollment Policy Web Service is not installed' {
                Mock `
                    -CommandName Test-AdcsEnrollmentPolicyWebServiceInstallState `
                    -MockWith { $false }

                $result = Get-TargetResource @testParametersGet

                It 'Should return Ensure set to Absent' {
                    $result.Ensure | Should -Be 'Absent'
                }

                It 'Should call expected mocks' {
                    Assert-MockCalled `
                        -CommandName Test-AdcsEnrollmentPolicyWebServiceInstallState `
                        -Exactly `
                        -Times 1
                }
            }
        }

        Describe 'MSFT_AdcsEnrollmentPolicyWebService\Set-TargetResource' {
            Context 'When the Enrollment Policy Web Service is not installed but should be' {
                Mock -CommandName Install-AdcsEnrollmentPolicyWebService
                Mock -CommandName Uninstall-AdcsEnrollmentPolicyWebService

                It 'Should not throw an exception' {
                    { Set-TargetResource @testParametersPresent } | Should -Not -Throw
                }

                It 'Should call expected mocks' {
                    Assert-MockCalled `
                        -CommandName Install-AdcsEnrollmentPolicyWebService `
                        -Exactly `
                        -Times 1

                    Assert-MockCalled `
                        -CommandName Uninstall-AdcsEnrollmentPolicyWebService `
                        -Exactly `
                        -Times 0
                }
            }

            Context 'When the Enrollment Policy Web Service is not installed but should be but an error string is returned installing it' {
                Mock -CommandName Install-AdcsEnrollmentPolicyWebService `
                    -MockWith {
                    [PSObject] @{ ErrorString = 'Something went wrong' }
                }

                Mock -CommandName Uninstall-AdcsEnrollmentPolicyWebService

                It 'Should not throw an exception' {
                    $errorRecord = Get-InvalidOperationRecord -Message 'Something went wrong'

                    { Set-TargetResource @testParametersPresent } | Should -Throw $errorRecord
                }

                It 'Should call expected mocks' {
                    Assert-MockCalled `
                        -CommandName Install-AdcsEnrollmentPolicyWebService `
                        -Exactly `
                        -Times 1

                    Assert-MockCalled `
                        -CommandName Uninstall-AdcsEnrollmentPolicyWebService `
                        -Exactly `
                        -Times 0
                }
            }

            Context 'When the Enrollment Policy Web Service is not installed but should be but an exception is thrown installing it' {
                Mock -CommandName Install-AdcsEnrollmentPolicyWebService `
                    -MockWith { throw 'Something went wrong' }

                Mock -CommandName Uninstall-AdcsEnrollmentPolicyWebService

                It 'Should not throw an exception' {
                    $errorRecord = Get-InvalidOperationRecord -Message 'Something went wrong'

                    { Set-TargetResource @testParametersPresent } | Should -Throw $errorRecord
                }

                It 'Should call expected mocks' {
                    Assert-MockCalled `
                        -CommandName Install-AdcsEnrollmentPolicyWebService `
                        -Exactly `
                        -Times 1

                    Assert-MockCalled `
                        -CommandName Uninstall-AdcsEnrollmentPolicyWebService `
                        -Exactly `
                        -Times 0
                }
            }

            Context 'When the Enrollment Policy Web Service is installed but should not be' {
                Mock -CommandName Install-AdcsEnrollmentPolicyWebService
                Mock -CommandName Uninstall-AdcsEnrollmentPolicyWebService

                It 'Should not throw an exception' {
                    { Set-TargetResource @testParametersAbsent } | Should -Not -Throw
                }

                It 'Should call expected mocks' {
                    Assert-MockCalled `
                        -CommandName Install-AdcsEnrollmentPolicyWebService `
                        -Exactly `
                        -Times 0

                    Assert-MockCalled `
                        -CommandName Uninstall-AdcsEnrollmentPolicyWebService `
                        -Exactly `
                        -Times 1
                }
            }
        }

        Describe 'MSFT_AdcsEnrollmentPolicyWebService\Test-TargetResource' {
            Context 'When the Enrollment Policy Web Service is installed' {
                Context 'When the Enrollment Policy Web Service should be installed' {
                    Mock `
                        -CommandName Test-AdcsEnrollmentPolicyWebServiceInstallState `
                        -MockWith { $true }

                    $result = Test-TargetResource @testParametersPresent

                    It 'Should return true' {
                        $result | Should -Be $True
                    }

                    It 'Should call expected mocks' {
                        Assert-MockCalled `
                            -CommandName Test-AdcsEnrollmentPolicyWebServiceInstallState `
                            -Exactly `
                            -Times 1
                    }
                }

                Context 'When the Enrollment Policy Web Service should not be installed' {
                    Mock `
                        -CommandName Test-AdcsEnrollmentPolicyWebServiceInstallState `
                        -MockWith { $true }

                    $result = Test-TargetResource @testParametersAbsent

                    It 'Should return false' {
                        $result | Should -Be $False
                    }

                    It 'Should call expected mocks' {
                        Assert-MockCalled `
                            -CommandName Test-AdcsEnrollmentPolicyWebServiceInstallState `
                            -Exactly `
                            -Times 1
                    }
                }
            }

            Context 'When the Enrollment Policy Web Service is not installed' {
                Context 'When the Enrollment Policy Web Service should be installed' {
                    Mock `
                        -CommandName Test-AdcsEnrollmentPolicyWebServiceInstallState `
                        -MockWith { $false }

                    $result = Test-TargetResource @testParametersPresent

                    It 'Should return false' {
                        $result | Should -Be $false
                    }

                    It 'Should call expected mocks' {
                        Assert-MockCalled `
                            -CommandName Test-AdcsEnrollmentPolicyWebServiceInstallState `
                            -Exactly `
                            -Times 1
                    }
                }

                Context 'When the Enrollment Policy Web Service should not be installed' {
                    Mock `
                        -CommandName Test-AdcsEnrollmentPolicyWebServiceInstallState `
                        -MockWith { $false }

                    $result = Test-TargetResource @testParametersAbsent

                    It 'Should return true' {
                        $result | Should -Be $True
                    }

                    It 'Should call expected mocks' {
                        Assert-MockCalled `
                            -CommandName Test-AdcsEnrollmentPolicyWebServiceInstallState `
                            -Exactly `
                            -Times 1
                    }
                }
            }
        }

        Describe 'MSFT_AdcsEnrollmentPolicyWebService\Test-AdcsEnrollmentPolicyWebServiceInstallState' {
            $testAdcsEnrollmentPolicyWebServiceInstallStateTestCases = @(
                @{
                    AuthenticationType = 'Certificate'
                    KeyBasedRenewal    = $false
                    WebAppName         = 'ADPolicyProvider_CEP_Certificate'
                    Applicationpool    = 'WSEnrollmentPolicyServer'
                    PhysicalPath       = "C:\Windows\SystemData\CEP\ADPolicyProvider_CEP_Certificate"
                },
                @{
                    AuthenticationType = 'Certificate'
                    KeyBasedRenewal    = $true
                    WebAppName         = 'KeyBasedRenewal_ADPolicyProvider_CEP_Certificate'
                    Applicationpool    = 'WSEnrollmentPolicyServer'
                    PhysicalPath       = "C:\Windows\SystemData\CEP\KeyBasedRenewal_ADPolicyProvider_CEP_Certificate"
                },
                @{
                    AuthenticationType = 'Kerberos'
                    KeyBasedRenewal    = $false
                    WebAppName         = 'ADPolicyProvider_CEP_Kerberos'
                    Applicationpool    = 'WSEnrollmentPolicyServer'
                    PhysicalPath       = "C:\Windows\SystemData\CEP\ADPolicyProvider_CEP_Kerberos"
                },
                @{
                    AuthenticationType = 'UserName'
                    KeyBasedRenewal    = $false
                    WebAppName         = 'ADPolicyProvider_CEP_UsernamePassword'
                    Applicationpool    = 'WSEnrollmentPolicyServer'
                    PhysicalPath       = "C:\Windows\SystemData\CEP\ADPolicyProvider_CEP_UsernamePassword"
                },
                @{
                    AuthenticationType = 'UserName'
                    KeyBasedRenewal    = $true
                    WebAppName         = 'KeyBasedRenewal_ADPolicyProvider_CEP_UsernamePassword'
                    Applicationpool    = 'WSEnrollmentPolicyServer'
                    PhysicalPath       = "C:\Windows\SystemData\CEP\KeyBasedRenewal_ADPolicyProvider_CEP_UsernamePassword"
                }
            )
            $mockAdcsEnrollmentPolicyWebServiceInstallStateAllInstalled = {
                $testAdcsEnrollmentPolicyWebServiceInstallStateTestCases
            }
            $mockAdcsEnrollmentPolicyWebServiceInstallStateNoneInstalled = {
                @()
            }

            Context 'When matching Enrollment Policy Web Service is installed' {
                BeforeEach {
                    Mock `
                        -CommandName Get-WebApplication `
                        -MockWith $mockAdcsEnrollmentPolicyWebServiceInstallStateAllInstalled
                }

                It 'Given AuthenticationType <AuthenticationType> and KeyBasedRenewal <KeyBasedRenewal> it should return $true' -TestCases $testAdcsEnrollmentPolicyWebServiceInstallStateTestCases {
                    param (
                        [Parameter()]
                        $AuthenticationType,

                        [Parameter()]
                        $KeyBasedRenewal,

                        [Parameter()]
                        $WebAppName,

                        [Parameter()]
                        $Applicationpool,

                        [Parameter()]
                        $PhysicalPath
                    )
                    $result = Test-AdcsEnrollmentPolicyWebServiceInstallState `
                        -AuthenticationType $AuthenticationType `
                        -KeyBasedRenewal:$KeyBasedRenewal `
                        -Verbose

                    $result | Should -Be $true
                }
            }

            Context 'When matching Enrollment Policy Web Service is not installed' {
                BeforeEach {
                    Mock `
                        -CommandName Get-WebApplication `
                        -MockWith $mockAdcsEnrollmentPolicyWebServiceInstallStateNoneInstalled
                }

                It 'Given AuthenticationType <AuthenticationType> and KeyBasedRenewal <KeyBasedRenewal> it should return $false' -TestCases $testAdcsEnrollmentPolicyWebServiceInstallStateTestCases {
                    param (
                        [Parameter()]
                        $AuthenticationType,

                        [Parameter()]
                        $KeyBasedRenewal,

                        [Parameter()]
                        $WebAppName,

                        [Parameter()]
                        $Applicationpool,

                        [Parameter()]
                        $PhysicalPath
                    )
                    $result = Test-AdcsEnrollmentPolicyWebServiceInstallState `
                        -AuthenticationType $AuthenticationType `
                        -KeyBasedRenewal:$KeyBasedRenewal `
                        -Verbose

                    $result | Should -Be $false
                }
            }
        }

        Describe 'MSFT_AdcsEnrollmentPolicyWebService\Test-Thumbprint' {
            Context 'When FIPS not set' {
                Context 'When a single valid thumbrpint by parameter is passed' {
                    $result = Test-Thumbprint -Thumbprint $validThumbprint
                    It 'Should return true' {
                        $result | Should -BeOfType [System.Boolean]
                        $result | Should -Be $true
                    }
                }

                Context 'When a single invalid thumbprint by parameter is passed' {
                    It 'Should throw an exception' {
                        { Test-Thumbprint -Thumbprint $invalidThumbprint } | Should -Throw
                    }
                }

                Context 'When a single invalid thumbprint by parameter with -Quiet is passed' {
                    $result = Test-Thumbprint $invalidThumbprint -Quiet
                    It 'Should return false' {
                        $result | Should -BeOfType [System.Boolean]
                        $result | Should -Be $false
                    }
                }

                Context 'When a single valid thumbprint by pipeline is passed' {
                    $result = $validThumbprint | Test-Thumbprint
                    It 'Should return true' {
                        $result | Should -BeOfType [System.Boolean]
                        $result | Should -Be $true
                    }
                }

                Context 'When a single invalid thumbprint by pipeline is passed' {
                    It 'Should throw an exception' {
                        { $invalidThumbprint | Test-Thumbprint } | Should -Throw
                    }
                }

                Context 'When a single invalid thumbprint by pipeline with -Quiet is passed' {
                    $result = $invalidThumbprint | Test-Thumbprint -Quiet
                    It 'Should return false' {
                        $result | Should -BeOfType [System.Boolean]
                        $result | Should -Be $false
                    }
                }
            }

            Context 'When FIPS is enabled' {
                Mock -CommandName Get-ItemProperty -MockWith { @{ Enabled = 1 } }

                Context 'When a single valid FIPS thumbrpint by parameter is passed' {
                    $result = Test-Thumbprint -Thumbprint $validFipsThumbprint
                    It 'Should return true' {
                        $result | Should -BeOfType [System.Boolean]
                        $result | Should -Be $true
                    }
                }

                Context 'When a single invalid FIPS thumbprint by parameter is passed' {
                    It 'Should throw an exception' {
                        { Test-Thumbprint -Thumbprint $validThumbprint } | Should -Throw
                    }
                }

                Context 'When a single invalid FIPS thumbprint by parameter with -Quiet is passed' {
                    $result = Test-Thumbprint $validThumbprint -Quiet
                    It 'Should return false' {
                        $result | Should -BeOfType [System.Boolean]
                        $result | Should -Be $false
                    }
                }

                Context 'When a single valid FIPS thumbprint by pipeline is passed' {
                    $result = $validFipsThumbprint | Test-Thumbprint
                    It 'Should return true' {
                        $result | Should -BeOfType [System.Boolean]
                        $result | Should -Be $true
                    }
                }

                Context 'When a single invalid FIPS thumbprint by pipeline is passed' {
                    It 'Should throw an exception' {
                        { $validThumbprint | Test-Thumbprint } | Should -Throw
                    }
                }

                Context 'When a single invalid FIPS thumbprint by pipeline with -Quiet is passed' {
                    $result = $validThumbprint | Test-Thumbprint -Quiet
                    It 'Should return false' {
                        $result | Should -BeOfType [System.Boolean]
                        $result | Should -Be $false
                    }
                }
            }
        }
    }
    #endregion
}
finally
{
    #region FOOTER
    Restore-TestEnvironment -TestEnvironment $TestEnvironment
    #endregion
}