Adding new test for admin password and admin usernames

Pallavi Sah · Pallavi Sah · commit 6b2b64126ab0 · 2025-03-18T17:27:05.000-07:00
diff --git a/arm-ttk/testcases/deploymentTemplate/adminPassword-Should-Not-Be-A-Literal.test.ps1 b/arm-ttk/testcases/deploymentTemplate/adminPassword-Should-Not-Be-A-Literal.test.ps1
@@ -0,0 +1,78 @@
+<#
+.Synopsis
+    Ensures that all adminUsernames are expressions
+.Description
+    Ensures that all properties within a template named adminUsername are expressions, not literal strings
+#>
+param(
+    [Parameter(Mandatory = $true)]
+    [PSObject]
+    $TemplateObject
+)
+
+# Find all references to an adminUserName
+# Filtering the complete $TemplateObject directly fails with "The script failed due to call depth overflow." errors
+
+if ("resources" -in $TemplateObject.PSobject.Properties.Name) {
+    $adminPasswordRefsResources = $TemplateObject.resources |
+    Find-JsonContent -Key administratorLoginPassword  -Value * -Like 
+
+    foreach ($ref in $adminPasswordRefsResources) {
+        # Walk over each one
+        # if the property is not a string, then it's likely a param value for a nested deployment, and we should skip it.
+        $a = $ref.administratorLoginPassword
+        if ($a -isnot [string]) { 
+            #check to see if this is a param value on a nested deployment - it will have a value property
+            if ($a.value -is [string]) {
+                $trimmedPassword = "$($a.value)".Trim()
+            }
+            else {
+                continue # since we don't know what object shape we're testing at this point (could be a param declaration on a nested deployment)
+            }
+        }
+        else {
+            $trimmedPassword = "$($a)".Trim()
+        }
+        if ($trimmedPassword -notmatch '\[[^\]]+\]') {
+            # If they aren't expressions
+            Write-Error -TargetObject $ref -Message "AdministratorLoginPassword `"$trimmedPassword`" is not an expression" -ErrorId AdminPassword.Is.Literal # write an error
+            continue # and move onto the next
+        }
+    }
+}
+
+if ("variables" -in $TemplateObject.PSobject.Properties.Name) {
+    $adminPasswordRefsVariables = $TemplateObject.variables |
+    Find-JsonContent -Key administratorLoginPassword  -Value * -Like
+
+    foreach ($ref in $adminPasswordRefsVariables) {
+        # Walk over each one
+        # if the property is not a string, then it's likely a param value for a nested deployment, and we should skip it.
+        if ($ref.administratorLoginPassword -isnot [string]) { continue }
+        $trimmedPassword = "$($ref.administratorLoginPassword)".Trim()
+        if ($trimmedPassword -notmatch '\[[^\]]+\]') {
+            # If they aren't expressions
+            Write-Error -TargetObject $ref -Message "AdminPassword `"$trimmedPassword`" is variable which is not an expression" -ErrorId AdminPassword.Var.Is.Literal # write an error
+            continue # and move onto the next
+        }
+    }
+
+    # TODO - irregular doesn't handle null gracefully so we need to test for it
+    if ($trimmedPassword -ne $null) {
+        $UserNameHasVariable = $trimmedPassword | ?<ARM_Variable> -Extract
+        # this will return the outer most function in the expression
+        $userNameHasFunction = $trimmedPassword | ?<ARM_Template_Function> -Extract
+
+        # If we had a variable reference (not inside of another function) - then check it
+        # TODO this will not flag things like concat so we should add a blacklist here to ensure it's still not a static or deterministic username
+        if ($UserNameHasVariable -and $userNameHasFunction.FunctionName -eq 'variables') { 
+            $variableValue = $TemplateObject.variables.($UserNameHasVariable.VariableName)
+            $variableValueExpression = $variableValue | ?<ARM_Template_Expression>
+            if (-not $variableValueExpression) {
+                Write-Error @"
+AdminPassword references variable '$($UserNameHasVariable.variableName)', which has a literal value.
+"@ -ErrorId AdminPassword.Is.Variable.Literal # write an error
+            }
+        }
+    }
+}
diff --git a/arm-ttk/testcases/deploymentTemplate/adminUsername-Should-Not-Be-A-Literal.test.ps1 b/arm-ttk/testcases/deploymentTemplate/adminUsername-Should-Not-Be-A-Literal.test.ps1
@@ -17,6 +17,9 @@ if ("resources" -in $TemplateObject.PSobject.Properties.Name) {
     $adminUserNameRefsResources = $TemplateObject.resources |
     Find-JsonContent -Key adminUsername  -Value * -Like 
 
+    $adminLoginRefsResources = $TemplateObject.resources |
+    Find-JsonContent -Key administratorLogin  -Value * -Like
+
     foreach ($ref in $adminUserNameRefsResources) {
         # Walk over each one
         # if the property is not a string, then it's likely a param value for a nested deployment, and we should skip it.
@@ -39,12 +42,38 @@ if ("resources" -in $TemplateObject.PSobject.Properties.Name) {
             continue # and move onto the next
         }
     }
+
+    foreach ($ref in $adminLoginRefsResources) {
+        # Walk over each one
+        # if the property is not a string, then it's likely a param value for a nested deployment, and we should skip it.
+        $a = $ref.administratorLogin
+        if ($a -isnot [string]) { 
+            #check to see if this is a param value on a nested deployment - it will have a value property
+            if ($a.value -is [string]) {
+                $trimmedUserName = "$($a.value)".Trim()
+            }
+            else {
+                continue # since we don't know what object shape we're testing at this point (could be a param declaration on a nested deployment)
+            }
+        }
+        else {
+            $trimmedUserName = "$($a)".Trim()
+        }
+        if ($trimmedUserName -notmatch '\[[^\]]+\]') {
+            # If they aren't expressions
+            Write-Error -TargetObject $ref -Message "AdministratorLogin `"$trimmedUserName`" is not an expression" -ErrorId AdminUsername.Is.Literal # write an error
+            continue # and move onto the next
+        }
+    }
 }
 
 if ("variables" -in $TemplateObject.PSobject.Properties.Name) {
     $adminUserNameRefsVariables = $TemplateObject.variables |
     Find-JsonContent -Key adminUsername  -Value * -Like
 
+    $administratorLoginRefsVariables = $TemplateObject.variables |
+    Find-JsonContent -Key administratorLogin  -Value * -Like
+
     foreach ($ref in $adminUserNameRefsVariables) {
         # Walk over each one
         # if the property is not a string, then it's likely a param value for a nested deployment, and we should skip it.
@@ -71,6 +100,37 @@ if ("variables" -in $TemplateObject.PSobject.Properties.Name) {
             if (-not $variableValueExpression) {
                 Write-Error @"
 AdminUsername references variable '$($UserNameHasVariable.variableName)', which has a literal value.
+"@ -ErrorId AdminUserName.Is.Variable.Literal # write an error
+            }
+        }
+    }
+
+    foreach ($ref in $administratorLoginRefsVariables) {
+        # Walk over each one
+        # if the property is not a string, then it's likely a param value for a nested deployment, and we should skip it.
+        if ($ref.administratorLogin -isnot [string]) { continue }
+        $trimmedUserName = "$($ref.administratorLogin)".Trim()
+        if ($trimmedUserName -notmatch '\[[^\]]+\]') {
+            # If they aren't expressions
+            Write-Error -TargetObject $ref -Message "AdministratorLogin `"$trimmedUserName`" is variable which is not an expression" -ErrorId AdminUsername.Var.Is.Literal # write an error
+            continue # and move onto the next
+        }
+    }
+
+        # TODO - irregular doesn't handle null gracefully so we need to test for it
+    if ($trimmedUserName -ne $null) {
+        $UserNameHasVariable = $trimmedUserName | ?<ARM_Variable> -Extract
+        # this will return the outer most function in the expression
+        $userNameHasFunction = $trimmedUserName | ?<ARM_Template_Function> -Extract
+
+        # If we had a variable reference (not inside of another function) - then check it
+        # TODO this will not flag things like concat so we should add a blacklist here to ensure it's still not a static or deterministic username
+        if ($UserNameHasVariable -and $userNameHasFunction.FunctionName -eq 'variables') { 
+            $variableValue = $TemplateObject.variables.($UserNameHasVariable.VariableName)
+            $variableValueExpression = $variableValue | ?<ARM_Template_Expression>
+            if (-not $variableValueExpression) {
+                Write-Error @"
+AdministratorLogin references variable '$($UserNameHasVariable.variableName)', which has a literal value.
 "@ -ErrorId AdminUserName.Is.Variable.Literal # write an error
             }
         }
diff --git a/unit-tests/adminPassword-Should-Not-Be-A-Literal/Fail/Literal-Admin-AdminPassword.json b/unit-tests/adminPassword-Should-Not-Be-A-Literal/Fail/Literal-Admin-AdminPassword.json
@@ -0,0 +1,20 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "variables": {
+        "administratorLogin": "fixedusername",
+        "administratorLoginPassword": "fixedpassword"
+    },
+    "resources": [
+        {
+            "type": "Microsoft.DBforMySQL/flexibleServers",
+            "apiVersion": "2021-05-01",
+            "name": "name",
+            "location": "location",
+            "properties": {
+                "administratorLogin": "[variables('administratorLogin')]",
+                "administratorLoginPassword": "[variables('administratorLoginPassword')]"
+            }
+        }
+    ]
+}
diff --git a/unit-tests/adminPassword-Should-Not-Be-A-Literal/Pass/ExpressionValue.json b/unit-tests/adminPassword-Should-Not-Be-A-Literal/Pass/ExpressionValue.json
@@ -0,0 +1,18 @@
+﻿{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "variables": {
+        "deploymentName": "Deployment-1.0"
+    },
+    "resources": [
+        {
+            "properties": {
+                "parameters": {
+                    "adminPassword": {
+                        "value": "[reference(resourceId('Microsoft.Resources/deployments', variables('deploymentName')), '2019-10-01').outputs.accountSettings.value.accountAdminName]"
+                    }
+                }
+            }
+        }
+    ]
+}
diff --git a/unit-tests/adminPassword-Should-Not-Be-A-Literal/adminPassword-Should-Not-Be-A-Literal.tests.ps1 b/unit-tests/adminPassword-Should-Not-Be-A-Literal/adminPassword-Should-Not-Be-A-Literal.tests.ps1
@@ -0,0 +1,6 @@
+﻿
+#requires -module arm-ttk
+. $PSScriptRoot\..\arm-ttk.test.functions.ps1
+Test-TTK $psScriptRoot
+return        
+
diff --git a/unit-tests/adminUsername-Should-Not-Be-A-Literal/Fail/Literal-Admin-AdminLogin.json b/unit-tests/adminUsername-Should-Not-Be-A-Literal/Fail/Literal-Admin-AdminLogin.json
@@ -0,0 +1,20 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "variables": {
+        "administratorLogin": "fixedusername",
+        "administratorLoginPassword": "fixedpassword"
+    },
+    "resources": [
+        {
+            "type": "Microsoft.DBforMySQL/flexibleServers",
+            "apiVersion": "2021-05-01",
+            "name": "name",
+            "location": "location",
+            "properties": {
+                "administratorLogin": "[variables('administratorLogin')]",
+                "administratorLoginPassword": "[variables('administratorLoginPassword')]"
+            }
+        }
+    ]
+}
