From 56575677e2d86a2dbca0074a7c97c6f1cc1c5c3f Mon Sep 17 00:00:00 2001
From: cmoreau <40433177+CedricMoreau@users.noreply.github.com>
Date: Mon, 7 Oct 2024 17:50:05 +0200
Subject: [PATCH] UserLocal : Add support of User LDAP/RADIUS/TACACS (#267)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Cédric Moreau
---
 PowerFGT/Public/cmdb/user/local.ps1 | 80 ++++-
 Tests/integration/UserLocal.Tests.ps1 | 453 ++++++++++++++++++++++++++
 2 files changed, 519 insertions(+), 14 deletions(-)
diff --git a/PowerFGT/Public/cmdb/user/local.ps1 b/PowerFGT/Public/cmdb/user/local.ps1
index 758fd8c47..2920e6f20 100644
--- a/PowerFGT/Public/cmdb/user/local.ps1
+++ b/PowerFGT/Public/cmdb/user/local.ps1
@@ -47,10 +47,15 @@ function Add-FGTUserLocal {
 [switch]$status,
 [Parameter (Mandatory = $false, ParameterSetName = "password")]
 [SecureString]$passwd,
- <#[Parameter (Mandatory = $false, ParameterSetName = "radius")]
+ [Parameter (Mandatory = $false, ParameterSetName = "radius")]
+ [ValidateLength(1, 35)]
 [string]$radius_server,
 [Parameter (Mandatory = $false, ParameterSetName = "tacacs")]
- [string]$tacacs_server,#>
+ [ValidateLength(1, 35)]
+ [string]$tacacs_server,
+ [Parameter (Mandatory = $false, ParameterSetName = "ldap")]
+ [ValidateLength(1, 35)]
+ [string]$ldap_server,
 [Parameter (Mandatory = $false)]
 [ValidateSet("fortitoken", "email", "sms", "disable", "fortitoken-cloud")]
 [string]$two_factor,
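Review bot: The three server parameters enabled in this hunk get no help text anywhere in the diff — none of the local.ps1 hunks touch the comment-based help block, so unless it already covers them, `-radius_server`, `-tacacs_server` and `-ldap_server` will appear in `Get-Help Add-FGTUserLocal` with no description and no example. Add a `.PARAMETER` entry for each stating that the value must be the name of an existing RADIUS, TACACS+ or LDAP server object on the device (the function throws otherwise), plus one `.EXAMPLE` per backend. The same gap applies to the Set-FGTUserLocal parameter hunk at @@ -323, where the change of user type also deserves a sentence. The param block continues outside this hunk.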
@@ -94,6 +99,24 @@ function Add-FGTUserLocal {
 Throw "Already a Local User object using the same name"
 }
+ if ( $PsBoundParameters.ContainsKey('radius_server') ) {
+ if ( -Not (Get-FGTUserRADIUS @invokeParams -name $radius_server -connection $connection)) {
+ Throw "There is no RADIUS Server existing using this name"
+ }
+ }
+
+ if ( $PsBoundParameters.ContainsKey('tacacs_server') ) {
+ if ( -Not (Get-FGTUserTACACS @invokeParams -name $tacacs_server -connection $connection)) {
+ Throw "There is no TACACS Server existing using this name"
+ }
+ }
+
+ if ( $PsBoundParameters.ContainsKey('ldap_server') ) {
+ if ( -Not (Get-FGTUserLDAP @invokeParams -name $ldap_server -connection $connection)) {
+ Throw "There is no LDAP Server existing using this name"
+ }
+ }
+
 $uri = "api/v2/cmdb/user/local"
 $local = New-Object -TypeName PSObject
@@ -112,15 +135,18 @@ function Add-FGTUserLocal {
 $local | add-member -name "type" -membertype NoteProperty -Value "password"
 $local | add-member -name "passwd" -membertype NoteProperty -Value $password
 }
- <#
 "radius" {
 $local | add-member -name "type" -membertype NoteProperty -Value "radius"
 $local | add-member -name "radius-server" -membertype NoteProperty -Value $radius_server
 }
 "tacacs" {
- $local | add-member -name "type" -membertype NoteProperty -Value "tacacs"
+ $local | add-member -name "type" -membertype NoteProperty -Value "tacacs+"
 $local | add-member -name "tacacs+-server" -membertype NoteProperty -Value $tacacs_server
- }#>
+ }
+ "ldap" {
+ $local | add-member -name "type" -membertype NoteProperty -Value "ldap"
+ $local | add-member -name "ldap-server" -membertype NoteProperty -Value $ldap_server
+ }
 default { }
 }
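Review bot: The three existence checks throw without naming the server that was not found, so a caller with a typo in `-radius_server` only sees `There is no RADIUS Server existing using this name` and has nothing to search for; include the value, e.g. `Throw "There is no RADIUS Server existing using this name ($radius_server)"`, and likewise for the TACACS and LDAP messages. The identical six-line pattern is repeated for all three backends here and again in Set-FGTUserLocal at @@ -356, so a fix to one message should be mirrored in all six places. Whether `Get-FGTUserRADIUS -name` performs an exact-name lookup or a filter match is not visible in this hunk; if it is a contains-style filter, the pre-check could accept a partial name that the device later rejects, which is worth confirming before relying on it as the only validation. Add-FGTUserLocal's body continues outside the hunk.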
@@ -323,10 +349,15 @@ function Set-FGTUserLocal {
 [switch]$status,
 [Parameter (Mandatory = $false, ParameterSetName = "password")]
 [SecureString]$passwd,
- <#[Parameter (Mandatory = $false, ParameterSetName = "radius")]
+ [Parameter (Mandatory = $false, ParameterSetName = "radius")]
+ [ValidateLength(1, 35)]
 [string]$radius_server,
 [Parameter (Mandatory = $false, ParameterSetName = "tacacs")]
- [string]$tacacs_server,#>
+ [ValidateLength(1, 35)]
+ [string]$tacacs_server,
+ [Parameter (Mandatory = $false, ParameterSetName = "ldap")]
+ [ValidateLength(1, 35)]
+ [string]$ldap_server,
 [Parameter (Mandatory = $false)]
 [ValidateSet("fortitoken", "email", "sms", "disable", "fortitoken-cloud")]
 [string]$two_factor,
@@ -356,6 +387,24 @@ function Set-FGTUserLocal {
 $invokeParams.add( 'vdom', $vdom )
 }
+ if ( $PsBoundParameters.ContainsKey('radius_server') ) {
+ if ( -Not (Get-FGTUserRADIUS @invokeParams -name $radius_server -connection $connection)) {
+ Throw "There is no RADIUS Server existing using this name"
+ }
+ }
+
+ if ( $PsBoundParameters.ContainsKey('tacacs_server') ) {
+ if ( -Not (Get-FGTUserTACACS @invokeParams -name $tacacs_server -connection $connection)) {
+ Throw "There is no TACACS Server existing using this name"
+ }
+ }
+
+ if ( $PsBoundParameters.ContainsKey('ldap_server') ) {
+ if ( -Not (Get-FGTUserLDAP @invokeParams -name $ldap_server -connection $connection)) {
+ Throw "There is no LDAP Server existing using this name"
+ }
+ }
+
 $uri = "api/v2/cmdb/user/local/$($userlocal.name)"
 $_local = New-Object -TypeName PSObject
@@ -379,10 +428,6 @@ function Set-FGTUserLocal {
 }
 }
- if ( $PSCmdlet.ParameterSetName -ne "default" -and $userlocal.type -ne $PSCmdlet.ParameterSetName ) {
- throw "User type ($($userlocal.type)) need to be on the same type ($($PSCmdlet.ParameterSetName))"
- }
-
 if ($PsBoundParameters.ContainsKey('status')) {
 if ($status) {
 $_local | add-member -name "status" -membertype NoteProperty -Value "enable"
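Review bot: With the type-consistency guard removed in the @@ -379 hunk, passing `-radius_server`, `-tacacs_server` or `-ldap_server` to Set-FGTUserLocal now silently moves an existing password user to an external authentication backend (the "Change type" tests rely on this), but nothing in the code records that this is deliberate rather than an oversight. Add a comment where the guard used to be, e.g. `# No type check here: the parameter set selects the authentication backend and may change it on an existing user`, and state the same in the cmdlet's comment-based help, since it changes how the user authenticates. Set-FGTUserLocal's body continues outside the hunk.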
@@ -394,14 +439,21 @@ function Set-FGTUserLocal {
 switch ( $PSCmdlet.ParameterSetName ) {
 "password" {
+ $_local | add-member -name "type" -membertype NoteProperty -Value "password"
 $_local | add-member -name "passwd" -membertype NoteProperty -Value $password
 }
- <#"radius" {
+ "radius" {
+ $_local | add-member -name "type" -membertype NoteProperty -Value "radius"
 $_local | add-member -name "radius-server" -membertype NoteProperty -Value $radius_server
 }
 "tacacs" {
+ $_local | add-member -name "type" -membertype NoteProperty -Value "tacacs+"
 $_local | add-member -name "tacacs+-server" -membertype NoteProperty -Value $tacacs_server
- }#>
+ }
+ "ldap" {
+ $_local | add-member -name "type" -membertype NoteProperty -Value "ldap"
+ $_local | add-member -name "ldap-server" -membertype NoteProperty -Value $ldap_server
+ }
 default { }
 }
@@ -417,7 +469,7 @@ function Set-FGTUserLocal {
 } elseif ( $two_factor -eq "sms" ) {
 $_local | add-member -name "two-factor" -membertype NoteProperty -Value $two_factor
- $_local | add-member -name "two-factor-authentication" -membertype NoteProperty -Value $two_factor++
+ $_local | add-member -name "two-factor-authentication" -membertype NoteProperty -Value $two_factor
 }
 }
diff --git a/Tests/integration/UserLocal.Tests.ps1 b/Tests/integration/UserLocal.Tests.ps1
index ca6333e7f..ae01b1169 100644
--- a/Tests/integration/UserLocal.Tests.ps1
+++ b/Tests/integration/UserLocal.Tests.ps1
@@ -91,6 +91,7 @@ Describe "Add User Local" {
 $userlocal.status | Should -Be "enable"
 $userlocal.'email-to' | Should -BeNullOrEmpty
 $userlocal.'two-factor' | Should -Be "disable"
+ $userlocal.type | Should -Be "password"
 }
 It "Add User Local $pester_userlocal email to" {
@@ -100,6 +101,7 @@ Describe "Add User Local" {
 $userlocal.status | Should -Be "disable"
 $userlocal.'email-to' | Should -Be "powerfgt@power.fgt"
 $userlocal.'two-factor' | Should -Be "disable"
+ $userlocal.type | Should -Be "password"
 }
 It "Add User Local $pester_userlocal MFA by email" {
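Review bot: When the parameter set changes the user's type, the object sent to the device carries only the new `type` and the new server attribute; the previous reference (for example `radius-server` after a switch to `-tacacs_server`, or `passwd` after leaving the password type) is neither cleared here nor asserted on anywhere, so whether the device drops the stale reference or keeps it alongside the new type is unverified by this commit. At minimum pin the behaviour in the "Change type" tests with `$userlocal.'radius-server' | Should -BeNullOrEmpty` after the switch to TACACS+ and the matching check after the switch to LDAP, and if the device keeps the old value, reset the other server fields in this switch. The switch sits inside Set-FGTUserLocal, whose body continues outside the hunk.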
@@ -109,6 +111,7 @@ Describe "Add User Local" {
 $userlocal.status | Should -Be "enable"
 $userlocal.'email-to' | Should -Be "powerfgt@power.fgt"
 $userlocal.'two-factor' | Should -Be "email"
+ $userlocal.type | Should -Be "password"
 }
 It "Add User Local $pester_userlocal email with -data" {
@@ -118,8 +121,205 @@ Describe "Add User Local" { $userlocal.name | Should -Be $pester_userlocal $userlocal.status | Should -Be "enable" $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.type | Should -Be "password" } + } + + Context "Local User (RADIUS)" { + + BeforeAll { + Add-FGTUserRADIUS -Name $pester_userradius -server $pester_userradiusserver1 -secret $pester_userradius_secret + } + + It "Add User Local $pester_userlocal as RADIUS user" { + Add-FGTUserLocal -Name $pester_userlocal -radius_server $pester_userradius + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.type | Should -Be "radius" + $userlocal.'radius-server' | Should -Be $pester_userradius + } + + It "Add User Local $pester_userlocal as RADIUS user enable" { + Add-FGTUserLocal -Name $pester_userlocal -status -radius_server $pester_userradius + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + $userlocal.'radius-server' | Should -Be $pester_userradius + } + + It "Add User Local $pester_userlocal as RADIUS user email to" { + Add-FGTUserLocal -Name $pester_userlocal -email_to "powerfgt@power.fgt" -radius_server $pester_userradius + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "disable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "disable" + $userlocal.'radius-server' | Should -Be $pester_userradius + } + + It "Add User Local $pester_userlocal as RADIUS user MFA by email" { + Add-FGTUserLocal -Name $pester_userlocal -status -two_factor email -email_to "powerfgt@power.fgt" -radius_server $pester_userradius + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | 
Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + $userlocal.'radius-server' | Should -Be $pester_userradius + } + + It "Add User Local $pester_userlocal as RADIUS user email with -data" { + $data = @{ "email-to" = "powerfgt@power.fgt" } + Add-FGTUserLocal -Name $pester_userlocal -status -data $data -radius_server $pester_userradius + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'radius-server' | Should -Be $pester_userradius + } + + AfterEach { + Get-FGTUserLocal -name $pester_userlocal | Remove-FGTUserLocal -confirm:$false + } + + AfterAll { + Get-FGTUserRADIUS -name $pester_userradius | Remove-FGTUserRADIUS -confirm:$false + } + + } + + Context "Local User (TACACS+)" { + + BeforeAll { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key + } + + It "Add User Local $pester_userlocal as TACACS user" { + Add-FGTUserLocal -Name $pester_userlocal -tacacs_server $pester_usertacacs + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.type | Should -Be "tacacs+" + $userlocal.'tacacs+-server' | Should -Be $pester_usertacacs + } + + It "Add User Local $pester_userlocal as TACACS user enable" { + Add-FGTUserLocal -Name $pester_userlocal -status -tacacs_server $pester_usertacacs + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + $userlocal.'tacacs+-server' | Should -Be $pester_usertacacs + } + + It "Add User Local $pester_userlocal as TACACS user email to" { + 
Add-FGTUserLocal -Name $pester_userlocal -email_to "powerfgt@power.fgt" -tacacs_server $pester_usertacacs + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "disable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "disable" + $userlocal.'tacacs+-server' | Should -Be $pester_usertacacs + } + + It "Add User Local $pester_userlocal as TACACS user MFA by email" { + Add-FGTUserLocal -Name $pester_userlocal -status -two_factor email -email_to "powerfgt@power.fgt" -tacacs_server $pester_usertacacs + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + $userlocal.'tacacs+-server' | Should -Be $pester_usertacacs + } + + It "Add User Local $pester_userlocal as TACACS user email with -data" { + $data = @{ "email-to" = "powerfgt@power.fgt" } + Add-FGTUserLocal -Name $pester_userlocal -status -data $data -tacacs_server $pester_usertacacs + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'tacacs+-server' | Should -Be $pester_usertacacs + } + + AfterEach { + Get-FGTUserLocal -name $pester_userlocal | Remove-FGTUserLocal -confirm:$false + } + + AfterAll { + Get-FGTUserTACACS -name $pester_usertacacs | Remove-FGTUserTACACS -confirm:$false + } + + } + + Context "Local User (LDAP)" { + + BeforeAll { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" + } + + It "Add User Local $pester_userlocal as LDAP user" { + Add-FGTUserLocal -Name $pester_userlocal -ldap_server $pester_userldap + $userlocal = Get-FGTUserLocal -name 
$pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.type | Should -Be "ldap" + $userlocal.'ldap-server' | Should -Be $pester_userldap + } + + It "Add User Local $pester_userlocal as TACACS user enable" { + Add-FGTUserLocal -Name $pester_userlocal -status -ldap_server $pester_userldap + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + $userlocal.'ldap-server' | Should -Be $pester_userldap + } + + It "Add User Local $pester_userlocal as TACACS user email to" { + Add-FGTUserLocal -Name $pester_userlocal -email_to "powerfgt@power.fgt" -ldap_server $pester_userldap + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "disable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "disable" + $userlocal.'ldap-server' | Should -Be $pester_userldap + } + + It "Add User Local $pester_userlocal as TACACS user MFA by email" { + Add-FGTUserLocal -Name $pester_userlocal -status -two_factor email -email_to "powerfgt@power.fgt" -ldap_server $pester_userldap + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + $userlocal.'ldap-server' | Should -Be $pester_userldap + } + + It "Add User Local $pester_userlocal as TACACS user email with -data" { + $data = @{ "email-to" = "powerfgt@power.fgt" } + Add-FGTUserLocal -Name $pester_userlocal -status -data $data -ldap_server $pester_userldap + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + 
$userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'ldap-server' | Should -Be $pester_userldap + } + + AfterEach { + Get-FGTUserLocal -name $pester_userlocal | Remove-FGTUserLocal -confirm:$false + } + + AfterAll { + Get-FGTUserLDAP -name $pester_userldap | Remove-FGTUserLDAP -confirm:$false + } + + } + + Context "Local User (Existing entry)" { + It "Try to Add User Local $pester_userlocal (but there is already a object with same name)" { #Add first userlocal Add-FGTUserLocal -Name $pester_userlocal -status -passwd $pester_userlocalpassword @@ -127,6 +327,10 @@ Describe "Add User Local" { { Add-FGTUserLocal -Name $pester_userlocal -status -passwd $pester_userlocalpassword } | Should -Throw "Already a Local User object using the same name" } + AfterAll { + Get-FGTUserLocal -name $pester_userlocal | Remove-FGTUserLocal -confirm:$false + } + } } 
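Review bot: In the `Local User (LDAP)` context four `It` titles still read `as TACACS user enable`, `as TACACS user email to`, `as TACACS user MFA by email` and `as TACACS user email with -data`, a copy-paste leftover from the TACACS+ context above; rename them to `as LDAP user …` so a failure in the Pester output points at the right backend. The LDAP `BeforeAll` also repeats the literal `-dn "dc=fgt,dc=power,dc=powerfgt"` that appears twice more in the Configure hunk; if the shared test setup already defines a variable for it, use that, otherwise a single `$pester_userldap_dn` (constructed name) at the top of the file would keep the three copies aligned.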
@@ -222,6 +426,255 @@ Describe "Configure User Local" { } } + + Context "Change name, email, MFA, etc as RADIUS User" { + + BeforeAll { + Add-FGTUserRADIUS -Name $pester_userradius -server $pester_userradiusserver1 -secret $pester_userradius_secret + Add-FGTUserLocal -Name $pester_userlocal -radius_server $pester_userradius + } + + It "Change status User Local to disable" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -status:$false + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "disable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Change status User Local to enable" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -status + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Change email to" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -email_to "powerfgt@power.fgt" + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Enable MFA by email" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -two_factor email + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Change Name" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -name "pester_userlocal_change" + $userlocal = Get-FGTUserLocal -name "pester_userlocal_change" + 
$userlocal.name | Should -Be "pester_userlocal_change" + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Change email to with -data" { + $data = @{ "email-to" = "powerfgt@power.fgt" } + Get-FGTUserLocal -name "pester_userlocal_change" | Set-FGTUserLocal -data $data + $userlocal = Get-FGTUserLocal -name "pester_userlocal_change" + $userlocal.name | Should -Be "pester_userlocal_change" + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + AfterAll { + Get-FGTUserLocal -name "pester_userlocal_change" | Remove-FGTUserLocal -confirm:$false + Get-FGTUserRADIUS -name $pester_userradius | Remove-FGTUserRADIUS -confirm:$false + } + + } + + Context "Change name, email, MFA, etc as TACACS+ User" { + + BeforeAll { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key + Add-FGTUserLocal -Name $pester_userlocal -tacacs_server $pester_usertacacs + } + + It "Change status User Local to disable" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -status:$false + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "disable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Change status User Local to enable" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -status + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Change email to" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -email_to "powerfgt@power.fgt" + $userlocal = Get-FGTUserLocal 
-name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Enable MFA by email" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -two_factor email + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Change Name" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -name "pester_userlocal_change" + $userlocal = Get-FGTUserLocal -name "pester_userlocal_change" + $userlocal.name | Should -Be "pester_userlocal_change" + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Change email to with -data" { + $data = @{ "email-to" = "powerfgt@power.fgt" } + Get-FGTUserLocal -name "pester_userlocal_change" | Set-FGTUserLocal -data $data + $userlocal = Get-FGTUserLocal -name "pester_userlocal_change" + $userlocal.name | Should -Be "pester_userlocal_change" + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + AfterAll { + Get-FGTUserLocal -name "pester_userlocal_change" | Remove-FGTUserLocal -confirm:$false + Get-FGTUserTACACS -name $pester_usertacacs | Remove-FGTUserTACACS -confirm:$false + } + + } + + Context "Change name, email, MFA, etc as LDAP User" { + + BeforeAll { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" + Add-FGTUserLocal -Name $pester_userlocal -ldap_server $pester_userldap + } + + It "Change status User Local to disable" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal 
-status:$false + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "disable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Change status User Local to enable" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -status + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Change email to" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -email_to "powerfgt@power.fgt" + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Enable MFA by email" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -two_factor email + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Change Name" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -name "pester_userlocal_change" + $userlocal = Get-FGTUserLocal -name "pester_userlocal_change" + $userlocal.name | Should -Be "pester_userlocal_change" + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Change email to with -data" { + $data = @{ "email-to" = "powerfgt@power.fgt" } + Get-FGTUserLocal -name "pester_userlocal_change" | Set-FGTUserLocal -data $data + $userlocal = Get-FGTUserLocal -name "pester_userlocal_change" + 
$userlocal.name | Should -Be "pester_userlocal_change" + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + AfterAll { + Get-FGTUserLocal -name "pester_userlocal_change" | Remove-FGTUserLocal -confirm:$false + Get-FGTUserLDAP -name $pester_userldap | Remove-FGTUserLDAP -confirm:$false + } + + } + + Context "Change type" { + + BeforeAll { + Add-FGTUserRADIUS -Name $pester_userradius -server $pester_userradiusserver1 -secret $pester_userradius_secret + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" + Add-FGTUserLocal -Name $pester_userlocal -passwd $pester_userlocalpassword + } + + It "Change type to RADIUS from Local" -skip:($fgt_version -lt "6.4.0") { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -radius_server $pester_userradius + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.type | Should -Be "radius" + $userlocal."radius-server" | Should -Be $pester_userradius + } + + It "Change type to TACACS from RADIUS" -skip:($fgt_version -lt "6.4.0") { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -tacacs_server $pester_usertacacs + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.type | Should -Be "tacacs+" + $userlocal."tacacs+-server" | Should -Be $pester_usertacacs + } + + It "Change type to LDAP from TACACS" -skip:($fgt_version -lt "6.4.0") { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -ldap_server $pester_userldap + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.type | Should -Be "ldap" + $userlocal."ldap-server" | Should -Be $pester_userldap + } + + 
AfterAll { + Get-FGTUserLocal -name $pester_userlocal | Remove-FGTUserLocal -confirm:$false + Get-FGTUserRADIUS -name $pester_userradius | Remove-FGTUserRADIUS -confirm:$false + Get-FGTUserTACACS -name $pester_usertacacs | Remove-FGTUserTACACS -confirm:$false + Get-FGTUserLDAP -name $pester_userldap | Remove-FGTUserLDAP -confirm:$false + } + + } } Describe "Remove User Local" {
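Review bot: The "Change type" cases are gated on `-skip:($fgt_version -lt "6.4.0")`; if `$fgt_version` is a plain string rather than `[version]`, that comparison is lexicographic and would mis-order a future two-digit major release — its type is set outside this file, so worth confirming in the shared test setup, or coerce with `[version]$fgt_version -lt [version]"6.4.0"`. The three "Change name, email, MFA, etc as … User" contexts are otherwise identical apart from their `BeforeAll`/`AfterAll` lines, so anyone editing one of them should expect to apply the same change to the other two.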