From 9227b397e0951310db7a555d6a16b593f4336b0b Mon Sep 17 00:00:00 2001 From: cmoreau <40433177+CedricMoreau@users.noreply.github.com> Date: Mon, 16 Sep 2024 12:39:03 +0200 Subject: [PATCH] UserTACACS: Get/Add/Set/Remove functions and tests (#263) --- PowerFGT/Private/Confirm.ps1 | 42 ++ PowerFGT/Public/cmdb/user/tacacs.ps1 | 531 +++++++++++++++++++++++++ Tests/common.ps1 | 5 + Tests/integration/UserTacacs.Tests.ps1 | 355 +++++++++++++++++ 4 files changed, 933 insertions(+) create mode 100644 PowerFGT/Public/cmdb/user/tacacs.ps1 create mode 100644 Tests/integration/UserTacacs.Tests.ps1 diff --git a/PowerFGT/Private/Confirm.ps1 b/PowerFGT/Private/Confirm.ps1 index de81b084..9d7de4fe 100644 --- a/PowerFGT/Private/Confirm.ps1 +++ b/PowerFGT/Private/Confirm.ps1 
@@ -481,6 +481,48 @@ Function Confirm-FGTUserLocal { } +Function Confirm-FGTUserTACACS { + + Param ( + [Parameter (Mandatory = $true)] + [object]$argument + ) + + #Check if it looks like a TACACS Server element + + if ( -not ( $argument | get-member -name name -Membertype Properties)) { + throw "Element specified does not contain a name property." + } + if ( -not ( $argument | get-member -name server -Membertype Properties)) { + throw "Element specified does not contain a server property." + } + if ( -not ( $argument | get-member -name key -Membertype Properties)) { + throw "Element specified does not contain a key property." + } + if ( -not ( $argument | get-member -name secondary-server -Membertype Properties)) { + throw "Element specified does not contain a secondary-server property." + } + if ( -not ( $argument | get-member -name secondary-key -Membertype Properties)) { + throw "Element specified does not contain a secondary-key property." + } + if ( -not ( $argument | get-member -name tertiary-server -Membertype Properties)) { + throw "Element specified does not contain a tertiary-server property." + } + if ( -not ( $argument | get-member -name tertiary-key -Membertype Properties)) { + throw "Element specified does not contain a tertiary-key property." + } + if ( -not ( $argument | get-member -name port -Membertype Properties)) { + throw "Element specified does not contain a port property." + } + if ( -not ( $argument | get-member -name authorization -Membertype Properties)) { + throw "Element specified does not contain a authorization property." + } + if ( -not ( $argument | get-member -name authen-type -Membertype Properties)) { + throw "Element specified does not contain a authen-type property." + } + + $true +} Function Confirm-FGTUserGroup { Param ( diff --git a/PowerFGT/Public/cmdb/user/tacacs.ps1 b/PowerFGT/Public/cmdb/user/tacacs.ps1 new file mode 100644 index 00000000..9b10288d --- /dev/null +++ b/PowerFGT/Public/cmdb/user/tacacs.ps1 
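Review bot: The ten property checks in Confirm-FGTUserTACACS are one statement repeated with a different member name, which makes the list hard to keep in sync with the Set/Remove callers and hides the wording slip in the `authorization`/`authen-type` messages ("a authorization"); a loop over a property list keeps the behaviour and fixes the text in one place. Requiring `secondary-server`, `tertiary-key` and the other optional members also means an object fetched with `Get-FGTUserTACACS -skip` might fail validation if the FortiGate omits unset attributes in that mode — worth confirming against a real `-skip` response, since Set-FGTUserTACACS and Remove-FGTUserTACACS only ever read `name` from the piped object. A rewrite of the body along these lines:
```powershell
Function Confirm-FGTUserTACACS {

    Param (
        [Parameter (Mandatory = $true)]
        [object]$argument
    )

    #Check if it looks like a TACACS Server element
    $required = @('name', 'server', 'key', 'secondary-server', 'secondary-key',
        'tertiary-server', 'tertiary-key', 'port', 'authorization', 'authen-type')

    foreach ($property in $required) {
        if ( -not ( $argument | Get-Member -Name $property -MemberType Properties)) {
            throw "Element specified does not contain the $property property."
        }
    }

    $true
}
```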
@@ -0,0 +1,531 @@ +#Get-FGTUserTACACS +# Copyright 2024, Cédric Moreau +# +# SPDX-License-Identifier: Apache-2.0 +# + +function Add-FGTUserTACACS { + + <# + .SYNOPSIS + Add a FortiGate TACACS+ Server + + .DESCRIPTION + Add a FortiGate TACACS+ Server + + .EXAMPLE + $mykey = ConvertTo-SecureString mykey -AsPlainText -Force + PS C:\>Add-FGTUserTACACS -Name PowerFGT -server tacacs.powerfgt -key $mykey + + Add a TACACS+ Server with tacacs.powerfgt as server and key + + .EXAMPLE + $mykey = ConvertTo-SecureString mykey -AsPlainText -Force + PS C:\>Add-FGTUserTACACS -Name PowerFGT -server tacacs.powerfgt -key $mykey -secondary_server tacacs2.powerfgt -secondary_key $mykey -tertiary_server tacacs3.powerfgt -tertiary_key $mykey + + Add a TACACS+ Server with tacacs.powerfgt as server and key, and secondary and tertiary servers + + .EXAMPLE + $mykey = ConvertTo-SecureString mykey -AsPlainText -Force + PS C:\>Add-FGTUserTACACS -Name PowerFGT -server tacacs.powerfgt -key $mykey -port 49 + + Add a TACACS+ Server with tacacs.powerfgt as server and key and port set to 49 + + .EXAMPLE + $mykey = ConvertTo-SecureString mykey -AsPlainText -Force + PS C:\>Add-FGTUserTACACS -Name PowerFGT -server tacacs.powerfgt -key $mykey -authen_type chap + + Add a TACACS+ Server with tacacs.powerfgt as server and key and CHAP as authentication type + + .EXAMPLE + $mykey = ConvertTo-SecureString mykey -AsPlainText -Force + PS C:\>Add-FGTUserTACACS -Name PowerFGT -server tacacs.powerfgt -key $mykey -authen_type auto + + Add a TACACS+ Server with tacacs.powerfgt as server and key and PAP, MSCHAP and CHAP as authentication type in that order + + .EXAMPLE + $mykey = ConvertTo-SecureString mykey -AsPlainText -Force + PS C:\>Add-FGTUserTACACS -Name PowerFGT -server tacacs.powerfgt -key $mykey -authorization + + Add a TACACS+ Server with tacacs.powerfgt as server and key and authorization enable + #> + + Param( + [Parameter (Mandatory = $true)] + [ValidateLength(1, 35)] + [string]$name, + [Parameter 
(Mandatory = $true)] + [ValidateLength(1, 63)] + [string]$server, + [Parameter (Mandatory = $true)] + [SecureString]$key, + [Parameter (Mandatory = $false)] + [ValidateLength(1, 63)] + [string]$secondary_server, + [Parameter (Mandatory = $false)] + [SecureString]$secondary_key, + [Parameter (Mandatory = $false)] + [ValidateLength(1, 63)] + [string]$tertiary_server, + [Parameter (Mandatory = $false)] + [SecureString]$tertiary_key, + [Parameter (Mandatory = $false)] + [ValidateRange(1, 65535)] + [int]$port, + [Parameter (Mandatory = $false)] + [ValidateSet("mschap", "chap", "pap", "ascii", "auto")] + [string]$authen_type, + [Parameter (Mandatory = $false)] + [switch]$authorization, + [Parameter (Mandatory = $false)] + [boolean]$visibility, + [Parameter (Mandatory = $false)] + [hashtable]$data, + [Parameter(Mandatory = $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + [psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + if ( Get-FGTUserTACACS @invokeParams -name $name -connection $connection) { + Throw "Already a TACACS+ Server using the same name" + } + + $uri = "api/v2/cmdb/user/tacacs+" + + $tacacs = new-Object -TypeName PSObject + + $tacacs | add-member -name "name" -membertype NoteProperty -Value $name + + $tacacs | add-member -name "server" -membertype NoteProperty -Value $server + + if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) { + $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($key); + $key_secure = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr); + $tacacs | add-member -name "key" -membertype NoteProperty -Value $key_secure + } + else { + $key_secure = ConvertFrom-SecureString -SecureString $key -AsPlainText + $tacacs | add-member -name "key" -membertype NoteProperty -Value $key_secure + } + + if ( 
$PsBoundParameters.ContainsKey('secondary_server') -xor $PsBoundParameters.ContainsKey('secondary_key') ) { + Throw "You must specify secondary server and secondary key !" + } + elseif ($PsBoundParameters.ContainsKey('secondary_server') -and $PsBoundParameters.ContainsKey('secondary_key')) { + $tacacs | add-member -name "secondary-server" -membertype NoteProperty -Value $secondary_server + if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) { + $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secondary_key); + $secondary_key_secure = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr); + $tacacs | add-member -name "secondary-key" -membertype NoteProperty -Value $secondary_key_secure + } + else { + $secondary_key_secure = ConvertFrom-SecureString -SecureString $secondary_key -AsPlainText + $tacacs | add-member -name "secondary-key" -membertype NoteProperty -Value $secondary_key_secure + } + } + + if ( $PsBoundParameters.ContainsKey('tertiary_server') -xor $PsBoundParameters.ContainsKey('tertiary_key') ) { + Throw "You must specify tertiary server and tertiary key !" 
+ } + elseif ($PsBoundParameters.ContainsKey('tertiary_server') -and $PsBoundParameters.ContainsKey('tertiary_key')) { + $tacacs | add-member -name "tertiary-server" -membertype NoteProperty -Value $tertiary_server + if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) { + $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($tertiary_key); + $tertiary_key_secure = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr); + $tacacs | add-member -name "tertiary-key" -membertype NoteProperty -Value $tertiary_key_secure + } + else { + $tertiary_key_secure = ConvertFrom-SecureString -SecureString $tertiary_key -AsPlainText + $tacacs | add-member -name "tertiary-key" -membertype NoteProperty -Value $tertiary_key_secure + } + } + + if ( $PsBoundParameters.ContainsKey('port') ) { + $tacacs | add-member -name "port" -membertype NoteProperty -Value $port + } + + if ( $PsBoundParameters.ContainsKey('authen_type') ) { + $tacacs | add-member -name "authen-type" -membertype NoteProperty -Value $authen_type + } + + if ( $PsBoundParameters.ContainsKey('authorization') ) { + $tacacs | add-member -name "authorization" -membertype NoteProperty -Value "enable" + } + else { + $tacacs | add-member -name "authorization" -membertype NoteProperty -Value "disable" + } + + if ( $PsBoundParameters.ContainsKey('visibility') ) { + #with 6.4.x, there is no longer visibility parameter + if ($connection.version -ge "6.4.0") { + Write-Warning "-visibility parameter is no longer available with FortiOS 6.4.x and after" + } + else { + if ( $visibility ) { + $tacacs | add-member -name "visibility" -membertype NoteProperty -Value "enable" + } + else { + $tacacs | add-member -name "visibility" -membertype NoteProperty -Value "disable" + } + } + } + + if ( $PsBoundParameters.ContainsKey('data') ) { + $data.GetEnumerator() | ForEach-Object { + $tacacs | Add-member -name $_.key -membertype NoteProperty -Value $_.value + } + } + + 
Invoke-FGTRestMethod -method "POST" -body $tacacs -uri $uri -connection $connection @invokeParams | out-Null + + Get-FGTUserTACACS -connection $connection @invokeParams -name $name + } + + End { + } +} + +function Get-FGTUserTACACS { + + <# + .SYNOPSIS + Get list of all TACACS servers + + .DESCRIPTION + Get list of all TACACS servers + + .EXAMPLE + Get-FGTUserTACACS + + Display all TACACS servers + + .EXAMPLE + Get-FGTUserTACACS -name FGT -filter_type contains + + Get TACACS servers that contains *FGT* + + .EXAMPLE + Get-FGTUserTACACS -meta + + Display all TACACS servers with metadata (q_...) like usage (q_ref) + + .EXAMPLE + Get-FGTUserTACACS -skip + + Display all TACACS servers (but only relevant attributes) + + .EXAMPLE + Get-FGTUserTACACS -vdom vdomX + + Display all TACACS servers on vdomX + #> + + [CmdletBinding(DefaultParameterSetName = "default")] + Param( + [Parameter (Mandatory = $false, Position = 1, ParameterSetName = "name")] + [string]$name, + [Parameter (Mandatory = $false)] + [Parameter (ParameterSetName = "filter")] + [string]$filter_attribute, + [Parameter (Mandatory = $false)] + [Parameter (ParameterSetName = "name")] + [Parameter (ParameterSetName = "filter")] + [ValidateSet('equal', 'contains')] + [string]$filter_type = "equal", + [Parameter (Mandatory = $false)] + [Parameter (ParameterSetName = "filter")] + [psobject]$filter_value, + [Parameter(Mandatory = $false)] + [switch]$meta, + [Parameter(Mandatory = $false)] + [switch]$skip, + [Parameter(Mandatory = $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + [psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('meta') ) { + $invokeParams.add( 'meta', $meta ) + } + if ( $PsBoundParameters.ContainsKey('skip') ) { + $invokeParams.add( 'skip', $skip ) + } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + #Filtering + switch ( $PSCmdlet.ParameterSetName ) 
{ + "name" { + $filter_value = $name + $filter_attribute = "name" + } + default { } + } + + #if filter value and filter_attribute, add filter (by default filter_type is equal) + if ( $filter_value -and $filter_attribute ) { + $invokeParams.add( 'filter_value', $filter_value ) + $invokeParams.add( 'filter_attribute', $filter_attribute ) + $invokeParams.add( 'filter_type', $filter_type ) + } + + $reponse = Invoke-FGTRestMethod -uri 'api/v2/cmdb/user/tacacs+' -method 'GET' -connection $connection @invokeParams + $reponse.results + } + + End { + } +} + +function Set-FGTUserTACACS { + + <# + .SYNOPSIS + Change a FortiGate TACACS Server + + .DESCRIPTION + Change a FortiGate TACACS Server + + .EXAMPLE + $MyFGTUserTACACS = Get-FGTUserTACACS -name MyFGTUserTACACS + PS C:\>$MyFGTUserTACACS | Set-FGTUserTACACS -server mynewTACACSserver + + Change server name from MyFGTUserTACACS to mynewTACACSserver + + .EXAMPLE + $MyFGTUserTACACS = Get-FGTUserTACACS -name MyFGTUserTACACS + PS C:\>$mykey = ConvertTo-SecureString mykey -AsPlainText -Force + PS C:\>$MyFGTUserTACACS | Set-FGTUserTACACS -secondary_server tacacs2.powerfgt -secondary_key $mykey + + Change secondary server and key + + .EXAMPLE + $MyFGTUserTACACS = Get-FGTUserTACACS -name MyFGTUserTACACS + PS C:\>$mykey = ConvertTo-SecureString mykey -AsPlainText -Force + PS C:\>$MyFGTUserTACACS | Set-FGTUserTACACS -tertiary_server tacacs3.powerfgt -tertiary_key $mykey + + Change tertiary server and key + + .EXAMPLE + $MyFGTUserTACACS = Get-FGTUserTACACS -name MyFGTUserTACACS + PS C:\>$MyFGTUserTACACS | Set-FGTUserTACACS -authorization disable + + Change authorization to disable + + .EXAMPLE + $data = @{ "port" = "10049" } + PS C:\>$MyFGTUserTACACS = Get-FGTUserTACACS -name MyFGTUserTACACS + PS C:\>$MyFGTUserTACACS | Set-FGTUserTACACS -data $data + + Change port to 10049 + #> + + [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'medium', DefaultParameterSetName = 'default')] + Param( + [Parameter (Mandatory = $true, 
ValueFromPipeline = $true, Position = 1)] + [ValidateScript( { Confirm-FGTUserTACACS $_ })] + [psobject]$usertacacs, + [Parameter (Mandatory = $false)] + [ValidateLength(1, 35)] + [string]$name, + [Parameter (Mandatory = $false)] + [ValidateLength(1, 63)] + [string]$server, + [Parameter (Mandatory = $false)] + [SecureString]$key, + [Parameter (Mandatory = $false)] + [ValidateLength(1, 63)] + [string]$secondary_server, + [Parameter (Mandatory = $false)] + [SecureString]$secondary_key, + [Parameter (Mandatory = $false)] + [ValidateLength(1, 63)] + [string]$tertiary_server, + [Parameter (Mandatory = $false)] + [SecureString]$tertiary_key, + [Parameter (Mandatory = $false)] + [ValidateRange(1, 65535)] + [int]$port, + [Parameter (Mandatory = $false)] + [ValidateSet("mschap", "chap", "pap", "ascii", "auto")] + [string]$authen_type, + [Parameter (Mandatory = $false)] + [ValidateSet("enable", "disable")] + [string]$authorization, + [Parameter (Mandatory = $false)] + [hashtable]$data, + [Parameter(Mandatory = $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + [psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + $uri = "api/v2/cmdb/user/tacacs+/$($usertacacs.name)" + + $_tacacs = New-Object -TypeName PSObject + + if ( $PsBoundParameters.ContainsKey('name') ) { + #TODO check if there is no already an object with this name ? 
+ $_tacacs | add-member -name "name" -membertype NoteProperty -Value $name + $usertacacs.name = $name + } + + if ( $PsBoundParameters.ContainsKey('server') ) { + $_tacacs | add-member -name "server" -membertype NoteProperty -Value $server + } + + if ( $PsBoundParameters.ContainsKey('key') ) { + if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) { + $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($key); + $key_secure = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr); + $_tacacs | add-member -name "key" -membertype NoteProperty -Value $key_secure + } + else { + $key_secure = ConvertFrom-SecureString -SecureString $key -AsPlainText + $_tacacs | add-member -name "key" -membertype NoteProperty -Value $key_secure + } + } + + if ( $PsBoundParameters.ContainsKey('secondary_server') ) { + $_tacacs | add-member -name "secondary-server" -membertype NoteProperty -Value $secondary_server + } + + if ( $PsBoundParameters.ContainsKey('secondary_key') ) { + if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) { + $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secondary_key); + $secondary_key_secure = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr); + $_tacacs | add-member -name "secondary-key" -membertype NoteProperty -Value $secondary_key_secure + } + else { + $secondary_key_secure = ConvertFrom-SecureString -SecureString $secondary_key -AsPlainText + $_tacacs | add-member -name "secondary-key" -membertype NoteProperty -Value $secondary_key_secure + } + } + + if ( $PsBoundParameters.ContainsKey('tertiary_server') ) { + $_tacacs | add-member -name "tertiary-server" -membertype NoteProperty -Value $tertiary_server + } + + if ( $PsBoundParameters.ContainsKey('tertiary_key') ) { + if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) { + $bstr = 
[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($tertiary_key); + $tertiary_key_secure = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr); + $_tacacs | add-member -name "tertiary-key" -membertype NoteProperty -Value $tertiary_key_secure + } + else { + $tertiary_key_secure = ConvertFrom-SecureString -SecureString $tertiary_key -AsPlainText + $_tacacs | add-member -name "tertiary-key" -membertype NoteProperty -Value $tertiary_key_secure + } + } + + if ( $PsBoundParameters.ContainsKey('port') ) { + $_tacacs | add-member -name "port" -membertype NoteProperty -Value $port + } + + if ( $PsBoundParameters.ContainsKey('authen_type') ) { + $_tacacs | add-member -name "authen-type" -membertype NoteProperty -Value $authen_type + } + + if ( $PsBoundParameters.ContainsKey('authorization') ) { + $_tacacs | add-member -name "authorization" -membertype NoteProperty -Value $authorization + } + + if ( $PsBoundParameters.ContainsKey('data') ) { + $data.GetEnumerator() | ForEach-Object { + $_tacacs | Add-member -name $_.key -membertype NoteProperty -Value $_.value + } + } + + if ($PSCmdlet.ShouldProcess($usertacacs.name, 'Configure User TACACS')) { + Invoke-FGTRestMethod -method "PUT" -body $_tacacs -uri $uri -connection $connection @invokeParams | out-Null + + Get-FGTUserTACACS -connection $connection @invokeParams -name $usertacacs.name + } + } + + End { + } +} + +function Remove-FGTUserTACACS { + + <# + .SYNOPSIS + Remove a FortiGate TACACS Server + + .DESCRIPTION + Remove a TACACS Server on the FortiGate + + .EXAMPLE + $MyFGTUserTACACS = Get-FGTUserTACACS -name PowerFGT + PS C:\>$MyFGTUserTACACS | Remove-FGTUserTACACS + + Remove user object $MyFGTUserTACACS + + .EXAMPLE + $MyFGTUserTACACS = Get-FGTUserTACACS -name MyFGTUserTACACS + PS C:\>$MyFGTUserTACACS | Remove-FGTUserTACACS -confirm:$false + + Remove UserTACACS object $MyFGTUserTACACS with no confirmation + #> + + [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'high')] + Param( + [Parameter 
(Mandatory = $true, ValueFromPipeline = $true, Position = 1)] + [ValidateScript( { Confirm-FGTUserTACACS $_ })] + [psobject]$usertacacs, + [Parameter(Mandatory = $false)] + [String[]]$vdom, + [Parameter(Mandatory = $false)] + [psobject]$connection = $DefaultFGTConnection + ) + + Begin { + } + + Process { + + $invokeParams = @{ } + if ( $PsBoundParameters.ContainsKey('vdom') ) { + $invokeParams.add( 'vdom', $vdom ) + } + + $uri = "api/v2/cmdb/user/tacacs+/$($usertacacs.name)" + + if ($PSCmdlet.ShouldProcess($usertacacs.name, 'Remove User Tacacs')) { + $null = Invoke-FGTRestMethod -method "DELETE" -uri $uri -connection $connection @invokeParams + } + } + + End { + } +} \ No newline at end of file diff --git a/Tests/common.ps1 b/Tests/common.ps1 index 5d1f1fd3..4d58cd6f 100644 --- a/Tests/common.ps1 +++ b/Tests/common.ps1 @@ -57,6 +57,11 @@ $script:pester_userlocal3 = "pester_userlocal3" $script:pester_userlocal4 = "pester_userlocal4" $script:pester_usergroup1 = "pester_usergroup1" $script:pester_usergroup2 = "pester_usergroup2" +$script:pester_usertacacs = "pester_usertacacs" +$script:pester_usertacacsserver1 = "pestertacacsserver1.powerfgt" +$script:pester_usertacacsserver2 = "pestertacacsserver2.powerfgt" +$script:pester_usertacacsserver3 = "pestertacacsserver3.powerfgt" +$script:pester_usertacacs_key = ConvertTo-SecureString "pester_usertacacskey" -AsPlainText -Force . ../credential.ps1 #TODO: Add check if no ipaddress/login/password info... diff --git a/Tests/integration/UserTacacs.Tests.ps1 b/Tests/integration/UserTacacs.Tests.ps1 new file mode 100644 index 00000000..f52402d4 --- /dev/null +++ b/Tests/integration/UserTacacs.Tests.ps1 
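Review bot: The Desktop-edition branches that convert `$key`, `$secondary_key` and `$tertiary_key` in both Add-FGTUserTACACS and Set-FGTUserTACACS call `SecureStringToBSTR` but never release the BSTR, so the plaintext TACACS+ shared secret stays in unmanaged memory for the life of the process; each call needs a matching `[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)` in a `finally`. The same block appears six times in this file, so a single private helper (name below is a suggestion, placed alongside the other Private/ functions) fixes the leak once and keeps Add and Set consistent. Separately, in Set-FGTUserTACACS `$usertacacs.name = $name` runs before `ShouldProcess`, so `-WhatIf` still renames the piped object locally; moving that assignment inside the `ShouldProcess` block avoids it.
```powershell
# Proposed private helper (name is a suggestion); replaces the six inline
# SecureString-to-plaintext blocks in Add-FGTUserTACACS and Set-FGTUserTACACS.
function ConvertFrom-FGTSecureString {

    Param (
        [Parameter (Mandatory = $true)]
        [SecureString]$secure
    )

    if (("Desktop" -eq $PSVersionTable.PsEdition) -or ($null -eq $PSVersionTable.PsEdition)) {
        $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
        try {
            [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
        }
        finally {
            # zero and free the unmanaged copy of the secret
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
    else {
        ConvertFrom-SecureString -SecureString $secure -AsPlainText
    }
}

# … unchanged: Add-FGTUserTACACS up to the "server" member …
$tacacs | add-member -name "key" -membertype NoteProperty -Value (ConvertFrom-FGTSecureString $key)
# … unchanged: remaining members; secondary/tertiary keys and Set-FGTUserTACACS use the same call …
```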
@@ -0,0 +1,355 @@ +# +# Copyright 2024, Cedric Moreau +# +# SPDX-License-Identifier: Apache-2.0 +# + +#include common configuration +. ../common.ps1 + +BeforeAll { + Connect-FGT @invokeParams +} + +Describe "Get User Tacacs" { + + BeforeAll { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key + } + + It "Get User Tacacs Does not throw an error" { + { + Get-FGTuserTACACS + } | Should -Not -Throw + } + + It "Get ALL User Tacacs" { + $usertacacs = Get-FGTuserTACACS + @($usertacacs).count | Should -Not -Be $NULL + } + + It "Get ALL User Tacacs with -skip" { + $usertacacs = Get-FGTuserTACACS -skip + @($usertacacs).count | Should -Not -Be $NULL + } + + It "Get User Tacacs with -name $pester_usertacacs -meta" { + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs -meta + $usertacacs.q_ref | Should -Not -BeNullOrEmpty + $usertacacs.q_static | Should -Not -BeNullOrEmpty + $usertacacs.q_no_rename | Should -Not -BeNullOrEmpty + $usertacacs.q_global_entry | Should -Not -BeNullOrEmpty + $usertacacs.q_type | Should -Not -BeNullOrEmpty + $usertacacs.q_path | Should -Be "user" + $usertacacs.q_name | Should -Be "tacacs+" + $usertacacs.q_mkey_type | Should -Be "string" + if ($DefaultFGTConnection.version -ge "6.2.0") { + $usertacacs.q_no_edit | Should -Not -BeNullOrEmpty + } + } + + It "Get User Tacacs ($pester_usertacacs)" { + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + } + + It "Get User Tacacs ($pester_usertacacs) and confirm (via Confirm-FGTuserTACACS)" { + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + Confirm-FGTuserTACACS ($usertacacs) | Should -Be $true + } + + Context "Search" { + + It "Search User Tacacs by name ($pester_usertacacs)" { + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + @($usertacacs).count | Should -be 1 + $usertacacs.name | Should -Be $pester_usertacacs + } + + } + + AfterAll { + Get-FGTuserTACACS -name 
$pester_usertacacs | Remove-FGTUserTACACS -confirm:$false + } + +} + +Describe "Add User Tacacs" { + + Context "Tacacs Server (Primary, secondary, tertiary servers, port, authentication type etc ...)" { + + AfterEach { + Get-FGTuserTACACS -name $pester_usertacacs | Remove-FGTUserTACACS -confirm:$false + } + + It "Add User Tacacs Server $pester_usertacacs" { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | Should -Be $pester_usertacacsserver1 + $usertacacs.key | Should -Not -Be $Null + } + + It "Add User Tacacs Server $pester_usertacacs with secondary-server" { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key -secondary_server $pester_usertacacsserver2 -secondary_key $pester_usertacacs_key + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | Should -Be $pester_usertacacsserver1 + $usertacacs.key | Should -Not -Be $Null + $usertacacs.'secondary-server' | Should -Be $pester_usertacacsserver2 + $usertacacs.'secondary-key' | Should -Not -Be $Null + } + + It "Add User Tacacs Server $pester_usertacacs with tertiary-server" { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key -secondary_server $pester_usertacacsserver2 -secondary_key $pester_usertacacs_key -tertiary_server $pester_usertacacsserver3 -tertiary_key $pester_usertacacs_key + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | Should -Be $pester_usertacacsserver1 + $usertacacs.key | Should -Not -Be $Null + $usertacacs.'secondary-server' | Should -Be $pester_usertacacsserver2 + $usertacacs.'secondary-key' | Should -Not -Be $Null + 
$usertacacs.'tertiary-server' | Should -Be $pester_usertacacsserver3 + $usertacacs.'tertiary-key' | Should -Not -Be $Null + } + + It "Add User Tacacs Server $pester_usertacacs with port" { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key -port 10049 + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | Should -Be $pester_usertacacsserver1 + $usertacacs.key | Should -Not -Be $Null + $usertacacs.port | Should -Be "10049" + } + + It "Add User Tacacs Server $pester_usertacacs with authorization enabled" { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key -authorization + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | Should -Be $pester_usertacacsserver1 + $usertacacs.key | Should -Not -Be $Null + $usertacacs.authorization | Should -Be "enable" + } + + It "Add User Tacacs Server $pester_usertacacs with authorization disabled" { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | Should -Be $pester_usertacacsserver1 + $usertacacs.key | Should -Not -Be $Null + $usertacacs.authorization | Should -Be "disable" + } + + It "Try to Add User Tacacs Server $pester_usertacacs (but there is already a object with same name)" { + #Add first userTacacs + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key + #Add Second userTacacs with same name + { Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key } | Should -Throw "Already a TACACS+ Server using the same name" + } + + } + + Context "Tacacs Server authen-type" { + + 
AfterEach { + Get-FGTuserTACACS -name $pester_usertacacs | Remove-FGTUserTACACS -confirm:$false + } + + It "Add User Tacacs Server $pester_usertacacs with authen_type as auto" { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key -authen_type auto + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | Should -Be $pester_usertacacsserver1 + $usertacacs.key | Should -Not -Be $Null + $usertacacs."authen-type" | Should -Be "auto" + } + + It "Add User Tacacs Server $pester_usertacacs with authen_type as mschap" { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key -authen_type mschap + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | Should -Be $pester_usertacacsserver1 + $usertacacs.key | Should -Not -Be $Null + $usertacacs."authen-type" | Should -Be "mschap" + } + + It "Add User Tacacs Server $pester_usertacacs with authen_type as ascii" { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key -authen_type ascii + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | Should -Be $pester_usertacacsserver1 + $usertacacs.key | Should -Not -Be $Null + $usertacacs."authen-type" | Should -Be "ascii" + } + + It "Add User Tacacs Server $pester_usertacacs with authen_type as chap" { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key -authen_type chap + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | Should -Be $pester_usertacacsserver1 + $usertacacs.key | Should -Not -Be $Null + $usertacacs."authen-type" | Should -Be "chap" + } + + It "Add User 
Tacacs Server $pester_usertacacs with authen_type as pap" { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key -authen_type pap + $usertacacs = Get-FGTuserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | Should -Be $pester_usertacacsserver1 + $usertacacs.key | Should -Not -Be $Null + $usertacacs."authen-type" | Should -Be "pap" + } + + } + +} + +Describe "Configure User TACACS" { + + Context "Change server, secondary-server, port, etc ..." { + + BeforeAll { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key + } + + It "Change name of TACACS Server" { + Get-FGTUserTACACS -name $pester_usertacacs | Set-FGTuserTACACS -name "pester_tacacsserver_renamed" + $usertacacs = Get-FGTUserTACACS -name "pester_tacacsserver_renamed" + $usertacacs.name | Should -Be "pester_tacacsserver_renamed" + $usertacacs.server | Should -Be $pester_usertacacsserver1 + $usertacacs.key | Should -Not -Be $Null + } + + It "Change name of TACACS Server back to initial value" { + Get-FGTUserTACACS -name "pester_tacacsserver_renamed" | Set-FGTuserTACACS -name $pester_usertacacs + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + } + + It "Change server" { + Get-FGTUserTACACS -name $pester_usertacacs | Set-FGTuserTACACS -server $pester_usertacacsserver2 + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | Should -Be $pester_usertacacsserver2 + $usertacacs.key | Should -Not -Be $Null + } + + It "Change secondary-server" { + Get-FGTUserTACACS -name $pester_usertacacs | Set-FGTuserTACACS -secondary_server $pester_usertacacsserver3 -secondary_key $pester_usertacacs_key + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | 
Should -Be $pester_usertacacsserver2 + $usertacacs.key | Should -Not -Be $Null + $usertacacs."secondary-server" | Should -Be $pester_usertacacsserver3 + $usertacacs."secondary-key" | Should -Not -Be $Null + } + + It "Change tertiary-server" { + Get-FGTUserTACACS -name $pester_usertacacs | Set-FGTuserTACACS -tertiary_server $pester_usertacacsserver1 -tertiary_key $pester_usertacacs_key + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.server | Should -Be $pester_usertacacsserver2 + $usertacacs.key | Should -Not -Be $Null + $usertacacs."secondary-server" | Should -Be $pester_usertacacsserver3 + $usertacacs."secondary-key" | Should -Not -Be $Null + $usertacacs."tertiary-server" | Should -Be $pester_usertacacsserver1 + $usertacacs."tertiary-key" | Should -Not -Be $Null + } + + It "Change port" { + Get-FGTUserTACACS -name $pester_usertacacs | Set-FGTuserTACACS -port 10049 + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.port | Should -Be "10049" + } + + It "Change authorization to enable" { + Get-FGTUserTACACS -name $pester_usertacacs | Set-FGTuserTACACS -authorization enable + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.authorization | Should -Be "enable" + } + + It "Change authorization to disable" { + Get-FGTUserTACACS -name $pester_usertacacs | Set-FGTuserTACACS -authorization disable + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs.authorization | Should -Be "disable" + } + + AfterAll { + Get-FGTUserTACACS -name $pester_usertacacs | Remove-FGTUserTACACS -confirm:$false + } + + } + + Context "Change authen-type" { + + BeforeAll { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key + } + + It "Change type mschap" { + 
Get-FGTUserTACACS -name $pester_usertacacs | Set-FGTuserTACACS -authen_type mschap + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs."authen-type" | Should -Be "mschap" + } + + It "Change type chap" { + Get-FGTUserTACACS -name $pester_usertacacs | Set-FGTuserTACACS -authen_type chap + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs."authen-type" | Should -Be "chap" + } + + It "Change type pap" { + Get-FGTUserTACACS -name $pester_usertacacs | Set-FGTuserTACACS -authen_type pap + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs."authen-type" | Should -Be "pap" + } + + It "Change type ascii" { + Get-FGTUserTACACS -name $pester_usertacacs | Set-FGTuserTACACS -authen_type ascii + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs."authen-type" | Should -Be "ascii" + } + + It "Change type auto" { + Get-FGTUserTACACS -name $pester_usertacacs | Set-FGTuserTACACS -authen_type auto + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs.name | Should -Be $pester_usertacacs + $usertacacs."authen-type" | Should -Be "auto" + } + + AfterAll { + Get-FGTUserTACACS -name $pester_usertacacs | Remove-FGTUserTACACS -confirm:$false + } + + } + +} + +Describe "Remove User TACACS" { + + Context "local" { + + BeforeEach { + Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key + } + + It "Remove User TACACS $pester_usertacacs by pipeline" { + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs | Remove-FGTUserTACACS -confirm:$false + $usertacacs = Get-FGTUserTACACS -name $pester_usertacacs + $usertacacs | Should -Be $NULL + } + + } + +} + +AfterAll { + Disconnect-FGT -confirm:$false +} \ No newline at end of file
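Review bot: The key assertions throughout this file (`$usertacacs.key | Should -Not -Be $Null` and the secondary/tertiary variants) also pass when the FortiGate returns an empty string, so they do not prove the key was stored; `Should -Not -BeNullOrEmpty`, already used in the `-meta` test, is the stricter check. Nothing exercises the guard Add-FGTUserTACACS raises when only one of `-secondary_server`/`-secondary_key` (or the tertiary pair) is given; a `{ Add-FGTUserTACACS -Name $pester_usertacacs -server $pester_usertacacsserver1 -key $pester_usertacacs_key -secondary_server $pester_usertacacsserver2 } | Should -Throw "You must specify secondary server and secondary key !"` case next to the duplicate-name test would cover it. In the "Change name of TACACS Server" pair, the Context's AfterAll only removes `$pester_usertacacs`, so if the rename-back test fails the `pester_tacacsserver_renamed` object is left on the device for later runs; removing it in AfterAll as well (ignoring a miss) keeps the suite self-cleaning.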