fix all unit tests; added mock function for Invoke-MgGraphRequest
mitchelbaker-cisa committed Jan 18, 2025
1 parent 27e0f2a commit 9569e18
Showing 3 changed files with 56 additions and 128 deletions.
Expand Up @@ -6,11 +6,10 @@ InModuleScope AADRiskyPermissionsHelper {
Describe "Get-ApplicationsWithRiskyPermissions" {
BeforeAll {
# Import mock data
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'MockApplications')]
$MockApplications = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "../RiskyPermissionsSnippets/MockApplications.json") | ConvertFrom-Json
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'MockFederatedCredentials')]
$MockFederatedCredentials = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "../RiskyPermissionsSnippets/MockFederatedCredentials.json") | ConvertFrom-Json

function Get-MgBetaApplication { $MockApplications }
function Get-MgBetaApplicationFederatedIdentityCredential { $MockFederatedCredentials }
}

It "returns a list of applications with valid properties" {
Expand Up @@ -12,19 +12,16 @@ InModuleScope AADRiskyPermissionsHelper {
$MockServicePrincipalAppRoleAssignments = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "../RiskyPermissionsSnippets/MockServicePrincipalAppRoleAssignments.json") | ConvertFrom-Json
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'MockSafePermissions')]
$MockSafePermissions = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "../RiskyPermissionsSnippets/MockSafePermissions.json") | ConvertFrom-Json

function New-MockMgGraphResponse {
param (
[int]
$Size,

[array]
$MockBody
[int] $Size,
[array] $MockBody
)

$data = @()
for ($i = 1; $i -le $Size; $i++) {
$id = "00000000-0000-0000-0000-0000000000{0:D3}" -f ($i * 10)
$id = "00000000-0000-0000-0000-0000000000{0:D2}" -f ($i * 10)
$mockResponse = @{
id = $id
status = 200
Expand All @@ -41,76 +38,51 @@ InModuleScope AADRiskyPermissionsHelper {

It "returns a list of service principals with valid properties" {
Mock Get-MgBetaServicePrincipal { $MockServicePrincipals }
$Responses = New-MockMgGraphResponse -Size 5 -MockBody $MockServicePrincipalAppRoleAssignments
Mock Invoke-MgGraphRequest {
return @{
responses = @(
@{
id = "00000000-0000-0000-0000-000000000010"
status = 200
body = @{
value = $MockServicePrincipalAppRoleAssignments
}
},
@{
id = "00000000-0000-0000-0000-000000000020"
status = 200
body = @{
value = $MockServicePrincipalAppRoleAssignments
}
},
@{
id = "00000000-0000-0000-0000-000000000030"
status = 200
body = @{
value = $MockServicePrincipalAppRoleAssignments
}
},
@{
id = "00000000-0000-0000-0000-000000000040"
status = 200
body = @{
value = $MockServicePrincipalAppRoleAssignments
}
},
@{
id = "00000000-0000-0000-0000-000000000050"
status = 200
body = @{
value = $MockServicePrincipalAppRoleAssignments
}
}
)
responses = $Responses
}
}

$RiskySPs = Get-ServicePrincipalsWithRiskyPermissions
$RiskySPs | Should -HaveCount 5

$RiskySPs[0].DisplayName | Should -Match "Test SP 1"
$RiskySPs[0].ObjectId | Should -Match "00000000-0000-0000-0000-000000000010"
$RiskySPs[0].AppId | Should -Match "10000000-0000-0000-0000-000000000000"
$RiskySPs[0].KeyCredentials | Should -HaveCount 1
$RiskySPs[0].PasswordCredentials | Should -HaveCount 1
$RiskySPs[0].FederatedCredentials | Should -BeNullOrEmpty
$RiskySPs[0].RiskyPermissions | Should -HaveCount 8

$RiskySPs[1].DisplayName | Should -Match "Test SP 2"
$RiskySPs[1].ObjectId | Should -Match "00000000-0000-0000-0000-000000000020"
$RiskySPs[1].AppId | Should -Match "20000000-0000-0000-0000-000000000000"
$RiskySPs[1].KeyCredentials | Should -HaveCount 1
$RiskySPs[1].PasswordCredentials | Should -BeNullOrEmpty
$RiskySPs[1].FederatedCredentials | Should -BeNullOrEmpty
$RiskySPs[1].RiskyPermissions | Should -HaveCount 8

$RiskySPs[2].DisplayName | Should -Match "Test SP 3"
$RiskySPs[2].ObjectId | Should -Match "00000000-0000-0000-0000-000000000030"
$RiskySPs[2].AppId | Should -Match "40000000-0000-0000-0000-000000000000"
$RiskySPs[2].KeyCredentials | Should -BeNullOrEmpty
$RiskySPs[2].PasswordCredentials | Should -BeNullOrEmpty
$RiskySPs[2].FederatedCredentials | Should -BeNullOrEmpty
$RiskySPs[2].RiskyPermissions | Should -HaveCount 8

$RiskySPs[3].DisplayName | Should -Match "Test SP 4"
$RiskySPs[3].ObjectId | Should -Match "00000000-0000-0000-0000-000000000040"
$RiskySPs[3].AppId | Should -Match "50000000-0000-0000-0000-000000000000"
$RiskySPs[3].KeyCredentials | Should -BeNullOrEmpty
$RiskySPs[3].PasswordCredentials | Should -HaveCount 2
$RiskySPs[3].FederatedCredentials | Should -BeNullOrEmpty
$RiskySPs[3].RiskyPermissions | Should -HaveCount 8

$RiskySPs[4].DisplayName | Should -Match "Test SP 5"
$RiskySPs[4].ObjectId | Should -Match "00000000-0000-0000-0000-000000000050"
$RiskySPs[4].AppId | Should -Match "60000000-0000-0000-0000-000000000000"
$RiskySPs[4].KeyCredentials | Should -HaveCount 1
$RiskySPs[4].PasswordCredentials | Should -BeNullOrEmpty
$RiskySPs[4].FederatedCredentials | Should -BeNullOrEmpty
Expand All @@ -121,45 +93,10 @@ InModuleScope AADRiskyPermissionsHelper {
Mock Get-MgBetaServicePrincipal { $MockServicePrincipals }
# Set to $SafePermissions instead of $MockServicePrincipalAppRoleAssignments
# to simulate service principals assigned to safe permissions
$Responses = New-MockMgGraphResponse -Size 5 -MockBody $MockSafePermissions
Mock Invoke-MgGraphRequest {
return @{
responses = @(
@{
id = "00000000-0000-0000-0000-000000000010"
status = 200
body = @{
value = $MockSafePermissions
}
},
@{
id = "00000000-0000-0000-0000-000000000020"
status = 200
body = @{
value = $MockSafePermissions
}
},
@{
id = "00000000-0000-0000-0000-000000000030"
status = 200
body = @{
value = $MockSafePermissions
}
},
@{
id = "00000000-0000-0000-0000-000000000040"
status = 200
body = @{
value = $MockSafePermissions
}
},
@{
id = "00000000-0000-0000-0000-000000000050"
status = 200
body = @{
value = $MockSafePermissions
}
}
)
responses = $Responses
}
}

Expand All @@ -170,51 +107,22 @@ InModuleScope AADRiskyPermissionsHelper {
It "excludes permissions not included in the RiskyPermissions.json mapping" {
$MockServicePrincipalAppRoleAssignments += $MockSafePermissions
$MockServicePrincipalAppRoleAssignments | Should -HaveCount 11

Mock Get-MgBetaServicePrincipal { $MockServicePrincipals }
$Responses = New-MockMgGraphResponse -Size 5 -MockBody $MockServicePrincipalAppRoleAssignments
Mock Invoke-MgGraphRequest {
return @{
responses = @(
@{
id = "00000000-0000-0000-0000-000000000010"
status = 200
body = @{
value = $MockServicePrincipalAppRoleAssignments
}
},
@{
id = "00000000-0000-0000-0000-000000000020"
status = 200
body = @{
value = $MockServicePrincipalAppRoleAssignments
}
},
@{
id = "00000000-0000-0000-0000-000000000030"
status = 200
body = @{
value = $MockServicePrincipalAppRoleAssignments
}
},
@{
id = "00000000-0000-0000-0000-000000000040"
status = 200
body = @{
value = $MockServicePrincipalAppRoleAssignments
}
},
@{
id = "00000000-0000-0000-0000-000000000050"
status = 200
body = @{
value = $MockServicePrincipalAppRoleAssignments
}
}
)
responses = $Responses
}
}

$RiskySPs = Get-ServicePrincipalsWithRiskyPermissions
$RiskySPs[0].DisplayName | Should -Match "Test SP 1"
$RiskySPs[0].ObjectId | Should -Match "00000000-0000-0000-0000-000000000010"
$RiskySPs[0].AppId | Should -Match "10000000-0000-0000-0000-000000000000"
$RiskySPs[0].KeyCredentials | Should -HaveCount 1
$RiskySPs[0].PasswordCredentials | Should -HaveCount 1
$RiskySPs[0].FederatedCredentials | Should -BeNullOrEmpty
$RiskySPs[0].RiskyPermissions | Should -HaveCount 8
}
}
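Review bot: In `New-MockMgGraphResponse` (first hunk of this file), the id line `"00000000-0000-0000-0000-0000000000{0:D2}" -f ($i * 10)` yields a 12-digit final group only while `$i * 10` has two digits, so a `-Size` of 10 or more produces a malformed GUID. The mocked response ids would then presumably stop lining up with the service principal ObjectIds the assertions expect, weakening the check on the risky-permission detection rather than failing clearly. Padding the whole group keeps the id well-formed for any size: `$id = "00000000-0000-0000-0000-{0:D12}" -f ($i * 10)`. A short comment above the helper stating that ids are generated as multiples of 10 to match the fixture ObjectIds would also help. The helper's body continues outside the hunk, so its return shape is not visible here.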
Expand Up @@ -11,15 +11,36 @@ InModuleScope AADRiskyPermissionsHelper {
$MockServicePrincipals = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "../RiskyPermissionsSnippets/MockServicePrincipals.json") | ConvertFrom-Json
$MockServicePrincipalAppRoleAssignments = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "../RiskyPermissionsSnippets/MockServicePrincipalAppRoleAssignments.json") | ConvertFrom-Json

function Get-MgBetaApplication { $MockApplications }
function Get-MgBetaApplicationFederatedIdentityCredential { $MockFederatedCredentials }
function Get-MgBetaServicePrincipal { $MockServicePrincipals }
function Get-MgBetaServicePrincipalAppRoleAssignment { $MockServicePrincipalAppRoleAssignments }

Mock Get-MgBetaApplication { $MockApplications }
Mock Get-MgBetaApplicationFederatedIdentityCredential { $MockFederatedCredentials }
Mock Get-MgBetaServicePrincipal { $MockServicePrincipals }
Mock Get-MgBetaServicePrincipalAppRoleAssignment { $MockServicePrincipalAppRoleAssignments }
Mock Invoke-MgGraphRequest {
return @{
responses = @(
@{
id = "00000000-0000-0000-0000-000000000030"
status = 200
body = @{
value = $MockServicePrincipalAppRoleAssignments
}
},
@{
id = "00000000-0000-0000-0000-000000000040"
status = 200
body = @{
value = $MockServicePrincipalAppRoleAssignments
}
},
@{
id = "00000000-0000-0000-0000-000000000050"
status = 200
body = @{
value = $MockServicePrincipalAppRoleAssignments
}
}
)
}
}

$RiskyApps = Get-ApplicationsWithRiskyPermissions
$RiskySPs = Get-ServicePrincipalsWithRiskyPermissions
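Review bot: The added `Mock Invoke-MgGraphRequest` hard-codes three batch responses (ids ending 030, 040 and 050) with no comment saying why only that subset is returned, while the service-principal test file in this commit returns five (010 to 050). If the subset is deliberate, a comment above the mock should say so, for example `# Batch responses cover only the service principals expected to be looked up here (ids 030-050)`, adjusted to the actual reason. The mock is also unfiltered, so it returns the same canned body whatever request the code under test builds. Adding a `-ParameterFilter`, or a `Should -Invoke Invoke-MgGraphRequest` assertion, would let the test notice if the helper stopped issuing the expected batch call. The enclosing `BeforeAll` block starts and ends outside the hunk.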