# Test bootstrap: dot-source the shared Pester loader, then import the script
# under test, which is looked up next to this file under the same name with
# the ".tests." segment collapsed to ".".
. (Join-Path -Path $PSScriptRoot -ChildPath '..\..\Load-PesterModules.ps1')

$here = Split-Path -Path $MyInvocation.MyCommand.Path -Parent
$sut = (Split-Path -Path $MyInvocation.MyCommand.Path -Leaf) -replace '\.tests\.', '.'
$functionPath = Join-Path $here $sut

Write-Host "Overriding SUT: $functionPath"
# -Force re-imports the file even if an earlier run already loaded it.
Import-Module -Name $functionPath -Force

# Passed as -ModuleName to every Mock / Assert-MockCalled below.
# NOTE(review): the empty string presumably means "mock in the test's own
# scope, not inside a named module" - confirm against how the SUT is loaded.
$moduleForMock = ""

# Needed for the Microsoft.ActiveDirectory.Management.ADUser type the fixture builds.
Import-Module -Name ActiveDirectory
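# Pester tests for Disable-ActiveDirectoryAccount. Set-ADUser and
# Set-ADServiceAccount are mocked with empty bodies, so the tests only count
# how often (and with which parameters) the function tries to call them.
Describe "Disable-ActiveDirectoryAccount" {

    $fakeAccountName = "FakeyMcFakeAccount"

    # Returns a fresh ADUser fixture, built with New-Object and populated by
    # hand. The default fixture is a DISABLED account whose DistinguishedName
    # sits under "CN=Managed Service Accounts"; tests change Enabled and
    # DistinguishedName as needed.
    function Get-CleanTestUser {

        # Repeated from the Describe body so the helper does not depend on the
        # outer variable being visible in its scope.
        $fakeAccountName = "FakeyMcFakeAccount"
        $testUser = New-Object Microsoft.ActiveDirectory.Management.ADUser
        $testUser.DistinguishedName = "CN=$fakeAccountName,CN=Managed Service Accounts,DC=foo,DC=bar"
        $testUser.Enabled = $false
        $testUser.ObjectClass = "msDS-GroupManagedServiceAccount"
        $testUser.ObjectGUID = "deadbeef-dead-beef-dead-beef00000075"
        $testUser.SamAccountName = "fake.mcfakeuser$"
        $testUser.SID = "S-1-2-34-5678901234-5678901234-5678901234-56789"
        $testUser.UserPrincipalName = ""

        # This property is 'read-only', so it is written through the
        # property collection instead of by direct assignment.
        $testUser.Item('Name').Value = $fakeAccountName
        return $testUser
    }

    Mock -CommandName Get-LogLeadName -ModuleName $moduleForMock -MockWith { return 'Disable-ActiveDirectoryAccount.tests' }
    Mock -CommandName Set-ADUser -ModuleName $moduleForMock -MockWith { }
    Mock -CommandName Set-ADServiceAccount -ModuleName $moduleForMock -MockWith { }
    # Mocked so the warning text can be asserted on.
    Mock -CommandName Write-Warning -ModuleName $moduleForMock -MockWith { }

    Context "User Permissions" {

        It "Writes a Warning and Exits Early if the User Does Not Have Domain Admin Rights" {

            Mock Test-IsUserDomainAdmin -ModuleName $moduleForMock -MockWith { return $false }

            $testUser = Get-CleanTestUser
            # Use an ENABLED account here. The fixture starts disabled, and the
            # already-disabled path (see the "Logic" context) also makes no
            # Set-AD* calls, so with a disabled account the zero-call
            # assertions below would still pass if the function kept going
            # after the privilege warning instead of exiting early.
            $testUser.Enabled = $true
            Disable-ActiveDirectoryAccount $testUser

            Assert-MockCalled -ModuleName $moduleForMock -CommandName Write-Warning `
                -ParameterFilter { $Message -match "You must have domain administrative privileges" } -Times 1 -Exactly -Scope It
            # The privilege check must block both code paths that change the account.
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADServiceAccount -Times 0 -Exactly -Scope It
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADUser -Times 0 -Exactly -Scope It
        }
    }

    Context "Logic" {

        # Every test in this context runs as a caller that passes the domain-admin check.
        Mock Test-IsUserDomainAdmin -ModuleName $moduleForMock -MockWith { return $true }

        It "Writes a Warning and Does Not Disable the User if it is Already Disabled" {

            # The fixture is disabled by default.
            $testUser = Get-CleanTestUser
            Disable-ActiveDirectoryAccount $testUser

            Assert-MockCalled -ModuleName $moduleForMock -CommandName Write-Warning `
                -ParameterFilter { $Message -match "already disabled" } -Times 1 -Exactly -Scope It
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADServiceAccount -Times 0 -Exactly -Scope It
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADUser -Times 0 -Exactly -Scope It
        }

        It "Disables the Service Account User if they are Enabled" {

            $testUser = Get-CleanTestUser
            $testUser.Enabled = $true
            Disable-ActiveDirectoryAccount $testUser

            # Exactly one disable call, through the service-account cmdlet only.
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADServiceAccount -Times 1 -Exactly -Scope It `
                -ParameterFilter { ($Identity -match "$fakeAccountName") -and ($Enabled -eq $false) }
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Write-Warning -Times 0 -Exactly -Scope It
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADUser -Times 0 -Exactly -Scope It
        }

        It "Disables the Standard Account User if they are Enabled" {

            $testUser = Get-CleanTestUser
            $testUser.Enabled = $true
            # NOTE(review): only the container in the DN changes; ObjectClass is
            # still "msDS-GroupManagedServiceAccount" from the fixture. Presumably
            # the function picks the cmdlet from the DistinguishedName - confirm.
            $testUser.DistinguishedName = "CN=$fakeAccountName,CN=Users,DC=foo,DC=bar"
            Disable-ActiveDirectoryAccount $testUser

            # Exactly one disable call, through the standard-user cmdlet only.
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADUser -Times 1 -Exactly -Scope It `
                -ParameterFilter { ($Identity -match "$fakeAccountName") -and ($Enabled -eq $false) }
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Write-Warning -Times 0 -Exactly -Scope It
            Assert-MockCalled -ModuleName $moduleForMock -CommandName Set-ADServiceAccount -Times 0 -Exactly -Scope It
        }
    }
}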