Missed a test for EnterpriseCA.

BloodHoundAD · Nov 25, 2024 · e90a3de · e90a3de
1 parent 8b499d0
commit e90a3de
Showing 1 changed file with 42 additions and 42 deletions.
diff --git a/test/unit/ACLProcessorTest.cs b/test/unit/ACLProcessorTest.cs
@@ -1674,7 +1674,7 @@ public async Task ACLProcessor_ProcessACL_GenericWrite_EnterpriseCA()
         }
 
         [Fact]
-        public async Task ACLProcessor_ProcessACL_CreateChild_ManageCA()
+        public async Task ACLProcessor_ProcessACL_EnterpriseCA_ManageCA()
         {
             var expectedPrincipalType = Label.EnterpriseCA;
             var expectedPrincipalSID = "S-1-5-21-3130019616-2776909439-2417379446-512";
@@ -1687,7 +1687,7 @@ public async Task ACLProcessor_ProcessACL_CreateChild_ManageCA()
             mockRule.Setup(x => x.AccessControlType()).Returns(AccessControlType.Allow);
             mockRule.Setup(x => x.IsAceInheritedFrom(It.IsAny<string>())).Returns(true);
             mockRule.Setup(x => x.IdentityReference()).Returns(expectedPrincipalSID);
-            mockRule.Setup(x => x.ActiveDirectoryRights()).Returns(ActiveDirectoryRights.CreateChild);
+            mockRule.Setup(x => x.ActiveDirectoryRights()).Returns((ActiveDirectoryRights)CertificationAuthorityRights.ManageCA);
             mockRule.Setup(x => x.ObjectType()).Returns(new Guid(ACEGuids.AllGuid));
             collection.Add(mockRule.Object);
 
@@ -1713,7 +1713,7 @@ public async Task ACLProcessor_ProcessACL_CreateChild_ManageCA()
         }
 
         [Fact]
-        public async Task ACLProcessor_ProcessACL_DeleteChild_ManageCertificates()
+        public async Task ACLProcessor_ProcessACL_EnterpriseCA_ManageCertificates()
         {
             var expectedPrincipalType = Label.EnterpriseCA;
             var expectedPrincipalSID = "S-1-5-21-3130019616-2776909439-2417379446-512";
@@ -1726,7 +1726,7 @@ public async Task ACLProcessor_ProcessACL_DeleteChild_ManageCertificates()
             mockRule.Setup(x => x.AccessControlType()).Returns(AccessControlType.Allow);
             mockRule.Setup(x => x.IsAceInheritedFrom(It.IsAny<string>())).Returns(true);
             mockRule.Setup(x => x.IdentityReference()).Returns(expectedPrincipalSID);
-            mockRule.Setup(x => x.ActiveDirectoryRights()).Returns(ActiveDirectoryRights.DeleteChild);
+            mockRule.Setup(x => x.ActiveDirectoryRights()).Returns((ActiveDirectoryRights)CertificationAuthorityRights.ManageCertificates);
             mockRule.Setup(x => x.ObjectType()).Returns(new Guid(ACEGuids.AllGuid));
             collection.Add(mockRule.Object);
 
@@ -1751,43 +1751,43 @@ public async Task ACLProcessor_ProcessACL_DeleteChild_ManageCertificates()
             Assert.Equal(actual.RightName, expectedRightName);
         }
 
-        // [Fact]
-        // public async Task ACLProcessor_ProcessACL_Enroll()
-        // {
-        //     var expectedPrincipalType = Label.EnterpriseCA;
-        //     var expectedPrincipalSID = "S-1-5-21-3130019616-2776909439-2417379446-512";
-        //     var expectedRightName = EdgeNames.ManageCertificates;
-        //
-        //     var mockLDAPUtils = new Mock<ILdapUtils>();
-        //     var mockSecurityDescriptor = new Mock<ActiveDirectorySecurityDescriptor>(MockBehavior.Loose, null);
-        //     var mockRule = new Mock<ActiveDirectoryRuleDescriptor>(MockBehavior.Loose, null);
-        //     var collection = new List<ActiveDirectoryRuleDescriptor>();
-        //     mockRule.Setup(x => x.AccessControlType()).Returns(AccessControlType.Allow);
-        //     mockRule.Setup(x => x.IsAceInheritedFrom(It.IsAny<string>())).Returns(true);
-        //     mockRule.Setup(x => x.IdentityReference()).Returns(expectedPrincipalSID);
-        //     mockRule.Setup(x => x.ActiveDirectoryRights()).Returns((int)CertificationAuthorityRights.Enroll);
-        //     mockRule.Setup(x => x.ObjectType()).Returns(new Guid(ACEGuids.AllGuid));
-        //     collection.Add(mockRule.Object);
-        //
-        //     mockSecurityDescriptor.Setup(m => m.GetAccessRules(It.IsAny<bool>(), It.IsAny<bool>(), It.IsAny<Type>()))
-        //         .Returns(collection);
-        //     mockSecurityDescriptor.Setup(m => m.GetOwner(It.IsAny<Type>())).Returns((string)null);
-        //     mockLDAPUtils.Setup(x => x.MakeSecurityDescriptor()).Returns(mockSecurityDescriptor.Object);
-        //     mockLDAPUtils.Setup(x => x.ResolveIDAndType(It.IsAny<string>(), It.IsAny<string>()))
-        //         .ReturnsAsync((true, new TypedPrincipal(expectedPrincipalSID, expectedPrincipalType)));
-        //     mockLDAPUtils.Setup(x => x.PagedQuery(It.IsAny<LdapQueryParameters>(), It.IsAny<CancellationToken>()))
-        //         .Returns(Array.Empty<LdapResult<IDirectoryObject>>().ToAsyncEnumerable);
-        //
-        //     var processor = new ACLProcessor(mockLDAPUtils.Object);
-        //     var bytes = Utils.B64ToBytes(UnProtectedUserNtSecurityDescriptor);
-        //     var result = await processor.ProcessACL(bytes, _testDomainName, Label.EnterpriseCA, true).ToArrayAsync();
-        //
-        //     Assert.Single(result);
-        //     var actual = result.First();
-        //     Assert.Equal(actual.PrincipalType, expectedPrincipalType);
-        //     Assert.Equal(actual.PrincipalSID, expectedPrincipalSID);
-        //     Assert.False(actual.IsInherited);
-        //     Assert.Equal(actual.RightName, expectedRightName);
-        // }
+        [Fact]
+        public async Task ACLProcessor_ProcessACL_EnterpriseCA_Enroll()
+        {
+            var expectedPrincipalType = Label.EnterpriseCA;
+            var expectedPrincipalSID = "S-1-5-21-3130019616-2776909439-2417379446-512";
+            var expectedRightName = EdgeNames.Enroll;
+
+            var mockLDAPUtils = new Mock<ILdapUtils>();
+            var mockSecurityDescriptor = new Mock<ActiveDirectorySecurityDescriptor>(MockBehavior.Loose, null);
+            var mockRule = new Mock<ActiveDirectoryRuleDescriptor>(MockBehavior.Loose, null);
+            var collection = new List<ActiveDirectoryRuleDescriptor>();
+            mockRule.Setup(x => x.AccessControlType()).Returns(AccessControlType.Allow);
+            mockRule.Setup(x => x.IsAceInheritedFrom(It.IsAny<string>())).Returns(true);
+            mockRule.Setup(x => x.IdentityReference()).Returns(expectedPrincipalSID);
+            mockRule.Setup(x => x.ActiveDirectoryRights()).Returns((ActiveDirectoryRights)CertificationAuthorityRights.Enroll);
+            mockRule.Setup(x => x.ObjectType()).Returns(new Guid(ACEGuids.AllGuid));
+            collection.Add(mockRule.Object);
+
+            mockSecurityDescriptor.Setup(m => m.GetAccessRules(It.IsAny<bool>(), It.IsAny<bool>(), It.IsAny<Type>()))
+                .Returns(collection);
+            mockSecurityDescriptor.Setup(m => m.GetOwner(It.IsAny<Type>())).Returns((string)null);
+            mockLDAPUtils.Setup(x => x.MakeSecurityDescriptor()).Returns(mockSecurityDescriptor.Object);
+            mockLDAPUtils.Setup(x => x.ResolveIDAndType(It.IsAny<string>(), It.IsAny<string>()))
+                .ReturnsAsync((true, new TypedPrincipal(expectedPrincipalSID, expectedPrincipalType)));
+            mockLDAPUtils.Setup(x => x.PagedQuery(It.IsAny<LdapQueryParameters>(), It.IsAny<CancellationToken>()))
+                .Returns(Array.Empty<LdapResult<IDirectoryObject>>().ToAsyncEnumerable);
+
+            var processor = new ACLProcessor(mockLDAPUtils.Object);
+            var bytes = Utils.B64ToBytes(UnProtectedUserNtSecurityDescriptor);
+            var result = await processor.ProcessACL(bytes, _testDomainName, Label.EnterpriseCA, true).ToArrayAsync();
+
+            Assert.Single(result);
+            var actual = result.First();
+            Assert.Equal(actual.PrincipalType, expectedPrincipalType);
+            Assert.Equal(actual.PrincipalSID, expectedPrincipalSID);
+            Assert.False(actual.IsInherited);
+            Assert.Equal(actual.RightName, expectedRightName);
+        }
     }
 }