Testing/Unit/PowerShell/Providers/AADProvider/Export-Caps.Tests.ps1
|
BeforeAll { $ClassPath = (Join-Path -Path $PSScriptRoot -ChildPath "./../../../../../Modules/Providers/ProviderHelpers/AADConditionalAccessHelper.psm1") Import-Module $ClassPath [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'CapHelper')] $CapHelper = Get-CapTracker } Describe "GetIncludedUsers" { BeforeEach { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'Cap')] $Cap = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "./CapSnippets/Users.json") | ConvertFrom-Json } It "returns 'None' when no users are included" { $Cap.Conditions.Users.IncludeUsers += "None" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "None" } It "handles including single users" { $Cap.Conditions.Users.IncludeUsers += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "1 specific user" } It "handles including multiple users" { $Cap.Conditions.Users.IncludeUsers += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeUsers += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "2 specific users" } It "handles including single groups" { $Cap.Conditions.Users.IncludeGroups += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "1 specific group" } It "handles including multiple groups" { $Cap.Conditions.Users.IncludeGroups += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeGroups += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "2 specific groups" } It "handles including single roles" { $Cap.Conditions.Users.IncludeRoles += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "1 specific role" } It "handles including multiple roles" { $Cap.Conditions.Users.IncludeRoles += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeRoles += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "2 specific roles" } It "handles including users, groups, and roles simultaneously" { $Cap.Conditions.Users.IncludeUsers += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeRoles += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeRoles += "caaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeGroups += "daaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.IncludeGroups += "eaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" #gitleaks:allow $Cap.Conditions.Users.IncludeGroups += "faaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "1 specific user, 2 specific roles, 3 specific groups" } It "returns 'All' when all users are included" { $Cap.Conditions.Users.IncludeUsers += "all" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "All" } It "handles including single type of external user" { $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.ExternalTenants.MembershipKind = "all" $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes = "internalGuest" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "Local guest users" } It "handles including all types of guest users" { $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.ExternalTenants.MembershipKind = "all" $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,internalGuest,serviceProvider,otherExternalUser" $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap)) -Join ", " $UsersIncluded | Should -Be "B2B collaboration guest users, B2B collaboration member users, B2B direct connect users, Local guest users, Service provider users, Other external users" } It "handles empty input" { $Cap = @{} $UsersIncluded = $($CapHelper.GetIncludedUsers($Cap) 3>$null) -Join ", " # 3>$null to surpress the warning # message as it is expected in this case $UsersIncluded | Should -Be "" } } Describe "GetExcludedUsers" { BeforeEach { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'Cap')] $Cap = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "./CapSnippets/Users.json") | ConvertFrom-Json } It "returns 'None' when no users are included" { $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "None" } It "handles excluding single users" { $Cap.Conditions.Users.ExcludeUsers += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "1 specific user" } It "handles excluding multiple users" { $Cap.Conditions.Users.ExcludeUsers += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeUsers += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "2 specific users" } It "handles excluding single groups" { $Cap.Conditions.Users.ExcludeGroups += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "1 specific group" } It "handles excluding multiple groups" { $Cap.Conditions.Users.ExcludeGroups += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeGroups += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "2 specific groups" } It "handles excluding single roles" { $Cap.Conditions.Users.ExcludeRoles += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "1 specific role" } It "handles excluding multiple roles" { $Cap.Conditions.Users.ExcludeRoles += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeRoles += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "2 specific roles" } It "handles excluding users, groups, and roles simultaneously" { $Cap.Conditions.Users.ExcludeUsers += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeRoles += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeRoles += "caaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeGroups += "daaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Users.ExcludeGroups += "eaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" #gitleaks:allow $Cap.Conditions.Users.ExcludeGroups += "faaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "1 specific user, 2 specific roles, 3 specific groups" } It "handles excluding all types of external users" { $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.MembershipKind = "all" $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,internalGuest,serviceProvider,otherExternalUser" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "B2B collaboration guest users, B2B collaboration member users, B2B direct connect users, Local guest users, Service provider users, Other external users" } It "handles excluding a single type of external user" { $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.MembershipKind = "all" $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes = "serviceProvider" $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap)) -Join ", " $UsersExcluded | Should -Be "Service provider users" } It "handles empty input" { $Cap = @{} $UsersExcluded = $($CapHelper.GetExcludedUsers($Cap) 3>$null) -Join ", " # 3>$null to surpress the warning # message as it is expected in this case $UsersExcluded | Should -Be "" } } Describe "GetApplications" { BeforeEach { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'Cap')] $Cap = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "./CapSnippets/Apps.json") | ConvertFrom-Json } It "handles including all apps" { $Cap.Conditions.Applications.IncludeApplications += "All" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: All" $Apps[2] | Should -Be "Apps excluded: None" } It "handles including/excluding no apps" { $Cap.Conditions.Applications.IncludeApplications += "None" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: None" $Apps[2] | Should -Be "Apps excluded: None" } It "handles including/excluding single specific apps" { $Cap.Conditions.Applications.IncludeApplications += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Applications.ExcludeApplications += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: 1 specific app" $Apps[2] | Should -Be "Apps excluded: 1 specific app" } It "handles including/excluding multiple specific apps" { $Cap.Conditions.Applications.IncludeApplications += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Applications.IncludeApplications += "baaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Applications.IncludeApplications += "caaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Applications.ExcludeApplications += "daaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Cap.Conditions.Applications.ExcludeApplications += "eaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" #gitleaks:allow $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: 3 specific apps" $Apps[2] | Should -Be "Apps excluded: 2 specific apps" } It "handles app filter in include mode" { $Cap.Conditions.Applications.ApplicationFilter.Mode = "include" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: custom application filter" $Apps[2] | Should -Be "Apps excluded: None" } It "handles app filter in exclude mode" { $Cap.Conditions.Applications.ApplicationFilter.Mode = "exclude" $Cap.Conditions.Applications.IncludeApplications += "All" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: All" $Apps[2] | Should -Be "Apps excluded: custom application filter" } It "handles including app filter and specific apps" { $Cap.Conditions.Applications.ApplicationFilter.Mode = "include" $Cap.Conditions.Applications.IncludeApplications += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: 1 specific app" $Apps[2] | Should -Be "Apps included: custom application filter" $Apps[3] | Should -Be "Apps excluded: None" } It "handles excluding app filter and specific apps" { $Cap.Conditions.Applications.ApplicationFilter.Mode = "exclude" $Cap.Conditions.Applications.IncludeApplications += "All" $Cap.Conditions.Applications.ExcludeApplications += "aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: apps" $Apps[1] | Should -Be "Apps included: All" $Apps[2] | Should -Be "Apps excluded: 1 specific app" $Apps[3] | Should -Be "Apps excluded: custom application filter" } It "handles registering a device" { $Cap.Conditions.Applications.IncludeUserActions += "urn:user:registerdevice" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: actions" $Apps[1] | Should -Be "User action: Register or join devices" } It "handles registering security info" { $Cap.Conditions.Applications.IncludeUserActions += "urn:user:registersecurityinfo" $Apps = $($CapHelper.GetApplications($Cap)) $Apps[0] | Should -Be "Policy applies to: actions" $Apps[1] | Should -Be "User action: Register security info" } It "handles registering security info" { $Cap.Conditions.Applications.IncludeAuthenticationContextClassReferences += "c1" $Cap.Conditions.Applications.IncludeAuthenticationContextClassReferences += "c3" $Apps = $($CapHelper.GetApplications($Cap)) $Apps | Should -Be "Policy applies to: 2 authentication contexts" } It "handles empty input" { $Cap = @{} $Apps = $($CapHelper.GetApplications($Cap) 3>$null) -Join ", " # 3>$null to surpress the warning # message as it is expected in this case $Apps | Should -Be "" } } Describe "GetConditions" { BeforeEach { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'Cap')] $Cap = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "./CapSnippets/Conditions.json") | ConvertFrom-Json } It "handles user risk levels" { $Cap.Conditions.UserRiskLevels += "high" $Cap.Conditions.UserRiskLevels += "medium" $Cap.Conditions.UserRiskLevels += "low" $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "User risk levels: high, medium, low" } It "handles sign-in risk levels" { $Cap.Conditions.SignInRiskLevels += "low" $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Sign-in risk levels: low" } It "handles including all device platforms" { $Cap.Conditions.Platforms.ExcludePlatforms = @() $Cap.Conditions.Platforms.IncludePlatforms = @("all") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Device platforms included: all" $Conditions[1] | Should -Be "Device platforms excluded: none" } It "handles including/excluding specific device platforms" { $Cap.Conditions.Platforms.ExcludePlatforms = @("iOS", "macOS", "linux") $Cap.Conditions.Platforms.IncludePlatforms = @("android") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Device platforms included: android" $Conditions[1] | Should -Be "Device platforms excluded: iOS, macOS, linux" } It "handles including all locations" { $Cap.Conditions.Locations.ExcludeLocations = @() $Cap.Conditions.Locations.IncludeLocations = @("All") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Locations included: all locations" $Conditions[1] | Should -Be "Locations excluded: none" } It "handles excluding trusted locations" { $Cap.Conditions.Locations.ExcludeLocations = @("AllTrusted") $Cap.Conditions.Locations.IncludeLocations = @("All") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Locations included: all locations" $Conditions[1] | Should -Be "Locations excluded: all trusted locations" } It "handles including/excluding single custom locations" { $Cap.Conditions.Locations.ExcludeLocations = @("00000000-0000-0000-0000-000000000000") $Cap.Conditions.Locations.IncludeLocations = @("10000000-0000-0000-0000-000000000000") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Locations included: 1 specific location" $Conditions[1] | Should -Be "Locations excluded: 1 specific location" } It "handles including/excluding multiple custom locations" { $Cap.Conditions.Locations.ExcludeLocations = @() $Cap.Conditions.Locations.ExcludeLocations += @("00000000-0000-0000-0000-000000000000") $Cap.Conditions.Locations.ExcludeLocations += @("10000000-0000-0000-0000-000000000000") $Cap.Conditions.Locations.ExcludeLocations += @("20000000-0000-0000-0000-000000000000") $Cap.Conditions.Locations.IncludeLocations = @() $Cap.Conditions.Locations.IncludeLocations += @("30000000-0000-0000-0000-000000000000") $Cap.Conditions.Locations.IncludeLocations += @("40000000-0000-0000-0000-000000000000") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Locations included: 2 specific locations" $Conditions[1] | Should -Be "Locations excluded: 3 specific locations" } It "handles including trusted locations" { $Cap.Conditions.Locations.IncludeLocations = @("AllTrusted") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "Locations included: all trusted locations" $Conditions[1] | Should -Be "Locations excluded: none" } It "handles including all client apps" { $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions | Should -Be "Client apps included: all" } It "handles including specific client apps" { $Cap.Conditions.ClientAppTypes = @("exchangeActiveSync", "browser", "mobileAppsAndDesktopClients", "other") $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions | Should -Be "Client apps included: Exchange ActiveSync Clients, Browser, Mobile apps and desktop clients, Other clients" } It "handles custom client app filter in include mode" { $Cap.Conditions.Devices.DeviceFilter.Mode = "include" $Cap.Conditions.Devices.DeviceFilter.Rule = "device.manufacturer -eq 'helloworld'" $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[1] | Should -Be "Custom device filter in include mode active" } It "handles custom client app filter in exclude mode" { $Cap.Conditions.Devices.DeviceFilter.Mode = "exclude" $Cap.Conditions.Devices.DeviceFilter.Rule = "device.manufacturer -eq 'helloworld'" $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[1] | Should -Be "Custom device filter in exclude mode active" } It "handles many conditions simultaneously" { $Cap.Conditions.UserRiskLevels += "low" $Cap.Conditions.SignInRiskLevels += "high" $Cap.Conditions.Platforms.ExcludePlatforms = @("android", "iOS", "macOS", "linux") $Cap.Conditions.Platforms.IncludePlatforms = @("all") $Cap.Conditions.Locations.IncludeLocations = @("AllTrusted") $Cap.Conditions.Locations.ExcludeLocations = @() $Cap.Conditions.ClientAppTypes = @("exchangeActiveSync") $Cap.Conditions.Devices.DeviceFilter.Mode = "exclude" $Cap.Conditions.Devices.DeviceFilter.Rule = "device.manufacturer -eq 'helloworld'" $Conditions = $($CapHelper.GetConditions($Cap)) $Conditions[0] | Should -Be "User risk levels: low" $Conditions[1] | Should -Be "Sign-in risk levels: high" $Conditions[2] | Should -Be "Device platforms included: all" $Conditions[3] | Should -Be "Device platforms excluded: android, iOS, macOS, linux" $Conditions[4] | Should -Be "Locations included: all trusted locations" $Conditions[5] | Should -Be "Locations excluded: none" $Conditions[6] | Should -Be "Client apps included: Exchange ActiveSync Clients" $Conditions[7] | Should -Be "Custom device filter in exclude mode active" } It "handles empty input" { $Cap = @{} $Conditions = $($CapHelper.GetConditions($Cap) 3>$null) -Join ", " # 3>$null to surpress the warning # message as it is expected in this case $Conditions | Should -Be "" } } Describe "GetAccessControls" { BeforeEach { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'Cap')] $Cap = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "./CapSnippets/AccessControls.json") | ConvertFrom-Json } It "handles blocking access" { $Cap.GrantControls.BuiltInControls = @("block") $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Block access" } It "handles requiring single control" { $Cap.GrantControls.BuiltInControls = @("mfa") $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Allow access but require multifactor authentication" } It "handles requiring terms of use" { $Cap.GrantControls.TermsOfUse = @("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa") $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Allow access but require terms of use" } It "handles requiring multiple controls in AND mode" { $Cap.GrantControls.BuiltInControls = @("mfa", "compliantDevice", "domainJoinedDevice", "approvedApplication", "compliantApplication", "passwordChange") $Cap.GrantControls.Operator = "AND" $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Allow access but require multifactor authentication, device to be marked compliant, Hybrid Azure AD joined device, approved client app, app protection policy, AND password change" } It "handles requiring multiple controls in OR mode" { $Cap.GrantControls.BuiltInControls = @("mfa", "compliantDevice", "domainJoinedDevice", "approvedApplication", "compliantApplication", "passwordChange") $Cap.GrantControls.Operator = "OR" $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Allow access but require multifactor authentication, device to be marked compliant, Hybrid Azure AD joined device, approved client app, app protection policy, OR password change" } It "handles using authentication strength (phishing resistant MFA)" { $Cap.GrantControls.AuthenticationStrength.DisplayName = "Phishing resistant MFA" $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Allow access but require authentication strength (Phishing resistant MFA)" } It "handles using both authentication strength and a traditional control" { $Cap.GrantControls.AuthenticationStrength.DisplayName = "Multi-factor authentication" $Cap.GrantControls.BuiltInControls = @("passwordChange") $Cap.GrantControls.Operator = "AND" $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "Allow access but require password change, AND authentication strength (Multi-factor authentication)" } It "handles using no access controls" { $Cap.GrantControls.BuiltInControls = $null $Controls = $($CapHelper.GetAccessControls($Cap)) $Controls | Should -Be "None" } It "handles empty input" { $Cap = @{} $Controls = $($CapHelper.GetAccessControls($Cap) 3>$null) -Join ", " # 3>$null to surpress the warning # message as it is expected in this case $Controls | Should -Be "" } } Describe "GetSessionControls" { BeforeEach { [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', 'Cap')] $Cap = Get-Content (Join-Path -Path $PSScriptRoot -ChildPath "./CapSnippets/SessionControls.json") | ConvertFrom-Json } It "handles using no session controls" { $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "None" } It "handles using app enforced restrictions" { $Cap.SessionControls.ApplicationEnforcedRestrictions.IsEnabled = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Use app enforced restrictions" } It "handles using conditional access app control with custom policy" { $Cap.SessionControls.CloudAppSecurity.CloudAppSecurityType = "mcasConfigured" $Cap.SessionControls.CloudAppSecurity.IsEnabled = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Use Conditional Access App Control (Use custom policy)" } It "handles using conditional access app control in monitor mode" { $Cap.SessionControls.CloudAppSecurity.CloudAppSecurityType = "monitorOnly" $Cap.SessionControls.CloudAppSecurity.IsEnabled = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Use Conditional Access App Control (Monitor only)" } It "handles using conditional access app control in block mode" { $Cap.SessionControls.CloudAppSecurity.CloudAppSecurityType = "blockDownloads" $Cap.SessionControls.CloudAppSecurity.IsEnabled = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Use Conditional Access App Control (Block downloads)" } It "handles using sign-in frequency every time" { $Cap.SessionControls.SignInFrequency.FrequencyInterval = "everyTime" $Cap.SessionControls.SignInFrequency.IsEnabled = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Sign-in frequency (every time)" } It "handles using sign-in frequency time based" { $Cap.SessionControls.SignInFrequency.FrequencyInterval = "timeBased" $Cap.SessionControls.SignInFrequency.Type = "days" $Cap.SessionControls.SignInFrequency.Value = 10 $Cap.SessionControls.SignInFrequency.IsEnabled = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Sign-in frequency (every 10 days)" } It "handles using persistent browser session" { $Cap.SessionControls.PersistentBrowser.IsEnabled = $true $Cap.SessionControls.PersistentBrowser.Mode = "never" $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Persistent browser session (never persistent)" } It "handles using customized continuous access evaluation" { $Cap.SessionControls.ContinuousAccessEvaluation.Mode = "disabled" $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Customize continuous access evaluation" } It "handles disabling resilience defaults" { $Cap.SessionControls.DisableResilienceDefaults = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls | Should -Be "Disable resilience defaults" } It "handles multiple controls simultaneously" { $Cap.SessionControls.PersistentBrowser.IsEnabled = $true $Cap.SessionControls.PersistentBrowser.Mode = "never" $Cap.SessionControls.DisableResilienceDefaults = $true $Controls = $($CapHelper.GetSessionControls($Cap)) $Controls[0] | Should -Be "Persistent browser session (never persistent)" $Controls[1] | Should -Be "Disable resilience defaults" } It "handles empty input" { $Cap = @{} $Controls = $($CapHelper.GetSessionControls($Cap) 3>$null) -Join ", " # 3>$null to surpress the warning # message as it is expected in this case $Controls | Should -Be "" } } # SIG # Begin signature block # MIIuugYJKoZIhvcNAQcCoIIuqzCCLqcCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDlWcHgGlG3bIZc # LYZfoKtKPJeBKqB+rxeIitjBwNFbbaCCE6MwggWQMIIDeKADAgECAhAFmxtXno4h # MuI5B72nd3VcMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNV # BAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0xMzA4MDExMjAwMDBaFw0z # ODAxMTUxMjAwMDBaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB # AL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/z # G6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZ # anMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7s # Wxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL # 2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfb # BHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3 # JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3c # AORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqx # YxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0 # viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aL # T8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjQjBAMA8GA1Ud # EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTs1+OC0nFdZEzf # Lmc/57qYrhwPTzANBgkqhkiG9w0BAQwFAAOCAgEAu2HZfalsvhfEkRvDoaIAjeNk # aA9Wz3eucPn9mkqZucl4XAwMX+TmFClWCzZJXURj4K2clhhmGyMNPXnpbWvWVPjS # PMFDQK4dUPVS/JA7u5iZaWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK # 7VB6fWIhCoDIc2bRoAVgX+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eB # cg3AFDLvMFkuruBx8lbkapdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp # 5aPNoiBB19GcZNnqJqGLFNdMGbJQQXE9P01wI4YMStyB0swylIQNCAmXHE/A7msg # dDDS4Dk0EIUhFQEI6FUy3nFJ2SgXUE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vri # RbgjU2wGb2dVf0a1TD9uKFp5JtKkqGKX0h7i7UqLvBv9R0oN32dmfrJbQdA75PQ7 # 9ARj6e/CVABRoIoqyc54zNXqhwQYs86vSYiv85KZtrPmYQ/ShQDnUBrkG5WdGaG5 # nLGbsQAe79APT0JsyQq87kP6OnGlyE0mpTX9iV28hWIdMtKgK1TtmlfB2/oQzxm3 # i0objwG2J5VT6LaJbVu8aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyBIa0H # EEcRrYc9B9F1vM/zZn4wggawMIIEmKADAgECAhAIrUCyYNKcTJ9ezam9k67ZMA0G # CSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDAeFw0yMTA0MjkwMDAwMDBaFw0zNjA0MjgyMzU5NTla # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDVtC9C # 0CiteLdd1TlZG7GIQvUzjOs9gZdwxbvEhSYwn6SOaNhc9es0JAfhS0/TeEP0F9ce # 2vnS1WcaUk8OoVf8iJnBkcyBAz5NcCRks43iCH00fUyAVxJrQ5qZ8sU7H/Lvy0da # E6ZMswEgJfMQ04uy+wjwiuCdCcBlp/qYgEk1hz1RGeiQIXhFLqGfLOEYwhrMxe6T # SXBCMo/7xuoc82VokaJNTIIRSFJo3hC9FFdd6BgTZcV/sk+FLEikVoQ11vkunKoA # FdE3/hoGlMJ8yOobMubKwvSnowMOdKWvObarYBLj6Na59zHh3K3kGKDYwSNHR7Oh # D26jq22YBoMbt2pnLdK9RBqSEIGPsDsJ18ebMlrC/2pgVItJwZPt4bRc4G/rJvmM # 1bL5OBDm6s6R9b7T+2+TYTRcvJNFKIM2KmYoX7BzzosmJQayg9Rc9hUZTO1i4F4z # 8ujo7AqnsAMrkbI2eb73rQgedaZlzLvjSFDzd5Ea/ttQokbIYViY9XwCFjyDKK05 # huzUtw1T0PhH5nUwjewwk3YUpltLXXRhTT8SkXbev1jLchApQfDVxW0mdmgRQRNY # mtwmKwH0iU1Z23jPgUo+QEdfyYFQc4UQIyFZYIpkVMHMIRroOBl8ZhzNeDhFMJlP # /2NPTLuqDQhTQXxYPUez+rbsjDIJAsxsPAxWEQIDAQABo4IBWTCCAVUwEgYDVR0T # AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHwYD # VR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGGMBMG # A1UdJQQMMAoGCCsGAQUFBwMDMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYY # aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2Fj # ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNV # HR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU # cnVzdGVkUm9vdEc0LmNybDAcBgNVHSAEFTATMAcGBWeBDAEDMAgGBmeBDAEEATAN # BgkqhkiG9w0BAQwFAAOCAgEAOiNEPY0Idu6PvDqZ01bgAhql+Eg08yy25nRm95Ry # sQDKr2wwJxMSnpBEn0v9nqN8JtU3vDpdSG2V1T9J9Ce7FoFFUP2cvbaF4HZ+N3HL # IvdaqpDP9ZNq4+sg0dVQeYiaiorBtr2hSBh+3NiAGhEZGM1hmYFW9snjdufE5Btf # Q/g+lP92OT2e1JnPSt0o618moZVYSNUa/tcnP/2Q0XaG3RywYFzzDaju4ImhvTnh # OE7abrs2nfvlIVNaw8rpavGiPttDuDPITzgUkpn13c5UbdldAhQfQDN8A+KVssIh # dXNSy0bYxDQcoqVLjc1vdjcshT8azibpGL6QB7BDf5WIIIJw8MzK7/0pNVwfiThV # 9zeKiwmhywvpMRr/LhlcOXHhvpynCgbWJme3kuZOX956rEnPLqR0kq3bPKSchh/j # wVYbKyP/j7XqiHtwa+aguv06P0WmxOgWkVKLQcBIhEuWTatEQOON8BUozu3xGFYH # Ki8QxAwIZDwzj64ojDzLj4gLDb879M4ee47vtevLt/B3E+bnKD+sEq6lLyJsQfmC # XBVmzGwOysWGw/YmMwwHS6DTBwJqakAwSEs0qFEgu60bhQjiWQ1tygVQK+pKHJ6l # /aCnHwZ05/LWUpD9r4VIIflXO7ScA+2GRfS0YW6/aOImYIbqyK+p/pQd52MbOoZW # eE4wggdXMIIFP6ADAgECAhANkQ8dPvvR0q3Ytt4H0T3aMA0GCSqGSIb3DQEBCwUA # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwHhcNMjQwMTMwMDAwMDAwWhcNMjUwMTI5MjM1OTU5WjBfMQsw # CQYDVQQGEwJVUzEdMBsGA1UECBMURGlzdHJpY3Qgb2YgQ29sdW1iaWExEzARBgNV # BAcTCldhc2hpbmd0b24xDTALBgNVBAoTBENJU0ExDTALBgNVBAMTBENJU0EwggIi # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCT1y7uJCQax8JfiDEYgpiU9URj # EXCTRqtZbDALM9rPUudiuM3mj6A1SUSAAWYv6DTsvGPvxyMI2Idg0mQunl4Ms9DJ # yVwe5k4+Anj/73Nx1AbOPYP8xRZcD10FkctKGhV0PzvrDcwU15hsQWtiepFgg+bX # fHkGMeu426oc69f43vKE43DiqKTf0/UBX/qgpj3JZvJ3zc1kilBOv4sBCksfCjbW # tLZD0tqAgBsNPo3Oy5mQG31E1eZdTNvrdTnEXacSwb3k615z7mHy7nqBUkOruZ9E # tnvC2qla+uL3ks91O/e/LnKzH9Lj1JmEBf6jwPN/MYR9Dymni4Mi3AQ8mpQMyFmi # XcSHymibSNbtTMavpdBWjFfrcvPETX7krROUOoLzMQmNgHArceSh55tgvDRdSU5c # WK3BTvK3l3mgCdgjre7XGYxV3W8apyxk5+RKfHdbv9cpRwpSuDnI8sHeqmB3fnfo # Cr1PPu4WhKegt20CobhDVybiBdhDVqUdR53ful4N/coQOEHDrIExB5nJf9Pvdrza # DyIGKAMIXD79ba5/rQEo+2cA66oJkPlvB5hEGI/jtDcYwDBgalbwB7Kc8zAAhl6+ # JvHfYpXOkppSfEQbaRXZI+LGXWQAFa5pJDfDEAyZSXprStgw594sWUOysp+UOxFe # kSA4mBr0o1jVpdaulwIDAQABo4ICAzCCAf8wHwYDVR0jBBgwFoAUaDfg67Y7+F8R # hvv+YXsIiGX0TkIwHQYDVR0OBBYEFAmyTB5bcWyA+8+rq540jPRLJ1nYMD4GA1Ud # IAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNl # cnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMw # gbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp # Z2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5j # cmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0 # ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMIGUBggrBgEF # BQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t # MFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl # cnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAJ # BgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQAh2Jnt9IPoBvOQlYQUlCP9iJ5y # XAvEWe1camOwedqMZsHEPpT2yd6+fMzPZmV3/bYJgaN2OrDS1snf62S7yc+AulVw # PAXSp1lSAiFEbZ6PFEdEBIag9B65Mp/cvRtJsIWQIc//jWqFMHpkU6r3MW9YARRu # vaIf5/0qlM4VEwn3lTf+jJdxhhyoOFTWWd3BrlMPcT06z6F6hFfyycQkZ3Y9wEJ3 # uOU9bCNLZL1HCjlKT+oI0WsgeRdbe2sYrnvv9NmDY9oEi8PEq+DGjiTgLbY5OcAX # uUogPPw6gbcuNn8Hq6FFKPIQxaksB8dF8Gw4m2lQoUWESPRF8Zaq9lmZN3+QzA79 # yskfJtAFqz3gUP5wJBdNfi/u1sGbLI0QnJQkIKfFuz7DfDPldw0gIl05BIYwZBmj # TpFRu1/+gIlP1Ul4L/wt9Lxk6pglObLsdxHP2UQrG30JaUN0gv3xZMBBByHGVVTe # cyU4qwJ0ulMdv/kjHwh+m58uOF8gHXLfyBmOjYpohN3+l0rS0qdArZMNSmLTA7N8 # n3V3AZLKB//1yhPt++gR4pCFdXmgwYDDLRxjlV0cMsG1UeSQUdI0aieh/grg5TQO # CergVXS5h3sz5U0ZQPWND41LJhA0gF2OGZNHdUc9+0dwTsfxAERrjaTdeZp0/rdZ # 9iGBoiRsS4U86S8xkDGCGm0wghppAgEBMH0waTELMAkGA1UEBhMCVVMxFzAVBgNV # BAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0 # IENvZGUgU2lnbmluZyBSU0E0MDk2IFNIQTM4NCAyMDIxIENBMQIQDZEPHT770dKt # 2LbeB9E92jANBglghkgBZQMEAgEFAKCBhDAYBgorBgEEAYI3AgEMMQowCKACgACh # AoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcCAQsxDjAM # BgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCCUgC+YNdzz/wmCPUBWI96YBig/ # Io9Suv22IomJNJ5+3jANBgkqhkiG9w0BAQEFAASCAgBhKT721RD1+ZPhc2w5XTUj # Pv9qlIBbtPGYuwJNC07ATSXWwADFrAtbXa4C2gYhnpsNeovYFQisJG9+u7V3gIOP # P2vKyjRFi9B7iY/+HiiphQWKz2Rm7GY3nlJWyn+j7HBhfNxlHtH3N9zzfbTnh9Vu # NsLZVLCEu1Djg6TBsz2MtC/2NsF54vepboYA5hrUhrQoQ1SX8d/sTtunEKglbFod # vo5hV57/feDYwSAKFcIrz1Hx8dVxspGCv85v5GrLwY/VdGSLfMKbZEoB9Sm02L5I # oN2bDiicHhiEvWqN/btWevRTioa+ONvWUSmvsQlvsNZwd8khlCvqonMQm4bIERvh # XIt3HUHEfPPklZgHUQdxh1i7zhK9acsERC4UNoQzfONJhTYHkh01hTopAmEDcGAp # btXQW2IFGYBuhTZPXh3LgtcNrM+2NC39u9A04ch26DGvB0U5ztnO8wQjTz1ocDzw # ZoAFLGJA+L9QfpnNk8v6QI4e33DELUxw7+/zoN7CDUuBc6yjJIbD23vj9FTr1Onm # qA8cf++EyixQbHpXA92iDAAkTT1u/9KxGUJsyX4L2xdN/+QlenbJ11um0G10aiq0 # vHzB407Pc5XjvsdknmElkGnpiV/tsfsgzXykBLXR6lK6BQGz3KQ2CNr+J8Czh+CC # q2NiVMDUeeELiL5mBsO+d6GCFzowghc2BgorBgEEAYI3AwMBMYIXJjCCFyIGCSqG # SIb3DQEHAqCCFxMwghcPAgEDMQ8wDQYJYIZIAWUDBAIBBQAweAYLKoZIhvcNAQkQ # AQSgaQRnMGUCAQEGCWCGSAGG/WwHATAxMA0GCWCGSAFlAwQCAQUABCBgjPQsyhLX # 0vPhfe7fcAEOWaVxKfvC3GyZWce3NBYERQIRANqeUMs58WSNiiXoMVA2tdkYDzIw # MjQxMDExMTUxMTExWqCCEwMwgga8MIIEpKADAgECAhALrma8Wrp/lYfG+ekE4zME # MA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2Vy # dCwgSW5jLjE7MDkGA1UEAxMyRGlnaUNlcnQgVHJ1c3RlZCBHNCBSU0E0MDk2IFNI # QTI1NiBUaW1lU3RhbXBpbmcgQ0EwHhcNMjQwOTI2MDAwMDAwWhcNMzUxMTI1MjM1 # OTU5WjBCMQswCQYDVQQGEwJVUzERMA8GA1UEChMIRGlnaUNlcnQxIDAeBgNVBAMT # F0RpZ2lDZXJ0IFRpbWVzdGFtcCAyMDI0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A # MIICCgKCAgEAvmpzn/aVIauWMLpbbeZZo7Xo/ZEfGMSIO2qZ46XB/QowIEMSvgjE # dEZ3v4vrrTHleW1JWGErrjOL0J4L0HqVR1czSzvUQ5xF7z4IQmn7dHY7yijvoQ7u # jm0u6yXF2v1CrzZopykD07/9fpAT4BxpT9vJoJqAsP8YuhRvflJ9YeHjes4fduks # THulntq9WelRWY++TFPxzZrbILRYynyEy7rS1lHQKFpXvo2GePfsMRhNf1F41nyE # g5h7iOXv+vjX0K8RhUisfqw3TTLHj1uhS66YX2LZPxS4oaf33rp9HlfqSBePejlY # eEdU740GKQM7SaVSH3TbBL8R6HwX9QVpGnXPlKdE4fBIn5BBFnV+KwPxRNUNK6lY # k2y1WSKour4hJN0SMkoaNV8hyyADiX1xuTxKaXN12HgR+8WulU2d6zhzXomJ2Ple # I9V2yfmfXSPGYanGgxzqI+ShoOGLomMd3mJt92nm7Mheng/TBeSA2z4I78JpwGpT # RHiT7yHqBiV2ngUIyCtd0pZ8zg3S7bk4QC4RrcnKJ3FbjyPAGogmoiZ33c1HG93V # p6lJ415ERcC7bFQMRbxqrMVANiav1k425zYyFMyLNyE1QulQSgDpW9rtvVcIH7Wv # G9sqYup9j8z9J1XqbBZPJ5XLln8mS8wWmdDLnBHXgYly/p1DhoQo5fkCAwEAAaOC # AYswggGHMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQM # MAoGCCsGAQUFBwMIMCAGA1UdIAQZMBcwCAYGZ4EMAQQCMAsGCWCGSAGG/WwHATAf # BgNVHSMEGDAWgBS6FtltTYUvcyl2mi91jGogj57IbzAdBgNVHQ4EFgQUn1csA3cO # KBWQZqVjXu5Pkh92oFswWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2NybDMuZGln # aWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0UlNBNDA5NlNIQTI1NlRpbWVTdGFt # cGluZ0NBLmNybDCBkAYIKwYBBQUHAQEEgYMwgYAwJAYIKwYBBQUHMAGGGGh0dHA6 # Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBYBggrBgEFBQcwAoZMaHR0cDovL2NhY2VydHMu # ZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0UlNBNDA5NlNIQTI1NlRpbWVT # dGFtcGluZ0NBLmNydDANBgkqhkiG9w0BAQsFAAOCAgEAPa0eH3aZW+M4hBJH2UOR # 9hHbm04IHdEoT8/T3HuBSyZeq3jSi5GXeWP7xCKhVireKCnCs+8GZl2uVYFvQe+p # PTScVJeCZSsMo1JCoZN2mMew/L4tpqVNbSpWO9QGFwfMEy60HofN6V51sMLMXNTL # fhVqs+e8haupWiArSozyAmGH/6oMQAh078qRh6wvJNU6gnh5OruCP1QUAvVSu4kq # VOcJVozZR5RRb/zPd++PGE3qF1P3xWvYViUJLsxtvge/mzA75oBfFZSbdakHJe2B # VDGIGVNVjOp8sNt70+kEoMF+T6tptMUNlehSR7vM+C13v9+9ZOUKzfRUAYSyyEmY # tsnpltD/GWX8eM70ls1V6QG/ZOB6b6Yum1HvIiulqJ1Elesj5TMHq8CWT/xrW7tw # ipXTJ5/i5pkU5E16RSBAdOp12aw8IQhhA/vEbFkEiF2abhuFixUDobZaA0VhqAsM # HOmaT3XThZDNi5U2zHKhUs5uHHdG6BoQau75KiNbh0c+hatSF+02kULkftARjsyE # pHKsF7u5zKRbt5oK5YGwFvgc4pEVUNytmB3BpIiowOIIuDgP5M9WArHYSAR16gc0 # dP2XdkMEP5eBsX7bf/MGN4K3HP50v/01ZHo/Z5lGLvNwQ7XHBx1yomzLP8lx4Q1z # ZKDyHcp4VQJLu2kWTsKsOqQwggauMIIElqADAgECAhAHNje3JFR82Ees/ShmKl5b # MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2Vy # dCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lD # ZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0yMjAzMjMwMDAwMDBaFw0zNzAzMjIyMzU5 # NTlaMGMxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjE7MDkG # A1UEAxMyRGlnaUNlcnQgVHJ1c3RlZCBHNCBSU0E0MDk2IFNIQTI1NiBUaW1lU3Rh # bXBpbmcgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDGhjUGSbPB # PXJJUVXHJQPE8pE3qZdRodbSg9GeTKJtoLDMg/la9hGhRBVCX6SI82j6ffOciQt/ # nR+eDzMfUBMLJnOWbfhXqAJ9/UO0hNoR8XOxs+4rgISKIhjf69o9xBd/qxkrPkLc # Z47qUT3w1lbU5ygt69OxtXXnHwZljZQp09nsad/ZkIdGAHvbREGJ3HxqV3rwN3mf # XazL6IRktFLydkf3YYMZ3V+0VAshaG43IbtArF+y3kp9zvU5EmfvDqVjbOSmxR3N # Ng1c1eYbqMFkdECnwHLFuk4fsbVYTXn+149zk6wsOeKlSNbwsDETqVcplicu9Yem # j052FVUmcJgmf6AaRyBD40NjgHt1biclkJg6OBGz9vae5jtb7IHeIhTZgirHkr+g # 3uM+onP65x9abJTyUpURK1h0QCirc0PO30qhHGs4xSnzyqqWc0Jon7ZGs506o9UD # 4L/wojzKQtwYSH8UNM/STKvvmz3+DrhkKvp1KCRB7UK/BZxmSVJQ9FHzNklNiyDS # LFc1eSuo80VgvCONWPfcYd6T/jnA+bIwpUzX6ZhKWD7TA4j+s4/TXkt2ElGTyYwM # O1uKIqjBJgj5FBASA31fI7tk42PgpuE+9sJ0sj8eCXbsq11GdeJgo1gJASgADoRU # 7s7pXcheMBK9Rp6103a50g5rmQzSM7TNsQIDAQABo4IBXTCCAVkwEgYDVR0TAQH/ # BAgwBgEB/wIBADAdBgNVHQ4EFgQUuhbZbU2FL3MpdpovdYxqII+eyG8wHwYDVR0j # BBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGGMBMGA1Ud # JQQMMAoGCCsGAQUFBwMIMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYYaHR0 # cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2FjZXJ0 # cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNVHR8E # PDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVz # dGVkUm9vdEc0LmNybDAgBgNVHSAEGTAXMAgGBmeBDAEEAjALBglghkgBhv1sBwEw # DQYJKoZIhvcNAQELBQADggIBAH1ZjsCTtm+YqUQiAX5m1tghQuGwGC4QTRPPMFPO # vxj7x1Bd4ksp+3CKDaopafxpwc8dB+k+YMjYC+VcW9dth/qEICU0MWfNthKWb8RQ # TGIdDAiCqBa9qVbPFXONASIlzpVpP0d3+3J0FNf/q0+KLHqrhc1DX+1gtqpPkWae # LJ7giqzl/Yy8ZCaHbJK9nXzQcAp876i8dU+6WvepELJd6f8oVInw1YpxdmXazPBy # oyP6wCeCRK6ZJxurJB4mwbfeKuv2nrF5mYGjVoarCkXJ38SNoOeY+/umnXKvxMfB # wWpx2cYTgAnEtp/Nh4cku0+jSbl3ZpHxcpzpSwJSpzd+k1OsOx0ISQ+UzTl63f8l # Y5knLD0/a6fxZsNBzU+2QJshIUDQtxMkzdwdeDrknq3lNHGS1yZr5Dhzq6YBT70/ # O3itTK37xJV77QpfMzmHQXh6OOmc4d0j/R0o08f56PGYX/sr2H7yRp11LB4nLCbb # bxV7HhmLNriT1ObyF5lZynDwN7+YAN8gFk8n+2BnFqFmut1VwDophrCYoCvtlUG3 # OtUVmDG0YgkPCr2B2RP+v6TR81fZvAT6gt4y3wSJ8ADNXcL50CN/AAvkdgIm2fBl # dkKmKYcJRyvmfxqkhQ/8mJb2VVQrH4D6wPIOK+XW+6kvRBVK5xMOHds3OBqhK/bt # 1nz8MIIFjTCCBHWgAwIBAgIQDpsYjvnQLefv21DiCEAYWjANBgkqhkiG9w0BAQwF # ADBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQL # ExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElE # IFJvb3QgQ0EwHhcNMjIwODAxMDAwMDAwWhcNMzExMTA5MjM1OTU5WjBiMQswCQYD # VQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGln # aWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIi # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKn # JS7JIT3yithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/W # BTxSD1Ifxp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHi # LQwb7iDVySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhm # V1efVFiODCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHE # tWoYOAMQjdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6 # MUSaM0C/CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mX # aXpI8OCiEhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZ # xd9LBADMfRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfh # vbfmQ6QYuKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvl # EFDrMcXKchYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn1 # 5GkvmB0t9dmpsh3lGwIDAQABo4IBOjCCATYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV # HQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wHwYDVR0jBBgwFoAUReuir/SSy4Ix # LVGLp6chnfNtyA8wDgYDVR0PAQH/BAQDAgGGMHkGCCsGAQUFBwEBBG0wazAkBggr # BgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEMGCCsGAQUFBzAChjdo # dHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290 # Q0EuY3J0MEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNv # bS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwEQYDVR0gBAowCDAGBgRVHSAA # MA0GCSqGSIb3DQEBDAUAA4IBAQBwoL9DXFXnOF+go3QbPbYW1/e/Vwe9mqyhhyzs # hV6pGrsi+IcaaVQi7aSId229GhT0E0p6Ly23OO/0/4C5+KH38nLeJLxSA8hO0Cre # +i1Wz/n096wwepqLsl7Uz9FDRJtDIeuWcqFItJnLnU+nBgMTdydE1Od/6Fmo8L8v # C6bp8jQ87PcDx4eo0kxAGTVGamlUsLihVo7spNU96LHc/RzY9HdaXFSMb++hUD38 # dglohJ9vytsgjTVgHAIDyyCwrFigDkBjxZgiwbJZ9VVrzyerbHbObyMt9H5xaiNr # Iv8SuFQtJ37YOtnwtoeW/VvRXKwYw02fc7cBqZ9Xql4o4rmUMYIDdjCCA3ICAQEw # dzBjMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xOzA5BgNV # BAMTMkRpZ2lDZXJ0IFRydXN0ZWQgRzQgUlNBNDA5NiBTSEEyNTYgVGltZVN0YW1w # aW5nIENBAhALrma8Wrp/lYfG+ekE4zMEMA0GCWCGSAFlAwQCAQUAoIHRMBoGCSqG # SIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMjQxMDExMTUx # MTExWjArBgsqhkiG9w0BCRACDDEcMBowGDAWBBTb04XuYtvSPnvk9nFIUIck1YZb # RTAvBgkqhkiG9w0BCQQxIgQgDynTPLQca0FJKzr13+NV7biVC07MM90jSj4mRH06 # pigwNwYLKoZIhvcNAQkQAi8xKDAmMCQwIgQgdnafqPJjLx9DCzojMK7WVnX+13Pb # BdZluQWTmEOPmtswDQYJKoZIhvcNAQEBBQAEggIAJJnG2h+uhC4L6GqaRtFe5Zuh # PpVgRJC/d3hAC9ZhEpt+hnAVAiedwnqlcm2OCwcPpC2oRa2iR9H36O3vOKBVsecT # ZuLRhLSKvfalQBdENRTq5T2b7jRzPMxv8sgu51MPsdVZrmuj3qfvDc0Cckjdb5U/ # 4FBh1LxBOsSoLIjp8IJqCemagVdXRZ0KwFX943XLc3xMQv1VpXpGhgfTEBAnrOGM # ct+BUbTpRO6+jvlcFxtMSBG6cao4+KG04Ty3ci8lhweSFWVTBcY5nlUkz5hAqvSa # l4caVuUJTevcedAyVj14GVyjP5ecVQ8nP0JUjYGqJ3or+BFsnu8CJutG4VbpcPjK # 0zaah419w+evZW4oDTM0smzhBd6Kk3FaBOl+sRf8V2xTio4WNLORNPouvmY7EY22 # EhFoSS0zssl9qyqzGZIRRUSg33fluZZeVrHqqqL8uP2AWcXOXHTGWBRy7gJGNw1/ # JQzp2ZG8sJSOsMdAFTFzr+8gU9XXW1hHIuucixJ/RDTkrsD29MMVaqEtZQzaRQJB # x+FqnDCIQ0Fqrs7XeksF0w26nkk1wwcJvG39hj34fle22QqdWmums32tpR1hzSKu # PnLU6IT+jcA2dd1UqeLXjLkv027tRFNOPevFf8tvcsLs8mdwAwk7BZB2eBd9zRO/ # 1qVK4o8LtcYK3S2j7R0= # SIG # End signature block |