Tests/Unit/MSFT_ADManagedServiceAccount.Tests.ps1
Import-Module -Name (Join-Path -Path $PSScriptRoot -ChildPath '..\TestHelpers\ActiveDirectoryDsc.TestHelper.psm1') if (-not (Test-RunForCITestCategory -Type 'Unit' -Category 'Tests')) { return } $script:dscModuleName = 'ActiveDirectoryDsc' $script:dscResourceName = 'MSFT_ADManagedServiceAccount' #region HEADER # Unit Test Template Version: 1.2.4 $script:moduleRoot = Split-Path -Parent (Split-Path -Parent $PSScriptRoot) if ( (-not (Test-Path -Path (Join-Path -Path $script:moduleRoot -ChildPath 'DSCResource.Tests'))) -or ` (-not (Test-Path -Path (Join-Path -Path $script:moduleRoot -ChildPath 'DSCResource.Tests\TestHelper.psm1'))) ) { & git @('clone', 'https://github.com/PowerShell/DscResource.Tests.git', (Join-Path -Path $script:moduleRoot -ChildPath 'DscResource.Tests')) } Import-Module -Name (Join-Path -Path $script:moduleRoot -ChildPath (Join-Path -Path 'DSCResource.Tests' -ChildPath 'TestHelper.psm1')) -Force $TestEnvironment = Initialize-TestEnvironment ` -DSCModuleName $script:dscModuleName ` -DSCResourceName $script:dscResourceName ` -ResourceType 'Mof' ` -TestType Unit #endregion HEADER function Invoke-TestSetup { } function Invoke-TestCleanup { Restore-TestEnvironment -TestEnvironment $TestEnvironment } # Begin Testing try { Invoke-TestSetup InModuleScope $script:dscResourceName { # Load stub cmdlets and classes. Import-Module (Join-Path -Path $PSScriptRoot -ChildPath 'Stubs\ActiveDirectory_2019.psm1') -Force # Need to do a deep copy of the Array of objects that compare returns function Copy-ArrayObjects { param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Array] $DeepCopyObject ) $memStream = New-Object -TypeName 'IO.MemoryStream' $formatter = New-Object -TypeName 'Runtime.Serialization.Formatters.Binary.BinaryFormatter' $formatter.Serialize($memStream,$DeepCopyObject) $memStream.Position=0 $formatter.Deserialize($memStream) } $mockPath = 'OU=Fake,DC=contoso,DC=com' $mockDomainController = 'MockDC' $mockCredentials = New-Object -TypeName 'System.Management.Automation.PSCredential' -ArgumentList @( 'DummyUser', (ConvertTo-SecureString -String 'DummyPassword' -AsPlainText -Force) ) $mockADUSer = @{ SamAccountName = 'User1' DistinguishedName = 'CN=User1,OU=Fake,DC=contoso,DC=com' Enabled = $true SID = 'S-1-5-21-1409167834-891301383-2860967316-1142' ObjectGUID = '91bffe90-4c84-4026-b1fc-d03671ff56ab' GivenName = '' Name = 'User1' } $mockADComputer = @{ SamAccountName = 'Node1$' DistinguishedName = 'CN=Node1,OU=Fake,DC=contoso,DC=com' Enabled = $true SID = 'S-1-5-21-1409167834-891301383-2860967316-1143' ObjectClass = 'computer' ObjectGUID = '91bffe90-4c84-4026-b1fc-d03671ff56ac' DnsHostName = 'Node1.fake.contoso.com' } $mockSingleServiceAccount = @{ Name = 'TestSMSA' DistinguishedName = "CN={0},{1}" -f ('TestSMSA', $mockPath) Description = 'Dummy single service account for unit testing' DisplayName = '' ObjectClass = 'msDS-ManagedServiceAccount' Enabled = $true SamAccountName = 'TestSMSA' SID = 'S-1-5-21-1409167834-891301383-2860967316-1144' ObjectGUID = '91bffe90-4c84-4026-b1fc-d03671ff56ad' } $mockGroupServiceAccount = @{ Name = 'TestGMSA' DistinguishedName = "CN={0},{1}" -f ('TestGMSA', $mockPath) Description = 'Dummy group service account for unit testing' DisplayName = '' ObjectClass = 'msDS-GroupManagedServiceAccount' Enabled = $true SID = 'S-1-5-21-1409167834-891301383-2860967316-1145' ObjectGUID = '91bffe90-4c84-4026-b1fc-d03671ff56ae' PrincipalsAllowedToRetrieveManagedPassword = @($mockADUSer.SamAccountName, $mockADComputer.SamAccountName) } $mockGetSingleServiceAccount = @{ ServiceAccountName = $mockSingleServiceAccount.Name DistinguishedName = $mockSingleServiceAccount.DistinguishedName Path = $mockPath Description = $mockSingleServiceAccount.Description DisplayName = $mockSingleServiceAccount.DisplayName AccountType = 'Single' AccountTypeForce = $false Ensure = 'Present' Enabled = $true Members = @() MembershipAttribute = 'sAMAccountName' Credential = $mockCredentials DomainController = $mockDomainController } $mockGetGroupServiceAccount = @{ ServiceAccountName = $mockGroupServiceAccount.Name DistinguishedName = $mockGroupServiceAccount.DistinguishedName Path = $mockPath Description = $mockGroupServiceAccount.Description DisplayName = $mockGroupServiceAccount.DisplayName AccountType = 'Group' AccountTypeForce = $false Ensure = 'Present' Enabled = $true Members = $mockGroupServiceAccount.PrincipalsAllowedToRetrieveManagedPassword MembershipAttribute = 'sAMAccountName' Credential = $mockCredentials DomainController = $mockDomainController } $mockCompareSingleServiceAccount = @( [pscustomobject] @{ Parameter = 'ServiceAccountName' Expected = $mockGetSingleServiceAccount.ServiceAccountName Actual = $mockGetSingleServiceAccount.ServiceAccountName Pass = $true } [pscustomobject] @{ Parameter = 'AccountType' Expected = $mockGetSingleServiceAccount.AccountType Actual = $mockGetSingleServiceAccount.AccountType Pass = $true } [pscustomobject] @{ Parameter = 'AccountTypeForce' Expected = $mockGetSingleServiceAccount.AccountTypeForce Actual = $mockGetSingleServiceAccount.AccountTypeForce Pass = $true } [pscustomobject] @{ Parameter = 'Path' Expected = $mockGetSingleServiceAccount.Path Actual = $mockGetSingleServiceAccount.Path Pass = $true } [pscustomobject] @{ Parameter = 'Ensure' Expected = $mockGetSingleServiceAccount.Ensure Actual = $mockGetSingleServiceAccount.Ensure Pass = $true } [pscustomobject] @{ Parameter = 'Enabled' Expected = $mockGetSingleServiceAccount.Enabled Actual = $mockGetSingleServiceAccount.Enabled Pass = $true } [pscustomobject] @{ Parameter = 'Description' Expected = $mockGetSingleServiceAccount.Description Actual = $mockGetSingleServiceAccount.Description Pass = $true } [pscustomobject] @{ Parameter = 'DisplayName' Expected = $mockGetSingleServiceAccount.DisplayName Actual = $mockGetSingleServiceAccount.DisplayName Pass = $true } [pscustomobject] @{ Parameter = 'DistinguishedName' Expected = $mockGetSingleServiceAccount.DistinguishedName Actual = $mockGetSingleServiceAccount.DistinguishedName Pass = $true } [pscustomobject] @{ Parameter = 'MembershipAttribute' Expected = $mockGetSingleServiceAccount.MembershipAttribute Actual = $mockGetSingleServiceAccount.MembershipAttribute Pass = $true } [pscustomobject] @{ Parameter = 'Credential' Expected = $mockGetSingleServiceAccount.Credential Actual = $mockGetSingleServiceAccount.Credential Pass = $true } [pscustomobject] @{ Parameter = 'DomainController' Expected = $mockGetSingleServiceAccount.DomainController Actual = $mockGetSingleServiceAccount.DomainController Pass = $true } ) $mockCompareGroupServiceAccount = @( [pscustomobject] @{ Parameter = 'ServiceAccountName' Expected = $mockGetGroupServiceAccount.ServiceAccountName Actual = $mockGetGroupServiceAccount.ServiceAccountName Pass = $true } [pscustomobject] @{ Parameter = 'AccountType' Expected = $mockGetGroupServiceAccount.AccountType Actual = $mockGetGroupServiceAccount.AccountType Pass = $true } [pscustomobject] @{ Parameter = 'AccountTypeForce' Expected = $mockGetGroupServiceAccount.AccountTypeForce Actual = $mockGetGroupServiceAccount.AccountTypeForce Pass = $true } [pscustomobject] @{ Parameter = 'Path' Expected = $mockGetGroupServiceAccount.Path Actual = $mockGetGroupServiceAccount.Path Pass = $true } [pscustomobject] @{ Parameter = 'Ensure' Expected = $mockGetGroupServiceAccount.Ensure Actual = $mockGetGroupServiceAccount.Ensure Pass = $true } [pscustomobject] @{ Parameter = 'Enabled' Expected = $mockGetGroupServiceAccount.Enabled Actual = $mockGetGroupServiceAccount.Enabled Pass = $true } [pscustomobject] @{ Parameter = 'Description' Expected = $mockGetGroupServiceAccount.Description Actual = $mockGetGroupServiceAccount.Description Pass = $true } [pscustomobject] @{ Parameter = 'DisplayName' Expected = $mockGetGroupServiceAccount.DisplayName Actual = $mockGetGroupServiceAccount.DisplayName Pass = $true } [pscustomobject] @{ Parameter = 'Members' Expected = $mockGetGroupServiceAccount.Members Actual = $mockGetGroupServiceAccount.Members Pass = $true } [pscustomobject] @{ Parameter = 'Credential' Expected = $mockGetGroupServiceAccount.MembershipAttribute Actual = $mockGetGroupServiceAccount.MembershipAttribute Pass = $true } [pscustomobject] @{ Parameter = 'DistinguishedName' Expected = $mockGetGroupServiceAccount.DistinguishedName Actual = $mockGetGroupServiceAccount.DistinguishedName Pass = $true } [pscustomobject] @{ Parameter = 'Credential' Expected = $mockGetGroupServiceAccount.Credential Actual = $mockGetGroupServiceAccount.Credential Pass = $true } [pscustomobject] @{ Parameter = 'DomainController' Expected = $mockGetGroupServiceAccount.DomainController Actual = $mockGetGroupServiceAccount.DomainController Pass = $true } ) #region Function Get-TargetResource Describe -Name 'MSFT_ADManagedServiceAccount\Get-TargetResource' -Tag 'Get' { BeforeAll { Mock -CommandName Assert-Module -ParameterFilter { $ModuleName -eq 'ActiveDirectory' } Mock -CommandName Get-ADObjectParentDN -MockWith { return $mockPath } } Context 'When the system uses specific parameters' { Mock -CommandName Get-ADServiceAccount -MockWith { return $mockSingleServiceAccount } It 'Should call "Assert-Module" to check AD module is installed' { $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name } { Get-TargetResource @testResourceParametersSingle } | Should -Not -Throw Assert-MockCalled -CommandName Assert-Module -ParameterFilter { $ModuleName -eq 'ActiveDirectory' } -Scope It -Exactly -Times 1 } It 'Should call "Get-ADServiceAccount" with "Server" parameter when "DomainController" specified' { $testResourceParametersWithServer = @{ ServiceAccountName = $mockSingleServiceAccount.Name DomainController = $mockDomainController } { Get-TargetResource @testResourceParametersWithServer } | Should -Not -Throw Assert-MockCalled -CommandName Get-ADServiceAccount -ParameterFilter { $Server -eq $mockDomainController } -Scope It -Exactly -Times 1 } It 'Should call "Get-ADServiceAccount" with "Credential" parameter when specified' { $testResourceParametersWithCredentials = @{ ServiceAccountName = $mockSingleServiceAccount.Name Credential = $mockCredentials } { Get-TargetResource @testResourceParametersWithCredentials } | Should -Not -Throw Assert-MockCalled -CommandName Get-ADServiceAccount -ParameterFilter { $Credential -eq $mockCredentials } -Scope It -Exactly -Times 1 } } Context 'When system cannot connect to domain or other errors' { Mock -CommandName Get-ADServiceAccount -MockWith { throw 'Microsoft.ActiveDirectory.Management.ADServerDownException' } It 'Should call "Get-ADServiceAccount" and throw an error when catching any other errors besides "Account Not Found"'{ $getTargetResourceParameters = @{ ServiceAccountName = $mockSingleServiceAccount.Name } { Get-TargetResource @getTargetResourceParameters -ErrorAction 'SilentlyContinue' } | Should -Throw ($script:localizedData.RetrievingServiceAccountError -f $getTargetResourceParameters.ServiceAccountName) } } Context 'When the system is in desired state (sMSA)' { Mock -CommandName Get-ADServiceAccount -ParameterFilter { $mockSingleServiceAccount.Name -eq $Identity } -MockWith { Write-Verbose "Call Get-ADServiceAccount with $($mockSingleServiceAccount.Name)" return $mockSingleServiceAccount } It 'Should mock call to Get-ADServiceAccount return identical information' { $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name } $getTargetResourceResult = Get-TargetResource @testResourceParametersSingle $getTargetResourceResult.ServiceAccountName | Should -Be $mockSingleServiceAccount.Name $getTargetResourceResult.Ensure | Should -Be 'Present' $getTargetResourceResult.AccountType | Should -Be 'Single' $getTargetResourceResult.Description | Should -Be $mockSingleServiceAccount.Description $getTargetResourceResult.DisplayName | Should -Be $mockSingleServiceAccount.DisplayName $getTargetResourceResult.Members | Should -Be @() $getTargetResourceResult.Path | Should -Be $mockPath } } Context 'When the system is in desired state (gMSA)' { Mock -CommandName Get-ADServiceAccount -ParameterFilter { $mockGroupServiceAccount.Name -eq $Identity } -MockWith { Write-Verbose "Call Get-ADServiceAccount with $($mockGroupServiceAccount.Name)" return $mockGroupServiceAccount } Mock -CommandName Get-ADObject -ParameterFilter { $mockADComputer.SamAccountName -eq $Identity } -MockWith { Write-Verbose "Call Get-ADObject with $($mockADComputer.SamAccountName)" return $mockADComputer } Mock -CommandName Get-ADObject -ParameterFilter { $mockADUSer.SamAccountName -eq $Identity } -MockWith { Write-Verbose "Call Get-ADObject with $($mockADUser.SamAccountName)" return $mockADUser } It 'Should mock call to Get-ADServiceAccount return identical information' { $testResourceParametersGroup = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'SamAccountName' } $getTargetResourceResult = Get-TargetResource @testResourceParametersGroup $getTargetResourceResult.ServiceAccountName | Should -Be $mockGroupServiceAccount.Name $getTargetResourceResult.Ensure | Should -Be 'Present' $getTargetResourceResult.AccountType | Should -Be 'Group' $getTargetResourceResult.Description | Should -Be $mockGroupServiceAccount.Description $getTargetResourceResult.DisplayName | Should -Be $mockGroupServiceAccount.DisplayName $getTargetResourceResult.Members | Should -Be ` @($mockADUSer.($testResourceParametersGroup.MembershipAttribute), ` $mockADComputer.($testResourceParametersGroup.MembershipAttribute)) $getTargetResourceResult.Path | Should -Be $mockPath } } Context -Name 'When the system is NOT in the desired state (Both)' { Mock -CommandName Get-ADServiceAccount -MockWith { throw New-Object Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException } $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name } $getTargetResourceResult = Get-TargetResource @testResourceParametersSingle It "Should return 'Ensure' is 'Absent'" { $getTargetResourceResult.Ensure | Should -Be 'Absent' } It "Should return 'ServiceAccountName' when 'Absent'" { $getTargetResourceResult.ServiceAccountName | Should -Not -BeNullOrEmpty $getTargetResourceResult.ServiceAccountName | Should -BeExactly $testResourceParametersSingle.ServiceAccountName } } } #endregion Function Get-TargetResource #region Function Compare-TargetResourceState Describe -Name 'MSFT_ADManagedServiceAccount\Compare-TargetResourceState' -Tag 'Compare' { Context -Name 'When the system is in the desired state (sMSA)' { Mock -CommandName Get-TargetResource -ParameterFilter { $mockSingleServiceAccount.Name -eq $ServiceAccountName } -MockWith { Write-Verbose "Calling Get-TargetResource with $($mockSingleServiceAccount.Name)" return $mockGetSingleServiceAccount } $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name AccountType = 'Single' Path = $mockPath Description = $mockSingleServiceAccount.Description Ensure = 'Present' DisplayName = $mockSingleServiceAccount.DisplayName } $getTargetResourceResult = Compare-TargetResourceState @testResourceParametersSingle $testCases = @() $getTargetResourceResult | ForEach-Object { $testCases += @{ Parameter = $_.Parameter Expected = $_.Expected Actual = $_.Actual Pass = $_.Pass } } It "Should return identical information for <Parameter>" -TestCases $testCases { param ( [Parameter()] $Parameter, [Parameter()] $Expected, [Parameter()] $Actual, [Parameter()] $Pass ) $Expected | Should -BeExactly $Actual $Pass | Should -BeTrue } } Context -Name 'When the system is in the desired state (gMSA)' { Mock -CommandName Get-TargetResource -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName -and $MembershipAttribute -eq 'SamAccountName' } -MockWith { Write-Verbose 'Group MSA using sAMAccountName' return $mockGetGroupServiceAccount } $mockGetGroupServiceAccountDN = $mockGetGroupServiceAccount.Clone() $mockGetGroupServiceAccountDN['MembershipAttribute'] = 'DistinguishedName' $mockGetGroupServiceAccountDN['Members'] = @($mockADUSer.DistinguishedName, $mockADComputer.DistinguishedName) Mock -CommandName Get-TargetResource -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName -and $MembershipAttribute -eq 'DistinguishedName' } -MockWith { Write-Verbose 'Group MSA using DistinguishedName' return $mockGetGroupServiceAccountDN } $mockGetGroupServiceAccountSID = $mockGetGroupServiceAccount.Clone() $mockGetGroupServiceAccountSID['MembershipAttribute'] = 'SID' $mockGetGroupServiceAccountSID['Members'] = @($mockADUSer.SID, $mockADComputer.SID) Mock -CommandName Get-TargetResource -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName -and $MembershipAttribute -eq 'SID' } -MockWith { Write-Verbose 'Group MSA using SID' return $mockGetGroupServiceAccountSID } $mockGetGroupServiceAccountOID = $mockGetGroupServiceAccount.Clone() $mockGetGroupServiceAccountOID['MembershipAttribute'] = 'ObjectGUID' $mockGetGroupServiceAccountOID['Members'] = @($mockADUSer.ObjectGUID, $mockADComputer.ObjectGUID) Mock -CommandName Get-TargetResource -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName -and $MembershipAttribute -eq 'ObjectGUID' } -MockWith { Write-Verbose 'Group MSA using ObjectGUID' return $mockGetGroupServiceAccountOID } $testResourceParametersGroup = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'SamAccountName' AccountType = 'Group' Path = $mockPath Description = $mockGroupServiceAccount.Description Ensure = 'Present' Members = 'Node1$', 'User1' DisplayName = $mockGroupServiceAccount.DisplayName } $getTargetResourceResult = Compare-TargetResourceState @testResourceParametersGroup $testCases = @() $getTargetResourceResult | ForEach-Object { $testCases += @{ Parameter = $_.Parameter Expected = $_.Expected Actual = $_.Actual Pass = $_.Pass } } It "Should return identical information for <Parameter>" -TestCases $testCases { param ( [Parameter()] $Parameter, [Parameter()] $Expected, [Parameter()] $Actual, [Parameter()] $Pass ) $Expected | Should -BeExactly $Actual $Pass | Should -BeTrue } It "Should return identical information for 'Members' when using 'SamAccountName'" { $testResourceParametersGroupSAM = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'SamAccountName' Members = 'Node1$', 'User1' AccountType = 'Group' } $getTargetResourceResultSAM = Compare-TargetResourceState @testResourceParametersGroupSAM $getTargetResourceResultSAM.Expected | Should -BeExactly $getTargetResourceResultSAM.Actual $getTargetResourceResultSAM.Pass | Should -BeTrue } It "Should return identical information for 'Members' when using 'DistinguishedName'" { $testResourceParametersGroupDN = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'DistinguishedName' Members = 'CN=Node1,OU=Fake,DC=contoso,DC=com', 'CN=User1,OU=Fake,DC=contoso,DC=com' AccountType = 'Group' } $getTargetResourceResultDN = Compare-TargetResourceState @testResourceParametersGroupDN $getTargetResourceResultDN.Expected | Should -BeExactly $getTargetResourceResultDN.Actual $getTargetResourceResultDN.Pass | Should -BeTrue } It "Should return identical information for 'Members' when using 'SID'" { $testResourceParametersGroupSID = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'SID' Members = 'S-1-5-21-1409167834-891301383-2860967316-1143', 'S-1-5-21-1409167834-891301383-2860967316-1142' AccountType = 'Group' } $getTargetResourceResultSID = Compare-TargetResourceState @testResourceParametersGroupSID $getTargetResourceResultSID.Expected | Should -BeExactly $getTargetResourceResultSID.Actual $getTargetResourceResultSID.Pass | Should -BeTrue } It "Should return identical information for 'Members' when using 'ObjectGUID'" { $testResourceParametersGroupGUID = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'ObjectGUID' Members = '91bffe90-4c84-4026-b1fc-d03671ff56ac', '91bffe90-4c84-4026-b1fc-d03671ff56ab' AccountType = 'Group' } $getTargetResourceResultGUID = Compare-TargetResourceState @testResourceParametersGroupGUID $getTargetResourceResultGUID.Expected | Should -BeExactly $getTargetResourceResultGUID.Actual $getTargetResourceResultGUID.Pass | Should -BeTrue } } Context -Name 'When the system is NOT in the desired state (sMSA)' { Mock -CommandName Get-TargetResource -ParameterFilter { $mockSingleServiceAccount.Name -eq $ServiceAccountName } -MockWith { return $mockGetSingleServiceAccount } $testResourceParametersSingleNotCompliant = @{ ServiceAccountName = $mockSingleServiceAccount.Name AccountType = 'Group' Path = 'OU=FakeWrong,DC=contoso,DC=com' Description = 'Test MSA description Wrong' Ensure = 'Absent' DisplayName = 'WrongDisplayName' } $getTargetResourceResult = Compare-TargetResourceState @testResourceParametersSingleNotCompliant $testCases = @() # Need to remove parameters that will always be true $getTargetResourceResult = $getTargetResourceResult | Where-Object -FilterScript { $_.Parameter -ne 'ServiceAccountName' -and $_.Parameter -ne 'DistinguishedName' -and $_.Parameter -ne 'MembershipAttribute' } $getTargetResourceResult | ForEach-Object { $testCases += @{ Parameter = $_.Parameter Expected = $_.Expected Actual = $_.Actual Pass = $_.Pass } } It "Should return false for <Parameter>" -TestCases $testCases { param ( [Parameter()] $Parameter, [Parameter()] $Expected, [Parameter()] $Actual, [Parameter()] $Pass ) $Expected | Should -Not -Be $Actual $Pass | Should -BeFalse } } Context -Name 'When the system is NOT in the desired state (gMSA)' { Mock -CommandName Get-TargetResource -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName -and $MembershipAttribute -eq 'SamAccountName' } -MockWith { Write-Verbose 'Group MSA using sAMAccountName' return $mockGetGroupServiceAccount } $mockGetGroupServiceAccountDN = $mockGetGroupServiceAccount.Clone() $mockGetGroupServiceAccountDN['MembershipAttribute'] = 'DistinguishedName' $mockGetGroupServiceAccountDN['Members'] = @($mockADUSer.DistinguishedName, $mockADComputer.DistinguishedName) Mock -CommandName Get-TargetResource -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName -and $MembershipAttribute -eq 'DistinguishedName' } -MockWith { Write-Verbose 'Group MSA using DistinguishedName' return $mockGetGroupServiceAccountDN } $mockGetGroupServiceAccountSID = $mockGetGroupServiceAccount.Clone() $mockGetGroupServiceAccountSID['MembershipAttribute'] = 'SID' $mockGetGroupServiceAccountSID['Members'] = @($mockADUSer.SID, $mockADComputer.SID) Mock -CommandName Get-TargetResource -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName -and $MembershipAttribute -eq 'SID' } -MockWith { Write-Verbose 'Group MSA using SID' return $mockGetGroupServiceAccountSID } $mockGetGroupServiceAccountOID = $mockGetGroupServiceAccount.Clone() $mockGetGroupServiceAccountOID['MembershipAttribute'] = 'ObjectGUID' $mockGetGroupServiceAccountOID['Members'] = @($mockADUSer.ObjectGUID, $mockADComputer.ObjectGUID) Mock -CommandName Get-TargetResource -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName -and $MembershipAttribute -eq 'ObjectGUID' } -MockWith { Write-Verbose 'Group MSA using ObjectGUID' return $mockGetGroupServiceAccountOID } $testResourceParametersGroup = @{ ServiceAccountName = $mockGroupServiceAccount.Name AccountType = 'Single' Path = 'OU=FakeWrong,DC=contoso,DC=com' Description = 'Test MSA description Wrong' Ensure = 'Absent' DisplayName = 'WrongDisplayName' MembershipAttribute = 'SamAccountName' } $getTargetResourceResult = Compare-TargetResourceState @testResourceParametersGroup $testCases = @() # Need to remove parameters that will always be true $getTargetResourceResult = $getTargetResourceResult | Where-Object -FilterScript { $_.Parameter -ne 'ServiceAccountName' -and $_.Parameter -ne 'DistinguishedName' -and $_.Parameter -ne 'MembershipAttribute' } $getTargetResourceResult | ForEach-Object { $testCases += @{ Parameter = $_.Parameter Expected = $_.Expected Actual = $_.Actual Pass = $_.Pass } } It "Should return false for <Parameter>" -TestCases $testCases { param ( [Parameter()] $Parameter, [Parameter()] $Expected, [Parameter()] $Actual, [Parameter()] $Pass ) $Expected | Should -Not -Be $Actual $Pass | Should -BeFalse } It "Should return false for 'Members' when using 'SamAccountName'" { $testResourceParametersGroupSAM = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'SamAccountName' Members = 'Node1$' AccountType = 'Group' } $getTargetResourceResultSAM = Compare-TargetResourceState @testResourceParametersGroupSAM $membersState = $getTargetResourceResultSAM | Where-Object -FilterScript {$_.Parameter -eq 'Members'} $membersState.Expected | Should -Not -BeExactly $membersState.Actual $membersState.Pass | Should -BeFalse } It "Should return false for 'Members' when using 'DistinguishedName'" { $testResourceParametersGroupDN = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'DistinguishedName' Members = 'CN=Node1,OU=Fake,DC=contoso,DC=com' AccountType = 'Group' } $getTargetResourceResultDN = Compare-TargetResourceState @testResourceParametersGroupDN $membersState = $getTargetResourceResultDN | Where-Object -FilterScript {$_.Parameter -eq 'Members'} $membersState.Expected | Should -Not -BeExactly $membersState.Actual $membersState.Pass | Should -BeFalse } It "Should return false for 'Members' when using 'SID'" { $testResourceParametersGroupSID = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'SID' Members = 'S-1-5-21-1409167834-891301383-2860967316-1143' AccountType = 'Group' } $getTargetResourceResultSID = Compare-TargetResourceState @testResourceParametersGroupSID $membersState = $getTargetResourceResultSID | Where-Object -FilterScript {$_.Parameter -eq 'Members'} $membersState.Expected | Should -Not -BeExactly $membersState.Actual $membersState.Pass | Should -BeFalse } It "Should return false for 'Members' when using 'ObjectGUID'" { $testResourceParametersGroupGUID = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'ObjectGUID' Members = '91bffe90-4c84-4026-b1fc-d03671ff56ac' AccountType = 'Group' } $getTargetResourceResultGUID = Compare-TargetResourceState @testResourceParametersGroupGUID $membersState = $getTargetResourceResultGUID | Where-Object -FilterScript {$_.Parameter -eq 'Members'} $membersState.Expected | Should -Not -BeExactly $membersState.Actual $membersState.Pass | Should -BeFalse } } } #endregion Function Compare-TargetResourceState #region Function Test-TargetResource Describe -Name 'MSFT_ADManagedServiceAccount\Test-TargetResource' -Tag 'Test' { Context -Name "When the system is in the desired state and 'Ensure' is 'Present' (sMSA)" { It "Should pass when the Parameters are properly set" { Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockSingleServiceAccount.Name -eq $ServiceAccountName } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockSingleServiceAccount.Name)" return $mockCompareSingleServiceAccount } $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name AccountType = 'Single' Path = $mockPath Description = $mockSingleServiceAccount.Description Ensure = 'Present' DisplayName = '' } Test-TargetResource @testResourceParametersSingle | Should -BeTrue } } Context -Name "When the system is in the desired state and 'Ensure' is 'Present' (gMSA)" { It "Should pass when the Parameters are properly set" { Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockGroupServiceAccount.Name)" return $mockCompareGroupServiceAccount } $testResourceParametersGroup = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'SamAccountName' AccountType = 'Group' Path = $mockPath Description = $mockGroupServiceAccount.Description Ensure = 'Present' Members = 'Node1$', 'User1' DisplayName = '' } Test-TargetResource @testResourceParametersGroup | Should -BeTrue } } Context -Name "When the system is in the desired state and 'Ensure' is 'Absent' (Both)" { It "Should pass when 'Ensure' is set to 'Absent" { $mockCompareSingleServiceAccountEnsureAbsent = $mockCompareSingleServiceAccount.Clone() $objectEnsure = $mockCompareSingleServiceAccountEnsureAbsent | Where-Object -FilterScript {$_.Parameter -eq 'Ensure'} $objectEnsure.Actual = 'Absent' $objectEnsure.Pass = $true Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockSingleServiceAccount.Name -eq $ServiceAccountName } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockSingleServiceAccount.Name)" return $mockCompareSingleServiceAccountEnsureAbsent } $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name Ensure = 'Absent' } Test-TargetResource @testResourceParametersSingle | Should -BeTrue } } Context -Name "When the system is NOT in the desired state and 'Ensure' is 'Present' (sMSA)" { $mockCompareSingleServiceAccountNotCompliant = Copy-ArrayObjects $mockCompareSingleServiceAccount $testIncorrectParameters = @{ AccountType = 'Group' Path = 'WrongPath' Description = 'WrongDescription' Ensure = 'Absent' DisplayName = 'DisplayNameWrong' } $testCases = @() foreach($incorrectParameter in $testIncorrectParameters.GetEnumerator()) { $objectParameter = $mockCompareSingleServiceAccountNotCompliant | Where-Object -FilterScript { $_.Parameter -eq $incorrectParameter.Name } $objectParameter.Expected = $incorrectParameter.Value $objectParameter.Pass = $false $testCases += @{ Parameter = $incorrectParameter.Name; Value = $incorrectParameter.Value } } Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockSingleServiceAccount.Name -eq $ServiceAccountName } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockSingleServiceAccount.Name)" return $mockCompareSingleServiceAccountNotCompliant } It "Should return $false when <Parameter> is incorrect" -TestCases $testCases { param ( [Parameter()] $Parameter, [Parameter()] $Value ) $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name AccountType = 'Single' Path = $mockPath Description = $mockSingleServiceAccount.Description Ensure = 'Present' DisplayName = '' } $testResourceParametersSingle[$Parameter] = $value Test-TargetResource @testResourceParametersSingle | Should -BeFalse } } Context -Name "When the system is NOT in the desired state and 'Ensure' is 'Present' (gMSA)" { $mockCompareGroupServiceAccountNotCompliant = Copy-ArrayObjects $mockCompareGroupServiceAccount $testIncorrectParameters = @{ AccountType = 'Single' Path = 'WrongPath' Description = 'WrongDescription' Ensure = 'Absent' Members = '' DisplayName = 'DisplayNameWrong' } $testCases = @() foreach($incorrectParameter in $testIncorrectParameters.GetEnumerator()) { $objectParameter = $mockCompareGroupServiceAccountNotCompliant | Where-Object -FilterScript { $_.Parameter -eq $incorrectParameter.Name } $objectParameter.Expected = $incorrectParameter.Value $objectParameter.Pass = $false $testCases += @{ Parameter = $incorrectParameter.Name; Value = $incorrectParameter.Value } } Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockGroupServiceAccount.Name)" return $mockCompareGroupServiceAccountNotCompliant } It "Should return $false when <Parameter> is incorrect" -TestCases $testCases { param ( [Parameter()] $Parameter, [Parameter()] $Value ) $testResourceParametersGroup = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'SamAccountName' AccountType = 'Group' Path = $mockPath Description = $mockGroupServiceAccount.Description Ensure = 'Present' Members = 'Node1$', 'User1' DisplayName = '' } $testResourceParametersGroup[$Parameter] = $value Test-TargetResource @testResourceParametersGroup | Should -BeFalse } } } #endregion Function Test-TargetResource Describe -Name 'MSFT_ADManagedServiceAccount\New-ADServiceAccountHelper' { BeforeAll { Mock -CommandName New-ADServiceAccount } Context -Name "When the system is NOT in the desired state and 'Ensure' is 'Present' (sMSA)" { $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name AccountType = 'Single' Path = $mockPath Description = $mockSingleServiceAccount.Description Ensure = 'Present' DisplayName = 'NewDisplayName' } It 'Should call New-ADServiceAccount' { New-ADServiceAccountHelper @testResourceParametersSingle Assert-MockCalled -CommandName New-ADServiceAccount -Scope It -Exactly -Times 1 } } Context -Name "When the system is NOT in the desired state and 'Ensure' is 'Present' (gMSA)" { $testResourceParametersGroup = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'SamAccountName' AccountType = 'Group' Path = $mockPath Description = $mockGroupServiceAccount.Description Ensure = 'Present' Members = 'Node1$', 'User1' DisplayName = '' } It 'Should call New-ADServiceAccount' { New-ADServiceAccountHelper @testResourceParametersGroup Assert-MockCalled -CommandName New-ADServiceAccount -Scope It -Exactly -Times 1 } } } #region Function Set-TargetResource Describe -Name 'MSFT_ADManagedServiceAccount\Set-TargetResource' -Tag 'Set' { BeforeAll { Mock -CommandName New-ADServiceAccountHelper Mock -CommandName Remove-ADServiceAccount Mock -CommandName Move-ADObject Mock -CommandName Set-ADServiceAccount } Context -Name "When the system is in the desired state and 'Ensure' is 'Present' (sMSA)" { Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockSingleServiceAccount.Name -eq $ServiceAccountName } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockSingleServiceAccount.Name)" return $mockCompareSingleServiceAccount } $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name AccountType = 'Single' Path = $mockPath Description = $mockSingleServiceAccount.Description Ensure = 'Present' DisplayName = '' } It 'Should NOT take any action when all parameters are correct' { Set-TargetResource @testResourceParametersSingle Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 0 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 0 } } Context -Name "When the system is in the desired state and 'Ensure' is 'Present' (gMSA)" { Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockGroupServiceAccount.Name)" return $mockCompareGroupServiceAccount } $testResourceParametersGroup = @{ ServiceAccountName = $mockGroupServiceAccount.Name MembershipAttribute = 'SamAccountName' AccountType = 'Group' Path = $mockPath Description = $mockGroupServiceAccount.Description Ensure = 'Present' Members = 'Node1$', 'User1' DisplayName = '' } It 'Should NOT take any action when all parameters are correct' { Set-TargetResource @testResourceParametersGroup Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 0 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 0 } } Context -Name "When the system is in the desired state and 'Ensure' is 'Absent' (Both)" { $mockCompareSingleServiceAccountEnsureAbsent = $mockCompareSingleServiceAccount.Clone() $objectEnsure = $mockCompareSingleServiceAccountEnsureAbsent | Where-Object -FilterScript {$_.Parameter -eq 'Ensure'} $objectEnsure.Actual = 'Absent' $objectEnsure.Pass = $true Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockSingleServiceAccount.Name -eq $ServiceAccountName } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockSingleServiceAccount.Name)" return $mockCompareSingleServiceAccountEnsureAbsent } $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name Ensure = 'Absent' } It "Should pass when 'Ensure' is set to 'Absent" { Set-TargetResource @testResourceParametersSingle Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 0 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 0 } } Context -Name "When the system is NOT in the desired state and 'Ensure' is 'Present' (sMSA)" { $mockCompareSingleServiceAccountNotCompliantPath = Copy-ArrayObjects $mockCompareSingleServiceAccount $mockCompareSingleServiceAccountNotCompliantOtherParameters = Copy-ArrayObjects $mockCompareSingleServiceAccount $mockCompareSingleServiceAccountNotCompliantAccountType = Copy-ArrayObjects $mockCompareSingleServiceAccount $mockCompareSingleServiceAccountNotCompliantEnsure = Copy-ArrayObjects $mockCompareSingleServiceAccount #region Incorrect Path setup $objectPath = $mockCompareSingleServiceAccountNotCompliantPath | Where-Object -FilterScript {$_.Parameter -eq 'Path'} $objectPath.Expected = 'WrongPath' $objectPath.Pass = $false Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockSingleServiceAccount.Name -eq $ServiceAccountName -and $Path -eq $objectPath.Expected } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockSingleServiceAccount.Name) and Path '$($objectPath.Expected)'" return $mockCompareSingleServiceAccountNotCompliantPath } #endregion Incorrect Path setup It "Should call 'Move-ADObject' when 'Path' is incorrect" { $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name Path = $objectPath.Expected } Set-TargetResource @testResourceParametersSingle Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 0 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 1 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 0 } #region Incorrect parameter test setup $testIncorrectParameters = @{ Description = 'WrongDescription' DisplayName = 'WrongDisplayName' } $testCases = @() foreach($incorrectParameter in $testIncorrectParameters.GetEnumerator()) { $objectParameter = $mockCompareSingleServiceAccountNotCompliantOtherParameters | Where-Object -FilterScript { $_.Parameter -eq $incorrectParameter.Name } $objectParameter.Expected = $incorrectParameter.Value $objectParameter.Pass = $false $testCases += @{ Parameter = $incorrectParameter.Name; Value = $incorrectParameter.Value } } Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockSingleServiceAccount.Name -eq $ServiceAccountName -and ( $Description -eq $testIncorrectParameters.Description -or $DisplayName -eq $testIncorrectParameters.DisplayName ) } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockSingleServiceAccount.Name) and incorrect parameters" return $mockCompareSingleServiceAccountNotCompliantOtherParameters } #endregion Incorrect parameter test setup It "Should call 'Set-ADServiceAccount' when '<Parameter>' is incorrect" -TestCases $testCases { param ( [Parameter()] $Parameter, [Parameter()] $Value ) $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name } $testResourceParametersSingle[$Parameter] = $Value Set-TargetResource @testResourceParametersSingle Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 0 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 1 } #region Incorrect Account type setup $objectAccountType = $mockCompareSingleServiceAccountNotCompliantAccountType | Where-Object -FilterScript {$_.Parameter -eq 'AccountType'} $objectAccountType.Expected = 'Group' $objectAccountType.Pass = $false Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockSingleServiceAccount.Name -eq $ServiceAccountName -and $AccountType -eq $objectAccountType.Expected } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockSingleServiceAccount.Name) and AccountType '$($objectAccountType.Expected)'" return $mockCompareSingleServiceAccountNotCompliantAccountType } #endregion Incorrect Account type setup It "Should NOT call 'Remove-ADServiceAccount, New-ADServiceAccountHelper' when 'AccountType' is incorrect and 'AccountTypeForce' is false" { $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name AccountType = $objectAccountType.Expected AccountTypeForce = $false } # Check if Warning is returned Set-TargetResource @testResourceParametersSingle 3>&1 | Should -Not -Be $null Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 0 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 0 } It "Should call 'Remove-ADServiceAccount, New-ADServiceAccountHelper' when 'AccountType' is incorrect and 'AccountTypeForce' is true" { $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name AccountType = 'Group' AccountTypeForce = $true } Set-TargetResource @testResourceParametersSingle Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 1 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 1 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 0 } #region Incorrect Ensure setup $objectEnsure = $mockCompareSingleServiceAccountNotCompliantEnsure | Where-Object -FilterScript {$_.Parameter -eq 'Ensure'} $objectEnsure.Expected = 'Absent' $objectEnsure.Pass = $false Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockSingleServiceAccount.Name -eq $ServiceAccountName -and $Ensure -eq $objectEnsure.Expected } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockSingleServiceAccount.Name) and Ensure '$($objectEnsure.Expected)'" return $mockCompareSingleServiceAccountNotCompliantEnsure } #endregion Incorrect Ensure type setup It "Should call 'Remove-ADServiceAccount' when 'Ensure' is set to 'Absent'" { $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name Ensure = $objectEnsure.Expected } Set-TargetResource @testResourceParametersSingle Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 0 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 1 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 0 } } Context -Name "When the system is NOT in the desired state and 'Ensure' is 'Present' (gMSA)" { $mockCompareGroupServiceAccountNotCompliantPath = Copy-ArrayObjects $mockCompareGroupServiceAccount $mockCompareGroupServiceAccountNotCompliantOtherParameters = Copy-ArrayObjects $mockCompareGroupServiceAccount $mockCompareGroupServiceAccountNotCompliantAccountType = Copy-ArrayObjects $mockCompareGroupServiceAccount $mockCompareGroupServiceAccountNotCompliantEnsure = Copy-ArrayObjects $mockCompareGroupServiceAccount #region Incorrect Path setup $objectPath = $mockCompareGroupServiceAccountNotCompliantPath | Where-Object -FilterScript {$_.Parameter -eq 'Path'} $objectPath.Expected = 'WrongPath' $objectPath.Pass = $false Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName -and $Path -eq $objectPath.Expected } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockGroupServiceAccount.Name) and Path '$($objectPath.Expected)'" return $mockCompareGroupServiceAccountNotCompliantPath } #endregion Incorrect Path setup It "Should call 'Move-ADObject' when 'Path' is incorrect" { $testResourceParametersGroup = @{ ServiceAccountName = $mockGroupServiceAccount.Name AccountType = 'Group' Path = $objectPath.Expected } Set-TargetResource @testResourceParametersGroup Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 0 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 1 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 0 } #region Incorrect parameter test setup $testIncorrectParameters = @{ Description = 'WrongDescription' DisplayName = 'WrongDisplayName' Members = 'WrongUser' } $testCases = @() foreach($incorrectParameter in $testIncorrectParameters.GetEnumerator()) { $objectParameter = $mockCompareGroupServiceAccountNotCompliantOtherParameters | Where-Object -FilterScript { $_.Parameter -eq $incorrectParameter.Name } $objectParameter.Expected = $incorrectParameter.Value $objectParameter.Pass = $false $testCases += @{ Parameter = $incorrectParameter.Name; Value = $incorrectParameter.Value } } Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName -and ( $Description -eq $testIncorrectParameters.Description -or $DisplayName -eq $testIncorrectParameters.DisplayName -or $Members -eq $testIncorrectParameters.Members ) } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockGroupServiceAccount.Name) and incorrect parameters" return $mockCompareGroupServiceAccountNotCompliantOtherParameters } #endregion Incorrect parameter test setup It "Should call 'Set-ADServiceAccount' when '<Parameter>' is incorrect" -TestCases $testCases { param ( [Parameter()] $Parameter, [Parameter()] $Value ) $testResourceParametersGroup = @{ ServiceAccountName = $mockGroupServiceAccount.Name AccountType = 'Group' } $testResourceParametersGroup[$Parameter] = $Value Set-TargetResource @testResourceParametersGroup Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 0 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 1 } #region Incorrect Account type setup $objectAccountType = $mockCompareGroupServiceAccountNotCompliantAccountType | Where-Object -FilterScript {$_.Parameter -eq 'AccountType'} $objectAccountType.Expected = 'Single' $objectAccountType.Pass = $false Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName -and $AccountType -eq $objectAccountType.Expected } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockGroupServiceAccount.Name) and AccountType '$($objectAccountType.Expected)'" return $mockCompareGroupServiceAccountNotCompliantAccountType } #endregion Incorrect Account type setup It "Should NOT call 'Remove-ADServiceAccount, New-ADServiceAccountHelper' when 'AccountType' is incorrect and 'AccountTypeForce' is false" { $testResourceParametersGroup = @{ ServiceAccountName = $mockGroupServiceAccount.Name AccountType = $objectAccountType.Expected AccountTypeForce = $false } # Check if Warning is returned Set-TargetResource @testResourceParametersGroup 3>&1 | Should -Not -Be $null Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 0 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 0 } It "Should call 'Remove-ADServiceAccount, New-ADServiceAccountHelper' when 'AccountType' is incorrect and 'AccountTypeForce' is true" { $testResourceParametersGroup = @{ ServiceAccountName = $mockGroupServiceAccount.Name AccountType = 'Single' AccountTypeForce = $true } Set-TargetResource @testResourceParametersGroup Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 1 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 1 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 0 } #region Incorrect Ensure setup $objectEnsure = $mockCompareGroupServiceAccountNotCompliantEnsure | Where-Object -FilterScript {$_.Parameter -eq 'Ensure'} $objectEnsure.Expected = 'Absent' $objectEnsure.Pass = $false Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockGroupServiceAccount.Name -eq $ServiceAccountName -and $Ensure -eq $objectEnsure.Expected } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockGroupServiceAccount.Name) and Ensure '$($objectEnsure.Expected)'" return $mockCompareGroupServiceAccountNotCompliantEnsure } #endregion Incorrect Ensure type setup It "Should call 'Remove-ADServiceAccount' when 'Ensure' is set to 'Absent'" { $testResourceParametersGroup = @{ ServiceAccountName = $mockGroupServiceAccount.Name AccountType = 'Group' Ensure = $objectEnsure.Expected } Set-TargetResource @testResourceParametersGroup Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 0 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 1 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 0 } } Context -Name "When the system is NOT in the desired state and 'Ensure' is 'Present' (Both)" { $mockCompareSingleServiceAccountNotEnsure = Copy-ArrayObjects $mockCompareSingleServiceAccount #region Incorrect Ensure setup $objectEnsure = $mockCompareSingleServiceAccountNotEnsure | Where-Object -FilterScript {$_.Parameter -eq 'Ensure'} $objectEnsure.Expected = 'Present' $objectEnsure.Actual = 'Absent' $objectEnsure.Pass = $false Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockSingleServiceAccount.Name -eq $ServiceAccountName } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockSingleServiceAccount.Name)" return $mockCompareSingleServiceAccountNotEnsure } #endregion Incorrect Ensure setup It "Should call 'New-AdServiceAccount' when 'Ensure' is set to 'Present" { $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name Ensure = $objectEnsure.Expected } Set-TargetResource @testResourceParametersSingle Assert-MockCalled -CommandName Compare-TargetResourceState -Scope It -Times 1 Assert-MockCalled -CommandName New-ADServiceAccountHelper -Scope It -Times 1 Assert-MockCalled -CommandName Remove-ADServiceAccount -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Move-ADObject -Scope It -Exactly -Times 0 Assert-MockCalled -CommandName Set-ADServiceAccount -Scope It -Exactly -Times 0 } } Context 'When system cannot connect to domain or other errors' { Mock -CommandName Move-ADObject -MockWith { Write-Verbose "Calling 'Move-ADObject' and throwing an error" throw 'Microsoft.ActiveDirectory.Management.ADServerDownException' } $mockCompareSingleServiceAccountNotCompliantPath = Copy-ArrayObjects $mockCompareSingleServiceAccount #region Incorrect Path setup $objectPath = $mockCompareSingleServiceAccountNotCompliantPath | Where-Object -FilterScript {$_.Parameter -eq 'Path'} $objectPath.Expected = 'WrongPath' $objectPath.Pass = $false Mock -CommandName Compare-TargetResourceState -ParameterFilter { $mockSingleServiceAccount.Name -eq $ServiceAccountName -and $Path -eq $objectPath.Expected } -MockWith { Write-Verbose "Calling Compare-TargetResourceState with $($mockSingleServiceAccount.Name) and Path '$($objectPath.Expected)'" return $mockCompareSingleServiceAccountNotCompliantPath } #endregion Incorrect Path setup It 'Should call "Move-ADObject" and throw an error when catching any other errors besides "Account Not Found"'{ $testResourceParametersSingle = @{ ServiceAccountName = $mockSingleServiceAccount.Name Path = $objectPath.Expected } { Set-TargetResource @testResourceParametersSingle -ErrorAction 'SilentlyContinue' } | Should -Throw ($script:localizedData.AddingManagedServiceAccountError -f $testResourceParametersSingle.ServiceAccountName) } } } #endregion Function Set-TargetResource } } finally { Invoke-TestCleanup } |