Testing/Unit/PowerShell/Providers/AADProvider/Export-Caps.Tests.ps1
|
BeforeAll { $ClassPath = (Join-Path -Path $PSScriptRoot -ChildPath "./../../../../../Modules/Providers/ProviderHelpers/AADConditionalAccessHelper.psm1") Import-Module $ClassPath [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'CapHelper')] $CapHelper = Get-CapTracker } Describe "GetIncludedUsers" { BeforeEach { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'Cap')] $Cap = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "./CapSnippets/Users.json") | ConvertFrom-Json } It "returns 'None' when no users are included" { $Cap.Conditions.Users.IncludeUsers += "None" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "None" } It "handles including single users" { $Cap.Conditions.Users.IncludeUsers += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "1 specific user" } It "handles including multiple users" { $Cap.Conditions.Users.IncludeUsers += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeUsers += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "2 specific users" } It "handles including single groups" { $Cap.Conditions.Users.IncludeGroups += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "1 specific group" } It "handles including multiple groups" { $Cap.Conditions.Users.IncludeGroups += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeGroups += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "2 specific groups" } It "handles including single roles" { $Cap.Conditions.Users.IncludeRoles += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "1 specific role" } It "handles including multiple roles" { $Cap.Conditions.Users.IncludeRoles += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeRoles += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "2 specific roles" } It "handles including users, groups, and roles simultaneously" { $Cap.Conditions.Users.IncludeUsers += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeRoles += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeRoles += "caaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeGroups += "daaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeGroups += "eaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" #gitleaks:allow $Cap.Conditions.Users.IncludeGroups += "faaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "1 specific user, 2 specific roles, 3 specific groups" } It "returns 'All' when all users are included" { $Cap.Conditions.Users.IncludeUsers += "all" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "All" } It "handles including single type of external user" { $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.ExternalTenants.MembershipKind = "all" $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes = "internalGuest" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "Local guest users" } It "handles including all types of guest users" { $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.ExternalTenants.MembershipKind = "all" $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,internalGuest,serviceProvider,otherExternalUser" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "B2B collaboration guest users, B2B collaboration member users, B2B direct connect users, Local guest users, Service provider users, Other external users" } It "handles empty input" { $Cap = @{} $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap) 3>$null) -Join ", " # 3>$null to surpress the warning # message as it is expected in this case $UsersIncluded | Should -Be "" } } Describe "GetExcludedUsers" { BeforeEach { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'Cap')] $Cap = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "./CapSnippets/Users.json") | ConvertFrom-Json } It "returns 'None' when no users are included" { $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "None" } It "handles excluding single users" { $Cap.Conditions.Users.ExcludeUsers += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "1 specific user" } It "handles excluding multiple users" { $Cap.Conditions.Users.ExcludeUsers += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeUsers += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "2 specific users" } It "handles excluding single groups" { $Cap.Conditions.Users.ExcludeGroups += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "1 specific group" } It "handles excluding multiple groups" { $Cap.Conditions.Users.ExcludeGroups += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeGroups += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "2 specific groups" } It "handles excluding single roles" { $Cap.Conditions.Users.ExcludeRoles += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "1 specific role" } It "handles excluding multiple roles" { $Cap.Conditions.Users.ExcludeRoles += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeRoles += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "2 specific roles" } It "handles excluding users, groups, and roles simultaneously" { $Cap.Conditions.Users.ExcludeUsers += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeRoles += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeRoles += "caaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeGroups += "daaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeGroups += "eaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" #gitleaks:allow $Cap.Conditions.Users.ExcludeGroups += "faaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "1 specific user, 2 specific roles, 3 specific groups" } It "handles excluding all types of external users" { $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.MembershipKind = "all" $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,internalGuest,serviceProvider,otherExternalUser" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "B2B collaboration guest users, B2B collaboration member users, B2B direct connect users, Local guest users, Service provider users, Other external users" } It "handles excluding a single type of external user" { $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.MembershipKind = "all" $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes = "serviceProvider" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "Service provider users" } It "handles empty input" { $Cap = @{} $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap) 3>$null) -Join ", " # 3>$null to surpress the warning # message as it is expected in this case $UsersExcluded | Should -Be "" } } Describe "GetApplications" { BeforeEach { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'Cap')] $Cap = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "./CapSnippets/Apps.json") | ConvertFrom-Json } It "handles including all apps" { $Cap.Conditions.Applications.IncludeApplications += "All" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: All" $Apps[2] | Should -Be "Apps excluded: None" } It "handles including/excluding no apps" { $Cap.Conditions.Applications.IncludeApplications += "None" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: None" $Apps[2] | Should -Be "Apps excluded: None" } It "handles including/excluding single specific apps" { $Cap.Conditions.Applications.IncludeApplications += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Applications.ExcludeApplications += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: 1 specific app" $Apps[2] | Should -Be "Apps excluded: 1 specific app" } It "handles including/excluding multiple specific apps" { $Cap.Conditions.Applications.IncludeApplications += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Applications.IncludeApplications += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Applications.IncludeApplications += "caaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Applications.ExcludeApplications += "daaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Applications.ExcludeApplications += "eaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" #gitleaks:allow $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: 3 specific apps" $Apps[2] | Should -Be "Apps excluded: 2 specific apps" } It "handles app filter in include mode" { $Cap.Conditions.Applications.ApplicationFilter.Mode = "include" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: custom application filter" $Apps[2] | Should -Be "Apps excluded: None" } It "handles app filter in exclude mode" { $Cap.Conditions.Applications.ApplicationFilter.Mode = "exclude" $Cap.Conditions.Applications.IncludeApplications += "All" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: All" $Apps[2] | Should -Be "Apps excluded: custom application filter" } It "handles including app filter and specific apps" { $Cap.Conditions.Applications.ApplicationFilter.Mode = "include" $Cap.Conditions.Applications.IncludeApplications += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: 1 specific app" $Apps[2] | Should -Be "Apps included: custom application filter" $Apps[3] | Should -Be "Apps excluded: None" } It "handles excluding app filter and specific apps" { $Cap.Conditions.Applications.ApplicationFilter.Mode = "exclude" $Cap.Conditions.Applications.IncludeApplications += "All" $Cap.Conditions.Applications.ExcludeApplications += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: All" $Apps[2] | Should -Be "Apps excluded: 1 specific app" $Apps[3] | Should -Be "Apps excluded: custom application filter" } It "handles registering a device" { $Cap.Conditions.Applications.IncludeUserActions += "urn:user:registerdevice" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: actions" $Apps[1] | Should -Be "User action: Register or join devices" } It "handles registering security info" { $Cap.Conditions.Applications.IncludeUserActions += "urn:user:registersecurityinfo" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: actions" $Apps[1] | Should -Be "User action: Register security info" } It "handles registering security info" { $Cap.Conditions.Applications.IncludeAuthenticationContextClassReferences += "c1" $Cap.Conditions.Applications.IncludeAuthenticationContextClassReferences += "c3" $Apps = $($CapHelper.GetApplications($Cap)) $Apps | Should -Be "Policy applies to: 2 authentication contexts" } It "handles empty input" { $Cap = @{} $Apps = $($CapHelper.GetApplications($Cap) 3>$null) -Join ", " # 3>$null to surpress the warning # message as it is expected in this case $Apps | Should -Be "" } } Describe "GetConditions" { BeforeEach { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'Cap')] $Cap = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "./CapSnippets/Conditions.json") | ConvertFrom-Json } It "handles user risk levels" { $Cap.Conditions.UserRiskLevels += "high" $Cap.Conditions.UserRiskLevels += "medium" $Cap.Conditions.UserRiskLevels += "low" $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "User risk levels: high, medium, low" } It "handles sign-in risk levels" { $Cap.Conditions.SignInRiskLevels += "low" $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Sign-in risk levels: low" } It "handles including all device platforms" { $Cap.Conditions.Platforms.ExcludePlatforms = @() $Cap.Conditions.Platforms.IncludePlatforms = @("all") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Device platforms included: all" $Conditions[1] | Should -Be "Device platforms excluded: none" } It "handles including/excluding specific device platforms" { $Cap.Conditions.Platforms.ExcludePlatforms = @("iOS", "macOS", "linux") $Cap.Conditions.Platforms.IncludePlatforms = @("android") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Device platforms included: android" $Conditions[1] | Should -Be "Device platforms excluded: iOS, macOS, linux" } It "handles including all locations" { $Cap.Conditions.Locations.ExcludeLocations = @() $Cap.Conditions.Locations.IncludeLocations = @("All") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Locations included: all locations" $Conditions[1] | Should -Be "Locations excluded: none" } It "handles excluding trusted locations" { $Cap.Conditions.Locations.ExcludeLocations = @("AllTrusted") $Cap.Conditions.Locations.IncludeLocations = @("All") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Locations included: all locations" $Conditions[1] | Should -Be "Locations excluded: all trusted locations" } It "handles including/excluding single custom locations" { $Cap.Conditions.Locations.ExcludeLocations = @("00000000-0000-0000-0000-000000000000") $Cap.Conditions.Locations.IncludeLocations = @("10000000-0000-0000-0000-000000000000") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Locations included: 1 specific location" $Conditions[1] | Should -Be "Locations excluded: 1 specific location" } It "handles including/excluding multiple custom locations" { $Cap.Conditions.Locations.ExcludeLocations = @() $Cap.Conditions.Locations.ExcludeLocations += @("00000000-0000-0000-0000-000000000000") $Cap.Conditions.Locations.ExcludeLocations += @("10000000-0000-0000-0000-000000000000") $Cap.Conditions.Locations.ExcludeLocations += @("20000000-0000-0000-0000-000000000000") $Cap.Conditions.Locations.IncludeLocations = @() $Cap.Conditions.Locations.IncludeLocations += @("30000000-0000-0000-0000-000000000000") $Cap.Conditions.Locations.IncludeLocations += @("40000000-0000-0000-0000-000000000000") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Locations included: 2 specific locations" $Conditions[1] | Should -Be "Locations excluded: 3 specific locations" } It "handles including trusted locations" { $Cap.Conditions.Locations.IncludeLocations = @("AllTrusted") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Locations included: all trusted locations" $Conditions[1] | Should -Be "Locations excluded: none" } It "handles including all client apps" { $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions | Should -Be "Client apps included: all" } It "handles including specific client apps" { $Cap.Conditions.ClientAppTypes = @("exchangeActiveSync", "browser", "mobileAppsAndDesktopClients", "other") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions | Should -Be "Client apps included: Exchange ActiveSync Clients, Browser, Mobile apps and desktop clients, Other clients" } It "handles custom client app filter in include mode" { $Cap.Conditions.Devices.DeviceFilter.Mode = "include" $Cap.Conditions.Devices.DeviceFilter.Rule = "device.manufacturer -eq 'helloworld'" $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[1] | Should -Be "Custom device filter in include mode active" } It "handles custom client app filter in exclude mode" { $Cap.Conditions.Devices.DeviceFilter.Mode = "exclude" $Cap.Conditions.Devices.DeviceFilter.Rule = "device.manufacturer -eq 'helloworld'" $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[1] | Should -Be "Custom device filter in exclude mode active" } It "handles many conditions simultaneously" { $Cap.Conditions.UserRiskLevels += "low" $Cap.Conditions.SignInRiskLevels += "high" $Cap.Conditions.Platforms.ExcludePlatforms = @("android", "iOS", "macOS", "linux") $Cap.Conditions.Platforms.IncludePlatforms = @("all") $Cap.Conditions.Locations.IncludeLocations = @("AllTrusted") $Cap.Conditions.Locations.ExcludeLocations = @() $Cap.Conditions.ClientAppTypes = @("exchangeActiveSync") $Cap.Conditions.Devices.DeviceFilter.Mode = "exclude" $Cap.Conditions.Devices.DeviceFilter.Rule = "device.manufacturer -eq 'helloworld'" $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "User risk levels: low" $Conditions[1] | Should -Be "Sign-in risk levels: high" $Conditions[2] | Should -Be "Device platforms included: all" $Conditions[3] | Should -Be "Device platforms excluded: android, iOS, macOS, linux" $Conditions[4] | Should -Be "Locations included: all trusted locations" $Conditions[5] | Should -Be "Locations excluded: none" $Conditions[6] | Should -Be "Client apps included: Exchange ActiveSync Clients" $Conditions[7] | Should -Be "Custom device filter in exclude mode active" } It "handles empty input" { $Cap = @{} $Conditions = $($CapHelper.GetConditions($Cap) 3>$null) -Join ", " # 3>$null to surpress the warning # message as it is expected in this case $Conditions | Should -Be "" } } Describe "GetAccessControls" { BeforeEach { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'Cap')] $Cap = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "./CapSnippets/AccessControls.json") | ConvertFrom-Json } It "handles blocking access" { $Cap.GrantControls.BuiltInControls = @("block") $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Block access" } It "handles requiring single control" { $Cap.GrantControls.BuiltInControls = @("mfa") $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Allow access but require multifactor authentication" } It "handles requiring terms of use" { $Cap.GrantControls.TermsOfUse = @("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa") $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Allow access but require terms of use" } It "handles requiring multiple controls in AND mode" { $Cap.GrantControls.BuiltInControls = @("mfa", "compliantDevice", "domainJoinedDevice", "approvedApplication", "compliantApplication", "passwordChange") $Cap.GrantControls.Operator = "AND" $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Allow access but require multifactor authentication, device to be marked compliant, Hybrid Azure AD joined device, approved client app, app protection policy, AND password change" } It "handles requiring multiple controls in OR mode" { $Cap.GrantControls.BuiltInControls = @("mfa", "compliantDevice", "domainJoinedDevice", "approvedApplication", "compliantApplication", "passwordChange") $Cap.GrantControls.Operator = "OR" $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Allow access but require multifactor authentication, device to be marked compliant, Hybrid Azure AD joined device, approved client app, app protection policy, OR password change" } It "handles using authentication strength (phishing resistant MFA)" { $Cap.GrantControls.AuthenticationStrength.DisplayName = "Phishing resistant MFA" $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Allow access but require authentication strength (Phishing resistant MFA)" } It "handles using both authentication strength and a traditional control" { $Cap.GrantControls.AuthenticationStrength.DisplayName = "Multi-factor authentication" $Cap.GrantControls.BuiltInControls = @("passwordChange") $Cap.GrantControls.Operator = "AND" $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Allow access but require password change, AND authentication strength (Multi-factor authentication)" } It "handles using no access controls" { $Cap.GrantControls.BuiltInControls = $null $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "None" } It "handles empty input" { $Cap = @{} $Controls = $($CapHelper.GetAccessControls($Cap) 3>$null) -Join ", " # 3>$null to surpress the warning # message as it is expected in this case $Controls | Should -Be "" } } Describe "GetSessionControls" { BeforeEach { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'Cap')] $Cap = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "./CapSnippets/SessionControls.json") | ConvertFrom-Json } It "handles using no session controls" { $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "None" } It "handles using app enforced restrictions" { $Cap.SessionControls.ApplicationEnforcedRestrictions.IsEnabled = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Use app enforced restrictions" } It "handles using conditional access app control with custom policy" { $Cap.SessionControls.CloudAppSecurity.CloudAppSecurityType = "mcasConfigured" $Cap.SessionControls.CloudAppSecurity.IsEnabled = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Use Conditional Access App Control (Use custom policy)" } It "handles using conditional access app control in monitor mode" { $Cap.SessionControls.CloudAppSecurity.CloudAppSecurityType = "monitorOnly" $Cap.SessionControls.CloudAppSecurity.IsEnabled = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Use Conditional Access App Control (Monitor only)" } It "handles using conditional access app control in block mode" { $Cap.SessionControls.CloudAppSecurity.CloudAppSecurityType = "blockDownloads" $Cap.SessionControls.CloudAppSecurity.IsEnabled = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Use Conditional Access App Control (Block downloads)" } It "handles using sign-in frequency every time" { $Cap.SessionControls.SignInFrequency.FrequencyInterval = "everyTime" $Cap.SessionControls.SignInFrequency.IsEnabled = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Sign-in frequency (every time)" } It "handles using sign-in frequency time based" { $Cap.SessionControls.SignInFrequency.FrequencyInterval = "timeBased" $Cap.SessionControls.SignInFrequency.Type = "days" $Cap.SessionControls.SignInFrequency.Value = 10 $Cap.SessionControls.SignInFrequency.IsEnabled = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Sign-in frequency (every 10 days)" } It "handles using persistent browser session" { $Cap.SessionControls.PersistentBrowser.IsEnabled = $true $Cap.SessionControls.PersistentBrowser.Mode = "never" $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Persistent browser session (never persistent)" } It "handles using customized continuous access evaluation" { $Cap.SessionControls.ContinuousAccessEvaluation.Mode = "disabled" $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Customize continuous access evaluation" } It "handles disabling resilience defaults" { $Cap.SessionControls.DisableResilienceDefaults = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Disable resilience defaults" } It "handles multiple controls simultaneously" { $Cap.SessionControls.PersistentBrowser.IsEnabled = $true $Cap.SessionControls.PersistentBrowser.Mode = "never" $Cap.SessionControls.DisableResilienceDefaults = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls[0] | Should -Be "Persistent browser session (never persistent)" $Controls[1] | Should -Be "Disable resilience defaults" } It "handles empty input" { $Cap = @{} $Controls = $($CapHelper.GetSessionControls($Cap) 3>$null) -Join ", " # 3>$null to surpress the warning # message as it is expected in this case $Controls | Should -Be "" } } Describe "ExportCapPolicies Sorting" { BeforeEach { # Load base CAP structure from existing snippets [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'BaseCap')] $BaseCap = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "./CapSnippets/Users.json") | ConvertFrom-Json # Create test policies with different states and names for sorting [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'Caps')] $Caps = @() # Create "Off" policy (should be last) $OffPolicy = $BaseCap.PSObject.Copy() $OffPolicy | Add-Member -MemberType NoteProperty -Name "DisplayName" -Value "Z Policy" $OffPolicy | Add-Member -MemberType NoteProperty -Name "State" -Value "disabled" $Caps += $OffPolicy # Create "On" policy (should be first) $OnPolicy = $BaseCap.PSObject.Copy() $OnPolicy | Add-Member -MemberType NoteProperty -Name "DisplayName" -Value "A Policy" $OnPolicy | Add-Member -MemberType NoteProperty -Name "State" -Value "enabled" $Caps += $OnPolicy # Create "On" second policy (should be first) $OnPolicy = $BaseCap.PSObject.Copy() $OnPolicy | Add-Member -MemberType NoteProperty -Name "DisplayName" -Value "A Policy 2" $OnPolicy | Add-Member -MemberType NoteProperty -Name "State" -Value "enabled" $Caps += $OnPolicy # Create "Report-only" policy (should be middle) $ReportPolicy = $BaseCap.PSObject.Copy() $ReportPolicy | Add-Member -MemberType NoteProperty -Name "DisplayName" -Value "B Policy" $ReportPolicy | Add-Member -MemberType NoteProperty -Name "State" -Value "enabledForReportingButNotEnforced" $Caps += $ReportPolicy } It "sorts policies by State first (On, Report-only, Off), then by Name alphabetically" { # Suppress warnings since we're using incomplete CAP structures for testing $Result = $CapHelper.ExportCapPolicies($Caps) 3>$null $ParsedResult = ConvertFrom-Json $Result # Verify the order: "A Policy" (On) -> "A Policy 2" (On) -> "B Policy" (Report-only) -> "Z Policy" (Off) $ParsedResult[0].Name | Should -Be "A Policy" $ParsedResult[0].State | Should -Be "On" $ParsedResult[1].Name | Should -Be "A Policy 2" $ParsedResult[1].State | Should -Be "On" $ParsedResult[2].Name | Should -Be "B Policy" $ParsedResult[2].State | Should -Be "Report-only" $ParsedResult[3].Name | Should -Be "Z Policy" $ParsedResult[3].State | Should -Be "Off" } } # SIG # Begin signature block # MIIu9wYJKoZIhvcNAQcCoIIu6DCCLuQCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDbtzssAnfrUe9t # dtOXD2Oe0hc86x+UOrgd313cw2RyfaCCE6MwggWQMIIDeKADAgECAhAFmxtXno4h # MuI5B72nd3VcMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNV # BAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0xMzA4MDExMjAwMDBaFw0z # ODAxMTUxMjAwMDBaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB # AL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/z # G6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZ # anMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7s # Wxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL # 2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfb # BHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3 # JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3c # AORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqx # YxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0 # viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aL # T8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjQjBAMA8GA1Ud # EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTs1+OC0nFdZEzf # Lmc/57qYrhwPTzANBgkqhkiG9w0BAQwFAAOCAgEAu2HZfalsvhfEkRvDoaIAjeNk # aA9Wz3eucPn9mkqZucl4XAwMX+TmFClWCzZJXURj4K2clhhmGyMNPXnpbWvWVPjS # PMFDQK4dUPVS/JA7u5iZaWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK # 7VB6fWIhCoDIc2bRoAVgX+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eB # cg3AFDLvMFkuruBx8lbkapdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp # 5aPNoiBB19GcZNnqJqGLFNdMGbJQQXE9P01wI4YMStyB0swylIQNCAmXHE/A7msg # dDDS4Dk0EIUhFQEI6FUy3nFJ2SgXUE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vri # RbgjU2wGb2dVf0a1TD9uKFp5JtKkqGKX0h7i7UqLvBv9R0oN32dmfrJbQdA75PQ7 # 9ARj6e/CVABRoIoqyc54zNXqhwQYs86vSYiv85KZtrPmYQ/ShQDnUBrkG5WdGaG5 # nLGbsQAe79APT0JsyQq87kP6OnGlyE0mpTX9iV28hWIdMtKgK1TtmlfB2/oQzxm3 # i0objwG2J5VT6LaJbVu8aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyBIa0H # EEcRrYc9B9F1vM/zZn4wggawMIIEmKADAgECAhAIrUCyYNKcTJ9ezam9k67ZMA0G # CSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDAeFw0yMTA0MjkwMDAwMDBaFw0zNjA0MjgyMzU5NTla # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDVtC9C # 0CiteLdd1TlZG7GIQvUzjOs9gZdwxbvEhSYwn6SOaNhc9es0JAfhS0/TeEP0F9ce # 2vnS1WcaUk8OoVf8iJnBkcyBAz5NcCRks43iCH00fUyAVxJrQ5qZ8sU7H/Lvy0da # E6ZMswEgJfMQ04uy+wjwiuCdCcBlp/qYgEk1hz1RGeiQIXhFLqGfLOEYwhrMxe6T # SXBCMo/7xuoc82VokaJNTIIRSFJo3hC9FFdd6BgTZcV/sk+FLEikVoQ11vkunKoA # FdE3/hoGlMJ8yOobMubKwvSnowMOdKWvObarYBLj6Na59zHh3K3kGKDYwSNHR7Oh # D26jq22YBoMbt2pnLdK9RBqSEIGPsDsJ18ebMlrC/2pgVItJwZPt4bRc4G/rJvmM # 1bL5OBDm6s6R9b7T+2+TYTRcvJNFKIM2KmYoX7BzzosmJQayg9Rc9hUZTO1i4F4z # 8ujo7AqnsAMrkbI2eb73rQgedaZlzLvjSFDzd5Ea/ttQokbIYViY9XwCFjyDKK05 # huzUtw1T0PhH5nUwjewwk3YUpltLXXRhTT8SkXbev1jLchApQfDVxW0mdmgRQRNY # mtwmKwH0iU1Z23jPgUo+QEdfyYFQc4UQIyFZYIpkVMHMIRroOBl8ZhzNeDhFMJlP # /2NPTLuqDQhTQXxYPUez+rbsjDIJAsxsPAxWEQIDAQABo4IBWTCCAVUwEgYDVR0T # AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHwYD # VR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGGMBMG # A1UdJQQMMAoGCCsGAQUFBwMDMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYY # aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2Fj # ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNV # HR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU # cnVzdGVkUm9vdEc0LmNybDAcBgNVHSAEFTATMAcGBWeBDAEDMAgGBmeBDAEEATAN # BgkqhkiG9w0BAQwFAAOCAgEAOiNEPY0Idu6PvDqZ01bgAhql+Eg08yy25nRm95Ry # sQDKr2wwJxMSnpBEn0v9nqN8JtU3vDpdSG2V1T9J9Ce7FoFFUP2cvbaF4HZ+N3HL # IvdaqpDP9ZNq4+sg0dVQeYiaiorBtr2hSBh+3NiAGhEZGM1hmYFW9snjdufE5Btf # Q/g+lP92OT2e1JnPSt0o618moZVYSNUa/tcnP/2Q0XaG3RywYFzzDaju4ImhvTnh # OE7abrs2nfvlIVNaw8rpavGiPttDuDPITzgUkpn13c5UbdldAhQfQDN8A+KVssIh # dXNSy0bYxDQcoqVLjc1vdjcshT8azibpGL6QB7BDf5WIIIJw8MzK7/0pNVwfiThV # 9zeKiwmhywvpMRr/LhlcOXHhvpynCgbWJme3kuZOX956rEnPLqR0kq3bPKSchh/j # wVYbKyP/j7XqiHtwa+aguv06P0WmxOgWkVKLQcBIhEuWTatEQOON8BUozu3xGFYH # Ki8QxAwIZDwzj64ojDzLj4gLDb879M4ee47vtevLt/B3E+bnKD+sEq6lLyJsQfmC # XBVmzGwOysWGw/YmMwwHS6DTBwJqakAwSEs0qFEgu60bhQjiWQ1tygVQK+pKHJ6l # /aCnHwZ05/LWUpD9r4VIIflXO7ScA+2GRfS0YW6/aOImYIbqyK+p/pQd52MbOoZW # eE4wggdXMIIFP6ADAgECAhAMM6tnPejLgA9WVhXroQvSMA0GCSqGSIb3DQEBCwUA # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwHhcNMjYwMTE0MDAwMDAwWhcNMjcwMTEzMjM1OTU5WjBfMQsw # CQYDVQQGEwJVUzEdMBsGA1UECBMURGlzdHJpY3Qgb2YgQ29sdW1iaWExEzARBgNV # BAcTCldhc2hpbmd0b24xDTALBgNVBAoTBENJU0ExDTALBgNVBAMTBENJU0EwggIi # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCuXYolNHqlh6smLTE592waXheZ # 8VHzxeds4pMaepGuwmjf8d1jG9wUNuJX9/qb0a1dgGz5D/EAz5NRTIin4SZYQEE8 # qvdl2yQJ5uWxXIjsFbrOyc1fWscUXw0Kt7OPLOafcEkdDoe8K0tO4h2GL3RWRzjp # uLfQhhnAmD6NT1l+ughnfmarV/ODgIn/RFR4YORlu4YP2xQX6KRxeTDslg7F+z6X # +t87/U8m8gQ9XTm5kBmteP4GcE/ytnyI+ScIxNRybzGomWIBm848XDE5yYhlYQ2R # SnCoo6M4CRqp9WFGVyoLkoPP0OlxzryKWaE1/nuPbYG/kf/rUB1OhqxvSSGwmNhs # vkkjsC0Z9H5Jy6heFdoxOu/+ZQksKoP/fMvHxuCCtkIJbV8tk0oT6MQ8EJbgsWDZ # TKhui1wxW6JIZyBOMPWoZUOouOzo2h5Cz7LBPKME5FkcUzcs47lpRlDkJco4PLcj # wJSo4XPnx3G/2DIjNEFNyfKCWfH8uW6nJjmDBiveFZ2j0YvgdQ+7MOjQnw7R/MAD # DTagrKl3rLV60+X2TY6/onKhCUuU3pMAjVbOwZ3PkzDLZnsEGRfm6hgp6014aXml # t8h4nu+uC41U8vUSGHl0vqKuzvmShLmnI+Iv0l95pmnqomuCZzRDrjEoaLPx7OxL # Dy/Id9E7yQDip4jBdQIDAQABo4ICAzCCAf8wHwYDVR0jBBgwFoAUaDfg67Y7+F8R # hvv+YXsIiGX0TkIwHQYDVR0OBBYEFN30sVU+fpfQQfPQWMhkO1qd+MxoMD4GA1Ud # IAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNl # cnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMw # gbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp # Z2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5j # cmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0 # ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMIGUBggrBgEF # BQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t # MFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl # cnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAJ # BgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQA77T42YiOx5wWPItgo+kvB+Gzb # ZFCRHRFfTAZZNQt9o/0CqNmyA2xFklX4t5Z9VNdiIOx14AnmJdQkcRdk3vsU5gby # jKEup7LTWtvcWrl6hQwGNt3l892BgUbPKsPBE+AriktVqn5yMSXVVzeboqsqAG8e # Syei0B54/QdgR4whfHvQ/qpCACsJTlJgAykXVgDPJNKnQ7wc17loLQutqF1JUcbO # XKWt1AA9Zas5q30LDZzZeK4B56yojK68CTQXN7toSRFIuZDMKKDfIZpCX8cmbaaO # DFOOu44/QWMv+Xc6+ISYGkrTTzqWhOqiXgLVBeXGn/WrOJJ8R29mZMneCpBesCLs # YII1gCFOo7Vt6mvOKxAPQ3KhJYBFEHkp+GI65koaQkO2xv50iLS0+/j2YC66uviU # MFe0JEOdXuE7Rn/OmWNSzQ+6kPNYDJQASQ974C3wUejJoMtGZEzoTbly/HufQTrd # rhcL2aC69CxSN+idTXPLC9UT3xo4sFdOw+hXkmbXtoB1GDsd5p1TWFgRbnTXDkbM # YMBWYVB6/Tk1bzwj4iTp4g0YrtB628FXPX/ko+JWZlv0Ea865S23w1uGlnDNVxIi # +8oi74G5DM66Q6ENt6+3WoRGRrdoyE6uCh1haY+oPYSgumb0ozzrp8tw89TRKVrK # KSXGBxlExEvjQ6dYwjGCGqowghqmAgEBMH0waTELMAkGA1UEBhMCVVMxFzAVBgNV # BAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0 # IENvZGUgU2lnbmluZyBSU0E0MDk2IFNIQTM4NCAyMDIxIENBMQIQDDOrZz3oy4AP # VlYV66EL0jANBglghkgBZQMEAgEFAKCBhDAYBgorBgEEAYI3AgEMMQowCKACgACh # AoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcCAQsxDjAM # BgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCDo7lseo70zylAJ8osaWdgiBhz/ # syYHchheYyy0ewTwUTANBgkqhkiG9w0BAQEFAASCAgBzEyha6XFmp/Al8fdhXPGJ # 5FA6XShWR+1FcuuD5sURF2SV2IAPQs+iz/Tu6odZvSMRdrmfW1HYAjUfzhhdmjVa # dRS+e8iHHdbeqxnd4kEuSHSjDNPEStpwfCMSnZo36IC0kr0RXLRpFW/Ry/CHfS5P # v5DwEqZOSnMKpGSa63u8VbNx6gnv2gtuvnkx8FG2TsF0zWIQboqRYy5kHjhxWnUd # b4u39BrIiTjBn5/URmfmkBwy6PHWywPPX/pSe0mDiwVtnKon7RJHl8XikMU2EDV9 # m8Pr0hwbmtDtrP4Gw/Hs1ON6MRG4+8BqPD2nAVaUGeU4uGP+C1wJdBbtOzTnmIVP # JYjfF3yrw4ANEs8FAaXhttZc17Oto8H2xliOKxNAFsROtM78wX8WwgdlTBAIngBc # gY+CgFO/0tbx3NZZ/DP5rZkf0CwhDeaYTos/EHz8POVRb/hZEtZA59TrwQTsWAGR # hG82RiVjDbBdNmbjpEFWG70arbsmG6vkcv0zbQGFAViyO1P8mKvCpcON5A1qJK/f # 87PAV/2JiMeukmk9SCCnTrk8WoZXFzC9g14mg+/HfuVV7a6YSulv9kI0iu1wNNJa # CLOj7WDHU7lzHxu4w4GoWk0C4XjDbAHET4Lg6TZQOEmDWXdl+DX08cCDbB2ynCUH # JcF5jDtrsNdjBaz/ykglraGCF3cwghdzBgorBgEEAYI3AwMBMYIXYzCCF18GCSqG # SIb3DQEHAqCCF1AwghdMAgEDMQ8wDQYJYIZIAWUDBAIBBQAweAYLKoZIhvcNAQkQ # AQSgaQRnMGUCAQEGCWCGSAGG/WwHATAxMA0GCWCGSAFlAwQCAQUABCC2v3eEBuyW # kpc5ACy9qJczSujpox9lyRKdLc24nOgk1wIRANEq8ZWPgRofRPr1rlQh+u4YDzIw # MjYwMjExMTk1NzQ4WqCCEzowggbtMIIE1aADAgECAhAKgO8YS43xBYLRxHanlXRo # MA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2Vy # dCwgSW5jLjFBMD8GA1UEAxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBUaW1lU3RhbXBp # bmcgUlNBNDA5NiBTSEEyNTYgMjAyNSBDQTEwHhcNMjUwNjA0MDAwMDAwWhcNMzYw # OTAzMjM1OTU5WjBjMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIElu # Yy4xOzA5BgNVBAMTMkRpZ2lDZXJ0IFNIQTI1NiBSU0E0MDk2IFRpbWVzdGFtcCBS # ZXNwb25kZXIgMjAyNSAxMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA # 0EasLRLGntDqrmBWsytXum9R/4ZwCgHfyjfMGUIwYzKomd8U1nH7C8Dr0cVMF3Bs # fAFI54um8+dnxk36+jx0Tb+k+87H9WPxNyFPJIDZHhAqlUPt281mHrBbZHqRK71E # m3/hCGC5KyyneqiZ7syvFXJ9A72wzHpkBaMUNg7MOLxI6E9RaUueHTQKWXymOtRw # JXcrcTTPPT2V1D/+cFllESviH8YjoPFvZSjKs3SKO1QNUdFd2adw44wDcKgH+JRJ # E5Qg0NP3yiSyi5MxgU6cehGHr7zou1znOM8odbkqoK+lJ25LCHBSai25CFyD23DZ # gPfDrJJJK77epTwMP6eKA0kWa3osAe8fcpK40uhktzUd/Yk0xUvhDU6lvJukx7jp # hx40DQt82yepyekl4i0r8OEps/FNO4ahfvAk12hE5FVs9HVVWcO5J4dVmVzix4A7 # 7p3awLbr89A90/nWGjXMGn7FQhmSlIUDy9Z2hSgctaepZTd0ILIUbWuhKuAeNIeW # rzHKYueMJtItnj2Q+aTyLLKLM0MheP/9w6CtjuuVHJOVoIJ/DtpJRE7Ce7vMRHoR # on4CWIvuiNN1Lk9Y+xZ66lazs2kKFSTnnkrT3pXWETTJkhd76CIDBbTRofOsNyEh # zZtCGmnQigpFHti58CSmvEyJcAlDVcKacJ+A9/z7eacCAwEAAaOCAZUwggGRMAwG # A1UdEwEB/wQCMAAwHQYDVR0OBBYEFOQ7/PIx7f391/ORcWMZUEPPYYzoMB8GA1Ud # IwQYMBaAFO9vU0rp5AZ8esrikFb2L9RJ7MtOMA4GA1UdDwEB/wQEAwIHgDAWBgNV # HSUBAf8EDDAKBggrBgEFBQcDCDCBlQYIKwYBBQUHAQEEgYgwgYUwJAYIKwYBBQUH # MAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBdBggrBgEFBQcwAoZRaHR0cDov # L2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0VGltZVN0YW1w # aW5nUlNBNDA5NlNIQTI1NjIwMjVDQTEuY3J0MF8GA1UdHwRYMFYwVKBSoFCGTmh0 # dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNFRpbWVTdGFt # cGluZ1JTQTQwOTZTSEEyNTYyMDI1Q0ExLmNybDAgBgNVHSAEGTAXMAgGBmeBDAEE # AjALBglghkgBhv1sBwEwDQYJKoZIhvcNAQELBQADggIBAGUqrfEcJwS5rmBB7NEI # RJ5jQHIh+OT2Ik/bNYulCrVvhREafBYF0RkP2AGr181o2YWPoSHz9iZEN/FPsLST # wVQWo2H62yGBvg7ouCODwrx6ULj6hYKqdT8wv2UV+Kbz/3ImZlJ7YXwBD9R0oU62 # PtgxOao872bOySCILdBghQ/ZLcdC8cbUUO75ZSpbh1oipOhcUT8lD8QAGB9lctZT # TOJM3pHfKBAEcxQFoHlt2s9sXoxFizTeHihsQyfFg5fxUFEp7W42fNBVN4ueLace # Rf9Cq9ec1v5iQMWTFQa0xNqItH3CPFTG7aEQJmmrJTV3Qhtfparz+BW60OiMEgV5 # GWoBy4RVPRwqxv7Mk0Sy4QHs7v9y69NBqycz0BZwhB9WOfOu/CIJnzkQTwtSSpGG # hLdjnQ4eBpjtP+XB3pQCtv4E5UCSDag6+iX8MmB10nfldPF9SVD7weCC3yXZi/uu # hqdwkgVxuiMFzGVFwYbQsiGnoa9F5AaAyBjFBtXVLcKtapnMG3VH3EmAp/jsJ3FV # F3+d1SVDTmjFjLbNFZUWMXuZyvgLfgyPehwJVxwC+UpX2MSey2ueIu9THFVkT+um # 1vshETaWyQo8gmBto/m3acaP9QsuLj3FNwFlTxq25+T4QwX9xa6ILs84ZPvmpovq # 90K8eWyG2N01c4IhSOxqt81nMIIGtDCCBJygAwIBAgIQDcesVwX/IZkuQEMiDDpJ # hjANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNl # cnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdp # Q2VydCBUcnVzdGVkIFJvb3QgRzQwHhcNMjUwNTA3MDAwMDAwWhcNMzgwMTE0MjM1 # OTU5WjBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/ # BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgVGltZVN0YW1waW5nIFJTQTQwOTYg # U0hBMjU2IDIwMjUgQ0ExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA # tHgx0wqYQXK+PEbAHKx126NGaHS0URedTa2NDZS1mZaDLFTtQ2oRjzUXMmxCqvkb # sDpz4aH+qbxeLho8I6jY3xL1IusLopuW2qftJYJaDNs1+JH7Z+QdSKWM06qchUP+ # AbdJgMQB3h2DZ0Mal5kYp77jYMVQXSZH++0trj6Ao+xh/AS7sQRuQL37QXbDhAkt # VJMQbzIBHYJBYgzWIjk8eDrYhXDEpKk7RdoX0M980EpLtlrNyHw0Xm+nt5pnYJU3 # Gmq6bNMI1I7Gb5IBZK4ivbVCiZv7PNBYqHEpNVWC2ZQ8BbfnFRQVESYOszFI2Wv8 # 2wnJRfN20VRS3hpLgIR4hjzL0hpoYGk81coWJ+KdPvMvaB0WkE/2qHxJ0ucS638Z # xqU14lDnki7CcoKCz6eum5A19WZQHkqUJfdkDjHkccpL6uoG8pbF0LJAQQZxst7V # vwDDjAmSFTUms+wV/FbWBqi7fTJnjq3hj0XbQcd8hjj/q8d6ylgxCZSKi17yVp2N # L+cnT6Toy+rN+nM8M7LnLqCrO2JP3oW//1sfuZDKiDEb1AQ8es9Xr/u6bDTnYCTK # IsDq1BtmXUqEG1NqzJKS4kOmxkYp2WyODi7vQTCBZtVFJfVZ3j7OgWmnhFr4yUoz # ZtqgPrHRVHhGNKlYzyjlroPxul+bgIspzOwbtmsgY1MCAwEAAaOCAV0wggFZMBIG # A1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO9vU0rp5AZ8esrikFb2L9RJ7MtO # MB8GA1UdIwQYMBaAFOzX44LScV1kTN8uZz/nupiuHA9PMA4GA1UdDwEB/wQEAwIB # hjATBgNVHSUEDDAKBggrBgEFBQcDCDB3BggrBgEFBQcBAQRrMGkwJAYIKwYBBQUH # MAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBBBggrBgEFBQcwAoY1aHR0cDov # L2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5jcnQw # QwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lD # ZXJ0VHJ1c3RlZFJvb3RHNC5jcmwwIAYDVR0gBBkwFzAIBgZngQwBBAIwCwYJYIZI # AYb9bAcBMA0GCSqGSIb3DQEBCwUAA4ICAQAXzvsWgBz+Bz0RdnEwvb4LyLU0pn/N # 0IfFiBowf0/Dm1wGc/Do7oVMY2mhXZXjDNJQa8j00DNqhCT3t+s8G0iP5kvN2n7J # d2E4/iEIUBO41P5F448rSYJ59Ib61eoalhnd6ywFLerycvZTAz40y8S4F3/a+Z1j # EMK/DMm/axFSgoR8n6c3nuZB9BfBwAQYK9FHaoq2e26MHvVY9gCDA/JYsq7pGdog # P8HRtrYfctSLANEBfHU16r3J05qX3kId+ZOczgj5kjatVB+NdADVZKON/gnZruMv # NYY2o1f4MXRJDMdTSlOLh0HCn2cQLwQCqjFbqrXuvTPSegOOzr4EWj7PtspIHBld # NE2K9i697cvaiIo2p61Ed2p8xMJb82Yosn0z4y25xUbI7GIN/TpVfHIqQ6Ku/qjT # Y6hc3hsXMrS+U0yy+GWqAXam4ToWd2UQ1KYT70kZjE4YtL8Pbzg0c1ugMZyZZd/B # dHLiRu7hAWE6bTEm4XYRkA6Tl4KSFLFk43esaUeqGkH/wyW4N7OigizwJWeukcyI # PbAvjSabnf7+Pu0VrFgoiovRDiyx3zEdmcif/sYQsfch28bZeUz2rtY/9TCA6TD8 # dC3JE3rYkrhLULy7Dc90G6e8BlqmyIjlgp2+VqsS9/wQD7yFylIz0scmbKvFoW2j # NrbM1pD2T7m3XDCCBY0wggR1oAMCAQICEA6bGI750C3n79tQ4ghAGFowDQYJKoZI # hvcNAQEMBQAwZTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZ # MBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEkMCIGA1UEAxMbRGlnaUNlcnQgQXNz # dXJlZCBJRCBSb290IENBMB4XDTIyMDgwMTAwMDAwMFoXDTMxMTEwOTIzNTk1OVow # YjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQ # d3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgVHJ1c3RlZCBSb290 # IEc0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv+aQc2jeu+RdSjww # IjBpM+zCpyUuySE98orYWcLhKac9WKt2ms2uexuEDcQwH/MbpDgW61bGl20dq7J5 # 8soR0uRf1gU8Ug9SH8aeFaV+vp+pVxZZVXKvaJNwwrK6dZlqczKU0RBEEC7fgvMH # hOZ0O21x4i0MG+4g1ckgHWMpLc7sXk7Ik/ghYZs06wXGXuxbGrzryc/NrDRAX7F6 # Zu53yEioZldXn1RYjgwrt0+nMNlW7sp7XeOtyU9e5TXnMcvak17cjo+A2raRmECQ # ecN4x7axxLVqGDgDEI3Y1DekLgV9iPWCPhCRcKtVgkEy19sEcypukQF8IUzUvK4b # A3VdeGbZOjFEmjNAvwjXWkmkwuapoGfdpCe8oU85tRFYF/ckXEaPZPfBaYh2mHY9 # WV1CdoeJl2l6SPDgohIbZpp0yt5LHucOY67m1O+SkjqePdwA5EUlibaaRBkrfsCU # tNJhbesz2cXfSwQAzH0clcOP9yGyshG3u3/y1YxwLEFgqrFjGESVGnZifvaAsPvo # ZKYz0YkH4b235kOkGLimdwHhD5QMIR2yVCkliWzlDlJRR3S+Jqy2QXXeeqxfjT/J # vNNBERJb5RBQ6zHFynIWIgnffEx1P2PsIV/EIFFrb7GrhotPwtZFX50g/KEexcCP # orF+CiaZ9eRpL5gdLfXZqbId5RsCAwEAAaOCATowggE2MA8GA1UdEwEB/wQFMAMB # Af8wHQYDVR0OBBYEFOzX44LScV1kTN8uZz/nupiuHA9PMB8GA1UdIwQYMBaAFEXr # oq/0ksuCMS1Ri6enIZ3zbcgPMA4GA1UdDwEB/wQEAwIBhjB5BggrBgEFBQcBAQRt # MGswJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBDBggrBgEF # BQcwAoY3aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJl # ZElEUm9vdENBLmNydDBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vY3JsMy5kaWdp # Y2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290Q0EuY3JsMBEGA1UdIAQKMAgw # BgYEVR0gADANBgkqhkiG9w0BAQwFAAOCAQEAcKC/Q1xV5zhfoKN0Gz22Ftf3v1cH # vZqsoYcs7IVeqRq7IviHGmlUIu2kiHdtvRoU9BNKei8ttzjv9P+Aufih9/Jy3iS8 # UgPITtAq3votVs/59PesMHqai7Je1M/RQ0SbQyHrlnKhSLSZy51PpwYDE3cnRNTn # f+hZqPC/Lwum6fI0POz3A8eHqNJMQBk1RmppVLC4oVaO7KTVPeix3P0c2PR3WlxU # jG/voVA9/HYJaISfb8rbII01YBwCA8sgsKxYoA5AY8WYIsGyWfVVa88nq2x2zm8j # LfR+cWojayL/ErhULSd+2DrZ8LaHlv1b0VysGMNNn3O3AamfV6peKOK5lDGCA3ww # ggN4AgEBMH0waTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMu # MUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0IFRpbWVTdGFtcGluZyBSU0E0 # MDk2IFNIQTI1NiAyMDI1IENBMQIQCoDvGEuN8QWC0cR2p5V0aDANBglghkgBZQME # AgEFAKCB0TAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwHAYJKoZIhvcNAQkF # MQ8XDTI2MDIxMTE5NTc0OFowKwYLKoZIhvcNAQkQAgwxHDAaMBgwFgQU3WIwrIYK # LTBr2jixaHlSMAf7QX4wLwYJKoZIhvcNAQkEMSIEIPjlRsDr877QPtUBpbrBLT5F # g8anzzHTQmShH5qZOdnnMDcGCyqGSIb3DQEJEAIvMSgwJjAkMCIEIEqgP6Is11yE # xVyTj4KOZ2ucrsqzP+NtJpqjNPFGEQozMA0GCSqGSIb3DQEBAQUABIICAEZDoZ0m # yqAqmqXDd+Z65giBEU/OkGJylehbAaZAZH5yqKN+jL87TY6DCYdtkkk8PHpGLB1B # oLEgcMrDHnEhRxNmkKUuCUOWhjAplq6BqD3SJCLJeaO49lklm/SOi57vAIjIcvsT # S+jdg+/kk7ELo16GTm4ECLgzXPdELY/SeYViLdh7xq06NLy4XomjzP8DeNmWdkoW # zHhjJv8k2U8YLhD0zLq13kwogtECFboXYe3ZCT6d+DQhji0xg62xJZAa5uS0jdDJ # nvpfCVeZ50Pks8rw7q/woUKkf/6v69enEVVGQurjCxPM5TUNV5GCoZZe7yhsxsu6 # 0QyxwkmyNb1Ge+vimYe6oW4VoOHPLEg0nvuiMpFCWbncjY3E5fiviCYMPAkZbRuU # PjiTv4czuu7CN2ZGz3qsQpjJ0afL4Y53BkX9gYssW6zIAerPG+Ty1ERIJDLk1Yk4 # DLDoJefyt94F8YArDq3n0oFSt7JmWaxYDX64/Zhc9Yh56TaMsdc5gMaK5bsjOT0W # MlG8b52KGMiy4UlN0EWmCZicDCtLOlYLszVaDyFYjVicaO5JxQxqi9YJ6Y/ULcLB # hsw8nY2mI1jTqhIUQCrwn3UqOmL9cqWZ3rqdipkaZW06wkfQpc8cc9B80ocgrTT3 # 95qVk5MXv6Gw1XhwTEcOcw4KgzdIJbJTC6aP # SIG # End signature block |