From c927afd2d6a6fa43549b59335f3133798550f6f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Moreau?=
Date: Tue, 17 Sep 2024 10:03:33 +0200
Subject: [PATCH 1/9] Add RADIUS/TACACS/LDAP option

---
 PowerFGT/Public/cmdb/user/local.ps1 | 36 +++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 5 deletions(-)

diff --git a/PowerFGT/Public/cmdb/user/local.ps1 b/PowerFGT/Public/cmdb/user/local.ps1
index 758fd8c47..a3c892554 100644
--- a/PowerFGT/Public/cmdb/user/local.ps1
+++ b/PowerFGT/Public/cmdb/user/local.ps1
@@ -47,10 +47,15 @@ function Add-FGTUserLocal {
 [switch]$status,
 [Parameter (Mandatory = $false, ParameterSetName = "password")]
 [SecureString]$passwd,
- <#[Parameter (Mandatory = $false, ParameterSetName = "radius")]
+ [Parameter (Mandatory = $false, ParameterSetName = "radius")]
+ [ValidateLength(1, 35)]
 [string]$radius_server,
 [Parameter (Mandatory = $false, ParameterSetName = "tacacs")]
- [string]$tacacs_server,#>
+ [ValidateLength(1, 35)]
+ [string]$tacacs_server,
+ [Parameter (Mandatory = $false, ParameterSetName = "ldap")]
+ [ValidateLength(1, 35)]
+ [string]$ldap_server,
 [Parameter (Mandatory = $false)]
 [ValidateSet("fortitoken", "email", "sms", "disable", "fortitoken-cloud")]
 [string]$two_factor,
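Review bot: None of the four set-selecting parameters (`$passwd`, `$radius_server`, `$tacacs_server`, `$ldap_server`) is mandatory, so `Add-FGTUserLocal -Name x` with none of them still binds (to the default set, assuming the CmdletBinding outside this hunk declares one, as Set-FGTUserLocal's `"default"` comparison suggests) and reaches the POST with neither a `type` nor a credential source — the switch added later in this patch has an empty `default { }` arm. What the device creates for an untyped local user is not visible here and may differ per firmware; reject it client-side instead, before the request is built: `if ( $PSCmdlet.ParameterSetName -eq "default" ) { Throw "You need to specify -passwd, -radius_server, -tacacs_server or -ldap_server" }`. The `param` block continues outside the hunk.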
@@ -94,6 +99,24 @@ function Add-FGTUserLocal {
 Throw "Already a Local User object using the same name"
 }
+ if ( $PsBoundParameters.ContainsKey('radius_server') ) {
+ if ( -Not (Get-FGTUserRADIUS @invokeParams -name $radius_server -connection $connection)) {
+ Throw "There is no RADIUS Server existing using this name"
+ }
+ }
+
+ if ( $PsBoundParameters.ContainsKey('tacacs_server') ) {
+ if ( -Not (Get-FGTUserTACACS @invokeParams -name $tacacs_server -connection $connection)) {
+ Throw "There is no TACACS Server existing using this name"
+ }
+ }
+
+ if ( $PsBoundParameters.ContainsKey('ldap_server') ) {
+ if ( -Not (Get-FGTUserLDAP @invokeParams -name $ldap_server -connection $connection)) {
+ Throw "There is no LDAP Server existing using this name"
+ }
+ }
+
 $uri = "api/v2/cmdb/user/local"
 $local = New-Object -TypeName PSObject
@@ -112,15 +135,18 @@ function Add-FGTUserLocal {
 $local | add-member -name "type" -membertype NoteProperty -Value "password"
 $local | add-member -name "passwd" -membertype NoteProperty -Value $password
 }
- <#
 "radius" {
 $local | add-member -name "type" -membertype NoteProperty -Value "radius"
 $local | add-member -name "radius-server" -membertype NoteProperty -Value $radius_server
 }
 "tacacs" {
- $local | add-member -name "type" -membertype NoteProperty -Value "tacacs"
+ $local | add-member -name "type" -membertype NoteProperty -Value "tacacs+"
 $local | add-member -name "tacacs+-server" -membertype NoteProperty -Value $tacacs_server
- }#>
+ }
+ "ldap" {
+ $local | add-member -name "type" -membertype NoteProperty -Value "ldap"
+ $local | add-member -name "ldap-server" -membertype NoteProperty -Value $ldap_server
+ }
 default { }
 }

From 12b3fc7b76b1f9a4a22ba0d6d238492faeb28a4a Mon Sep 17 00:00:00 2001
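Review bot: The three existence checks (starting at `if ( $PsBoundParameters.ContainsKey('radius_server') )`) throw a message that omits the name that was looked up, so a typo in `-radius_server` reports only that no RADIUS server exists; include it, e.g. `Throw "There is no RADIUS Server existing using this name ($radius_server)"`, and the same for the TACACS and LDAP branches. Whether `Get-FGTUserRADIUS -name` does an exact match or a contains/wildcard filter is not visible here; if it is a filter, a partial name passes this check and then fails on the device with a less clear error, which is worth confirming against the Get-* implementation. Add-FGTUserLocal's body continues outside the hunk.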
From: =?UTF-8?q?C=C3=A9dric=20Moreau?=
Date: Tue, 17 Sep 2024 11:11:59 +0200
Subject: [PATCH 2/9] Set RADIUS/TACACS/LDAP option

---
 PowerFGT/Public/cmdb/user/local.ps1 | 44 +++++++++++++++++++++++------
 1 file changed, 35 insertions(+), 9 deletions(-)

diff --git a/PowerFGT/Public/cmdb/user/local.ps1 b/PowerFGT/Public/cmdb/user/local.ps1
index a3c892554..2920e6f20 100644
--- a/PowerFGT/Public/cmdb/user/local.ps1
+++ b/PowerFGT/Public/cmdb/user/local.ps1
@@ -349,10 +349,15 @@ function Set-FGTUserLocal {
 [switch]$status,
 [Parameter (Mandatory = $false, ParameterSetName = "password")]
 [SecureString]$passwd,
- <#[Parameter (Mandatory = $false, ParameterSetName = "radius")]
+ [Parameter (Mandatory = $false, ParameterSetName = "radius")]
+ [ValidateLength(1, 35)]
 [string]$radius_server,
 [Parameter (Mandatory = $false, ParameterSetName = "tacacs")]
- [string]$tacacs_server,#>
+ [ValidateLength(1, 35)]
+ [string]$tacacs_server,
+ [Parameter (Mandatory = $false, ParameterSetName = "ldap")]
+ [ValidateLength(1, 35)]
+ [string]$ldap_server,
 [Parameter (Mandatory = $false)]
 [ValidateSet("fortitoken", "email", "sms", "disable", "fortitoken-cloud")]
 [string]$two_factor,
@@ -382,6 +387,24 @@ function Set-FGTUserLocal {
 $invokeParams.add( 'vdom', $vdom )
 }
+ if ( $PsBoundParameters.ContainsKey('radius_server') ) {
+ if ( -Not (Get-FGTUserRADIUS @invokeParams -name $radius_server -connection $connection)) {
+ Throw "There is no RADIUS Server existing using this name"
+ }
+ }
+
+ if ( $PsBoundParameters.ContainsKey('tacacs_server') ) {
+ if ( -Not (Get-FGTUserTACACS @invokeParams -name $tacacs_server -connection $connection)) {
+ Throw "There is no TACACS Server existing using this name"
+ }
+ }
+
+ if ( $PsBoundParameters.ContainsKey('ldap_server') ) {
+ if ( -Not (Get-FGTUserLDAP @invokeParams -name $ldap_server -connection $connection)) {
+ Throw "There is no LDAP Server existing using this name"
+ }
+ }
+
 $uri = "api/v2/cmdb/user/local/$($userlocal.name)"
 $_local = New-Object -TypeName PSObject
@@ -405,10 +428,6 @@ function Set-FGTUserLocal {
 }
 }
- if ( $PSCmdlet.ParameterSetName -ne "default" -and $userlocal.type -ne $PSCmdlet.ParameterSetName ) {
- throw "User type ($($userlocal.type)) need to be on the same type ($($PSCmdlet.ParameterSetName))"
- }
-
 if ($PsBoundParameters.ContainsKey('status')) {
 if ($status) {
 $_local | add-member -name "status" -membertype NoteProperty -Value "enable"
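Review bot: Removing the `$userlocal.type -ne $PSCmdlet.ParameterSetName` guard makes `Set-FGTUserLocal` silently re-home an account: passing `-passwd` to a user whose type is `ldap`, `radius` or `tacacs+` turns it into a locally stored password account, which takes it out of the directory's disable/lockout control, and the reverse direction discards the stored password. The old guard was itself broken for TACACS (the parameter set is `tacacs`, the device type is `tacacs+`), so dropping it is understandable, but a change of authentication backend should be deliberate rather than a side effect of which parameter happened to be passed. Map set to type and at least warn when they differ (below); if the function already declares `SupportsShouldProcess` (its CmdletBinding is outside the hunk), a `ShouldProcess` prompt or a `-Force` switch is the better gate. Set-FGTUserLocal's body continues outside the hunk.
```powershell
        # … unchanged: existence checks for radius/tacacs/ldap server …
        # Parameter set -> FortiGate user type (set is "tacacs", device value is "tacacs+")
        $setToType = @{ password = "password"; radius = "radius"; tacacs = "tacacs+"; ldap = "ldap" }
        $newType = $setToType[$PSCmdlet.ParameterSetName]
        if ( $newType -and $userlocal.type -and $userlocal.type -ne $newType ) {
            # Re-homing an account (e.g. ldap -> password) changes who controls the credential; make it visible
            Write-Warning "User $($userlocal.name): changing type from $($userlocal.type) to $newType"
        }
        $uri = "api/v2/cmdb/user/local/$($userlocal.name)"
```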
@@ -420,14 +439,21 @@ function Set-FGTUserLocal {
 switch ( $PSCmdlet.ParameterSetName ) {
 "password" {
+ $_local | add-member -name "type" -membertype NoteProperty -Value "password"
 $_local | add-member -name "passwd" -membertype NoteProperty -Value $password
 }
- <#"radius" {
+ "radius" {
+ $_local | add-member -name "type" -membertype NoteProperty -Value "radius"
 $_local | add-member -name "radius-server" -membertype NoteProperty -Value $radius_server
 }
 "tacacs" {
+ $_local | add-member -name "type" -membertype NoteProperty -Value "tacacs+"
 $_local | add-member -name "tacacs+-server" -membertype NoteProperty -Value $tacacs_server
- }#>
+ }
+ "ldap" {
+ $_local | add-member -name "type" -membertype NoteProperty -Value "ldap"
+ $_local | add-member -name "ldap-server" -membertype NoteProperty -Value $ldap_server
+ }
 default { }
 }
@@ -443,7 +469,7 @@ function Set-FGTUserLocal {
 } elseif ( $two_factor -eq "sms" ) {
 $_local | add-member -name "two-factor" -membertype NoteProperty -Value $two_factor
- $_local | add-member -name "two-factor-authentication" -membertype NoteProperty -Value $two_factor++
+ $_local | add-member -name "two-factor-authentication" -membertype NoteProperty -Value $two_factor
 }
 }

From 2e9242484744ddc3730b068d77155e43e45b05e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Moreau?=
Date: Tue, 17 Sep 2024 12:07:19 +0200
Subject: [PATCH 3/9] Add tests for RADIUS/TACACS/LDAP

---
 Tests/integration/UserLocal.Tests.ps1 | 454 +++++++++++++++++++++++++-
 1 file changed, 443 insertions(+), 11 deletions(-)

diff --git a/Tests/integration/UserLocal.Tests.ps1 b/Tests/integration/UserLocal.Tests.ps1
index ca6333e7f..8a6931a81 100644
--- a/Tests/integration/UserLocal.Tests.ps1
+++ b/Tests/integration/UserLocal.Tests.ps1
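Review bot: The `switch ( $PSCmdlet.ParameterSetName )` body is now a verbatim copy of the one added to Add-FGTUserLocal in patch 1 (same four arms, same `"tacacs"`-set-to-`tacacs+` mapping, only `$_local` versus `$local`), so the set-name/device-type mapping lives in two places and will drift the next time a backend is added. A small private helper taking the target object and the set name would keep it in one place; at minimum the `"tacacs"` arm deserves a comment so the mismatch is not "fixed" by a future reader, e.g. `# device value is "tacacs+" (parameter set is "tacacs")` above the `-Value "tacacs+"` line. Set-FGTUserLocal's body continues outside the hunk.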
@@ -120,6 +120,190 @@ Describe "Add User Local" { $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" } + } + + Context "Local User (RADIUS)" { + + BeforeAll { + Add-FGTUserRADIUS -Name $pester_userradius -server $pester_userradiusserver1 -secret $pester_userradius_secret + } + + It "Add User Local $pester_userlocal as RADIUS user" { + Add-FGTUserLocal -Name $pester_userlocal -radius_server $pester_userradius + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.type | Should -Be "radius" + $userlocal.'radius-server' | Should $pester_userradius + } + + It "Add User Local $pester_userlocal as RADIUS user enable" { + Add-FGTUserLocal -Name $pester_userlocal -status -radius_server $pester_userradius + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Add User Local $pester_userlocal as RADIUS user email to" { + Add-FGTUserLocal -Name $pester_userlocal -email_to "powerfgt@power.fgt" -radius_server $pester_userradius + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "disable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Add User Local $pester_userlocal as RADIUS user MFA by email" { + Add-FGTUserLocal -Name $pester_userlocal -status -two_factor email -email_to "powerfgt@power.fgt" -radius_server $pester_userradius + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Add User Local $pester_userlocal as RADIUS user email with -data" { + 
$data = @{ "email-to" = "powerfgt@power.fgt" } + Add-FGTUserLocal -Name $pester_userlocal -status -data $data -radius_server $pester_userradius + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + } + + AfterEach { + Get-FGTUserLocal -name $pester_userlocal | Remove-FGTUserLocal -confirm:$false + } + + AfterAll { + Get-FGTUserRADIUS -name $pester_userradius | Remove-FGTUserRADIUS -confirm:$false + } + + } + + Context "Local User (TACACS+)" { + + BeforeAll { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key + } + + It "Add User Local $pester_userlocal as TACACS user" { + Add-FGTUserLocal -Name $pester_userlocal -tacacs_server $pester_usertacacs + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.type | Should -Be "tacacs+" + $userlocal.'tacacs+-server' | Should $pester_usertacacs + } + + It "Add User Local $pester_userlocal as TACACS user enable" { + Add-FGTUserLocal -Name $pester_userlocal -status -tacacs_server $pester_usertacacs + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Add User Local $pester_userlocal as TACACS user email to" { + Add-FGTUserLocal -Name $pester_userlocal -email_to "powerfgt@power.fgt" -tacacs_server $pester_usertacacs + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "disable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Add User Local $pester_userlocal as TACACS user MFA by email" { + Add-FGTUserLocal 
-Name $pester_userlocal -status -two_factor email -email_to "powerfgt@power.fgt" -tacacs_server $pester_usertacacs + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Add User Local $pester_userlocal as TACACS user email with -data" { + $data = @{ "email-to" = "powerfgt@power.fgt" } + Add-FGTUserLocal -Name $pester_userlocal -status -data $data -tacacs_server $pester_usertacacs + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + } + + AfterEach { + Get-FGTUserLocal -name $pester_userlocal | Remove-FGTUserLocal -confirm:$false + } + + AfterAll { + Get-FGTUserTACACS -name $pester_usertacacs | Remove-FGTUserTACACS -confirm:$false + } + + } + + Context "Local User (LDAP)" { + + BeforeAll { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" + } + + It "Add User Local $pester_userlocal as LDAP user" { + Add-FGTUserLocal -Name $pester_userlocal -ldap_server $pester_userldap + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.type | Should -Be "ldap" + $userlocal.'ldap-server' | Should $pester_userldap + } + + It "Add User Local $pester_userlocal as TACACS user enable" { + Add-FGTUserLocal -Name $pester_userlocal -status -ldap_server $pester_userldap + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Add User Local $pester_userlocal as TACACS user email to" { + Add-FGTUserLocal -Name 
$pester_userlocal -email_to "powerfgt@power.fgt" -ldap_server $pester_userldap + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "disable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Add User Local $pester_userlocal as TACACS user MFA by email" { + Add-FGTUserLocal -Name $pester_userlocal -status -two_factor email -email_to "powerfgt@power.fgt" -ldap_server $pester_userldap + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Add User Local $pester_userlocal as TACACS user email with -data" { + $data = @{ "email-to" = "powerfgt@power.fgt" } + Add-FGTUserLocal -Name $pester_userlocal -status -data $data -ldap_server $pester_userldap + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + } + + AfterEach { + Get-FGTUserLocal -name $pester_userlocal | Remove-FGTUserLocal -confirm:$false + } + + AfterAll { + Get-FGTUserLDAP -name $pester_userldap | Remove-FGTUserLDAP -confirm:$false + } + + } + + Context "Local User (Existing entry)" { + It "Try to Add User Local $pester_userlocal (but there is already a object with same name)" { #Add first userlocal Add-FGTUserLocal -Name $pester_userlocal -status -passwd $pester_userlocalpassword 
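Review bot: In the `Context "Local User (LDAP)"` block, four tests are named as TACACS tests while they pass `-ldap_server` (`It "Add User Local $pester_userlocal as TACACS user enable"`, "… as TACACS user email to", "… as TACACS user MFA by email", "… as TACACS user email with -data"), so a failure there is reported under the wrong backend; the same names still appear as context in patch 5, so no later patch corrects them. Rename them to `as LDAP user enable` and so on. The `Describe "Add User Local"` block this hunk belongs to starts outside the hunk.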
@@ -222,27 +406,275 @@ Describe "Configure User Local" { } } -} -Describe "Remove User Local" { + Context "Change name, email, MFA, etc as RADIUS User" { + + BeforeAll { + Add-FGTUserRADIUS -Name $pester_userradius -server $pester_userradiusserver1 -secret $pester_userradius_secret + Add-FGTUserLocal -Name $pester_userlocal -radius_server $pester_userradius + } + + It "Change status User Local to disable" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -status:$false + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "disable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Change status User Local to enable" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -status + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Change email to" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -email_to "powerfgt@power.fgt" + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "disable" + } - Context "local" { + It "Enable MFA by email" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -two_factor email + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } - BeforeEach { + It "Change Name" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -name "pester_userlocal_change" + 
$userlocal = Get-FGTUserLocal -name "pester_userlocal_change" + $userlocal.name | Should -Be "pester_userlocal_change" + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Change email to with -data" { + $data = @{ "email-to" = "powerfgt@power.fgt" } + Get-FGTUserLocal -name "pester_userlocal_change" | Set-FGTUserLocal -data $data + $userlocal = Get-FGTUserLocal -name "pester_userlocal_change" + $userlocal.name | Should -Be "pester_userlocal_change" + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + AfterAll { + Get-FGTUserLocal -name "pester_userlocal_change" | Remove-FGTUserLocal -confirm:$false + Get-FGTUserRADIUS -name $pester_userradius | Remove-FGTUserRADIUS -confirm:$false + } + + } + + Context "Change name, email, MFA, etc as TACACS+ User" { + + BeforeAll { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key + Add-FGTUserLocal -Name $pester_userlocal -tacacs_server $pester_usertacacs + } + + It "Change status User Local to disable" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -status:$false + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "disable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Change status User Local to enable" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -status + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Change email to" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal 
-email_to "powerfgt@power.fgt" + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Enable MFA by email" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -two_factor email + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Change Name" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -name "pester_userlocal_change" + $userlocal = Get-FGTUserLocal -name "pester_userlocal_change" + $userlocal.name | Should -Be "pester_userlocal_change" + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Change email to with -data" { + $data = @{ "email-to" = "powerfgt@power.fgt" } + Get-FGTUserLocal -name "pester_userlocal_change" | Set-FGTUserLocal -data $data + $userlocal = Get-FGTUserLocal -name "pester_userlocal_change" + $userlocal.name | Should -Be "pester_userlocal_change" + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + AfterAll { + Get-FGTUserLocal -name "pester_userlocal_change" | Remove-FGTUserLocal -confirm:$false + Get-FGTUserTACACS -name $pester_usertacacs | Remove-FGTUserTACACS -confirm:$false + } + + } + + Context "Change name, email, MFA, etc as LDAP User" { + + BeforeAll { + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" + Add-FGTUserLocal -Name $pester_userlocal -ldap_server $pester_userldap + } + + It "Change status User Local to disable" { + 
Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -status:$false + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "disable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Change status User Local to enable" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -status + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -BeNullOrEmpty + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Change email to" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -email_to "powerfgt@power.fgt" + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "disable" + } + + It "Enable MFA by email" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -two_factor email + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Change Name" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -name "pester_userlocal_change" + $userlocal = Get-FGTUserLocal -name "pester_userlocal_change" + $userlocal.name | Should -Be "pester_userlocal_change" + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + It "Change email to with -data" { + $data = @{ "email-to" = "powerfgt@power.fgt" } + Get-FGTUserLocal -name "pester_userlocal_change" | Set-FGTUserLocal -data $data + 
$userlocal = Get-FGTUserLocal -name "pester_userlocal_change" + $userlocal.name | Should -Be "pester_userlocal_change" + $userlocal.status | Should -Be "enable" + $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'two-factor' | Should -Be "email" + } + + AfterAll { + Get-FGTUserLocal -name "pester_userlocal_change" | Remove-FGTUserLocal -confirm:$false + Get-FGTUserLDAP -name $pester_userldap | Remove-FGTUserLDAP -confirm:$false + } + + } + + Context "Change name, email, MFA, etc as LDAP User" { + + BeforeAll { + Add-FGTUserRADIUS -Name $pester_userradius -server $pester_userradiusserver1 -secret $pester_userradius_secret + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key + Add-FGTUserLDAP -Name $pester_userldap -server $pester_userldapserver1 -dn "dc=fgt,dc=power,dc=powerfgt" Add-FGTUserLocal -Name $pester_userlocal -passwd $pester_userlocalpassword } - It "Remove User Local $pester_userlocal by pipeline" { + It "Change type to RADIUS from Local" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -radius_server $pester_userradius + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + $userlocal.type | Should -Be "radius" + $userlocal."radius-server" | Should -Be $pester_userradius + } + + It "Change type to TACACS from RADIUS" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -tacacs_server $pester_usertacacs $userlocal = Get-FGTUserLocal -name $pester_userlocal - $userlocal | Remove-FGTUserLocal -confirm:$false + $userlocal.name | Should -Be $pester_userlocal + $userlocal.type | Should -Be "tacacs+" + $userlocal."tacacs+-server" | Should -Be $pester_usertacacs + } + + It "Change type to LDAP from TACACS" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -ldap_server $pester_userldap + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal.name | Should -Be $pester_userlocal + 
$userlocal.type | Should -Be "ldap" + $userlocal."ldap-server" | Should -Be $pester_userldap + } + + It "Change type to Local from LDAP" { + Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -passwd $pester_userlocalpassword $userlocal = Get-FGTUserLocal -name $pester_userlocal - $userlocal | Should -Be $NULL + $userlocal.name | Should -Be $pester_userlocal + $userlocal.type | Should -Be "password" } } -} + Describe "Remove User Local" { + + Context "local" { + + BeforeEach { + Add-FGTUserLocal -Name $pester_userlocal -passwd $pester_userlocalpassword + } + + It "Remove User Local $pester_userlocal by pipeline" { + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal | Remove-FGTUserLocal -confirm:$false + $userlocal = Get-FGTUserLocal -name $pester_userlocal + $userlocal | Should -Be $NULL + } -AfterAll { - Disconnect-FGT -confirm:$false -} \ No newline at end of file + } + + } + + AfterAll { + Disconnect-FGT -confirm:$false + } \ No newline at end of file From 49a6bee29d64e934851c02c98a3284d8c62d58c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Moreau?= Date: Tue, 17 Sep 2024 12:09:21 +0200 Subject: [PATCH 4/9] Fix typo --- Tests/common.ps1 | 2 +- Tests/integration/UserLocal.Tests.ps1 | 33 ++++++++++++++------------- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/Tests/common.ps1 b/Tests/common.ps1 index 8846774d1..74e091a98 100644 --- a/Tests/common.ps1 +++ b/Tests/common.ps1 @@ -68,7 +68,7 @@ $script:pester_userradiusserver2 = "pesterradiusserver2.powerfgt" $script:pester_userradiusserver3 = "pesterradiusserver3.powerfgt" $script:pester_userradius_secret = ConvertTo-SecureString "pester_userradiussecret" -AsPlainText -Force -. ../credential.ps1 +#. ../credential.ps1 #TODO: Add check if no ipaddress/login/password info... $script:mysecpassword = ConvertTo-SecureString $password -AsPlainText -Force 
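Review bot: The context that begins with `Add-FGTUserRADIUS` / `Add-FGTUserTACACS` / `Add-FGTUserLDAP` in its `BeforeAll` (named "Change name, email, MFA, etc as LDAP User" here; patch 4 renames it) runs its four `It` blocks as a chain — "to TACACS from RADIUS" assumes the RADIUS step succeeded, and so on — so one failure produces three misleading follow-on failures. If the goal is to prove each transition, reset the user in a `BeforeEach` (remove it and re-add with `-passwd`) so every step starts from a known type; if the chain itself is the point, say so in the context name. The `Describe "Configure User Local"` block starts outside the hunk.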
diff --git a/Tests/integration/UserLocal.Tests.ps1 b/Tests/integration/UserLocal.Tests.ps1
index 8a6931a81..5f1efb6c3 100644
--- a/Tests/integration/UserLocal.Tests.ps1
+++ b/Tests/integration/UserLocal.Tests.ps1
@@ -614,7 +614,7 @@ Describe "Configure User Local" {
 }
- Context "Change name, email, MFA, etc as LDAP User" {
+ Context "Change type" {
 BeforeAll {
 Add-FGTUserRADIUS -Name $pester_userradius -server $pester_userradiusserver1 -secret $pester_userradius_secret
@@ -655,26 +655,27 @@ Describe "Configure User Local" {
 }
 }
+}
- Describe "Remove User Local" {
-
- Context "local" {
+Describe "Remove User Local" {
- BeforeEach {
- Add-FGTUserLocal -Name $pester_userlocal -passwd $pester_userlocalpassword
- }
+ Context "local" {
- It "Remove User Local $pester_userlocal by pipeline" {
- $userlocal = Get-FGTUserLocal -name $pester_userlocal
- $userlocal | Remove-FGTUserLocal -confirm:$false
- $userlocal = Get-FGTUserLocal -name $pester_userlocal
- $userlocal | Should -Be $NULL
- }
+ BeforeEach {
+ Add-FGTUserLocal -Name $pester_userlocal -passwd $pester_userlocalpassword
+ }
+ It "Remove User Local $pester_userlocal by pipeline" {
+ $userlocal = Get-FGTUserLocal -name $pester_userlocal
+ $userlocal | Remove-FGTUserLocal -confirm:$false
+ $userlocal = Get-FGTUserLocal -name $pester_userlocal
+ $userlocal | Should -Be $NULL
 }
 }
- AfterAll {
- Disconnect-FGT -confirm:$false
- }
\ No newline at end of file
+}
+
+AfterAll {
+ Disconnect-FGT -confirm:$false
+}
\ No newline at end of file

From 9188f9cce34b906b747975403f6ea76c44d5f6ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Moreau?=
Date: Tue, 17 Sep 2024 12:12:01 +0200
Subject: [PATCH 5/9] Fix -Be in tests

---
 Tests/integration/UserLocal.Tests.ps1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Tests/integration/UserLocal.Tests.ps1 b/Tests/integration/UserLocal.Tests.ps1
index 5f1efb6c3..f91d36c3c 100644
--- a/Tests/integration/UserLocal.Tests.ps1
+++ b/Tests/integration/UserLocal.Tests.ps1
@@ -133,7 +133,7 @@ Describe "Add User Local" {
 $userlocal = Get-FGTUserLocal -name $pester_userlocal
 $userlocal.name | Should -Be $pester_userlocal
 $userlocal.type | Should -Be "radius"
- $userlocal.'radius-server' | Should $pester_userradius
+ $userlocal.'radius-server' | Should -Be $pester_userradius
 }
 It "Add User Local $pester_userlocal as RADIUS user enable" {
@@ -193,7 +193,7 @@ Describe "Add User Local" {
 $userlocal = Get-FGTUserLocal -name $pester_userlocal
 $userlocal.name | Should -Be $pester_userlocal
 $userlocal.type | Should -Be "tacacs+"
- $userlocal.'tacacs+-server' | Should $pester_usertacacs
+ $userlocal.'tacacs+-server' | Should -Be $pester_usertacacs
 }
 It "Add User Local $pester_userlocal as TACACS user enable" {
@@ -253,7 +253,7 @@ Describe "Add User Local" {
 $userlocal = Get-FGTUserLocal -name $pester_userlocal
 $userlocal.name | Should -Be $pester_userlocal
 $userlocal.type | Should -Be "ldap"
- $userlocal.'ldap-server' | Should $pester_userldap
+ $userlocal.'ldap-server' | Should -Be $pester_userldap
 }
 It "Add User Local $pester_userlocal as TACACS user enable" {

From 605d6e1272853dcffe383e00171211f166ca3cf8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Moreau?=
Date: Tue, 17 Sep 2024 12:29:15 +0200
Subject: [PATCH 6/9] Remove-User missing

---
 Tests/integration/UserLocal.Tests.ps1 | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/Tests/integration/UserLocal.Tests.ps1 b/Tests/integration/UserLocal.Tests.ps1
index f91d36c3c..5fb8a9bb1 100644
--- a/Tests/integration/UserLocal.Tests.ps1
+++ b/Tests/integration/UserLocal.Tests.ps1
@@ -311,6 +311,10 @@ Describe "Add User Local" {
 { Add-FGTUserLocal -Name $pester_userlocal -status -passwd $pester_userlocalpassword } | Should -Throw "Already a Local User object using the same name"
 }
+ AfterAll {
+ Get-FGTUserLocal -name $pester_userlocal | Remove-FGTUserLocal -confirm:$false
+ }
+
 }
 }
@@ -654,6 +658,13 @@ Describe "Configure User Local" {
 $userlocal.type | Should -Be "password"
 }
+ AfterAll {
+ Get-FGTUserLocal -name $pester_userlocal | Remove-FGTUserLocal -confirm:$false
+ Get-FGTUserRADIUS -name $pester_userradius | Remove-FGTUserRADIUS -confirm:$false
+ Get-FGTUserTACACS -name $pester_usertacacs | Remove-FGTUserTACACS -confirm:$false
+ Get-FGTUserLDAP -name $pester_userldap | Remove-FGTUserLDAP -confirm:$false
+ }
+
 }
 }

From 4ec58e057e281d0f9f0eef259f96066a5f2829d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Moreau?=
Date: Tue, 17 Sep 2024 15:29:46 +0200
Subject: [PATCH 7/9] Forgot to uncomment credential.ps1 (again...)

---
 Tests/common.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Tests/common.ps1 b/Tests/common.ps1
index 74e091a98..8846774d1 100644
--- a/Tests/common.ps1
+++ b/Tests/common.ps1
@@ -68,7 +68,7 @@ $script:pester_userradiusserver2 = "pesterradiusserver2.powerfgt"
 $script:pester_userradiusserver3 = "pesterradiusserver3.powerfgt"
 $script:pester_userradius_secret = ConvertTo-SecureString "pester_userradiussecret" -AsPlainText -Force
-#. ../credential.ps1
+. ../credential.ps1
 #TODO: Add check if no ipaddress/login/password info...
 $script:mysecpassword = ConvertTo-SecureString $password -AsPlainText -Force

From 907305684013ff7bec2fd3c61f04a057138b9b44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Moreau?=
Date: Tue, 17 Sep 2024 15:58:44 +0200
Subject: [PATCH 8/9] Change some tests

---
 Tests/integration/UserLocal.Tests.ps1 | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/Tests/integration/UserLocal.Tests.ps1 b/Tests/integration/UserLocal.Tests.ps1
index 5fb8a9bb1..c31ac4ef9 100644
--- a/Tests/integration/UserLocal.Tests.ps1
+++ b/Tests/integration/UserLocal.Tests.ps1
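Review bot: Re-enabling `. ../credential.ps1` restores the test connection, but the include keeps being toggled in tracked source (patch 4 commented it out, this patch reverts it, and the subject says "again"); that workflow eventually commits someone's local state, or a real credential file path, by accident. Guard the include and fail fast instead, so nobody has to edit common.ps1 to run locally: `if (Test-Path ../credential.ps1) { . ../credential.ps1 }` followed by `if (-not $ipaddress -or -not $login -or -not $password) { throw "Set ipaddress/login/password (credential.ps1 or environment) before running the tests" }` — which also closes the `#TODO` on the next line. The variable names `ipaddress`/`login` are taken from that TODO and `$password` from the following line; confirm them against credential.ps1, which is not visible here.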
@@ -627,7 +627,7 @@ Describe "Configure User Local" { Add-FGTUserLocal -Name $pester_userlocal -passwd $pester_userlocalpassword } - It "Change type to RADIUS from Local" { + It "Change type to RADIUS from Local" -skip:($fgt_version -lt "6.4.0") { Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -radius_server $pester_userradius $userlocal = Get-FGTUserLocal -name $pester_userlocal $userlocal.name | Should -Be $pester_userlocal @@ -635,7 +635,7 @@ Describe "Configure User Local" { $userlocal."radius-server" | Should -Be $pester_userradius } - It "Change type to TACACS from RADIUS" { + It "Change type to TACACS from RADIUS" -skip:($fgt_version -lt "6.4.0") { Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -tacacs_server $pester_usertacacs $userlocal = Get-FGTUserLocal -name $pester_userlocal $userlocal.name | Should -Be $pester_userlocal @@ -643,7 +643,7 @@ Describe "Configure User Local" { $userlocal."tacacs+-server" | Should -Be $pester_usertacacs } - It "Change type to LDAP from TACACS" { + It "Change type to LDAP from TACACS" -skip:($fgt_version -lt "6.4.0") { Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -ldap_server $pester_userldap $userlocal = Get-FGTUserLocal -name $pester_userlocal $userlocal.name | Should -Be $pester_userlocal @@ -651,13 +651,6 @@ Describe "Configure User Local" { $userlocal."ldap-server" | Should -Be $pester_userldap } - It "Change type to Local from LDAP" { - Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -passwd $pester_userlocalpassword - $userlocal = Get-FGTUserLocal -name $pester_userlocal - $userlocal.name | Should -Be $pester_userlocal - $userlocal.type | Should -Be "password" - } - AfterAll { Get-FGTUserLocal -name $pester_userlocal | Remove-FGTUserLocal -confirm:$false Get-FGTUserRADIUS -name $pester_userradius | Remove-FGTUserRADIUS -confirm:$false From e350e0b20d9e10929be6998eb3384a0439625ffc Mon Sep 17 00:00:00 2001 
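Review bot: The three new `-skip:($fgt_version -lt "6.4.0")` guards give no reason for the 6.4.0 threshold, so the next reader cannot tell whether it is an API limitation or a test-environment workaround; add a one-line comment above the first guarded `It`, e.g. `# TODO confirm: changing the type of an existing user/local entry is presumably unsupported by the REST API before FortiOS 6.4.0`. `$fgt_version` is defined outside this file; if it is a plain string rather than a `[version]`, `-lt` is a lexical comparison, and `-skip:([version]$fgt_version -lt [version]"6.4.0")` makes the intent explicit and is a no-op when it already is a `[version]`. The same guard may be needed on the "Add User Local as RADIUS/TACACS/LDAP" tests in this file, which are not guarded in the hunks visible here.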
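Review bot: Deleting "Change type to Local from LDAP" removes the only round-trip check that `Set-FGTUserLocal -passwd` switches a radius/tacacs+/ldap user back to `type = "password"`, and the commit message ("Change some tests") does not say whether the test was wrong or the cmdlet cannot do it. If the API refuses that transition, keep the case as a negative test with the reason in a comment, e.g. `{ Get-FGTUserLocal -name $pester_userlocal | Set-FGTUserLocal -passwd $pester_userlocalpassword } | Should -Throw`; if it is a defect in Set-FGTUserLocal, track it rather than dropping coverage. With the test gone the user handed to `AfterAll` is still of type ldap, so the user-before-server removal order in the teardown is what keeps cleanup working.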
From: =?UTF-8?q?C=C3=A9dric=20Moreau?= Date: Thu, 3 Oct 2024 12:01:48 +0200 Subject: [PATCH 9/9] Change after review --- Tests/integration/UserLocal.Tests.ps1 | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/Tests/integration/UserLocal.Tests.ps1 b/Tests/integration/UserLocal.Tests.ps1 index c31ac4ef9..ae01b1169 100644 --- a/Tests/integration/UserLocal.Tests.ps1 +++ b/Tests/integration/UserLocal.Tests.ps1 @@ -91,6 +91,7 @@ Describe "Add User Local" { $userlocal.status | Should -Be "enable" $userlocal.'email-to' | Should -BeNullOrEmpty $userlocal.'two-factor' | Should -Be "disable" + $userlocal.type | Should -Be "password" } It "Add User Local $pester_userlocal email to" { @@ -100,6 +101,7 @@ Describe "Add User Local" { $userlocal.status | Should -Be "disable" $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" $userlocal.'two-factor' | Should -Be "disable" + $userlocal.type | Should -Be "password" } It "Add User Local $pester_userlocal MFA by email" { @@ -109,6 +111,7 @@ Describe "Add User Local" { $userlocal.status | Should -Be "enable" $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" $userlocal.'two-factor' | Should -Be "email" + $userlocal.type | Should -Be "password" } It "Add User Local $pester_userlocal email with -data" { @@ -118,6 +121,7 @@ Describe "Add User Local" { $userlocal.name | Should -Be $pester_userlocal $userlocal.status | Should -Be "enable" $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.type | Should -Be "password" } } @@ -143,6 +147,7 @@ Describe "Add User Local" { $userlocal.status | Should -Be "enable" $userlocal.'email-to' | Should -BeNullOrEmpty $userlocal.'two-factor' | Should -Be "disable" + $userlocal.'radius-server' | Should -Be $pester_userradius } It "Add User Local $pester_userlocal as RADIUS user email to" { 
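Review bot: The password tests gain `$userlocal.type | Should -Be "password"` in this commit, but the RADIUS "enable" case at the `@@ -143,6 +147,7 @@` hunk only gains `$userlocal.'radius-server' | Should -Be $pester_userradius`; unless `type` is already asserted above the hunk (the `It` block starts outside it), add `$userlocal.type | Should -Be "radius"` next to it so the two assertion sets stay parallel. The same applies to the TACACS and LDAP cases touched by this commit, which should assert `"tacacs+"` and `"ldap"` respectively, matching the values the earlier `Should -Be` fix hunks already check for the first test of each backend.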
@@ -152,6 +157,7 @@ Describe "Add User Local" { $userlocal.status | Should -Be "disable" $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" $userlocal.'two-factor' | Should -Be "disable" + $userlocal.'radius-server' | Should -Be $pester_userradius } It "Add User Local $pester_userlocal as RADIUS user MFA by email" { @@ -161,6 +167,7 @@ Describe "Add User Local" { $userlocal.status | Should -Be "enable" $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" $userlocal.'two-factor' | Should -Be "email" + $userlocal.'radius-server' | Should -Be $pester_userradius } It "Add User Local $pester_userlocal as RADIUS user email with -data" { @@ -170,6 +177,7 @@ Describe "Add User Local" { $userlocal.name | Should -Be $pester_userlocal $userlocal.status | Should -Be "enable" $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'radius-server' | Should -Be $pester_userradius } AfterEach { @@ -203,6 +211,7 @@ Describe "Add User Local" { $userlocal.status | Should -Be "enable" $userlocal.'email-to' | Should -BeNullOrEmpty $userlocal.'two-factor' | Should -Be "disable" + $userlocal.'tacacs+-server' | Should -Be $pester_usertacacs } It "Add User Local $pester_userlocal as TACACS user email to" { @@ -212,6 +221,7 @@ Describe "Add User Local" { $userlocal.status | Should -Be "disable" $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" $userlocal.'two-factor' | Should -Be "disable" + $userlocal.'tacacs+-server' | Should -Be $pester_usertacacs } It "Add User Local $pester_userlocal as TACACS user MFA by email" { @@ -221,6 +231,7 @@ Describe "Add User Local" { $userlocal.status | Should -Be "enable" $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" $userlocal.'two-factor' | Should -Be "email" + $userlocal.'tacacs+-server' | Should -Be $pester_usertacacs } It "Add User Local $pester_userlocal as TACACS user email with -data" { 
@@ -230,6 +241,7 @@ Describe "Add User Local" { $userlocal.name | Should -Be $pester_userlocal $userlocal.status | Should -Be "enable" $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'tacacs+-server' | Should -Be $pester_usertacacs } AfterEach { @@ -263,6 +275,7 @@ Describe "Add User Local" { $userlocal.status | Should -Be "enable" $userlocal.'email-to' | Should -BeNullOrEmpty $userlocal.'two-factor' | Should -Be "disable" + $userlocal.'ldap-server' | Should -Be $pester_userldap } It "Add User Local $pester_userlocal as TACACS user email to" { @@ -272,6 +285,7 @@ Describe "Add User Local" { $userlocal.status | Should -Be "disable" $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" $userlocal.'two-factor' | Should -Be "disable" + $userlocal.'ldap-server' | Should -Be $pester_userldap } It "Add User Local $pester_userlocal as TACACS user MFA by email" { @@ -281,6 +295,7 @@ Describe "Add User Local" { $userlocal.status | Should -Be "enable" $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" $userlocal.'two-factor' | Should -Be "email" + $userlocal.'ldap-server' | Should -Be $pester_userldap } It "Add User Local $pester_userlocal as TACACS user email with -data" { @@ -290,6 +305,7 @@ Describe "Add User Local" { $userlocal.name | Should -Be $pester_userlocal $userlocal.status | Should -Be "enable" $userlocal.'email-to' | Should -Be "powerfgt@power.fgt" + $userlocal.'ldap-server' | Should -Be $pester_userldap } AfterEach {
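Review bot: The three LDAP cases that receive the new `$userlocal.'ldap-server' | Should -Be $pester_userldap` assertion are still titled `It "Add User Local $pester_userlocal as TACACS user email to"`, `... as TACACS user MFA by email` and `... as TACACS user email with -data`, a copy-paste from the TACACS block, so a failure would be reported under the wrong backend. Rename them to `as LDAP user …`; the `It` headers are context lines here, so it is a one-word change per test name. The `Describe "Add User Local"` block these hunks belong to starts and ends outside the hunks.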