diff --git a/docs/reference/cmdlets/New-IdleAuthSession.md b/docs/reference/cmdlets/New-IdleAuthSession.md index 9f150283..dbcadfa8 100644 --- a/docs/reference/cmdlets/New-IdleAuthSession.md +++ b/docs/reference/cmdlets/New-IdleAuthSession.md @@ -13,7 +13,7 @@ Creates a simple AuthSessionBroker for use with IdLE providers. ## SYNTAX ``` -New-IdleAuthSession [-SessionMap] <Hashtable> [[-DefaultCredential] <PSCredential>] +New-IdleAuthSession [-SessionMap] <Hashtable> [[-DefaultAuthSession] <Object>] [-AuthSessionType] <String> [-ProgressAction <ActionPreference>] [<CommonParameters>] ``` @@ -30,13 +30,13 @@ This is a thin wrapper that delegates to IdLE.Core\New-IdleAuthSessionBroker. ``` $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential -} +} -AuthSessionType 'Credential' ``` ## PARAMETERS ### -SessionMap -A hashtable that maps session configurations to credentials. +A hashtable that maps session configurations to auth sessions. ```yaml Type: Hashtable @@ -50,11 +50,11 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -DefaultCredential -Optional default credential to return when no session options are provided. +### -DefaultAuthSession +Optional default auth session to return when no session options are provided. ```yaml -Type: PSCredential +Type: Object Parameter Sets: (All) Aliases: 
@@ -65,6 +65,28 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -AuthSessionType +Specifies the type of authentication session. +This determines validation rules, +lifecycle management, and telemetry behavior. + +Valid values: +- 'OAuth': Token-based authentication (e.g., Microsoft Graph, Exchange Online) +- 'PSRemoting': PowerShell remoting execution context (e.g., Entra Connect) +- 'Credential': Credential-based authentication (e.g., Active Directory, mock providers) + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -ProgressAction TODO: ProgressAction Description diff --git a/docs/reference/providers/provider-ad.md b/docs/reference/providers/provider-ad.md index 7b23467a..27076535 100644 --- a/docs/reference/providers/provider-ad.md +++ b/docs/reference/providers/provider-ad.md @@ -95,6 +95,9 @@ This makes `New-IdleADIdentityProvider` available in your session. - `null` (integrated authentication / run-as) - `PSCredential` (used for AD cmdlets `-Credential`) - **Session options (data-only):** Any hashtable; commonly `@{ Role = 'Tier0' }` / `@{ Role = 'Admin' }` +- **Required `AuthSessionType`:** `Credential` + +The AD provider uses credential-based authentication where the module capabilities exist without requiring explicit session management. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'Credential'` to indicate this authentication pattern. :::warning 
@@ -122,10 +125,11 @@ $providers = @{ $tier0Credential = Get-Credential -Message 'Enter Tier0 AD admin credentials' $adminCredential = Get-Credential -Message 'Enter AD admin credentials' +# Create broker with Credential session type $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential -} -DefaultCredential $adminCredential +} -DefaultCredential $adminCredential -AuthSessionType 'Credential' $providers = @{ Identity = New-IdleADIdentityProvider @@ -143,10 +147,11 @@ $providers = @{ $sourceCred = Get-Credential -Message 'Enter credentials for source forest' $targetCred = Get-Credential -Message 'Enter credentials for target forest' +# Create broker with Credential session type $broker = New-IdleAuthSession -SessionMap @{ @{ Domain = 'SourceForest' } = $sourceCred @{ Domain = 'TargetForest' } = $targetCred -} +} -AuthSessionType 'Credential' # Steps use With.AuthSessionOptions = @{ Domain = 'SourceForest' } etc. ``` @@ -179,11 +184,11 @@ $adminCredential = Get-Credential -Message "Enter regular admin credentials" # Create provider $provider = New-IdleADIdentityProvider -# Create broker with role-based credential mapping +# Create broker with role-based credential mapping and Credential session type $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential -} -DefaultCredential $adminCredential +} -DefaultCredential $adminCredential -AuthSessionType 'Credential' # Use provider with broker $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{ @@ -267,7 +272,7 @@ $targetAD = New-IdleADIdentityProvider -AllowDelete $broker = New-IdleAuthSession -SessionMap @{ @{ Domain = 'Source' } = $sourceCred @{ Domain = 'Target' } = $targetCred -} +} -AuthSessionType 'Credential' $plan = New-IdlePlan -WorkflowPath './migration.psd1' -Request $request -Providers @{ SourceAD = $sourceAD 
diff --git a/docs/reference/providers/provider-directorysync-entraconnect.md b/docs/reference/providers/provider-directorysync-entraconnect.md index 0d42b067..b71985ac 100644 --- a/docs/reference/providers/provider-directorysync-entraconnect.md +++ b/docs/reference/providers/provider-directorysync-entraconnect.md @@ -63,6 +63,9 @@ and pass it to provider methods. - `DirectorySync` (see `IdLE.Step.TriggerDirectorySync`) - **Session options (data-only):** - Forwarded to the host broker for session selection (provider does not interpret option keys). +- **Required `AuthSessionType`:** `PSRemoting` + +The EntraConnect provider uses PowerShell remoting to execute commands on a remote Entra Connect server. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'PSRemoting'` to indicate remote execution context is expected. :::warning diff --git a/docs/reference/providers/provider-entraID.md b/docs/reference/providers/provider-entraID.md index cc064b27..16697c48 100644 --- a/docs/reference/providers/provider-entraID.md +++ b/docs/reference/providers/provider-entraID.md @@ -47,10 +47,10 @@ The provider accepts authentication sessions in these formats: Connect-AzAccount $token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token -# Create broker +# Create broker with OAuth session type (tokens can be passed directly) $broker = New-IdleAuthSession -SessionMap @{ @{} = $token -} -DefaultCredential $token +} -DefaultAuthSession $token -AuthSessionType 'OAuth' # Create provider $provider = New-IdleEntraIDIdentityProvider 
@@ -73,10 +73,10 @@ $tenantId = "your-tenant-id" # Obtain token (pseudo-code - use your preferred auth library) $token = Get-GraphAppOnlyToken -ClientId $clientId -ClientSecret $clientSecret -TenantId $tenantId -# Create broker +# Create broker with OAuth session type (tokens can be passed directly) $broker = New-IdleAuthSession -SessionMap @{ @{} = $token -} -DefaultCredential $token +} -DefaultAuthSession $token -AuthSessionType 'OAuth' # Rest is identical to delegated flow ``` @@ -87,14 +87,21 @@ $broker = New-IdleAuthSession -SessionMap @{ $tier0Token = Get-GraphToken -Role 'Tier0' $adminToken = Get-GraphToken -Role 'Admin' +# Create broker with OAuth session type (tokens can be passed directly) $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Token @{ Role = 'Admin' } = $adminToken -} -DefaultCredential $adminToken +} -DefaultAuthSession $adminToken -AuthSessionType 'OAuth' # Workflow steps specify: With.AuthSessionOptions = @{ Role = 'Tier0' } ``` +### Auth Session Type + +**Required `AuthSessionType`:** `OAuth` + +The EntraID provider uses OAuth-based authentication via Microsoft Graph API tokens. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'OAuth'` to indicate token-based authentication is expected. + > Providers must not prompt for auth. Use the host-provided broker contract. diff --git a/docs/reference/providers/provider-exchangeonline.md b/docs/reference/providers/provider-exchangeonline.md index 82f6eb48..ac5493ea 100644 --- a/docs/reference/providers/provider-exchangeonline.md +++ b/docs/reference/providers/provider-exchangeonline.md 
@@ -58,6 +58,9 @@ sidebar_label: ExchangeOnline - Typically the step passes `With.AuthSessionName` (if present). For built-in mailbox steps, if `With.AuthSessionName` is absent, it defaults to the provider alias (commonly `ExchangeOnline`). - **Session options (data-only):** - The provider does not interpret options; they are used by the host/broker to select credentials/route to a tenant/session. +- **Required `AuthSessionType`:** `OAuth` + +The ExchangeOnline provider uses OAuth-based authentication via Exchange Online PowerShell. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'OAuth'` to indicate token-based authentication is expected. :::warning diff --git a/docs/reference/providers/provider-mock.md b/docs/reference/providers/provider-mock.md index 2bfe82a5..4a0e3bf0 100644 --- a/docs/reference/providers/provider-mock.md +++ b/docs/reference/providers/provider-mock.md @@ -59,6 +59,10 @@ sidebar_label: Mock This provider does not require authentication. +- **AuthSessionType usage:** Not applicable + +The Mock provider does not acquire or require auth sessions. You do not need to configure an `AuthSessionBroker` when using this provider. If a broker is supplied for broader test scaffolding, this provider will ignore any acquired auth session. + :::warning **Security notes** diff --git a/docs/use/providers.md b/docs/use/providers.md index f368ea56..723d9be1 100644 --- a/docs/use/providers.md +++ b/docs/use/providers.md 
@@ -112,6 +112,18 @@ Many providers require authenticated connections (tokens, API clients, remote se IdLE keeps authentication out of the engine and out of individual providers by using a host-supplied broker. Using the **AuthSessionBroker** is in particular helpful for scenarios that use different providers or different authentications for one provider in one workflow. +### AuthSessionType + +Each `AuthSessionBroker` must specify an `AuthSessionType` that determines validation rules, lifecycle management, and telemetry behavior: + +- **`OAuth`** - Token-based authentication (e.g., Microsoft Graph, Exchange Online) +- **`PSRemoting`** - PowerShell remoting execution context (e.g., Entra Connect) +- **`Credential`** - Credential-based authentication (e.g., Active Directory, mock providers) + +Each provider documents its required `AuthSessionType` in its reference documentation. + +### Example: Active Directory with Credential Auth + ```powershell # Assuming you have credentials available (e.g., from a secure vault or credential manager) $tier0Credential = Get-Credential -Message "Enter Tier0 admin credentials" @@ -120,11 +132,11 @@ $adminCredential = Get-Credential -Message "Enter regular admin credentials" # Create provider $provider = New-IdleADIdentityProvider -# Create broker with role-based credential mapping +# Create broker with role-based credential mapping and Credential session type $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential -} -DefaultCredential $adminCredential +} -DefaultAuthSession $adminCredential -AuthSessionType 'Credential' # Use provider with broker $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{ 
@@ -133,6 +145,28 @@ $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Provider } ``` +### Example: Entra ID with OAuth + +```powershell +# Host obtains token (example using Azure PowerShell) +Connect-AzAccount +$token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token + +# Create broker with OAuth session type (tokens can be passed directly) +$broker = New-IdleAuthSession -SessionMap @{ + @{} = $token +} -DefaultAuthSession $token -AuthSessionType 'OAuth' + +# Create provider +$provider = New-IdleEntraIDIdentityProvider + +# Use in plan +$plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{ + Identity = $provider + AuthSessionBroker = $broker +} +``` + The different authentication sessions are used by the workflow definition by the steps via `AuthSessionOptions`. ```powershell With = @{ diff --git a/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 b/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 index 9e439cb6..5462595f 100644 --- a/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 +++ b/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 
@@ -13,25 +13,37 @@ function New-IdleAuthSessionBroker { AcquireAuthSession method. .PARAMETER SessionMap - A hashtable that maps session configurations to credentials. Each key is a hashtable - representing the AuthSessionOptions pattern, and each value is the PSCredential to return. + A hashtable that maps session configurations to auth sessions. Each key is a hashtable + representing the AuthSessionOptions pattern, and each value is the auth session to return. + The value can be a PSCredential, token string, session object, or any object appropriate + for the AuthSessionType. Common patterns: - - @{ Role = 'Tier0' } -> $tier0Credential - - @{ Role = 'Admin' } -> $adminCredential - - @{ Domain = 'SourceAD' } -> $sourceCred + - @{ Role = 'Tier0' } -> $tier0Credential (for Credential type) + - @{ Role = 'Admin' } -> $adminToken (for OAuth type) + - @{ Server = 'Server01' } -> $remoteSession (for PSRemoting type) - @{ Environment = 'Production' } -> $prodCred - .PARAMETER DefaultCredential - Optional default credential to return when no session options are provided or - when the options don't match any entry in SessionMap. + .PARAMETER DefaultAuthSession + Optional default auth session to return when no session options are provided or + when the options don't match any entry in SessionMap. Can be a PSCredential, token + string, session object, or any object appropriate for the AuthSessionType. + + .PARAMETER AuthSessionType + Specifies the type of authentication session. This determines validation rules, + lifecycle management, and telemetry behavior. 
+ + Valid values: + - 'OAuth': Token-based authentication (e.g., Microsoft Graph, Exchange Online) + - 'PSRemoting': PowerShell remoting execution context (e.g., Entra Connect) + - 'Credential': Credential-based authentication (e.g., Active Directory, mock providers) .EXAMPLE - # Simple role-based broker + # Simple role-based broker with Credential session type $broker = New-IdleAuthSessionBroker -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential - } -DefaultCredential $adminCredential + } -DefaultAuthSession $adminCredential -AuthSessionType 'Credential' $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{ Identity = New-IdleADIdentityProvider @@ -39,11 +51,23 @@ function New-IdleAuthSessionBroker { } .EXAMPLE - # Domain-based broker for multi-forest scenarios + # OAuth broker with token strings + $broker = New-IdleAuthSessionBroker -SessionMap @{ + @{ Role = 'Admin' } = $graphToken + } -DefaultAuthSession $graphToken -AuthSessionType 'OAuth' + + .EXAMPLE + # Domain-based broker for multi-forest scenarios with Credential session type $broker = New-IdleAuthSessionBroker -SessionMap @{ @{ Domain = 'SourceAD' } = $sourceCred @{ Domain = 'TargetAD' } = $targetCred - } + } -AuthSessionType 'Credential' + + .EXAMPLE + # PSRemoting broker for Entra Connect directory sync + $broker = New-IdleAuthSessionBroker -SessionMap @{ + @{ Server = 'AADConnect01' } = $remoteSessionCred + } -AuthSessionType 'PSRemoting' .OUTPUTS PSCustomObject with AcquireAuthSession method 
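Review bot: The new .PARAMETER AuthSessionType help says the type "determines validation rules, lifecycle management, and telemetry behavior", but the AcquireAuthSession hunk in this same file only adds a TODO and applies no type-specific logic, so readers will assume checks that do not exist. State the current contract plainly, e.g. `Currently informational only: the broker stores the value and performs no type-specific validation; hosts and providers may inspect it.` The same sentence is repeated in src/IdLE/Public/New-IdleAuthSession.ps1 and in the cmdlet and provider docs of this commit. The 'Credential' bullet also cites "mock providers" as an example, while provider-mock.md in this commit states that AuthSessionType is not applicable to the Mock provider; drop that example from the bullet. The comment-based help belongs to New-IdleAuthSessionBroker, whose body continues outside the hunk.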
@@ -56,13 +80,18 @@ function New-IdleAuthSessionBroker { [Parameter()] [AllowNull()] - [PSCredential] $DefaultCredential + [object] $DefaultAuthSession, + + [Parameter(Mandatory)] + [ValidateSet('OAuth', 'PSRemoting', 'Credential')] + [string] $AuthSessionType ) $broker = [pscustomobject]@{ PSTypeName = 'IdLE.AuthSessionBroker' SessionMap = $SessionMap - DefaultCredential = $DefaultCredential + DefaultAuthSession = $DefaultAuthSession + AuthSessionType = $AuthSessionType } $broker | Add-Member -MemberType ScriptMethod -Name AcquireAuthSession -Value { @@ -80,12 +109,19 @@ function New-IdleAuthSessionBroker { # This broker routes based on Options only; custom brokers may use Name for additional routing $null = $Name + # TODO: Implement type-specific validation rules for AuthSessionType + # Current implementation allows all options for all session types + # Future enhancements may add: + # - OAuth: Validate token format, expiration, scopes + # - PSRemoting: Validate remote session state, connectivity + # - Credential: Validate credential format, domain membership + # If no options provided, return default if ($null -eq $Options -or $Options.Count -eq 0) { - if ($null -ne $this.DefaultCredential) { - return $this.DefaultCredential + if ($null -ne $this.DefaultAuthSession) { + return $this.DefaultAuthSession } - throw "No auth session options provided and no default credential configured." + throw "No auth session options provided and no default auth session configured." } # Find matching session in map @@ -108,12 +144,12 @@ function New-IdleAuthSessionBroker { } # No match found - if ($null -ne $this.DefaultCredential) { - return $this.DefaultCredential + if ($null -ne $this.DefaultAuthSession) { + return $this.DefaultAuthSession } $optionsStr = ($Options.Keys | ForEach-Object { "$_=$($Options[$_])" }) -join ', ' - throw "No matching credential found for options: $optionsStr" + throw "No matching auth session found for options: $optionsStr" } -Force return $broker 
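Review bot: Widening DefaultAuthSession from [PSCredential] to [object] means the `$null -ne $this.DefaultAuthSession` checks in the two acquisition hunks now accept an empty or whitespace token string as a configured default, so a misconfigured OAuth broker returns '' instead of throwing and the failure only surfaces later inside the provider. Reject that case at construction, right after the param block: `if ($DefaultAuthSession -is [string] -and [string]::IsNullOrWhiteSpace($DefaultAuthSession)) { throw "DefaultAuthSession must not be an empty string." }`, and apply the same check to string values in SessionMap. The option string echoed in the "No matching auth session found" throw is unchanged here and carries only option keys and values, which is acceptable as long as hosts keep options data-only as the docs require. The enclosing function New-IdleAuthSessionBroker starts and ends outside these hunks.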
diff --git a/src/IdLE/Public/New-IdleAuthSession.ps1 b/src/IdLE/Public/New-IdleAuthSession.ps1 index 903e46ae..434b8ee2 100644 --- a/src/IdLE/Public/New-IdleAuthSession.ps1 +++ b/src/IdLE/Public/New-IdleAuthSession.ps1 @@ -19,15 +19,24 @@ function New-IdleAuthSession { This is a thin wrapper that delegates to IdLE.Core\New-IdleAuthSessionBroker. .PARAMETER SessionMap - A hashtable that maps session configurations to credentials. + A hashtable that maps session configurations to auth sessions. - .PARAMETER DefaultCredential - Optional default credential to return when no session options are provided. + .PARAMETER DefaultAuthSession + Optional default auth session to return when no session options are provided. + + .PARAMETER AuthSessionType + Specifies the type of authentication session. This determines validation rules, + lifecycle management, and telemetry behavior. + + Valid values: + - 'OAuth': Token-based authentication (e.g., Microsoft Graph, Exchange Online) + - 'PSRemoting': PowerShell remoting execution context (e.g., Entra Connect) + - 'Credential': Credential-based authentication (e.g., Active Directory, mock providers) .EXAMPLE $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential - } + } -AuthSessionType 'Credential' .OUTPUTS PSCustomObject with AcquireAuthSession method 
@@ -43,13 +52,20 @@ function New-IdleAuthSession { [Parameter()] [AllowNull()] - [PSCredential] $DefaultCredential + [object] $DefaultAuthSession, + + [Parameter(Mandatory)] + [ValidateSet('OAuth', 'PSRemoting', 'Credential')] + [string] $AuthSessionType ) # Delegate to IdLE.Core implementation. - $params = @{ SessionMap = $SessionMap } - if ($PSBoundParameters.ContainsKey('DefaultCredential')) { - $params['DefaultCredential'] = $DefaultCredential + $params = @{ + SessionMap = $SessionMap + AuthSessionType = $AuthSessionType + } + if ($PSBoundParameters.ContainsKey('DefaultAuthSession')) { + $params['DefaultAuthSession'] = $DefaultAuthSession } return IdLE.Core\New-IdleAuthSessionBroker @params diff --git a/tests/Core/New-IdleAuthSession.Tests.ps1 b/tests/Core/New-IdleAuthSession.Tests.ps1 index e636e1ab..064d04c9 100644 --- a/tests/Core/New-IdleAuthSession.Tests.ps1 +++ b/tests/Core/New-IdleAuthSession.Tests.ps1 @@ -13,7 +13,7 @@ Describe 'New-IdleAuthSession' { It 'creates an auth session broker with the expected type' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'AD' } = $testCred - } + } -AuthSessionType 'Credential' $broker | Should -Not -BeNullOrEmpty $broker.PSTypeNames | Should -Contain 'IdLE.AuthSessionBroker' @@ -22,7 +22,7 @@ Describe 'New-IdleAuthSession' { It 'creates broker with AcquireAuthSession method' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'AD' } = $testCred - } + } -AuthSessionType 'Credential' $broker.PSObject.Methods['AcquireAuthSession'] | Should -Not -BeNullOrEmpty } 
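Review bot: Renaming -DefaultCredential to -DefaultAuthSession in the param block drops the old name without an alias, so existing host scripts stop binding, and this commit's own docs/reference/providers/provider-ad.md examples still pass `-DefaultCredential $adminCredential`. Keep the old name bindable with `[Alias('DefaultCredential')]` placed above `[object] $DefaultAuthSession,` (and the same in IdLE.Core\New-IdleAuthSessionBroker); the `$PSBoundParameters.ContainsKey('DefaultAuthSession')` check keeps working because bound parameters are keyed by the canonical name. Update the provider-ad.md examples to -DefaultAuthSession either way. The param block of New-IdleAuthSession begins outside the hunk.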
@@ -33,25 +33,25 @@ Describe 'New-IdleAuthSession' { @{ Role = 'Admin' } = $testCred } - $broker = New-IdleAuthSession -SessionMap $sessionMap + $broker = New-IdleAuthSession -SessionMap $sessionMap -AuthSessionType 'Credential' $broker.SessionMap | Should -Not -BeNullOrEmpty $broker.SessionMap.Count | Should -Be 2 } - It 'accepts optional DefaultCredential parameter' { + It 'accepts optional DefaultAuthSession parameter' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'AD' } = $testCred - } -DefaultCredential $testCred + } -DefaultAuthSession $testCred -AuthSessionType 'Credential' - $broker.DefaultCredential | Should -Not -BeNullOrEmpty - $broker.DefaultCredential.UserName | Should -Be 'TestUser' + $broker.DefaultAuthSession | Should -Not -BeNullOrEmpty + $broker.DefaultAuthSession.UserName | Should -Be 'TestUser' } It 'broker can acquire auth session with matching options' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $testCred - } + } -AuthSessionType 'Credential' $acquiredSession = $broker.AcquireAuthSession('TestName', @{ Role = 'Tier0' }) @@ -60,13 +60,13 @@ Describe 'New-IdleAuthSession' { $acquiredSession.UserName | Should -Be 'TestUser' } - It 'broker returns default credential when no options provided' { + It 'broker returns default auth session when no options provided' { $defaultPassword = ConvertTo-SecureString 'DefaultPassword!' -AsPlainText -Force $defaultCred = New-Object System.Management.Automation.PSCredential('DefaultUser', $defaultPassword) $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $testCred - } -DefaultCredential $defaultCred + } -DefaultAuthSession $defaultCred -AuthSessionType 'Credential' $acquiredSession = $broker.AcquireAuthSession('TestName', $null) 
@@ -74,13 +74,13 @@ Describe 'New-IdleAuthSession' { $acquiredSession.UserName | Should -Be 'DefaultUser' } - It 'throws when no matching credential found and no default provided' { + It 'throws when no matching auth session found and no default provided' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $testCred - } + } -AuthSessionType 'Credential' { $broker.AcquireAuthSession('TestName', @{ Role = 'NonExistent' }) } | - Should -Throw '*No matching credential found*' + Should -Throw '*No matching auth session found*' } It 'is available as exported command from IdLE module' { 
@@ -98,9 +98,72 @@ Describe 'New-IdleAuthSession' { { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'AD' } = $testCred - } -ErrorAction Stop + } -AuthSessionType 'Credential' -ErrorAction Stop $broker | Should -Not -BeNullOrEmpty } | Should -Not -Throw } + + Context 'AuthSessionType parameter' { + It 'accepts OAuth session type' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Role = 'Admin' } = $testCred + } -AuthSessionType 'OAuth' + + $broker.AuthSessionType | Should -Be 'OAuth' + } + + It 'accepts PSRemoting session type' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Server = 'AADConnect01' } = $testCred + } -AuthSessionType 'PSRemoting' + + $broker.AuthSessionType | Should -Be 'PSRemoting' + } + + It 'accepts Credential session type' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Domain = 'corp.example.com' } = $testCred + } -AuthSessionType 'Credential' + + $broker.AuthSessionType | Should -Be 'Credential' + } + + It 'throws on invalid session type' { + { + New-IdleAuthSession -SessionMap @{ + @{ Role = 'AD' } = $testCred + } -AuthSessionType 'InvalidType' + } | Should -Throw + } + } + + Context 'AuthSessionType validation during acquisition' { + It 'OAuth broker can acquire sessions with appropriate options' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Role = 'Admin' } = $testCred + } -AuthSessionType 'OAuth' + + $session = $broker.AcquireAuthSession('MicrosoftGraph', @{ Role = 'Admin' }) + $session | Should -Not -BeNullOrEmpty + } + + It 'PSRemoting broker can acquire sessions with appropriate options' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Server = 'AADConnect01' } = $testCred + } -AuthSessionType 'PSRemoting' + + $session = $broker.AcquireAuthSession('EntraConnect', @{ Server = 'AADConnect01' }) + $session | Should -Not -BeNullOrEmpty + } + + It 'Credential broker can acquire sessions with appropriate options' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Domain = 'corp.example.com' } = 
$testCred + } -AuthSessionType 'Credential' + + $session = $broker.AcquireAuthSession('ActiveDirectory', @{ Domain = 'corp.example.com' }) + $session | Should -Not -BeNullOrEmpty + } + } }
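Review bot: The tests in the new 'AuthSessionType validation during acquisition' context only assert that the acquired session is non-null, and they hand a PSCredential to the OAuth and PSRemoting brokers, so they neither prove the returned session is the mapped entry nor exercise any type-specific behavior; the context name overstates what is covered. Assert identity the way the earlier tests in this file do, e.g. `$session.UserName | Should -Be 'TestUser'`, and rename the context to something like 'AuthSessionType is stored and does not block acquisition' until the TODO validation in New-IdleAuthSessionBroker is implemented. The Describe block begins outside the hunk.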