diff --git a/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/AADRiskyPermissionsHelper/Get-ApplicationsWithRiskyPermissions.Tests.ps1 b/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/AADRiskyPermissionsHelper/Get-ApplicationsWithRiskyPermissions.Tests.ps1
index 9d193ab77..3b0409358 100644
--- a/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/AADRiskyPermissionsHelper/Get-ApplicationsWithRiskyPermissions.Tests.ps1
+++ b/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/AADRiskyPermissionsHelper/Get-ApplicationsWithRiskyPermissions.Tests.ps1
@@ -6,11 +6,10 @@ InModuleScope AADRiskyPermissionsHelper { Describe "Get-ApplicationsWithRiskyPermissions" { BeforeAll { # Import mock data + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'MockApplications')] $MockApplications = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "../RiskyPermissionsSnippets/MockApplications.json") | ConvertFrom-Json + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'MockFederatedCredentials')] $MockFederatedCredentials = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "../RiskyPermissionsSnippets/MockFederatedCredentials.json") | ConvertFrom-Json - - function Get-MgBetaApplication { $MockApplications } - function Get-MgBetaApplicationFederatedIdentityCredential { $MockFederatedCredentials } } It "returns a list of applications with valid properties" {
diff --git a/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/AADRiskyPermissionsHelper/Get-ServicePrincipalsWithRiskyPermissions.Tests.ps1 b/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/AADRiskyPermissionsHelper/Get-ServicePrincipalsWithRiskyPermissions.Tests.ps1
index 1db2e39ed..09fd43359 100644
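Review bot: In Get-ApplicationsWithRiskyPermissions.Tests.ps1 the `BeforeAll` block no longer defines the stub functions `Get-MgBetaApplication` and `Get-MgBetaApplicationFederatedIdentityCredential`, so any `Mock` of those commands now depends on the real Graph beta cmdlets being resolvable in the test session; Pester's `Mock` fails when the target command cannot be found. The `It` blocks that presumably mock them lie outside this hunk, but the same removal in the `@@ -11,15 +11,36 @@` hunk of Get-ThirdPartyRiskyServicePrincipals.Tests.ps1 sits directly above `Mock Get-MgBetaApplication { $MockApplications }`. If the module is a guaranteed test prerequisite, I would record that next to the mock data, e.g. `# Mocks in this file need the Microsoft Graph beta cmdlets loaded; no local stubs are defined`.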
--- a/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/AADRiskyPermissionsHelper/Get-ServicePrincipalsWithRiskyPermissions.Tests.ps1
+++ b/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/AADRiskyPermissionsHelper/Get-ServicePrincipalsWithRiskyPermissions.Tests.ps1
@@ -12,19 +12,16 @@ InModuleScope AADRiskyPermissionsHelper { $MockServicePrincipalAppRoleAssignments = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "../RiskyPermissionsSnippets/MockServicePrincipalAppRoleAssignments.json") | ConvertFrom-Json [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'MockSafePermissions')] $MockSafePermissions = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "../RiskyPermissionsSnippets/MockSafePermissions.json") | ConvertFrom-Json - + function New-MockMgGraphResponse { param ( - [int] - $Size, - - [array] - $MockBody + [int] $Size, + [array] $MockBody ) $data = @() for ($i = 1; $i -le $Size; $i++) { - $id = "00000000-0000-0000-0000-0000000000{0:D3}" -f ($i * 10) + $id = "00000000-0000-0000-0000-0000000000{0:D2}" -f ($i * 10) $mockResponse = @{ id = $id status = 200
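Review bot: The new format string `{0:D2}` in `New-MockMgGraphResponse` produces a 12-digit final GUID group only while `$i * 10` has two digits, i.e. for `-Size` up to 9; from `$i = 10` onward the value is three digits wide and the generated id is 13 digits long again, the same malformation the old `{0:D3}` produced for every id. Letting the format own the whole group keeps the width fixed for any size: `$id = "00000000-0000-0000-0000-{0:D12}" -f ($i * 10)`. The helper's body continues past the end of this hunk, so how `$data` is returned is not visible here.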
@@ -41,45 +38,10 @@ InModuleScope AADRiskyPermissionsHelper { It "returns a list of service principals with valid properties" { Mock Get-MgBetaServicePrincipal { $MockServicePrincipals } + $Responses = New-MockMgGraphResponse -Size 5 -MockBody $MockServicePrincipalAppRoleAssignments Mock Invoke-MgGraphRequest { return @{ - responses = @( - @{ - id = "00000000-0000-0000-0000-000000000010" - status = 200 - body = @{ - value = $MockServicePrincipalAppRoleAssignments - } - }, - @{ - id = "00000000-0000-0000-0000-000000000020" - status = 200 - body = @{ - value = $MockServicePrincipalAppRoleAssignments - } - }, - @{ - id = "00000000-0000-0000-0000-000000000030" - status = 200 - body = @{ - value = $MockServicePrincipalAppRoleAssignments - } - }, - @{ - id = "00000000-0000-0000-0000-000000000040" - status = 200 - body = @{ - value = $MockServicePrincipalAppRoleAssignments - } - }, - @{ - id = "00000000-0000-0000-0000-000000000050" - status = 200 - body = @{ - value = $MockServicePrincipalAppRoleAssignments - } - } - ) + responses = $Responses } } 
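Review bot: `Mock Invoke-MgGraphRequest` in this `It` block (and in the hunks at `@@ -121,45 +93,10 @@` and `@@ -170,51 +107,22 @@`) hands back the canned `$Responses` for any call, so these tests do not show which request the function under test sends; a change to the wrong endpoint or request body would go unnoticed. Assuming Pester 5, adding `Should -Invoke -CommandName Invoke-MgGraphRequest -Times 1` after the call to `Get-ServicePrincipalsWithRiskyPermissions` would at least pin that the batch path is exercised, and a `-ParameterFilter` on the mock would go further, though the request shape is not visible in this diff. The hard-coded `-Size 5` also has to stay in step with the number of entries in MockServicePrincipals.json; `-Size $MockServicePrincipals.Count` would remove that coupling.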
@@ -87,30 +49,40 @@ InModuleScope AADRiskyPermissionsHelper { $RiskySPs | Should -HaveCount 5 $RiskySPs[0].DisplayName | Should -Match "Test SP 1" + $RiskySPs[0].ObjectId | Should -Match "00000000-0000-0000-0000-000000000010" + $RiskySPs[0].AppId | Should -Match "10000000-0000-0000-0000-000000000000" $RiskySPs[0].KeyCredentials | Should -HaveCount 1 $RiskySPs[0].PasswordCredentials | Should -HaveCount 1 $RiskySPs[0].FederatedCredentials | Should -BeNullOrEmpty $RiskySPs[0].RiskyPermissions | Should -HaveCount 8 $RiskySPs[1].DisplayName | Should -Match "Test SP 2" + $RiskySPs[1].ObjectId | Should -Match "00000000-0000-0000-0000-000000000020" + $RiskySPs[1].AppId | Should -Match "20000000-0000-0000-0000-000000000000" $RiskySPs[1].KeyCredentials | Should -HaveCount 1 $RiskySPs[1].PasswordCredentials | Should -BeNullOrEmpty $RiskySPs[1].FederatedCredentials | Should -BeNullOrEmpty $RiskySPs[1].RiskyPermissions | Should -HaveCount 8 $RiskySPs[2].DisplayName | Should -Match "Test SP 3" + $RiskySPs[2].ObjectId | Should -Match "00000000-0000-0000-0000-000000000030" + $RiskySPs[2].AppId | Should -Match "40000000-0000-0000-0000-000000000000" $RiskySPs[2].KeyCredentials | Should -BeNullOrEmpty $RiskySPs[2].PasswordCredentials | Should -BeNullOrEmpty $RiskySPs[2].FederatedCredentials | Should -BeNullOrEmpty $RiskySPs[2].RiskyPermissions | Should -HaveCount 8 $RiskySPs[3].DisplayName | Should -Match "Test SP 4" + $RiskySPs[3].ObjectId | Should -Match "00000000-0000-0000-0000-000000000040" + $RiskySPs[3].AppId | Should -Match "50000000-0000-0000-0000-000000000000" $RiskySPs[3].KeyCredentials | Should -BeNullOrEmpty $RiskySPs[3].PasswordCredentials | Should -HaveCount 2 $RiskySPs[3].FederatedCredentials | Should -BeNullOrEmpty $RiskySPs[3].RiskyPermissions | Should -HaveCount 8 $RiskySPs[4].DisplayName | Should -Match "Test SP 5" + $RiskySPs[4].ObjectId | Should -Match "00000000-0000-0000-0000-000000000050" + $RiskySPs[4].AppId | Should -Match 
"60000000-0000-0000-0000-000000000000" $RiskySPs[4].KeyCredentials | Should -HaveCount 1 $RiskySPs[4].PasswordCredentials | Should -BeNullOrEmpty $RiskySPs[4].FederatedCredentials | Should -BeNullOrEmpty @@ -121,45 +93,10 @@ InModuleScope AADRiskyPermissionsHelper { Mock Get-MgBetaServicePrincipal { $MockServicePrincipals } # Set to $SafePermissions instead of $MockServicePrincipalAppRoleAssignments # to simulate service principals assigned to safe permissions + $Responses = New-MockMgGraphResponse -Size 5 -MockBody $MockSafePermissions Mock Invoke-MgGraphRequest { return @{ - responses = @( - @{ - id = "00000000-0000-0000-0000-000000000010" - status = 200 - body = @{ - value = $MockSafePermissions - } - }, - @{ - id = "00000000-0000-0000-0000-000000000020" - status = 200 - body = @{ - value = $MockSafePermissions - } - }, - @{ - id = "00000000-0000-0000-0000-000000000030" - status = 200 - body = @{ - value = $MockSafePermissions - } - }, - @{ - id = "00000000-0000-0000-0000-000000000040" - status = 200 - body = @{ - value = $MockSafePermissions - } - }, - @{ - id = "00000000-0000-0000-0000-000000000050" - status = 200 - body = @{ - value = $MockSafePermissions - } - } - ) + responses = $Responses } } 
@@ -170,51 +107,22 @@ InModuleScope AADRiskyPermissionsHelper { It "excludes permissions not included in the RiskyPermissions.json mapping" { $MockServicePrincipalAppRoleAssignments += $MockSafePermissions $MockServicePrincipalAppRoleAssignments | Should -HaveCount 11 - + Mock Get-MgBetaServicePrincipal { $MockServicePrincipals } + $Responses = New-MockMgGraphResponse -Size 5 -MockBody $MockServicePrincipalAppRoleAssignments Mock Invoke-MgGraphRequest { return @{ - responses = @( - @{ - id = "00000000-0000-0000-0000-000000000010" - status = 200 - body = @{ - value = $MockServicePrincipalAppRoleAssignments - } - }, - @{ - id = "00000000-0000-0000-0000-000000000020" - status = 200 - body = @{ - value = $MockServicePrincipalAppRoleAssignments - } - }, - @{ - id = "00000000-0000-0000-0000-000000000030" - status = 200 - body = @{ - value = $MockServicePrincipalAppRoleAssignments - } - }, - @{ - id = "00000000-0000-0000-0000-000000000040" - status = 200 - body = @{ - value = $MockServicePrincipalAppRoleAssignments - } - }, - @{ - id = "00000000-0000-0000-0000-000000000050" - status = 200 - body = @{ - value = $MockServicePrincipalAppRoleAssignments - } - } - ) + responses = $Responses } } $RiskySPs = Get-ServicePrincipalsWithRiskyPermissions + $RiskySPs[0].DisplayName | Should -Match "Test SP 1" + $RiskySPs[0].ObjectId | Should -Match "00000000-0000-0000-0000-000000000010" + $RiskySPs[0].AppId | Should -Match "10000000-0000-0000-0000-000000000000" + $RiskySPs[0].KeyCredentials | Should -HaveCount 1 + $RiskySPs[0].PasswordCredentials | Should -HaveCount 1 + $RiskySPs[0].FederatedCredentials | Should -BeNullOrEmpty $RiskySPs[0].RiskyPermissions | Should -HaveCount 8 } } 
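Review bot: The added `ObjectId` and `AppId` assertions here, and the ten added in the `@@ -87,30 +49,40 @@` hunk, use `Should -Match`, which is an unanchored regular-expression match, so a returned value that merely contains the expected GUID (extra leading or trailing characters) still passes. For identifiers an exact comparison is the better fit, e.g. `$RiskySPs[0].ObjectId | Should -Be "00000000-0000-0000-0000-000000000010"` and the same for the `AppId` lines. In the earlier hunk the expected AppId sequence skips `30000000-…` (SP 3 is `40000000-…`); presumably that mirrors MockServicePrincipals.json, which is not part of this diff, so a one-line comment saying so would save the next reader a lookup.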
diff --git a/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/AADRiskyPermissionsHelper/Get-ThirdPartyRiskyServicePrincipals.Tests.ps1 b/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/AADRiskyPermissionsHelper/Get-ThirdPartyRiskyServicePrincipals.Tests.ps1
index 660072014..8ca0303e6 100644
--- a/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/AADRiskyPermissionsHelper/Get-ThirdPartyRiskyServicePrincipals.Tests.ps1
+++ b/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/AADRiskyPermissionsHelper/Get-ThirdPartyRiskyServicePrincipals.Tests.ps1
@@ -11,15 +11,36 @@ InModuleScope AADRiskyPermissionsHelper { $MockServicePrincipals = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "../RiskyPermissionsSnippets/MockServicePrincipals.json") | ConvertFrom-Json $MockServicePrincipalAppRoleAssignments = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "../RiskyPermissionsSnippets/MockServicePrincipalAppRoleAssignments.json") | ConvertFrom-Json - function Get-MgBetaApplication { $MockApplications } - function Get-MgBetaApplicationFederatedIdentityCredential { $MockFederatedCredentials } - function Get-MgBetaServicePrincipal { $MockServicePrincipals } - function Get-MgBetaServicePrincipalAppRoleAssignment { $MockServicePrincipalAppRoleAssignments } - Mock Get-MgBetaApplication { $MockApplications } Mock Get-MgBetaApplicationFederatedIdentityCredential { $MockFederatedCredentials } Mock Get-MgBetaServicePrincipal { $MockServicePrincipals } - Mock Get-MgBetaServicePrincipalAppRoleAssignment { $MockServicePrincipalAppRoleAssignments } + Mock Invoke-MgGraphRequest { + return @{ + responses = @( + @{ + id = "00000000-0000-0000-0000-000000000030" + status = 200 + body = @{ + value = $MockServicePrincipalAppRoleAssignments + } + }, + @{ + id = "00000000-0000-0000-0000-000000000040" + status = 200 + body = @{ + value = $MockServicePrincipalAppRoleAssignments + } + }, + @{ + id = "00000000-0000-0000-0000-000000000050" + status = 200 + body = @{ + value = $MockServicePrincipalAppRoleAssignments + } + } + ) + } + } $RiskyApps = Get-ApplicationsWithRiskyPermissions $RiskySPs = Get-ServicePrincipalsWithRiskyPermissions
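Review bot: The new `Mock Invoke-MgGraphRequest` returns responses only for the ids ending in `030`, `040` and `050`, while `Get-MgBetaServicePrincipal` is still mocked with the full `$MockServicePrincipals` set, and nothing in the hunk says why the first two service principals get no app-role response. If the subset is deliberate, a comment such as `# Responses cover only SPs 3-5 on purpose: <reason>` would make the intent checkable, and it is worth confirming that `Get-ServicePrincipalsWithRiskyPermissions` handles a batch with missing ids explicitly rather than the test relying on that silently. The block also re-types the response shape that `New-MockMgGraphResponse` builds in Get-ServicePrincipalsWithRiskyPermissions.Tests.ps1; that helper is local to the other file, so reusing it would need a shared test helper. The enclosing block continues outside this hunk.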