Testing if I have a valid user on my Logic Apps Connector
  • Updated on 23 May 2020

Following on from my previous article about testing the state of a Logic Apps API Connector, next I want to test the authenticated user. The previous article is:

https://www.integration-playbook.io/docs/testing-if-my-connector-is-connected

With a connector such as Office365, what often happens is that the developer uses their personal account to get things working. If the developer leaves, you may find the connector stops working, or if another developer uses this connection, they might be able to access resources under the context of the first developer and gain higher privileges. Really, we should always be using a service account here.

This script will run and loop over the API Connectors like in the previous article. It will then get the JSON for the connector like below.

# Get the connector JSON
$connectorUrl = $apiConnection.ResourceId + '?api-version=2018-07-01-preview'
$connectorJson = az rest --method get --uri $connectorUrl
$connectorJsonText = $connectorJson | ConvertFrom-Json

When the Pester test itself runs it will use a list of "Allowed Service Accounts". If the authenticated user on the connector is not set, then that's fine because that connector might not need one. If it is set, however, then it will check that the user is in the approved list and, if not, it will fail the test.

# Accounts that are allowed to be the authenticated user on a connector
$approvedAuthenticatedUsers = New-Object "System.Collections.Generic.List[System.String]"
$approvedAuthenticatedUsers.Add('serviceaccount@acme.com')

It "$($apiConnection.Name) should be authenticated by an approved user" {
    #Write-Host ($connectorJson | Format-List | Out-String)
    $properties = $connectorJsonText.properties

    # authenticatedUser is absent on connectors that do not need one
    $authenticatedUser = $properties.authenticatedUser
    if ($null -ne $authenticatedUser) {
        $name = $authenticatedUser.name

        if ($null -ne $name) {
            # Contains() is a case-sensitive match against the approved list
            $approved = $approvedAuthenticatedUsers.Contains($name)
            if ($approved -eq $false) {
                Write-Host $name 'is not an approved authentication user'
                $approved | Should -Be $true
            }
        }
    }
}

Not only is this good governance, but it can also help prevent security issues from elevated privileges or someone impersonating a developer.
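
The same approved-user check as a standalone function that runs without an Azure subscription, as an added example that is not code from the original article. The function name Get-ConnectorUserFinding, the connector names and the dev.person@acme.com account are assumptions made up for illustration, and the JSON samples are constructed. It compares names case-insensitively, which List[string].Contains() does not.

```powershell
# Added example (not from the original article). Get-ConnectorUserFinding is a
# hypothetical helper; the JSON samples below are constructed, not real output.
function Get-ConnectorUserFinding {
    param(
        [Parameter(Mandatory)][string]   $ConnectorJson,
        [Parameter(Mandatory)][string[]] $ApprovedUsers
    )

    $connector = $ConnectorJson | ConvertFrom-Json
    $user = $connector.properties.authenticatedUser
    $name = if ($null -ne $user) { $user.name } else { $null }

    # No authenticated user (or no name): the connector may not need one.
    if ([string]::IsNullOrWhiteSpace($name)) {
        $status = 'NoUser'
    }
    # -contains compares case-insensitively, unlike List[string].Contains().
    elseif ($ApprovedUsers -contains $name.Trim()) {
        $status = 'Approved'
    }
    else {
        $status = 'NotApproved'
    }

    [pscustomobject]@{
        Connector         = $connector.name
        AuthenticatedUser = $name
        Status            = $status
    }
}

$approved = @('serviceaccount@acme.com')

# Constructed samples covering: approved (different casing), unapproved,
# empty authenticatedUser object, and no authenticatedUser property at all.
$samples = @(
    '{"name":"office365","properties":{"authenticatedUser":{"name":"ServiceAccount@acme.com"}}}',
    '{"name":"office365-1","properties":{"authenticatedUser":{"name":"dev.person@acme.com"}}}',
    '{"name":"azureblob","properties":{"authenticatedUser":{}}}',
    '{"name":"servicebus","properties":{}}'
)

$findings = $samples | ForEach-Object {
    Get-ConnectorUserFinding -ConnectorJson $_ -ApprovedUsers $approved
}
$findings | Format-Table -AutoSize

# Fail the run when any connector is authenticated by an unapproved account.
$violations = @($findings | Where-Object Status -eq 'NotApproved')
if ($violations.Count -gt 0) {
    throw "Unapproved authenticated user on: $($violations.Connector -join ', ')"
}
```

With the samples above, office365 is reported as Approved, office365-1 as NotApproved, and the other two as NoUser, so the script ends by throwing for office365-1.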
