diff --git a/PowerFGT/Private/Confirm.ps1 b/PowerFGT/Private/Confirm.ps1
index f1c16470c..1852d3493 100644
--- a/PowerFGT/Private/Confirm.ps1
+++ b/PowerFGT/Private/Confirm.ps1
@@ -233,6 +233,55 @@ Function Confirm-FGTFirewallProxyPolicy { } +Function Confirm-FGTUserLDAP { + + Param ( + [Parameter (Mandatory = $true)] + [object]$argument + ) + + #Check if it looks like a LDAP Server element + + if ( -not ( $argument | get-member -name name -Membertype Properties)) { + throw "Element specified does not contain a name property." + } + if ( -not ( $argument | get-member -name secondary-server -Membertype Properties)) { + throw "Element specified does not contain a secondary-server property." + } + if ( -not ( $argument | get-member -name tertiary-server -Membertype Properties)) { + throw "Element specified does not contain a tertiary-server property." + } + if ( -not ( $argument | get-member -name server-identity-check -Membertype Properties)) { + throw "Element specified does not contain a server-identity-check property." + } + if ( -not ( $argument | get-member -name source-ip -Membertype Properties)) { + throw "Element specified does not contain a source-ip property." + } + if ( -not ( $argument | get-member -name cnid -Membertype Properties)) { + throw "Element specified does not contain a cnid property." + } + if ( -not ( $argument | get-member -name dn -Membertype Properties)) { + throw "Element specified does not contain a dn property." + } + if ( -not ( $argument | get-member -name type -Membertype Properties)) { + throw "Element specified does not contain a type property." + } + if ( -not ( $argument | get-member -name username -Membertype Properties)) { + throw "Element specified does not contain an username property." + } + if ( -not ( $argument | get-member -name password -Membertype Properties)) { + throw "Element specified does not contain a password property." + } + if ( -not ( $argument | get-member -name secure -Membertype Properties)) { + throw "Element specified does not contain a secure property." 
+ } + if ( -not ( $argument | get-member -name port -Membertype Properties)) { + throw "Element specified does not contain a port property." + } + + $true +} + Function Confirm-FGTVip { Param ( diff --git a/PowerFGT/Public/cmdb/user/ldap.ps1 b/PowerFGT/Public/cmdb/user/ldap.ps1 index db8e15cea..9f1a0c362 100644 --- a/PowerFGT/Public/cmdb/user/ldap.ps1 +++ b/PowerFGT/Public/cmdb/user/ldap.ps1 
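Review bot: Confirm-FGTUserLDAP never checks the primary `server` property, although Add-FGTUserLDAP treats it as mandatory and the other server fields (secondary-server, tertiary-server) are validated, so an object missing it still passes the ValidateScript guard on Set-FGTUserLDAP and Remove-FGTUserLDAP. Add `if ( -not ( $argument | get-member -name server -Membertype Properties)) {` / `throw "Element specified does not contain a server property."` / `}` after the name check. As a matter of style, the twelve identical blocks could be one `foreach` over a list of property names with the name interpolated into the throw message, which would also keep the wording uniform (the username check says "an username"). The function is entirely within the hunk.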
@@ -4,6 +4,167 @@ # SPDX-License-Identifier: Apache-2.0 # +function Add-FGTUserLDAP { + + <# + .SYNOPSIS + Add a FortiGate LDAP Server + + .DESCRIPTION + Add a FortiGate LDAP Server (Server, dc, cnid...) + + .EXAMPLE + Add-FGTUserLDAP -Name MyFGTUserLDAP -server ldap.powerfgt -dn "dc=fgt,dc=power,dc=powerfgt" + + Add a LDAP Server named MyFGTUserLDAP using ldap.powerfgt with Base DN dc=fgt,dc=power,dc=powerfgt + + .EXAMPLE + Add-FGTUserLDAP -Name MyFGTUserLDAP -server ldap.powerfgt -dn "dc=fgt,dc=power,dc=powerfgt" -cnid sAMAccountName + + Add a LDAP Server named MyFGTUserLDAP using ldap.powerfgt with Base DN dc=fgt,dc=power,dc=powerfgt and sAMAccountName as CNID + + .EXAMPLE + $mypassword = ConvertTo-SecureString mypassword -AsPlainText -Force + PS C:\>Add-FGTUserLDAP -Name MyFGTUserLDAP -server ldap.powerfgt -dn "dc=fgt,dc=power,dc=powerfgt" -type regular -username svc_powerfgt -password $mypassword + + Add a LDAP Server named MyFGTUserLDAP using ldap.powerfgt with Base DN dc=fgt,dc=power,dc=powerfgt of type regular with specified username and password for binding + + .EXAMPLE + Add-FGTUserLDAP -Name MyFGTUserLDAP -server ldap.powerfgt -dn "dc=fgt,dc=power,dc=powerfgt" -secure ldaps + + Add a LDAP Server named MyFGTUserLDAP using ldap.powerfgt with Base DN dc=fgt,dc=power,dc=powerfgt, and secure connection (LDAPS) + + .EXAMPLE + $mypassword = ConvertTo-SecureString mypassword -AsPlainText -Force + Add-FGTUserLDAP -Name MyFGTUserLDAP -server ldap.powerfgt -dn "dc=fgt,dc=power,dc=powerfgt" -secondary_server ldap2.powerfgt -tertiary_server ldap3.powerfgt -cnid SAMAccountName -type simple -username svc_powerfgt -password $mypassword -secure ldaps + + Add a LDAP Server named MyFGTUserLDAP using ldap.powerfgt as primary server, ldap2.powerfgt as secondary server and ldap3.powerfgt as tertiary server with Base DN dc=fgt,dc=power,dc=powerfgt, SAMAccountName as CNID, a regular account and secure connection (LDAPS) + + .EXAMPLE + $data = @{ "port" = 10389 } + PS 
C:\>Add-FGTUserLDAP -Name MyFGTUserLDAP -server ldap.powerfgt -dn "dc=fgt,dc=power,dc=powerfgt" -data $data + + Add a LDAP Server named MyFGTUserLDAP using ldap.powerfgt with Base DN dc=fgt,dc=power,dc=powerfgt and port 10389 via -data parameter + #> + + Param( + [Parameter (Mandatory = $true)] + [ValidateLength(1, 35)] + [string]$name, + [Parameter (Mandatory = $true)] + [ValidateLength(1, 63)] + [string]$server, + [Parameter (Mandatory = $false)] + [ValidateLength(1, 63)] + [string]$secondary_server, + [Parameter (Mandatory = $false)] + [ValidateLength(1, 63)] + [string]$tertiary_server, + [Parameter (Mandatory = $false)] + [ValidateLength(0, 20)] + [string]$cnid, + [Parameter (Mandatory = $true)] + [ValidateLength(0, 511)] + [string]$dn, + [Parameter (Mandatory = $false)] + [ValidateSet("simple", "regular", "anonymous")] + [string]$type, + [Parameter (Mandatory = $false)] + [ValidateLength(0, 511)] + [string]$username, + [Parameter (Mandatory = $false)] + [SecureString]$password, + [Parameter (Mandatory = $false)] + [ValidateSet("disable", "starttls", "ldaps")] + [string]$secure, + [Parameter (Mandatory = $false)] + [hashtable]$data, + [Parameter(Mandatory = $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + [psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + if ( Get-FGTUserLDAP @invokeParams -name $name -connection $connection) { + Throw "Already a LDAP Server using the same name" + } + + $uri = "api/v2/cmdb/user/ldap" + + $ldap = new-Object -TypeName PSObject + + $ldap | add-member -name "name" -membertype NoteProperty -Value $name + + $ldap | add-member -name "server" -membertype NoteProperty -Value $server + + if ( $PsBoundParameters.ContainsKey('secondary_server') ) { + $ldap | add-member -name "secondary-server" -membertype NoteProperty -Value $secondary_server + } + + if ( 
$PsBoundParameters.ContainsKey('tertiary_server') ) { + $ldap | add-member -name "tertiary-server" -membertype NoteProperty -Value $tertiary_server + } + + if ( $PsBoundParameters.ContainsKey('cnid') ) { + $ldap | add-member -name "cnid" -membertype NoteProperty -Value $cnid + } + + if ( $PsBoundParameters.ContainsKey('dn') ) { + $ldap | add-member -name "dn" -membertype NoteProperty -Value $dn + } + + if ( $PsBoundParameters.ContainsKey('type') ) { + if ($type -eq "regular" -and ($Null -eq $username -or $Null -eq $password)) { + Throw "You need to specify an username and a passord !" + } + elseif ($type -eq "regular") { + $ldap | add-member -name "type" -membertype NoteProperty -Value $type + $ldap | add-member -name "username" -membertype NoteProperty -Value $username + if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) { + $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password); + $passwd = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr); + $ldap | add-member -name "password" -membertype NoteProperty -Value $passwd + } + else { + $passwd = ConvertFrom-SecureString -SecureString $password -AsPlainText + $ldap | add-member -name "password" -membertype NoteProperty -Value $passwd + } + } + else { + #$type is equal to simple or anonymous (Doesn't need username and password) + $ldap | add-member -name "type" -membertype NoteProperty -Value $type + } + } + + if ( $PsBoundParameters.ContainsKey('secure') ) { + $ldap | add-member -name "secure" -membertype NoteProperty -Value $secure + } + + if ( $PsBoundParameters.ContainsKey('data') ) { + $data.GetEnumerator() | ForEach-Object { + $ldap | Add-member -name $_.key -membertype NoteProperty -Value $_.value + } + } + + Invoke-FGTRestMethod -method "POST" -body $ldap -uri $uri -connection $connection @invokeParams | out-Null + + Get-FGTUserLDAP -name $name -connection $connection @invokeParams + } + + End { + } +} + function Get-FGTUserLDAP { <# 
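Review bot: The regular-type guard in Add-FGTUserLDAP compares `[string]$username` with `$Null`, but an unbound `[string]` parameter is an empty string, so `-type regular -password $pw` without `-username` passes the check and posts an empty username instead of throwing; Set-FGTUserLDAP in the next hunk decides the same thing with `$PsBoundParameters.ContainsKey(...)`, and this line should match it: `if ($type -eq "regular" -and (-Not $PsBoundParameters.ContainsKey('username') -or -Not $PsBoundParameters.ContainsKey('password'))) {`. The message on the following line also misspells "passord", while Set-FGTUserLDAP throws "You need to specify an username and a password !". In the Desktop branch the BSTR returned by SecureStringToBSTR is never released, which leaves a plaintext copy of the bind password in unmanaged memory until the process exits; after PtrToStringAuto add `[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)`, and the same applies to the three copies of this block in Set-FGTUserLDAP in the next hunk. The hunk ends inside Get-FGTUserLDAP, whose body is outside it.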
@@ -103,3 +264,253 @@ function Get-FGTUserLDAP { End { } } + +function Set-FGTUserLDAP { + + <# + .SYNOPSIS + Change a FortiGate LDAP Server + + .DESCRIPTION + Set a FortiGate LDAP Server (Server, dc, cnid...) + + .EXAMPLE + $MyFGTUserLDAP = Get-FGTUserLDAP -name MyFGTUserLDAP + PS C:\>$MyFGTUserLDAP | Set-FGTUserLDAP -server mynewldapserver + + Change server of MyFGTUserLDAP to mynewldapserver + + .EXAMPLE + $MyFGTUserLDAP = Get-FGTUserLDAP -name MyFGTUserLDAP + $mypassword = ConvertTo-SecureString mypassword -AsPlainText -Force + PS C:\>$MyFGTUserLDAP | Set-FGTUserLDAP -username myusername -password $mypassword -type regular + + Change type to regular and change username and password + + .EXAMPLE + $MyFGTUserLDAP = Get-FGTUserLDAP -name MyFGTUserLDAP + PS C:\>$MyFGTUserLDAP | Set-FGTUserLDAP -secure ldaps + + Change MyFGTUserLDAP to user secure connection (LDAPS and port 636) + + .EXAMPLE + $data = @{ "port" = "10389" } + PS C:\>$MyFGTUserLDAP = Get-FGTUserLDAP -name MyFGTUserLDAP + PS C:\>$MyFGTUserLDAP | Set-FGTUserLDAP -data $data + + Change MyFGTUserLDAP to port 10389 + + #> + + [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'medium', DefaultParameterSetName = 'default')] + Param( + [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)] + [ValidateScript( { Confirm-FGTUserLDAP $_ })] + [psobject]$userldap, + [Parameter (Mandatory = $false)] + [ValidateLength(1, 35)] + [string]$name, + [Parameter (Mandatory = $false)] + [ValidateLength(1, 63)] + [string]$server, + [Parameter (Mandatory = $false)] + [ValidateLength(1, 63)] + [string]$secondary_server, + [Parameter (Mandatory = $false)] + [ValidateLength(1, 63)] + [string]$tertiary_server, + [Parameter (Mandatory = $false)] + [ValidateLength(0, 20)] + [string]$cnid, + [Parameter (Mandatory = $false)] + [ValidateLength(0, 511)] + [string]$dn, + [Parameter (Mandatory = $false)] + [ValidateSet("simple", "regular", "anonymous")] + [string]$type, + [Parameter (Mandatory = $false)] + 
[ValidateLength(0, 511)] + [string]$username, + [Parameter (Mandatory = $false)] + [SecureString]$password, + [Parameter (Mandatory = $false)] + [ValidateSet("disable", "starttls", "ldaps")] + [string]$secure, + [Parameter (Mandatory = $false)] + [hashtable]$data, + [Parameter(Mandatory = $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + [psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + $uri = "api/v2/cmdb/user/ldap/$($userldap.name)" + + $_ldap = New-Object -TypeName PSObject + + if ( $PsBoundParameters.ContainsKey('name') ) { + #TODO check if there is no already an object with this name ? + $_ldap | add-member -name "name" -membertype NoteProperty -Value $name + $userldap.name = $name + } + + if ( $PsBoundParameters.ContainsKey('server') ) { + $_ldap | add-member -name "server" -membertype NoteProperty -Value $server + } + + if ( $PsBoundParameters.ContainsKey('secondary_server') ) { + $_ldap | add-member -name "secondary-server" -membertype NoteProperty -Value $secondary_server + } + + if ( $PsBoundParameters.ContainsKey('tertiary_server') ) { + $_ldap | add-member -name "tertiary-server" -membertype NoteProperty -Value $tertiary_server + } + + if ( $PsBoundParameters.ContainsKey('cnid') ) { + $_ldap | add-member -name "cnid" -membertype NoteProperty -Value $cnid + } + + if ( $PsBoundParameters.ContainsKey('dn') ) { + $_ldap | add-member -name "dn" -membertype NoteProperty -Value $dn + } + + if ( $PsBoundParameters.ContainsKey('secure') ) { + $_ldap | add-member -name "secure" -membertype NoteProperty -Value $secure + } + + if ( ($PsBoundParameters.ContainsKey('username') -or $PsBoundParameters.ContainsKey('password')) -and -Not $PsBoundParameters.ContainsKey('type') ) { + if ($userldap.type -eq "regular" -and $PsBoundParameters.ContainsKey('username') -and -Not 
$PsBoundParameters.ContainsKey('password')) { + $_ldap | add-member -name "username" -membertype NoteProperty -Value $username + } + elseif ($userldap.type -eq "regular" -and $PsBoundParameters.ContainsKey('password') -and -Not $PsBoundParameters.ContainsKey('username')) { + if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) { + $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password); + $passwd = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr); + $_ldap | add-member -name "password" -membertype NoteProperty -Value $passwd + } + else { + $passwd = ConvertFrom-SecureString -SecureString $password -AsPlainText + $_ldap | add-member -name "password" -membertype NoteProperty -Value $passwd + } + } + elseif ($userldap.type -eq "regular" -and $PsBoundParameters.ContainsKey('password') -and $PsBoundParameters.ContainsKey('username')) { + $_ldap | add-member -name "username" -membertype NoteProperty -Value $username + if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) { + $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password); + $passwd = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr); + $_ldap | add-member -name "password" -membertype NoteProperty -Value $passwd + } + else { + $passwd = ConvertFrom-SecureString -SecureString $password -AsPlainText + $_ldap | add-member -name "password" -membertype NoteProperty -Value $passwd + } + } + else { + Throw "The type need to be regular to specify username or password" + } + } + + if ( $PsBoundParameters.ContainsKey('type') ) { + if ($type -eq "regular" -and (-Not $PsBoundParameters.ContainsKey('username') -or -Not $PsBoundParameters.ContainsKey('password'))) { + Throw "You need to specify an username and a password !" 
+ } + elseif ($type -eq "regular") { + $_ldap | add-member -name "type" -membertype NoteProperty -Value $type + $_ldap | add-member -name "username" -membertype NoteProperty -Value $username + if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) { + $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password); + $passwd = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr); + $_ldap | add-member -name "password" -membertype NoteProperty -Value $passwd + } + else { + $passwd = ConvertFrom-SecureString -SecureString $password -AsPlainText + $_ldap | add-member -name "password" -membertype NoteProperty -Value $passwd + } + } + else { + #$type is equal to simple or anonymous (Doesn't need username and password) + $_ldap | add-member -name "type" -membertype NoteProperty -Value $type + } + } + + if ( $PsBoundParameters.ContainsKey('data') ) { + $data.GetEnumerator() | ForEach-Object { + $_ldap | Add-member -name $_.key -membertype NoteProperty -Value $_.value + } + } + + if ($PSCmdlet.ShouldProcess($userldap.name, 'Configure User Local')) { + Invoke-FGTRestMethod -method "PUT" -body $_ldap -uri $uri -connection $connection @invokeParams | out-Null + + Get-FGTUserLDAP -name $userldap.name -connection $connection @invokeParams + } + } + + End { + } +} + +function Remove-FGTUserLDAP { + + <# + .SYNOPSIS + Remove a FortiGate LDAP Server + + .DESCRIPTION + Remove a LDAP Server on the FortiGate + + .EXAMPLE + $MyFGTUserLDAP = Get-FGTUserLDAP -name PowerFGT + PS C:\>$MyFGTUserLDAP | Remove-FGTUserLDAP + + Remove user object $MyFGTUserLDAP + + .EXAMPLE + $MyFGTUserLDAP = Get-FGTUserLDAP -name MyFGTUserLDAP + PS C:\>$MyFGTUserLDAP | Remove-FGTUserLDAP -confirm:$false + + Remove UserLDAP object $MyFGTUserLDAP with no confirmation + + #> + + [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'high')] + Param( + [Parameter (Mandatory = $true, ValueFromPipeline = $true, Position = 1)] + [ValidateScript( { 
Confirm-FGTUserLDAP $_ })] + [psobject]$userldap, + [Parameter(Mandatory = $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + [psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + $uri = "api/v2/cmdb/user/ldap/$($userldap.name)" + + if ($PSCmdlet.ShouldProcess($userldap.name, 'Remove User Ldap')) { + $null = Invoke-FGTRestMethod -method "DELETE" -uri $uri -connection $connection @invokeParams + } + } + + End { + } +} \ No newline at end of file diff --git a/Tests/common.ps1 b/Tests/common.ps1 index 5a56d95b2..505585380 100644 --- a/Tests/common.ps1 +++ b/Tests/common.ps1 @@ -46,6 +46,12 @@ $script:pester_zone1 = "pester_zone %/*?1" $script:pester_zone2 = "pester_zone2" $script:pester_userlocal = "pester_userlocal" $script:pester_userlocalpassword = ConvertTo-SecureString "pester_userlocalpassword" -AsPlainText -Force +$script:pester_userldap = "pester_ldapserver" +$script:pester_userldapserver1 = "pesterldapserver1.powerfgt" +$script:pester_userldapserver2 = "pesterldapserver2.powerfgt" +$script:pester_userldapserver3 = "pesterldapserver3.powerfgt" +$script:pester_userldappassword = ConvertTo-SecureString "pester_userldappassword" -AsPlainText -Force +$script:pester_userldappasswordchanged = ConvertTo-SecureString "pester_userldappasswordchanged" -AsPlainText -Force . ../credential.ps1 #TODO: Add check if no ipaddress/login/password info... diff --git a/Tests/integration/UserLdap.Tests.ps1 b/Tests/integration/UserLdap.Tests.ps1 new file mode 100644 index 000000000..3c189bfba --- /dev/null +++ b/Tests/integration/UserLdap.Tests.ps1 
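Review bot: The ShouldProcess call in Set-FGTUserLDAP labels the operation 'Configure User Local', which looks copied from the user/local cmdlet and is the text -WhatIf and -Confirm show to the operator; it should read `if ($PSCmdlet.ShouldProcess($userldap.name, 'Configure User LDAP')) {`. The SecureString-to-plaintext block (Desktop BSTR path plus the Core ConvertFrom-SecureString path) is repeated three times in Set-FGTUserLDAP and once more in Add-FGTUserLDAP; a small private helper, for example next to Confirm-FGTUserLDAP, would reduce each branch to a single add-member call and give one place to release the BSTR. The three regular-type branches of the username/password-only block could then collapse into one, since adding username when bound and password when bound covers all three cases. ldap.ps1 also loses its trailing newline at the end of Remove-FGTUserLDAP.
```powershell
# Constructed helper name; lives in Private/, returns the plaintext of a SecureString on both editions.
function ConvertFrom-FGTSecureString {
    Param (
        [Parameter (Mandatory = $true)]
        [SecureString]$value
    )
    if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) {
        $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($value)
        try {
            return [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
        }
        finally {
            # release the unmanaged plaintext copy as soon as it has been read
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
    return ConvertFrom-SecureString -SecureString $value -AsPlainText
}

# … unchanged: Set-FGTUserLDAP parameter block and server/cnid/dn/secure handling …
if ( ($PsBoundParameters.ContainsKey('username') -or $PsBoundParameters.ContainsKey('password')) -and -Not $PsBoundParameters.ContainsKey('type') ) {
    if ($userldap.type -ne "regular") {
        Throw "The type need to be regular to specify username or password"
    }
    if ( $PsBoundParameters.ContainsKey('username') ) {
        $_ldap | add-member -name "username" -membertype NoteProperty -Value $username
    }
    if ( $PsBoundParameters.ContainsKey('password') ) {
        $_ldap | add-member -name "password" -membertype NoteProperty -Value (ConvertFrom-FGTSecureString $password)
    }
}
# … unchanged: -type handling (same helper call replaces its BSTR block), -data, ShouldProcess and REST call …
```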
@@ -0,0 +1,418 @@ +# +# Copyright 2024, Cedric Moreau +# +# SPDX-License-Identifier: Apache-2.0 +# + +#include common configuration +. ../common.ps1 + +BeforeAll { + Connect-FGT @invokeParams +} + +Describe "Get User LDAP" { + + BeforeAll { + Add-FGTUserLDAP -name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" + } + + It "Get User LDAP Does not throw an error" { + { + Get-FGTUserLDAP + } | Should -Not -Throw + } + + It "Get ALL User LDAP" { + $userldap = Get-FGTUserLDAP + @($userldap).count | Should -Not -Be $NULL + } + + It "Get ALL User LDAP with -skip" { + $userldap = Get-FGTUserLDAP -skip + @($userldap).count | Should -Not -Be $NULL + } + + It "Get User LDAP with -name $pester_userldap -meta" { + $userldap = Get-FGTUserLDAP -name $pester_userldap -meta + $userldap.q_ref | Should -Not -BeNullOrEmpty + $userldap.q_static | Should -Not -BeNullOrEmpty + $userldap.q_no_rename | Should -Not -BeNullOrEmpty + $userldap.q_global_entry | Should -Not -BeNullOrEmpty + $userldap.q_type | Should -Not -BeNullOrEmpty + $userldap.q_path | Should -Be "user" + $userldap.q_name | Should -Be "ldap" + $userldap.q_mkey_type | Should -Be "string" + if ($DefaultFGTConnection.version -ge "6.2.0") { + $userldap.q_no_edit | Should -Not -BeNullOrEmpty + } + } + + It "Get User LDAP ($pester_userldap)" { + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + } + + It "Get User LDAP ($pester_userldap) and confirm (via Confirm-FGTUserLDAP)" { + $userldap = Get-FGTUserLDAP -name $pester_userldap + Confirm-FGTUserLDAP ($userldap) | Should -Be $true + } + + Context "Search" { + + It "Search User LDAP by name ($pester_userldap)" { + $userldap = Get-FGTUserLDAP -name $pester_userldap + @($userldap).count | Should -be 1 + $userldap.name | Should -Be $pester_userldap + } + + } + + AfterAll { + Get-FGTUserLDAP -name $pester_userldap | Remove-FGTUserLDAP -confirm:$false + } + +} + +Describe "Add User LDAP" { + + Context 
"LDAP Server (Primary, secondary, tertiary servers, type, secure connection etc ...)" { + + AfterEach { + Get-FGTUserLDAP -name $pester_userldap | Remove-FGTUserLDAP -confirm:$false + } + + It "Add User LDAP Server $pester_userldap" { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be $pester_userldapserver1 + $userldap.dn | Should -Be "dc=fgt,dc=power,dc=powerfgt" + } + + It "Add User LDAP Server $pester_userldap with secondary-server" { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" -secondary_server $pester_userldapserver2 + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be $pester_userldapserver1 + $userldap.dn | Should -Be "dc=fgt,dc=power,dc=powerfgt" + $userldap.'secondary-server' | Should -Be $pester_userldapserver2 + } + + It "Add User LDAP Server $pester_userldap with tertiary-server" { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" -secondary_server $pester_userldapserver2 -tertiary_server $pester_userldapserver3 + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be $pester_userldapserver1 + $userldap.dn | Should -Be "dc=fgt,dc=power,dc=powerfgt" + $userldap.'secondary-server' | Should -Be $pester_userldapserver2 + $userldap.'tertiary-server' | Should -Be $pester_userldapserver3 + } + + It "Add User LDAP Server $pester_userldap with cnid" { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" -cnid sAMAccountName + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be 
$pester_userldapserver1 + $userldap.dn | Should -Be "dc=fgt,dc=power,dc=powerfgt" + $userldap.cnid | Should -Be "sAMAccountName" + } + + It "Add User LDAP Server $pester_userldap with type simple" { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" -type simple + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be $pester_userldapserver1 + $userldap.dn | Should -Be "dc=fgt,dc=power,dc=powerfgt" + $userldap.type | Should -Be "simple" + } + + It "Add User LDAP Server $pester_userldap with type anonymous" { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" -type anonymous + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be $pester_userldapserver1 + $userldap.dn | Should -Be "dc=fgt,dc=power,dc=powerfgt" + $userldap.type | Should -Be "anonymous" + } + + It "Add User LDAP Server $pester_userldap with type regular" { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" -type regular -username powerfgt -password $pester_userldappassword + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be $pester_userldapserver1 + $userldap.dn | Should -Be "dc=fgt,dc=power,dc=powerfgt" + $userldap.type | Should -Be "regular" + $userldap.username | Should -Be "powerfgt" + } + + It "Add User LDAP Server $pester_userldap with secure connection disabled" { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" -secure disable + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be $pester_userldapserver1 + $userldap.dn | Should -Be "dc=fgt,dc=power,dc=powerfgt" + 
$userldap.secure | Should -Be "disable" + $userldap.port | Should -Be "389" + } + + It "Add User LDAP Server $pester_userldap with secure connection starttls" { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" -secure starttls + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be $pester_userldapserver1 + $userldap.dn | Should -Be "dc=fgt,dc=power,dc=powerfgt" + $userldap.secure | Should -Be "starttls" + $userldap.port | Should -Be "389" + } + + It "Add User LDAP Server $pester_userldap with secure connection ldaps" { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" -secure ldaps + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be $pester_userldapserver1 + $userldap.dn | Should -Be "dc=fgt,dc=power,dc=powerfgt" + $userldap.secure | Should -Be "ldaps" + $userldap.port | Should -Be "636" + } + + It "Add User LDAP Server $pester_userldap with port 10389 and secure connection to ldaps via -data" { + $data = @{ "port" = "10389" ; "secure" = "ldaps" } + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" -data $data + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be $pester_userldapserver1 + $userldap.dn | Should -Be "dc=fgt,dc=power,dc=powerfgt" + $userldap.secure | Should -Be "ldaps" + $userldap.port | Should -Be "10389" + } + + It "Try to Add User LDAP Server $pester_userldap (but there is already a object with same name)" { + #Add first userldap + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" + #Add Second userldap with same name + { Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn 
"dc=fgt,dc=power,dc=powerfgt" } | Should -Throw "Already a LDAP Server using the same name" + } + + } + +} + +Describe "Configure User LDAP" { + + Context "Change server, CNID, DN, etc..." { + + BeforeAll { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" + } + + It "Change name of LDAP Server" { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -name "pester_ldapserver_renamed" + $userldap = Get-FGTUserLDAP -name "pester_ldapserver_renamed" + $userldap.name | Should -Be "pester_ldapserver_renamed" + $userldap.server | Should -Be $pester_userldapserver1 + } + + It "Change name of LDAP Server back to initial value" { + Get-FGTUserLDAP -name "pester_ldapserver_renamed" | Set-FGTuserldap -name $pester_userldap + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + } + + It "Change server" { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -server $pester_userldapserver2 + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be $pester_userldapserver2 + } + + It "Change secondary-server" { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -secondary_server $pester_userldapserver3 + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be $pester_userldapserver2 + $userldap."secondary-server" | Should -Be $pester_userldapserver3 + } + + It "Change tertiary-server" { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -tertiary_server $pester_userldapserver1 + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.server | Should -Be $pester_userldapserver2 + $userldap."secondary-server" | Should -Be $pester_userldapserver3 + $userldap."tertiary-server" | Should -Be $pester_userldapserver1 + } + + It "Change CNID" { + Get-FGTUserLDAP 
-name $pester_userldap | Set-FGTuserldap -cnid sAMAccountName + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.cnid | Should -Be "sAMAccountName" + } + + It "Change DN" { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -dn "dc=newfgt,dc=power,dc=powerfgt" + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.dn | Should -Be "dc=newfgt,dc=power,dc=powerfgt" + } + + AfterAll { + Get-FGTUserLDAP -name $pester_userldap | Remove-FGTUserLDAP -confirm:$false + } + + } + + Context "Change type" { + + BeforeAll { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" + } + + It "Change type (Regular)" { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -type regular -username powerfgt -password $pester_userldappassword + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.type | Should -Be "regular" + $userldap.username | Should -Be "powerfgt" + $userldap.password | Should -Not -Be $Null + } + + It "Change only username when type is already regular" { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -username powerfgtchanged + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.type | Should -Be "regular" + $userldap.username | Should -Be "powerfgtchanged" + } + + It "Change only password when type is already regular" { + { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -password $pester_userldappasswordchanged + } | Should -Not -Throw + } + + It "Change type (Anonymous)" { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -type anonymous + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.type | Should -Be "anonymous" + } + + It "Change type (Simple)" { + Get-FGTUserLDAP -name 
$pester_userldap | Set-FGTuserldap -type simple + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.type | Should -Be "simple" + } + + It "Change only username when type is not regular" { + { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -username powerfgt + } | Should -Throw "The type need to be regular to specify username or password" + } + + It "Change only password when type is not regular" { + { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -password $pester_userldappassword + } | Should -Throw "The type need to be regular to specify username or password" + } + + It "Change username and password when type is not regular" { + { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -username powerfgt -password $pester_userldappassword + } | Should -Throw "The type need to be regular to specify username or password" + } + + It "Change type to regular without username" { + { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -type regular -password $pester_userldappassword + } | Should -Throw "You need to specify an username and a password !" + } + + It "Change type to regular without password" { + { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -type regular -username powerfgt + } | Should -Throw "You need to specify an username and a password !" + } + + It "Change type to regular without username and password" { + { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -type regular + } | Should -Throw "You need to specify an username and a password !" 
+ } + + AfterAll { + Get-FGTUserLDAP -name $pester_userldap | Remove-FGTUserLDAP -confirm:$false + } + + } + + Context "Change secure connection" { + + BeforeAll { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" + } + + It "Change secure connection to ldaps" { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -secure ldaps + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.secure | Should -Be "ldaps" + $userldap.port | Should -Be "636" + } + + It "Change secure connection to starttls" { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -secure starttls + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.secure | Should -Be "starttls" + $userldap.port | Should -Be "389" + } + + It "Change secure connection to disable" { + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -secure disable + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.secure | Should -Be "disable" + $userldap.port | Should -Be "389" + } + + It "Change secure connection with -data" { + $data = @{ "secure" = "ldaps" } + Get-FGTUserLDAP -name $pester_userldap | Set-FGTuserldap -data $data + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap.name | Should -Be $pester_userldap + $userldap.secure | Should -Be "ldaps" + $userldap.port | Should -Be "636" + } + + AfterAll { + Get-FGTUserLDAP -name $pester_userldap | Remove-FGTUserLDAP -confirm:$false + } + + } +} + +Describe "Remove User LDAP" { + + Context "local" { + + BeforeEach { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" + } + + It "Remove User LDAP $pester_userldap by pipeline" { + $userldap = Get-FGTUserLDAP -name $pester_userldap + $userldap | Remove-FGTUserLDAP -confirm:$false + $userldap = Get-FGTUserLDAP -name 
$pester_userldap + $userldap | Should -Be $NULL + } + + } + +} + +AfterAll { + Disconnect-FGT -confirm:$false +} \ No newline at end of file
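Review bot: The "Add User LDAP Server ... with type regular" test covers only the happy path; nothing checks that Add-FGTUserLDAP rejects `-type regular` without `-username` or without `-password`, although the Configure block tests all three of those cases for Set-FGTUserLDAP, and the Add-side guard compares a `[string]` parameter with `$Null`, so that is exactly where the two cmdlets would differ. Add a case in the Add context such as `{ Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" -type regular -password $pester_userldappassword } | Should -Throw`. "Change only password when type is already regular" asserts only that the call does not throw; re-reading the object and checking `$userldap.type | Should -Be "regular"` would at least confirm the type was not reset by the PUT. The Context in "Remove User LDAP" is named "local", apparently left over from the user/local tests.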